Author Topic: Journal "virus" spreading as we speak  (Read 2690 times)

pmart

Journal "virus" spreading as we speak
« on: June 19, 2011, 06:42:59 pm »
Looks like XSS vulnerabilities strike again.  http://astronauts.freeiz.com/coolbeans/ appears to be a 404 page but actually posts one of 8 (9?) randomized journals if accessed by a logged-in FA user.  It's already gotten huge in the past hour or so.

The code, should the page go down: http://pastebin.com/94Y3fU6f

Edit: At 1:56 am UT (9:56 pm EDT), FurAffinity tweeted that they've fixed this.

Dr. Dos

Re: Journal "virus" spreading as we speak
« Reply #1 on: June 19, 2011, 07:13:27 pm »
Same exploit Eevee mentioned back in October.
paul> animal genitalia is just... no
Pancake> animal genitals are hot
paul> maybe in furry porn
paul> where they just have a massive human penis.
paul> but in real life it's always some weird shape or weird color.

Pi

Re: Journal "virus" spreading as we speak
« Reply #2 on: June 19, 2011, 07:42:10 pm »
If this is like any other fix they've done, it is a botch and doesn't actually fix the real problem. We'll see.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

Eevee

Re: Journal "virus" spreading as we speak
« Reply #3 on: June 19, 2011, 07:43:54 pm »
It is a botch and doesn't actually fix the real problem.

Pi

Re: Journal "virus" spreading as we speak
« Reply #4 on: June 19, 2011, 07:54:03 pm »
Did I call it, or did I call it?

Jim Demintia

Re: Journal "virus" spreading as we speak
« Reply #5 on: June 20, 2011, 08:18:07 am »
God, script kiddie doesn't even begin to describe that. And of course furries would fall for it.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

Re: Journal "virus" spreading as we speak
« Reply #6 on: June 20, 2011, 12:59:32 pm »
This is also the same exploit that Henri Watson provided a proof of concept for prior to December, and that Arcturus used in the YiffyLeaks page a few months ago.


Jim Demintia

Re: Journal "virus" spreading as we speak
« Reply #7 on: June 20, 2011, 03:29:37 pm »
Quote
This is also the same exploit that Henri Watson provided a proof of concept for prior to December, and that Arcturus used in the YiffyLeaks page a few months ago.

labs dot henriwatson dot com. Good grief.

Aaand his Mercurial server (the link in that page) is MIA. Hey, kid: I really doubt it, but I hope you have enough self-awareness and humility to realize your bullshit act really only impresses people of the caliber of Sean Piche. Everyone else can see through it like a clear summer's day.

Unless I'm mistaken, the only way to fix this kind of thing is to disable the use of HTTP GET to muck around in the database. Until a POST is used as its name suggests it is intended to be used, there's pretty much no real fix for this.

What makes fixing this so damn hard for them? I'm serious, I don't understand.

Jim Demintia

Re: Journal "virus" spreading as we speak
« Reply #8 on: June 20, 2011, 03:51:25 pm »
Neer has also taken care to make a front-page Fender post, complete with the rationale that deviantART is also coded by barely-literate PHP programmers in remote tribal regions of Kazakhstan. FAleaks is still fresh on his mind, despite the fact he hasn't done anything about it.

Additionally, in about ten days it will have been a month since the post promising the new UI. I'm so excited! I'll bet he has nothing functional right now, and very little else (i.e. code) besides those Adam Wan mockups. Can't wait to hear nothing about this for another few months, before more vague promises.

Eevee

Re: Journal "virus" spreading as we speak
« Reply #9 on: June 20, 2011, 03:59:23 pm »
Quote
Unless I'm mistaken, the only way to fix this kind of thing is to disable the use of HTTP GET to muck around in the database. Until a POST is used as its name suggests it is intended to be used, there's pretty much no real fix for this.
POST makes this less laughably easy to exploit, but it's not a fix.  The only real solution is to have a user-specific nonce as part of every POST form, and check for it right off the bat server-side.

Pi

Re: Journal "virus" spreading as we speak
« Reply #10 on: June 21, 2011, 09:03:47 pm »
It's worth noting that net-cat actually really fixed this particular exploit after it was pointed out that the first "fix" was bullshit:
Quote
Bloody hell.

I applied a quick, non-comprehensive fix that stopped the immediate exploit so we could work on a proper fix, which is now applied. (Not fully. Some of the things on Eevee's list still work at the moment. But that will change.)

Thanks to some people who felt that the proof of concept for a workaround that Eevee graciously supplied to me needed to be tweeted and spread every-fucking-where ever, they managed to stir up another shitstorm.

Yeah, net-cat, go ahead and blame everyone else for "stirring up a shitstorm", and not, say, you and your team for ignoring this problem until it repeatedly gets exploited. Remember the old adage about pointing fingers?

Clayton

Re: Journal "virus" spreading as we speak
« Reply #11 on: June 21, 2011, 09:36:18 pm »

Pi

Re: Journal "virus" spreading as we speak
« Reply #13 on: June 21, 2011, 11:23:05 pm »
From Arcturus's FALeaks:
Code:
<img src="http://www.furaffinity.net/submit/?part=5&submission_type=submission&cat=all&atype=all&species=swiper&gender=female&rating=1&scrap=0&title=Cat&message=This%20is%20a%20fake%20submission!&keyboards=fake%20so_fake" /> <!-- tee hee hee -->
<img src="http://www.furaffinity.net/logout/" /> <!-- I'm so bad. -->

It is laughable that you can create submissions, via GET, without attaching a file. Simply amazing.

Now we will get a whole host of people posting the wikipedia entry for "confused deputy", suggesting that everyone install NoScript and to change their passwords and basically farting all over like they know a goddamn thing about webapp security, all the while cursing at Eevee for no particular reason besides everyone else is doing it. Lather, rinse, repeat.

Jim Demintia

Re: Journal "virus" spreading as we speak
« Reply #14 on: June 22, 2011, 02:53:46 pm »
Quote
like they know a goddamn thing about webapp security

Welcome to the circus.

Conan

Re: Journal "virus" spreading as we speak
« Reply #15 on: June 22, 2011, 03:56:39 pm »
Within the past 3 hours they fixed the blank submission thing, but the logout exploit still works.

Jim Demintia

Re: Journal "virus" spreading as we speak
« Reply #16 on: June 22, 2011, 04:15:20 pm »
Quote
Within the past 3 hours they fixed the blank submission thing, but the logout exploit still works.

Unless they do the nonce thing that Eevee mentioned, it'll be a mixture of unfixable problems and a game of whack-an-exploit. Don't really know how you could fix the logout thing without a nonce.
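Eevee's point in Reply #9 that POST alone is not a fix, Pi's FALeaks payload in Reply #13, and the question above about fixing the forced logout without a nonce, worked through as an added example. This is not FurAffinity's code and not anything posted in this thread: a minimal in-memory request handler in the "before" shape (any authenticated GET changes state) beside one that requires POST plus a per-session nonce checked in constant time before anything else happens. The paths /journal/post and /logout, the cookie name sid and the form field csrf_token are assumptions chosen to mirror the thread.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory state standing in for the site's session store and
# database. Endpoint names, cookie name and field name are assumptions.
SESSIONS = {}   # session_id -> {"user": str, "csrf": str}
JOURNALS = []   # list of (user, text)


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def login(user):
    """Create a session. The browser gets sid as a cookie; the per-session
    nonce is later embedded as a hidden field in every rendered form."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_for(req):
    return SESSIONS.get(req.cookies.get("sid"))


# --- Before: the pattern the thread describes. Any request carrying the
# victim's cookie changes state, so <img src="..."> on a third-party page
# is enough; the browser attaches the cookie automatically.
def vulnerable_handle(req):
    sess = session_for(req)
    if sess is None:
        return 403, "not logged in"
    if req.path == "/journal/post":
        JOURNALS.append((sess["user"], req.params.get("message", "")))
        return 200, "journal posted"
    if req.path == "/logout":
        SESSIONS.pop(req.cookies["sid"])
        return 200, "logged out"
    return 404, "not found"


# --- After: POST only, plus a nonce the attacker's page cannot read
# (same-origin policy) and therefore cannot include in a forged request.
def hardened_handle(req):
    sess = session_for(req)
    if sess is None:
        return 403, "not logged in"
    if req.path not in ("/journal/post", "/logout"):
        return 404, "not found"
    if req.method != "POST":
        return 405, "method not allowed"
    supplied = req.params.get("csrf_token", "")
    # Constant-time compare, and checked before any state is touched.
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return 403, "bad csrf token"
    if req.path == "/journal/post":
        JOURNALS.append((sess["user"], req.params.get("message", "")))
        return 200, "journal posted"
    SESSIONS.pop(req.cookies["sid"])
    return 200, "logged out"


def cross_site_get(path, params, victim_sid):
    """What an <img src> on the attacker's page makes the victim's browser
    send: a GET with the victim's cookie attached and no nonce."""
    return Request("GET", path, params, {"sid": victim_sid})


def cross_site_post(path, params, victim_sid):
    """An auto-submitting <form method=post> on the attacker's page: same
    cookie, still no nonce, so requiring POST alone does not help."""
    return Request("POST", path, params, {"sid": victim_sid})


def demo():
    SESSIONS.clear()
    JOURNALS.clear()
    sid = login("victim")
    payload = {"message": "This is a fake journal!"}  # constructed
    results = {}
    results["vuln_get"] = vulnerable_handle(cross_site_get("/journal/post", payload, sid))[0]
    results["hard_get"] = hardened_handle(cross_site_get("/journal/post", payload, sid))[0]
    results["hard_post_notoken"] = hardened_handle(cross_site_post("/journal/post", payload, sid))[0]
    legit = Request("POST", "/journal/post",
                    {**payload, "csrf_token": SESSIONS[sid]["csrf"]}, {"sid": sid})
    results["hard_post_token"] = hardened_handle(legit)[0]
    results["hard_logout_get"] = hardened_handle(cross_site_get("/logout", {}, sid))[0]
    results["still_logged_in"] = sid in SESSIONS
    results["journals"] = len(JOURNALS)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the nonce check stops the forged POST: the attacker's page can send the cookie but cannot read the victim's token out of a cross-origin response. Beyond what the thread covers, a practitioner would also rotate the token on login, and treat Origin/Referer checks and SameSite cookies (which did not exist in 2011) as defense in depth rather than a replacement for the nonce.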

loki

Re: Journal "virus" spreading as we speak
« Reply #17 on: June 22, 2011, 06:16:04 pm »
So could you upload PHP files to their server with a local fake form? This has been broken for years now anyways... at one point you could upload any type of file as long as it had the right extension.

Malicious User: Yea, this is totally a .JPG and not malicious in any way.

FA Server: Ok, go right ahead!
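The extension-only check loki describes, beside a content check, as an added example (not FurAffinity's upload code; the signature table and sample files are constructed for the demonstration): the server compares the first bytes of the upload against the signature the claimed extension implies, and additionally refuses anything containing a PHP open tag, which also catches a "GIF89a<?php" polyglot that has a valid image header.

```python
import re

# Constructed signature table: extension the uploader claims -> bytes the
# file must start with. Not FA's table; chosen for the demonstration.
MAGIC = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# A PHP open tag anywhere in the file, case-insensitive. A file that passes
# the magic-bytes check can still carry one (image comment segments, or a
# "GIF89a<?php" polyglot), so this is checked after the signature.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def claimed_extension(filename):
    """Extension the uploader asserts; 'shell.php.jpg' claims 'jpg'."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def validate_upload(filename, data):
    """Return (accepted, reason). Decide on the bytes, not the name."""
    ext = claimed_extension(filename)
    if ext not in MAGIC:
        return False, f"extension {ext!r} is not an allowed image type"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not start with a {ext} signature"
    if PHP_TAG.search(data):
        return False, "content carries an embedded PHP open tag"
    return True, "ok"


# Constructed sample uploads: (name the client sent, first bytes of content).
SAMPLES = {
    "cat.jpg":    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",   # real JPEG header
    "logo.png":   b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",     # real PNG header
    "script.jpg": b"<?php echo 'not an image'; ?>",           # PHP renamed .jpg
    "poly.gif":   b"GIF89a<?php echo 'polyglot'; ?>",         # valid GIF magic plus PHP
    "photo.gif":  b"\xff\xd8\xff\xe0",                        # JPEG bytes, .gif name
    "page.php":   b"<?php echo 1; ?>",                        # disallowed extension
}


def check_all(samples=SAMPLES):
    """Map each sample name to whether validate_upload accepts it."""
    return {name: validate_upload(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, why = validate_upload(name, data)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:12} {why}")
```

The signature check is necessary, not sufficient: the PHP-tag scan is a pattern match, not a parser, and a JPEG comment segment can hold arbitrary bytes. The robust control is to make the upload path unable to execute anything (a static-only document root or a separate domain) and to re-encode images server-side, so that what gets stored is a file the server produced rather than the one the client sent.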

Clayton

Re: Journal "virus" spreading as we speak
« Reply #18 on: June 22, 2011, 08:56:18 pm »
I don't understand why they don't take FA down for a few months or so to patch it all up. I mean I understand it being 'Neer's cash cow or whatever, but one would think user security is more important than the greed?

Ugh.

Jim Demintia

Re: Journal "virus" spreading as we speak
« Reply #19 on: June 23, 2011, 04:22:46 am »
Quote
I don't understand why they don't take FA down for a few months or so to patch it all up. I mean I understand it being 'Neer's cash cow or whatever, but one would think user security is more important than the greed?

Ugh.

Couldn't have said it better myself.