DProject: I apologize for dwelling on something that already happened, but I was left in the dark and have no clue what has happened. Nevertheless I'm very interested though; not because I feel there's problems with security on the site, but because I'm a curious person by nature. Would anyone care to explain what exactly has happened recently? All I know is that some person wrote <title> in his topic and that somehow made the entire forums wonky (how exactly wonky?)
I'm pretty sure I'm going to get ninja'd, but here goes:

HTML, the markup language which tells your browser what to display, uses for this purpose something known as tags, which are basically keywords (you can think of those as commands) identified by < and > on both sides. There's a limited set of such keywords; "title" just happens to be one of those. This means browsers reading the page suddenly received an unexpected command, got all confused and displayed garbage.

That's not the main problem, though. The problem is that at that moment, it became publicly known that GOG forum software does not strip tags from user input in the case of forum post titles (which is absolutely basic security practice) and that it was possible to essentially inject your own code to GOG's thanks to another tag, "<script>", which executes JavaScript. This can be abused in a million ways. Luckily, it wasn't.

The only professional response to that was to take down the forums immediately until the bug is fixed, which alas did not happen. The users did a great job trying to prevent any smartarse from exploiting the weakness, but there's only so much they could do.
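
The unescaped-title behaviour described in the post above, next to a corrected rendering, as an added example that is not part of the original post and is not GOG's code. The row template, function names and sample titles are assumptions made for illustration, and the fix shown is output encoding with `html.escape` rather than the tag stripping the post mentions.

```python
import html
from html.parser import HTMLParser

# Hypothetical template for one row of a thread listing (not GOG's markup).
ROW = '<li class="topic"><a href="/forum/topic/{id}">{title}</a></li>'

def render_row_unsafe(topic_id: int, title: str) -> str:
    """Interpolates the user-supplied title as-is: the behaviour described above."""
    return ROW.format(id=topic_id, title=title)

def render_row_escaped(topic_id: int, title: str) -> str:
    """Encodes the title for an HTML text context, so < > & and quotes become entities."""
    return ROW.format(id=topic_id, title=html.escape(title, quote=True))

class TagCollector(HTMLParser):
    """Records every start tag a parser sees and the text it would display."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def parsed(markup: str):
    """Returns (start tags, visible text) for a rendered row."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, "".join(collector.text)

def injected_tags(markup: str):
    """Tags present in the output that the template itself never emits."""
    tags, _ = parsed(markup)
    return [t for t in tags if t not in ("li", "a")]

# Constructed sample titles, using the two tags named in the thread.
SAMPLE_TITLES = ["Patch notes & fixes", "<title>",
                 "hello <script>/* user-supplied code */</script>"]

if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(repr(t), injected_tags(render_row_unsafe(1, t)),
              injected_tags(render_row_escaped(1, t)))
```

Running `injected_tags` over rendered pages in a test suite catches any template that lets a user-controlled field reach the markup unencoded.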
lowyhong: No shit? That's funny lol.
(how did he even get TET's number?)
TheEnigmaticT: It's actually pretty easy; I suspect it took him about 5 minutes--maybe.
How many Trevor L's are there in Warsaw? Not many I suppose.
Post edited July 19, 2012 by IronStar
IronStar: How many Trevor L's are there in Warsaw? Not many I suppose.
Jesus. I thought my stalking skills were good. Remind me never to cross you. :P
IronStar: How many Trevor L's are there in Warsaw? Not many I suppose.
lowyhong: Jesus. I thought my stalking skills were good. Remind me never to cross you. :P
Beware! :P
DProject: I apologize for dwelling on something that already happened, but I was left in the dark and have no clue what has happened. Nevertheless I'm very interested though; not because I feel there's problems with security on the site, but because I'm a curious person by nature. Would anyone care to explain what exactly has happened recently? All I know is that some person wrote <title> in his topic and that somehow made the entire forums wonky (how exactly wonky?)
bazilisek: I'm pretty sure I'm going to get ninja'd, but here goes:

HTML, the markup language which tells your browser what to display, uses for this purpose something known as tags, which are basically keywords (you can think of those as commands) identified by < and > on both sides. There's a limited set of such keywords; "title" just happens to be one of those. This means browsers reading the page suddenly received an unexpected command, got all confused and displayed garbage.

That's not the main problem, though. The problem is that at that moment, it became publicly known that GOG forum software does not strip tags from user input in the case of forum post titles (which is absolutely basic security practice) and that it was possible to essentially inject your own code to GOG's thanks to another tag, "<script>", which executes JavaScript. This can be abused in a million ways. Luckily, it wasn't.

The only professional response to that was to take down the forums immediately until the bug is fixed, which alas did not happen. The users did a great job trying to prevent any smartarse from exploiting the weakness, but there's only so much they could do.
Lol, thanks for the input, but I am familiar with HTML and have written some myself for many years, both for my own website and for work. What I wanted to know, was what kind of damage the forum suffered in regards of appearance & functionality, and I got the answer for that. But yeah, thanks anyway :)

edit: Also, there's an IRC Channel for GOG?? I must join; I reckon it's #GOG.com (or plain GOG?) and it's on IRCnet?
Post edited July 19, 2012 by DProject
bazilisek: The only professional response to that was to take down the forums immediately until the bug is fixed, which alas did not happen. The users did a great job trying to prevent any smartarse from exploiting the weakness, but there's only so much they could do.
There will probably come the day when the only "old" thing about GOG will be the forums ... ;-P
Post edited July 19, 2012 by SimonG
lowyhong: ...
http://profile.ak.fbcdn.net/hprofile-ak-snc4/371558_522685474_422718304_n.jpg
Photo of TET when Lexor woke him up this morning. True story. :P
So that was him? When I saw that link on IRC I thought it might be you :P
DProject: Lol, thanks for the input, but I am familiar with HTML and have written some myself for many years, both for my own website and for work. What I wanted to know, was what kind of damage the forum suffered in regards of appearance & functionality, and I got the answer for that. But yeah, thanks anyway :)
Yeah, I thought I was probably overexplaining that, but that can't hurt.
This kind of stuff by itself can't really hurt the forum or GOG, but it could affect individual users very badly by running malicious code, redirecting to fraudulent websites and all of that fun stuff.
DProject: edit: Also, there's an IRC Channel for GOG?? I must join; I reckon it's #GOG.com (or plain GOG?) and it's on IRCnet?
Here you go:
http://webchat.quakenet.org
Why Quakenet, that's so 2000s. I was hoping it would be on IRCnet, but I'll pay a visit anyway.
DProject: that's so 2000s.
You forget what website you're on ;)
Lol, good point ;D