Thursday, March 27. 2008
Blog-Spam abusing XSS
I got some spam in the comment fields of my blog that raised my interest.
A sample of how they looked:
http://www.unicef.org/voy/search/search.php?q=some+advertising%3Cscript%3Eparent%2elocation%2ereplace%28%22http%3A%2F%2Fgoogle%2ede22%29%3C%2Fscript%3E
I've replaced the forwarding URL and the advertising words (because I don't want to raise interest in spammers' pages). I got several similar spam comments in the following days, all with the same scheme: using a Cross Site Scripting vulnerability, mostly on pages that might inspire trust, to forward to a medical selling page.
This is probably a good reason why XSS should be fixed, no matter what attack vectors there are. It can always be used by spammers to exploit your page's fame / authority to advertise their services. The same goes for redirectors or frame injections. Some were already reported at some public place (for the above see here). I've re-reported them all, but got just one reply, from a webmaster who fixed it. The true reality on the internet today: even webmasters of famous public organizations don't seem to care about internet security.
For the record, the others:
http://adventisthealth.org/utilities/search.asp?Yider=<script>alert(1)</script>
http://www.loc.gov/rr/ElectronicResources/search.php?search_term=<script>alert(1)</script>
And thanks to iconfactory, they fixed their XSS.
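To make the mechanism concrete, here is an added example (not code from the post or from any of the sites named): a minimal search page that reflects its query parameter unescaped next to the escaped fix, plus a small filter that flags comment links whose query parameters carry script markup, as the spam described above does. Host names and the sample comment are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Vulnerable pattern behind the spam links above: a search page echoes the
# query parameter straight into its HTML, so whatever the link carries runs
# in the visitor's browser under the trusted site's origin.
def render_search_vulnerable(q: str) -> str:
    return f"<p>Results for: {q}</p>"

# Hardened form: HTML-escape untrusted input before it lands in markup.
def render_search_fixed(q: str) -> str:
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"

# Markers typical of the redirect payloads seen in the spam comments.
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b|javascript\s*:|\.location\s*\.", re.I)

def find_xss_links(comment: str) -> list:
    """Return (url, parameter) pairs for links whose query carries script markup.

    parse_qs percent-decodes once; unquote handles a second encoding layer.
    """
    hits = []
    for url in re.findall(r"https?://\S+", comment):
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        for name, values in params.items():
            if any(SCRIPT_RE.search(unquote(v)) for v in values):
                hits.append((url, name))
    return hits

# Constructed sample comment using example hosts; it mirrors the encoded
# shape of the real spam link quoted in the post.
SAMPLE_COMMENT = (
    "great site! http://search.example.org/search.php?q=cheap+pills"
    "%3Cscript%3Eparent%2elocation%2ereplace%28%22http%3A%2F%2F"
    "spam.example%2F%22%29%3C%2Fscript%3E"
)

if __name__ == "__main__":
    for url, param in find_xss_links(SAMPLE_COMMENT):
        print(f"suspicious parameter {param!r} in {url}")
    print(render_search_fixed("<script>alert(1)</script>"))
```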
Monday, March 17. 2008
Campaign to shoot down an UFO
Well, I usually don't tend to blog the content of my spam inbox, but hey, this time I make an exception. It's worth the fun.
There's a campaign that wants the UN to start a military action to shoot down an Unidentified Flying Object to find out if there are extraterrestrials:
http://www.ufocampaign.org/
Yeah, that's really something worth making a petition. Tell those politicians you want their military to shoot down aliens. I wonder if this is a well-made hoax or not.
Wednesday, March 12. 2008
A try on current nouveau
nouveau, the project for creating a free 3D Linux driver for nvidia cards, recently got first support for real 3D applications with gallium on some NV4X cards (see Nouveau Companion 36). Today I got it working on a friend's machine.
Here you can see an openarena benchmark (also uploaded on youtube). It got 55 fps, which is still far from the nvidia binary driver (178 fps), but at least more than my r200 setup (32 fps).
For the brave ones, here's a quick and dirty howto for Gentoo:
a) Get the nouveau overlay with svn co https://svn.hboeck.de/nouveau-overlay and add it to PORTDIR_OVERLAY in make.conf.
b) The nouveau-overlay won't install the nouveau/gallium branch of mesa. Get my overlay with svn co https://svn.hboeck.de/overlay and also add that to your PORTDIR_OVERLAY (I'll try to contact the nouveau-overlay developer to see if we can merge this).
c) Add media-libs/mesa, x11-base/x11-drm, x11-libs/libdrm and x11-drivers/xf86-video-nouveau to /etc/portage/package.keywords and merge them.
d) If you've been running the nvidia binary driver, eselect opengl set xorg-x11; change the graphics driver in xorg.conf to nouveau, rmmod nvidia (if it's loaded), modprobe nouveau and start X.
e) Have fun!
Note: The nouveau developers consider gallium completely unsupported at the moment and don't want to get end-user bugs. If it runs, fine, if not, don't nag them with it.
Posted by Hanno Böck in Computer culture, Copyright, English, Gentoo, Linux at 00:06