
Even Slashcode has vulnerabilities

FortKnox (169099) writes | more than 11 years ago


Check this out. Apparently, slashcode has a vulnerability that has been fixed. Jamie states that there will be an explanation today. Looking forward to it.

10 comments

yup.... (2, Informative)

jeffy124 (453342) | more than 11 years ago | (#3807365)

I got burned by it yesterday morning (thank god I was the only one in the lab).

Basically, trolls found a way to embed javascript into a post, using the onmouseover function. Run the mouse over a post (no-click req'd) with this and get about 10 new windows showing goatse's glory.

Other variations on this were changing all the links in the page to goatse, alert("You're now being redirected to one of our sponsors.") only to get goatse, infinite loops of goatse pop-ups. You get the idea.....

When I found this, I ran over to SourceForge and wrote up a bug report. During the time I wrote it up, they took slashdot offline or something, as I couldn't reach anything other than the front page after doing the write-up. I suspect they (Jamie, CmdrTaco, etc) found a problem and thought they were r00t3d (or got a ton of WTF emails) and decided to shut the servers down and investigate further. Maybe then they found either my bug report, or others like it.

Jamie wrote in the report that they fixed the slashcode bug and have removed all the offending posts, citing the FAQ that they remove posts that contain bad HTML.
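The bug jeffy124 describes is the classic shape of a stored XSS in a comment system: the filter allowlists tag names but never looks at the attributes on an allowed tag, so `<a href="..." onmouseover="...">` survives. The JavaScript below is an added illustration, not Slashcode's code and not the fix Jamie shipped. It contrasts a sanitizer that only checks tag names with one that rebuilds each allowed tag from a per-tag attribute allowlist and vets `href` schemes (which also catches the `javascript:` link variant). The tag and attribute allowlists, the regex tokenizer, and the sample post are all assumptions made for the example.

```javascript
// Added example, not Slashcode's own code and not the actual fix.
// Models the bug the thread describes: a sanitizer that allowlists tag
// names but never inspects attributes lets onmouseover="..." through.
// The hardened version allowlists attributes per tag and checks URL schemes.

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Hypothetical tag allowlist, assumed for this example.
const ALLOWED_TAGS = new Set([
  "b", "i", "p", "br", "a", "em", "strong", "tt", "blockquote", "ol", "ul", "li",
]);

// Per-tag attribute allowlist (assumed). Tags not listed here keep no
// attributes at all, so on* handlers, style= and the like are always dropped.
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
const SAFE_SCHEMES = /^(https?|ftp|mailto):/i;

// Vulnerable: an allowed tag is copied through verbatim, attributes and all.
function naiveStrip(html) {
  return html.replace(TAG_RE, (whole, close, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? whole : "");
}

// Split the raw attribute string of one tag into [name, value] pairs.
function parseAttrs(raw) {
  const attrs = [];
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || "");
    attrs.push([m[1].toLowerCase(), value]);
  }
  return attrs;
}

// Accept relative URLs and a few known-safe schemes; reject javascript:,
// data:, vbscript: and friends. Control characters and spaces are stripped
// first because browsers ignore them inside the scheme (" java\tscript:" runs).
function safeUrl(url) {
  const cleaned = url.replace(/[\x00-\x20]/g, "");
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(cleaned);
  return !hasScheme || SAFE_SCHEMES.test(cleaned);
}

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened: rebuild every allowed tag from scratch, keeping only allowlisted
// attributes with vetted values. Tags not on the list are dropped, as before.
function strictStrip(html) {
  return html.replace(TAG_RE, (whole, close, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";
    if (close) return `</${tag}>`;
    const kept = [];
    const allowed = ALLOWED_ATTRS[tag];
    for (const [k, v] of parseAttrs(rawAttrs)) {
      if (!allowed || !allowed.has(k)) continue;   // drops onmouseover, style, ...
      if (k === "href" && !safeUrl(v)) continue;   // drops javascript: links
      kept.push(` ${k}="${escapeAttr(v)}"`);
    }
    return `<${tag}${kept.join("")}>`;
  });
}

// Constructed troll-style post for the demo (not a real post from the thread).
const SAMPLE_POST =
  '<a href="http://example.com/" onmouseover="window.open(\'http://example.invalid/\')">' +
  'read this</a> <b>bold</b> <a href="javascript:alert(1)">click</a>' +
  '<img src="x" onerror="alert(1)"><script>alert(1)</script>';

console.log("naive :", naiveStrip(SAMPLE_POST));
console.log("strict:", strictStrip(SAMPLE_POST));
```

Run it with `node sanitize.js`. The regex tokenizer is the weak point of this sketch: a quoted attribute value containing `>`, or a stray `<` that never closes, will make it disagree with the browser's parser, and parser disagreement is exactly what filter bypasses feed on. In production apply the same policy (tag allowlist, per-tag attribute allowlist, scheme check on URLs, rebuild rather than pass through) on top of a real HTML parser, and escape anything you cannot classify instead of trusting it.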

Re:yup.... (2)

Jucius Maximus (229128) | more than 11 years ago | (#3807425)

"Basically, trolls found a way to embed javascript into a post, using the onmouseover function. Run the mouse over a post (no-click req'd) with this and get about 10 new windows showing goatse's glory."

Stuff like this is one reason why I always browse with images turned OFF when at the office.

Re:yup.... (2)

phyxeld (558628) | more than 11 years ago | (#3809731)

So, there's an exploit where you can run javascript code "from" slashdot.org... and can read slashdot cookies... and the best exploit was a goatse popup? I would think someone would have taken advantage of this and, oh, harvested some fucking passwords or something. Or fucked with people's slashdot preferences. Or SOMETHING. But, no, the uncreative troll community just puts up a goatse popup. *sigh* (correct me if I'm wrong here..)

"Stuff like this is one reason why I always browse with images turned OFF when at the office."

HA! That's so fucking stupid I'm not even going to start...

Re:yup.... (2)

Jucius Maximus (229128) | more than 11 years ago | (#3809789)

"HA! Thats so fucking stupid I'm not even going to start..."

I agree but I am forced to use only MSIE 5 / Outlook97 and cannot install other software or even apply security patches. Because of this, I turn off all scripting as well. It's my only defence. At home I have better solutions like Moz and Konq. (Yeah, I turn them on if they are really needed to browse.)

Re:yup.... (1)

The Turd Report (527733) | more than 11 years ago | (#3808117)

citing the FAQ that they remove posts that contain bad HTML

So, why isn't the front page blank? ;)

Re:yup.... (1)

jeffy124 (453342) | more than 11 years ago | (#3808195)

lol.... with all the times they screw up links or forget the http://, I'm surprised the front page isn't missing more often.

Well (0)

Anonymous Coward | more than 11 years ago | (#3807461)

That's a big shocker.

i know why they got to it so fast..... (0)

Anonymous Coward | more than 11 years ago | (#3807665)

the bug was largely cross-platform. it affected:

Netscape
Internet Explorer
Opera
Konqueror
and most importantly... Mozilla

Re:i know why they got to it so fast..... (0)

Anonymous Coward | more than 11 years ago | (#3807793)

Yeah. I suspect the mozilla factor was the motivating factor for this one....

eh, Klerck?

The Silence Gets Us Nowhere Way Too Fast... (1)

dthable (163749) | more than 11 years ago | (#3808436)

Sorry to rip off the lyrics of a song, but it's so damn true. While Microsoft is patching bugs, the /. community, driven by the editors, flames them and expresses outrage that the truth isn't disclosed to the end users. So what do you call the last few weeks?

The bug in Apache, the OpenSSH flaw, and now the /. bad HTML bug. Each time the public talks about it we get responses similar to jamie's response...."Well, everyone needs to give us time to fix it and then they can talk about it or draw conclusions about the nature of the bug." I only have one message for all of these people....WTF.

Everyone expects to bash the evil world of commercial software and Microsoft, yet when they get caught with their pants down it's a different story. Everyone is still waiting on the response from the /. team and, more importantly, who it affects. Why is this so hard to produce from these teams? For now, I expect that the /. editors won't be bashing Microsoft, for let those free from sin cast the first stone.