YouTube Hit By HTML Injection Vulnerability

Soulskill posted more than 3 years ago | from the enjoy-the-holiday-google dept.

Youtube 224

Virak writes "Several hours ago, someone found an HTML injection vulnerability in YouTube's comment system, and since then sites such as 4chan have had a field day with popular videos. The bug is triggered by placing a <script> tag at the beginning of a post. The tag itself is escaped, but everything following it is cheerfully placed in the page as is. Blacked out pages with giant red text scrolling across them, shock site redirects, and all sorts of other fun things have been spotted. YouTube has currently blocked such comments from being posted and set the comments section to be hidden by default, and appears to be in the process of removing some of these comments, but the underlying bug does not seem to have been fixed yet."

224 comments

Series of tubes... (5, Funny)

ae1294 (1547521) | more than 3 years ago | (#32792264)

All of your tubes are belonging to US now.

Re:Series of tubes... (5, Funny)

KevMar (471257) | more than 3 years ago | (#32792282)

Somebody set up us the script bomb

Re:Series of tubes... (3, Insightful)

Anonymous Coward | more than 3 years ago | (#32792370)

Really? They're really only removing some of them? When they can just do a simple delete query and wipe everything with a properly escaped script tag at the top of the comment? Wow. Just wow.

The solution to this is for users to be asked if they want to participate in commented sections when signing up. Not just at youtube, but everywhere. And probably not just comments, but any user input area.

Re:Series of tubes... (4, Funny)

ae1294 (1547521) | more than 3 years ago | (#32792656)

Really? They're really only removing some of them? When they can just do a simple delete query and wipe everything with a properly escaped script tag at the top of the comment? Wow. Just wow.

Shhh.... one word... overtime pay.

I experienced this! (5, Funny)

Anonymous Coward | more than 3 years ago | (#32792270)

I went to youtube, but all I saw was crap material. Someone had injected a bunch of crap!

Re:I experienced this! (1, Troll)

sopssa (1498795) | more than 3 years ago | (#32792366)

I don't really understand who uses YouTube like that anyway. Usually I search for something and I get what I want, or I follow a link [youtube.com] on a discussion that is already interesting to me [youtube.com]. Then there are also many sites and forums that categorize videos of a certain theme. YouTube is obviously too big to cater for everyone in a different way.

htmlspecialchars() (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32792274)

Problem solved?

Re:htmlspecialchars() (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32792430)

I think you can count the lines of PHP in the Youtube codebase on zero hands, but yes, that would be the gist of it.
Proper escaping isn't that hard, so this sounds like a poorly thought-out anti-injection measure accidentally circumvented the usual escaping. Generic blacklist-based XSS filters are pretty much useless, there's just too many ways to get a browser to execute some code, even without the general potential for fucking up your site.

Re:htmlspecialchars() (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32792552)

It's not that hard for a small typo to result in something like this:

$text =~ s/([<>])/'&#'.ord($1).';'/ge;
vs
$text =~ s/([<>])/'&#'.ord($1).';'/e;

And not that hard to introduce such a bug when working on existing code to support new output mediums (such as in ajax responses or mobile or the like). In theory code review is supposed to catch it, but...

Re:htmlspecialchars() (2, Insightful)

Anonymous Coward | more than 3 years ago | (#32792910)

Indeed, which is why everyone but Perl programmers use library functions rather than writing their own regular expressions for working with markup. As a bonus you avoid little bugs like forgetting to escape '&', and it'll probably escape '"' and ''' as well so you can use it for attributes.
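
Added example, not part of the thread and not YouTube's code: the dropped-flag typo from the Perl comment above and the missing `&`, `"` and `'` handling from the reply, reproduced in JavaScript, where `String.replace` with a non-global regex also stops after the first match. Function names and sample strings are constructed for illustration.

```javascript
// Numeric character reference, like the Perl '&#'.ord($1).';' replacement above.
const toEntity = (ch) => `&#${ch.charCodeAt(0)};`;

// The typo (kept on purpose): no "g" flag, so replace() stops after the
// FIRST match, the same effect as dropping /g from the Perl substitution.
function escapeFirstOnly(text) {
  return text.replace(/[<>]/, toEntity);
}

// Flag restored: every < and > is replaced, but & " ' pass through, so the
// result is unsafe inside a quoted attribute and mangles text such as "&lt;".
function escapeAnglesOnly(text) {
  return text.replace(/[<>]/g, toEntity);
}

// What a library escaper does: one pass over all five significant characters.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Regression check for a test suite: characters in the escaped output that
// a browser would still treat as markup or as the end of a quoted attribute.
function liveCharacters(escaped) {
  return escaped.match(/[<>"']/g) || [];
}

// Constructed inputs: a comment that opens with a script tag, and a value
// destined for a double-quoted attribute.
const COMMENT = '<script><marquee>hello</marquee>';
const ATTRIBUTE_VALUE = 'x" data-extra="y';

// Run each escaper over both inputs and count what stays live.
function report() {
  return [escapeFirstOnly, escapeAnglesOnly, escapeHtml].map((fn) => ({
    escaper: fn.name,
    comment: fn(COMMENT),
    liveInComment: liveCharacters(fn(COMMENT)).length,
    liveInAttribute: liveCharacters(fn(ATTRIBUTE_VALUE)).length,
  }));
}

console.table(report());
```

A check like `liveCharacters` in the unit tests for each output path (page, AJAX response, mobile view) catches the one-character regression that review can miss.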

Re:htmlspecialchars() (0)

Anonymous Coward | more than 3 years ago | (#32792582)

Hm. "too many ways" was supposed to be a link here [ckers.org] . Has /. got rogue XSS filter roaming about as well?

Re:htmlspecialchars() (1)

Peach Rings (1782482) | more than 3 years ago | (#32792674)

Does anyone understand what IF_HTML_FUNCTION is supposed to mean in the exploit code? As far as I can tell it's just plain text with no special meaning, it's just copied and pasted blindly from some previous code. Am I wrong?

Ha ha (1)

grub (11606) | more than 3 years ago | (#32792288)

Awesome. The youtubers getting their panties in a knot have to lighten up. Based on some of their comments, you'd think the world was coming to an end.

Re:Ha ha (5, Funny)

bsDaemon (87307) | more than 3 years ago | (#32792300)

Based on the typical YouTube comment (or video, for that matter), I already had sort of expected that to be the case.

Re:Ha ha (1)

jack2000 (1178961) | more than 3 years ago | (#32793020)

It is so bad I had to re-purpose a greasemonkey script that changes the style of youtube to hide the comments section. What were they thinking taking out the option to hide the damn comments?

Re:Ha ha (0, Flamebait)

Anonymous Coward | more than 3 years ago | (#32792558)

Awesome?

How can you have a Slashdot ID as low as 11606, and still have a mental age of 17???

Re:Ha ha (0)

Anonymous Coward | more than 3 years ago | (#32792682)

Only someone with a mental age of 12 would associate an ID number with a mental age.

Re:Ha ha (1)

mickwd (196449) | more than 3 years ago | (#32792790)

Well, given that such a low ID would have been given out a number of years ago now........

People do get older, you know.

Re:Ha ha (4, Insightful)

twidarkling (1537077) | more than 3 years ago | (#32792830)

Physical age doesn't necessarily correspond to mental age. Personally, I've been getting more immature as years pass.

Re:Ha ha (1)

Cylix (55374) | more than 3 years ago | (#32793096)

Well, given that such a low ID would have been given out a number of years ago now........

People do get older, you know.

No they don't. PooFace!

Re:Ha ha (4, Funny)

SpeedyDX (1014595) | more than 3 years ago | (#32792692)

YouTube is supposed to be a kid-friendly place. Parents could do their best to try to responsibly monitor and guide their kids' surfing habits, but still fail because of this exploit. This is not funny, nor awesome. This is not someone finding a potential exploit and graciously letting Google know so they can patch it up. Just a bunch of 4channers screwing around, and to hell with the consequences. And people like you encouraging that type of behaviour.

Just because this is The Internet(TM), it doesn't mean that common courtesy need not apply.

Re:Ha ha (0)

Anonymous Coward | more than 3 years ago | (#32792710)

If the kid is young enough to be bothered by such exploits, the kid should not surf alone, ever.

The Youtube or Internet in general is not a babysitter.

Re:Ha ha (1)

JohnFen (1641097) | more than 3 years ago | (#32792768)

YouTube is supposed to be a kid-friendly place.

Good lord, that's the funniest thing I've read in a while. Thank you.

YouTube itself (the videos) is generally fine, but the comment section is one of the more famous and major of the internet cesspools. I would never characterize it as "kid-friendly".

Re:Ha ha (1)

negRo_slim (636783) | more than 3 years ago | (#32792936)

YouTube is supposed to be a kid-friendly place.

Good lord, that's the funniest thing I've read in a while. Thank you.

Yup soon the Texas Donk Squad [youtube.com] will over take Sesame Street in children's programming.

Re:Ha ha (1, Insightful)

Anonymous Coward | more than 3 years ago | (#32792772)

Have you taken a look in the real world lately. Common courtesy doesn't seem to apply there either.

Re:Ha ha (2, Informative)

Anonymous Coward | more than 3 years ago | (#32792714)

From what I've seen, there were not only simple insults and racist annoyances, but numerous redirects to the hardest shock site you've probably ever seen. That video makes 2girls1cup, benzin.avi and even the hardest war-porn look like family-friendly softcore entertainment in comparison. It has something to do with 1 man and 1 jar and I dare you to Google that if you have doubt this is emotionally scarring material.

Re:Ha ha (0)

Anonymous Coward | more than 3 years ago | (#32792950)

oh god. oh god no. why did i look.

Evolution of an exploit (5, Informative)

Anonymous Coward | more than 3 years ago | (#32792296)

The evolution of this bug exploit was quite interesting to follow up close.

At first it simply prevented any further comments to be posted.
Then text was added.
Then the text was scrolling.
Suddenly, the entire page was blacked out except for the added text.

And that's when the more technical minded people realized much much more was possible.
Bam! Popups!
Infinite popups that lead to browser crashes!
Page redirects to shock sites!
The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..

And when the exploit was blocked in the comments, it had a small resurgence as video reply title, before being smacked down once more.

Glorious.

Re:Evolution of an exploit (0)

Anonymous Coward | more than 3 years ago | (#32792484)

The most sophisticated version I saw actually replaced the Youtube video in-place with the 1man1jar video..

tell the truth, it was the original content and you weren't rickrolled.

Re:Evolution of an exploit (5, Interesting)

larry bagina (561269) | more than 3 years ago | (#32792554)

Reminds me of the slashdot <a onhover=".."> bug. It was a while back (2000-2002 era?) but inline javascript wasn't filtered from a tags. The first exploit (that I saw, anyhow) simply used DHTML (as it was then known) to add (paraphrasing) "I can't believe this hasn't been fixed" to the post. (which took about 5 minutes given the speed of computers, javascript, and dom manipulation). About 30 seconds later, redirects to porn, last measure, etc appeared. Slashdot's initial response was to mod them down to -5 and then deleting them.

Re:Evolution of an exploit (4, Insightful)

wmbetts (1306001) | more than 3 years ago | (#32792570)

I'm really surprised it was used for trolling rather than making money. That seems like a phisher's wet dream.

Re:Evolution of an exploit (0)

Anonymous Coward | more than 3 years ago | (#32793008)

I'm really surprised it was used for trolling rather than making money. That seems like a phisher's wet dream.

Don't underestimate the stupidity of adolescents who spend too much time on Youtube.

Re:Evolution of an exploit (4, Interesting)

Anonymous Coward | more than 3 years ago | (#32792758)

I saw someone on /g/ claim to have pulled 300k+ youtube user cookies doing this. The bad thing is your YT account is usually tied to gmail now. Scary... glad I had noscript on.

Re:Evolution of an exploit (0)

Anonymous Coward | more than 3 years ago | (#32793242)

>implying anyone on /g/ has any hacker skills whatsoever

An update (5, Informative)

Virak (897071) | more than 3 years ago | (#32792298)

They actually got it fixed a bit after I submitted this story. A shame, lemonparty was a big step up from the usual level of discussion on YouTube videos. More seriously, I'm interested in finding out exactly what happened here. Hopefully Google will post some sort of explanation. YouTube is a massive site and it's somewhat bizarre seeing them make the sort of mistake you'd expect from something put together by a drooling moron with nothing but a "How to learn PHP in 24 hours!" book.

Why natural language needs grouping symbols (5, Funny)

Anonymous Coward | more than 3 years ago | (#32792350)

a "How to learn PHP in 24 hours!" book

Does that mean:

1. It teaches you, over the course of an unspecified period of time, how to learn PHP in 24 hours?
2. It teaches you, over the course of 24 hours, how to learn PHP? or
3. After 24 hours have elapsed, it teaches you how to learn PHP?

Note that it doesn't actually teach you PHP. It just teaches you how to learn it.

Re:Why natural language needs grouping symbols (1)

JamesP (688957) | more than 3 years ago | (#32792516)

Actually, it teaches you PHP if you're on the cast of '24 hours'

Re:Why natural language needs grouping symbols (3, Funny)

maxwell demon (590494) | more than 3 years ago | (#32792526)

No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

Re:Why natural language needs grouping symbols (5, Funny)

osu-neko (2604) | more than 3 years ago | (#32792926)

No, it tells you how you learn the lesser-known language named "PHP in 24 hours" which differs from normal PHP in that the scripts always take 24 hours to run.

An optimized version, then? ;)

Re:Why natural language needs grouping symbols (2, Funny)

weicco (645927) | more than 3 years ago | (#32792616)

I can't wait 24 hours! Got to get 12 hour book...

Re:Why natural language needs grouping symbols (0)

Anonymous Coward | more than 3 years ago | (#32792706)

Sams actually have a Teach Yourself X in 10 Minutes range!

Re:Why natural language needs grouping symbols (1)

roman_mir (125474) | more than 3 years ago | (#32792752)

It does no such thing, that book talks about a guy I know, who is about to learn PHP. The guy's name is How, yes all my friends are like that.

Re:Why natural language needs grouping symbols (2, Funny)

CODiNE (27417) | more than 3 years ago | (#32792776)

I've seen the book, option 3 is the correct answer.

It's 1,440 pages of "Wait one minute, then turn the page" which sadly forces one into an inescapable loop for 24 hours. After one has starved, missed sleep and soiled oneself through this excruciating 24 hour period the last page says only this:

Buy the book titled 'This book teaches you PHP'.

I was thoroughly disappointed.

Re:Why natural language needs grouping symbols (1)

tomhudson (43916) | more than 3 years ago | (#32792784)

I'm in Canada - we're on METRIC time, you insensitive clod! 100 seconds per minute, 100 minutes per hour, 10 hours per day!

Re:Why natural language needs grouping symbols (1, Informative)

Anonymous Coward | more than 3 years ago | (#32793230)

That's DECIMAL time, not metric time.

SI units only define second, so there is 1 second, 1 kilo-second, 1 mega-second, 1 giga-second, etc...

http://en.wikipedia.org/wiki/Decimal_time
http://en.wikipedia.org/wiki/Metric_time

If you look in the first link, you'll notice that 1 decimal-second = 0.864s

Re:Why natural language needs grouping symbols (0)

Anonymous Coward | more than 3 years ago | (#32792854)

It means that you shouldn't use PHP libraries. It only takes 5 minutes in C.

Re:Why natural language needs grouping symbols (1)

noidentity (188756) | more than 3 years ago | (#32792860)

Note that it doesn't actually teach you PHP. It just teaches you how to learn it.

Does this mean that you learn how to teach it?

tags, quoting and XSS (1)

Gopal.V (532678) | more than 3 years ago | (#32792402)

If I had to guess, I think it's a variant of an attack [notmysock.org] I've seen before.

Re: tags, quoting and XSS (1)

Peach Rings (1782482) | more than 3 years ago | (#32792680)

Ah the intricacies of the Firefox codebase.

Re: tags, quoting and XSS (0)

Anonymous Coward | more than 3 years ago | (#32792794)

Nothing to do with Firefox. HTML does not interpret Javascript, so in some sense, this is the "correct" (and very unfortunate) behavior.

Re:An update (1)

mikael_j (106439) | more than 3 years ago | (#32792424)

Yes, this does seem like the kind of bug I'd expect a halfway competent dev to take into consideration when building a site. A very simple fix is to translate all < and > characters to the &lt; and &gt; versions instead, AFAIK youtube doesn't even allow HTML in comments anyway...

They hid all comments... (5, Insightful)

Inf0phreak (627499) | more than 3 years ago | (#32792310)

wait for it... wait for it... And nothing of value was lost!

... if you want to keep it (4, Informative)

xororand (860319) | more than 3 years ago | (#32792520)

Get the YouTube Comment Snob [mozilla.org] addon for Firefox.

YouTube Comment Snob filters out undesirable comments from YouTube comment threads. You can choose to have any of the following rules mark a comment for removal:

* More than # spelling mistakes: The number of mistakes is customizable, and the extension uses Firefox's built-in spell checker.
* All capital letters
* No capital letters
* Doesn't start with a capital letter
* Excessive punctuation (!!!! ????)
* Excessive capitalization
* Profanity

Re:... if you want to keep it (4, Funny)

Rallion (711805) | more than 3 years ago | (#32792716)

*Reads list of filtering options*

So does it just hide the whole comment section, or show it as being empty?

Re:... if you want to keep it (0)

Anonymous Coward | more than 3 years ago | (#32793106)

I just installed SlashDot Comment Snob and the site is blank!

Re:They hid all comments... (1)

Yvanhoe (564877) | more than 3 years ago | (#32792586)

The day youtube implements a slashcode moderation system, internet will awake to global consciousness...

Really? (2, Interesting)

Dremth (1440207) | more than 3 years ago | (#32792318)

Wow. You'd think somebody would've figured out something like this a long time ago.

Re:Really? (0, Redundant)

sopssa (1498795) | more than 3 years ago | (#32792346)

They probably introduced the bug recently. It's not like they wrote the code once 6 years ago and called it done, code on websites changes all the time and generally with any program it's easier to miss something and introduce new bugs in existing code since you can quite easily forget something.

Re:Really? (4, Insightful)

Scrameustache (459504) | more than 3 years ago | (#32792382)

Wow. You'd think somebody would've figured out something like this a long time ago.

But since merely gazing at youTube comments lowers your IQ by at least 20 points, I'm actually amazed someone found it. Must have used some kind of proxy who looked at it, got dumber for it, but managed to pass along the code to someone who could look at it without being exposed to the dumb.

It happened to Slashdot years ago. (1)

Anonymous Coward | more than 3 years ago | (#32792334)

Someone used an > to fool the tag parser and did recurring alert boxes and also redirects to Goatse. It's quite a common problem, as illustrated by Bobby Tables.

The very definition of Youtube (5, Funny)

Anonymous Coward | more than 3 years ago | (#32792340)

Lots of people anonymously "injecting" a bunch of crap into a website for all others to see.

This exploit is just an alternative to the original "Upload Video" button.

I'd love to see the Comments removed period (2, Interesting)

Anonymous Coward | more than 3 years ago | (#32792348)

A lot of the comments are just troll BS. Most people log on for videos not to read the ramblings of basement dwelling trolls. I try to ignore them but they can be really obnoxious. I don't post on Youtube but I have had things pirated and posted just so they could make obnoxious comments. The work posted was just previs stuff that was just done for editing slugs but it was presented as finished work. It caused some trouble with a client so I got a lot more careful about letting development work out there. It's just sad a handful have to spoil things for everyone else. I used to post a lot of development work on my web site but I stopped completely. Trolls are like the people that talk and answer phone calls and take infants to movies. They really spoil the experience for the rest of us. I say if the comments can't be a constructive outlet then remove them and get rid of that security hole completely. The other option for security would be removing the HTML and go pure text. It's nice having HTML input but you don't really need the formatting for comments and it's always going to be a source of potential holes.

Re:I'd love to see the Comments removed period (4, Interesting)

grumbel (592662) | more than 3 years ago | (#32792456)

A lot of the comments are just troll BS.

Yes, but I blame the comment system for that. A comment system that doesn't allow links, doesn't allow more than a handful of characters, is a complete usability nightmare when you want to browse more than the last ten comments, doesn't allow search and doesn't support threads or replies properly is just useless when you actually want to write something insightful. A comment system should encourage informative posts, not make them impossible like the Youtube system does.

The latest changes that the highest rated comments and comments from the video upload appear on top have helped a bit to clean up the mess, but it's still far away from being a comment system where people actually can have a meaningful discussion.

Someone needs to lose their job over this (1, Funny)

l0ungeb0y (442022) | more than 3 years ago | (#32792410)

What idiot doesn't check user input with at least a regex replace to look for offending tags in fields *YOU KNOW* will be rendered by an HTML interpreter (browser)?
Languages like PHP even have built-in routines that will strip out all HTML tags except for safe ones you specify, it's been a few years, but I believe it's called htmlSafeTags(string, array of safe tags).

This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.

Re:Someone needs to lose their job over this (0)

Anonymous Coward | more than 3 years ago | (#32792466)

Are you retarded? Look at the exploit. It is not an obvious error in the sanitization logic. Obviously you can't type in and expect it to work, the actual exploit is quite a bit more involved. HTML tags are escaped out on YT by default, this was a case where escape logic had a bug in it.

You're like one of those people that goes, oh dentists, they just put anesthetic gas and pull teeth! are they so dumb that they can't turn the valve, sheesh. Can't be THAT hard to gas somebody first.

Re:Someone needs to lose their job over this (5, Informative)

Krahar (1655029) | more than 3 years ago | (#32792486)

This isn't a simple mistake, it's a sign of pure incompetence since the developer put no forethought into the uses of the tool he was developing and blindly trusted user input from a textarea. User input is dirty, dirty dirty and any developer who does not clean and sanitize it before consuming it is not doing his/her job.

The summary states that the first script tag was escaped as it should be. It was a bug, not a lack of foresight.

Re:Someone needs to lose their job over this (0)

Anonymous Coward | more than 3 years ago | (#32792906)

It's a sign of incompetence. You never "filter" user input if it's a security issue. Always parse and resynthesize. No chance of bugs like this slipping in then.

Re:Someone needs to lose their job over this (1)

Sigma 7 (266129) | more than 3 years ago | (#32792632)

What idiot doesn't check user input with at least a regex replace to look for offending tags in fields *YOU KNOW* will be rendered by an HTML interpreter (browser)?

http://thedailywtf.com/articles/injection-proofd.aspx [thedailywtf.com]

Reactive regexing of offending tags such as "script", "object" or "embed" doesn't work if you don't know they exist. As such, it's easier to simply include functions in the programming language API that escape/unescape strings sent in through user input so that junk like that doesn't get echoed into something hazardous.
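The contrast drawn in the two comments above (a tag blocklist versus escaping, and "filter" versus "parse and resynthesize"), as an added example that is not part of any poster's comment and not YouTube's code. The blocklist contents, the allowlist, the function names and the sample comment are all assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed blocklist: a "reactive" filter knows only the tags someone thought of.
_BLOCKED = re.compile(r"</?\s*(?:script|object|embed)\b[^>]*>", re.IGNORECASE)

def blocklist_filter(comment):
    """Weak: delete known-bad tags, pass everything else through as markup."""
    return _BLOCKED.sub("", comment)

def escape_all(comment):
    """Hardened, no formatting supported: the whole comment becomes text."""
    return html.escape(comment, quote=True)

class _Resynth(HTMLParser):
    """Parse, then rebuild the output from scratch: bare allowlisted tags only,
    attributes never copied, all text re-escaped."""
    ALLOWED = {"b", "i", "em", "strong"}  # assumed allowlist for this example

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:
            self.out.append("<%s>" % tag)

    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

def resynthesize(comment):
    """Hardened, limited formatting: emit only what the allowlist permits."""
    parser = _Resynth()
    parser.feed(comment)
    parser.close()
    return "".join(parser.out)

def tags_in(rendered):
    """Element names an HTML parser still finds in the rendered output."""
    found = []
    lister = HTMLParser()
    lister.handle_starttag = lambda tag, attrs: found.append(tag)
    lister.feed(rendered)
    lister.close()
    return found

# Constructed sample: tags the blocklist has never heard of, plus an attribute.
SAMPLE = '<marquee><b style="color:red">hi</b> & bye</marquee>'

if __name__ == "__main__":
    for clean in (blocklist_filter, escape_all, resynthesize):
        out = clean(SAMPLE)
        print("%-16s %-22s %s" % (clean.__name__, tags_in(out), out))
```

The resynthesizer does not balance tags, so an unclosed allowlisted tag is emitted as is; a production version would also close any elements left open.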

Re:Someone needs to lose their job over this (1)

sound+vision (884283) | more than 3 years ago | (#32793024)

Youtube comments are appreciably complex - You can type in a timecode and it appears in the comment as a link that directs the Flash to jump to the specified point in the stream, for just one example. So the code that processes the comments is more complex than simply taking user input, scrubbing it, and writing it at the specified point in the HTML. As a developer, you should know that as the complexity of code increases, the potential for ever more weirdly complex bugs also increases. I don't know if we'll ever hear an explanation from Google about the specifics of the bugged code, but I wouldn't be so quick to deem whoever (or rather, whichever team) wrote it as totally incompetent and worthy of a pink slip.

Ebaumsworld (0, Troll)

Anonymous Coward | more than 3 years ago | (#32792470)

word is its Ebaumsworld course you can't trust the b tards anymore than you can them.

Re:Ebaumsworld (0)

Anonymous Coward | more than 3 years ago | (#32792490)

Hi /b/, having fun today?

Interest pondering the how and why of such fails (3, Interesting)

DRJR (1842278) | more than 3 years ago | (#32792500)

I find it interesting pondering the how and why these things fail-- the insight into how the code must have been put together to fail on a particular input.

My initial guess for this one would be that they escape html and scripts separately-- scripts do not need greater than, less than, and ampersand escaped-- and that detecting the keyword 'script' switched modes from html to script. The fact that the first script tag is properly html-escaped suggests that while it was properly detected, the code to switch between html and script modes did not take this detection into account and switched anyway. I'm going to further guess that this is due to some support code meant for the programmers' side inadvertently managing to cross over into user land.

My two cents.
--Dave Romig, Jr.

Re:Interest pondering the how and why of such fail (1)

mwvdlee (775178) | more than 3 years ago | (#32792596)

Why would they have a distinction between a HTML and a script mode on comments? Is there any reason you'd ever want a comment to contain a script?

Re:Interest pondering the how and why of such fail (1)

linguizic (806996) | more than 3 years ago | (#32792712)

Exactly, why not just escape the whole thing? Or if you're even more paranoid, why not just strip the script tags and everything in between? That being said, the fact that this exploit exists in the first place shows that they're not doing either one of those things.

Re:Interest pondering the how and why of such fail (0)

Anonymous Coward | more than 3 years ago | (#32792694)

I find it interesting pondering the how and why these things fail-- the insight into how the rig must have been put together to fail and cause a blowout.

My initial guess for this one would be that they were separating the fish and oil with a valve-- when you're drilling on the seafloor some fish will get sucked into the tubes and will have to be let out into the ocean again-- and that a fish happened to get into the "oil" tube, which confused the valve into switching modes from fish to oil. The fact that they started releasing oil into the sea suggests that while the fish was properly detected, the code to switch between fish and oil modes did not take this detection into account and switched anyway. I'm going to further guess that this is due to some support pipes meant for the engineers' side inadvertently managing to cross over into Florida.

My two cents.
--Anonymous Coward

Massive rickroll? (5, Funny)

mwvdlee (775178) | more than 3 years ago | (#32792580)

If they didn't redirect ALL videos to a Rick Astley video, they have missed the opportunity of a lifetime.

Is it Christmas already? (4, Interesting)

dswensen (252552) | more than 3 years ago | (#32792610)

Comments turned off by default? Great! Any chance they can make that permanent?

Re:Is it Christmas already? (2, Insightful)

Max Romantschuk (132276) | more than 3 years ago | (#32792696)

The comments never bothered me. I simply don't read them.

Re:Is it Christmas already? (1)

osu-neko (2604) | more than 3 years ago | (#32793002)

The comments never bothered me. I simply don't read them.

This sounds good in theory. In practice, people who read a lot generally cannot help but successfully read entire sentences in their peripheral vision. Nothing short of removing the text from my visual field will prevent the meaning of the words from becoming instantly lodged in my brain the moment they appear anywhere visible.

Re:Is it Christmas already? (4, Informative)

Wingnut64 (446382) | more than 3 years ago | (#32792846)

Any chance they can make that permanent?

Use Adblock Plus and add the following element hiding rules:

##div#watch-discussion
##div.watch-comment-entry

1epi (0)

Anonymous Coward | more than 3 years ago | (#32792618)

read more about the vulnerability here : http://blog.insecurity.ro/youtube-html-code-injection/
tinkode found it.

Trolling as a method to expedite bug fixes? (5, Interesting)

twidarkling (1537077) | more than 3 years ago | (#32792916)

Since this was turned in to a massive, YouTube-wide trolling effort, it's being fixed nearly immediately. What if 4chan hadn't gotten a hold of it though? What if some scammers/spammers did? And used it for weeks? It would have been more subtle, and with YouTube's traffic, it could have been massively successful. Who knows what effect that could have had if this wasn't caught quickly. Did 4chan just do a good thing?

Re:Trolling as a method to expedite bug fixes? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#32793156)

For some reason, you're assuming it wasn't used by scammers, and that it wasn't known for more than a few hours.

Ebaums (0)

Anonymous Coward | more than 3 years ago | (#32792956)

Fun stuff, but I believe it was done by the notorious Ebaums world, and not 4chan.

Server vs. Client? (1)

Kaenneth (82978) | more than 3 years ago | (#32793170)

How much of this kind of problem is caused by the standard behavior of browsers to make a 'best guess' at interpreting 'bad' HTML, since the parsing rules are very lax compared to XML?

Should unmatched tags cause the browser to stop and say 'Parsing Error, Invalid HTML'? (or whatever user-friendly message the browser author writes)

'cause I could totally imagine someone, somewhere writing a browser that sees '&lt's and auto-re-encodes them, then does its tag parsing.

Back around 1998 I worked for a company that made e-commerce sites as their first tester for less than a month. The first bug I found was that a new user could insert script tags in their username (any field, really), my employer's response was "Why would anyone want to hack a website?"... I wouldn't drop the issue, so they dropped me.
