XSS vulnerability in SNEAK 1.27 (PHP version)
Posted by Ret. Lambda CinC snarkles
On 2008-01-17 02:25:19
Big thanks to Frank Nguyen who tipped me off to an XSS vulnerability in the Caesar Bruteforce option in SNEAK 1.27. Its output was not properly being escaped, because it prints stuff directly to the browser rather than running through the central filtering routine (holy cow I used to write simply awful PHP ;)).
Unfortunately, I've not been active in CyberArmy for over two years (as you probably know :D), so I am not sure of my login credentials, etc. for SVN anymore. But there's a new 1.28 version of SNEAK available on my site at http://snarkles.net/scripts/sneak/sneak-1.28.zip. If someone could replace the version in CyberArmy's SVN with that one, that'd be awesome!
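The post above describes the root cause rather than the code: the Caesar brute-force page echoed its results straight to the browser instead of passing them through SNEAK's central filtering routine. The following is an added illustration, not SNEAK's own code; the function names (`filter_output`, `caesar_bruteforce`, `render_bruteforce_html`) and the sample input are assumptions made for the example. It keeps the cipher logic free of HTML and routes every user-derived string through one escaping function before it reaches the page.

```php
<?php
// Added example (not SNEAK's code): a Caesar brute-force page whose output is
// built through a single escaping routine instead of being echoed directly.

// Hypothetical "central filtering routine": every string that reaches the
// browser goes through here. ENT_QUOTES also covers attribute contexts.
function filter_output(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Shift ASCII letters by $shift positions. Non-letters pass through untouched,
// which is why '<', '>' and quotes from the input survive into every candidate.
function caesar_shift(string $text, int $shift): string
{
    $out = '';
    $len = strlen($text);
    for ($i = 0; $i < $len; $i++) {
        $c = $text[$i];
        if (ctype_upper($c)) {
            $out .= chr((ord($c) - 65 + $shift) % 26 + 65);
        } elseif (ctype_lower($c)) {
            $out .= chr((ord($c) - 97 + $shift) % 26 + 97);
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// All 25 candidate plaintexts, keyed by shift: pure computation, no HTML here.
function caesar_bruteforce(string $ciphertext): array
{
    $candidates = [];
    for ($shift = 1; $shift < 26; $shift++) {
        $candidates[$shift] = caesar_shift($ciphertext, $shift);
    }
    return $candidates;
}

// The pattern the post describes (shown only as a comment): each candidate is
// echoed straight into the page, so markup in $ciphertext is rendered as markup.
//   foreach (caesar_bruteforce($ciphertext) as $shift => $plain) {
//       echo "<li>Shift $shift: $plain</li>";   // unescaped: the XSS
//   }

// Hardened rendering: the HTML is assembled here and every user-derived string
// is escaped by filter_output() before it is concatenated in.
function render_bruteforce_html(string $ciphertext): string
{
    $html = "<ul>\n";
    foreach (caesar_bruteforce($ciphertext) as $shift => $plain) {
        $html .= sprintf("<li>Shift %d: %s</li>\n", $shift, filter_output($plain));
    }
    return $html . "</ul>\n";
}

// Constructed sample input (ROT13 of "Hello world" with a <b> tag mixed in).
// Shift 13 yields "Hello <b>world</b>", which the escaping turns into
// "Hello &lt;b&gt;world&lt;/b&gt;" so the browser shows it as text.
$sample = 'Uryyb <b>jbeyq</b>';
echo render_bruteforce_html($sample);
```

The point of the split is that `caesar_bruteforce()` never knows about HTML and `render_bruteforce_html()` never prints: a page that only ever emits strings returned by the renderer cannot bypass `filter_output()` by accident, which is the failure mode the post attributes to SNEAK 1.27.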
SNEAK 1.28 (PHP version) Uploaded to SVN
Posted by Beta Maj SAJChurchey
On 2008-06-08 05:27:04
If you are using this script anywhere and haven't already updated it, you need to.
Hello stranger! :)...
Posted by Delta Gen int16h
On 2008-01-17 02:27:00
eek @ XSS :P Naughty ;)
How have you been?
I'm a MacWhore now!
On 2008-01-17 02:25:19, snarkles wrote
>Big thanks to Frank Nguyen who tipped me off to an XSS vulnerability in the Caesar Bruteforce option in SNEAK 1.27. Its output was not properly being escaped, because it prints stuff directly to the browser rather than running through the central filtering routine (holy cow I used to write simply awful PHP ;)).
>
>Unfortunately, I've not been active in CyberArmy for over two years (as you probably know :D), so I am not sure of my login credentials, etc. for SVN anymore. But there's a new 1.28 version of SNEAK available on my site at http://snarkles.net/scripts/sneak/sneak-1.28.zip. If someone could replace the version in CyberArmy's SVN with that one, that'd be awesome!
RE: Hello stranger! :)...
Posted by Ret. Lambda CinC snarkles
On 2008-01-17 03:25:20
On 2008-01-17 02:27:00, int16h wrote
>eek @ XSS :P Naughty ;)
Indeed. :( There was another XSS vulnerability back a few years ago that the CSA brigade found, but this one was in one of the newer functions I added after that audit.
>How have you been?
Really well! Still working on Drupal stuff, traveling out of the country at least once a month teaching, etc. My job makes me kind of like Robin Hood... Our company makes websites for companies like Sony and MTV, and the improvements we make go back out in the open source community, where they're used by Amnesty International and the United Nations. ;) It's a pretty sweet gig. :D
>I'm a MacWhore now!
OMG. Me too. :( There's no other platform where you can test Safari, IE, and Konqueror on the same machine. ;) Plus having an actual Unix command prompt anywhere you go is pretty sweet. :) There are still some things that really annoy me about it... like hitting enter on a highlighted file/folder *renames* it (?) rather than executes it, and when you hit some arcane button combination you see all the windows on your desktop pull to the outer edges sllllooowwwwllllyyy and ever so infuriatingly. :P But whatever. It has OmniGraffle. That's a plus. ;)
Good to see you still kicking around these parts. :)
RE: Hello stranger! :)...
Posted by Delta Gen int16h
On 2008-01-17 03:47:03
>Indeed. :( There was another XSS vulnerability back a few years ago that the CSA brigade found, but this one was in one of the newer functions I added after that audit.
Aaah, I forgot all about that :X
>Really well! Still working on Drupal stuff, traveling out of the country at least once a month teaching, etc. My job makes me kind of like Robin Hood... Our company makes websites for companies like Sony and MTV, and the improvements we make go back out in the open source community, where they're used by Amnesty International and the United Nations. ;) It's a pretty sweet gig. :D
Great & cool! I had been using Drupal myself quite a bit until recently. It's certainly nothing like the Yet-Another-Crappy-PHP-CMS systems around, I like it! It's great that you get to travel a bit, and even more so about giving back to the OSC :D
>>I'm a MacWhore now!
>
>OMG. Me too. :( There's no other platform where you can test Safari, IE, and Konqueror on the same machine. ;) Plus having an actual Unix command prompt anywhere you go is pretty sweet. :) There are still some things that really annoy me about it... like hitting enter on a highlighted file/folder *renames* it (?) rather than executes it, and when you hit some arcane button combination you see all the windows on your desktop pull to the outer edges sllllooowwwwllllyyy and ever so infuriatingly. :P But whatever. It has OmniGraffle. That's a plus. ;)
Haha, yeah! I don't have real Apple hardware yet (well, none that can't be considered antiques!) but the laptop I bought at New Year works 99% perfectly with Leopard (Full Sound, Gfx, Network, Wifi)... I love the ease of use, compatibility but also the power of a UNIX-like OS :)
>Good to see you still kicking around these parts. :)
And you! If nobody else will hit me with frying pans, it's depressing! :( Make sure you pop in when you can though, everyone could do with some cheering up I think ;p :)
RE: Hello stranger! :)...
Posted by Alpha Tr Ploy
On 2008-01-18 08:30:00
How'd ye get the ISO? None of them seem to have any seeds for me :( Wanting to try it on this laptop (worried that the Atheros AR5007EG wifi won't work though!)
On 2008-01-17 03:47:03, int16h wrote
>>Indeed. :( There was another XSS vulnerability back a few years ago that the CSA brigade found, but this one was in one of the newer functions I added after that audit.
>
>Aaah, I forgot all about that :X
>
>
>>Really well! Still working on Drupal stuff, traveling out of the country at least once a month teaching, etc. My job makes me kind of like Robin Hood... Our company makes websites for companies like Sony and MTV, and the improvements we make go back out in the open source community, where they're used by Amnesty International and the United Nations. ;) It's a pretty sweet gig. :D
>
>Great & cool! I had been using Drupal myself quite a bit until recently. It's certainly nothing like the Yet-Another-Crappy-PHP-CMS systems around, I like it! It's great that you get to travel a bit, and even more so about giving back to the OSC :D
>
>>>I'm a MacWhore now!
>>
>>OMG. Me too. :( There's no other platform where you can test Safari, IE, and Konqueror on the same machine. ;) Plus having an actual Unix command prompt anywhere you go is pretty sweet. :) There are still some things that really annoy me about it... like hitting enter on a highlighted file/folder *renames* it (?) rather than executes it, and when you hit some arcane button combination you see all the windows on your desktop pull to the outer edges sllllooowwwwllllyyy and ever so infuriatingly. :P But whatever. It has OmniGraffle. That's a plus. ;)
>
>Haha, yeah! I don't have real Apple hardware yet (well, none that can't be considered antiques!) but the laptop I bought at New Year works 99% perfectly with Leopard (Full Sound, Gfx, Network, Wifi)... I love the ease of use, compatibility but also the power of a UNIX-like OS :)
>
>>Good to see you still kicking around these parts. :)
>
>And you! If nobody else will hit me with frying pans, it's depressing! :( Make sure you pop in when you can though, everyone could do with some cheering up I think ;p :)
Oh, and P.S... Hi, folks!! :D -nt-
Posted by Ret. Lambda CinC snarkles
On 2008-01-17 02:26:10
wanna play chess sometime? -nt-
Posted by Tr zero one
On 2008-01-20 00:36:22
No, I wouldn't want to embarrass you again ;)
Posted by Ret. Lambda CinC snarkles
On 2008-01-21 19:11:11
Heya, zero one! :D Good to see you hanging in there.
the embarrassment is all yours snarks :]
Posted by Tr zero one
On 2008-01-22 07:01:28
It's been a while since I've actually been back. Site says my last log-in was in 2003, hahah. I can't even remember that to be honest.
I saw you were CinC a while ago tho, and now you passed the torch to ickz. Mind throwin' my name in there when she retires? lol.
dear snorkles
Posted by Alpha Gen adtrace
On 2008-01-20 00:35:22
xo. You still in the Mo-town? I'm living nearby. Stay well,
Hey, adtrace!
Posted by Ret. Lambda CinC snarkles
On 2008-01-21 19:12:38
Yep, still in Montreal. Well. At least once a month anyway. :P My job has me traveling /a lot/. Which is both fortunate and unfortunate since I like being home but don't really like Montreal all that much. ;)
You still talk w/ Socrat, etc.? I met him when I first came here but then dropped out of touch. :(
How've ye been? Been a looooong time! [nt]
Posted by Alpha Tr Ploy
On 2008-01-18 08:30:47
Hehe, been doing well!
Posted by Ret. Lambda CinC snarkles
On 2008-01-21 19:20:37
Just busy w/ work and stuff. These days I do Drupal full-time.
You?
Not too bad, lots of work
Posted by Alpha Tr Ploy
On 2008-02-02 21:50:20
Managed to finally work for myself with a couple of underlings :D
Drupal full-time? Sounds like fun... That for CivicSpace Labs still?
iirc last time I spoke with ye I think ye said ye were with ye partner in Canada (or moving to?)? Things still going well there? :D
On 2008-01-21 19:20:37, snarkles wrote
>Just busy w/ work and stuff. These days I do Drupal full-time.
>
>You?