random bits from the weekend
Jul. 25th, 2004 10:42 pm
(Noted in passing: fourth season of West Wing in September; second season of Blake's 7 allegedly in October.)
I sometimes wonder about the security implications of the quizzes and other memes that run around LJ. Consider: your password is (I think) stored in a cookie. You follow a link while reading your friends page (so you're probably logged in) to some unvouched-for site where you give your user name as part of getting some bit of content to post in your journal. I don't know a lot about cookies, but isn't it fairly straightforward for a malicious meme-writer to harvest your password that way? I try never to fill those things out while logged in, personally. (Yes, I do sometimes fill them out, out of curiosity -- the ones that are likely to have interesting content, like the mind map and the friends-list-evaluation ones, not the "what kind of eggplant are you?" ones.)
The two instances of Giant Eagle that I shop at seem to have both stopped carrying my cats' favorite food (Tender Vittles). While googling to try to find out if the product had been discontinued (no one at the store seemed to know anything), I found a place where I can mail-order it by the case for about what I normally pay for it. Ok, that works. Gee, I wonder if I can mail-order the cat litter under similar circumstances, rather than shlepping it home from the store myself? I'll have to try that.
This afternoon I attended a bridal shower for a friend. I so do not know how to be a girly girl. :-) It was a fun time, but there was a lot more estrogen in the air than I'm used to.
(no subject)
Date: 2004-07-26 12:02 am (UTC)
Good point. On closer thought, I can't find a way to make this specific exploit work. I think you're on to some better examples with your brainstorming, although it's hard because LJ tries very, very hard to filter JS out of the user-modifiable parts of the journal for just that reason.
Try this: a server-side process reads your userinfo (which it can do based on your username) and dynamically generates a variation on the post-a-message-as-you javascript that submits the Modify Info form, with obvious data like the info block and interests populated from the old userinfo but with several of the privacy settings (obfuscate email, no spider indexing) quietly set to most open. That's comparatively minor (it would really only make sense to mess with the email settings if your email was at least partially visible already, or the server-side process would have nothing to work with) but might lead to some low-level chaos - if hundreds of people run the meme, at least a few "hits" where it actually caused problems for someone would be likely.
clarification
Date: 2004-07-26 06:52 am (UTC)
This is the basic mechanism; the basic "trick" is trying to convince the browser to execute arbitrary JavaScript with greater access than it normally would have, ideally convincing it to execute the JS as if it were the browser's own code but more commonly (barring certain IE bugs) tricking it into thinking that JS from a malicious site came from a more trusted site with more access. IE's "security zone" implementation tends to make this really easy, because there are so many holes in its checking.
In theory. In practice, JavaScript is the "glue" that holds the browser together[*], so it does stand outside of the document. Browsers are supposed to "sandbox" JavaScript from outside sources so that it can't affect global browser state or documents from different sites, but all too often the sandboxes "leak".
* It's more complex than this, but basically true: if arbitrary JavaScript can escape the sandbox, it gains full control over the browser — and even limited escape grants it too much power (cf. the recent Application.Shell exploit which affected both IE and Mozilla).