Pc World, Is Web 2.0 Safe?

Discussion in 'other security issues & news' started by flinchlock, Jun 7, 2007.

Thread Status:
Not open for further replies.
  1. herbalist

    herbalist Guest

    Elio,
    I tried your links with both IE6 and Sea Monkey. I bypassed Proxomitron. JS is enabled. I get normal web pages.

    I should be getting used to this by now. With most of these tricks and the newer "serious" or "critical" exploits, nothing ever happens here, even with my defenses lowered. What's really odd is that most of the enhanced content from these sites still works.

    It seems to me that web 2.0 is fine. If you're using an up to date M$ operating system and browser, then you're at risk.

    Rick
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Web Alpha - current is fine.
    The problem is with MS "user-experience-geared" activex and crapx non-compliant inventions.
    Mrk
     
  3. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    What links? The ZoneAlarm hole and the first PC World one have been fixed (the former after at least one month of exposed vulnerability, the latter in less than 24 hours).

    The latest PC World one (post #15) still looks unpatched. I strongly believe you didn't try that.

    It seems to me you still don't grasp XSS basics: it has nothing to do with the kind of browser or OS you use, it's the web that is broken.
    Just a pity that I've received a (very friendly, BTW) "cease and desist" and I won't post any new XSS PoC here: I'm afraid that when the last one gets patched, you will simply shrug as the problem didn't ever exist. :cautious:
     
  4. herbalist

    herbalist Guest

    Elio,
    This is what I get from the link in post 15. Same with IE6 on default settings. Same as the last time. You tell me why. I have JS enabled on both browsers. I'm not using NoScript. I circled at the bottom to show I've bypassed Proxomitron. What am I supposed to see here and why am I not seeing it? Click image to enlarge.
    http://i138.photobucket.com/albums/q277/herbalist-rick/post15link50.gif
    I understand what it's supposed to be. You tell me why I'm not seeing anything, or why the latest round of exploits has no effect on my system, even with all web filtering turned off. I don't know the answer. You tell me why the ani cursor exploit had no effect on IE6 on my box, or why the Yahoo messenger worm wouldn't try to execute on my system with SSM set to prompt, or why the wmf exploit does nothing, or why the last half dozen malicious pages I've visited do nothing. I used to enjoy testing my defenses with whatever I could find. I'd be just as interested to find out why none of these exploits, vulnerabilities, etc. seems to have any effect on this box anymore. If anyone has or finds malicious sites, exploits, or anything that makes use of an unpatched vulnerability, I'd very much appreciate a link to it. Just PM it to me.
    Rick
     
    Last edited by a moderator: Jun 12, 2007
  5. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Could you try to forcibly bypass caches with Shift+F5 (don't just clean your cache, you may need to invalidate also intermediate caches)?
    After you do it, could you also please PM the HTML source of the page you get?
    Thanks.

    Regarding the remote execution exploits which aren't affecting you anymore, buffer overflow exploitation is usually very system dependent: Win98 is probably just "protecting" you from PoCs designed for more recent systems. This doesn't necessarily mean you're not affected by the vulnerability, but at least you're a less likely attack target, maybe.
     
  6. herbalist

    herbalist Guest

    I finally managed to see the altered page. What it took to make that happen defies explanation. In addition to using Eraser on the browser cache and setting Sea Monkey to connect directly to the net, I also had to remove the system proxy settings, even though the firewall status screen verified that Sea Monkey was connecting out directly, and I had to disable the hosts file. It wasn't until I did all these together that I finally saw the altered page. The last 2 shouldn't have had any effect, but the page didn't show up until I did those too. I manually erased the browser cache with Eraser each time with the browser closed and verified it to be empty. After doing all this, I started re-enabling things one at a time. Turned the hosts file on, fine. Put the system proxy settings back, still works. They shouldn't have affected anything in the first place. If I set Sea Monkey to connect through Proxomitron, the page reverts to normal, even when Proxomitron is in bypass mode. Only by configuring Sea Monkey to connect directly out can I see the altered page. Proxomitron definitely seems to stop this, but why it would stop it in bypass mode makes no sense. Shouldn't be happening this way, but I've repeated this at least 10 times now with the same results. What I wouldn't do for enough free time to look into this.
    Rick
     
  7. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Short explanation: cache(s).

    Long explanation: this specific web page is heavily cached on more than one level (web site's accelerator/balancer, your proxy, browser cache) and all the layers are instructed to aggressively cache it, since it's ideally read-only.

    What you get when you see the correct page is a cached copy from your browser or from one of the multiple proxies between you and the real website.

    Most likely, your browser cached the page as filtered by Proxomitron, while when you enable Proxomitron it invalidates caches in order to avoid returning unfiltered pages.
     
  8. herbalist

    herbalist Guest

    It must be cached elsewhere as I shut down the browser and erased the cache between each loading. Both the Sea Monkey and IE6 browser cache are also erased on a schedule and at shutdown/reboot. Never did get the altered page with IE6.

    When I have some time, I'll try to figure out why I can't get the altered page when the connection runs through Proxomitron. In bypass, it shouldn't be blocking anything.
    Rick
     
  9. elio

    elio Registered Member

    Joined:
    May 3, 2007
    Posts:
    77
    Have you got "block JavaScript" on pcworld.com among Proxomitron filters?
    This may be the most likely reason why Proxomitron prevents the page from being altered, since the modifications are done by code injected inside a regular <script>...</script> block of the target page, without any particular filter-evading technique.
    If this is the case, legitimate scripts won't run either, quite obviously.
     
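elio's point in the posts above, that the injection sits inside an ordinary <script>...</script> block of the page and that no browser or OS choice fixes it, comes down to server-side output encoding. The Python below is an added example, not code from this thread or from PC World's site: it renders a reflected value the vulnerable way (raw concatenation) and the context-aware way, and the untrusted input and page fragments are constructed for illustration.

```python
import html
import json

# Constructed sample: an untrusted value that the page reflects in two
# contexts, HTML body text and a JavaScript string inside a <script> block.
UNTRUSTED = '"</script><p>not code</p><!--'


def render_vulnerable(value: str) -> str:
    """'Before' form: the value is concatenated raw into both contexts.
    The value's own </script> closes the real script block early, so
    whatever follows is parsed as page markup instead of a string."""
    return (
        f"<h1>Results for {value}</h1>\n"
        f'<script>var q = "{value}";</script>'
    )


def js_string_literal(value: str) -> str:
    """Encode a value for use as a JS string literal inside <script>.
    json.dumps handles quotes and backslashes for the JS parser; every '<'
    is then written as \\u003c so the HTML parser never sees </script>
    or <!-- inside the block. JS decodes \\u003c back to '<' losslessly."""
    return json.dumps(value).replace("<", "\\u003c")


def render_hardened(value: str) -> str:
    """Same page, with an encoder chosen per context: HTML entity escaping
    for the element body, a JS string literal for the script block."""
    return (
        f"<h1>Results for {html.escape(value, quote=True)}</h1>\n"
        f"<script>var q = {js_string_literal(value)};</script>"
    )


def script_block_intact(page: str) -> bool:
    """Defender's check on rendered output: exactly one <script> and one
    </script>, opened before closed. Extra closers mean a breakout."""
    opens, closes = page.count("<script>"), page.count("</script>")
    return opens == 1 and closes == 1 and page.index("<script>") < page.index("</script>")


if __name__ == "__main__":
    print("vulnerable intact:", script_block_intact(render_vulnerable(UNTRUSTED)))
    print("hardened intact:  ", script_block_intact(render_hardened(UNTRUSTED)))
```

The check only catches the breakout shown here; the real fix is choosing the encoder by output context every time, not scanning the rendered page afterwards.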