Shaggy All American 17820 Posts |
damnable tww url parser!
curse you.
http://www.apple.com/uk/itunes/affiliates/download/?artistName=%3Cblink%3EApple%20%3Cmarquee%3E%3Cbr/%3E%20%3Ciframe%20src=http%3A%2F%2Fwww.goatse.fr%20width=800%20height=400%3E%3C/iframe%3E&thumbnailUrl=http%3A//images.apple.com/home/images/promo_mac_ads_20091022.jpg&itmsUrl=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewAlbum%3Fid%3D330407877%26s%3D143444%26ign-mscache%3D1&albumName=%3Cblink%3Ea%20wide-open%20HTML%20injection%20hole
[Edited on November 18, 2009 at 4:48 PM. Reason : srgedrgerg] 11/18/2009 4:40:45 PM |
God All American 28747 Posts |
this is the best part of web 2.0
11/18/2009 4:43:24 PM |
Shaggy All American 17820 Posts |
hah, they already fixed it.
tl;dr super fun iframe injection into apple.com leads to scrolling goatse! 11/18/2009 4:50:55 PM |
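The bug the thread is laughing at is plain reflected HTML injection: query parameters such as artistName and albumName are written straight into the page. The following is an added example, not code from the thread or from Apple's site, showing a minimal page template that reflects those parameters, the unescaped rendering beside an escaped one, and a check that counts tags that leaked in from the input. The URLs, parameter values and template are constructed for the example; the real page's markup is unknown.

```python
# Added example (not the thread's or Apple's code): reflecting query parameters
# into HTML without escaping, and the same rendering done safely.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests. HOSTILE_URL carries markup in artistName and
# albumName (same shape as the thread's link) and a non-http thumbnail URL.
BENIGN_URL = ("https://example.invalid/download/?artistName=Apple"
              "&albumName=Greatest+Hits&thumbnailUrl=https://example.invalid/cover.jpg")
HOSTILE_URL = ("https://example.invalid/download/?artistName="
               "%3Ciframe%20src%3Dhttps%3A%2F%2Finjected.invalid%3E%3C%2Fiframe%3E"
               "&albumName=%3Cblink%3Einjected&thumbnailUrl=javascript:alert(1)")

# Hypothetical page template; the real affiliate page's markup is not known.
PAGE = '<h1>{artist}</h1><p>{album}</p><img src="{thumb}">'
FIELDS = ("artistName", "albumName", "thumbnailUrl")


def params(url):
    """Decode the three reflected query parameters (missing ones become '')."""
    q = parse_qs(urlsplit(url).query)
    return {k: q.get(k, [""])[0] for k in FIELDS}


def render_unsafe(url):
    """The bug: decoded parameter values are interpolated as raw HTML."""
    p = params(url)
    return PAGE.format(artist=p["artistName"], album=p["albumName"],
                       thumb=p["thumbnailUrl"])


def safe_url(value):
    """Only allow http(s) URLs in the image source; anything else is dropped."""
    return value if re.match(r"^https?://", value) else ""


def render_safe(url):
    """Escape every value for its context before interpolation."""
    p = params(url)
    return PAGE.format(artist=html.escape(p["artistName"], quote=True),
                       album=html.escape(p["albumName"], quote=True),
                       thumb=html.escape(safe_url(p["thumbnailUrl"]), quote=True))


def injected_tag_count(url, renderer):
    """Number of '<' in the rendered page beyond those in the template itself.
    Anything above zero means input markup reached the output unescaped."""
    return renderer(url).count("<") - PAGE.count("<")


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, injected_tag_count(HOSTILE_URL, renderer), renderer(HOSTILE_URL))
```

The counting check is deliberately crude (it only works because the template's own tag count is fixed), but it is the kind of assertion a regression test for a reflected parameter can use: feed a value containing `<`, and require that the rendered response contains no more `<` characters than the template.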
qntmfred retired 40818 Posts |
i take it this is about http://news.ycombinator.com/item?id=948757 11/18/2009 4:51:32 PM |
Shaggy All American 17820 Posts |
yea 11/18/2009 4:52:07 PM |
Shaggy All American 17820 Posts |
can the tww parser be fixed to ignore everything in the code tags? 11/18/2009 4:52:58 PM |
qntmfred retired 40818 Posts |
i mean it prolly could. i'm sure another edge case would pop up though. eventually i'll get around to trying to fix it completely 11/18/2009 4:54:15 PM |
qntmfred retired 40818 Posts |
i like how everybody is picking on Apple when probably at least 2/3 of sites are open to XSS, CSRF or SQL Injection
edit: not to say they shouldn't pick on them. that's the only way people learn. the fact that they fixed it within hours says a lot though
[Edited on November 18, 2009 at 4:57 PM. Reason : .] 11/18/2009 4:56:05 PM |
Shaggy All American 17820 Posts |
it's only fun when it's a common name 'cause then you can send people a link w/ apple.com and they think well this is sure to be safe and then they get a big ol' face of the goatman. 11/18/2009 4:56:59 PM |