Shaggy
All American
17820 Posts
user info
edit post |
damnable tww url parser!
curse you.
http://www.apple.com/uk/itunes/affiliates/download/?artistName=%3Cblink%3EApple%20%3Cmarquee%3E%3Cbr/%3E%20%3Ciframe%20src=
h
ttp%3A%2F%2Fw
ww.goatse.fr%20width=800%20height=400%3E%3C/iframe%3E&thumbnailUrl=http%3A//images.apple.com/home/images/promo_mac_ads_20091022.jpg&itmsUrl=http%3A%2F%2Fitunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewAlbum%3Fid%3D330407877%26s%3D143444%26ign-mscache%3D1&albumName=%3Cblink%3Ea%20wide-open%20HTML%20injection%20hole
[Edited on November 18, 2009 at 4:48 PM. Reason : srgedrgerg]  11/18/2009 4:40:45 PM
|
God
All American
28747 Posts
user info
edit post |
this is the best part of web 2.0
BI�lRL�'Äœ�jZ�ˆÈÀ‚��aÒb�ϸÀ<ª»ýZÆ©*LœÙÚDü0�ËÑWó�-çêÂ�|û��Ö¶*Ë�!OòŸâËöD��⢡K�‚4��£8™�sœ�Ý«
§X��PÃ#9ž³Ð`�TµM$ ¤�€�cž¿ UTÑQÈ3´“œ‚�r�yF ¬T1m9²“©³ j“$@�<�UCÅd ��f¤tŸ�s8�Ãz*��Ù¬��‘Üü°�ÐÆÈ 12T� ��F^#,�4“Hê� ~™‚H�Äà�î*�µ3&Ö͇î�/Û€Šä–³[ŇԜÂ+$ÆgÃ<�}«¡Ê†Ôºu–ÌL��ŸŒ` XH�R�°Ì„��?�À&ƒnÈåª!¤¹2§8� ?n�Š¿PÔzxý«£Z=NôÁ#IEò€uv�€€ã)fÙЖØ^à5kU�Þt‰€>1��ôn®Ñ¸Da�±B ¹E¡b�X�í¿.ãQv¥^TÞ„+BýR�gÀôÀYö �ª‹YTVbÄ"<‹Ñ@iÊ2’p�]žåšµZ þYRË"H�£�Œ§ö`$vM¶F"ÒÌÛˆÖ��*#�3–@Ç<�ëÚ¶�ŠP•@°Um`4g$�>#�á¯5V
)pªV´P�I€GÏ,�w�eWòÖ§C¼‘Øwëß�aöú«[¬�(��ð°�¨÷8�~ĺ
6ª–Aæqõ2öÏ>ý'�;ÃmJÂ’lW?ÊÌÀ'§Ó1‘ýØ K’yn�™ÿ õ¢5ÄB¶Ýò�ûwÀYƒ¶½@ ³1Ô�¤�úà�UlP �Å?LÞp
�ÚvÂN@KY–GV^\ºŒ�^�§U\’|Âc¿~Ýp
�Þ˜�)�ÈÒ�NýF žŒ€r€<¡~�AŸŒà>w´�Ž¤Ì–��øf�_}ËZ†î–$”?Y=KOs�`9Wõ:–W¿á=#%w®¨Ð�uƒ’‘‘Œ�¼öËîèã•-OUÅÖ
ãÊ
D =|��åÇmu0Z�ƒb°Ô–L“«â``�µÜлÈT«ùŸLŸ hœ´ƒ"0�^#”®ÊÔ�£ÊÌ`
�>~8�ïy@µ‹VÂ)Ô�KCyb:,ŒÀÈ�ø�ñ|͆Ú×ÌÉk
Æ™a—ŒD�� ÎBÏËl!Áµ¬S¤,��“'<²�ð�á}Ë»Õ�}eÌ©I`;�‡öà-ü.ÿ kp-æj•$ùA��XƒØÎ�¯¸xÕ?¥�Æ zIî��¿�Ø
¸ÙÝè´‚ë\��V'ç€q°ôÕ”ªÂ(�r€3ìOŽ�_Šfk2RÌ$e�¦'¤�¸ ]½��B¢ØÄ��‡˜Æg¨ÀHUí=Ózˆ�RåK2ü*3ÎH8�
Ån6ÅC'D ’éÊ<c ØÖe”+1R"Lb`DÈÀFòöª�õ3m*¤(2Æzç$ŸŽ�+uêT*i$¸"L™’:OÏ Šè?š�ŠD‘¦¥ú¼ÙNFc<�ž÷Ó·®Æ&»�é#NFf2?��˜ÛíëãÂ49ÐL¨'6“� ïÛ��R]eö@�R�iQ‘Qðé× ëe^ïNj�)ò*æÇI1˜')ëã€]�]önÝ�Ô¨ZY´DÆ^��ž�³óÖ[�Ôc¨°"�4€"?n� ¿§ÎÝ+ýBï”!F»„ºA9yn«(ÀvÕTçæ\ÇO† Â’J€dâï#Ç µ¥UA"Lý_<�R°�=‡ìÀ%–3’g¡?íñÀ5¾ÿ åžÇ9��÷`�ë¾®Ó�ÿ º&p�K'ë�FŸ,GOøré– ûtÓa:[ÒŒƒ ½IÌþØ8�+C� <bfAÒ#©ðÀ9 ÞÃN±š’Ì<@Œ |òí€"íè+¥ƒ •#ðÌwù`�J5µlb$êIÿ Ó��Ô`�UŒ_Ó$�¬ �„�ƒ,�˜j�¤3 ”R €O\û`
X+b¦j¯&D+eÖ$™�sÀ�•Zu�ºs*Ç9�d`ç× ]¢�¶É ´õˆ9d`|¼p� q�Í$+‚®Ì�H…�c �Íè†`¶�Š�3”Ä“€-å}2 õ �˜‰ˆ3éß)��\ƒT4©0ª"¶ ÄtÍz`"÷JÚ
š™zª4(‚rÈ�=<p�Ûõ_P˜`$2N’ ~Ü�xrUXê
˜è =†~�,�]�Ì_I{�K�’2üzà8ãõK]i÷¿˜dOHÛU.�NgÊk“��€¨ðm·¹Ô�–úÐé*�2‚�Ó¨ÁêGË þº©]ùkiZÙAÕhiR ˆ�D��´|p�xí£¢¿¦)•ÒM„ôÕ9�#·Ç�?·ßUuu�Uê8�Ž :]ˆLàuŽ�wˆª¸�n4.Ie„�¾U �âORN�s€á·MªôÛ���:� H�"��
‰Äl�{…šÕQƒ*‘’À�c�nãm")
]C�!”ÁS”LŒ°�..ËSl]Ùl6Ο4C�à‰™8��·wö†pX– kC‘ÐAè�Œº`-[kw�¬±´�� Ò¤I2��倰û^ijnë¬.˜‰ f tð0p�›Á¸�ž
Ø—¬okÔ�Pl©Ö2ë—Ç�jV©ìp±¤ä� 9�g¤N�n¬t’A�%§Çà ‘¥Î‘¨H2s‰\¼AÀ�…¥³Ë!®W§‡Ë D¯J§©ô±ê2lÿ ~ Ê�P ý=Ç_Ùž�6×S�©4©ÌÀ™ÓŸöà5ïÜú‘jGõ SÑL,ß#€åÕ`–ᬆoK“P¤�:G¦à��N]0�úÍÕ¶ÕS‰:L¤ �©'>°zFx�n_r]Ùë
‹›«Žú§.¢b#��Û˜•Ô�ƒù, ÿ ™�¤Çc&0�uo¬¤¥Lñq�_˜N��—c€]ÛÚî�,ò¬�¼ª°�œäö8�ÜYDZ”åáÕ¥…Œ�&�ƒ�Òp�kmþ’V<ÉX%�bé“œñÀ8㨩™,U�Tùc8##×´x`,�_?è�ù�A� 9�9ŒÄà�ÝÈź”�à“h�'çÓ Þ„_3yœ•�‘cÐÁÎp��^�M %WQ:Ô€Ð�SÓ÷xà&8¿j¾›-(}6Ru���—CŸ\�·�ÉU¾*²Ê`È�Aè`��Ø�NÏÛ~E–×UU*�× ��˜� øøà#¹��Š� V£H!ÇBÐ�G¤e€r�;¶Á§5ˆAŸV�0#!8�Þ–°–Ö6¥?H“=;þ# ÃœÙ\Œª+ôëh �™=È?ŽX�\O�bb¨Ñ�I+«3øöøà�É5z‚êhS�Ö Ÿ1'©™1€"��ª áë�P�Ž±× �®È¥‚kÔX| 0'ñÀIÑMuÕPFÿ 1$É" &H�ŽS€sE�[ZÙ;•!�Ä�Ú�ˆ=?f�ï¶ê�¨µÜ¸±ó%cÞríž�y~‡ÝOê:”Sæ~'yÖcJ½Dvœð�¦ÊJê�OyëŸËà Z“LF}çáø`�•´t�2Žø��ª�y�„ôñ?��MÆä€@È�Ž]Î�ŽâÙf��Ì�ø�+¤‰Ÿ�óý‘Û�å�æ!á 11/18/2009 4:43:24 PM |
Shaggy
All American
17820 Posts
user info
edit post |
hah, they already fixed it.
tl;dr super fun iframe injection into apple.com leads to scrolling goatse! 11/18/2009 4:50:55 PM |
qntmfred
retired
40551 Posts
user info
edit post |
i take it this is about http://news.ycombinator.com/item?id=948757 11/18/2009 4:51:32 PM |
Shaggy
All American
17820 Posts
user info
edit post |
yea 11/18/2009 4:52:07 PM |
Shaggy
All American
17820 Posts
user info
edit post |
can the tww parser be fixed to ignore everything in the code tags ? 11/18/2009 4:52:58 PM |
qntmfred
retired
40551 Posts
user info
edit post |
i mean it prolly could. i'm sure another edge case would pop up though. eventually i'll get around to trying to fix it completely 11/18/2009 4:54:15 PM |
qntmfred
retired
40551 Posts
user info
edit post |
i like how everybody is picking on Apple when probably at least 2/3 of sites are open to XSS, CSRF or SQL Injection
edit: not to say they shouldn't pick on them. that's they only way people learn. the fact that they fixed it within hours says a lot though
[Edited on November 18, 2009 at 4:57 PM. Reason : .] 11/18/2009 4:56:05 PM |
Shaggy
All American
17820 Posts
user info
edit post |
its only fun when its a common name cause then you can send people a link w/ apple.com and they think well this is sure to be safe and then they get a big ol face of the goatman. 11/18/2009 4:56:59 PM |
