Conversation
-
@Soy_Magnus scores a new received report! Excellent work! :vegeta_kneel:
-
@Soy_Magnus @reportbot
> I don't understand why it doesn't render sometimes
Here's a problem: how much escaping/embedding is there? Say you've got two data sources: one of them escapes its data and one does not. (Or, often, you have a plethora of sources of data and one of the sources escapes *sometimes*.) It's never safe to assume it's escaped (external data is always considered untrusted), so you usually escape it again before sending it back to the client. So data source A says "<p>I&39;m so happy!</p>" and then data source B says "<p>I&39;m so happy!</p>", an extra level of escaping. You can extend this an arbitrary number of times.
So it's not really bad code per se, just a disagreement between two systems about how much escaping should be done, and often for things like an admin interface, for obvious reasons, you just escape it anyway and leave it escaped, because it's better for it to be ugly than to let some potentially maliciously crafted text through.
This is a fun one: some webservers would just put raw data into the logs, notably Apache did this. So a normal HTTP request looks like `GET / HTTP/1.1` but if you connect to a webserver and then, instead of sending a request, just put in some terminal control codes (which are escaped using the raw escape character; have a look at an ASCII table some time), those get escaped in most webserver log files. Before those were escaped, though, the raw characters would be shat into the log file, and someone had the clever idea of using these terminal control codes to control the terminal of anyone that cat'd or tail'd a log file. So the simple version was to start shoving stuff in the input buffer: ^C a few times to interrupt `tail` or `cat` or whatever, and then shove in a command that gave remote access, and finally one last command to alert whoever was running the exploit of the success. I don't know how many people got owned by that, but Apache was vulnerable to it for a while and at the time, Apache was something like 90% of the webservers on the internet (the other 10% being mostly IIS and a small fraction of miscellaneous servers).
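The disagreement about escaping levels described in this reply, as an added example that is not part of the original posts. The sample string and function names are constructed for illustration; Python's `html.escape` writes the apostrophe as `&#x27;` (hex), which is the same character as the decimal `&#39;` asked about in this thread.

```python
import html

RAW = "<p>I'm so happy!</p>"  # constructed sample input


def escape_levels(text: str, levels: int) -> str:
    """Escape `levels` times, as a chain of systems would when each one
    treats its input as untrusted and escapes it again."""
    for _ in range(levels):
        text = html.escape(text, quote=True)
    return text


def render_once(text: str) -> str:
    """What the reader sees: a browser decodes exactly one level of entities."""
    return html.unescape(text)


def escape_depth(text: str, max_depth: int = 10) -> int:
    """Diagnostic only: count the unescape passes needed until the text
    stops changing. Do not render the decoded result; output still has
    to be escaped exactly once at the point where it is displayed."""
    depth = 0
    while depth < max_depth:
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
        depth += 1
    return depth


if __name__ == "__main__":
    for n in range(4):
        stored = escape_levels(RAW, n)
        # At n == 1 the text renders cleanly; at n >= 2 entity debris
        # such as &#x27; becomes visible to the reader.
        print(n, escape_depth(stored), repr(render_once(stored)))
```

One level renders as intended; with two or more, the leftover entities are what shows up on screen, which is ugly but never executable markup.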
-
@p @reportbot thank you =}. I tried looking it up and I saw a lot about ASCII and Unicode but I don't understand why it doesn't render sometimes is it a Mastodon issue or some other part of the exchange of hands that causes it to not work sometimes¿ I first noticed it with the bot bot and I've seen it a few times since is it poor coding on their side? It happens every time with that bot that made me think it was his instance that had a glitch/exploit
-
@Soy_Magnus @reportbot
> why does an apostrophe show up as &#39; in some places¿
Basically, HTML uses, for example, "<" and ">" to identify tags. But this means that there'd be no reliable way for the parser to, say, differentiate between the "<p>" tag and someone that wants "<p>" to appear on the screen instead of creating a new paragraph. So to represent "<p>" in HTML, there's an escaping method. (They're called "HTML entities" and it is always frustrating when something is named "entity" or "object" or something like that because it's a meaningless term, but they are basically characters that have been escaped for HTML.) In the case of "<", that's "&gt;", or "&#60;" (because the ASCII code is 60), or "&#x3c;" (ASCII code, but hex). If you have guessed by this point that "39" is the ASCII code for an apostrophe, then you've got the answer.
-
@reportbot @p hey buddy this is the third time I've seen this before, why does an apostrophe show up as &#39; in some places¿ I asked someone else but I don't believe they were quite sure tho they did joke it could be exploited
-
@p @reportbot okay so that's what the joke he made about it being the next exploit was I see. I asked if it would be an injection attack cause that was what made sense that's crazy how data nerds figure this stuff out to trick systems to act up. Do you think AI can possibly help as malicious attack deterrents in the future or do you think static programming has its place better cemented¿
-
@Soy_Magnus @reportbot
> Do you think AI can possibly help as malicious attack deterrents in the future or do you think static programming has its place better cemented¿
I don't know what that means, really. Some IDSs use ML, there are a lot of automated fuzzing tools and I suspect that some of them will try to incorporate some AI stuff, but AI is vague and I don't know what "static programming" means.