Its rare to find devs anticipating Unicode control characters showing up in user input. And the most fun when unanticipated is the Right-To-Left Override character U+202E. Unicode characters have an implicit direction so that for example by default Hebrew characters are rendered from right to left, and English characters are rendered left to right. The override characters force an explicit direction for all the text that follows.
I chose my Twitter display name to include the HTML encoding of the Right-To-Left Override character #x202E; as a sort of joke or shout out to my favorite Unicode control character.
I did not anticipate that some Twitter clients in some of their UI would fail to encode it correctly. There's no way I can remove that from my display name now.
Try it on Amazon.
Eich's Law: "If you are liberal in what you accept, others will utterly fail to be
conservative in what they send." https://bugzilla.mozilla.org/show_bug.cgi?id=310993 …
According to the links within this article, although the root URI of the router requires authentication, the /password.cgi URI doesn’t and the resulting returned HTML contains (but does not display) the plaintext of the password, as well as an HTML FORM to modify the password that is exploitable by CSRF.
The attack… infected more than 4.5 million DSL modems… The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple script to steal passwords required to remotely log in to and control the devices. The attackers then configured the modems to use malicious domain name system servers that caused users trying to visit popular websites to instead connect to booby-trapped imposter sites.
CGI for the IKEA catalog:
That couch catching your eye in the 2013 edition of IKEA’s new catalog may not be a couch at all. It is likely the entire living room was created by a graphic artist. In fact, much of the furniture and settings in the 324-page catalog are simply a collection of pixels and polygons arranged on a computer.
Another Comedy Bang Bang preview clip this time with Zach Galifianakis.
By the URI RFC there is only one way to represent a particular IPv4 address in the host of a URI. This is the standard dotted decimal notation of four bytes in decimal with no leading zeroes delimited by periods. And no leading zeros are allowed which means there's only one textual representation of a particular IPv4 address.
However as discussed in the URI RFC, there are other forms of IPv4 addresses that although not officially allowed are generally accepted. Many implementations used inet_aton to parse the address from the URI which accepts more than just dotted decimal. Instead of dotted decimal, each dot delimited part can be in decimal, octal (if preceded by a '0') or hex (if preceded by '0x' or '0X'). And that's each section individually - they don't have to match. And there need not be 4 parts: there can be between 1 and 4 (inclusive). In case of less than 4, the last part in the string represents all of the left over bytes, not just one.
For example the following are all equivalent:
The bread and butter of URI related security issues is when one part of the system disagrees with another about the interpretation of the URI. So this non-standard, non-normal form syntax has been been a great source of security issues in the past. Its mostly well known now (CreateUri normalizes these non-normal forms to dotted decimal), but occasionally a good tool for bypassing naive URI blocking systems.
BE EXCITED.Promo on IFC for the upcoming Comedy Bang Bang TV show!!!
I am excited Paul.
Looking at the HTTP traffic of Netflix under Fiddler I could see the HTTP request that added a movie to my queue and didn't see anything obvious that would prevent a CSRF. Sure enough its pretty easy to create a page that, if the user has set Netflix to auto-login, will add movies to the user's queue without their knowledge. I thought this was pretty neat, because I could finally get people to watch Primer. However, when I searched for Netflix CSRF I found that this issue has been known and reported to Netflix since 2006. Again my thoughts stolen from me and the theif doesn't even have the common decency to let me have the thought first!
With this issue known for nearly three years its hard to continue calling it an issue. Really they should just document it in their API docs and be done with it. Who knows what Netflix based web sites and services they'll break if they try to change this behavior? For instance, follow this link to add my Netflix recommended movies to your queue.
The weekend before last Sarah and I went down to Gas Works Park in Seattle. Gas Works Park is a former Seattle Gas Light Company gasification plant now turned into a
park with the machinery kept intact and found right on the shore of Lake Union. There's a large hill right next to the plant with an embedded art installation from which you get an excellent view
of the park and the lake. Anyway a very cool place. Afer, we ate at Julia's of Wallingford where I stereotypically had the Santa Cruz
omelet. Good food, nice place, nice neighborhood.
This past weekend was Halloween weekend. On Halloween at Microsoft parents bring their kids around the office buildings and collect candy from those who
have candy in their office. See Matt's photo of one such hallway at Microsoft. The next day Sarah and I went to two birthday parties the second of which required costume. I went as House (from the
television show House) by putting on a suit jacket and carrying a cane. Sarah wore scrubs to lend cred. to my lazy costume. Oh yeah and on Sunday Sarah bought a new car.
After Carissa and Elijah's wedding Sarah and I went to San Francisco. We drove in, well Sarah drove anyway, still in
the PT Cruiser Sunday morning and checked into our hotel, Hotel Diva. I was originally concerned that I wouldn't fit in as I don't really consider myself a
diva, however the hotel was cool. They have Internet rooms setup in various themes, the front desk is always staffed, our room had a very modern look, and when we entered the flat-screen over the
front desk was playing an episode of Aqua Teen Hunger Force.
We walked around a bit before going to the SF Museum of Modern Art. There was a Picasso exhibit at the time
which we could see for only $3 more. It felt kind of wrong like my ticket was super-sized. I think the most memorable piece I saw was three white
panels which consisted of three blank panels. Art. Sure. After that Sarah wanted to see the giant Hello Kitty store she had heard of from her sister. We ended up going to the Westfield Shopping
center which has a disappointingly average sized Hello Kitty store. Apparently the giant one is gone. That night we went to First Crush for dinner. I had a
flight of wine which consists of three one-third sized glasses of various but complimentary wines. It was a great restaurant in terms of food, drink, atmosphere and service.
The next morning we were even more the tourists when we went down to Fisherman's Wharf and Pier 39. We visited the famous wax museum and purchased multiple
pounds of taffy. On the way back to the Oakland airport we got to experience a little traffic as part of the
580 freeway had collapsed the morning we arrived and was still under repair on our way out. We survived of course and I think the trip went rather well.
If your account information is not updated within 48 hours then your ability to sell or bid on Citibank will become restricted.
This account has been locked down and is now on schedule for deletion. If we can further assist you please let us know.
Some rights reserved