On 04/09/2013 03:42 PM, barsalou wrote:
> Quoting bryanm@acsalaska.net:
>
>
> Am I being too narrow in my thinking or can this be thwarted by copying
> and pasting that code into something like notepad?
>
> That would certainly expose any hidden code.
>
> Of course folks may not be thinking of that as they are copying and
> pasting code.
>
> Mike B.
>
>
The vulnerability is based on CSS styling. So there are two tricks that
can be easily used to defeat it:
1) Disable CSS for the page. Firefox: View >> Page Style >> No Style.
2) View the page in Links, a text mode Web browser.
Here is the errant code:
code:
--------
git clone
<span style="position: absolute; left: -100px; top:
-100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e
'!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t
trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1
/etc/passwd<br>git clone </span>
git://git.kernel.org/pub/scm/utils/kup/kup.git
--------
Typically absolutely positioned elements are displayed at an absolute
position on the page. I wonder what negative offsets in absolute
positions are /supposed/ to do, according to the standard, or if that is
even defined.
-- frigidcode.com
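An added illustration, not code from the thread: a Python check in the spirit of the "disable CSS" trick. It parses the HTML with the standard library, drops text inside elements whose inline style hides them or positions them off-screen, and compares what a reader sees with what the clipboard would receive. The sample snippet (with a harmless `echo` payload in place of the original) is constructed, and only inline `style=` attributes are inspected, not external stylesheets.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text or push it off-screen (assumption: only the
# style= attribute is inspected; external stylesheets are not resolved).
INVISIBLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
POSITIONED = re.compile(r"position\s*:\s*(?:absolute|fixed)", re.I)
OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d", re.I)

def is_hidden(style):
    """True if an element with this inline style would not be seen by a reader."""
    return bool(INVISIBLE.search(style) or (POSITIONED.search(style) and OFFSCREEN.search(style)))

class CopyAudit(HTMLParser):
    """Collect the text a reader sees and the text the clipboard would receive."""
    def __init__(self):
        super().__init__()
        self.seen, self.copied = [], []
        self._stack, self._depth = [], 0   # per open tag: hidden?; depth>0 = inside hidden region
    def handle_starttag(self, tag, attrs):
        if tag == "br":                     # <br> becomes a newline on the clipboard
            self.handle_data("\n")
            return
        hidden = is_hidden(dict(attrs).get("style") or "")
        self._stack.append(hidden)
        self._depth += hidden
    def handle_endtag(self, tag):
        if tag != "br" and self._stack:
            self._depth -= self._stack.pop()
    def handle_data(self, data):
        self.copied.append(data)            # everything reaches the clipboard ...
        if self._depth == 0:
            self.seen.append(data)          # ... but only unhidden text is displayed

def audit_copy(html):
    """Return (visible_text, clipboard_text, match) with whitespace collapsed."""
    p = CopyAudit()
    p.feed(html)
    p.close()
    seen = " ".join("".join(p.seen).split())
    copied = " ".join("".join(p.copied).split())
    return seen, copied, seen == copied

# Constructed sample shaped like the snippet in the message, with a harmless payload.
SAMPLE = """git clone
<span style="position: absolute; left: -100px; top:
-100px">/dev/null; echo hidden<br>git clone </span>
git://git.kernel.org/pub/scm/utils/kup/kup.git
"""
```

Running `audit_copy(SAMPLE)` reports a mismatch: the visible text is the single `git clone` line, while the clipboard text also carries the off-screen `/dev/null; echo hidden` and a newline that would execute it if pasted into a shell.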
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
This archive was generated by hypermail 2.1.8 : Thu Apr 11 2013 - 07:01:32 AKDT