Posts Tagged with "code"

BUG: Unclosed Firefox Attack Vector

November 6th, 2008 at 8:45 pm by Mark
Tags: , , , ,

     Firefox still sucks.  I don’t care what everyone else in the world thinks, and I know it’s an unpopular opinion, but it’s the truth.  While they bitch about “standards” all the time, the fact is, 95% of what Firefox calls “a standard” isn’t even ratified yet.  When developers can’t tell a “Standard” from a “Request For Comment,” all sorts of malady ensues.
     It’s also disingenuous on the part of Web Developers to say, “It won’t render right in IE because IE sucks!” when the fact is, any Web Developer worth their salt would make an attempt to make a page render right in the predominant browser and its inferior counterpart.  Yet, for some reason, the call is to “blame Microsoft” every time a Developer makes a stupid mistake or doesn’t know what the Hell they’re doing…

     There’s also this ridiculous assertion that Firefox is inherently bullet-proof as far as being hackable.  The case is that IE is the predominant browser, so it makes sense to use it as the target for widespread attacks.  Firefox is an even more broken mess from a Security standpoint, and the veracity of its issues span across multiple platforms, despite claims otherwise.

     A nice little case in point of “shitty code” in Firefox is this attack vector I found two years ago and apparently still isn’t fixed…

     Get out your favorite PHP editor, and send an image in a stream… but in the header, use these two lines instead of something normal:

echo "Content-type: image/jpg";
echo "Content-length: 0";

     Now, with every other user-agent in the world, this won’t work for two very important reasons:

  1. “image/jpg” is not a valid content-type.  “image/jpeg” is.
  2. A connection-length of zero bytes tells the user-agent not to receive any data.

     Firefox, on the other hand, will go ahead and render the invalid content-type, zero-byte image at whatever size the Server streams to it, proving that it doesn’t care what’s actually being received from a possibly malicious host.

     Can you say, “Exploitable,” boys and girls?

     I knew you could…

Effects of Drugs on Spiders

January 18th, 2007 at 12:24 am by Mark
Tags: , , , , , ,

     Apparently, Monty’s opened up a can of worms that can’t be shut.  Again, I get put in the position to bring it down a notch.

     In the immortal words of Reinhold Niebuhr:

God grant me the serenity
to accept the things I cannot change;
courage to change the things I can;
and wisdom to know the difference.

Living one day at a time;
Enjoying one moment at a time;
Accepting hardships as the pathway to peace;
Taking, as He did, this sinful world
as it is, not as I would have it;
Trusting that He will make all things right
if I surrender to His Will;
That I may be reasonably happy in this life
and supremely happy with Him
Forever in the next.
Amen.

     To put it bluntly, “Shit happens.  We deal with it, or we don’t.”

     Recompense helps.

     But when even that fails…

     Laughter always makes us feel better.

     Let’s leave our apprehension, anger and fear at the door for a moment.  I mean, hey, it’d do us all good to just sit back, take a deep breath, and have a good laugh.
     Shall we?

Tip: Thanks, Zacque!

Stock Photos

CSS & The Whine of the Uberdork

November 17th, 2005 at 6:30 pm by Sam
Tags: , , , ,

Man! While Monty’s on the subject of zealots (which, let’s be honest, is always a great topic), why am I getting so many e-mail complaints and comment spams dogging this site for nothing other than its lack of CSS?

Firstly, I simply don’t care if you’re running the latest piece of animal dung with a name stolen from a deplorable 1982 movie starring Clint Eastwood. You’re a 7% minority by our statistics.

Secondly, if you consider yourself a web designer and you can’t make a page that looks right in all browsers, you need to find another form of employment. Or maybe find a form of employment — the real world detests your kind of attitude.

Thirdly, we have no intention of validating with XHTML 4.01 Strict. Why bother, when what we’re doing works? The page you’re looking at looks exactly the same in every single browser that comes here save for Lynx.

Fourthly, if you have no other complaint about this site than its lack of CSS, then obviously we’re doing something right.

CSS has become the Whine of the Uberdork: “Technical people can be creative, too!”

Regardless of what an Uberdork can do making a Round CSS Layout, it still won’t give them any sense of design skill or color coordination. It expands their possibilities, yes, but for the most part, their sites are still going to be ugly. Form & Function will most always be at odds.

It’s a fact that the *vast* majority of sites carrying those “CSS Certified!” banners DO NOT conform the specification they’re carrying the banner for. I’m one of those freaks who clicks it on every site I see it on, and I rarely hit a single site that conforms with no errors — and I’ve only ever seen two sites at all that got no errors, and no warnings.

With the majority of the published Templates, Skins and Designs out there using CSS, at least 50% of them will not work in one browser or another. Commonly, those designs carry the banner, “Your browser sucks! Download TPFKAN Now!” Logic dictates that they should instead read:

“I don’t like your browser because I’m too much of a zealot to believe real-world statistics showing a super-high IE market share, and thus the entire market share is using an inferior product which does not conform to specifications, and even though 50% of the people in the world are using IE, the specification is what is standard and not what people are using. Therefore, you should go and download TPFKAN because I’m too much a lazy prick to fix my code which is most probably based on an RFC rather than an actual, certified standard.”

 

Thus far, the majority of the CSS styles you see out there are written by Technical Programmers who do it just so they can complain about the limitations of the most popular browser by far (kudos to Mr. Bill).

I have no problem with CSS, but some common sense needs to be used when designing pages with it. We do make use of CSS — a lot of it! We have a tabular structure, all decked out with CSS inside. It’s relatively tidy, and people seem to think it’s a decent design, aside from complaining that it’s not in such-and-such DTD.

As for TPFKAN, I hate it. The best way to screw up IE forever is to install TPFKAN. Actually, an even better way is to uninstall TPFKAN, which will take half of the settings and HKLMClasses with it, just like its mother product did.

People love to complain about how bad Netscape was, and forget that Firefox is just a new version of the same old junk.