Open source programming and Microsoft: two incompatible worlds? Microsoft is partnering with renowned actors of the open-source community to organise the Jump In! Developers’ Camp in an effort to combat this misperception. Twenty-five knowledge-hungry open source application developers from all over Europe will be invited to spend four unforgettable days of dialogue, networking and workshops at the beautiful Panorama Resort & Spa Feusisberg in Switzerland.

The Jump In! Developers’ Camp is designed primarily for open-source application developers who are interested in increasing their skills in a range of specific areas. Here they will be able to experiment with ways of combining open-source technologies with Microsoft products to optimize applications. But don’t worry: no one is out to ‘convert’ anybody! The aim instead is to promote interoperability, problem-solving and enhance programming skills. Software experts will be on hand to provide tips and advice, and a range of workshops will be held on topics including Azure, IIS, Silverlight and more in combination with open-source applications. Plenty of time for actual coding will be available.

Potential participants are invited to file an application at www.jumpincamp.com, outlining their profile. The 25 developers who are creating the most “buzz” for themselves and their programming abilities will then be selected. Attendees of the JumpIn! Developers’ Camp will then record their impressions and experiences in a live blog for their community of ‘followers’. The Camp will be held between 6 – 9 April 2010.

Lloyds TSB Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales, number 2065. Telephone: 020 7626 1500.

Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland, number 327000. Telephone: 0870 600 5000

Lloyds TSB Scotland plc. Registered Office: Henry Duncan House, 120 George Street, Edinburgh EH2 4LH. Registered in Scotland, number 95237. Telephone: 0131 225 4555.
Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales, number 2299428. Telephone: 01452 372372.

Lloyds TSB Bank plc, Lloyds TSB Scotland plc, Bank of Scotland plc and Cheltenham & Gloucester plc are authorised and regulated by the Financial Services Authority.
Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds TSB Bank plc.
HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland, number 218813. Telephone: 0870 600 5000

Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland, number 95000. Telephone: 0131 225 4555

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.

Telephone calls may be monitored or recorded.

I removed the double line spacing as well!

The big kicker for me is the breaking of VLC and/or Gnome Screensaver, now VLC fails to suppress the screensaver in full screen which is kind of useless when you want to watching anything over 5 minutes long. To workaround this I use gnome-screensaver-command --inhibit to prevent the screensaver from activating, and set a command to kill that after 2 hours. The next problem I’ve observed is that even when the suppression and the film have both ended, the screensaver still doesn’t want to activate for ages; leaving my desktop burning the image into the screen until I lock the screen myself. Not a problem but I often hit the hay with a film on and usually fall asleep midway through, got up yesterday morning to find my desktop sat there still being projected from my display. LP #428884.

My second gripe is Flash player under a x86-64 installation using nspluginwrapper and the x86 Flash player provided in the repositories works, what’s so bad about that? Well you can’t actually click on any controls on the Flash object, which kind of rules out embedded YouTube, BBC iPlayer, etc. roll on <video> with Ogg Theora. I resolved this by purging the packaged Flash and nspluginwrapper, and then installing the native 64 bit alpha version from Adobe.

Finally Firebug 1.5 doesn’t support 64 bit builds of Firefox, which to be fair Mozilla don’t support so I don’t really have a problem with this. You need to get an older release from the 1.4 branch, I’ve heard that the 1.6 alphas work again.

Good grumbling done for the morning!

I’m sorry to hear about this, but thank you for letting us know.

I’ve just sent a request for a new one to be sent out to you, so you should receive it soon.

There’s no need to return the broken one, we wouldn’t want the posties to be carrying around broken pottery in their bags – they have enough to complain about! Just take care and dispose of it safely.

I hope this helps a wee bit?

Thanks Will! and Kenny.

Dec 31 23:56:15 sandman rsnapshot[11655]: /usr/bin/rsnapshot -c /etc/rsnapshot.d/mail.cs278.org hourly: completed successfully
Jan 1 01:15:30 sandman syslogd 1.5.0#5: restart.

Happy New Year to all!

1. She fell in love with his greasy machine
2. Mama told me when I was young
3. Sisters of the wayside bide their time in quiet peace
4. Say your prayers little one
5. Take heed, dear heart, once apart
6. Into the abyss I’ll fall-the eye of Horus
7. So this is dreamtime, and all is quiet
8. There once was a woman
9. I’m waiting in my cold cell, when the bell begins to chime
10. Never made it as a wise man
11. Blessed with an eye to see things as they are, will you draw me?
12. If you could see inside my heart
13. Day after day as I bodies slay
14. The words we say, old flowers fade away
15. I can see clearly now, a painful vision indeed
16. World turns black and white
17. You’re searching for your mind don’t know where to start
18. How far will a far side take me
19. Does it go from east to west
20. Die, die, die my darling
21. You need coolin’, baby, I’m not foolin’
22. Ya better come inside when you’re ready to
23. Mama take this badge from me
24. Wir teilen Zimmer und das Bett
25. I am a cleric serving god the king and queen
26. You’re holding all the pain inside
27. Rushing through 30, getting older every day
28. White man came across the sea
29. I have you here in my dreams at night
30. It’s true, we’re all a little insane

The vulnerabilities I found:

1. Non-persistent XSS in search
2. Persistent XSS in user “My details” (only affected the currently logged in user)
3. Persistent XSS in news comments

There was absolutely no input filtering at all on strings, which were just blindly echoed back to the client. I sent an e-mail to BAM regarding my finds and to be quite honest I was extremely surprised I got a reply within 24 hours. I proceeded the send more details once I knew I wasn’t conversing with the receptionist in their Swansea offices. I hoped they would have some clue with what they were doing after I pointed the issues out (misplaced confidence that was). They replied telling me the issues were fixed, I went ahead to test. Indeed they had fixed the problems using strip_tags() which is not the best solution to the problem, and it can also cause other problems. It also will not deal with attackers breaking out of attributes to add their own. I advised them they should be using htmlspecialchars() to escape strings taken from user input, which they seem to have done now. Their reply to this e-mail seems to have vanished into some sort of Internet oblivion, I’ve asked them to resend it. It has now been added below.

From: Richard Moseley <rm@[removed]>
To: chris+sumarketing.co.uk@[removed]
Date: Thu, 13 Nov 2008 09:49:57 +0000

Hi Chris,

I would be interested in hearing what security vulnerabilities you
have found in the web platform, so that we can further investigate
these problems.

I look forward to hearing from you.

Many thanks

Richard Moseley
BAM
2nd Floor
No 8 Castle Square
Swansea
SA1 1DW

Tel: 0845 1300 667
Fax: 0845 1300 668

The information in this email and any attachments is confidential and
may be legally privileged. If you are not the intended recipient's),
you must not read, use, distribute or disseminate this email or the
information in it save to the intended recipient's) nor take any
action in reliance on it. If you receive this email or any attachments
in error, please notify us immediately by email or by telephoning 0845
1300 667 and then delete the same and any copies.

BAM Agency Ltd accepts no responsibility for any loss or damage
whatsoever arising in any way from receipt or use of this email or any
attachments.this email or any attachments.

>
>
> From: hello@[removed] [mailto:hello@[removed]]
> Sent: 13 November 2008 00:01
> To: rh@[removed]
> Subject: Comments From -
> Importance: High
>
>
> BAM
> 2nd Floor
> 8 Castle Square
> Swansea
> SA1 1DW
>
> Tel: 0845 1300667  Fax: 0845 1300668  Email: hello@[removed]
>
> |
>
> This message was sent via the contact form on www.sumarketing.co.uk
>
> Name: Chris Smith
>
> Company: -
>
> Telephone: -
>
> Email: chris+sumarketing.co.uk@[removed]
>
> Comments: I have found several security vulnerabilities in your
> websites do you have a point of contact so I can report them
> responsibly?
>
> How did they here about us: Other
>
> Click to visit the site
>

Date: Thu, 13 Nov 2008 20:59:46 +0000
From: Chris Smith <chris@[removed]>
To: Richard Moseley <rm@[removed]>

Richard Moseley wrote:
> I would be interested in hearing what security vulnerabilities you have
> found in the web platform, so that we can further investigate these
> problems.

I have found three XSS issues, considering the ease it took me to find
them I expect there maybe more. The prime cause seems to be sloppy
programming by not sanitising user data before it is accessed. Two of
the XSS vulnerabilities are of the more serious persistent type and the
other is non-persistent. In order of severity:

* Non-persistent XSS in search:

- - Enter the search term:
<script>alert(document.cookie);</script>
- - Click search

Result:
Users cookies are displayed in a message box.

Severity:
Minor would require social engineering to get people to enter a
malicious search term.

* Persistent XSS in user "My details":

- - Login
- - Set first name to:
<script>alert(document.cookie);</script>
- - Click update
- - Logout
- - Login

Result:
Users cookies are displayed in a message box.

Severity:
Minor requires social engineering again to accomplish and it is per user.

Notes:
This is also a problem for "last name" and probably some of the other
fields.

* Persistent XSS in news comments:

- - Find a news article you can comment on
- - Enter the comment:
<script>alert(document.cookie);</script>
- - Click post

Result:
Users cookies are displayed in a message box.

Severity:
Severe once posted the attack works against anyone viewing the site,
with some elaborate JavaScript it would be possible to trap data entry
to the username and password box capturing the input and sending it to a
remote server. Or if a user is logged in you could combine this attack
with the second issue I mentioned to silently modify the users "first
name" using an XmlHttpRequest to include another XSS which persisted on
all pages they visited on the site.

>> How did they here about us: Other

Spelling error "here" instead of "hear".

From: Richard Moseley <rm@[removed]>
To: chris+sumarketing.co.uk@[removed]
Date: Thu, 13 Nov 2008 21:20:48 +0000

Hi Chris, thanks for bringing these items to our attention, i will get
someone onto these items in the morning, and advise when they have
been resolved.

Thanks

Richard Moseley
Web Developer
BAM
2nd Floor
No 8 Castle Square
Swansea
SA1 1DW

Tel: 0845 1300 667
Fax: 0845 1300 668

The information in this email and any attachments is confidential and
may be legally privileged. If you are not the intended recipient's),
you must not read, use, distribute or disseminate this email or the
information in it save to the intended recipient's) nor take any
action in reliance on it. If you receive this email or any attachments
in error, please notify us immediately by email or by telephoning 0845
1300 667 and then delete the same and any copies.

BAM Agency Ltd accepts no responsibility for any loss or damage
whatsoever arising in any way from receipt or use of this email or any
attachments.this email or any attachments.

Date: Sat, 15 Nov 2008 14:51:40 +0000
From: Chris Smith <chris@[removed]>
To: Richard Moseley <rm@[removed]>

Richard Moseley wrote:
>
> Hi Chris, thank you for bringing these items to our attention. These
> have now been resolved.

I notice your resolution seems to be to use strip_tags() to remove tags
while this is all well and good it doesn't address everything.
Ampersands are still inserted into the HTML un-escaped, this is not
going to cause an XSS attack but it causes invalid HTML to be outputted.
More worryingly if you have any code that inserts user input into a tag
attribute, which is not an entirely unreasonable scenario, strip_tags()
will do squat all to protect you. For example if you take a string from
the user and place it into the href attribute of an anchor and use
strip_tags() to protect yourself, I could send a string like this:

" onmouseover="alert(document.cookie);" dummy="

This assumes you have some code like

<a href="/xyz/<?php echo strip_tags($_GET['var']); ?>/index.php">

This would result in the following:

<a href="/xyz/" onmouseover="alert(document.cookie);" dummy="/index.php">

The solution is to use htmlspecialchars() which ensures double quotes,
ampersands and angle brackets are escaped. Meaning its impossible to
break out of your tags or inject new ones, one thing htmlspecialchars()
doesn't do by default is escape single quotes but you shouldn't be using
them in HTML.

It is also worth noting that strip_tags() is quite zealous with its
removal of 'tags' and will remove things like '<43' which is not
unreasonable to occur in for example a statement with a mathematical
inequality.

I would suggest either just using htmlspecialchars() or using both
functions.

I must admit I am impressed by the quick turnaround on this even if the
fix is flawed.

From: Richard Moseley <rm@[removed]>
To: chris+sumarketing.co.uk@[removed]
Date: Fri, 14 Nov 2008 08:22:13 +0000

Hi Chris, thank you for bringing these items to our attention. These
have now been resolved.

Kind Regards

Richard Moseley
Web Developer
BAM
2nd Floor
No 8 Castle Square
Swansea
SA1 1DW

Tel: 0845 1300 667
Fax: 0845 1300 668

The information in this email and any attachments is confidential and
may be legally privileged. If you are not the intended recipient's),
you must not read, use, distribute or disseminate this email or the
information in it save to the intended recipient's) nor take any
action in reliance on it. If you receive this email or any attachments
in error, please notify us immediately by email or by telephoning 0845
1300 667 and then delete the same and any copies.

BAM Agency Ltd accepts no responsibility for any loss or damage
whatsoever arising in any way from receipt or use of this email or any
attachments.this email or any attachments.

From: Richard Moseley <rm@[removed]>
Date: 15 November 2008 16:42:18 GMT
To: Chris Smith <chris@[removed]>
Subject: Re: Comments From -

Hi Chris,

Thanks for the email, we are currently doing an audit on the XSS
vulnerabilities to ensure that it does not affect any of our other
code on the system, so as a quick resolution we used the
strip_tags() route as we knew that this did not effect any of the
existing coding, while investigating any potential impact of using
htmlspecialchars() on the system including the forums, and issues
caused as a consequence.

Once we have completed this assessment we will convert the system
over to using htmlspecialchars() instead.

Thanks for the update and the feedback you have provided on this
matter.

Kind Regards

Richard Moseley
BAM
2nd Floor
No 8 Castle Square
Swansea
SA1 1DW

Tel: 0845 1300 667
Fax: 0845 1300 668

The information in this email and any attachments is confidential
and may be legally privileged. If you are not the intended
recipient's), you must not read, use, distribute or disseminate this
email or the information in it save to the intended recipient's) nor
take any action in reliance on it. If you receive this email or any
attachments in error, please notify us immediately by email or by
telephoning 0845 1300 667 and then delete the same and any copies.

BAM Agency Ltd accepts no responsibility for any loss or damage
whatsoever arising in any way from receipt or use of this email or
any attachments.