Autoplaying flash movies

By DogMeid on June 7, 2009 2:09:49 PM from Demigod Forums

Join Date 06/2009
+1

You can use HTML code to embed a video.

Then you can add an &autoplay=1 parameter to the URI in the embed code to get that video to play automatically.

You can even hide your misdeed by reducing the video size to zero, although that doesn't protect you from code inspection.

And last but not least, you can embed all kinds of shit using code embedding ... Google Analytics even, just to find out who is gonna read your bloody post.

So the great question is how to stop this exploit without killing the cool embed fan video feature. Easy enough. Disable HTML embedding and create tags for allowed embeds.

So there, I spilled the beans. You can thank me for pointing you to a glaringly obvious security flaw. And now give me back my posting rights!

I'd quote the code but I think the code quoting feature doesn't escape the HTML code correctly, but here it is anyway:

Code: html
<object width="480" height="295">
  <!-- the trailing autoplay=1 on the movie URL is what starts playback on page load -->
  <param name="movie" value="http://www.youtube.com/v/43p7JPqZkPg&hl=de&fs=1&hd=1&autoplay=1"></param>
  <param name="allowFullScreen" value="true"></param>
  <!-- allowscriptaccess="always" lets the SWF call JavaScript in the hosting page -->
  <param name="allowscriptaccess" value="always"></param>
  <embed src="http://www.youtube.com/v/43p7JPqZkPg&hl=de&fs=1&hd=1&autoplay=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="295"></embed>
</object>

wow, quoting works

Locked Post 35 Replies

June 13, 2009 11:01:58 AM from WinCustomize Forums

this must be about the most stupid thing I've ever read here.

Since I was quoting you... no argument here

June 13, 2009 11:15:20 AM from Demigod Forums

Quoting Aroddo,

Quoting Bichur, reply 23
html embedding is the problem.
 
no it's not

the problem is

the users abusing that feature.

oh my god.

...

this must be about the most stupid thing I've ever read here.

Did you read Bichur's avatar?

I think Night Train is his alter-ego too.

June 13, 2009 11:15:31 AM from Demigod Forums

oh my god.

...

this must be about the most stupid thing I've ever read here.

He does have a point anyways. If people weren't assholes, this wouldn't be a problem.

June 13, 2009 11:20:21 AM from Demigod Forums

Quoting Kitkun,

He does have a point anyways. If people weren't assholes, this wouldn't be a problem.

But people ARE assholes, lots of them, ESPECIALLY on the internet where there are very few real-life repercussions.

June 13, 2009 11:39:08 AM from Demigod Forums

Quoting IllegalDustbin,

Quoting Kitkun, reply 3
He does have a point anyways. If people weren't assholes, this wouldn't be a problem.


But people ARE assholes, lots of them, ESPECIALLY on the internet where there are very few real-life repercussions.

And most of all: the attacker doesn't even have to be a regular user. Just a guy looking for a place from which to start his attacks.

Did you read Bichur's avatar?

I think Night Train is his alter-ego too.

Just noticed. Both are veteran users judging from their member number and unloved since creation, judging from their karma.

They are probably both fake accounts from someone we all love who has to relieve him- or herself by trolling around.

June 13, 2009 12:19:57 PM from Demigod Forums

Has this been disabled yet? I do not feel that moderating people when you catch them (emphasis on when...) doing this is at all an adequate fix.

Bara has been on vacation this week, but he agrees that it is something that should be addressed.

Both are veteran users judging from their member number and unloved since creation, judging from their karma.

Demigod isn't the only site on the network. Both of them are native to Wincustomize, where Bichur has 153 karma and Night Train has 212.

In any case, if you're so concerned about the danger of being exposed to eeeeevil html, you're free to close the browser window and not reopen it--that's the only sure way to avoid it, after all. The internet is a dangerous place out there with all those links and stuff.

We're more concerned with actual cases of people causing trouble for others, as happened in this instance. And while it's annoying that people can make youtube autoplay videos, that's a function of youtube, not the html. Blocking it while still allowing inline video would require custom coding *just* for youtube.

As an example though, even if embeds were removed someone might hotlink an inappropriate image. Should we block images in posts altogether as well because some people might be too stupid or immature to use it properly? Do we have to host all image posts ourselves and moderate [approve before they appear] each and every one? Where do you draw a line?

(And FYI, things like iframes and javascripts are already stripped from posts anyway.)

 

June 13, 2009 12:30:08 PM from Demigod Forums

Quoting kryo,

Has this been disabled yet? I do not feel that moderating people when you catch them (emphasis on when...) doing this is at all an adequate fix.
Bara has been on vacation this week, but he agrees that it is something that should be addressed.


Both are veteran users judging from their member number and unloved since creation, judging from their karma.
Demigod isn't the only site on the network. Both of them are native to Wincustomize, where Bichur has 153 karma and Night Train has 212.

In any case, if you're so concerned about the danger of being exposed to eeeeevil html, you're free to close the browser window and not reopen it--that's the only sure way to avoid it, after all. The internet is a dangerous place out there with all those links and stuff.

We're more concerned with actual cases of people causing trouble for others, as happened in this instance. And while it's annoying that people can make youtube autoplay videos, that's a function of youtube, not the html. Blocking it while still allowing inline video would require custom coding *just* for youtube.

As an example though, even if embeds were removed someone might hotlink an inappropriate image. Should we block images in posts altogether as well because some people might be too stupid or immature to use it properly? Do we have to host all image posts ourselves and moderate each and every one? Where do you draw a line?

(And FYI, things like iframes and javascripts are already stripped from posts anyway.)

 

I can't scroll past a sound to avoid it, or even know the source of it if it's invisible in a post (it could have been coming from one of my other tabs or another program entirely for all I'd know). I think having something obscene screamed out of my speakers which everyone in the household or workplace may hear is more disruptive than an inappropriate image could ever be.

June 13, 2009 12:42:58 PM from Demigod Forums

Quoting IllegalDustbin,

I think having something obscene screamed out of my speakers which everyone in the household or workplace may hear is more disruptive than an inappropriate image could ever be.

Unless your mother or other family member happens to walk in on you at the same time you're viewing the picture. Depending on the picture, it could lead to a long and uncomfortable lecture and many awkward stares.

June 13, 2009 1:06:37 PM from Demigod Forums

Quoting kryo,

Both are veteran users judging from their member number and unloved since creation, judging from their karma.
Demigod isn't the only site on the network. Both of them are native to Wincustomize, where Bichur has 153 karma and Night Train has 212.

Ah, so they were only being dicks especially for me. In that case I apologize. I was wrong.

 

Quoting kryo,

In any case, if you're so concerned of the danger of being exposed to eeeeevil html, you're free to close the browser window and not reopen it--that's only sure way to avoid it, after all. The internet is a dangerous place out there with all those links and stuff.
 

That was an eminently stupid remark.

But I'll explain to you why any sane webmaster should be concerned about eeeeeeevil html:
If a website reaches a large audience (I don't know your daily hits, but I'd say it's higher than a blog dedicated to screwdrivers) AND allows malicious code which could cause every forum visitor to unwillingly participate in a DOS attack on another server, who do you think is taking the heat for the eventual damage?
"Oh, we at SD are not responsible for not closing a 15 year old security leak in our forums. It was the evil h4XX0R!!"

Quoting kryo,

We're more concerned with actual cases of people causing trouble for others, as happened in this instance. And while it's annoying that people can make youtube autoplay videos, that's a function of youtube, not the html. Blocking it while still allowing inline video would require custom coding *just* for youtube.
 

Yeah, right. You make it sound as if it's magic to implement a regexp stripping &autoplay=1 and escaped equivalents from a URL.

Quoting kryo,

As an example though, even if embeds were removed someone might hotlink an inappropriate image. Should we block images in posts altogether as well because some people might be too stupid or immature to use it properly? Do we have to host all image posts ourselves and moderate each and every one? Where do you draw a line?

(And FYI, things like iframes and javascripts are already stripped from posts anyway.)

 

Try to realize that a security leak is not the same as a shocking picture, ok ?

And YES, moderators HAVE to moderate threads and disable whatever pics are not deemed suitable for their employer's website. That's what your report button is there for, isn't it?
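An added example, in Python, that is not code from this thread or from Stardock's forum software. It puts the two fixes argued over above side by side: the regexp that strips &autoplay=1 and its escaped equivalents (the blocklist Aroddo asks for here), and the route from the opening post, disabling raw HTML and rendering a dedicated tag for allowed embeds, where the player URL is rebuilt from the video id alone so no spelling of autoplay can get through. A small triage helper flags posts already stored as raw HTML that carry an autoplay URL or a zero-sized (hidden) embed. The [youtube]URL[/youtube] tag syntax, the host list, the fixed embed template and the sample post are all assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample post (not taken from the thread): the zero-sized,
# autoplaying Flash embed described in the opening post, pasted as raw HTML.
HIDDEN_EMBED_POST = (
    "Nice game!\n"
    '<object width="0" height="0">'
    '<param name="movie" value="http://www.youtube.com/v/43p7JPqZkPg&hl=de&autoplay=1"></param>'
    '<param name="allowscriptaccess" value="always"></param>'
    '<embed src="http://www.youtube.com/v/43p7JPqZkPg&hl=de&autoplay=1" '
    'type="application/x-shockwave-flash" allowscriptaccess="always" width="0" height="0"></embed>'
    "</object>"
)

AUTOPLAY = re.compile(r"[?&]autoplay=[^&]*", re.IGNORECASE)


def decode_url(url, max_rounds=3):
    """Undo HTML entities (&amp;) and percent-encoding (%26autoplay%3D1) until
    the string stops changing, so escaped spellings of &autoplay=1 become literal."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(url))
        if decoded == url:
            break
        url = decoded
    return url


def strip_autoplay(url):
    """Blocklist approach argued for in the thread: delete autoplay=... from the
    URL after decoding. Caveats: the result is the decoded URL, and only the
    parameter spellings AUTOPLAY anticipates are removed."""
    return AUTOPLAY.sub("", decode_url(url))


# Allowlist approach from the opening post: raw HTML is escaped, and a hypothetical
# [youtube]URL[/youtube] tag (assumed syntax, not the forum's) is the only way to
# get a player into a post. The embed is rebuilt from the video id alone.
YOUTUBE_TAG = re.compile(r"\[youtube\](.*?)\[/youtube\]", re.IGNORECASE | re.DOTALL)
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com"}
EMBED_TEMPLATE = (  # fixed size, no autoplay, no allowscriptaccess; only {vid} varies
    '<object width="480" height="295">'
    '<param name="movie" value="http://www.youtube.com/v/{vid}"></param>'
    '<embed src="http://www.youtube.com/v/{vid}" type="application/x-shockwave-flash" '
    'width="480" height="295"></embed></object>'
)


def extract_video_id(url):
    """Return the 11-character video id from a youtube.com /v/ID or /watch?v=ID
    URL, else None. Everything after the id is dropped, so no encoding of
    autoplay=1 can survive: the URL is rebuilt, not filtered."""
    parts = urlsplit(url.strip())
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    if parts.path.startswith("/v/"):
        # Old-style /v/ URLs carried "&hl=de&autoplay=1" inside the path itself.
        candidate = re.split(r"[/&?]", parts.path[3:], maxsplit=1)[0]
    elif parts.path == "/watch":
        candidate = parse_qs(parts.query).get("v", [""])[0]
    else:
        return None
    return candidate if VIDEO_ID.fullmatch(candidate) else None


def render_post(text):
    """Escape the whole post, then replace each [youtube] tag whose URL yields a
    valid id with EMBED_TEMPLATE; tags with unusable URLs are shown as text."""
    out, pos = [], 0
    for m in YOUTUBE_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        vid = extract_video_id(m.group(1))
        out.append(EMBED_TEMPLATE.format(vid=vid) if vid else html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Triage for posts already stored as raw HTML: which embed-related tags are there,
# does their URL ask for autoplay, and are they sized to zero (the hiding trick)?
EMBED_TAG = re.compile(r"<(object|embed|iframe|script|param)\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def audit_raw_html(text):
    findings = []
    for m in EMBED_TAG.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(2))}
        url = attrs.get("src") or attrs.get("value") or ""
        findings.append({
            "tag": m.group(1).lower(),
            "autoplay": AUTOPLAY.search(decode_url(url)) is not None,
            "hidden": attrs.get("width") == "0" or attrs.get("height") == "0",
        })
    return findings
```

The design point is that strip_autoplay has to chase every encoding of one parameter name and still hands back a URL it has altered, whereas render_post never copies the poster's URL into the page at all: only an id matching a fixed pattern is taken, and the size, host and parameters come from the template. That is also why the "disable html embedding and create tags for allowed embeds" suggestion costs no custom coding per parameter.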

June 13, 2009 2:01:34 PM from Demigod Forums

After your ridiculous remarks in reply #20, suggesting you step away from the internet if you're that afraid of what you might come across is hardly out of line. *Any* website you visit could have a hidden reference to another site that you don't want to be associated with, and it's not something unique to embed tags.

Unintentional DOS attacks will also result from users hotlinking images, posting links to sites that can't handle the load of viewers such links bring (digg, slashdot), and more. Allowing <embed> will not increase or decrease that either.

The only realistic issue here is that people can cause threads to autoplay annoying, inappropriate, or poorly timed noises... which you've been the first and only to do.

As I said, Bara's going to look into what can be done about autoplaying videos, because we do take people causing trouble for other users very seriously. But suggesting that it presents some other legal, ethical, or security issue that isn't already otherwise present and unavoidable in numerous ways is just silly, and at this point it's pretty obvious that you're just being argumentative for the sake of it.

Copyright © 2016 Stardock Entertainment and Gas Powered Games. Demigod is a trademark of Gas Powered Games. All rights reserved. All other trademarks and copyrights are the properties of their respective owners. Windows, the Windows Vista Start button and Xbox 360 are trademarks of the Microsoft group of companies, and 'Games for Windows' and the Windows Vista Start button logo are used under license from Microsoft. © 2012 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo and combinations thereof are trademarks of Advanced Micro Devices, Inc.