#522 closed Task (fixed)
Spam message on BOINC user survey results page
| Reported by: | mo.v | Owned by: | davea |
|---|---|---|---|
| Priority: | Undetermined | Milestone: | Undetermined |
| Component: | Undetermined | Version: | |
| Keywords: | | Cc: | |
Description
On this page of the BOINC user survey results available to view from the BOINC website index page http://boinc.ssl.berkeley.edu/poll_improved_text.html there's a post dated 24 Oct 2007 that contains a fairly large horizontally scrolling message saying Tlaxcala Hackers Team, plus a picture that doesn't display for me. I don't think this means the survey or the BOINC website has actually been hacked - it's just the contents of a message. But it gives a bad impression and needs to be deleted.
I quickly went through the rest of the posts on that very long page and found nothing else abnormal.
Mo
Change History (8)
comment:1 Changed 17 years ago by
comment:2 Changed 17 years ago by
Those responses need to be looked at more regularly anyway. If they'd been read by someone who knows what they're doing at the end of October or early November, this message would have been noticed much earlier.
comment:3 Changed 17 years ago by
| Owner: | set to davea |
|---|---|
comment:4 follow-up: 5 Changed 17 years ago by
Assigning to David. I can't even load the whole page without my Firefox crashing. It won't load further than the 19th of October 2006 in IE6. ;-)
comment:5 Changed 17 years ago by
I have a report of the page crashing another cruncher's Firefox. On IE the page takes ages to load. Would it be a good idea to start a new clean page for the responses?
comment:7 Changed 17 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Yes, responses are stored in a DB. I fixed the long-page problem, though I notice that the results page (which is not long) makes Firefox go into 100% CPU mode for some reason.
comment:8 Changed 17 years ago by
If even the text is on a DB, I may write a script to show it correctly HTML-escaped and in separate pages. Otherwise, I'd have to make it clean up the existing big HTML files, and that could be tricky depending on what unescaped HTML code is in the text.
Just a plain old HTML injection. The bad thing is this could be used to do XSS on BOINC alpha or BOINC dev forums (same domain).
Off-topic: lots of people are (ab)using that page to ask for help. There should be a message on the poll form to tell people not to use it to ask for help; since it's unlikely somebody will find his message, and there is no way to answer them anyway.
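As an added example of the escaped, paginated rendering proposed in comment 8 (this is not BOINC's own code): it takes constructed sample responses, assumed to come from the database, emits each page with every user-supplied field HTML-escaped so injected tags render as literal text, and includes a review check that flags stored responses containing markup.

```python
import html
import re

# Constructed sample of stored survey responses. The second one carries injected
# markup of the kind the ticket describes; the real stored text is not on the page.
SAMPLE_RESPONSES = [
    {"date": "2007-10-23", "text": "More projects for Mac users, please."},
    {"date": "2007-10-24",
     "text": '<marquee>Example Hackers Team</marquee><img src="http://example.invalid/x.png">'},
    {"date": "2007-10-25", "text": 'Add a "batch" option & fewer downloads'},
]

# Matches the start of an HTML tag or comment; a bare "<" in "a < b" is not flagged.
TAG_RE = re.compile(r"<[A-Za-z/!]")


def render_response(resp):
    """Render one response; html.escape() converts < > & and quotes to entities."""
    return "<p><b>%s</b> %s</p>" % (html.escape(resp["date"]), html.escape(resp["text"]))


def count_pages(responses, per_page=2):
    """Number of pages needed when splitting the long results page into chunks."""
    return (len(responses) + per_page - 1) // per_page


def render_page(responses, page, per_page=2):
    """Return the HTML fragment for 1-based page number `page`.

    Raises ValueError for a page number outside the valid range instead of
    silently returning an empty page.
    """
    if page < 1 or page > count_pages(responses, per_page):
        raise ValueError("page %d out of range" % page)
    start = (page - 1) * per_page
    chunk = responses[start:start + per_page]
    return "\n".join(render_response(r) for r in chunk)


def find_markup(responses):
    """Reviewer's check: dates of stored responses that contain HTML markup."""
    return [r["date"] for r in responses if TAG_RE.search(r["text"])]


if __name__ == "__main__":
    for p in range(1, count_pages(SAMPLE_RESPONSES) + 1):
        print("--- page %d ---" % p)
        print(render_page(SAMPLE_RESPONSES, p))
    print("responses needing review:", find_markup(SAMPLE_RESPONSES))
```

With per_page=2 the sample yields two pages; the injected response on page 1 appears as visible `&lt;marquee&gt;` text rather than an active element.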