Hard Hat Area
Because he boinked some fat blonde a few times there's a photographer who now has a kid and half a billion dollars or so, proof to the porn industry that you don't have to pull out for the money shot. Had he just shot his load all over her not-inconsequential ass, we might actually hear some real news, like, say, the subpoena duces tecum Congress sent the US Department of Justice for documents on the Attorneys General firings. Or not. Blind pilots? What's next, iPods for the deaf?
It's no better here. "Check out Feature XXX! Feast your eyes on Feature YYY!! Set your very own colour scheme!!!" And what about the big, gaping CSS security hole? "Pay no attention to that monkey in the corner. We're feature-rich! We're innovating!"
We're a bunch of fuckwits.
Hey $MegaCorp! Did you notice that it's easy to take the client URL and hijack a session with CSS? I can just append any old URL and the browser will be redirected! We need a solution!

Yeah, we need one, too. This one's been documented a dozen times. There are a few things to consider though:
- It can't be exploited if you're using cookies
- There's no reason not to use HTTPS in any sensitive environment
- Since the URL is coming from within the trusted system, there's not much threat
- What little threat exists is the same as any other sort of hack against your server
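One way to make those four points concrete on the server side, as an added example that is not from the post or from whatever $MegaCorp product it is about: read the session id from a cookie only, ignore and report one carried in the URL, refuse to honour a session over plain HTTP, flag the cookie so it never travels in the clear, and check redirect targets so an appended URL cannot send the browser off-site. The handler names, the "sid" cookie name and the sample requests are assumptions I constructed.

```python
"""Session handling that closes the holes listed above.

Added example, not the original post's code. The function names, the
"sid" cookie name and the sample values in __main__ are assumptions.
"""
from http.cookies import SimpleCookie
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "sid"  # assumed cookie name


def session_from_request(url: str, cookie_header: str,
                         is_https: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (session_id, rejection_reason).

    The session id is only ever read from the Cookie header. A session id
    that arrives in the query string is ignored and reported, so a URL that
    was copied into a mail, a proxy log or a referer cannot be replayed as
    someone else's session. Sessions are only honoured over HTTPS.
    """
    if not is_https:
        return None, "refusing session on plaintext transport"
    query = parse_qs(urlsplit(url).query)
    if SESSION_COOKIE in query:
        return None, "session id supplied in URL; ignored"
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if SESSION_COOKIE not in jar:
        return None, "no session cookie"
    return jar[SESSION_COOKIE].value, None


def set_session_cookie(session_id: str) -> str:
    """Set-Cookie value for a freshly issued session.

    Secure: the browser never sends it over HTTP.
    HttpOnly: script injected into the page cannot read it.
    SameSite=Strict: it is not attached to cross-site requests.
    """
    return (f"{SESSION_COOKIE}={session_id}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Allow only same-origin, absolute-path redirect targets.

    Anything carrying a scheme or host (http://other.example,
    //other.example), a scheme-less protocol-relative form, or a backslash
    (which some browsers treat as a slash) falls back to the default.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    if "\\" in target:
        return default
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(session_from_request("https://app.example/page?sid=abc", "", True))
    print(session_from_request("https://app.example/page",
                               "sid=abc123; theme=dark", True))
    print(session_from_request("http://app.example/page", "sid=abc123", False))
    print(set_session_cookie("abc123"))
    print(safe_redirect_target("/account"))
    print(safe_redirect_target("//other.example/x"))
```

The redirect check is the part most often skipped: rejecting a token in the URL does nothing if the same URL can still bounce the browser, cookie and all, to a host the attacker controls, so the two checks belong together.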
Yeah, well I don't want to wear pants at home but when I'm cooking chicken-fried steak, I prefer the Levi's to hot spattering oil hitting Mr Happy. If you want your highly-sensitive information available on-line, you need more than just that firewall you really only installed to prevent your employees spending their working hours on GooTube and i-am-bored.com.
Setting up HTTPS on IIS is fucking point-and-click. If your "admin" is so incompetent that he can't set up SSL on fucking IIS, fire the fuckwit and hire a high school student. All it takes is a click, a right click, a click, a check that the port is 443, three more clicks, selecting a checkbox, then two more clicks. A drunk macaque could enable SSL within a day.
Official Root cause: 1-Defect.
True Root cause: 17-Fuckwit.
x-posted from HuSi, where there's a poll.