Selling cookie info to third parties is a classic example of how you can make money without doing evil.

XSS'ing the Telegraaf

2007/08/25 filed under /web

De Telegraaf is considered by some a trustworthy source of news. It is the website of one of the biggest newspapers in the Netherlands and, like so many other big websites, it is not XSS-safe.

After showing my new co-workers my eBay XSS adventure, I thought it would be nice to go see what else is out there. Heck, it's been almost a year!

My first try was this newspaper and boom, there we go. Within minutes I had some of my own text on the website and after fixing a thing or two, it also worked in Microsoft's Internet Explorer.

Since the newspaper is in Dutch, I figured my article had to be in Dutch as well and I basically copied the Webwereld article which talks about the eBay exploit (which was way more nasty and fun, but oh well).

Roughly, it talks about a Dutch guy finding the XSS leak in the website, while complaining about the security of this big "professional" website. And of course, it shows you your telegraaf.nl cookie(s).

Click on the image to see the full size (and I apologize, for I don't know how to capture the Flash advertising on the site ;-)

The live version, if the site is still unpatched, can be viewed through my not too nicely crafted URL.


Update: the URL above is no longer working, for the Telegraaf patched it. Unfortunately, a patch was preferred over a full solution, for the XSS hole is still open!

And welcome Webwereld readers!


Update: Finally, the Telegraaf is encoding user input in search queries! It seems they've closed this XSS hole now.

Too bad they did not respond to my email at all. A simple reply like "we're looking into it" would be nice. Guess I'll have the police at my door soon ;-)
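The search-query reflection described in this post and its two updates, as an added example that is not code from the original post or from telegraaf.nl: the vulnerable reflection, the kind of narrow blocklist "patch" that leaves the hole open, and the full fix of entity-encoding the query. The page, the "Zoekresultaten" markup, the blocklist pattern and the payloads are all constructed for illustration; nothing here is the newspaper's actual code.

```javascript
// Added example (not from the original post or from telegraaf.nl).
// A search results page rendered three ways with a reflected query.

// Constructed sample payloads: the cookie-stealing classic, and two that
// walk straight past a blocklist that only strips literal <script> tags.
const QUERY_PAYLOAD = '<script>alert(document.cookie)</script>';
const BYPASS_EVENT_HANDLER = '<img src=x onerror="alert(document.cookie)">';
const BYPASS_NESTED = '<scr<script>ipt>alert(document.cookie)</scr</script>ipt>';

// 1. Vulnerable: the query lands in the HTML body untouched.
function renderSearchVulnerable(q) {
  return `<h1>Zoekresultaten voor: ${q}</h1>`;
}

// 2. Narrow "patch" (assumed pattern): kill the one payload that was
// reported. Each replace runs once over the string, so a payload that
// reassembles itself after the strip, or one that never used <script>
// at all, is still reflected live.
function renderSearchBlocklist(q) {
  const filtered = q.replace(/<script>/gi, '').replace(/<\/script>/gi, '');
  return `<h1>Zoekresultaten voor: ${filtered}</h1>`;
}

// 3. Full solution: encode every character HTML gives meaning to, so the
// browser renders the query as text no matter what it contains.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSearchEncoded(q) {
  return `<h1>Zoekresultaten voor: ${escapeHtml(q)}</h1>`;
}

// Crude check used only to compare the three renderings: does the page
// contain a raw <script> tag or a tag carrying an on* event handler?
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Walk through all combinations; returns {renderer: {payload: bool}}.
function compareRenderers() {
  const renderers = { vulnerable: renderSearchVulnerable, blocklist: renderSearchBlocklist, encoded: renderSearchEncoded };
  const payloads = { script: QUERY_PAYLOAD, eventHandler: BYPASS_EVENT_HANDLER, nested: BYPASS_NESTED };
  const result = {};
  for (const [rName, render] of Object.entries(renderers)) {
    result[rName] = {};
    for (const [pName, p] of Object.entries(payloads)) {
      result[rName][pName] = containsActiveContent(render(p));
    }
  }
  return result;
}

console.table(compareRenderers());
```

The blocklist row is the interesting one: it "fixes" the reported URL while both bypass payloads still execute, which is exactly what a patched link with an open hole looks like from the outside. Note that `escapeHtml` is correct for the HTML body context only; a query reflected inside an attribute, a `<script>` block or a URL needs the encoding for that context, not this one.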


Posted by: B10m | permanent link | comments (6)

We have the Wii!

2007/08/14 filed under /personal

Yesterday, I saw the Nintendo Wii for the first time at a birthday party and after playing for some time, I decided I really needed a Wii too! So today I went out and bought myself one. It's so much fun!

I can't believe the controls. They work amazingly well. This is definitely the way consoles will (or should) all work in the future. Think of it as Duck Hunt (also Nintendo (?)) but working well.

The Wii games you get with the machine (tennis, baseball, bowling, boxing and golf) are already fun. Can't wait to explore more games.

Definitely a good source of fun! Highly recommended.

Here's an action pose ;-)

Posted by: B10m | permanent link | comments (2)

Dutch MP Wilders and Google's Tiananmen Square

2007/08/08 filed under /web, /news

We all know that Google censors content for our Chinese friends. A simple query for tiananmen square on different Google servers shows you the difference. But what some of you may not know (I stumbled upon it only today) is that Google censors not just based on domain name (google.com vs google.cn) but also on language.

Let's look at the German domain, first without language settings:

Now just append &hl=zh-CN to the URL and Tank Man has disappeared (mostly; the images still fall through the cracks of Google's filters now and then).

The reason for this post was a burst of ignorance and stupidity by one of our members of parliament, Geert Wilders. He's notorious for his ignorant proposals, like calling the immigration of Muslims a "tsunami of Islamisation", and of course he wanted a ban on burqas.

But today he went completely berserk and deemed it necessary to propose a ban of the Qur'an, just like we still have a ban on Hitler's "Mein Kampf". But he wanted to take it a step further: he wanted to make it illegal to even possess a copy of the Qur'an. Yeah ... and the best part, his party is called "Party for Freedom". Freedom for white, Christian males, that is (probably).

Not long after, reports were filed with the police for insulting a section of the community. Let's see if that works.

I always find it very strange that a Party for Freedom wants to ban so many things. Banning books is like being Google in China. Do we really want that? I doubt it.

Posted by: B10m | permanent link | comments (0)