funsec mailing list archives
RE: Yet another problem at whitehouse.gov
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 27 Dec 2005 16:13:49 -0500
> I bet it takes 30 seconds to download all those 404 pages on a dialup
> line.

I'm sure they compress very well and that there's compression going on
somewhere in the stack. Why don't you "Send Electronic Mail to the Web
Development Team" (http://www.whitehouse.gov/contact/mail-developers.html)?
Make sure they're clear that you're a red-blooded patriot looking to serve
your country.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Tuesday, December 27, 2005 3:55 PM
To: funsec () linuxbox org
Subject: RE: [funsec] Yet another problem at whitehouse.gov

Yep, this is a Q/A problem and not a security problem. Except that the
Whitehouse.gov site is DoSing people on dialup connections. ;-)

I bet it takes 30 seconds to download all those 404 pages on a dialup
line.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
Sent: Tuesday, December 27, 2005 3:39 PM
To: funsec () linuxbox org
Subject: RE: [funsec] Yet another problem at whitehouse.gov

The page has a large group of onload= statements in the BODY tag:

    <BODY ... onLoad="MM_preloadImages('/images/header3/home_on_r2_c5.jpg','#1');
    MM_preloadImages('/images/header3/home_on_r2_c7.jpg','#2');
    MM_preloadImages('/images/header3/home_on_r2_c8.jpg','#3');
    MM_preloadImages('/images/header3/home_on_r2_c11.jpg','#4');
    MM_preloadImages('/images/header3/home_on_r2_c15.jpg','#5');
    MM_preloadImages('/images/header3/home_on_r2_c18.jpg','#6');
    MM_preloadImages('/images/header3/home_on_r3_c20.jpg','#7');
    MM_preloadImages('/images/header3/home_on_r3_c6.jpg','#8');
    MM_preloadImages('/images/header3/home_on_r3_c9.jpg','#9');
    MM_preloadImages('/images/header3/home_on_r3_c12.jpg','#10');
    MM_preloadImages('/images/header3/home_on_r3_c13.jpg','#11');
    MM_preloadImages('/images/header3/home_on_r3_c17.jpg','#12');
    MM_preloadImages('/images/header3/home_on_r3_c10.jpg','#13')">

These appear to be attempts to preload images so that the page draws
smoothly. I added them to my test page
(http://www.larryseltzer.com/whtest.html) and, whaddayaknow, some of them
are dead links. Sloppy programming and/or webmastering. Not a security
issue.

Incidentally, here's the source for the preload function:

    function MM_preloadImages() { //v2.0
      if (document.images) {
        // every argument is a URL except the '#n' markers, which are skipped below
        var imgFiles = MM_preloadImages.arguments;
        if (document.preloadArray == null) document.preloadArray = new Array();
        var i = document.preloadArray.length;
        with (document)
          for (var j = 0; j < imgFiles.length; j++)
            if (imgFiles[j].charAt(0) != "#") {
              preloadArray[i] = new Image;
              // assigning .src issues the request, whether or not the file exists
              preloadArray[i++].src = imgFiles[j];
            }
      }
    }

There's nothing really wrong here, it's just that (as you have pointed out)
if it's called on a missing file you get the whole 404 handler. You're
right, it sucks there is no image.exists() method.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Tuesday, December 27, 2005 2:13 PM
To: funsec () linuxbox org
Subject: RE: [funsec] Yet another problem at whitehouse.gov

Hi Larry,

Here are some of the missing images that I'm seeing with a packet sniffer:

    http://www.whitehouse.gov/images/header3/home_on_r2_c8.jpg
    http://www.whitehouse.gov/images/header3/home_on_r2_c11.jpg
    http://www.whitehouse.gov/images/header3/home_on_r2_c15.jpg
    http://www.whitehouse.gov/images/header3/home_on_r2_c18.jpg

As you can see, they all redirect to a 404 error page.

(As an aside, this is an interesting little defect in the HTTP protocol. A
browser is expecting an image file, but it is getting back an HTML file. A
Web site 404 handler might want to return an image file instead based on a
.GIF or .JPG extension. Another option is to return a 404 error for image
files and not redirect to an error page.)

If you don't see the missing images in Firefox, it's probably because they
are being loaded by JavaScript and they are not part of the DOM. I had a
client making the same error. A packet sniffer is about the only way to
spot this kind of problem.

The Whitehouse is probably paying 4 to 5 times the amount of money for Web
bandwidth than they really need to.

BTW, I'm using a product called Fiddler
(https://www.fiddlertool.com/fiddler/) to spot these problems. Fiddler is
really a great product. It's the best packet sniffer I've run across for
watching HTTP traffic. The free price is nice also.

As far as Russia goes, it is a great place to visit but I wouldn't want to
live there. I did find amusing the Russian supermarkets that sell American
software for a couple of bucks per CD-ROM.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
Sent: Tuesday, December 27, 2005 1:16 PM
To: funsec () linuxbox org
Subject: RE: [funsec] Yet another problem at whitehouse.gov

Yeah, go back to Russia!

But in the meantime, I just made a web page
(http://www.larryseltzer.com/whtest.html) which references every graphic
listed on the whitehouse.gov site, as listed by the Firefox View Page Info
feature. I see 59 of them and they're all hits.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of TheGesus
Sent: Tuesday, December 27, 2005 12:53 PM
To: funsec () linuxbox org
Subject: Re: [funsec] Yet another problem at whitehouse.gov

Why do you hate America?

On 12/27/05, Richard M. Smith <rms () computerbytesman com> wrote:
> Hi,
>
> Here's another problem I just noticed with my packet sniffer at the
> Whitehouse Web site. The Whitehouse home page is referencing 9 image
> files which don't exist on the Whitehouse server. The server instead
> sends back a 19K byte 404 error page for each image file. The missing
> image problem seems to exist on other Web pages at the Whitehouse site
> also.
>
> Since none of these error pages get cached, 190K bytes of junk is being
> continuously sent to visitors as they go through the Whitehouse Web
> site. This is no big deal for folks with broadband connections, but it
> dramatically increases the amount of data being sent to someone on a
> dialup connection which typically works only at 5K bytes per second.
> Without any 404 errors, a Whitehouse Web page should only be 10K to 30K
> bytes in size.
>
> Richard M. Smith
> http://www.ComputerBytesMan.com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Yet another problem at whitehouse.gov Richard M. Smith (Dec 27)
- Re: Yet another problem at whitehouse.gov TheGesus (Dec 27)
- RE: Yet another problem at whitehouse.gov Larry Seltzer (Dec 27)
- RE: Yet another problem at whitehouse.gov Richard M. Smith (Dec 27)
- RE: Yet another problem at whitehouse.gov Larry Seltzer (Dec 27)
- RE: Yet another problem at whitehouse.gov Richard M. Smith (Dec 27)
- RE: Yet another problem at whitehouse.gov Larry Seltzer (Dec 27)
- RE: Yet another problem at whitehouse.gov Richard M. Smith (Dec 27)
- RE: Yet another problem at whitehouse.gov Larry Seltzer (Dec 27)
- Re: Yet another problem at whitehouse.gov TheGesus (Dec 27)
- Re: Re[2]: Yet another problem at whitehouse.gov Gadi Evron (Dec 27)
- <Possible follow-ups>
- Re: Yet another problem at whitehouse.gov Dan Renner (Dec 27)
- Re: Yet another problem at whitehouse.gov Fergie (Dec 27)
- Diebold Dies Larry Seltzer (Dec 27)
- Re: Diebold Dies Nick FitzGerald (Dec 27)
- Diebold Dies Larry Seltzer (Dec 27)