cbc message board killed by javascript?

Discussion in 'Javascript' started by Unreal, Sep 11, 2004.

  1. Unreal

    Unreal Guest

    Some porn spammer posted some javascript to this board


    http://pub.alxnet.com/guestbook?id=2009014


    and now it automatically redirects all visitors to an xxx site.

    How is he doing this mischief? Is there a way to post a 2nd javascript post
    that would kill the malicious javascript?

    tia!
     
    Unreal, Sep 11, 2004
    #1

  2. Randy Webb

    Randy Webb Guest

    Unreal wrote:
    > Some porn spammer posted some javascript to this board
    >
    >
    > http://pub.alxnet.com/guestbook?id=2009014
    >
    >
    > and now it automatically redirects all visitors to an xxx site.


    No, it only redirects those with scripting enabled.

    > How is he doing this mischief?


    Using the onload attribute of an img tag to set the location.href property.

    > Is there a way to post a 2nd javascript post
    > that would kill the malicious javascript?


    Not easily. It would be easier to remove the offending post to begin with.

    <B>Name:</B> <A HREF="mailto:">tacos</A><BR>
    <B>Homepage:</B> <A HREF="http://www.kinkyshit.net"
    TARGET="_self">http://www.kinkyshit.net</A><BR>
    <B>Hometown:</B> http://www.kinkyshit.net<BR>
    <B>Sent:</B> 6.49 - 8/29<BR>
    <BR><img src="http://www.dailyfreshporn.com/x.jpg"
    onload="document.location.href='http://www.kinkyshit.net'"><BR>
    <HR>

    There is your offending code. Remove it and all problems are solved.
    Temporarily. It would be easier to change the script on the server to
    remove scripts and onload attributes.

    --
    Randy
    comp.lang.javascript FAQ - http://jibbering.com/faq
     
    Randy Webb, Sep 11, 2004
    #2

  3. Unreal <> writes:

    > Some porn spammer posted some javascript to this board


    Inventive buggers. I'm usually against the death penalty, but for
    spammers, I'm not so sure.

    > http://pub.alxnet.com/guestbook?id=2009014
    > and now it automatically redirects all visitors to an xxx site.
    >
    > How is he doing this mischief?


    The easy way to find out is to disable javascript and go look at the page.
    The offending element seems to be this one:
    ---
    <img src="http://www.dailyfreshporn.com/x.jpg"
    onload="document.location.href='http://www.kinkyshit.net'">
    ---

    > Is there a way to post a 2nd javascript post
    > that would kill the malicious javascript?


    Probably not. You might, if you are lucky, have your script executed
    before his image is done loading, and then remove his onload handler.
    However, the next time a browser gets there, the image is already in the
    cache, so I doubt any script will be fast enough.

    Fixing this is a job for the site administrator. He might want to
    filter submissions in the future (no HTML input is a good beginning)
    to avoid recurring problems.

    /L
    --
    Lasse Reichstein Nielsen -
    DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
    'Faith without judgement merely degrades the spirit divine.'
     
    Lasse Reichstein Nielsen, Sep 11, 2004
    #3
  4. On Sat, 11 Sep 2004 16:44:29 GMT, Unreal <> wrote:

    > Some porn spammer posted some javascript to this board
    >
    > http://pub.alxnet.com/guestbook?id=2009014
    >
    > and now it automatically redirects all visitors to an xxx site.
    >
    > How is he doing this mischief? Is there a way to post a 2nd javascript
    > post that would kill the malicious javascript?


    The user has included an image and attached the load intrinsic event to
    it. When the image is loaded, his code is called and the page is reloaded
    with the new URI.

    The simplest way to prevent this is to strip all HTML from input, or
    render it harmless by replacing angle brackets with the &lt; and &gt;
    entity references. If you do want posters to format their posts, I'd just
    do what most forum systems do: define a limited set of character
    sequences, like for italics, and replace them with the actual HTML,
    <em> or <i> in this case, when the message is uploaded to the server.

    If you want more information on how to do this, you're now in the realm of
    server-side languages, so you'll need to search for the relevant
    newsgroup(s).

    By the way, you might want to contact the service provider of that site. I
    found their terms and conditions, which specifically prohibit spamming.
    It also bans "material that is illegal, libelous, tortuous, or likely to
    result in retaliation against Phatservers.net." The adult site might be
    deemed to fall under that category (I didn't check).

    Address your e-mails to



    and



    but remember to keep the original data. You'll need proof to back up a
    complaint.

    Good luck,
    Mike

    --
    Michael Winter
    Replace ".invalid" with ".uk" to reply by e-mail.
     
    Michael Winter, Sep 11, 2004
    #4
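The escape-then-whitelist approach recommended in the last two replies (strip or neutralise all HTML on the server, then map a small fixed set of sequences to attribute-free tags), as an added example that is not from the thread. It assumes a hypothetical [i]/[b] markup convention and uses a constructed sample post with placeholder hosts in place of the quoted guestbook entry.

```javascript
// Added example: server-side rendering of guestbook posts that cannot carry a
// handler like the onload= shown in the thread. Not code from the thread.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Step 1: turn every HTML metacharacter into an entity reference, so any tag or
// attribute the poster typed is displayed as text instead of parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// Step 2: reintroduce only a fixed, server-chosen set of sequences (hypothetical
// [i]...[/i] and [b]...[/b] markup), mapped to tags with no attributes at all.
const MARKUP = [
  [/\[i\]([\s\S]*?)\[\/i\]/g, '<em>$1</em>'],
  [/\[b\]([\s\S]*?)\[\/b\]/g, '<strong>$1</strong>'],
];

function renderPost(text) {
  let out = escapeHtml(text); // escaping happens first, so step 2 never sees raw '<'
  for (const [pattern, replacement] of MARKUP) {
    out = out.replace(pattern, replacement);
  }
  return out;
}

// Checks that the only live tags in rendered output are the ones this code emits.
function containsOnlyAllowedTags(html) {
  const tags = html.match(/<\/?[a-z]+[^>]*>/gi) || [];
  return tags.every((t) => /^<\/?(em|strong)>$/.test(t));
}

// Constructed sample shaped like the offending entry in the thread (placeholder hosts).
const MALICIOUS_POST =
  '<img src="http://example.invalid/x.jpg" onload="document.location.href=\'http://example.invalid/\'">';

// Constructed sample of a legitimate post using the permitted markup.
const NORMAL_POST = 'Great board, [i]thanks[/i] & keep it up [b]everyone[/b]!';

console.log(renderPost(MALICIOUS_POST)); // the img tag comes out as inert text
console.log(renderPost(NORMAL_POST));    // only <em> and <strong> are emitted
```

Because the markup pass runs on already-escaped text, even `[i]<img onload=...>[/i]` renders as an `<em>` around escaped text, never as a live image tag.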
  5. Unreal

    Unreal Guest

    "Michael Winter" <> wrote in
    news:opsd6bsk0hx13kvk@atlantis:

    > On Sat, 11 Sep 2004 16:44:29 GMT, Unreal <> wrote:
    >
    >> Some porn spammer posted some javascript to this board
    >>
    >> http://pub.alxnet.com/guestbook?id=2009014
    >>
    >> and now it automatically redirects all visitors to an xxx site.
    >>
    >> How is he doing this mischief? Is there a way to post a 2nd javascript
    >> post that would kill the malicious javascript?

    >
    > The user has included an image and attached the load intrinsic event
    > to it. When the image is loaded, his code is called and the page is
    > reloaded with the new URI.
    >
    > The simplest way to prevent this is to strip all HTML from input, or
    > render it harmless by replacing angle brackets with the &lt; and &gt;
    > entity references. If you do want posters to format their posts, I'd
    > just do what most forum systems do: define a limited set of character
    > sequences, like for italics, and replace them with the actual
    > HTML, <em> or <i> in this case, when the message is uploaded to the
    > server.
    >
    > If you want more information on how to do this, you're now in the
    > realm of server-side languages, so you'll need to search for the
    > relevant newsgroup(s).
    >
    > By the way, you might want to contact the service provider of that
    > site. I found their terms and conditions, which specifically
    > prohibit spamming. It also bans "material that is illegal, libelous,
    > tortuous, or likely to result in retaliation against
    > Phatservers.net." The adult site might be deemed to fall under that
    > category (I didn't check).
    >
    > Address your e-mails to
    >
    >
    >
    > and
    >
    >
    >
    > but remember to keep the original data. You'll need proof to back up a
    > complaint.
    >
    > Good luck,
    > Mike
    >


    Thanks, fellas, I will let the board admin know and pass along all of
    your advice.
     
    Unreal, Sep 11, 2004
    #5