cbc message board killed by javascript?


Randy Webb

Unreal said:
Some porn spammer posted some javascript to this board

http://pub.alxnet.com/guestbook?id=2009014

and now it automatically redirects all visitors to an xxx site.

No, it only redirects those with scripting enabled.
How is he doing this mischief?

Using the onload attribute of an img tag to set the location.href property.
Is there way to post a 2nd javascript post
that would kill the malicious javascript?

Not easily. It would be easier to remove the offending post to begin with.

<B>Name:</B> <A HREF="mailto:[email protected]">tacos</A><BR>
<B>Homepage:</B> <A HREF="http://www.kinkyshit.net"
TARGET="_self">http://www.kinkyshit.net</A><BR>
<B>Hometown:</B> http://www.kinkyshit.net<BR>
<B>Sent:</B> 6.49 - 8/29<BR>
<BR><img src="http://www.dailyfreshporn.com/x.jpg"
onload="document.location.href='http://www.kinkyshit.net'"><BR>
<HR>

There is your offending code. Remove it and all problems are solved.
Temporarily. It would be easier to change the script on the server to
remove scripts and onload attributes.
 

Lasse Reichstein Nielsen

Unreal said:
Some porn spammer posted some javascript to this board

Inventive buggers. I'm usually against the death penalty, but for
spammers, I'm not so sure.
http://pub.alxnet.com/guestbook?id=2009014
and now it automatically redirects all visitors to an xxx site.

How is he doing this mischief?

The easy way to find out is to disable javascript and go look at the page.
The offending element seems to be this one:
---
<img src="http://www.dailyfreshporn.com/x.jpg"
onload="document.location.href='http://www.kinkyshit.net'">
---
Is there way to post a 2nd javascript post
that would kill the malicious javascript?

Probably not. You might, if you are lucky, have your script executed
before his image is done loading, and then remove his onload handler.
However, the next time a browser gets there, the image is already in the
cache, so I doubt any script will be fast enough.

Fixing this is a job for the site administrator. He might want to
filter submissions in the future (no HTML input is a good beginning)
to avoid recurring problems.

/L
 

Michael Winter

Some porn spammer posted some javascript to this board

http://pub.alxnet.com/guestbook?id=2009014

and now it automatically redirects all visitors to an xxx site.

How is he doing this mischief? Is there way to post a 2nd javascript
post that would kill the malicious javascript?

The user has included an image and attached the load intrinsic event to
it. When the image is loaded, his code is called and the page is reloaded
with the new URI.

The simplest way to prevent this is to strip all HTML from input, or
render it harmless by replacing angle brackets with the &lt; and &gt;
entity references. If you do want posters to format their posts, I'd just
do what most forum systems do: define a limited set of character
sequences, like for italics, and replace them with the actual HTML,
<em> or <i> in this case, when the message is uploaded to the server.

If you want more information on how to do this, you're now in the realm of
server-side languages, so you'll need to search for the relevant
newsgroup(s).

By the way, you might want to contact the service provider of that site. I
found their terms and conditions, which specifically prohibits spamming.
It also bans "material that is illegal, libelous, tortuous, or likely to
result in retaliation against Phatservers.net." The adult site might be
deemed to fall under that category (I didn't check).

Address your e-mails to

(e-mail address removed)

and

(e-mail address removed)

but remember to keep the original data. You'll need proof to back up a
complaint.

Good luck,
Mike
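As an added example, not code from the thread or from the guestbook in question: a server-side filter in the spirit of Lasse's "filter submissions" and Mike's "escape, then allow a limited set of sequences" advice, written in JavaScript (Node) for illustration. The `[i]`/`[b]` token syntax and the example.invalid URLs are assumptions.

```javascript
// Step 1: make every character that can open markup or an attribute value
// inert. "&" goes first so entities produced later are not double-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Step 2: a fixed allow-list of poster markup and the HTML it becomes.
// Only these literal tokens are ever turned into real tags (assumed syntax).
const MARKUP = [
  [/\[i\]([\s\S]*?)\[\/i\]/g, '<em>$1</em>'],
  [/\[b\]([\s\S]*?)\[\/b\]/g, '<strong>$1</strong>'],
];

// Escape first, then substitute: nothing the poster typed can survive as a
// tag or attribute, so an onload handler in the input is just visible text.
function sanitizePost(raw) {
  let out = escapeHtml(raw);
  for (const [pattern, replacement] of MARKUP) {
    out = out.replace(pattern, replacement);
  }
  return out;
}

// Audit helper for the board admin: does a stored entry still contain a
// live tag other than the ones the filter itself emits? Useful for checking
// entries saved before the filter existed.
function looksLikeLiveMarkup(stored) {
  return /<(?!\/?(?:em|strong)>)[a-z!\/]/i.test(stored);
}

// Constructed sample with the same shape as the post quoted in the thread.
const SPAM_POST =
  '<img src="http://example.invalid/x.jpg" ' +
  'onload="document.location.href=\'http://example.invalid\'">';

console.log(sanitizePost(SPAM_POST));
console.log(sanitizePost('Nice board, [i]really[/i]!'));
```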
 

Unreal

Thanks, fellas, I will let the board admin know and pass along all of
your advice.
 
