
[color=blue][b]Description:[/b][/color] Actually our current js linker, especially the one on the current generator has a security hole that makes people be able put some kinda malicious script by ins

November » n00b

[color=blue][b]Description:[/b][/color] Actually our current JS linker, especially the one on the current generator, has a security hole that makes people able to put some kind of malicious script by inserting it through the comments. Notice this part of the generated code:

[quote]<a href='URL OF JS' id='cradle'></a>[/quote]

That's the thing. You can actually insert the same id in a comment, usually by inserting a fake image with JS in it.

[color=blue][b]Suggestion:[/b][/color] Linker users, for security reasons, kindly set your comment setting to [color=white][b]never approve comments automatically[/b][/color]. To those who don't have any idea how to do this, [color=blue][b]please follow this instruction:[/b][/color]

[quote]- Log in to your Friendster account
- Click your account setting [url=http://www.friendster.com/editaccount.php][color=yellow]here...[/color][/url]
- Set the comment setting like the image below:
[color=black]--[/color][img]http://h1.ripway.com/crazydavinci/thecradleboard/comments.gif[/img]
- Click Save[/quote]

Also never forget to always check the comments before approving. If you see anything like this in the comment (in the HTML code or view source):

[quote][color=orange]id='cradle'[/color][/quote]

Just delete that comment and send us the profile of the one who sent it. Send it here: [url=http://the-cradle.users-board.com]The Cradle Forum[/url]

[b][color=orange]Another Suggestion[/color][/b]: put your cradle links in the About Me section; it could be in the About Me box or Who I Want to Meet. That would screen comments, since the About Me section comes before comments, but the import codes can only stay in the media box. So you should break apart the generated code from the generator into two parts.

First, this part in your media box:

[quote]<style type='text/css'>@impo\rt url(http://the-linker.bravehost.com/The-Cradle/reload.swf);</style>[/quote]

and this in About Me / Who I Want to Meet:

[quote]<a href='[color=yellow]URL OF YOUR JS[/color]' id='cradle'></a>[/quote]

Thanks to [b]Shakiro[/b] for this...

[color=blue][b]Note:[/b][/color] Just trying to inform you of the fact here. Angell actually already knows about this and is still experimenting with a solution to make the linker safer from profile defacing.

[color=red][b]The Cradle Administrative Team[/b][/color]

Last edited by November (2008-05-26 00:49:04)
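The manual check the post asks for (open the pending comments, view the source, look for id='cradle' before approving) can be done by a small scanner. The block below is an added example written for this archive; it is not code from the Cradle team, the linker or the generator. The function names and the three sample comments are constructed for the example, and it goes slightly beyond the post by also catching the id when it is written with double quotes, without quotes, or in different capitalisation. It only recognises id attributes in raw comment HTML, so it is a triage aid for a moderation queue, not a parser of Friendster's pages.

```javascript
// Added example (not from the thread): flag pending comments whose HTML reuses
// an element id that the profile's own linker code relies on (id='cradle').
// RESERVED_IDS, the function names and SAMPLE_COMMENTS are constructed here.

const RESERVED_IDS = ['cradle']; // the id used by the generated <a ... id='cradle'> line

// Match an id attribute in the forms a pasted comment might use:
//   id='cradle'   id="cradle"   id=cradle   ID = 'Cradle'
// The lookbehind keeps "data-id=" and "valid=" from matching.
const ID_ATTR_RE = /(?<![\w-])id\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'">]+))/gi;

// Return every id attribute value found in a fragment of HTML, in order.
function extractIds(html) {
  const ids = [];
  for (const m of html.matchAll(ID_ATTR_RE)) {
    ids.push((m[1] ?? m[2] ?? m[3]).trim());
  }
  return ids;
}

// Return the ids in the fragment that collide with a reserved id (case-insensitive).
function findReservedIds(html, reserved = RESERVED_IDS) {
  const wanted = new Set(reserved.map((s) => s.toLowerCase()));
  return extractIds(html).filter((id) => wanted.has(id.toLowerCase()));
}

// Review a list of pending comments; return only those that should be held.
// Each returned entry carries the colliding ids in `hits`.
function flagComments(comments, reserved = RESERVED_IDS) {
  return comments
    .map((c) => ({ ...c, hits: findReservedIds(c.html, reserved) }))
    .filter((c) => c.hits.length > 0);
}

// Constructed sample queue. The second comment hides the reserved id inside
// an image tag, the pattern the post describes; the third varies quoting/case.
const SAMPLE_COMMENTS = [
  { from: 'friend_a', html: '<p>nice layout!</p>' },
  { from: 'unknown_b', html: "<img src='http://example.invalid/x.gif' id='cradle'>" },
  { from: 'friend_c', html: '<a href="http://example.invalid/me" ID = "CRADLE">hi</a>' },
];

for (const c of flagComments(SAMPLE_COMMENTS)) {
  console.log(`hold comment from ${c.from}: reuses id ${c.hits.join(', ')}`);
}
```

Run it with Node and paste the raw HTML of each pending comment into the `html` field; anything it flags is the comment the post says to delete rather than approve. Because the scanner checks all forms of the attribute, a comment that is merely recased or requoted does not slip past the check.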

shakiro214 » FTalkGeek

=) I see the problem, that's clever ;) but that is quite a problem, friend :lol: maybe if users put their cradle links in the About Me section, that might also be an alternative to screening comments, since the About Me section comes before comments :D :thumbsup: the import codes can stay in the media box ;) it's just a thought ~~~:penguin:

Last edited by shakiro214 (2008-05-25 05:34:05)

cklahrckiey » FTalkFreak

There's another way to do it... just turn on safe mode, then you can delete the comment....

ohmygodthatKEL,shameless » n00b

[quote=November]Also never forget to always check the comments before approving. If you see anything like this on the comment (on the html code or view source):[/quote] [quote=November]id='cradle'[/quote] Errr. I did not understand this part. Can you please explain it to me? Please. :) Thank you. :):D:D

November » n00b

[quote=ohmygodthatKEL,shameless]Errr. I did not understand this part. Can you please explain it to me? Please. Thank you.[/quote] As you can see, our code has id='cradle' <-- id on it. Commenters can actually insert unusual codes on your profile by putting id='cradle' in their comments, like this one. They can put codes that will make your Friendster profile look unusual. In order to prevent this kind of thing, we suggest you set your comments to Required Approval, or rather set your account to safe mode. When you receive comments, try viewing your source, look at their comments and look for id='cradle' <-- this code. When you see one, delete it and give us the link to the user's profile.

-------------------

[color=red]@topic this has been updated.[/color]

Last edited by November (2008-05-26 00:50:44)

shakiro214 » FTalkGeek

;) I'm glad my suggestion was helpful =) have a nice day ~~~:penguin:

Last edited by shakiro214 (2008-05-26 11:47:12)

November » n00b

[quote=shakiro214]I'm glad my suggestion was helpful have a nice day ~~~[/quote] Yes it is.. have a nice day too!

ohmygodthatKEL,shameless » n00b

[quote=November]when you receive comments.. try viewing your source and see their comments then look for id='cradle' <-- this code. when you see one delete it. and give us the link of the user's profile.[/quote] You mean when I'm on my pending comments page, I'll go to the source page, then look for that [b]id='cradle'[/b]? Hahaha. I just repeated what you have said. Silly me. Erkk.

November » n00b

[quote=ohmygodthatKEL,shameless]You mean when I'm on my pending comments page, I'll go to the source page then look for that id='cradle'[/quote] Precisely hehe.. ^^

prettychinita05 » FTalker

[quote=November]Another Suggestion : put your cradle links in the about me section, it could be in about me box or who i want to meet. That would screen comments since about me section comes before comments but the import codes can only stay in the media box. So you should break apart the generated code from the generator into two parts. First, this part on your media box : <style type='text/css'>@impo\rt url(http://the-linker.bravehost.com/The-Cradle/reload.swf);</style> and this on about me/who i want to meet : <a href='URL OF YOUR JS' id='cradle'></a> Thanks to Shakiro for this...[/quote] Can I ask a question? What if I'm using the CSS linker only, because I did the JS - CSS conversion method? Is it OK if I don't do this?

yunish » FTalkFreak

Ohh.. thanks for sharing this one.. =)

korean_fevah » n00b

Awwww.... thanks for sharing.. I was going crazy because my JS tweaks were not working....

November » n00b

[quote=prettychinita05]Can I ask a question? What if I'm using the CSS linker only, because I did the JS - CSS conversion method? Is it OK if I don't do this?[/quote] There's no need; this is for the JS linker only.

krjalagat » FTalker

Thanks for this... this is very helpful, thanks for sharing!!

darylldelfin » FTalkGeek

^Please don't spam.. I might report you.. @topic: another solution is making your own linker, like in this thread: http://theftalk.com/t34452-june-26-2008-Linker-Solutions-%28bandwidth-problems%29-UPDATED%21.html and changing the id "cradle" to anything else.. :D View my comments section.. www.friendster.com/comments.php?uid=17327297 Notice something? :eh:

regiehiozn » FTalkFreak

Hm.. I saw one last time but can't remember the link.. I also saw a JS linker there he was promoting.. the linker looked weird, with a lot of links and stuff.. and this line was also present.. <a href='URL OF YOUR JS' id='cradle'></a>

switpotato » FTalkGeek

[quote=November]Notice this part on the generated code.. <a href='URL OF JS' id='cradle'></a> that's the thing.. u can actually insert the same id on comment usually by inserting fake image with js on it.[/quote] I don't really understand this part. How come a link can execute JS... ain't that incomplete... and since script can't be read without any conversion, since FS filtered that part... I think there's nothing to worry about unless some wicked individuals try to find out.. but since this thread is open.. then you just gave away a hint...

Ephemeral » FTalkElite

Wow comment XSS. That's new. I think. :penguin: Anyway be careful guys. :eh:

switpotato » FTalkGeek

lol Ephe hahaha... :paranoid: I'm spamming waaa :penguin:

Ephemeral » FTalkElite

[quote=switpotato]i dont really understand this part how come a link can execute js... aint that incomplete...[/quote] Just follow up hehe... It works because the extension of the script can be found in the media box. If the idea was being used by someone else, if you insert the a id part, it will just get the ID from the XML in the media box. The best way to prevent this is to make your own XML file.