Announcement

Collapse
No announcement yet.

Injection attack--actinicextras.js?Dayno=masa

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    Injection attack--actinicextras.js?Dayno=masa

    Looking through my Actinic website logs I'm getting the following


    Code:
    xxx.xxx.106.254 - - [27/Feb/2012:19:08:06 +0000] "GET /shop/theme.css HTTP/1.1" 304 176 "http://www.nippergrip.com/shop/catalog.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)"
xxx.xxx.106.254 - - [27/Feb/2012:19:08:06 +0000] "GET /shop/actiniccore.js?DAYNO=MASA HTTP/1.1" 304 153 "http://www.nippergrip.com/shop/catalog.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)"
xxx.xxx.106.254 - - [27/Feb/2012:19:08:06 +0000] "GET /shop/actinicextras.js?DAYNO=MASA HTTP/1.1" 304 153 "http://www.nippergrip.com/shop/catalog.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)"
    If I goto the pages references there are scary scripts....

    Code:
    var bPageIsLoaded = false;
/***********************************************************************
*
* setCookie -	Generic Set Cookie routine
*
* Input: sName	 -	Name of cookie to create
*	 sValue	 -	Value to assign to the cookie
*	 sExpire -	Cookie expiry date/time (optional)
*
* Returns: null
*
************************************************************************/

function setCookie(sName, sValue, sExpire) 
    {
    var sCookie = sName + "=" + escape(sValue) +"; path=/";	// construct the cookie
    if (sExpire)
    	{
    	sCookie += "; expires=" + sExpire.toGMTString();	// add expiry date if present
    	}
    document.cookie = sCookie;					// store the cookie
    return null;
    }
    etc etc etc


    and

    Code:
    /***********************************************************************
*
* getCartItem		-	Gets the Actinic Cart Value & No of Items
*
* Input: nIndex	-	Cart item index to retrieve
*							1 = TOTAL_VALUE
*							3 = CART_COUNT
*
* Returns:				Requested cart item or 0 (zero) if not found
*
************************************************************************/

//CART_CONTENT = Cookie name
//1 = TOTAL_VALUE
//3 = CART_COUNT

var PASSWORD_MATCH_ERROR = "Passwords do not match.";

function getCartItem(nIndex)
	{
	var act_cart= getCookie("CART_CONTENT")
	var sTemp =(act_cart != null) ? sTemp=act_cart.split("\t"):0;
	return (sTemp.length > 0) ? sTemp[nIndex] : 0;
	}
    Is this right?

    Seems to me that the scripts could be used for some form of URL injection attack as looking at them I can see the password validation logic, shopping cart functions, payment processing logic etc etc.

    J/.
    www.nippergrip.com
    Get a Handle on your kids
    Tags: None
    #2
    Don't panic! There are essential and benign JavaScripts. There's nothing wrong with them.

    What you refer to as password validation logic is just code running when a form is submitted and comparing the 2 password entries (Type a password / Type it again) and alerting if they're not the same. Saves a trip to / from the server for a simple test. Hardly site killer stuff.

    This isn't Hollywood where someone types frantically for about 5 seconds and manages to create a virus that can wipe out an entire interstellar faring species.
    Norman - www.drillpine.biz
    Edinburgh, U K / Bitez, Turkey

    Comment

      #3
      We (Actinic) do take security very seriously and having been in the game for nearly 16 years we have a lot of experience.

      At this point in time we are not aware of any security flaws in our code, provided you are on the latest release.

      Chris

      Comment

        #4
        Thanks Chris that's always reassuring to hear statements like that.

        This isn't Hollywood where someone types frantically for about 5 seconds and manages to create a virus that can wipe out an entire interstellar faring species.
        That one always amuses me Norman: "hero writes virus that fatally crashes a totally alien computer OS beyond all redemption", if the aliens are advanced enough to get to Earth surely they would have a self repairing computer OS, or it would be so alien we would need a lifetime to try and understand it?
        Steve Griggs.

        "People in business often miss opportunities, mainly because they usually arrive dressed in overalls and looking like work."



        www.kitchenwareonline.com
        www.microwave-repair.co.uk

        Comment

        Previous template Next
        Working...
        X