Damn! spam have just mentioned wwwboard as an example of masive trampolization. I've got a news for you - it was expected. Wwboard allow <script> insertion in their new message body and that was broadly known(google for it) since I believe 2003. Some time ago I discovered that wwwboard allows to inject javascript code into a parent page (via `Subject' field). I have to say that wwwboard is just only one example of old abandoned code all over the places here and there in the internet. Besides anchient strange scripts like matt's ones there are also some home-grown engines used at particluar web site. Need an example? Good one is yahoo groups and <iframe> by spamhuntress. Another one is xanga.com. I've just found that it vulnerable to onLoad attrubute of <img> tag (see my previous post about other possible traffic redirection tricks.)
The rule is - if there is an old unpatched/unmontained (but still working) code on an old resourse that allows third peoples to add content, and there is nobody looks at it as administrator - it will be trampolinized.
0 comments:
Post a Comment