Closed Bug 252758 Opened 21 years ago Closed 21 years ago

onload event can cause continuous prompting for extension install

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

x86
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: brianr, Assigned: dveditz)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5

This page will alternate between prompting to install an extension and displaying a javascript message box which says "Click YES to view this page". Holding down escape eventually clears up the dialogs, but an inexperienced user might click YES and install undesired software on their PC.

Reproducible: Always

Steps to Reproduce:
1. Visit example URL with javascript enabled

Actual Results:
Misleading dialogs appear encouraging installation of untrusted software.

Expected Results:
First time clicking cancel should have precluded appearance of further dialogs.

With a current Mozilla trunk build I get neither an install dialog for an XPI (probably because of the whitelist) nor a javascript alert (don't know why it doesn't appear here). With Firefox 0.9.0 also nothing happens. With Firefox 0.8 sometimes a dialog pops up. Maybe this site serves different content every time?

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a3) Gecko/20040723

This website tries to install several "plug-ins". Following the link, I'm asked to install bridge-c8.cab. This file is located at http://public.windupdates.com/cab/AgeVerifier/IE/

Loading that address (typed in, not by clicking in the dialog box) gives http://static.vpptechnologies.com/blaze/landing.html

Trying to load http://public.windupdates.com/cab/AgeVerifier/IE/bridge-c8.cab leads to the same address, so they must be using the referrer to block download if tried in other ways than clicking on their links.

After downloading this, accepting the download (save to disk, not open by default application PAZIP), I don't get molested any more.

That is my 2nd try to look at the site; on the 1st try I had a big grin saying no to the age-verifier plugin, and then got molested with the download plug-in, bridge-c5.cab. I saved it to disk and unpacked it. Inside that 19kb cab is a small .inf file, most important content below:

[BridgeX.dll]
file-win32-x86=thiscab
clsid={15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
RegisterServer=yes

and BridgeX.DLL. Looking at the DLL with a hex-viewer, I see that the code inside the DLL is packed with UPX.

I also saved the HTML of the page, complete and HTML only. Looking at the source, I tried to load http://www.negativebeats.com/plugin.html and got offered sbc_netscape.xpi for download.

Save as Webpage, complete, gives a folder lola_files, and inside this folder a folder counter produced by calling a .php, and inside this folder counter three broken gifs, like top_arrow.html showing a 404 (instead of /images/top_arrow.gif), and a prompt.js, holding only document.write() lines with escaped content, like this:

document.write("7b%76%61%72%20%70%4e%3b%76%61%72%20%75%47%3b%76%61%72%20%71%45%3b%76%61%72%20%63%50%3d%6e%52%2e%75%7");

People having done this site did a good job in social engineering and working around 100% width bugs; width is always specified as 99%.

Guess this website would be fine for including into next release note ;-) TechEvangelism, not to the webmaster, but to the user.

Website tries to install spyware TR/SPY.Briss.H.2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BRISS.H
http://www.blazefind.com/index.php?section=help-bar

Another user said he couldn't get out of a loop without confirming 'O.K', so he had to kill Mozilla to leave the loop. Maybe there should be an emergency button beneath the Location Bar, to instantly disable JS.

*** Bug 254566 has been marked as a duplicate of this bug. ***
I was working on this in another bug, taking. The URL in that case was http://www.cracks.am/cracks/a7.html but the script came from the same source and the symptoms were the same. Attachments there show the downloaded script (one version) and a broken attempt to decrypt it. Each time you download it the cryptic 3-char variable and function names are different, but otherwise the script is the same.
Assignee: xpi-engine → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
I took attachment 155355 from bug 254566, defined a function expose() that pretty-prints JS, and replaced the evil script's eval() with expose(). The output from this doesn't work either -- running it results in "m0q is not defined".
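
Added example, not part of the original bug comments or its attachments: a static way to inspect a prompt.js-style script without running any of it, by percent-decoding the string literals passed to document.write(). The helper names, the flag list and the second sample line are assumptions made for this example; the first sample line is the fragment quoted in an earlier comment on this bug.

```javascript
// Static decoding only: nothing from the sample is evaluated or written
// into a DOM.

// Constructed stand-in for prompt.js. The first string is the fragment quoted
// in an earlier comment on this bug (truncated there); the second is made up.
const SAMPLE_PROMPT_JS = [
  'document.write("7b%76%61%72%20%70%4e%3b%76%61%72%20%75%47%3b%76%61%72%20%71%45%3b%76%61%72%20%63%50%3d%6e%52%2e%75%7");',
  "document.write('%65%76%61%6c%28%78%29');",
].join("\n");

// Decode well-formed %XX escapes. A malformed escape (such as the trailing
// "%7") is kept verbatim and counted; decodeURIComponent() would throw on it.
function decodePercent(text) {
  let malformed = 0;
  const decoded = text.replace(/%([0-9a-fA-F]{2})|%/g, (match, hex) => {
    if (hex === undefined) { malformed += 1; return match; }
    return String.fromCharCode(parseInt(hex, 16));
  });
  return { decoded, malformed };
}

// Collect the string-literal argument of every document.write("...") call.
function extractWrites(source) {
  const re = /document\.write\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  return Array.from(source.matchAll(re), (m) => m[2]);
}

// Tokens worth a second look in a decoded layer (terms taken from this bug).
const FLAGS = ["eval(", "document.write(", ".xpi", ".cab", "onload"];

// Hypothetical helper: decode each written string and report what it contains.
function analyzeScript(source) {
  return extractWrites(source).map((raw) => {
    const { decoded, malformed } = decodePercent(raw);
    const flags = FLAGS.filter((f) => decoded.toLowerCase().includes(f));
    return { decoded, malformed, flags };
  });
}

for (const layer of analyzeScript(SAMPLE_PROMPT_JS)) {
  console.log(JSON.stringify(layer));
}
```

A non-zero `malformed` count means the input was cut off or damaged, so the decoded text for that layer is incomplete.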
WFM now. I think the onload block got this one, and if not the whitelist.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard