|
Post by commentator on Jun 20, 2011 23:10:38 GMT -5
When clicking on a post on these boards, my browser (IE version 9.0.8112.16421; update version 9.0.1) popped up a message that said something like, 'your browser has modified this page to prevent cross-site scripting.'
Curious, I turned to Wikipedia where I learned:
"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner."
So, is that a Proboards problem or is it a vulnerability specific to notmsnmoney?
Virgil: Made this thread sticky and an announcement.
|
|
|
Post by commentator on Jun 21, 2011 8:20:19 GMT -5
You don't. Either this board or ProBoards in general has a security hole that they must close.
|
|
moon/Laura
Administrator
Forum Owner
Joined: Dec 17, 2010 15:05:36 GMT -5
Posts: 10,127
|
Post by moon/Laura on Jun 21, 2011 9:18:03 GMT -5
from the Wish List thread, « Reply #580 on Jun 1, 2011, 9:28pm »
PI, you've run into a problem that others have seen. Here's a brief rundown:
ProBoards gives us the ability to write HTML code using scripts on the board. For example, the 'Spell Check' and 'Preview' buttons, or the smiley panel. If this isn't done safely, it can result in a type of security attack known as an XSS attack. Basically, if I wrote my code in such a way that another webpage could redirect your browser to notmsnmoney and use an XSS vulnerability to inject HTML code, the attacker could log your keystrokes, or potentially gain access to your username/password info. To do this, the attacker would have to get you to visit his/her website (maybe by sending you an e-mail impersonating moonbeam).
Now, I assure you that none of the code I've written uses the mechanisms to write HTML that can be exploited by these kinds of attacks. Simply put: the tasks I use it for are too specific to throughput user code. I will immediately disclaim, however, that my code is only a small portion of the total client-side code being run.
Some browsers (IE 9 being one of them) are apparently 'cracking down' on scripts that, at a very cursory glance, could be used to exploit an XSS vulnerability. I can run the site without problems on my home version of IE 9, and so there must be some other factor that the browser doesn't like. It could be that you're being redirected to notmsnmoney.proboards.com by some other site, or that your ISP runs webpages in a shell so that they can monitor your Internet activity. It could also be that one of your plugins is 'wrapping' itself around all of the webpages you view so that it can have a higher security level.
My advice is this:
- disable all of your plug-ins and see if that solves the problem; if it does, you can turn them back on one-by-one to find out which one is causing the problem
- see if you can get any information about this "cross-site scripting disabled" error. I cannot help you if I don't know why your browser is choking. If you can click on the error message, get detailed information, an error code, anything, it would help.
- if you trust i) me, ii) ProBoards, iii) Google analytics, iv) moonbeam, and v) ProBoards advertisers, you could mark this domain as 'trusted', which would likely stop the error from popping up
Regards, Virgil
|
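The risk described in the quoted post above (board scripts that write HTML from text) is illustrated here as an added example; it is not part of the thread and is not ProBoards' or this board's code. The function names, smiley file names and sample post text are constructed for illustration.

```javascript
// Added illustration: a "Preview"-style board script that turns post text
// into HTML. All names and sample input are constructed for this example.

// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: user text is pasted into markup as-is, so any tags in it become
// live page content (the pattern the post says must be avoided).
function renderPreviewUnsafe(postText) {
  return '<div class="preview">' + postText + '</div>';
}

// Hypothetical smiley codes and the fixed image files they map to.
const SMILEYS = { ':)': 'smile.gif', ':(': 'sad.gif' };
const SMILEY_RE = /(:\)|:\()/;

// Safer: split the text once on smiley codes, escape every user-supplied
// piece, and emit only markup that the script itself defines.
function renderPreviewSafe(postText) {
  const parts = String(postText).split(SMILEY_RE); // odd indexes are smiley codes
  const html = parts
    .map((part, i) =>
      i % 2 === 1
        ? '<img src="/smileys/' + SMILEYS[part] + '" alt="' + escapeHtml(part) + '">'
        : escapeHtml(part)
    )
    .join('');
  return '<div class="preview">' + html + '</div>';
}

// Constructed sample post containing markup a user should not be able to add.
const samplePost = 'Nice thread :) <script>alert(1)</script>';
console.log(renderPreviewUnsafe(samplePost));
console.log(renderPreviewSafe(samplePost));
```

In the safe version the tag arrives in the page as visible text, while the smiley still renders because that markup comes from the script's own fixed table.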
|
Virgil Showlion
Distinguished Associate
Moderator
leones potest resistere
Joined: Dec 20, 2010 15:19:33 GMT -5
Posts: 27,448
|
Post by Virgil Showlion on Jun 21, 2011 9:35:24 GMT -5
This problem has been identified by a few people lately. I haven't been able to identify the common factor, but I suspect it may be a plug-in associated with a particular anti-malware suite such as McAfee or Norton AV.
It would help if all people still affected, including those who have submitted PMs to moonbeam and/or myself, submitted to this thread:
- specific browser version info (this is usually found under Help > About... or Help > Get Browser Info...)
- name of anti-malware (antivirus) software suite being used, if any
- if possible, a screenshot of the message indicating that scripts have been disabled. The easiest way to obtain a screenshot is to press Alt+PrtScn when the message is visible. You can then open up Microsoft Paint (or similar program), select Paste from the menu, and save the image as a file in .JPG format. Then, simply attach the file to a post in this thread
We'll do our best to fix whatever is causing the problem, but be forewarned that the problem may be with the many scripts used by ProBoards advertisers, in which case there's nothing we can do about it.
Thanks, and Regards, Virgil
|
|
mizbear
Senior Member
Stand back. I have a budget, and I know how to use it.
Joined: Jan 2, 2011 13:12:46 GMT -5
Posts: 3,958
|
Post by mizbear on Jun 21, 2011 9:44:01 GMT -5
I have gotten the same screen message too- I will get you the info ASAP- I thought it was just my computer PMS-ing.
|
|
|
Post by Virgil Showlion on Jun 21, 2011 9:48:21 GMT -5
It is, in a sense. Panicking Malware Software
|
|
|
Post by commentator on Jun 21, 2011 9:48:34 GMT -5
You can post the name(s) of the advertiser(s).
|
|
|
Post by moon/Laura on Jun 21, 2011 10:00:33 GMT -5
how would we know which of their many is triggering it?
for those of you using IE (ewww!!) , do you get the error every page refresh? if so, then it could be ANY ad. if not, then you could make note of which ad you're seeing at that time because otherwise there is no way for virgil or i to be able to determine a problem with any specific one.
|
|
mmhmm
Administrator
It's a great pity the right of free speech isn't based on the obligation to say something sensible.
Joined: Dec 25, 2010 18:13:34 GMT -5
Posts: 31,770
Today's Mood: Saddened by Events
Location: Memory Lane
Favorite Drink: Water
|
Post by mmhmm on Jun 21, 2011 10:03:07 GMT -5
I've gotten the message, as well, but it's intermittent. I'm running IE9 with McAfee. If I see the message again, I'll get a shot of it.
|
|
|
Post by Virgil Showlion on Jun 21, 2011 10:07:58 GMT -5
Comm, ads are served up by Google. We're open to literally millions of advertisers.
|
|
Deleted
Joined: Nov 22, 2024 7:17:19 GMT -5
Posts: 0
|
Post by Deleted on Jun 21, 2011 10:12:46 GMT -5
I'm running Chrome with Norton, and I don't get that message. But I DO still have that virus protection ad popping up-- full page-- on my screen on this pro-board only, with no invite. Not as much as before, just occasionally now. Pro-boards did have some kind of attack a few days ago. Marsha made a thread about it, with a link to the Pro-Board maintenance board. I guess it is pro-boards having issues, rather than just THIS board. Chrome is MUCH faster than IE9, by the way, AND Firefox.. but it is google, not my fav company...
|
|
nasagreen
Familiar Member
Joined: Dec 28, 2010 8:08:37 GMT -5
Posts: 509
|
Post by nasagreen on Jun 21, 2011 10:21:28 GMT -5
I get this message from OfficeScan when running IE8, Google Chrome, or Mozilla Firefox. It happens for every page refresh. I also cannot see VSmilies with either of these browsers at all. I can see VSmilies others use in their posts fine. Also, if I use the codes in a post, I cannot see the VSmilies and others cannot either, but if they quote my post and then re-post, the VSmilies will start working again and all can see the icons. Attachments:
|
|
|
Post by moon/Laura on Jun 21, 2011 10:24:28 GMT -5
I haven't gotten any zone alarm page hijacks in a few days now..
Virgil, I don't know if you had that happen to you or not but this was actually a redirect to a zone alarm ordering page. And as far as i can tell, this didn't stem from a banner ad that was accidentally clicked. i can't and won't swear to that though because i often don't look at them and when this happens, it takes over my existing FF tab (rather than opening a new one like would normally happen).
|
|
|
Post by Deleted on Jun 21, 2011 10:26:31 GMT -5
Personally, I have firefox and I block all scripts from running, but I am pretty sure that is not what you would recommend for members of the board.
|
|
|
Post by moon/Laura on Jun 21, 2011 10:26:45 GMT -5
nasagreen, if you have the ability to 'allow' those "yourjavascript" urls, then it is safe to do so.
that is where our scripts are stored and will directly impact the vsmilies
|
|
|
Post by mmhmm on Jun 21, 2011 10:44:46 GMT -5
> I haven't gotten any zone alarm page hijacks in a few days now.. Virgil, I don't know if you had that happen to you or not but this was actually a redirect to a zone alarm ordering page. And as far as i can tell, this didn't stem from a banner ad that was accidentally clicked. i can't and won't swear to that though because i often don't look at them and when this happens, it takes over my existing FF tab (rather than opening a new one like would normally happen).
I haven't seen the ZoneAlarm redirect in several days. Come to think of it, I haven't seen the message about cross-site scripting since yesterday. Has anyone else seen it this morning?
|
|
Cass
Senior Member
Joined: Dec 24, 2010 0:43:29 GMT -5
Posts: 2,451
|
Post by Cass on Jun 21, 2011 11:36:08 GMT -5
I've been getting this message at most of the sites I visit since my machine automatically downloaded IE9. It's annoying and slows everything way down. I am officially done with IE.
|
|
|
Post by nasagreen on Jun 21, 2011 11:50:24 GMT -5
moonbeam - i don't have the ability to add any sites to a trusted sites list, so that must be why i can't use vsmilies....oh well. our company is very security addicted and a little overbearing
|
|
TheOtherMe
Distinguished Associate
Joined: Dec 24, 2010 14:40:52 GMT -5
Posts: 28,361
|
Post by TheOtherMe on Jun 21, 2011 11:53:37 GMT -5
> Personally, I have firefox and I block all scripts from running, but I am pretty sure that is not what you would recommend for members of the board.
This is what I have and I've never gotten the message. I also have Webroot for my antivirus and it blocks most of the ad banners.
|
|
|
Post by moon/Laura on Jun 21, 2011 12:44:13 GMT -5
I don't get the error myself either, because i simply REFUSE to use ie
|
|
|
Post by mmhmm on Jun 21, 2011 13:02:22 GMT -5
I'm not getting the message anymore, moon. Whatever it was, IE seems to have managed to hiccup it out of its system.
|
|
|
Post by Deleted on Jun 21, 2011 14:13:42 GMT -5
Virgil-- are you working on the boards?? My Karma function is kicking me to the sign in screen....
|
|
|
Post by Virgil Showlion on Jun 21, 2011 15:58:41 GMT -5
Krickitt: was away on business. I have no idea why your karma function is booting you out. You've most likely set your browser to block all cookies. Whenever ProBoards requires verification that you're you, it detects that you're cookieless and sends you to the login screen. That's the best I can figure.
|
|
|
Post by Deleted on Jun 21, 2011 16:03:35 GMT -5
Very weird. I didn't change anything.. Maybe I will restart..I don't have to log in again, can just go back, but I think my Ks are sticking.. It's been a weird day for the boards.
|
|
|
Post by mizbear on Jun 21, 2011 18:09:57 GMT -5
I have not seen the cross scripting thing today since I have been on- and I have been on a lot today (or off, all in how you look at it).
|
|
|
Post by commentator on Jun 21, 2011 20:15:02 GMT -5
> Comm, ads are served up by Google. We're open to literally millions of advertisers.
I've only been using IE9 for a short time but this board is the only place I've seen that message. Yesterday, I saw it twice.
|
|
|
Post by Virgil Showlion on Jun 21, 2011 21:07:01 GMT -5
Comm, this site is "special" in the sense that some of the code is used to generate HTML. Most of the content is user-generated to begin with.
It seems that some combination of the right ads popping up, with this site, with a finicky malware suite is what's causing the problems. If you were getting the errors consistently, I might set up a session with you where I disabled various modules and asked for your feedback on whether you were still getting the error. That might allow us to root out the specific modules giving us trouble.
But if you're only seeing the problem intermittently, that approach is useless. And as I say, I haven't been able to reproduce the problem on my end.
Somebody could try moving to FF, Chrome, or Opera and installing a plugin called AdBlock Plus. It prevents ads from showing up. It might solve the problem. ProBoards (understandably) puts language in their ToS that users shouldn't block ads--but if the ads are ruining your site experience, there's really no other recourse.
|
|
|
Post by moon/Laura on Jun 21, 2011 21:31:33 GMT -5
Virgil, i use FF without the adblock, and i don't get the error..
DI, i'm sure you're right.. they've made it too complicated for the average user..
|
|
|
Post by Virgil Showlion on Jun 21, 2011 21:49:49 GMT -5
I think malware detectors are causing the problem, moon. But they're reacting to something that could theoretically be remedied.
|
|
|
Post by commentator on Jun 22, 2011 0:16:18 GMT -5
I only saw the problem (twice) around midnight EDT June 20/21. It hasn't occurred since.
|
|