[lug] Web crawler advice

Bear Giles bgiles at coyotesong.com
Tue May 6 18:29:43 MDT 2008


You might ask for "foo.jpg", but you'll actually get back something with 
mimetype text/javascript.  Some browsers are dumb enough to go "oh, I 
got some javascript!  Let me execute it!" instead of saying "hey, wait, 
I should only see image/* on an <img> src."  Remember that file 
extensions don't mean squat.  (Or shouldn't mean squat.  I'm sure there 
are some that ignore the mimetype header in preference for the url's 
file extension.)

karl horlen wrote:
> I know you took the fifth and I'm not saying I would even try your 
> proposed method ;-).
>
> But how does one attach a js to an image if you don't control the page 
> that loads the image?  Since someone is deep linking the image from a 
> page you don't own, if you don't own or control the page you can't 
> insert js.
>
> I can see how this can work if one was posting to a forum or on 
> comments that were poorly designed and did a lame job of filtering 
> input.  You could post both the image and some script in the text body 
> field.  But without access to the page, is what you describe below 
> even possible for the deeplinking redirect scenario you described below?
>
> Thanks
>
>     (I take the Fifth on how many I've done
>      accidentally.)
>
>     The one that still blows my mind is the reported exploit where an <img> 
>     gets a -javascript- object back and executes it!  The JS can do nasty 
>     stuff before loading the image after itself.  How many people would 
>     think to look for malicious js code coming from an <img> tag?
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
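
The check described in the message above (only image/* should be accepted for an <img> src, and the file extension proves nothing), written out for a crawler or filtering proxy. This is an added example, not part of the original post; the function names, the short magic-byte table and the example.test URLs are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Leading "magic" bytes of a few common image formats (deliberately short list).
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def sniff(body):
    """Return the image type implied by the body's first bytes, or None."""
    for mime, prefixes in MAGIC.items():
        if body.startswith(prefixes):
            return mime
    return None


def check_image_response(url, content_type, body):
    """Return (verdict, reason) for a response fetched for an image reference.

    The URL's file name is never used for the decision, only for the reason.
    """
    name = urlparse(url).path.rsplit("/", 1)[-1]
    declared = (content_type or "").split(";")[0].strip().lower()
    if not declared.startswith("image/"):
        return "reject", f"{name} served as {declared or 'no Content-Type'}"
    actual = sniff(body)
    if actual is None:
        return "reject", f"{name} declared {declared} but body is not a known image"
    if actual != declared:
        return "suspect", f"{name} declared {declared} but body looks like {actual}"
    return "accept", declared


# Constructed sample responses (not real traffic): url, Content-Type, first bytes.
SAMPLES = [
    ("http://example.test/foo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("http://example.test/foo.jpg", "text/javascript; charset=utf-8", b"var x = 1;"),
    ("http://example.test/foo.jpg", "image/jpeg", b"var x = 1;"),
    ("http://example.test/foo.png", "image/png", b"GIF89a\x01\x00\x01\x00"),
]

if __name__ == "__main__":
    for url, ctype, body in SAMPLES:
        print(url, ctype, "->", check_image_response(url, ctype, body))
```
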



