Elliott C. Back: In Aere Aedificare

Squidoo XSS Exploit Leads to Wordpress Spam Deluge

Posted in Spam, Wordpress, Adsense, Hacking, YouTube, WP, Monetization by Elliott Back on July 2nd, 2007.

I’ve been getting a lot of Wordpress comment / trackback spam pointing to Squidoo these days, because it doesn’t validate the HTML markup users can enter into their pages. This makes it easy for spammers to put in an iframe with an external src that basically redirects the browser to their spam (usually porn) page. If the javascript were nice it would look like this:

// once the page has loaded, send the browser to the spam landing page
window.onload=function(){
    window.location = "http://wpi.biz/in.cgi?5&parameter=porn";
}

The page you get redirected to looks like a bunch of adult-themed Youtube videos–they’re just images, actually, which I’ve censored–that prompt you to download something that’s probably spyware. I didn’t really investigate this further, it’s obviously very evil:

youtube.png

The code actually sitting on Squidoo’s servers looks like this:

squidoo-wp-spam-iframe.png

And the comments left on my blogs are of the form:

New trackback on your post #1852 "Coding Horror:  Hot Tech Blog"
Website: hot ebony men (IP: 190.72.74.193 , <a href="http://190-72-74-193.dyn.dsl.cantv.net" title="http://190-72-74-193.dyn.dsl.cantv.net" target="_blank">190-72-74-193.dyn.dsl.cantv.net</a>)
URI    : <a href="http://www.squidoo.com/some-nasty-url/" title="http://www.squidoo.com/some-nasty-url/" target="_blank">www.squidoo.com/some-nasty-url/</a>
Excerpt: hot ebony men…

I’ve sent email to both the Akismet team and the Squidoo team about this, hopefully they will:

  1. Implement kses-based filtering on their html input *immediately*
  2. Add some spam-weight to the squidoo domain until this is fixed

There’s no excuse for an XSS attack of this simplicity to exist. Javascript, iframes, etc. should be disallowed. Just let basic markup through, and strip out the rest! For now, I also recommend adding the word “squidoo” to your blacklist in the Wordpress discussion options.
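One way to do the kses-style “let basic markup through, strip the rest” filtering recommended above, as an added example (not Squidoo’s or WordPress’s own code): a small Python allowlist filter built on the standard-library HTML parser that keeps a few harmless tags, drops iframes and scripts together with their contents, and discards event-handler attributes and javascript: URLs. The tag/attribute allowlists and the sample input are constructed assumptions, not taken from the spam pages.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: basic markup only, with the attributes each tag may carry.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
           "br": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
# Tags whose entire contents are dropped, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class KsesLikeFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1          # swallow everything until it closes
            return
        if self.skip_depth or tag not in ALLOWED:
            return                        # unknown tag: keep its text, drop the tag
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                  # this also drops every on* handler
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                  # drops javascript:/data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")  # void tags get no closing tag

    def handle_data(self, data):
        if not self.skip_depth:           # text outside dropped elements survives, escaped
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    f = KsesLikeFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)


# Constructed sample modelled on the iframe trick described above (not real spam).
SAMPLE = ('<p>hot <b>links</b> <iframe src="http://example.invalid/in.cgi?5"></iframe>'
          '<a href="javascript:alert(1)" onclick="x()">click</a><a href="http://example.invalid/" title="ok">fine</a></p>')
```

Running sanitize(SAMPLE) leaves only the paragraph, the bold text and the two links, with the javascript: href and onclick handler gone; a real deployment would extend the allowlist, not the deny list.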

Update: According to the Squidoo blog, iframes will be banned as of July 12th. I can’t think of anything you can do with an iframe that you can’t do with regular HTML except untrusted stuff, like redirects or arbitrary JS.

This entry was posted on Monday, July 2nd, 2007 at 7:40 pm and is tagged with html markup, ebony men, html input, deluge, spammers, dyn, simplicity, excerpt, js, squidoo, excuse, amp, uri, horror, servers, blogs, adult, blog, images.

3 Responses to 'Squidoo XSS Exploit Leads to Wordpress Spam Deluge'

  1. Kenny said:

    on July 2nd, 2007 at 9:05 pm

    How negligent. Libraries like HTML Purifier simple enough to use — what plausible reason do they have for allowing that type of markup?

  2. Kenny said:

    on July 2nd, 2007 at 9:06 pm

    Whoops.. “Libraries like HTML Purifier are simple enough to use”

  3. Ken Savage said:

    on July 3rd, 2007 at 12:10 am

    Setting phasers to stun, I’m going in to take a closer look. Ensign Smith will you accompany me?
