Elliott C. Back: Internet & Technology

Squidoo XSS Exploit Leads to Wordpress Spam Deluge

Posted in Adsense, Hacking, Monetization, Spam, WP, Wordpress, YouTube by Elliott Back on July 2nd, 2007.

I’ve been getting a lot of Wordpress comment / trackback spam pointing to Squidoo these days, because it doesn’t validate the HTML markup users can enter into their pages. This makes it easy for spammers to put in an iframe with an external src that basically redirects the browser to their spam (usually porn) page. If the javascript were nice it would look like this:

// Spammer's redirect: once the iframe has loaded, send the visitor to the spam page
window.onload = function () {
    window.location = "http://wpi.biz/in.cgi?5&parameter=porn";
};

The page you get redirected to looks like a bunch of adult-themed YouTube videos (they’re just images, actually, which I’ve censored) that prompt you to download something that’s probably spyware. I didn’t really investigate this further; it’s obviously very evil:

[Image: youtube.png]

The code actually sitting on Squidoo’s servers looks like this:

[Image: squidoo-wp-spam-iframe.png]

And the comments left on my blogs are of the form:

New trackback on your post #1852 "Coding Horror: Hot Tech Blog"
Website: hot ebony men (IP: 190.72.74.193 , 190-72-74-193.dyn.dsl.cantv.net)
URI : www.squidoo.com/some-nasty-url/
Excerpt: hot ebony men...

I’ve sent email to both the Akismet team and the Squidoo team about this, hopefully they will:

  1. Implement kses-based filtering on their html input *immediately*
  2. Add some spam-weight to the squidoo domain until this is fixed

There’s no excuse for an XSS attack of this simplicity to exist. Javascript, iframes, etc. should be disallowed. Just let basic markup through, and strip out the rest! For now, I also recommend adding the word “squidoo” to your blacklist in the Wordpress discussion options.
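To show what “let basic markup through and strip out the rest” means in practice, here is an added example of a kses-style allow-list sanitizer. It is not Squidoo’s or WordPress’s code; the tag and attribute lists, the safe URL schemes, and the sample input are my own constructions for this post. Only listed tags and attributes survive, iframes and event handlers are dropped, script/style bodies are discarded entirely, and javascript: links lose their href.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list of tags and the attributes permitted on each.
# Constructed for this example in the spirit of kses; not WordPress's own table.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "code": set(),
}
# Elements whose body is never rendered as text, so the body is discarded too.
DROP_CONTENT = {"script", "style"}
# Only these URL schemes are allowed in href (blocks javascript:, data:, vbscript:).
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID = {"br"}  # tags that take no closing tag


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT element
        self.open_tags = []   # stack of emitted tags, to keep output well-formed

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            return
        if tag in DROP_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED:
            return  # unknown tag (iframe, object, div, ...): strip tag, keep text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # drops onclick=, style=, src=, etc.
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT:
                self.drop_depth = 0
            return
        if tag in self.open_tags:
            # Close back down to this tag so nesting in the output stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return html with everything outside the allow-list removed."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample resembling the spam page described above.
    sample = ('<p>hi <iframe src="http://wpi.biz/in.cgi?5"></iframe>'
              '<script>window.location="x"</script>'
              '<b onclick="evil()">bold</b> <a href="javascript:alert(1)">x</a></p>')
    print(sanitize(sample))  # <p>hi <b>bold</b> <a>x</a></p>
```

The key design choice is the allow-list: anything not explicitly listed is removed, so a new tag or attribute the filter author never heard of is rejected by default, which is exactly the property a deny-list of “bad” tags lacks.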

Update: According to the Squidoo blog, iframes will be banned as of July 12th. I can’t think of anything you can do with an iframe that you can’t do with regular HTML except untrusted stuff, like redirects or arbitrary JS.

Google Buys YouTube

Posted in Google, YouTube by Elliott Back on October 9th, 2006.

It’s official, according to a press release earlier today:

Google Inc. (NASDAQ: GOOG) announced today that it has agreed to acquire YouTube, the consumer media company for people to watch and share original videos through a Web experience, for $1.65 billion in a stock-for-stock transaction. Following the acquisition, YouTube will operate independently to preserve its successful brand and passionate community.

This is big news for YouTube, which now doesn’t have to worry about expenses and can focus on building market share, solving its copyright issues, and being the #1 online video provider. How they will merge with Google Video is as yet unclear, but the immediate impact on Google’s share price is obvious, up $20 since the start of the month:

Congrats to both YouTube and Google. May you both integrate well! (See TechCrunch for more)

Jerry Chang Does Pachelbel’s Canon in D

Posted in Music, YouTube by Elliott Back on August 30th, 2006.

The New York Times has an article about the internet-famous guitar player JerryC who published a YouTube video of himself playing an electric rock version of Pachelbel’s Canon. The movie was an instant hit, and spawned a huge number of imitations, almost none as good as Jerry C’s original, which you can view below:

JerryC Canon Rock – JerryC
5 min 24 sec – Jan 1, 2004

Then, a guy only identified as Funtwo published his own version of the song, which was even better performed than the original:

Canon by Funtwo

Naturally, the Times reporter did his best to track this newcomer down:

By following a series of clues on JerryC’s message board and various Canon Rock videos, I was able to trace funtwo’s video to Jeong-Hyun Lim, a 23-year-old Korean who taught himself guitar over the course of the last six years. Now living in Seoul, he listens avidly to Bach and Vivaldi, and in 2000 he took a month of guitar lessons. He plays an ESP, an Alfee Custon SEC-28OTC with gold-colored detailing. A close analysis of his playing style and a comparison of his appearance in person with that of the figure in the video, left little doubt that Mr. Lim is the elusive funtwo.
