alert no script

Ask for help about NoScript, no registration needed to post
g113

alert no script

Post by g113 » Tue Apr 07, 2009 5:53 pm

Good evening,

I'm French, please excuse my English, but I have a problem with my web page: I have this alert and I don't know what to do!

thanks
Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.8) Gecko/2009032609 Firefox/2.0.0.7

therube
Ambassador
Posts: 7431
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: alert no script

Post by therube » Tue Apr 07, 2009 6:13 pm

Check Error Console & see if it provides further information on the (potential) XSS & post the information here.

Link: Netvibes
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16

g113

Re: alert no script

Post by g113 » Tue Apr 07, 2009 8:52 pm

I suppose you mean that; it's the message in my console:

[NoScript XSS] Nettoyé requête suspicieuse. URL originale [http://1292528297.nvmodules.netvibes.com/frames/external_widget.php?id=1292528297&NVdir=ltr&NVlang=fr_FR&NVuserId=181038653&NVlocale=fr&NVreadOnly=false&NVwidgetDomain=1292528297.nvmodules.netvibes.com&NVsubspaceDomain=netvibes.com&NVcommType=TUAcallback&code=%3Cdiv%20style%3D%22background%3A%23eaf4fb%3B%0Acolor%3A%23417fad%3B%22%3E%3Ccenter%3E%20%3Cbr%3E%3Cimg%0Awidth%3D%2250%25%22%20src%3D%22http%3A%2F%2Ffarm4.static.flickr.com%2F3447%2F3398459745_7ce7f5fc95_o.jpg%22%3E%0A%0A%3Cbr%3E%20%3Cp%3E%20et%20Netvibes%20s%27associent%20pour%3Cbr%2F%3E%20la%20semaine%20du%20D%C3%A9veloppement%0ADurable%20(du%201er%20au%207%20Avril)%3Cbr%3ED%C3%A9couvrez%20la%20s%C3%A9lection%20sp%C3%A9ciale%20de%0Awidgets%20sur%20%3Ca%20href%3D%22http%3A%2F%2Fwww.netvibes.com%2Fgoodplanet%22%0Astyle%3D%22color%3A%23417fad%3Btext-decoration%3Aunderline%3B%22%0Atarget%3D%22_blank%22%3El%27univers%20GoodPlanet%20%3C%2Fa%3E%3Cbr%3E%3Cimg%20width%3D%2280%25%22%0Asrc%3D%22http%3A%2F%2Ffarm4.static.flickr.com%2F3454%2F3397548481_c08bd8892d_o.jpg%22%3E%3C%2Fp%3E%3C%2Fcenter%3E%3C%2Fdiv%3E] demandée depuis [http://www.netvibes.com/#General]. 
URL nettoyée : [http://1292528297.nvmodules.netvibes.com/frames/external_widget.php?id=1292528297&NVdir=ltr&NVlang=fr_FR&NVuserId=181038653&NVlocale=fr&NVreadOnly=false&NVwidgetDomain=1292528297.nvmodules.netvibes.com&NVsubspaceDomain=netvibes.com&NVcommType=TUAcallback&code=%20div%20style%20%20background%3A%23eaf4fb%3B%20color%3A%23417fad%3B%20%3E%20center%3E%20br%3E%20img%20width%20%2050%25%20src%20%20http%3A%2F%2Ffarm4.static.flickr.com%2F3447%2F3398459745_7ce7f5fc95_o.jpg%20%3E%20br%3E%20p%3E%20et%20Netvibes%20s%20associent%20pour%20br%2F%3E%20la%20semaine%20du%20D%C3%A9veloppement%20Durable%20%20du%201er%20au%207%20Avril%20%20br%3ED%C3%A9couvrez%20la%20s%C3%A9lection%20sp%C3%A9ciale%20de%20widgets%20sur%20a%20href%20%20http%3A%2F%2Fwww.netvibes.com%2Fgoodplanet%20style%20%20color%3A%23417fad%3Btext-decoration%3Aunderline%3B%20target%20%20_blank%20%3El%20univers%20GoodPlanet%20%2Fa%3E%20br%3E%20img%20width%20%2080%25%20src%20%20http%3A%2F%2Ffarm4.static.flickr.com%2F3454%2F3397548481_c08bd8892d_o.jpg%20%3E%20%2Fp%3E%20%2Fcenter%3E%20%2Fdiv%3E#21257978285196866220].
Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.8) Gecko/2009032609 Firefox/2.0.0.7 (.NET CLR 3.5.30729)
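To read a console message like the one posted above, it helps to decode both URLs and compare them parameter by parameter. The following is an added example, not part of the thread and not NoScript's own code: the sample message is constructed and shortened, the hosts widget.example and portal.example are placeholders, and the script assumes the three bracketed URLs always appear in the order original, requester, sanitized.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed, shortened message in the same layout as the one quoted above;
# widget.example and portal.example are placeholder hosts.
SAMPLE = (
    "[NoScript XSS] Nettoyé requête suspicieuse. URL originale "
    "[http://widget.example/frames/external_widget.php?id=1&NVlang=fr_FR"
    "&code=%3Cdiv%20style%3D%22color%3A%23417fad%3B%22%3E%3Cbr%3Ehello%3C%2Fdiv%3E] "
    "demandée depuis [http://portal.example/#General]. URL nettoyée : "
    "[http://widget.example/frames/external_widget.php?id=1&NVlang=fr_FR"
    "&code=%20div%20style%20%20color%3A%23417fad%3B%20%3E%20br%3Ehello%20%2Fdiv%3E#123]."
)

def _params(url):
    # Decoded query parameters; a repeated name keeps only its last value.
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))

def triage(message):
    """Report which query parameters NoScript rewrote, and how."""
    # Assumption: bracketed URLs come in the order original, requester, sanitized.
    urls = re.findall(r"\[(https?://[^\]\s]+)\]", message)
    if len(urls) != 3:
        raise ValueError("expected three bracketed URLs")
    original, requester, sanitized = urls
    before, after = _params(original), _params(sanitized)
    changed = {}
    for name, value in before.items():
        clean = after.get(name, "")
        if clean == value:
            continue
        changed[name] = {
            "original": value,
            "sanitized": clean,
            # Characters present before sanitizing and absent afterwards.
            "neutralised": sorted(set(value) - set(clean)),
            # True when the parameter carried something shaped like an HTML tag.
            "has_markup": bool(re.search(r"<\s*[A-Za-z/!]", value)),
        }
    return {"requester": requester, "target": urlsplit(original).hostname,
            "changed": changed}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["requester"], "->", report["target"])
    for name, info in report["changed"].items():
        print(name, info["neutralised"], info["has_markup"])
        print("  before:", info["original"])
        print("  after: ", info["sanitized"])
```
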

g113

Re: alert no script

Post by g113 » Wed Apr 08, 2009 7:43 pm

up !

:(
Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.0.8) Gecko/2009032609 Firefox/2.0.0.7 (.NET CLR 3.5.30729)

Giorgio Maone
Site Admin
Posts: 8715
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: alert no script

Post by Giorgio Maone » Wed Apr 08, 2009 9:07 pm

NoScript is correct.
That page is actually vulnerable to XSS: try to open this URL on a browser without NoScript.
IE8 will detect the XSS. Other browsers (including Firefox without NoScript) will show an XSS popup I'm injecting on the target page.
I strongly advise you to disable the Good Planet widget.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)

g113

Re: alert no script

Post by g113 » Thu Apr 09, 2009 3:12 pm

Thanks, but I can't disable this widget :cry:
Opera/9.64 (Windows NT 6.0; U; fr) Presto/2.1.1

Giorgio Maone
Site Admin
Posts: 8715
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: alert no script

Post by Giorgio Maone » Thu Apr 09, 2009 3:31 pm

g113 wrote: Thanks, but I can't disable this widget :cry:

Then the least risky thing you can do is to grant the netvibes.com main page a free pass for sending XSS-like requests, by adding the following line in NoScript Options|Advanced|XSS|Exceptions:

^@http://www.netvibes.com/
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)

g113

Re: alert no script

Post by g113 » Thu Apr 09, 2009 6:21 pm

thank you very much

it works ;)
Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.8) Gecko/2009032609 Firefox/2.0.0.7
