Evil NoScript logo appearing on website

General discussion about the NoScript extension for Firefox
eradic8
Senior Member
Posts: 67
Joined: Wed Aug 26, 2009 11:43 am

Evil NoScript logo appearing on website

Post by eradic8 »

I just visited this site http://www.manifestchange.blogspot.com and noticed that there was the evil blue NoScript logo appearing next to the original logo in the bottom right hand side of my computer screen. Hovering over it I could see it had a 4shared.com link with XSS before it; am I right in assuming this is a warning of a cross site scripting? I cannot find a lot of info on this logo, or what it does; I'm just assuming it shows it is blocking a possible cross site scripting. Unfortunately there are some files I want to download on that site which I believe are hosted on 4shared.com, but I dare not click on the links in case it is not safe. Can anyone give us any advice as to whether it is safe to download from this site or not?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Evil NoScript logo appearing on website

Post by Giorgio Maone »

It was most likely this.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Evil NoScript logo appearing on website

Post by Alan Baxter »

Giorgio Maone wrote:It was most likely this.
That looks like the wrong link, Giorgio. Did you mean something like
Why are Flash applets originating from trusted sites (e.g. youtube.com movies) blocked if embedded on untrusted sites?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Evil NoScript logo appearing on website

Post by Giorgio Maone »

Alan Baxter wrote:
Giorgio Maone wrote:It was most likely this.
That looks like the wrong link, Giorgio. Did you mean something like
Why are Flash applets originating from trusted sites (e.g. youtube.com movies) blocked if embedded on untrusted sites?
Maybe you're right. Since the OP said "A logo with a link", I just supposed it was JS redirection detection. Let's see what he meant.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Evil NoScript logo appearing on website

Post by Alan Baxter »

By the way, I see the XSS icon on the status bar even if I Allow the main site blogspot.com to make it a trusted site. Bug?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Evil NoScript logo appearing on website

Post by Alan Baxter »

Giorgio Maone wrote:Maybe you're right. Since the OP said "A logo with a link", I just supposed it was JS redirection detection. Let's see what he meant.
I'm sure eradic8 didn't mean a JS redirection detection. I see the blue XSS icon appearing on the status bar next to the NoScript icon, just like eradic8 described. That's the only indicator I see. I do not see the XSS notification bar, even though I have that enabled.
NoScript 2.0.5.1.rc1, no other extensions.
Default settings except Allowed blogspot.com and 4shared.com.
Error Console:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc198.4shared.com/img/423107939/f16fd708/dlink__2Fdownload_2FRrpqWJW1_3Ftsid_3D20101113-105020-b316a86d/preview.mp3&logo=http://dc198.4shared.com/images/logo.png&image=http://dc198.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/RrpqWJW1/talents_silent.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/423107939/f16fd708%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc198.4shared.com/img/423107939/f16fd708/dlink__2Fdownload_2FRrpqWJW1_3Ftsid_3D20101113-105020-b316a86d/preview.mp3%26logo%20http%3A//dc198.4shared.com/images/logo.png%u2111%20http%3A//dc198.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/RrpqWJW1/talents_silent.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/423107939/f16fd708%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#06796907919681006389].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc178.4shared.com/img/421994600/ccab2589/dlink__2Fdownload_2FXxeS-Kyj_3Ftsid_3D20101113-105020-49595bdb/preview.mp3&logo=http://dc178.4shared.com/images/logo.png&image=http://dc178.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/XxeS-Kyj/box_music.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/421994600/ccab2589%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc178.4shared.com/img/421994600/ccab2589/dlink__2Fdownload_2FXxeS-Kyj_3Ftsid_3D20101113-105020-49595bdb/preview.mp3%26logo%20http%3A//dc178.4shared.com/images/logo.png%u2111%20http%3A//dc178.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/XxeS-Kyj/box_music.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/421994600/ccab2589%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#6236703122236116230].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc271.4shared.com/img/415938415/dcf8b0c0/dlink__2Fdownload_2FVCMIidmS_3Ftsid_3D20101113-105020-82e9cb9/preview.mp3&logo=http://dc271.4shared.com/images/logo.png&image=http://dc271.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/VCMIidmS/grateful_heart_silent.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/415938415/dcf8b0c0%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc271.4shared.com/img/415938415/dcf8b0c0/dlink__2Fdownload_2FVCMIidmS_3Ftsid_3D20101113-105020-82e9cb9/preview.mp3%26logo%20http%3A//dc271.4shared.com/images/logo.png%u2111%20http%3A//dc271.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/VCMIidmS/grateful_heart_silent.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/415938415/dcf8b0c0%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#5214300847812627802].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc271.4shared.com/img/415938421/f0b8271a/dlink__2Fdownload_2Fp6n5_5FOXj_3Ftsid_3D20101113-105020-cef2b978/preview.mp3&logo=http://dc271.4shared.com/images/logo.png&image=http://dc271.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/p6n5_OXj/grateful_heart_music.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/415938421/f0b8271a%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc271.4shared.com/img/415938421/f0b8271a/dlink__2Fdownload_2Fp6n5_5FOXj_3Ftsid_3D20101113-105020-cef2b978/preview.mp3%26logo%20http%3A//dc271.4shared.com/images/logo.png%u2111%20http%3A//dc271.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/p6n5_OXj/grateful_heart_music.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/415938421/f0b8271a%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#04209431392342588698].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc178.4shared.com/img/421994599/66f3983d/dlink__2Fdownload_2FKIlzX2dM_3Ftsid_3D20101113-105023-cb92827f/preview.mp3&logo=http://dc178.4shared.com/images/logo.png&image=http://dc178.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/KIlzX2dM/box_silent.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/421994599/66f3983d%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc178.4shared.com/img/421994599/66f3983d/dlink__2Fdownload_2FKIlzX2dM_3Ftsid_3D20101113-105023-cb92827f/preview.mp3%26logo%20http%3A//dc178.4shared.com/images/logo.png%u2111%20http%3A//dc178.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/KIlzX2dM/box_silent.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/421994599/66f3983d%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#5134521852349114828].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc198.4shared.com/img/423107949/be2e41cf/dlink__2Fdownload_2F841bA9Cq_3Ftsid_3D20101113-105020-6922e675/preview.mp3&logo=http://dc198.4shared.com/images/logo.png&image=http://dc198.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/841bA9Cq/Talents_music.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/423107949/be2e41cf%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc198.4shared.com/img/423107949/be2e41cf/dlink__2Fdownload_2F841bA9Cq_3Ftsid_3D20101113-105020-6922e675/preview.mp3%26logo%20http%3A//dc198.4shared.com/images/logo.png%u2111%20http%3A//dc198.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/841bA9Cq/Talents_music.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/423107949/be2e41cf%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#15988173549644358103].
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Evil NoScript logo appearing on website

Post by Giorgio Maone »

OK, I can see it. That's the sharing_code=<embed... URL parameter that is triggering the XSS warning because it actually contains potentially dangerous HTML code.
You don't get the usual notification bar because the load is not in a document, but in an OBJECT element.
I'm gonna work-around in next dev build by skipping the sharing_code parameter in XSS checks on 4shared requests, since it's actually innocuous.

In the meanwhile, you can work-around by adding the following line to your NoScript Options|Advanced|XSS exceptions box:

Code:

^http://www\.4shared\.com/flash/player\.swf\?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
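
The workaround in the post above, as a checkable example added here (not NoScript's code and not part of the original thread): it decodes the query string of a logged request to show which parameter carries HTML markup, then tests which requests the exception pattern exempts. The markup test is a simple stand-in heuristic rather than NoScript's real filter, and the probe URLs and function names are constructed for illustration.

```javascript
// Added example, not NoScript's code. The markup test is a simple stand-in
// heuristic (an assumption), not NoScript's actual XSS filter.

// Exception pattern exactly as given in the post above.
const XSS_EXCEPTION = /^http:\/\/www\.4shared\.com\/flash\/player\.swf\?/;

// Request URL from the first Error Console entry, with the long "file"
// path shortened and some parameters dropped for readability.
const LOGGED_URL =
  "http://www.4shared.com/flash/player.swf" +
  "?file=http://dc198.4shared.com/img/423107939/f16fd708/preview.mp3" +
  "&logo=http://dc198.4shared.com/images/logo.png" +
  "&plugins=revolt-1,sharing,ltas" +
  "&sharing.link=http://www.4shared.com/audio/RrpqWJW1/talents_silent.html" +
  "&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/" +
  "423107939/f16fd708%22%20width%3D%22420%22%20height%3D%22250%22" +
  "%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E";

// Names of query parameters whose decoded value contains an HTML-like tag.
function paramsWithMarkup(rawUrl) {
  const flagged = [];
  for (const [name, value] of new URL(rawUrl).searchParams) {
    if (/<\s*\/?\s*[a-z][^>]*>/i.test(value)) flagged.push(name);
  }
  return flagged;
}

// True when the exception pattern exempts this request from XSS checks.
function isExempt(rawUrl) {
  return XSS_EXCEPTION.test(rawUrl);
}

// Constructed URLs that probe the scope of the exception.
const SCOPE_PROBES = [
  "https://www.4shared.com/flash/player.swf?file=a.mp3",             // other scheme
  "http://www.4shared.com.example.net/flash/player.swf?file=a.mp3",  // look-alike host
  "http://www.4shared.com/flash/other.swf?file=a.mp3",               // other path
  "http://www.4shared.com/flash/player.swf?file=%3Cb%3Ex%3C%2Fb%3E", // markup in "file"
];

function report(rawUrl) {
  return { exempt: isExempt(rawUrl), flagged: paramsWithMarkup(rawUrl) };
}

for (const url of [LOGGED_URL, ...SCOPE_PROBES]) {
  console.log(JSON.stringify(report(url)), url.slice(0, 60));
}
```

The last probe shows that the exception exempts every parameter of a player.swf request, which is broader than skipping only the one parameter as planned for the next dev build.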
eradic8
Senior Member
Posts: 67
Joined: Wed Aug 26, 2009 11:43 am

Re: Evil NoScript logo appearing on website

Post by eradic8 »

Thanks Alan and Giorgio, I think I will wait till it is sorted out in the next build of NoScript.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Evil NoScript logo appearing on website

Post by Giorgio Maone »

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12