Evil NoScript logo appearing on website

Posted: Sat Nov 13, 2010 2:58 pm
by eradic8
I just visited this site http://www.manifestchange.blogspot.com and noticed that there was the evil blue NoScript logo appearing next to the original logo in the bottom right hand side of my computer screen. Hovering over it I could see it had a 4shared.com link with XSS before it. Am I right in assuming this is a warning of cross-site scripting? I cannot find a lot of info on this logo, or what it does; I'm just assuming it shows it is blocking a possible cross-site scripting. Unfortunately there are some files I want to download on that site which I believe are hosted on 4shared.com, but I dare not click on the links in case it is not safe. Can anyone give us any advice as to whether it is safe to download from this site or not?

Re: Evil NoScript logo appearing on website

Posted: Sat Nov 13, 2010 3:21 pm
by Giorgio Maone
It was most likely this.

Re: Evil NoScript logo appearing on website

Posted: Sat Nov 13, 2010 3:31 pm
by Alan Baxter
Giorgio Maone wrote: It was most likely this.
That looks like the wrong link, Giorgio. Did you mean something like
Why are Flash applets originating from trusted sites (e.g. youtube.com movies) blocked if embedded on untrusted sites?

Re: Evil NoScript logo appearing on website

Posted: Sat Nov 13, 2010 3:35 pm
by Giorgio Maone
Alan Baxter wrote:
Giorgio Maone wrote: It was most likely this.
That looks like the wrong link, Giorgio. Did you mean something like
Why are Flash applets originating from trusted sites (e.g. youtube.com movies) blocked if embedded on untrusted sites?
Maybe you're right. Since the OP said "A logo with a link", I just supposed it was JS redirection detection. Let's see what he meant.

Re: Evil NoScript logo appearing on website

Posted: Sat Nov 13, 2010 3:36 pm
by Alan Baxter
By the way, I see the XSS icon on the status bar even if I Allow the main site blogspot.com to make it a trusted site. Bug?

Re: Evil NoScript logo appearing on website

Posted: Sat Nov 13, 2010 3:54 pm
by Alan Baxter
Giorgio Maone wrote: Maybe you're right. Since the OP said "A logo with a link", I just supposed it was JS redirection detection. Let's see what he meant.
I'm sure eradic8 didn't mean a JS redirection detection. I see the blue XSS icon appearing on the status bar next to the NoScript icon, just like eradic8 described. That's the only indicator I see. I do not see the XSS notification bar, even though I have that enabled.
NoScript 2.0.5.1.rc1, no other extensions.
Default settings except Allowed blogspot.com and 4shared.com.
Error Console:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc198.4shared.com/img/423107939/f16fd708/dlink__2Fdownload_2FRrpqWJW1_3Ftsid_3D20101113-105020-b316a86d/preview.mp3&logo=http://dc198.4shared.com/images/logo.png&image=http://dc198.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/RrpqWJW1/talents_silent.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/423107939/f16fd708%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc198.4shared.com/img/423107939/f16fd708/dlink__2Fdownload_2FRrpqWJW1_3Ftsid_3D20101113-105020-b316a86d/preview.mp3%26logo%20http%3A//dc198.4shared.com/images/logo.png%u2111%20http%3A//dc198.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/RrpqWJW1/talents_silent.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/423107939/f16fd708%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#06796907919681006389].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc178.4shared.com/img/421994600/ccab2589/dlink__2Fdownload_2FXxeS-Kyj_3Ftsid_3D20101113-105020-49595bdb/preview.mp3&logo=http://dc178.4shared.com/images/logo.png&image=http://dc178.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/XxeS-Kyj/box_music.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/421994600/ccab2589%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc178.4shared.com/img/421994600/ccab2589/dlink__2Fdownload_2FXxeS-Kyj_3Ftsid_3D20101113-105020-49595bdb/preview.mp3%26logo%20http%3A//dc178.4shared.com/images/logo.png%u2111%20http%3A//dc178.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/XxeS-Kyj/box_music.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/421994600/ccab2589%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#6236703122236116230].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc271.4shared.com/img/415938415/dcf8b0c0/dlink__2Fdownload_2FVCMIidmS_3Ftsid_3D20101113-105020-82e9cb9/preview.mp3&logo=http://dc271.4shared.com/images/logo.png&image=http://dc271.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/VCMIidmS/grateful_heart_silent.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/415938415/dcf8b0c0%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc271.4shared.com/img/415938415/dcf8b0c0/dlink__2Fdownload_2FVCMIidmS_3Ftsid_3D20101113-105020-82e9cb9/preview.mp3%26logo%20http%3A//dc271.4shared.com/images/logo.png%u2111%20http%3A//dc271.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/VCMIidmS/grateful_heart_silent.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/415938415/dcf8b0c0%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#5214300847812627802].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc271.4shared.com/img/415938421/f0b8271a/dlink__2Fdownload_2Fp6n5_5FOXj_3Ftsid_3D20101113-105020-cef2b978/preview.mp3&logo=http://dc271.4shared.com/images/logo.png&image=http://dc271.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/p6n5_OXj/grateful_heart_music.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/415938421/f0b8271a%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc271.4shared.com/img/415938421/f0b8271a/dlink__2Fdownload_2Fp6n5_5FOXj_3Ftsid_3D20101113-105020-cef2b978/preview.mp3%26logo%20http%3A//dc271.4shared.com/images/logo.png%u2111%20http%3A//dc271.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/p6n5_OXj/grateful_heart_music.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/415938421/f0b8271a%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#04209431392342588698].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc178.4shared.com/img/421994599/66f3983d/dlink__2Fdownload_2FKIlzX2dM_3Ftsid_3D20101113-105023-cb92827f/preview.mp3&logo=http://dc178.4shared.com/images/logo.png&image=http://dc178.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/KIlzX2dM/box_silent.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/421994599/66f3983d%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc178.4shared.com/img/421994599/66f3983d/dlink__2Fdownload_2FKIlzX2dM_3Ftsid_3D20101113-105023-cb92827f/preview.mp3%26logo%20http%3A//dc178.4shared.com/images/logo.png%u2111%20http%3A//dc178.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/KIlzX2dM/box_silent.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/421994599/66f3983d%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#5134521852349114828].
 ----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.4shared.com/flash/player.swf?file=http://dc198.4shared.com/img/423107949/be2e41cf/dlink__2Fdownload_2F841bA9Cq_3Ftsid_3D20101113-105020-6922e675/preview.mp3&logo=http://dc198.4shared.com/images/logo.png&image=http://dc198.4shared.com/images/icons/misc/mp3_200x180.jpg&plugins=revolt-1,sharing,ltas&ltas.cc=rvlfdyginfjkpdu&sharing.link=http://www.4shared.com/audio/841bA9Cq/Talents_music.html&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/423107949/be2e41cf%22%20width%3D%22420%22%20height%3D%22250%22%20allowfullscreen%3D%22true%22%20allowscriptaccess%3D%22always%22%20%2F%3E] requested from [http://manifestchange.blogspot.com/]. Sanitized URL: [http://www.4shared.com/flash/player.swf?file%20http%3A//dc198.4shared.com/img/423107949/be2e41cf/dlink__2Fdownload_2F841bA9Cq_3Ftsid_3D20101113-105020-6922e675/preview.mp3%26logo%20http%3A//dc198.4shared.com/images/logo.png%u2111%20http%3A//dc198.4shared.com/images/icons/misc/mp3_200x180.jpg%26plugins%20revolt-1%2Csharing%2Cltas%26ltas.cc%20rvlfdyginfjkpdu%26sharing.link%20http%3A//www.4shared.com/audio/841bA9Cq/Talents_music.html%26sharing.code%20%20embed%20src%20http%3A//www.4shared.com/embed/423107949/be2e41cf%20width%20420%20height%20250%20allowfullscreen%20true%20allowscriptaccess%20always%20/%3E#15988173549644358103].

Re: Evil NoScript logo appearing on website

Posted: Sat Nov 13, 2010 4:07 pm
by Giorgio Maone
OK, I can see it. That's the sharing_code=<embed... URL parameter that is triggering the XSS warning because it actually contains potentially dangerous HTML code.
You don't get the usual notification bar because the load is not in a document, but in an OBJECT element.
I'm gonna work-around in next dev build by skipping the sharing_code parameter in XSS checks on 4shared requests, since it's actually innocuous.

In the meanwhile, you can work-around by adding the following line to your NoScript Options|Advanced|XSS exceptions box:

Code:

^http://www\.4shared\.com/flash/player\.swf\?
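
The following Python script is an added illustration and is not part of the thread or of NoScript's own code. It walks through the two mechanisms discussed above on a constructed URL modelled on the Error Console lines (same parameter names, shortened 4shared.com paths): a simplified heuristic that flags a query parameter whose decoded value contains HTML markup (here the sharing.code value carrying <embed ... allowscriptaccess="always" />), a neutralization step that mirrors what the "Sanitized URL" entries show (angle brackets and quotes dropped, "=" turned into a space), and the exception regex Giorgio posted, which skips the check entirely when it matches. The detection regexes are assumptions chosen for this example, not NoScript's actual injection checker.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample modelled on the logged request: a player.swf URL whose
# sharing.code parameter carries a percent-encoded <embed ...> tag.
SAMPLE_URL = (
    "http://www.4shared.com/flash/player.swf"
    "?file=http://dc198.4shared.com/img/preview.mp3"
    "&logo=http://dc198.4shared.com/images/logo.png"
    "&plugins=revolt-1,sharing,ltas"
    "&sharing.link=http://www.4shared.com/audio/talents_silent.html"
    "&sharing.code=%3Cembed%20src%3D%22http://www.4shared.com/embed/1/2%22"
    "%20width%3D%22420%22%20allowscriptaccess%3D%22always%22%20%2F%3E"
)

# The XSS exception suggested in the thread, verbatim.
XSS_EXCEPTION = r"^http://www\.4shared\.com/flash/player\.swf\?"

# Simplified heuristic (an assumption for this example, not NoScript's own logic):
# a value is suspicious if, once URL-decoded, it contains something shaped like an
# HTML tag or starts with a script-capable URL scheme.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z][^>]*>", re.S)
SCHEME_RE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


def decoded_params(url):
    """Query parameters of url as a dict of decoded name -> value."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def find_suspicious_params(url):
    """Return [(name, decoded value)] for every parameter that trips the heuristic."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if TAG_RE.search(value) or SCHEME_RE.match(value):
            hits.append((name, value))
    return hits


def is_excepted(url, exceptions):
    """True if any exception regex (NoScript-style, applied to the full URL) matches."""
    return any(re.search(pattern, url) for pattern in exceptions)


def neutralize(value):
    """Strip the characters that let the value form markup, as the log's
    sanitized URLs show: '<', '>' and quotes removed, '=' replaced by a space."""
    value = re.sub(r"[<>\"']", "", value)
    return value.replace("=", " ")


def sanitize_url(url, exceptions):
    """Return (rewritten URL, sorted names of neutralized parameters).

    An excepted URL is returned untouched with an empty list, which is exactly
    what the regex exception in the thread does: it skips the check rather than
    making the payload safe."""
    if is_excepted(url, exceptions):
        return url, []
    parts = urlsplit(url)
    flagged = {name for name, _ in find_suspicious_params(url)}
    rebuilt = [
        (name, neutralize(value) if name in flagged else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(rebuilt))), sorted(flagged)


if __name__ == "__main__":
    print("flagged without exception:", sanitize_url(SAMPLE_URL, [])[1])
    print("flagged with exception:   ", sanitize_url(SAMPLE_URL, [XSS_EXCEPTION])[1])
```

Two things worth noticing when running it. First, only sharing.code is flagged; the file, logo and sharing.link values are plain URLs and pass, so the warning in the thread really does come from that one parameter. Second, the exception regex is anchored on the URL prefix only, so it switches the check off for every player.swf request regardless of what the other parameters carry; a tighter rule that applies only to the known-innocuous parameter, which is what the next dev build was to do, is the safer shape.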

Re: Evil NoScript logo appearing on website

Posted: Sun Nov 14, 2010 8:42 pm
by eradic8
Thanks Alan and Giorgio, I think I will wait till it is sorted out in the next build of NoScript.

Re: Evil NoScript logo appearing on website

Posted: Sun Nov 14, 2010 9:51 pm
by Giorgio Maone