[SOLVED] Site that won't work properly with NoScript

Posted: Tue Jun 07, 2011 10:19 pm
by Train_Person
Site has worked until today--and does require log-in: http://trn.trains.com/ . When I try to log in with NoScript running, I get taken not to the magazines but, rather, to the publisher's subscription web site. At the latter site, I can log on; both sites use the same log-in information.

I can log-in to the magazine site running IE8 inside Firefox 4.0.1 with IE Tab 2, and also with Firefox if I turn off NoScript.

The Firefox error console generates a very large number of errors, including one of which I'm unable to get a complete screen capture, as it is incredibly long, much of it on one line. This specific error starts with "A sanitized suspicious upload to [https://secure.kalmbach.com/customer....."; that is the subscription site. The error ends with "[from http://trn.trains.com/ transformed into a download only GET request."

I tried to white list the site in NoScript, but that did not help.

I have no idea what that means, only that I suspect something has crept into the log-on for http://trn.trains.com/, keeping me from actually logging in. I would, of course, appreciate any assistance possible. If I can provide further information, I'll try to do so, and if someone can tell me what I should be reporting to Kalmbach, that I would do also.

Re: Site that won't work properly with NoScript

Posted: Wed Jun 08, 2011 2:37 pm
by therube
If you leave NoScript enabled, but disable XSS?
(NoScript | Options | Advanced -> XSS => uncheck the two boxes)

An invalid login attempt rolls over to kalmbach.com regardless of the browser used (i.e., IE too).

Code:

[NoScript XSS] Sanitized suspicious upload to [https://secure.kalmbach.com/customer/Default.aspx###DATA###%[...]%2BPGEgaHJlZj0iaHR0cDovL2NzLnRyYWlucy5jb20vVFJDQ1MvYmxvZ3Mvc3RhZmYvYXJjaGl2ZS8yMDExLzA2LzAzL29mLWZpc2hpbmctYW5kLXBob3RvZ3JhcGhpbmctdGhlLW1vbnRhbmEtcmFpbC1saW5rLmFzcHgiIHRpdGxlPSJPZiBmaXNoaW5nIGFuZCBwaG90b2dyYXBoaW5nIHRoZSBNb250YW5hIFJhaWwgTGluayI%2BT2YgZmlzaGluZyBhbmQgcGhvdG9ncmFwaGluZyB0aGUgTW9udGFuYSBSYWlsIExpbms8L2E%2BPC9saT48bGk%2BPGEgaHJlZj0iaHR0cDovL2NzLnRyYWlucy5jb20vVFJDQ1MvYmxvZ3Mvc3RhZmYvYXJjaGl2ZS8yMDExLzA1LzIwLzIwMTAtdHJhaW5zLXBob3RvLWNvbnRlc3Qtd2lubmVycy5hc3B4IiB0aXRsZT0iMjAxMCBUcmFpbnMgcGhvdG8gY29udGVzdCB3aW5uZXJzIj4yMDEwIFRyYWlucyBwaG90byBjb250ZXN0IHdpbm5lcnM8L2E%2BPC9saT48bGk%2BPGEgaHJlZj0iaHR0cDovL2NzLnRyYWlucy5jb20vVFJDQ1MvYmxvZ3Mvc3RhZmYvYXJjaGl2ZS8yMDExLzA1LzE4L3JhaWxmYW5uaW5nLXRoZS1tb250YW5hLXJhaWwtbGluay5hc3B4IiB0aXRsZT0iVHJhaW5zIG1hZ2F6aW5lIGFydCBkaXJlY3RvciByYWlsZmFucyB0aGUgTW9udGFuYSBSYWlsIExpbmsiPlRyYWlucyBtYWdhemluZSBhcnQgZGlyZWN0b3IgcmFpbGZhbnMgdGhlIE1vbnRhbmEgUmFpbCBMaW5rPC9hPjwvbGk%2BPGxpPjxhIGhyZWY9Imh0dHA6Ly9jcy50cmFpbnMuY29tL1RSQ0NTL2Jsb2dzL3N0YWZmL2FyY2hpdmUvMjAxMS8wNS8xNy9qdXN0LXdoZW4teW91LXRoaW5rLXRvdXJpc3QtcmFpbHJvYWRpbmctaXMtdGFtZS13YXRjaC1vdXQuYXNweCIgdGl0bGU9Ikp1c3Qgd2hlbiB5b3UgdGhpbmsgdG91cmlzdCByYWlscm9hZGluZyBpcyB0YW1lLCB3YXRjaCBvdXQiPkp1c3Qgd2hlbiB5b3UgdGhpbmsgdG91cmlzdCByYWlscm9hZGluZyBpcyB0YW1lLCB3YXRjaCBvdXQ8L2E%2BPC9saT48bGk%2BPGEgaHJlZj0iaHR0cDovL2NzLnRyYWlucy5jb20vVFJDQ1MvYmxvZ3Mvc3RhZmYvYXJjaGl2ZS8yMDExLzA1LzEyL21lZXQtbmV2YWRhLWJvYi5hc3B4IiB0aXRsZT0iTWVldCBOZXZhZGEgQm9iIj5NZWV0IE5ldmFkYSBCb2I8L2E%2BPC9saT48bGkgY2xhc3M9InNlZS1hbGwiPjxhIGhyZWY9Ii90cmNjcy9ibG9ncy9zdGFmZi9kZWZhdWx0LmFzcHgiPlNlZSBtb3JlIHBvc3RzICYjMTg3OzwvYT48L2xpPjwvdWw%2BZAIdDxYCHwQFvgk8dWwgY2xhc3M9ImhvbWVwYWdlLWJsb2dwb3N0Ij48bGk%2BPGEgaHJlZj0iaHR0cDovL2NzLnRyYWlucy5jb20vVFJDQ1MvYmxvZ3MvZnJlZC1mcmFpbGV5L2FyY2hpdmUvMjAxMS8wNS8yMC9pbi1wcmFpc2Utb2Ytam9lLWJvYXJkbWFuLmFzcHgiIHRpdGxlPSJJbiBwcmFpc2Ugb2YgSm9lIEJvYXJkbWFuIj5JbiBwcmFpc2Ugb2YgSm9lIEJvYXJkbWFuPC9hPjwvbGk%[...]%[...]%2BPGEgaHJlZj0iL3RyY2NzL2Jsb2dzL3N0YWZmL2ZyZWQtZnJhaWxleS5hc3B4Ij5TZWUgbW9yZSBwb3N0cyAmIzE4Nzs8L2E%[...]%2F] from [http://trn.trains.com/]: transformed into a download-only GET request.

Re: Site that won't work properly with NoScript

Posted: Wed Jun 08, 2011 3:15 pm
by Train_Person
Thanks for the reply. As requested, I disabled the two XSS options, and then I was able to log on to the Trains forums.

Given my immense lack of knowledge of such matters: a. What risk(s) do I face by disabling XSS? b. Any idea as to what might have changed on the forum site since last week to cause the problem? c. And, most importantly, everything else?...

Re: Site that won't work properly with NoScript

Posted: Wed Jun 08, 2011 4:03 pm
by therube
For the time being, better to re-check those two & use the kalmbach.com site for the login.
Then see if someone (Giorgio) can't come up with a work-around/exception for you.

Re: Site that won't work properly with NoScript

Posted: Wed Jun 08, 2011 6:37 pm
by Train_Person
So, you are trying to be helpful, yes? I guess you just don't understand the world, no?

Oh, dear, I almost forgot to express my appreciation for your assistance. I just followed your advice; when I tried to log on, I was again taken directly to the Kalmbach site, where, at the top of the page, is a link for returning to the web site. I clicked on that link, and found that I was logged on to the web site for the forums, etc., so that will work. (If an exception can be created, well, that would certainly cut down on the incredible amount of effort required to click on all of one extra link.)

Re: Site that won't work properly with NoScript

Posted: Wed Jun 08, 2011 9:46 pm
by dhouwn
Here you go:

Code:

^https://secure.kalmbach.com/customer/Default.aspx###DATA###%2F[a-zA-Z0-9]+%2F

Re: Site that won't work properly with NoScript

Posted: Fri Jun 10, 2011 2:30 pm
by Train_Person
Given my vast lack of knowledge, I assumed that the code kindly provided should simply be pasted into the NoScript Anti-XSS Protection Exceptions box, so that is what I did. Unfortunately, either the code was placed in the correct location and does not work, or else I did not do something correctly to cause the kindly-provided code to function.

Re: Site that won't work properly with NoScript

Posted: Fri Jun 10, 2011 3:01 pm
by Giorgio Maone
dhouwn wrote: Here you go:

Code:

^https://secure.kalmbach.com/customer/Default.aspx###DATA###%2F[a-zA-Z0-9]+%2F
Should be just

Code:

^https://secure.kalmbach.com/customer/Default.aspx$
(the part after ".aspx" is just a convention to show the offending chunk of the POST payload)

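The two technical pieces of this thread are therube's log line and Giorgio's note that everything after ".aspx" is only a convention for showing the offending slice of the POST body. The Python walk-through below is added to this page and is neither NoScript's code nor any poster's. It parses that log line, URL- and Base64-decodes the ###DATA### slice to show what the filter saw (plain HTML link markup pointing at cs.trains.com blog posts, which is why a POST carrying it from trn.trains.com to secure.kalmbach.com looked like an injection attempt), and then tests both proposed exception patterns against the destination URL, which is the only thing an Anti-XSS exception regex is matched against. Assumptions: the log line is the one posted above with its chunk shortened to one decodable run of its Base64; the tag check is a deliberately crude stand-in for NoScript's real injection checker; and the function names (`parse_log_line`, `decode_chunk`, `analyse`) are chosen here, not taken from NoScript.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# The log line therube posted, with the very long ###DATA### chunk shortened
# to one decodable run of its Base64 (an excerpt of the posted line, not the
# whole of it).
LOG_LINE = (
    "[NoScript XSS] Sanitized suspicious upload to "
    "[https://secure.kalmbach.com/customer/Default.aspx###DATA###"
    "PGEgaHJlZj0iaHR0cDovL2NzLnRyYWlucy5jb20v"
    "VFJDQ1MvYmxvZ3Mvc3RhZmYvYXJjaGl2ZS8yMDEx"
    "LzA2LzAzL29mLWZpc2hpbmctYW5kLXBob3RvZ3Jh"
    "cGhpbmctdGhlLW1vbnRhbmEtcmFpbC1saW5rLmFz"
    "cHgiIHRpdGxlPSJPZiBmaXNoaW5nIGFuZCBwaG90"
    "b2dyYXBoaW5nIHRoZSBNb250YW5hIFJhaWwgTGlu"
    "ayI%2BT2YgZmlzaGluZyBhbmQgcGhvdG9ncmFwaGlu"
    "ZyB0aGUgTW9udGFuYSBSYWlsIExpbms8L2E%2BPC9s"
    "aT48bGk%2B] "
    "from [http://trn.trains.com/]: transformed into a download-only GET request."
)

# The two Anti-XSS exception patterns proposed in the thread.
EXCEPTION_DHOUWN = (
    r"^https://secure.kalmbach.com/customer/Default.aspx###DATA###%2F[a-zA-Z0-9]+%2F"
)
EXCEPTION_GIORGIO = r"^https://secure.kalmbach.com/customer/Default.aspx$"

# Shape of the log message: destination URL, optional ###DATA### annotation
# (the offending slice of the POST body), origin, and the action taken.
LOG_RE = re.compile(
    r"^\[NoScript XSS\] Sanitized suspicious upload to \[(?P<dest>[^\]#]+)"
    r"(?:###DATA###(?P<chunk>[^\]]*))?\] from \[(?P<origin>[^\]]+)\]: (?P<action>.*)$"
)

# Crude tag matcher: a stand-in for NoScript's injection checker, not its code.
HTML_TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")


def parse_log_line(line):
    """Split the message into destination, payload chunk, origin and action."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a NoScript XSS log line")
    return m.groupdict()


def decode_chunk(chunk):
    """URL-decode the ###DATA### slice, then Base64-decode it to text."""
    raw = unquote(chunk)
    raw += "=" * (-len(raw) % 4)  # re-pad in case the excerpt was cut short
    return base64.b64decode(raw).decode("utf-8", errors="replace")


def html_tags_in(text):
    """Names of the HTML tags present in text, in order of appearance."""
    return [m.group(0).strip("</>").split()[0].lower()
            for m in HTML_TAG_RE.finditer(text)]


def is_cross_site(origin, dest):
    """True when the POST leaves the origin host, the case the filter guards."""
    return urlsplit(origin).hostname != urlsplit(dest).hostname


def matching_exceptions(dest, patterns):
    """Exceptions are regexes tested against the destination URL alone; the
    ###DATA### text is log decoration and is never part of that URL."""
    return [p for p in patterns if re.search(p, dest)]


def analyse(line, exceptions):
    """Decode one log line and report why it fired and which exceptions apply."""
    rec = parse_log_line(line)
    decoded = decode_chunk(rec["chunk"]) if rec["chunk"] else ""
    return {
        "dest": rec["dest"],
        "origin": rec["origin"],
        "cross_site": is_cross_site(rec["origin"], rec["dest"]),
        "decoded_payload": decoded,
        "tags": html_tags_in(decoded),
        "matched_exceptions": matching_exceptions(rec["dest"], exceptions),
    }


if __name__ == "__main__":
    report = analyse(LOG_LINE, [EXCEPTION_DHOUWN, EXCEPTION_GIORGIO])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it shows the decoded slice is an `<a href="http://cs.trains.com/...">...</a></li><li>` fragment, that the request is cross-site (trn.trains.com to secure.kalmbach.com), and that only Giorgio's anchored pattern matches the destination URL; dhouwn's pattern can never match because it expects the ###DATA### decoration to be part of the URL. The trailing `$` in the working pattern also keeps the exception from covering any other path on secure.kalmbach.com.
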
Re: Site that won't work properly with NoScript

Posted: Fri Jun 10, 2011 6:36 pm
by Train_Person
Grazie, I've now been saved the horror of the extra mouse click or two.

I certainly appreciate the assistance rendered in solving something that is totally beyond my comprehension.