View Full Version : Cross site scripting
When i came on the Org just now.
Internet Explorer said, it had modified the web page to prevent cross site scripting.
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
I've been getting this notice for the past weeks... Your ref is blank....I dunno/ Several years ago it was simple!
I have just got it today. I clicked on the refs, and it works for me.
When i came on the Org just now.
Internet Explorer said, it had modified the web page to prevent cross site scripting.
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS (https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS))
http://en.wikipedia.org/wiki/Cross-site_scripting
doesn't sound good.
torisdale
30-Jul-11, 18:07
it's a vulnerability in the site, should be fixed when an administrator has a chance.
it's a venerability in the site, should be fixed when an administrator has a chance.
Does that mean we all Doomed? I don't want my Lappy full of Worms and other 'orrible things!!!!
C3....:roll:;)
torisdale
30-Jul-11, 18:36
Depends on if somone takes advantage of the situation, from there they can do things like make the page show a pop up, horrible image etc..
It could get one of those things where it shows a fake notice saying you have a virus and to download [x] then some fool actually downloads it.
DeHaviLand
30-Jul-11, 20:19
it's a venerability in the site, should be fixed when an administrator has a chance.
I thought venerability was a good thing, but vulnerabilities could be exploited! Shows you how much I know!
torisdale
30-Jul-11, 20:35
I thought venerability was a good thing, but vulnerabilities could be exploited! Shows you how much I know!
You are correct, my built in spell checker on this browser changed the word it's supposed to say "vulnerability".
For example an Elderly person poses a risk of being vulnerable to the cold in the winter but in this case it would be a website being vulnerable to infections.
Niall Fernie
31-Jul-11, 07:59
Any further clues?
Like, what page did you visit?
What was the exact URL?
What was the exact warning message?
Niall. I got this message, as soon as i got on the forum. I have the first page of the forum, saved to favourites. That is the only time i have ever received the waring though.
The message was exactly how i got it, on my first post on this thread.
This is the URL that is saved to my favourites.
http://forum.caithness.org/
Niall Fernie
31-Jul-11, 17:05
I can't seem to replicate this error.
What version of IE are you using?
Has anyone else had this?
BTW do you get the same error when visiting Facebook?
I have had it for the past few weeks/ not only your site/ a few others/ seems to have gone today/ tks..s
Ie 9............
No to FB
oldmarine
01-Aug-11, 00:33
When i came on the Org just now.
Internet Explorer said, it had modified the web page to prevent cross site scripting.
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Internet Explorer advises me with the same message. I have no idea what it means. I don't know enough about computers.
Cross scripting msg again this pm on the ORG
I thought cross scripting was like when one orger takes exception to another orgers post and posts a reply. Like with weazer and corrie 3 :mad:
I thought cross scripting was like when one orger takes exception to another orgers post and posts a reply. Like with weazer and corrie 3 :mad:
No Duke, we are both into cross dressing....It's much more fun!!!!
C3.....:roll:;)
torisdale
01-Aug-11, 13:09
I can't seem to replicate this error.
What version of IE are you using?
Has anyone else had this?
BTW do you get the same error when visiting Facebook?
Hi Niall,
Why don't you check the website event log from the cpanel (not sure if your hosting allows this), it should help you understand where the error occurred and then you can rectify the issues?
Niall Fernie
01-Aug-11, 17:14
As far as I can tell this is an issue related to IE and not the site.
I've not been able to replicate the error but do get similar errors when visiting Google or Facebook (probably lots of other web sites). It seems to be a false positive otherwise we would be getting in reports left right and centre.
Thankfully I don't use IE on a regular basis so I'm not plagued with its problems.
As far as I can tell this is an issue related to IE and not the site.I've not been able to replicate the error but do get similar errors when visiting Google or Facebook (probably lots of other web sites). It seems to be a false positive otherwise we would be getting in reports left right and centre.Thankfully I don't use IE on a regular basis so I'm not plagued with its problems. Nice to see the org is taking potentially serious security issues as seriously as usual. A lot of people use this site and a lot won't be any kind of computer savvy. So your response is to laugh at them for using IE and the classic excuse "cannot replicate the error". This is a response as disgusting and arrogant as the one after the hacking incident.A responsible community website would surely try and get a bb expert in. It shouldn't take long to make sure everything is safe. Maybe people would even do it for free and some credit?
Niall Fernie
01-Aug-11, 19:29
Serenity, just because I've not explained fully to your satisfaction what I have done to trace this does not mean that I have not taken this seriously.
I have checked log files, no clues there.
I have installed the latest version of IE on a clean PC, no clues there.
I have also been reading a great deal about this type of error and everything seems to point to a false positive from the browser.
I have not received any other reports of this type of problem nor does it seem to be a reoccurring problem for the OP.
Our forum software is at the latest stage of security patches with no issues currently on the horizon.
So, if I cannot find a problem, the problem has not reoccurred, the problem does not seem to be affecting anyone else and the creators of the forum software have no current security issues, where else would you like me to look?
As for laughing about someone using IE, where do you read that? Simply because I prefer to use a browser that does not cause me as many headaches as Internet Explorer does in no way suggest that I would laugh at anyone who chooses to use it. I'm pretty sure that there are vast numbers of PC configurations with millions of possible combinations of operating system, hardware drivers, patches and plugins that work just fine. It simply does not work for me with my setup so I choose not to use it.
Disgusting and arrogant? I feel that you have more of an issue against me or the website than you are willing to admit.
I do not know you, so could not have any issue with you. I do not have any issue with the website either. But in both these instances you start by dismissing it, then when someone questions it say you have done more. I just think a forum this size should have someone professional to check the security. The consequences can be quite bad. I do not know much about this problem but is it possible it is coming from one of the adverts? Hence why only some people are seeing the issue sometimes.I admit I do not know what exactly you have checked but I think you should at least act less dismissive to reports like this. I stress the word act.
Niall Fernie
01-Aug-11, 20:07
OK lets pick though my responses on this thread:
Any further clues?
Like, what page did you visit?
What was the exact URL?
What was the exact warning message?
I thought I was trying to find out more about what had happened? Seems you think this is dismissive.
I can't seem to replicate this error.
What version of IE are you using?
Has anyone else had this?
BTW do you get the same error when visiting Facebook?
After not being able to get the same error on my set up I asked for some more detail and if anyone else has had the problem. That must look like dismissing the problem to you.
As far as I can tell this is an issue related to IE and not the site.
I've not been able to replicate the error but do get similar errors when visiting Google or Facebook (probably lots of other web sites). It seems to be a false positive otherwise we would be getting in reports left right and centre.
Thankfully I don't use IE on a regular basis so I'm not plagued with its problems.
So now I must be dismissing the problem as I'm unable to find it. I've not been given any further information or any other reports of this happening to other people. Without immediately describing what I've done in the background to trace this I have given my current conclusion based on the evidence so far. I have not closed the thread in case any further information comes to light but instead find myself having to defend my actions when I have seen no need, until challenged, to describe them to anyone.
torisdale
01-Aug-11, 20:32
i'll have a hunt for the xss problem and get back to you with what is causing it then hopefully you could sort it to keep the peace.
I have to be honest. I think the Fernies along with Colin Manson have created something very special when they created the org. I'm not knocking anyone who has an opinion about how the site could be made faster but as an ordinary non paying punter I'm grateful for their efforts. Maybe they need to hear more of that.
That doesnt mean they are any less a numpty than the best of us when it comes to an opinion but it does mean they have a special status in my book. Respect.
I was going to send this as a PM but well I want to make my thoughts clear. I wasn't trying to pick apart your response Niall, sorry if it felt that way, and like gleeber I agree this is a great website. Just your replies (in this and other threads about possible security issues) have come across as high and mighty, and dismissive in tone. To me at least. Maybe I'm just being touchy.I can understand that you may get annoyed when you get criticism and questions on what (I believe) is something you run on a part time basis. So that may be why your responses sometimes come across that way.
I didn't start this thread, to cause arguments. but to warn of the message i got. It only happened the once, on this site, and has not happened again.
IE9 has cross scripting built in, and to be honest i did not know this. or what cross scripting was. I just thought people should know, and maybe someone, with a better knowledge then me. Would be able to see if something untoward was going on.
Powered by vBulletin® Copyright © 2024 vBulletin Solutions, Inc. All rights reserved.