It came to me as an utter surprise when I saw LIGATT Security International’s site suffering from some very basic flaws, ones which let anyone embed an object into their portal. Actually, it does not seem ‘that good’ to gaze at a security firm of such reputation still persisting with a basic flaw in its web site.

The Flaw: ‘iFrame injection’

An iframe injection is the injection of one or more iframe tags into a page’s content. The injected iframe can typically do many not-so-good things, such as downloading an executable that carries malware and may directly compromise a visitor’s system.

It is now one of the popular methods of loading malware onto users’ PCs without them ever knowingly visiting a compromised website. An iframe (short for “inline frame”) is just a way of loading one web page inside another, commonly from a different server. This is one of those things that can be useful for building online applications. But malware writers can make the included page just ‘one pixel square’, meaning you can’t even see that it is there, and obfuscate the JavaScript that runs automatically from that included page so that it looks something like %6D%20%6C%72%61%6D%65%62%6F, leaving no obvious clue that it is malicious.

Ways worms inject a class of iframes, aka hidden iframes, into files

  • Server getting compromised: This is one of the most common ways. Some of the websites residing on the same web server as your website may be compromised (or there may be a vulnerability in one’s own web app) which causes the web server itself to get compromised. Once the server is compromised, the worm automatically spreads itself to the rest of the websites on the server.
  • Compromising through client-side FTP: The worm may be residing on one of the client computers one uses for accessing the FTP/control panel accounts of your hosting server. When you type in the credentials for the control panel, the worm silently reads those credentials, accesses the portal and starts infecting the files found on the server. It adds the following code to all the index.* files.
To the HTML pages the following piece of code gets added:
To PHP pages it adds:

Detecting iFrame Injections

To detect iframe injections, look through the HTML that your web server is actually sending. Open a page in your browser, view its source and look for iframe tags. Injections usually insert iframes that point to raw IP addresses (something like “64.76.7.101”) instead of domain names. Treat these as suspicious. Once you have found an iframe and determined that it is not legitimate, you have to remove it from the page or the database it is coming from. On a WordPress blog you simply edit the page in question, look for the “<iframe>” tag and remove it.
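The manual check above can be scripted. The following is an added example (not code from the original post) that parses a page, collects every iframe, percent-decodes its src to undo the %XX obfuscation mentioned earlier, and flags frames that point at raw IP addresses, are one pixel or smaller, or are hidden with CSS. The sample HTML and the 192.0.2.10 / 198.51.100.7 addresses are constructed documentation values, not real indicators.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (the classic 1x1 hidden frame)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collect every <iframe> in a document and record why it looks suspicious."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (decoded src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser already lowercases tag/attr names
            return
        a = {k: (v or "") for k, v in attrs}
        src = unquote(a.get("src", ""))  # undo %XX obfuscation before inspecting
        reasons = []
        host = urlparse(src).hostname or ""
        try:
            ipaddress.ip_address(host)  # raises ValueError for domain names / empty
            reasons.append("src points at a raw IP address")
        except ValueError:
            pass
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1 / zero-size frame")
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html):
    """Return [(src, reasons)] for every suspicious iframe in the given HTML."""
    parser = IframeAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate embed and two injected, hidden frames.
SAMPLE = """<html><body><p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://192.0.2.10/load.php" width="1" height="1" style="display: none"></iframe>
<iframe src="%68%74%74%70://198.51.100.7/" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE):
        print(src, "->", ", ".join(why))
```

Run it against the saved page source (or the output of a raw fetch of your site) rather than what a browser renders, since injected frames are often only visible in the bytes the server sends.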

Alas! I hope that LIGATT rectifies these kinds of basic flaws in their portal, thus preserving its reputation.

This post can also be viewed here.

//Abhiraj
