

How to make javascript alert bomb work on operamini browser?





ogah
From my error404 file logger I have found someone trying to inject my site with a malscript.
He accessed my site with a URL like this: http://mydomain/wp-content/themes/Avenue/timthumb.php?src=http://url_with_malscript

I do not have a wp-content folder and do not use timthumb.

Then I put code like this in my error404 file:
Code:

<?php
if(preg_match('/wp-content/si', $_SERVER["REQUEST_URI"])) {
?>
<script type="text/javascript">
for(i = 0; i < 1000; i++){
   alert("What are you doing?");
}
</script>
<?php
}
?>

I want this bomb to also work on the Opera Mini browser. Is that possible or not?
jmraker
With that kind of thinking if your site has a broken link, or if links change, you're pretty much insulting, confusing and annoying your users when they see that. (without that if statement)

The computer program (bot) toying with your site won't execute the javascript at all. If the timthumb.php doesn't exist it won't do anything unless it's part of a denial of service attack.

It might be better to put a rewrite rule to all /wp-content/* requests to redirect to a plain page saying "wordpress is not installed" in your .htaccess file.
Fire Boar
Doing that breaks one of the most important rules of good site design: design your website for legitimate users. 404 errors are common and should be friendly ideally, informative at least. Dropping an alert bomb like this is the absolute worst possible choice you could possibly make, and I hope to dissuade you from this stupidity with this post.

Attacks like the one you saw are typically done by bots on a mass scale, targeting a list of known website domains in the hope of compromising a known software weakness in those websites that use it. That sort of request is made on a fire-forget basis - it's most likely that the mere acceptance of the request by the server will affect your site, IF you run the vulnerable software. If not, then the request made does nothing and returns 404 (as it should for any invalid request), and you have nothing to worry about.

So, just make sure that the software you do run is up to date and you'll be fine. Don't try and take proactive measures like this - it's completely unnecessary and just annoys people. If I noticed any website with this kind of alert bomb on ANY page (including things like the "wrong password for the admin section" page), I would make a point of never visiting that site again.
ogah
@jmraker & Fire Boar, thanks for your advice.
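
A 404 handler along the lines the replies suggest, as an added example that is not part of any post in this thread: it records requests that look like WordPress/timthumb probes and answers every missing page with a plain 404 and no script. The log path, the helper names (`clean_field`, `is_probe`) and the patterns are assumptions for illustration.

```php
<?php
// Added example (not from the thread): log scanner probes, serve a plain 404.
// PROBE_LOG is an assumed path; in practice keep the log outside the web root.
const PROBE_LOG = __DIR__ . '/probe.log';

// Replace control characters and double quotes so a crafted URI or
// User-Agent cannot forge extra log lines or break out of a quoted field.
function clean_field($value, $max = 512)
{
    $value = preg_replace('/[\x00-\x1F\x7F"]/', '?', (string) $value);
    return substr($value, 0, $max);
}

// True when the path targets WordPress/timthumb files this site does not
// have, or when a query parameter carries a remote URL (the src=http://...
// pattern seen in the logged request).
function is_probe($uri)
{
    $parts = explode('?', (string) $uri, 2);
    $path  = $parts[0];
    $query = isset($parts[1]) ? $parts[1] : '';
    if (preg_match('#/(wp-content|wp-admin|wp-includes)/|timthumb\.php#i', $path)) {
        return true;
    }
    return (bool) preg_match('#(^|&)[^=&]*=(https?|ftp)(:|%3a)(/|%2f){2}#i', $query);
}

$uri = $_SERVER['REQUEST_URI'] ?? '';

if (is_probe($uri)) {
    $line = sprintf(
        "%s ip=%s uri=\"%s\" ua=\"%s\"\n",
        gmdate('c'),
        clean_field($_SERVER['REMOTE_ADDR'] ?? '-'),
        clean_field($uri),
        clean_field($_SERVER['HTTP_USER_AGENT'] ?? '-')
    );
    error_log($line, 3, PROBE_LOG); // message type 3 appends to the given file
}

// Same response for bots and for visitors who followed a broken link.
http_response_code(404);
header('Content-Type: text/plain; charset=utf-8');
echo "404 Not Found\n";
```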