mailing list archives
RE: Part of the web page being MODIFIED !
From: Chris Santerre <csanterre () MerchantsOverseas com>
Date: Wed, 27 Nov 2002 14:52:27 -0500
Out of curiosity, this pic wouldn't happen to be on a page that is a forum
would it? If so, check to see if you allow scripts in HTML posts. If so, it
would be easy for a user to post a message that would change the pic.
From: Bryan Wagstaff [mailto:bryanw () xmission com]
Sent: Tuesday, November 26, 2002 1:24 PM
To: Frank Cheong
Cc: security-basics () securityfocus com
Subject: Re: Part of the web page being MODIFIED !
Quoting Frank Cheong <chocobofrank () hotmail com>:
I received complains regarding one of the image on my web site has been
modified by a PORN picture ! While the image have resumed normal during
the second visit.
You say you have had complaints, but don't state if you have seen it or
not. Can YOU repeat the problem?
Therefore, the image haven't been modified. So I do want to know what is
the possibilities in doing this ?
(Like HTTP session hijack, proxy poisoning, someone doing man in the
middle etc) any other ways to do that ?
There are many ways of that sort of thing happening, but you need to do
more research to find it.
If this is something you can verify and repeat, I would first check your
Has the machine been compromized? If no, are you sure?
If using unmodified versions of the http server, do the checksums match
those of the source? (assuming you are using Apache or some other Free/Open
server) When posting back to the group, please include the versions of the
software you are using.
Does the problem appear on another similarly configured machine?
As these activities mostly happens outside my server boundry, I assume I
can't do anything with it, how about any outside parties ?
You say 'mostly happens outside my server boundary'. Please be more
Do those outside your network ALWAYS see the corrupted pages then the
proper image? Does everyone inside your network see the corrupted pages?
If only some machines inside your 'server boundary' see the corrupted
pages, are those machines within a NAT device? For example, are machines
within a 192.168.1.* seeing the corrupted pages while 192.168.0.* are
seeing the original?
As I know going for SSL maybe one of the alternative to stop this but
this will add on extra processing on my website and it will make it slow.
So I don't want to go for it, any other way to secure against this ?
You need to know where the problem is beore you can fix it. Right now I
would say you have some script kiddie playing with the site, but I wouldn't
remove other posibilities without more research.
If you have a corrupted web server, moving to SSL would not solve the
problem, it would actually make it appear that you are intentionally
sending the images.
For the man-in-the-middle attack, you could test that out by changes to
your network or Internet connections. If you are a small business, your
ISP would probably help.
If someone were performing a targeted man-in-the-middle attack, you need to
have a trusted root CA give you a cert. (If you have a self-signed or
unsigned cert, then they could easily forge one.) If you don't already
have one, those can take a little work and money to get.
Best of luck!
bryanw () xmission com
- <Possible follow-ups>
- RE: Part of the web page being MODIFIED ! Chris Santerre (Nov 28)