Things I Learn From Spammers

Thanks to the diligence of comment spammers I have learned something interesting.

I’m not sure if ny.com is affiliated with New York City in any way - it looks like a big commercial link site for NY related content. This may or may not be sanctioned by the city itself. What I do know is that they have an interesting script in their cgi-bin which will load any URL passed via GET in the page’s lower frame. Let me illustrate this - please check out the link below:

http://www.ny.com/cgibin/frame.cgi?url=http://google.com

I’m loading the Google page within the NY page’s frame. I already sent them an email about this, so perhaps they will be fixing it soon. In case this is gone tomorrow, here is a screenshot of how it looked:

[Screenshot: NY.com Security Issues]

A lot of the comment spam that is getting caught in my filters lately uses this technique to push their free ringtone downloads and other garbage. If they were smarter, they would of course obfuscate the address to make it look like this:

http://www.ny.com/cgibin/frame.cgi?url=%68%74%74%70%3A%2F%2F1208930147

It still works, but the URL is obfuscated so it may not be entirely obvious, just by looking at the URL, that the script is loading an external page. Now, just imagine how many nasty things you can do with this little trick. Can you say cross-site scripting?
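As an added illustration (not part of the original post or of ny.com’s script), here is the kind of check a frame.cgi-style script should run on its url parameter: it undoes the two obfuscations shown above (percent-encoding and a bare decimal or hex IPv4 host) and then only frames targets that are same-site or on an allowlist. The allowlist hosts and the function names are my own assumptions.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist of hosts the frame is permitted to load.
ALLOWED_HOSTS = {"ny.com", "www.ny.com"}


def normalize_target(raw: str) -> tuple[str, str, str]:
    """Return (scheme, host, path) for a url parameter after undoing
    common obfuscations: repeated percent-decoding and an IPv4 host
    written as a single decimal (1208930147) or hex (0x480ECF63) number."""
    decoded = raw.strip()
    for _ in range(3):  # a few rounds also catches double-encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    parts = urlsplit(decoded)
    host = (parts.hostname or "").lower()
    try:
        # int(..., 0) accepts decimal, 0x.. hex and 0o.. octal forms;
        # anything that is not a pure number (a real hostname) raises.
        host = str(ipaddress.IPv4Address(int(host, 0)))
    except ValueError:
        pass
    return parts.scheme.lower(), host, parts.path or "/"


def is_allowed_frame_target(raw: str) -> bool:
    """Allow only same-site relative paths or http(s) URLs whose
    normalized host is on the allowlist; everything else is refused."""
    scheme, host, path = normalize_target(raw)
    if scheme == "" and host == "":
        # Relative path on this site; "//evil.example" parses as a host,
        # so it never reaches this branch.
        return path.startswith("/")
    return scheme in ("http", "https") and host in ALLOWED_HOSTS


if __name__ == "__main__":
    # The obfuscated value from the post, decoded to its real destination.
    print(normalize_target("%68%74%74%70%3A%2F%2F1208930147"))
    for candidate in ("http://google.com", "/about.html", "http://www.ny.com/"):
        print(candidate, "->", is_allowed_frame_target(candidate))
```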

2 Responses to “Things I Learn From Spammers”

    1. clamb Says:

      As a note … your link to
      http://www.ny.com/cgibin/frame.cgi?url=http://google.com
      is still available. Surprised?

      Posted using Mozilla Firefox 1.5.0.11 on Windows XP
    2. Luke Maciak Says:

      Heh.. They still haven’t fixed it. It’s been over a year now! LOL

      Posted using Mozilla Firefox 2.0.0.6 on Ubuntu Linux
