Thanks to the diligence of comment spammers I have learned something interesting.
I’m not sure if ny.com is affiliated with New York City in any way – it looks like a big commercial link site for NY-related content. This may or may not be sanctioned by the city itself. What I do know is that they have an interesting script in their cgi-bin which will load any URL passed via GET in the page’s lower frame. Let me illustrate this – please check out the link below:
http://www.ny.com/cgibin/frame.cgi?url=http://google.com
I’m loading the Google page within the NY page’s frame. I already sent them an email about this, so perhaps they will be fixing it soon. In case this is gone tomorrow, here is a screenshot of how it looked:
A lot of the comment spam that is getting caught in my filters lately uses this technique to push their free ringtone downloads and other garbage. If they were smarter, they would of course obfuscate the address to make it look like this:
http://www.ny.com/cgibin/frame.cgi?url= %68%74%74%70%3A%2F%2F1208930147
It still works, but the URL is obfuscated so it may not be entirely obvious that the script is loading an external page just by looking at the URL. Now, just imagine how many nasty things you can do with this little trick. Can you say cross-site scripting?
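On the filtering side, the obfuscated form stops hiding anything once a link is normalized before it is judged. The following is an added example, not code from this post or from ny.com: a sketch of a comment-filter check that decodes URL-valued query parameters and converts all-digit hosts to dotted form. The function names `normalize_host`, `nested_targets` and `flag_link` are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl, unquote

def normalize_host(host):
    """Canonical host; an all-digit host is a 32-bit IPv4 address in decimal."""
    host = (host or "").lower().rstrip(".")
    if host.isascii() and host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    return host

def nested_targets(link, max_decode=3):
    """Yield (param, decoded_url, host) for query values that are absolute URLs."""
    for name, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
        value = value.strip()
        # parse_qsl already decoded once; repeat to undo double encoding.
        for _ in range(max_decode):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.hostname:
            yield name, value, normalize_host(inner.hostname)

def flag_link(link):
    """Return nested URLs whose host differs from the host of the outer link."""
    outer_host = normalize_host(urlsplit(link).hostname)
    return [(n, u, h) for n, u, h in nested_targets(link) if h != outer_host]

if __name__ == "__main__":
    samples = [
        # The two links shown in the post.
        "http://www.ny.com/cgibin/frame.cgi?url=http://google.com",
        "http://www.ny.com/cgibin/frame.cgi?url=%68%74%74%70%3A%2F%2F1208930147",
        # Constructed: same-site link that should not be flagged.
        "http://example.com/page?id=5&ref=http://example.com/home",
    ]
    for s in samples:
        print(s, "->", flag_link(s) or "ok")
```

A filter can then score the decoded inner host against its blocklist instead of the trusted-looking outer domain.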
As a note … your link to
http://www.ny.com/cgibin/frame.cgi?url=http://google.com
is still available. Surprised?
Heh.. They still haven’t fixed it. It’s been over a year now! LOL
It’s been 2.5 years now and ny.com still hasn’t fixed it.