Things I Learn From Spammers

Thanks to the diligence of comment spammers I have learned something interesting.

I’m not sure if ny.com is affiliated with New York City in any way; it looks like a big commercial link site for NY-related content, which may or may not be sanctioned by the city itself. What I do know is that they have an interesting script in their cgi-bin which will load any URL passed via GET in the page’s lower frame. Let me illustrate this; please check out the link below:

http://www.ny.com/cgibin/frame.cgi?url=http://google.com

I’m loading Google page within the NY page’s frame. I already sent them an email about this, so perhaps they will be fixing it soon. In case this is gone tomorrow, here is a screenshot of how it looked:

[Screenshot: NY.com Security Issues]

A lot of the comment spam that is getting caught in my filters lately uses this technique to push free ringtone downloads and other garbage. If they were smarter, they would of course obfuscate the address to make it look like this:

http://www.ny.com/cgibin/frame.cgi?url=%68%74%74%70%3A%2F%2F1208930147

It still works, but the URL is obfuscated, so just by looking at it you may not notice that the script is loading an external page. Now, just imagine how many nasty things you can do with this little trick. Can you say cross-site scripting?
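To show what the fix on the ny.com side would look like, here is an added example (my own code, not ny.com’s frame.cgi and not from the original post) that checks a `url` parameter against a host allowlist before framing it, and that is not fooled by the two obfuscations shown above: percent-encoded scheme and a dotless decimal IP such as 1208930147. The allowlist in `ALLOWED_HOSTS` is an assumed policy; the `embedded_targets` helper is the same normalisation applied from the other side, flagging comment links whose query string smuggles a second URL, which is the pattern a comment filter can key on.

```python
"""Allowlist check for a frame/redirect 'url' parameter.

Added example, not ny.com's frame.cgi and not the blog author's code.
ALLOWED_HOSTS is an assumed, constructed policy for illustration.
"""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed policy: only pages on these hosts may be loaded into the frame.
ALLOWED_HOSTS = {"www.ny.com", "ny.com"}


def vulnerable_frame_target(url_param: str) -> str:
    """The behaviour the post describes: whatever the GET parameter says is
    loaded into the lower frame, unchecked. Kept only for comparison."""
    return url_param


def canonical_host(url_param: str) -> Optional[str]:
    """Decode and normalise the target so obfuscated forms compare equal.

    Returns the canonical host ('a.b.c.d' for any IPv4 literal, lowercase
    hostname otherwise) or None when no usable http(s) host is present."""
    # Percent-decode repeatedly: double-encoding slips past a check that
    # decodes only once. Three rounds is plenty for a URL.
    decoded = url_param.strip()
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    try:
        parts = urlsplit(decoded)
        host = parts.hostname
    except ValueError:  # malformed IPv6 bracket syntax and similar
        return None
    if parts.scheme.lower() not in ("http", "https") or not host:
        return None

    host = host.lower().rstrip(".")

    # Browsers accept a bare decimal such as 1208930147 as an IPv4 address
    # (it is 72.14.207.99). ipaddress only parses the dotted form, so turn
    # the dotless form into dotted-quad before comparing.
    try:
        if host.isdigit():
            host = str(ipaddress.IPv4Address(int(host)))
        else:
            host = str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal: keep it as a hostname
    return host


def hardened_frame_target(url_param: str, default: str = "/") -> str:
    """Allow the target only when its canonical host is on the allowlist;
    otherwise fall back (fail closed) to a safe local page."""
    host = canonical_host(url_param)
    if host in ALLOWED_HOSTS:
        return url_param
    return default


_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def embedded_targets(text: str) -> List[str]:
    """Find links in a comment whose query string carries another http(s)
    URL (decoded), i.e. the redirector pattern the post describes."""
    found = []
    for m in _URL_RE.finditer(text):
        query = urlsplit(m.group(0)).query
        for values in parse_qs(query).values():  # parse_qs percent-decodes
            for value in values:
                if canonical_host(value) is not None:
                    found.append(value)
    return found


if __name__ == "__main__":
    for param in ("http://google.com", "%68%74%74%70%3A%2F%2F1208930147",
                  "http://www.ny.com/index.html"):
        print(repr(param), "->", canonical_host(param),
              "framed as", hardened_frame_target(param))
```

The important design choice is that the check compares hosts after full decoding and IP canonicalisation, and fails closed: a form it cannot parse is treated as untrusted rather than passed through.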


3 Responses to “Things I Learn From Spammers”

1. clamb says:

      As a note … your link to
      http://www.ny.com/cgibin/frame.cgi?url=http://google.com
      is still available. Surprised?

2. Luke Maciak says:

      Heh.. They still haven’t fixed it. It’s been over a year now! LOL

3. It’s been 2.5 years now and ny.com still hasn’t fixed it.
