CSS Trick Hijacks MySpace Pages, Blogs...

So, I got a friend request on my MySpace account today. It looked like it might be from a musician (she was holding a violin in her photo) and I tend to accept friend requests from bands and musicians if their music is interesting. Unfortunately, her profile was porn spam and she used a trick that I hadn't encountered to make any click anywhere in the profile go to a porn site.

It's actually a quite simple CSS trick. Here's the CSS they used, placing it in the "who I'd like to meet" field, though it could be placed elsewhere.


<a href="Target URL" style="position:absolute; top:0px;left:0px; height:980px; width:1300px;">


That's it. I've tried it on my blog and on another that use Akismet filtering and Akismet doesn't seem to catch it (yet). I've reported it to them. If you have a homebrew comments system, you'll want to filter for href's with styles in them. If you have a blog, you may want to turn on moderation of all posts to pre-check them for this little hijack.

Also, if you're running Wordpress or another system, you may find your moderation page hijacked if the comment is rendered as HTML instead of displaying the source of the comment. In a situation like that, you'll actually need to get the source of the moderation page so you can find the "delete" or "report as spam" link for the comment, and cut and paste it into your browser to be able to kill the comment.

Another way to deal with it, if you're running WordPress, is to go to the "mass edit mode" in your comments management. You can do that by going into your admin menu, selecting "Manage", and then "Comments" as what you want to edit. The "mass edit mode" link will be hijacked, but you can just add "?mode=edit" onto the end of the URL to get to it. It won't render the HTML and you'll be able to edit the HTML out of the comment, mark it as spam (you may have to edit the comment to get that option), delete it, etc.

A SOLUTION

Here's a quick and dirty piece of PHP code to catch and disable href links with style tags in them. Assuming $tofilter is the content you want to check...


if(preg_match("/href/",$tofilter)){
       preg_match_all("/<a.+>|<.+a.+href.+>/",$tofilter,$catchit);
       for($i=0;$i<count($catchit[0]);$i++){
       $checkit = $catchit[0][$i];
       if(preg_match("/\"style| style/",$checkit)){
          //
          // CODE TO DEAL WITH COMMENT WHEN STYLE'S FOUND
          //
          $holdit = $checkit;
          $checkit = str_replace("<","&lt;",$checkit);
          $checkit = str_replace(">","&gt;",$checkit);
          $tofilter = str_replace($holdit,$checkit,$tofilter);
          }
       }
}


This will turn...


<a href="Target URL" style="position:absolute; top:0px;left:0px; height:980px; width:1300px;">

... into...


<a href="Target URL" style="position:absolute; top:0px;left:0px; height:980px; width:1300px;">

And you can also add in additional handling code as you like.

This entry was posted on Monday, April 2nd, 2007 at 12:57 pm and is filed under Techno Thoughts, Web Programming.You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.