JQuery :: Potential "blind Sql Injection" Vulnerability With Superfish JS?

Jun 19, 2009

The client we're building a site for recently had a server-wide scan done by [UR] for PCI compliance. This was required by their bank's commercial credit card service. The report came back with a "Possible blind sql injection" vulnerability warning level 4 out of 7 for the Superfish menu javascript. Anything 4 and above keeps them out of compliance. This file is for the Superfish menu. Is there a workaround for this potential issue?

View 4 Replies


JQuery :: UI Blind Effect In IE?

Aug 5, 2009

I'm having trouble with the blind effect in the jQuery UI. I hope someone out here has used it! Anyway, it's supposed to be a fluid movement where it reveals a DOM element like opening blinds. Here is my website: [URL]

Click the comments for any of the entries, then try doing it in FF or chrome. Anyone else have this issue?

View 1 Replies View Related

Trying To Understand Potential Javascript Malware

Oct 23, 2007

A very brief background before my question - I run a forum where it has recently been reported that the signature used by one of the members includes a URL which is reported by Kaspersky antivirus to contain some malware, specifically "Trojan-Downloader.JS.Remora.w" (a trojan about which I can find very little information). Well, I didn't have anything better to do yesterday so I thought I'd take a deeper look into this and, while taking some precautions, did indeed find some obfuscated JavaScript on the page in question. I should state at this stage that I'm not a programmer but after a bit of Googling discovered that I could de-obfuscate (is that a word?) the code using an online script which turned it into something fairly readable. However, as I say I have virtually no programming knowledge and what the code does, or attempts to do, is completely beyond me, although from what I read yesterday I believe that the JavaScript functions uncovered are probably designed to create another bunch of JS code which actually does the damage.

Having come so far I'm now really intrigued to find out what the code does but I don't have the knowledge to go that one final step. My question here is simply is this an appropriate place to post the code and ask if anyone can explain it? I'm aware that as this looks like something undesirable there may be good reasons for not posting it and if that's the case does anyone know where might be a more appropriate forum? Alternatively, if anyone wants to take a crack at it individually please let me know and I'll be happy to send through what I've come up with.

View 4 Replies View Related

XSS Remote Code Execution Vulnerability?

Oct 19, 2009

I have discovered a XSS vuln in a website and I'd like to use this as a cookie grabber. If you can help, <removed>.

View 1 Replies View Related

JQuery :: Improving Efficiency Of DOM Injection?

Jan 21, 2010

I've implemented jQuery within a web application where a very large number of DOM elements, comments in this case, are injected post-load by a 'Show all' button. Returned via JSON is a HTML string of <li> elements, to be injected into a pre-existing <ul> element. I'm looking to make this more efficient, as reading various sites I've been led to believe that wrapping new elements in a parent wrapper node before injecting would yield the best speed. Here, however, I'm injecting into an <ul> element that already has elements in, so can't wrap it.

What's the most efficient way of tackling this?
a) Wrap them in an element, inject, then unwrap and move into the target?
b) Clone the existing <ul>, add the elements in-memory and then replace in the DOM with the consolidated version

View 5 Replies View Related

JQuery :: Superfish: No Animation After Loading Superfish.js

Sep 18, 2011

I was basically trying to follow several tutorials to get a superfish menu working on my website, but I don't seem to be able to get it to work. I included both the superfish.css and the superfish.js in my website's header; both paths are correct and point to the designated file. I then included the superfish function in my header like this:

<script> $(document).ready(function(){ $('ul.sf-menu').superfish({
delay: 1000, // one second delay on mouseout
animation: {opacity:'show',height:'show'}, // fade-in and slide-down animation

[code]....

The corresponding <ul> element has the required sf-menu class, but still there are no animations, no fading, no delays, just the plain css functionality provided by the superfish.css.

View 2 Replies View Related

HTML Injection And DIV's

Jan 20, 2010

I'm doing a little rummaging around for a nearby school who said they are having a bit of trouble with their digital library system. I was recommended and said I would take an initial look at the system. Mind you, if you know about infosec, then this is grey box testing.

The application I'm focusing on is Alexandria v5.5.67, which is a library management and interface tool. I've found a number of pretty serious XSS and even SQL injection errors in their coding. I believe these are new and I've reported them to Alexandria but the problem lies within me fixing this.

I was able to give a proof of concept test on URL piping commands with the python used to drive it and a proof of concept for the login system using their poorly coded perl. I'm having a bit of trouble and I'm a little new to this. I'm attempting to do a proof of concept on their main page using their search function. I've already exploited using a basic

What I'm trying to do is actually edit the elements of a div container on the page. I've never actually used DIVs with JavaScript or any scripting for that matter other than server side includes in PHP, but that's not client side and I don't know much about JavaScript. What I'm looking to do is change or alter the content of a particular div; it's not necessarily a div but rather a class. I'm having trouble even using JavaScript URL commands to get the contents of a particular div to display.

View 2 Replies View Related

Email Validation: Just Enough To Prevent Sql Injection

Oct 28, 2006

I've read enough about email validation to know that the only real validation is having a user respond to a confirmation message you've sent them. However, I want to store the address temporarily, so I want to make sure what is entered is safe to work with.

I have a basic understanding of regexps, so I could write one that checks for a simple format like: something followed by @ followed by something followed by . followed by something. I can also make a good guess at understanding the regexps I come across in validation schemes people have posted. However, each scheme that is posted seems to get criticized for invalidating some esoteric, but valid, addresses.

I'm wondering if there is a minimum validation you can do that will prevent basic attacks like SQL injection attacks. For example, if I weed out anything with single and double quotes, and semicolons, am I barring some people unnecessarily? Seems like you'd be trying to mess with people by putting a semicolon in your email address.

View 7 Replies View Related

Execute Injection When Loading Page?

Dec 16, 2009

In Chrome, the login page on my school's educational online platform [URL] doesn't remember the login info. So I made a bookmark with this JavaScript injection, that fills in the info, and focusses on the 'aanmelden' button (='login' in Dutch), so that I only have to press enter to continue. Here's the JavaScript injection:

Code:

javascript: document.getElementById('username').value='23889493984';document.getElementById('password').value='4 42384985';return false;document.getElementById('login').focus();

This works fine but I'd like to make it happen faster. I wish I could let the script be activated instantly when the page loads, so I only have to press enter, or if possible, let the script click the login button itself.

View 6 Replies View Related

Rapid Injection Of Strings Into Interface?

Aug 6, 2009

If I have a Java interface on a website and that interface contains a box where a user enters a string and then submits it. If I wanted to rapidly submit strings from a list I had (in a text file say), how would I go about doing this?

I have looked at the source code for the interface but I don't really know Java that well. There must be a way to "connect" to the interface and rapidly submit strings.

View 4 Replies View Related

Loading Icon To Smooth HTML Injection?

Sep 4, 2010

So what happens is that I have a page that uses a JavaScript tab navigation div, named 'Tabber', working perfectly. Basically it picks up HTML tags with a specific classname and after the page is loaded it creates a small portion of HTML to create the desired effect. The problem is that it only does it after the page is loaded, which I am fine with, but before that, the contents of that same div (that come from a SQL query) are not formatted and the page just breaks apart until the document is fully loaded (my current workaround is an overflow:hidden but... it is still ugly to watch), and only then it adjusts itself due to the right CSS properties.

Now, it would be great if I could just have a loading icon showing up inside the div while the page is not loaded, so I can manage to hide that Javascript HTML injection process.

View 1 Replies View Related

Possible That Using Injection The Contents Of A Webpage Can Be Altered (add / Edit / Deleted) In Line Of Code?

Jun 6, 2009

I want to ask whether it is possible that, using JavaScript injection, the contents of a web page can be altered (add / edit / deleted) in line of code. Since this has happened with me a couple of times, talking to the support team at my hosting provider, they say that it's due to the security holes in the coding, but I think that it's the security issue at the hosting side (since modifying the web pages code). I've found this code immediately after the opening of the body tag. Earlier the page snoofing for the above URL was working, but now it's not producing the output (so cannot post what's inside it). My other website (hosted by the same provider) is also infected. There the code immediately after the body tag is again the page snoofing yields no output with the error

View 6 Replies View Related

JQuery :: Superfish Bug In IE8

Sep 11, 2010

I am having a problem with superfish working in IE8. It displays vertically instead of normal, i.e. horizontal.

This may be a known issue but I can't find anything on it... it may also be a CSS issue but I can't tell for sure...

View 1 Replies View Related

JQuery :: Set Up Superfish For Wordpress?

Jan 21, 2010

I'm trying to create my first theme and I'm new to both PHP and jQuery. I have been trying to get Superfish working on Wordpress for too long now. I have placed a directory called "js" in my theme's folder. jQuery 1.4 is in there with the Superfish, HoverIntent, and CSS files. This is the code...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/11">[code]....

The only thing that shows up is a list of the Pages without any CSS or fancy menu happening.

View 2 Replies View Related

JQuery :: Superfish V1.4.8 Clashes With SWF?

Aug 24, 2009

Trying to use superfish / jquery navigation on a site. Works great on my Mac (Safari & Firefox), but in IE (not sure of the version) the drop-downs go behind the SWFs that sit just below the nav. Here's a link to the site: [URL]

View 1 Replies View Related

JQuery :: Superfish-1.4.8 CSS Tweaking?

May 9, 2011

I need to change the background color of all my <li> buttons and child buttons, the color that appears on hover and the color of the text. This is superfish.css below. Does anyone know where to change for these items?

[Code]...

View 1 Replies View Related

JQuery :: Center A Superfish Menu?

Mar 23, 2010

I am just trying to figure out how I might center a superfish menu - and possibly make the top level LIs 'auto size'. It seems the menu will only float left or right. Of course I am not a CSS guru either - it could be staring me in the face.

View 2 Replies View Related

JQuery :: Cycle With Superfish On IE9 Beta?

Oct 25, 2010

Cycle and Superfish. I have just tested my site [URL] on IE9 beta and discovered that the Superfish dropdown menus are hidden by the Cycle slideshow. I clicked the Compatibility button - still the same - then clicked it again. Problem has now gone away.

View 2 Replies View Related

JQuery :: Hiding A Menu In Superfish?

May 17, 2009

I want to make a dynamic menu where the items being shown depends on the access of the user. I tried having a code in codebehind of my aspx page that will set a certain li to style display none, but when viewed in IE6 I get a white space within the menu.

View 1 Replies View Related

JQuery :: Horizontal Superfish With 100% Width?

Jun 4, 2009

I've made a horizontal Superfish menu which fills the containing div entirely, based on the description given here: [URL] Basically that is:

#menu { width: 100%; float: left; display: table;}
#menu > ul { display: table-row; }
#menu > ul > li { display: table-cell; min-width: 20%; }

However, this causes the effect of the Supersubs plugin to stop working. Is there a way of providing a dynamic submenu width when having a "full width" Superfish menu as described above?

View 1 Replies View Related

JQuery :: Install Supersubs In Superfish?

Jul 12, 2009

I installed Superfish, use the menus, everything is ok. How can Supersubs be enabled in Joomla? I cannot find a tweak in the Superfish backend module. Does any file have to be edited by hand?

View 1 Replies View Related

JQuery :: Superfish Align Sub Menus To Top

Jul 7, 2009

I'm trying to set up a vertical menu where the submenus align to the top of the parent ul rather than the parent li, as in this image: URL...

View 4 Replies View Related

JQuery :: Superfish As Popup Menu?

Aug 4, 2009

I am in the process of replacing a YUI menu implementation with Superfish. Is there an easy way to implement a popup menu? Something like: [URL]..

View 2 Replies View Related

JQuery :: Superfish - Drop Down Not Displaying

Oct 15, 2009

I am using the Superfish Module and have been able to successfully install and use it. The problem I am having is that the sub menus are being drawn behind the banner / header area and therefore you are not able to see them or click on them.

Please let me know whether to change the index.php or .css file to see the drop down menus properly. Following are details you might need [code]...

View 2 Replies View Related

JQuery :: Superfish Navbar - Center The Whole Bar?

Oct 19, 2009

I'm using a navbar with superfish. I simply put my menu list inside a wrapper so the markup looks like this:

<div class="navbar-wrapper">
<ul class="sf-menu sf-navbar">
<li>...</li>

[code]....

View 3 Replies View Related

JQuery :: Superfish On Roids Second Top Level Row?

Apr 21, 2009

I want to use this menu but I have so many main items that there are 2 rows. The first row is always on top. How can I get the second level menu to be on top of the first item menu-item1 menu-item2 menu-item3 menu-item4 menu-item5 menu-item6 menu-item7 menu-item8 menu-item9

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved