
Support Forum

need to report a vulnerability in java in firefox

Posted

Hello, I am managing a website for a client. Noticed today that there are links showing up at the end of one of our pages, but only with Firefox 4.01. Earlier versions and IE do not show the links.

We are thinking it is a JavaScript vulnerability. Just started today. Directions to view it below.

Go to americanaexchange.com. Click on AEMonthly (top right of the page).

Next page, right on side, in the search box put in Potter, run the search (any search will work but we are using this one)

On the next page click on the Read More button for any of the results.

Next page look at the bottom of the page and you will see all the links for the drug advertisement.

We are checking everything on our end. We have an excellent team that runs the firewall and the security and they are looking.

Again, the links only show up in Firefox 4.01. No other browser, and so far only this page.

If you know of an issue, please let us know.


Additional System Details

This happened

Not sure how often

This started when...

Today

Installed Plug-ins

  • Shockwave Flash 10.3 r181
  • Next Generation Java Plug-in 1.6.0_24 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • 4.0.60310.0
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
  • Adobe PDF Plug-In For Firefox and Netscape 10.0.1

Application

  • User Agent: Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

More Information

Tested with Firefox 4.01, 64-bit Windows and Unix. Both show the links.
Earlier versions for Mac and PC do not show the links. Tried 3.09 and 3.15 version. Links are not there.
Links do not show in any IE versions that we tested.
Let me know if you can help.
Laurie Anderson
Americana Support
615-758-6483

jscher2000
  • Top 10 Contributor
8792 solutions 71898 answers

Helpful Reply

Those links are in your page in Firefox 3.6 and IE8, but you can't see them. In those browsers, you can confirm by using their view source feature and searching for:

<span style='display:none'>

This persists even if I disable JavaScript and reload the page.

Because Firefox 4 has a stricter interpretation of HTML, the intended hiding of that content does not work. (Specifically, the code places a <p> inside a <span> which technically is not permitted.)

To compare Firefox 4 without the new rules, you can turn off the HTML5 parser like this:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the filter box, type or paste html5 and pause while the list is filtered.

(3) Double-click html5.parser.enable to toggle it to false (line should turn bold).

Then reload the problem page and the links should be hidden again.

So this suggests your server application has been exploited, perhaps by an include in one of your templates.


Modified by jscher2000
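
The check described in the reply above (searching the served HTML for content hidden with display:none) can be automated for a whole site. This is an added example, not part of the original thread: it scans raw HTML for links inside inline-hidden elements and flags a <p> nested in a hidden <span>, the invalid nesting that made the block visible under the HTML5 parser. The sample page and the spam.example URLs are constructed.

```python
import re
from html.parser import HTMLParser

HIDDEN = re.compile(r"display\s*:\s*none", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "source", "wbr"}

# Constructed sample: one legitimate link plus an injected hidden block.
SAMPLE = """<html><body>
<div id="article"><p>Review text. <a href="/aemonthly">More</a></p></div>
<span style='display:none'><p><a href="http://spam.example/pills">cheap pills</a>
<a href="http://spam.example/meds">meds</a></p></span>
</body></html>"""

class HiddenLinkScanner(HTMLParser):
    """Walks tags in source order, as 'view source' shows them (no HTML5 tree fix-ups)."""
    def __init__(self):
        super().__init__()
        self.stack = []                # open elements as (tag, has inline display:none)
        self.hidden_links = []         # hrefs found inside hidden elements
        self.p_in_hidden_span = False  # invalid nesting that newer parsers "repair"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN.search(attrs.get("style") or ""))
        inside_hidden = any(h for _, h in self.stack)
        if tag == "a" and (hidden or inside_hidden) and attrs.get("href"):
            self.hidden_links.append(attrs["href"])
        if tag == "p" and any(t == "span" and h for t, h in self.stack):
            self.p_in_hidden_span = True
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close back to the nearest matching open tag; ignore stray end tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(html):
    """Return (list of hidden hrefs, True if a <p> sits inside a hidden <span>)."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hidden_links, scanner.p_in_hidden_span

if __name__ == "__main__":
    links, nested = scan(SAMPLE)
    print("hidden links:", links, "| <p> inside hidden <span>:", nested)
```

Run it against the HTML as delivered by the server (for example, a saved copy of each template's output), since the injected block is present even with JavaScript disabled.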