There's been a rash of strange HTML form elements showing up in JavaScript-based rich text editors all around the web. The first evidence I can find of this is in the Joomla forums a little under a month ago. Since then there have also been reports from Drupal users and WordPress users, and there's now evidence of this all over the web -- and finally, we've just had a report of this on a site I'm responsible for. It seems to be limited to Firefox.

Any ideas where this is coming from, and how to stop it? There are some vague mentions of uninstalling Firefox and running malware scanners, but nothing specific.

A: 

From the links you gave, it doesn't sound too vague to me. It's some sort of malware that auto-inserts the JavaScript into things you post, probably to attack visitors to your site somehow. Having it set up to insert into common CMS editors will probably get a large number of people to post it unknowingly.

There were various instructions given for removing it; this post seems like it would probably work: Problem is in browsers - remove and reinstall

Chad Birch
Completely uninstalling Firefox and reinstalling is exactly what I'd call vague. It doesn't explain what exactly is causing this in the first place. Is it a piece of malware? Does it have a name?
Frank Farmer
Does it really matter? Firefox is infected. Remove the infection.
Chad Birch
I don't know about your users, but mine aren't terribly pleased with "Download a 3rd party uninstaller and uninstall Firefox. I don't know what's wrong, but this supposedly fixes it." as an answer to support requests.
Frank Farmer
And they'll be more pleased with "Oh, that's the Gnarflaxer.B malware, download a 3rd party uninstaller and uninstall Firefox."? Because that'll still be the fix. I don't know about your users, but mine are happier when you resolve their issues. Unless your job is "security researcher", use the fix that people have found, report it somewhere (since it seems like it only affects Firefox, probably the Mozilla support forums), and move on.
Chad Birch
+4  A: 

This line of code is definitively clear:

<input type="hidden" id="gwProxy" /><!--Session data--><input type="hidden" id="jsProxy" /><div id="refHTML">&nbsp;</div>

gwProxy / jsProxy code being embedded into posts

Weird gwProxy code is inserted in WYSIWYG textareas

It seems that there is a proxy that's been embedded into users' code using a FCKeditor and JCE editor due to a malicious theme or add-on.

From support.mozilla.com:

You can start Firefox in Safe Mode to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes). See Troubleshooting extensions and themes. If it does work in Safe Mode then disable all your extensions and then try to find which is causing it by enabling one at a time until the problem reappears. You can use "Disable all add-ons" on the Safe Mode start window. You have to close and restart Firefox after each change (File > Exit).

Sorry about my English! Don't hesitate to comment over this post.

backslash17
A: 

What do you mean by "stop it"? If you know that there is a problem that is specific to a particular version of Firefox and you want to prevent it, you either check for the issue when someone submits the field before you save it, you remove it from the data after it's saved but before you load it, or you check for that version of Firefox and prevent users with it from making a submission on your site (which I wouldn't recommend).

I hardly think you can tell your users to uninstall Firefox, but you have these other options to deal with how the problem affects your site.

jarrett
+2  A: 

By chance do you have a Firefox add-on called 'Browser Highlighter' [1] installed? It might have been installed with a Skype add-on or independently (supposedly it has some connection to eBay).

I've seen two people [2], [3] post that uninstalling the 'Browser Highlighter' add-on does the trick. It's probably not a malicious widget, just a malfunctioning one. Uninstall it or disable it and let us know?

If that is the case, you can instruct your users on removing or disabling the add-on on their side (in their browser).

You will also have to remove it from posted data to your site. If you're using a third-party CMS (WordPress, Joomla, etc.) and you're not a programmer, you're going to have to get someone to watch for the offending text and strip it out.

[1] http://www.browserhighlighter.com/

[2] Case #1

[3] Case #2

GuyIncognito
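
The site-side option raised in jarrett's and GuyIncognito's answers (check the submitted field and strip the offending text before saving), as an added example that is not part of the thread. The function name `stripGwProxy`, the sample input, and the markup variants it tolerates (attribute order, quoting, case) are assumptions; only the fragment quoted in backslash17's answer comes from the page.

```javascript
// Added example, not code from the thread. Targets only the fragment quoted above:
//   <input type="hidden" id="gwProxy" /><!--Session data-->
//   <input type="hidden" id="jsProxy" /><div id="refHTML">&nbsp;</div>
// It is a narrow filter for this known artifact, not a general HTML sanitizer.
const INJECTED_IDS = ['gwproxy', 'jsproxy'];

const INPUT_TAG = /<input\b[^>]*>/gi;
const SESSION_COMMENT = /<!--\s*Session data\s*-->/gi;
// Only an empty / &nbsp;-only refHTML div is removed, so real content is never dropped.
const REF_DIV =
  /<div\b[^>]*\sid\s*=\s*["']?refHTML["']?[^>]*>(?:\s|&nbsp;|\u00a0)*<\/div>/gi;

// True for a hidden <input> whose id is gwProxy or jsProxy (any attribute order).
function isInjectedInput(tag) {
  const id = /\sid\s*=\s*["']?([\w-]+)/i.exec(tag);
  const hidden = /\stype\s*=\s*["']?hidden\b/i.test(tag);
  return Boolean(id) && hidden && INJECTED_IDS.includes(id[1].toLowerCase());
}

// Returns the cleaned HTML plus the pieces removed, so the caller can log
// which submissions were affected and point those users at their add-ons.
function stripGwProxy(html) {
  const removed = [];
  const drop = (match) => { removed.push(match); return ''; };

  let clean = html.replace(INPUT_TAG, (tag) => (isInjectedInput(tag) ? drop(tag) : tag));
  clean = clean.replace(REF_DIV, drop);
  // The comment text is generic, so remove it only alongside the other markers.
  if (removed.length > 0) clean = clean.replace(SESSION_COMMENT, drop);
  return { clean, removed };
}

// Constructed sample: a post body with the fragment appended by the browser.
const SAMPLE =
  '<p>Meeting notes</p><input type="hidden" id="gwProxy" /><!--Session data-->' +
  '<input type="hidden" id="jsProxy" /><div id="refHTML">&nbsp;</div>';

const result = stripGwProxy(SAMPLE);
console.log(result.clean);          // cleaned body to store
console.log(result.removed.length); // number of injected pieces found
```

Run it on the field before saving, and treat a non-empty `removed` list as a signal that the submitting browser has the problem add-on.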