tags:

views:

486

answers:

4
+1  Q: 

Strange elements appearing in javascript rich text editors

There's been a rash of strange HTML form elements showing up in javascript-based rich text editors all around the web. The first evidence I can find of this is in the joomla forums a little under a month ago. Since then there have also been reports from drupal users and wordpress users, and there's now evidence of this all over the web -- and finally, we've just had a report of this on a site I'm responsible for. It seems to be limited to firefox.

Any ideas where this is coming from, and how to stop it? There are some vague mentions of uninstalling firefox and running malware scanners, but nothing specific.

A: 

From the links you gave, it doesn't sound too vague to me. It's some sort of malware that auto-inserts the javascript into things you post, probably to attack visitors to your site somehow. Having it set up to insert into common CMS editors will probably get a large number of people to post it unknowingly.

There were various instructions given for removing it, this post seems like it would probably work: Problem is in browsers - remove and reinstall

Chad Birch  2009-05-05 18:14:53
Completely uninstalling firefox and reinstalling is exactly what I'd call vague. It doesn't explain what exactly is causing this in the first place. Is it a piece of malware? Does it have a name?
Frank Farmer  2009-05-05 18:17:54
Does it really matter? Firefox is infected. Remove the infection.
Chad Birch  2009-05-05 18:18:45
I don't know about your users, but mine aren't terribly pleased with "Download a 3rd party uninstaller and uninstall firefox. I don't know what's wrong, but this supposedly fixes it." as an answer to support requests.
Frank Farmer  2009-05-05 18:22:59
And they'll be more pleased with "Oh, that's the Gnarflaxer.B malware, download a 3rd party uninstaller and uninstall firefox."? Because that'll still be the fix. I don't know about your users, but mine are happier when you resolve their issues. Unless your job is "security researcher", use the fix that people have found, report it somewhere (since it seems like it only affects Firefox, probably the Mozilla support forums), and move on.
Chad Birch  2009-05-05 18:32:29
+4  A: 

This line of code is definitively clear:

<input type="hidden" id="gwProxy" /><!--Session data--><input type="hidden" id="jsProxy" /><div id="refHTML">&nbsp;</div>

gwProxy / jsProxy code being embedded into posts

Weird gwProxy code is inserted in WYSIWYG textareas

iT seems that there is a proxy that's been embeeded into users code using a FCKeditor an JCE editor due to a malicious theme or add-on.

From support.mozilla.com:

You can start Firefox in Safe Mode to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes). See Troubleshooting extensions and themes If it does work in Safe-mode then disable all your extensions and then try to find which is causing it by enabling one at a time until the problem reappears. You can use "Disable all add-ons" on the Safe mode start window. You have to close and restart Firefox after each change (File > Exit).

Sorry about my english! Don't hesitate to comment over this post.

backslash17  2009-05-09 15:05:25
A: 

What do you mean by "stop it"? If you know that there is problem that is specific to a particular version of Firefox and you want to prevent it you either check for the issue when someone submits the field before you save it, you remove it from the data after its saved but before you load it, or you check for that version of Firefox and prevent users with it from making a submission on your site (which I wouldn't recommend).

I hardly think you can tell your users to uninstall Firefox, but you have these other options to deal with how the problem affects your site.

jarrett  2009-05-13 03:52:14
+2  A: 

By chance do you have a Firefox add-on called 'Browser Highlighter' [1] installed? It might have been installed with a Skype add-on or independently (supposedly it has some connection to eBay).

I've seen two people [2], [3] post that uninstalling the 'Browser Highlighter' add-on does the trick. It's probably not a malicious widget, just a malfunctioning one. Uninstall it or disable it and let us know?

If that is the case, you can instruct your users on removing or disabling the add-on on their side (in their browser).

You will also have to remove it from posted data to your site. If you're using a third-party CMS (Wordpress, Joomla, etc) and you're not a programmer, you're going to have to get someone to watch for the offending text and strip it out.

[1] http://www.browserhighlighter.com/

[2] Case #1

[3] Case #2

GuyIncognito  2009-05-13 16:09:35

related questions

Firefox vs. IE: innerHTML handling
Firefox add-ons
How do you make a post request into a new browser tab using JavaScript / XUL?
Checking if userinput is a valid URI in XUL
Ubiquity Hack
Printing DOM Changes
HTML Select Tag with black background - dropdown triangle is invisible in Firefox 3
What is your best tool or techniques for getting the same display on IE6/7 and Firefox?
SPAN Height in Firefox
Debugging asp.net with firefox and visual studio.net - very slow compared to IE
How do I write a Firefox Addon?
Is there a way to make Firefox ignore invalid ssl-certificates?
Convince Firefox to send an If-Modified-Since header over HTTPS
Firefox extension for website interaction recording and repetition
Browser Sync accross many machines
Firefox plugin - sockets
Printing Flex components in FireFox 3
Some kind of task manager for JavaScript in Firefox 3?
How to make a Flash movie with a transparent background
Why no favicon for my web site?
FF3 WinXP != FF3 Ubuntu - why?
Firebug won't display console feeds for some of my sites
Upload form does not work in Firefox 3 with Mac OS X
Http Auth in a Firefox 3 bookmarklet
How can I turn a string of HTML into a DOM object in a Firefox extension?