
Thread: Any Security problems in rollover.js many versions past?

  1. #1
    Junior Member (Join Date: Aug 2015, Posts: 4)

    Any Security problems in rollover.js many versions past?

    This isn't going to be the most detailed of posts.
    I'm helping out a chap who has health issues, and his site has been penetrated. He created his site, which is static and not regularly updated, back in 2010, and the files tell me he used NetObjects Fusion Essentials:
    <META NAME="Generator" CONTENT="NetObjects Fusion Essentials (http://www.netobjects.com)">
    Unfortunately he's having trouble locating the site parent and the software. Fortunately he has got a backup of the HTML, so we've fixed the damage, but I'm trying to work out how it got hit. Guessing the FTP password is one possibility of course, but I've identified three different assaults, apparently from different lowlives, so it seems unlikely.

    Another possibility is some kind of assault via a netobjects feature. He is using a rollover.js for navigation menus, which I am sure would have come with his version of Essentials, which version I'm unable to identify. It starts with

    // Handles rollover images for NN3+ and IE4+
    var loaded = new Array();
    var F_menuIsEntered = false;
    var F_menuIsCreated = false;
    var F_menuAgt = navigator.userAgent.toLowerCase();
    var F_menuIsGecko = (F_menuAgt.indexOf('gecko') != -1);
    var F_menuIsOpera = (F_menuAgt.indexOf('opera') != -1);
    var F_menuSubmenu;
    var F_menuTable = new Array();

    function F_loadRollover(image,imageName,menu) {


    Unfortunately JS is not in my skill set. Is it known whether there are any CSS injection or other vulnerabilities in this, and if so, is an improved version available? Other than that there's no JS or anything else that looks like a potential vector.

    The third possibility, and my favourite to be honest, is that the problem lies elsewhere in the hoster, but there's nothing we can do about that.
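    Since the poster has a known-good backup of the static site, the most useful thing to do before reasoning about vectors is to diff the live tree against that backup and see exactly what each "assault" changed. The script below is an added example written for this thread; it is not the poster's code and has nothing to do with NetObjects or rollover.js. It hashes every file in both trees, lists added, removed and modified files, and then reports only the lines that are new relative to the backup and that look like injected content, so a legitimate <script src="rollover.js"> that was already in the backup is not flagged. The sample "backup" and "live" directories, the placeholder.invalid URL and the x.php file are constructed for the demonstration.

```python
import difflib
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Markers that typically appear in content injected into a defaced static site.
# Only lines that are NEW relative to the backup are tested against this, so
# legitimate script tags that were already in the backup are not reported.
SUSPICIOUS = re.compile(
    r"<script\b|<iframe\b|\beval\(|document\.write\(|base64_decode", re.I
)


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file below root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def new_lines(old: Optional[Path], new: Path) -> List[str]:
    """Lines present in `new` but not in `old` (every line if `old` is None)."""
    before = old.read_text(encoding="utf-8", errors="replace").splitlines() if old else []
    after = new.read_text(encoding="utf-8", errors="replace").splitlines()
    return [d[2:] for d in difflib.ndiff(before, after) if d.startswith("+ ")]


def audit(backup: Path, live: Path) -> dict:
    """Compare the live tree with the known-good backup and flag injected lines."""
    good, now = snapshot(backup), snapshot(live)
    result = {
        "added": sorted(set(now) - set(good)),
        "removed": sorted(set(good) - set(now)),
        "modified": sorted(p for p in good if p in now and good[p] != now[p]),
        "suspicious": {},
    }
    for rel in result["added"] + result["modified"]:
        old = backup / rel if rel in result["modified"] else None
        hits = [line for line in new_lines(old, live / rel) if SUSPICIOUS.search(line)]
        if hits:
            result["suspicious"][rel] = hits
    return result


def build_demo() -> Tuple[Path, Path]:
    """Constructed sample site (not the poster's real files): a known-good backup
    and a live copy with a hidden iframe injected and an unknown PHP file dropped."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    index = ('<html><body>\n<script src="js/rollover.js"></script>\n'
             '<p>Hello</p>\n</body></html>\n')
    js = "// Handles rollover images for NN3+ and IE4+\nvar loaded = new Array();\n"
    for d in (backup, live):
        (d / "js").mkdir(parents=True)
        (d / "index.html").write_text(index, encoding="utf-8")
        (d / "js" / "rollover.js").write_text(js, encoding="utf-8")
    # Constructed "defacement": hidden iframe appended before </body>, plus a dropped file.
    injected = index.replace(
        "</body>",
        '<iframe src="http://placeholder.invalid/x" width="0" height="0"></iframe>\n</body>',
    )
    (live / "index.html").write_text(injected, encoding="utf-8")
    (live / "x.php").write_text('<?php eval(base64_decode("PLACEHOLDER")); ?>\n', encoding="utf-8")
    return backup, live


if __name__ == "__main__":
    b, l = build_demo()
    for key, val in audit(b, l).items():
        print(f"{key}: {val}")
```

    Run it against the real directories by calling audit(Path("backup"), Path("live")) instead of build_demo(). Files that changed but carry no marker still show up under "modified", which is the list worth reading line by line; the modification timestamps of those files, compared with the hosting account's FTP and control-panel login records if the host will release them, are usually the quickest way to separate a stolen credential from a problem on the host's side.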

  2. #2
    Senior Member gotFusion (Join Date: Jan 2010, Location: www.gotHosting.biz, Posts: 4,526)

    More than likely a password/access has been breached. Either his or the host's.

    This is assuming that they do not use any database content where an injection attack could occur.

    I recommend to my customers to use passwords between 17 and 19 characters made up of random upper/lower case letters, numbers and special characters and to NOT let their computer remember the password for web based log ins (control panel etc).

    A password like admin will be hacked instantly whereas one like jYv4X9Lsq$zg&xWud is a bit harder to crack and not worth the time or effort for prankster hackers.

    Oh... JavaScript routines are not insecure, as they do not allow server-side access.
    NetObjects Fusion Cloud Linux enabled Web Hosting, support + training starts at $14.95
    NetObjects Fusion web Hosting and support + ASP + PHP + ColdFusion + MySQL + MS SQL
    FREE NetObjects Fusion Support & training comes with all web hosting accounts
    NetObjects Fusion Web Hosting: http://www.gotHosting.biz

  3. #3
    Junior Member (Join Date: Aug 2015, Posts: 4)

    Quote Originally Posted by gotFusion:
    More than likely a password/access has been breached. Either his or the host's.

    Reasonable passwords (12-character random), no databases, no active or dynamic content, no forms, nothing writing to the server. No edits to the site since 2010. Apparently three or four small penetrations some months apart, but all in the last 18 months. I suspect the hosting company have been compromised elsewhere, but there are no logs available from the hosting company, so there is no way to tell. Anyway, if I can cross rollover.js off the list that's good.

  4. #4
    Senior Member gotFusion (Join Date: Jan 2010, Location: www.gotHosting.biz, Posts: 4,526)

    The host should be able to tell you how and where the breach occurred.

    If they can't, you need to find another host.

  5. #5
    Junior Member (Join Date: Aug 2015, Posts: 4)

    Thanks for the assistance.
