



mrkfc
09-15-2011, 10:15 PM
My shoutbox is constantly getting hacked; the JavaScript code is below. I suspect they are exploiting the same origin policy. The hackers are using administrators' usernames and spamming lots of offensive messages into the database. Any help would be much appreciated, thank you.


/***************************/
//@Author: Adrian "yEnS" Mato Gondelle & Ivan Guardado Castro
//@website: www.yensdesign.com
//@email: yensamg@gmail.com
//@license: Feel free to use it, but keep these credits please!
/***************************/

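$(document).ready(function(){
  // Cached element handles shared by the handlers below.
  var inputUser = $("#nick");
  var inputMessage = $("#message");
  var loading = $("#loading");
  var messageList = $(".content > ul");
  var sendButton = $("#send");

  // Fetch the current message list from shoutbox.php and render it.
  // The response is inserted as raw HTML, so shoutbox.php must HTML-escape
  // every nick and message it returns; otherwise a stored message can carry
  // markup/script into every visitor's browser. NOTE(review): the server-side
  // escaping is not visible here — confirm it in shoutbox.php.
  function updateShoutbox(){
    // Hide the list and show the spinner purely for the fade effect.
    messageList.hide();
    loading.fadeIn();
    $.ajax({
      type: "POST",
      url: "shoutbox.php",
      data: { action: "update" },
      // `complete` also fires on HTTP errors, so a failed request renders the
      // error body; kept as-is to preserve the original behaviour.
      complete: function(xhr){
        loading.fadeOut();
        messageList.html(xhr.responseText);
        messageList.fadeIn(2000);
      }
    });
  }

  // True when both the nick and the message fields are non-empty.
  // .val() reads the live field value; attr("value") only reflects the markup
  // attribute in jQuery 1.6+ and can miss what the user actually typed.
  function checkForm(){
    return Boolean(inputUser.val() && inputMessage.val());
  }

  // Load the shoutbox contents on first render.
  updateShoutbox();

  $("#form").submit(function(){
    if(checkForm()){
      var nick = inputUser.val();
      var message = inputMessage.val();
      // Disable the button while the request is in flight so a double click
      // does not post the same message twice.
      sendButton.attr({ disabled: true, value: "Sending..." });
      sendButton.blur();
      $.ajax({
        type: "POST",
        url: "shoutbox.php",
        // Passing an object lets jQuery URL-encode each field, so a message
        // containing "&", "=" or "#" no longer truncates or splits the request
        // (the original concatenated the raw strings into the body).
        // Every field here is client-controlled: `nick` is whatever the
        // browser chose to send and cannot establish who the poster is. The
        // server must take the author from its own authenticated session and
        // treat this field as display input at most — a check done only in
        // this script is not a check at all.
        data: { action: "insert", nick: nick, message: message },
        complete: function(xhr){
          messageList.html(xhr.responseText);
          updateShoutbox();
          // Re-enable the send button once the round trip has finished.
          sendButton.attr({ disabled: false, value: "Shout it!" });
        }
      });
    }
    else alert("Please fill all fields!");
    // Returning false stops the native form submission and page reload.
    return false;
  });
});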

Fou-Lu
09-15-2011, 11:01 PM
This has nothing to do with Java, moving to Javascript.
If the 'hacker' is using administrative usernames, then change the usernames.

mrkfc
09-15-2011, 11:28 PM
They are using the usernames of already existing administrators and impersonating them; they must be changing a variable somehow.


