Now delivering a 404: https://www.virustotal.com/en/url/6ba734d4c0a6c0833184d5826e3fb9068684e083416b026c5a49767fc4a306b9/analysis/1455570393/
My attention was drawn to this suspicious link, which has a very low detection score, by our good forum friend, Be Secure,
who asked himself whether this could be abused for arbitrary file uploads (PHP).
Saw SRI issues, but no clear sign of suspicious or malicious code until I scanned at Quttera’s:
A home of redirects we see there: /inthenews
Severity: Malicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to malicious blacklisted domain -homebusinessmag.com
And here: cdn.jotfor.ms/js/vendor/google_caja/html-sanitizer.js?3.3.11401
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Potentially suspicious obfuscated PHP threat
Offset: 488
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcdn.jotfor.ms%2Fjs%2Fvendor%2Fgoogle_caja%2Fhtml-sanitizer.js%3F3.3.11401
It uses JavaScript (a regular expression) to remove characters from a string based on a whitelist.
Info credits here go to Mathias Bynens.
See this test runner… it is the obfuscated code that is flagged, but the use could be benign here…
Also:
// In Internet Explorer ≤ 8, the backtick character can be used
// to break out of (un)quoted attribute values or HTML comments.
// See http://html5sec.org/#102, http://html5sec.org/#108, and
// http://html5sec.org/#133.
(info AskTop in playstore app).
The active code there is running here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcdn.jotfor.ms%2Fstatic%2FformBuilder_en-US.1447c0.js
Results from scanning URL: -http://cdn.jotfor.ms/static/formBuilder_en-US.1447c0.js
Number of sources found: 436
Number of sinks found: 850
Landing here:
Results from scanning URL: -http://halva-bhf.ru/media/jui/js/jquery-noconflict.js
Number of sources found: 7
Number of sinks found: 9
and for instance here:
Results from scanning URL: -http://halva-bhf.ru/templates/at_real_estate/js/jquery.sticky.js
Number of sources found: 43
Number of sinks found: 19 (plug-in code to make an element on your page always visible)
polonus (volunteer website security analyst and website error-hunter)
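
An added example (not part of the post above and not the scanner's own code) showing how "sources found / sinks found" figures like those quoted arise from pattern matching, and why a count by itself does not show that a source reaches a sink. The pattern lists, function names and sample snippets are assumptions constructed for the illustration.

```javascript
// Simplified pattern lists chosen for this example (assumption); they are
// not the rule set of domxssscanner.com or of any other scanner.
const SOURCE_PATTERNS = [
  /\blocation\.(?:href|hash|search|pathname)\b/g,
  /\bdocument\.(?:URL|documentURI|referrer|cookie)\b/g,
  /\bwindow\.name\b/g,
];
const SINK_PATTERNS = [
  /\beval\s*\(/g,
  /\bdocument\.write(?:ln)?\s*\(/g,
  /\.innerHTML\s*=(?!=)/g,
  /\bset(?:Timeout|Interval)\s*\(/g,
  /\.(?:html|append|prepend|after|before)\s*\(/g,
];

const countMatches = (code, patterns) =>
  patterns.reduce((n, re) => n + (code.match(re) || []).length, 0);

// Raw counts, the kind of figure a "sources found / sinks found" line reports.
function scan(code) {
  return {
    sources: countMatches(code, SOURCE_PATTERNS),
    sinks: countMatches(code, SINK_PATTERNS),
  };
}

// Crude line-level triage: a sink line counts only if it reads a source
// directly or uses a variable that was declared from a source earlier.
function taintedSinkLines(code) {
  const tainted = new Set();
  const hits = [];
  for (const line of code.split('\n')) {
    const isSource = countMatches(line, SOURCE_PATTERNS) > 0;
    const isSink = countMatches(line, SINK_PATTERNS) > 0;
    const decl = line.match(/\b(?:var|let|const)\s+([A-Za-z_]\w*)\s*=/);
    const usesTainted = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(line));
    if (isSink && (isSource || usesTainted)) hits.push(line.trim());
    if (isSource && decl) tainted.add(decl[1]);
  }
  return hits;
}

// Constructed samples: a harmless widget and a short source-to-sink flow.
const BENIGN = `var page = location.pathname;
$('#sticky').html('<b>Menu</b>');
setTimeout(function () { reposition(); }, 250);`;
const TAINTED = `var q = location.hash.slice(1);
document.getElementById('out').innerHTML = q;`;
console.log(scan(BENIGN), taintedSinkLines(BENIGN), scan(TAINTED), taintedSinkLines(TAINTED));
```

The constructed widget scores more sinks than the snippet with the real flow, so counts of this kind are a prompt to read the flagged code, not a verdict on it.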