Code JS Query alert on page: meta-header.php - Undefined property: stdClass::$1
PHP Error was encountered when trying to get property of non-object in www wp content content theme nieuws//…///meta-header.php on website: htxp://nieuws.nl/
echo $row->$id; should be changed to echo $row->id; Info credits: newman
db function should be used to fetch results, Info credits Girish
I use DetectJQuery user script with Tampermonkey inside Google Chrome.
There is where this webpage turned up the code alert ;D
See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http://nieuws.nl/wp-content/themes/nieuws_hoofd/assets/vendor/jquery/dist/jquery.min.js&acceptheader=&useragentheader=
Update: the alert subsided. Might have been just silenced: http://php.net/manual/en/language.operators.errorcontrol.php
polonus
My Tampermonkey detectJQuery script alerted me to JQuery version 1.7.2 used on a website
and so I could conclude this version is vulnerable to Selector XSS with class Attribute (‘. XSS_VECTOR’)
cross site scripting attacks, read:
http://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
Nice introduction to the theme and description from Mike Shema here:
http://deadliestwebattacks.com/tag/jquery/
polonus
On this site I detect jQuery 1.8.2 vulnerabilities → http://webwereld.nl/
and found it vulnerable to malicious javascript code injections, read: http://stackoverflow.com/questions/11169894/can-malicious-javascript-code-be-injected-trough
info credits go to Mahn.
And also found vulnerable here: http://domstorm.skepticfx.com/modules?id=529bbe6e125fac0000000003
polonus
Realizing the jQuery version issues everywhere, I just launched the Online Lint and had some JQuery code from here:
http://www.webpagescreenshot.info/img/5515e61ac6eb29-30626131
JQuery version 1.11.1 and the output of js! Lint Online: http://www.webpagescreenshot.info/img/5515e64d7e4495-32699518 and what should be done to comply with coding standards. → http://javascript.crockford.com/code.html
On that website:
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwhisper.pr&useragent=Fetch+useragent&accept_encoding=
we find JQuery versions 1.11.1 and 1.2.1 and again the JQuery versions are almost never updated and reflect the version of the time of creation.
polonus
Hi Polonus,
Most website owners don’t have a server script to automatically update jQuery and other libraries. Just viewing the source of a random site I use makes use of a jquery-latest.js, which is actually jQuery 1.6.2, not at all the latest.
There is a recorded vulnerability for jQuery 1.6.3 and below here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969 There could be more out there and this does not put the website in a good position, especially if it makes use of potential injection-prone code.
~!Donovan
Hi !Donovan,
I wonder if this vulnerability described in the following link is still open (well it has been patched at long last): http://webcache.googleusercontent.com/search?q=cache:UGkNI5vxC_UJ:sijmen.ruwhof.net/weblog/256-cross-site-scripting-in-millions-of-web-sites+&cd=3&hl=nl&ct=clnk&gl=nl
They finally fixed this in November 2014: http://www.securityweek.com/developers-fix-xss-vulnerability-jquery-validation-plugin-script
Most vulnerabilties for JQuery are of a Cross Site Scripting nature, well lest other security measures has not been brought into place.
In addition, developers usually use jQuery libraries as a plug-and-play product, which doesn't require maintenance apart from library updates.
Because jQuery libraries are minified and infrequently reviewed by those using them, jQuery becomes a good place to hide malicious code. Such malicious code usually attempts to deliver malware to as many users as possible.
Quote from Ben-Hayak.
Just to show how easy this is to inject JQuery onto any webpage that has not got it, use this bookmarklet
javascript:var element1=document.createElement("script");element1.src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js";element1.type="text/javascript";document.getElementsByTagName("head")[0].appendChild(element1);
Inspiration for the bookmarklet from http://ww1.tutkiun.com/2010/07/load-javascript-after-pageload.html
Info credits go to: brandonmartinez. (only use bookmarklet on sites you are authorized to)
polonus