firekeeper warns about gif images used

[vddiabolic]

Hi there,

when I visited the site the mozilla firekeeper plugin warns about hidden javascript in the gif images of the main site:

=== Triggered rule ===
alert (msg:"smuggling Javascript inside an image"; headers_content:"image"; nocase; headers_re:"/^Content-Type.*image/mi"; body_re:"/<script/i";)

=== Request URL ===
http://download.videolan.org/images/panel-blue/tl.gif

=== Response headers ===
Content-Type: image/gif
Etag: "-4592858438067298178"
Accept-Ranges: bytes
Last-Modified: Mon, 21 Aug 2006 22:19:43 GMT
Content-Length: 1509
Date: Tue, 30 Oct 2007 13:02:43 GMT
Server: lighttpd/1.4.13
Connection: Keep-Alive

=== Response body ===
GIF89a.......................................................................................................!.......,...........`%..d.h..l..p,.tm.x..|....pH,....ri"....dJ.Z...v..z...xL.....z.n....|N...x..B..$........................................#...................."..............."...............
.....................!.;<!-- BEGIN text generated by server. PLEASE REMOVE -->.
<script language='JavaScript' type='text/javascript' src='http://tag2.brinkster.com/adx.js'></script>.
<script language='JavaScript' type='text/javascript'>.
<!--.
if (!document.phpAds_used) document.phpAds_used = ',';.
phpAds_random = new String (Math.random()); phpAds_random = phpAds_random.substring(2,11);.
.
document.write ("<" + "script language='JavaScript' type='text/javascript' src='");.
document.write ("http://tag2.brinkster.com/adjs.php?n=" + phpAds_random);.
document.write ("&what=zone:1&block=1&blockcampaign=1");.
document.write ("&exclude=" + document.phpAds_used);.
if (document.referrer).
document.write ("&referer=" + escape(document.referrer));.
document.write ("'><" + "/script>");.
//-->.
</script>.
<noscript><br><br><div id="Brinkster183" style="font-family:Verdana, Arial, Helvetica, sans-serif; color:#666666; font-size:9px">Web Hosting Provided by <a href="http://www.brinkster.com/rd2.aspx?r=116 ... 7605638336" style="color:#000000" target="_blank">Brinkster</a>.</div></noscript>.
<!-- END text generated by server. PLEASE REMOVE -->.
.

Did anyone else recognize this? Is this put in by the web hoster and can be ignored?

Cheers,
vddiabolic

[Jean-Baptiste Kempf]

Euh...

[CloudStalker]

I haven't noticed this myself. Maybe you could try the Firefox plugin:NoScript.

[vddiabolic]

Hi,

I have noscript installed as well, it does not warn about it. However, could someone please do me a favor and download http://download.videolan.org/images/panel-blue/tl.gif to the desktop and browse it with a text editor?
I got this (I tried with IE this time to make sure there is no firefox plugin causing this):

GIF89aÄÛçþýþÿéïúßéýó÷ÿâëüøúÿàëÿîôÿìóÿäìûåìûñöÿÞéÿÜçþÛèÿàêüêñÿæíûãìÿëðúÿÿÿ!ù,Ä`%Žãdžhª®lë¾p,Ïtmßx®ï|ïÿÀ pH,È¤ri"Ž‚dJ­Z¯Ø¬vËíz¿à°xL.›Ïè´zÍn»ßð¸|N¯ÛïxÉBš$‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦„#§­®¯°±²³´µ¶·¸¹º»™"¼ÁÂÃÄÅÆÇÈÉÊ˶"¬ÌÑÒÓÔÕÖ×ØÙÆ
Úßàáâãäåæ·çëìíîïðñÊ!;<!-- BEGIN text generated by server. PLEASE REMOVE -->
<script language='JavaScript' type='text/javascript' src='http://tag2.brinkster.com/adx.js'></script>
<script language='JavaScript' type='text/javascript'>
<!--
if (!document.phpAds_used) document.phpAds_used = ',';
phpAds_random = new String (Math.random()); phpAds_random = phpAds_random.substring(2,11);

document.write ("<" + "script language='JavaScript' type='text/javascript' src='");
document.write ("http://tag2.brinkster.com/adjs.php?n=" + phpAds_random);
document.write ("&what=zone:1&block=1&blockcampaign=1");
document.write ("&exclude=" + document.phpAds_used);
if (document.referrer)
document.write ("&referer=" + escape(document.referrer));
document.write ("'><" + "/script>");
//-->
</script>
<noscript><br><br><div id="Brinkster183" style="font-family:Verdana, Arial, Helvetica, sans-serif; color:#666666; font-size:9px">Web Hosting Provided by <a href="http://www.brinkster.com/rd2.aspx?r=116 ... 7605638336" style="color:#000000" target="_blank">Brinkster</a>.</div></noscript>
<!-- END text generated by server. PLEASE REMOVE -->

Perhaps my computer itself is the problem?

Cheers,
vddiabolic

[joseph5]

Hi,

I have noscript installed as well, it does not warn about it. However, could someone please do me a favor and download http://download.videolan.org/images/panel-blue/tl.gif to the desktop and browse it with a text editor?
I got this (I tried with IE this time to make sure there is no firefox plugin causing this):

Me too.

[Arite]

Interesting, yes it does have some javascript in it after the GIF file data. I quickly resaved it in GIMP (with no comments), and the file is identical up to:

Code: Select all

<!-- BEGIN text generated by server. PLEASE REMOVE --> <script language='JavaScript' type='text/javascript' src='http://tag2.brinkster.com/adx.js'></script> <script language='JavaScript' type='text/javascript'> <!-- if (!document.phpAds_used) document.phpAds_used = ','; phpAds_random = new String (Math.random()); phpAds_random = phpAds_random.substring(2,11); document.write ("<" + "script language='JavaScript' type='text/javascript' src='"); document.write ("http://tag2.brinkster.com/adjs.php?n=" + phpAds_random); document.write ("&what=zone:1&block=1&blockcampaign=1"); document.write ("&exclude=" + document.phpAds_used); if (document.referrer) document.write ("&referer=" + escape(document.referrer)); document.write ("'><" + "/script>"); //-->

Where the file ends. Not sure why there is javascript there? I created an animation (two frame loop) and it was also the same, except rather than the javascript at the end, there was the details for the animation section.

Presumably it was an automatically generated *.gif, and it added the javascript at the end of the file aferwards for some reason.

Arite.