Beware Of The "onerror" Attribute On IMG HTML Tags

By Garrett Blanton posted on Thursday, March 19, 2009 @ 11:14 AM - (Web Technology)

Yesterday, we stumbled on to a link posted on the JVF Blog taking us out to a seemingly innocuous link found on my.nbc.com. What was odd was that when you clicked on the link, it would take you out to my.nbc.com, but after a few moments it would redirect you out to a site selling adult videos.


We scoured the source on my.nbc.com and found that there were no apparent "script" tags or "META" tags present to force the delayed redirect. However, after doing a little more digging we found the following tag smack dab in the middle of the page:


As always, something that was added to help aid a web master in alerting themselves or others of an error and gracefully exiting has been exploited. At least it keeps all of us on our toes!

Please beware of folks attempting to hijack your sites with leaving Blog comments, profile updates, etc with this method. If there is any way for you to have more control over your site to "strip tags" on all comments, I'd do so just to make sure you're safe.

Good luck!

Comments (2)

By Hire web designer posted on Tuesday, March 24, 2009 @ 11:55 PM

thanks for sharing such useful information.. that's very risky and we have to beware for this kind of activity. I am using Akimest tool for comment moderation so anybody can try to leave this kind of spamy comment it'll go in to spam comments..

By web design India posted on Tuesday, September 1, 2009 @ 10:30 PM

Jason,
now a days people using various methods to fishing the information and to sell their product by keeping gun on others shoulder.

i have also found various miscellaneous script in my blog previously and i have also got warning message from search engine. Here are few steps i have followed to improve the security of the website:
- Change password immediately
- Contact web hosting service provider and discuss the scene
- Ignore storing password of ftp software (i found some spyware who automatically connect through your ftp software and insert injection into code)
- scan whole system for such spyware and removed it
- check for possible sql injection vulnerability

i am sure this will help you to improve your website security

Name:
Email:
Website:
Comment:
Verification:
	(Please type what see you see above.)