Ligatt Site Still Vulnerable to Basic Code Injections

Thursday, October 07, 2010

K S Abhiraj


It came as an utter surprise to me to see that LIGATT Security International's site still suffers from one of the most basic web flaws, one that lets anyone embed arbitrary objects into their portal.

It does not look 'that good' for a security firm to still be exhibiting such a basic flaw in its own web site.

The Flaw: 'iFrame injection'

An iframe injection is the insertion of one or more iframe tags into a page's content.

The injected iframe can be used for many malicious purposes, such as downloading an executable containing malware that directly compromises a visitor's system.

It's one of the more popular methods of loading malware onto users' PCs without them knowingly visiting a compromised website.

An IFrame (short for "inline frame") is simply a way of loading one web page inside another, commonly from a different server. This is useful for building online applications, but malware writers can make the included page just one pixel square, so you cannot even see that it is there, and obfuscate the JavaScript that runs automatically so that it looks something like %6D%20%6C%72%61%6D%65%62%6F, leaving no obvious clue that it is malicious.

How worms inject hidden iframes into files:

  • Servers getting compromised: This is one of the most common ways. Another website hosted on the same web server as yours may be compromised (or the vulnerability may be in your own web application), leading to the compromise of the server itself. Once the server is compromised, the worm automatically spreads to the other websites on it.
  • Compromise through a client-side FTP infection: The worm may be residing on any of the client computers used to access the FTP or control-panel accounts of your hosting server. When you type in the credentials for the control panel, the worm silently reads them, logs in to the portal and starts infecting the files found on the server. It adds the following code to all the index.* files.

To the html pages the following piece of code gets added:

To the PHP pages it adds:

Detecting iFrame Injections

To detect iframe injections, look through the HTML that your web server is actually sending: open a page in your browser and look for iframe tags in its source.

Injections usually insert iframes that point to raw IP addresses (something like “″) instead of domain names. Treat these as suspicious.

Once you've found an iframe and determined that it is not legitimate, you have to remove it from the page or database it is coming from. On a WordPress blog you simply edit the page in question, look for the "<iframe>" tag and remove it.
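As an added example (not code from the original post or from LIGATT), the following Python script applies the detection hints above to a page's HTML: it collects every iframe and flags those whose src is a raw IP address, whose frame is one pixel or CSS-hidden, or whose src carries a long run of percent-encoded characters like the obfuscated sample above. The sample page, the IP 203.0.113.7 (a documentation address) and the thresholds are constructed assumptions.

```python
"""Flag <iframe> tags showing the indicators this post describes. Added example."""
import re
from html.parser import HTMLParser

RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)")
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){6,}")  # e.g. %6D%20%6C%72%61%6D

class IframeCollector(HTMLParser):
    """Record the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """True for frames sized 0/1 px or hidden via inline CSS."""
    dims = (attrs.get("width", ""), attrs.get("height", ""))
    tiny = any(re.fullmatch(r"\s*[01](px)?\s*", d) for d in dims)
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_suspicious_iframes(html):
    """Return [(src, [reasons])] for each iframe matching an indicator."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if RAW_IP_URL.match(src):
            reasons.append("raw IP address in src")
        if is_hidden(attrs):
            reasons.append("hidden or one-pixel frame")
        if PCT_RUN.search(src):
            reasons.append("percent-encoded src")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample page: one legitimate embed and one injected frame.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/in.php" width="1" height="1" style="display: none"></iframe>
</body></html>"""
if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

Run it against the saved source of a page (or feed it the HTML fetched from your own server) and review each flagged frame by hand before removing it; a legitimate embed can also live on a bare IP.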

I hope that LIGATT rectifies these kinds of basic flaws in its portal and so upholds its reputation.

Cross-posted from Sectruni0

Adrian Ro: Good find Mr K.S.Abhiraj. Saw your original post. It's actually really operose to collar such flaws, especially in these kinds of reputed security service providing companies.

Believing Gregory's team covers these loopholes as soon as possible, thus avoiding further risks.

K S Abhiraj: Thanks Adrian!
As soon as I caught sight of this, I had sent alert mails to their team and it was rectified within 2 hrs.

Actually it didn't come as a surprise, as it's commonly seen that many portals which revolve around the niche of providing security services lack security somewhere or the other; not all though!