Security Basics mailing list archives

RE: Part of the web page being MODIFIED !


From: Chris Santerre <csanterre () MerchantsOverseas com>
Date: Wed, 27 Nov 2002 14:52:27 -0500

Out of curiosity, this pic wouldn't happen to be on a page that is a forum
would it? If so, check to see if you allow scripts in HTML posts. If so, it
would be easy for a user to post a message that would change the pic. 

-----Original Message-----
From: Bryan Wagstaff [mailto:bryanw () xmission com]
Sent: Tuesday, November 26, 2002 1:24 PM
To: Frank Cheong
Cc: security-basics () securityfocus com
Subject: Re: Part of the web page being MODIFIED !


Quoting Frank Cheong <chocobofrank () hotmail com>:

> I received complaints that one of the images on my web site has been
> modified by a PORN picture! While the image has resumed normal during
> the second visit.

You say you have had complaints, but don't state if you have seen it or 
not.  Can YOU repeat the problem?

> Therefore, the image hasn't been modified. So I do want to know what are
> the possibilities in doing this?
> (Like HTTP session hijack, proxy poisoning, someone doing man in the
> middle etc.) Any other ways to do that?

There are many ways of that sort of thing happening, but you need to do 
more research to find it.

If this is something you can verify and repeat, I would first check your 
local machine.

Has the machine been compromised?  If no, are you sure?

If using unmodified versions of the http server, do the checksums match 
those of the source? (assuming you are using Apache or some other Free/Open 
server)  When posting back to the group, please include the versions of the 
software you are using.

Does the problem appear on another similarly configured machine?

> As these activities mostly happens outside my server boundary, I assume I
> can't do anything with it, how about any outside parties?

You say 'mostly happens outside my server boundary'.  Please be more 
specific.  

Do those outside your network ALWAYS see the corrupted pages then the 
proper image?  Does everyone inside your network see the corrupted pages?  
If only some machines inside your 'server boundary' see the corrupted 
pages, are those machines within a NAT device?  For example, are machines 
within a 192.168.1.* seeing the corrupted pages while 192.168.0.* are 
seeing the original?  

> As I know going for SSL may be one of the alternatives to stop this but
> this will add on extra processing on my website and it will make it slow.
> So I don't want to go for it, any other way to secure against this?

You need to know where the problem is before you can fix it.  Right now I 
would say you have some script kiddie playing with the site, but I wouldn't 
remove other possibilities without more research.

If you have a corrupted web server, moving to SSL would not solve the 
problem, it would actually make it appear that you are intentionally 
sending the images.  

For the man-in-the-middle attack, you could test that out by changes to 
your network or Internet connections.  If you are a small business, your 
ISP would probably help.

If someone were performing a targeted man-in-the-middle attack, you need to 
have a trusted root CA give you a cert.  (If you have a self-signed or 
unsigned cert, then they could easily forge one.)  If you don't already 
have one, those can take a little work and money to get.

Best of luck!

bryanw () xmission com
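
An added example, not part of either message above: one way to turn the reply's questions (is the file on the server intact, and which clients or subnets see the wrong image) into a repeatable check. It assumes you hold a known-good copy of the image from a trusted backup and have collected the bytes each client actually received; the function name, finding labels and sample data are constructed for illustration.

```python
import hashlib
import ipaddress


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(known_good: bytes, on_disk: bytes, served: dict) -> dict:
    """Compare what each client received against a known-good copy.

    served maps a client IP (str) to the image bytes that client was sent.
    """
    good = digest(known_good)
    bad_ips = sorted(ip for ip, body in served.items() if digest(body) != good)
    # Group affected clients by /24, mirroring the 192.168.0.* vs 192.168.1.* question.
    nets = sorted({str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in bad_ips})
    if digest(on_disk) != good:
        finding = "server_file_modified"   # start with the server itself
    elif not bad_ips:
        finding = "not_reproduced"         # nobody sampled saw a different image
    elif len(bad_ips) == len(served):
        finding = "all_clients_differ"     # file intact, yet every client gets other bytes
    else:
        finding = "some_clients_differ"    # look at what sits between those clients and the server
    return {"finding": finding, "affected_ips": bad_ips, "affected_networks": nets}


# Constructed sample data: two subnets, only one of which receives the wrong bytes.
ORIGINAL = b"GIF89a constructed original image bytes"
REPLACED = b"GIF89a constructed replacement image bytes"
SAMPLE = {
    "192.168.0.10": ORIGINAL,
    "192.168.0.11": ORIGINAL,
    "192.168.1.20": REPLACED,
    "192.168.1.21": REPLACED,
}

if __name__ == "__main__":
    print(triage(ORIGINAL, ORIGINAL, SAMPLE))
```

Repeating the run over several visits matters here, since the original report says the image was back to normal on the second visit.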