More About IFrame Injections
My post on iframe injections generated a few questions which I thought require more public answers.
First, a brief commercial message: check out my new Toolinator Article Gatherer software, which lets you quickly find and format relevant articles from EzineArticles and Article Dashboard. On sale now at an introductory price. See these lovely testimonials for more information.
Now onto the questions…
Q: Aside from looking for a numeric IP address, how do I tell if an iFrame is good or evil? Does WordPress use them or should I just assume that an iFrame is evil if it isn’t from Google?
WordPress doesn’t use iframes, although it’s not inconceivable that a WordPress theme would use an iframe itself. An injection, however, is most likely to occur in the content of a post or page, not in the template that is part of the theme. So any iframes embedded in the middle of a post, for example, are suspicious.
While AdSense uses iframes, you won’t see an iframe directly in your content. That’s because the iframe gets inserted on the fly (when the visitor’s browser runs the JavaScript) into the body. The iframes you’re worried about are the ones that show up in the content directly.
Any unknown iframe should be looked at closely. If you’re using a different advertising program, it may well be that they are using iframes as well. It should be obvious, though, because the iframe should point back to a domain that you recognize. If you don’t recognize the domain, or it’s a numeric IP address, treat it as suspicious.
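As an added example (not code from the original post), here is a small Python script that applies the rules above to the HTML of a post: it pulls out every iframe's src and flags the ones whose host is a numeric IP address or a domain you don't recognise. The allowlist of known domains, the sample post HTML and the 192.0.2.10 address are all constructed for the example; in practice you would feed it the post_content of each row from the WordPress posts table.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains you expect to see iframes from (your own site, your ad provider).
KNOWN_DOMAINS = {"example.com", "googlesyndication.com"}

# Constructed sample post: one legitimate ad iframe, two that were not put there by the author.
SAMPLE_POST = """<p>First paragraph of the post.</p>
<iframe src="https://pagead2.googlesyndication.com/ads?client=ca-pub-0" width="300" height="250"></iframe>
<p>More text.</p>
<iframe src="http://192.0.2.10/in.php" width="1" height="1"></iframe>
<iframe src="http://unknown-site.invalid/frame.html"></iframe>"""


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> tag in a chunk of post HTML."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def is_suspicious(src):
    """Return (flag, reason) using the post's rules: numeric IP host or unrecognised domain."""
    # Treat a bare "host/path" src like a scheme-relative URL so urlparse finds the host.
    host = urlparse(src if "//" in src else "//" + src).hostname
    if not host:
        return True, "no host in src"
    try:
        ipaddress.ip_address(host)
        return True, "numeric IP address host"
    except ValueError:
        pass  # not an IP literal, so check the domain against the allowlist
    labels = host.lower().split(".")
    # Accept the host if it, or any parent domain of it, is on the allowlist.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in KNOWN_DOMAINS:
            return False, "known domain"
    return True, "unrecognised domain"


def audit_post(html):
    """List every iframe src in the post with its verdict, e.g. for a nightly scan of all posts."""
    collector = IframeCollector()
    collector.feed(html)
    return [(src, *is_suspicious(src)) for src in collector.srcs]
```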
Q: Also, don’t WordPress databases (MySQL) have a password that would prevent someone from adding bad data to it?
Yes, that database is password-protected, but that’s not the problem. SQL injections occur when programmers write PHP code (or Perl or whatever) that doesn’t take the correct steps to “sanitize” input data, or otherwise leaves various security holes open. Hackers discover these holes and use them to muck around with the database… they don’t need to know the login information.
Q: Finally, do iFrames work on all browsers? I thought they only worked with Internet Explorer?
Yes, iframes work on all modern browsers. What you might be thinking of is the iframe problem with ad tracking scripts. It used to be that ad tracking scripts would only work correctly (completely) with Internet Explorer, but that changed with Internet Explorer 7, which is more secure. Ad tracking scripts would basically attach “event handlers” to any AdSense iframes they saw (the ad tracker is a bit of JavaScript code you paste at the end of your HTML page; it runs after the AdSense code on the page has run and created the iframes for the ad units), and using those event handlers they were able to “see” which specific ads users clicked on. The very latest browsers don’t let the ad trackers see any details of the content within an iframe, so now all an ad tracker can tell is whether the iframe has been clicked on or not, which is nowhere near the detail they had before.
The point is, though, that iframes work pretty much everywhere. See Inline Frame for more.
BTW, anyone who buys my article grabbing software gets $30 off the Gold edition of PLRSiteBuilder. Pretty good deal!
Comments
One Response to “More About IFrame Injections”
Eric,
THANK YOU for the additional security info.
But, one more thing…
How do you prevent it from happening in the first place?
Do you just validate your incoming (form?) data by (1) parsing strings for evil commands and (2) checking to make sure that data comes from your site and not a fake page set up by a hacker? (There must be a PHP environment variable that can tell you what page a form’s data was submitted from, right?)
Or are hackers somehow just exploiting WordPress security holes?
Regards,
Johnny