
Flying pictures

Posted: Fri Nov 03, 2006 9:26 pm
by Venatir
go to viewtopic.php?t=17
and copy
javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i<DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5;DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++} setInterval('A()',5); void( 0 )
then paste in the url

If you paste it more than once, it'll speed up.

Posted: Fri Nov 03, 2006 11:26 pm
by Francesco
Well, that's really cool... nice point!

Posted: Sat Nov 04, 2006 9:52 am
by Zomis
LOL, I must say! I didn't know that it was possible to execute javascripts that way on pages :shock: That sounds like it could be a security hack possibility on some pages...

Posted: Sat Nov 04, 2006 10:50 am
by Holger
Funny! :-D

Posted: Mon Nov 06, 2006 6:41 pm
by Tomi
Nicely done script. BTW, setInterval(A,5) works as well. http://developer.mozilla.org/en/docs/DO ... etInterval

Zomis: yes, JavaScript can be executed that way. Even more cool is that "javascript:" URLs can even be bookmarked to make "bookmarklets" which can be executed on pages to do some coolness. (For example, if you bookmark the script above, you can then execute it on any page.) The "Greasemonkey" Firefox extension elevates this concept even further.

And no, this is not a security hole, because the user has to type the URL in (or click on the link) anyway. However, lately there's another, related type of attack: XSS (Cross-site scripting). If phpBB had a security hole, I could insert a "script" tag inside this post, which would run the script inside it every time the post is shown. The script could consist of these steps: 1. open profile of currently logged-in user in background. 2. get his password, change his password, steal some data, make fake posts, etc. (whatever I wish). 3. send information (e.g. passwords) to intruder's server. 4. make more (fake) posts that contain the script so it spreads further.

Posted: Mon Nov 06, 2006 11:40 pm
by Daniel H.
@Tomi: How would you get or change a person's password? The user would have to type it in.

(Shouldn't this topic be in the "Off Topic" section?)

Posted: Tue Nov 07, 2006 3:44 pm
by Venatir
It wasn't me who made the script.

Where I found the script

Posted: Tue Nov 07, 2006 11:17 pm
by RAP
I tried but the pictures are not flying, suggestions? :?

Posted: Wed Nov 08, 2006 1:32 am
by Daniel H.
Well, does your web browser support JavaScript?

Posted: Wed Nov 08, 2006 5:21 pm
by Tomi
Daniel: you're right, getting one's password isn't very likely. (Only if the software had a button with something like "I forgot my password, but fortunately I'm logged in, please tell me what is my password".:) But the script could read the user's session ID from a cookie in the user's browser and notify the script author, giving him access to a session where the user is logged in, and then he could by direct access get any data he needs.

But I'm getting off topic now, so for this discussion to continue, it should be split into another thread, or continue only via PM. (The first variant is preferable, because that way other people can read it too.)
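
Added example, not part of the thread or of phpBB's code: the two defences that address the scenario Tomi describes (a script tag stored in a post, and a session ID read from a cookie), sketched in JavaScript. The function names, the cookie name `sid` and the sample post are constructed for illustration.

```javascript
// Added example: all names and sample data below are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: post text is concatenated into markup unchanged,
// so a script element in the post becomes part of the page.
function renderPostUnsafe(author, body) {
  return '<div class="post"><b>' + author + '</b><p>' + body + '</p></div>';
}

// Hardened: author and body are both treated as untrusted text.
function renderPostSafe(author, body) {
  return '<div class="post"><b>' + escapeHtml(author) + '</b><p>' +
    escapeHtml(body) + '</p></div>';
}

// Session cookie that page scripts cannot read (HttpOnly), that is only
// sent over HTTPS (Secure) and not on most cross-site requests (SameSite).
function sessionCookieHeader(name, value) {
  return name + '=' + encodeURIComponent(value) +
    '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Report which protective attributes a Set-Cookie value is missing.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.some((a) => a.startsWith('samesite='))) missing.push('SameSite');
  return missing;
}

// Constructed sample post carrying an inert marker script.
const samplePost = 'Nice pictures <script>marker()</script>';
console.log(renderPostUnsafe('guest', samplePost)); // script element survives
console.log(renderPostSafe('guest', samplePost));   // shown as literal text
console.log(missingCookieFlags('sid=abc123; Path=/'));
console.log(missingCookieFlags(sessionCookieHeader('sid', 'abc123')));
```

Escaping stops the stored script from running at all; `HttpOnly` limits the damage if an injection is missed, because `document.cookie` no longer exposes the session ID.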

Posted: Thu Nov 09, 2006 4:34 am
by RAP
Daniel H. wrote: Well, does your web browser support JavaScript?
No, but what's that and is it a program? :?

Posted: Thu Nov 09, 2006 7:23 am
by Jannik
I couldn't get javascript-URLs to work in Internet Explorer (although Scripting was enabled), even something simple like javascript:alert('hi'); didn't work.
In Mozilla Firefox it works.

Posted: Thu Nov 09, 2006 9:48 pm
by Daniel H.
I wrote: Well, does your web browser support JavaScript?
Ryan P. wrote: No, but what's that and is it a program? :?
It's a part of most web browsers today that allows Java-style code to be executed client-side on websites.

What web browser do you use?

Posted: Thu Nov 09, 2006 11:12 pm
by RAP
Daniel H. wrote: What web browser do you use?
On my Dad's computer: Mozilla Firefox (now uninstalled for some reason)
and my computer is Internet Explorer 7! :D

Posted: Fri Nov 10, 2006 2:11 am
by Daniel H.
Well, those browsers definitely should support JavaScript. Maybe it is turned off?

:?

I don't know what else I can say.