Chrome and Firefox warning

mgloban · February 9, 2018, 11:28am

Dear Sirs,
I use OCS ver. 2.3.6. and recently I get the following warning: “Google Safe Browsing recently detected malware on ahat.rgn.hr” If you select INSPECT on the page, you’ll see 3 such warnings;
jsapi: 22 A parser-blocking, cross site (ie different eTLD + 1 script), https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js, is invoked via document. write. The network request for this script may be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See Intervention: Blocking the load of cross-origin, parser-blocking scripts inserted via document.write for users on 2G - Chrome Platform Status for more details.

How could it be corrected?

Best regards,
Mladen

asmecher · February 9, 2018, 4:02pm

Hi @mgloban,

Is your files_dir inside your web root? If so, that’s a security risk that can lead to your site being compromised.

I would suggest using a standard tool like diff to compare your source code to the stock source code, in order to see whether your OCS code has been modified. Cleaning up a compromised website is somewhat beyond the scope of this forum – you may also be able to find some helpful material e.g. on Stackoverflow.com. The process for cleaning up a potentially compromised OCS website is similar to other apps like Wordpress.

Regards,
Alec Smecher
Public Knowledge Project Team

vvucic · February 9, 2018, 9:21pm

Maybe you should firstly check is your site clean with some of online malware checkers.
I usually use this free on line malware checker
http://scanner.pcrisk.com/
In addition, there are several threads on this forum regarding permissions, security etc. so you can find a lot of information related to that topic.

mgloban · February 10, 2018, 3:51pm

Hi Alen, Hi Vedran
My files_dir is a sim link to upload → / var / rgnkonfstaff. I checked if there was a vulnerability with http://stackoverflow.com/ and nothing was found to be suspect.
I think you should still look for “parser-blocking scripts inserted through document.write for users on 2G” under the article at Intervention: Blocking the load of cross-origin, parser-blocking scripts inserted via document.write for users on 2G - Chrome Platform Status The problem is that I can not find a script that creates problems which is listed as https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js.
I also checked this web site with http://scanner.pcrisk.com/, suggested by @vvucic, but I did not receive any warning. Scaner has found 164 External links, all are correct. 36 Clean files were found. Site is not Blacklisted.
Looks like a document.write solution needs to be found, but I do not know how. Is there any idea what to do?

Best regards,
Mladen

asmecher · February 10, 2018, 7:43pm

Hi @mgloban,

A symlink from where?

We do use standard techniques to prevent the injection of harmful Javascript. This makes the approach you linked unnecessary. However, if someone modifies the code on the site via another method of compromise, approaches like that are circumvented.

Regards,
Alec Smecher
Public Knowledge Project Team