Embarrassed that their code works in IE.



  • This is from the JavaScript of some forum software.  Try as I might, I can't think of a reason for this bit of code:

    this.handler = eval("new A" + "ctiv" + "eX" + "Ob" + "ject('Micr" + "osoft.XM" + "LHTTP');");



  • [quote user="Cap'n Steve"]This is from the JavaScript of some forum software.  Try as I might, I can't think of a reason for this bit of code:

    this.handler = eval("new A" + "ctiv" + "eX" + "Ob" + "ject('Micr" + "osoft.XM" + "LHTTP');");
    [/quote]


    To prevent automatic filters from noticing that the code will only work on Windows, even if you tell the browser to pretend it's IE? (Although why that would be a good thing I don't know. Presumably you want people to be able to tell in advance if the page isn't going to work in their browser, before they start spending a lot of time on filling in forms and so forth...)



  • Seems like suspicious behaviour to me. Doing it like that in the hope of getting around filters or suchlike that are looking for ActiveX controls for security reasons. I wouldn't touch it with a 10 foot punt pole. The ActiveX object in question is probably malware of some sort.



  • The ActiveX object Microsoft.XMLHTTP is actually a pretty standard way of connecting back to the server from JScript/ASP/whatever... I know because I'm struggling to reproduce its functionality on a WinCE platform that doesn't seem to have it.

     

    Now, the script which calls it could certainly be using its powers for evil.

     



  • Likely, it's to get around client-side filters.

     

    Not that this is necessarily for evil.  A few months ago we had a client of ours who was wondering why our site wasn't working for them.  We asked if they were using any sort of firewall, etc, and they said no; turns out, unsurprisingly, that they were.  Their particular firewall of choice had blocked the download of a JavaScript file of ours named popup.js.  Changing the name of the file (but none of its contents) worked just fine.

      



  • That would make some sense.  I'm hoping these filters look for ActiveX in general and not AJAX.



  • I did something like this to get around filters at Xanga.com. They allow JavaScript, but try to limit what it can do. Obviously they fail miserably.
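
For anyone maintaining the kind of filter discussed in this thread, the following is an added example (not part of the original posts or of the forum software): it folds adjacent string-literal concatenations and compares what a keyword match sees before and after. The watchlist, function names and the second sample are assumptions; the first sample is the line quoted at the top of the thread.

```javascript
// Added example: what a keyword filter sees before and after constant-folding
// string-literal concatenations. WATCHLIST and all names here are assumptions.
const WATCHLIST = ["ActiveXObject", "Microsoft.XMLHTTP"];

// One fold step: "a" + "b" -> "ab" (same quote style on both sides only).
const CONCAT = /(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\+\s*\1((?:\\.|(?!\1)[^\\])*)\1/;

function foldStringConcats(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(CONCAT, "$1$2$3$1"); // merge the leftmost pair
  } while (src !== prev);                  // repeat until nothing folds
  return src;
}

function scan(src) {
  const folded = foldStringConcats(src);
  // Terms a plain substring filter would already catch in the raw text.
  const visible = WATCHLIST.filter((t) => src.includes(t));
  // Terms that only appear once the literals are joined.
  const hidden = WATCHLIST.filter((t) => !src.includes(t) && folded.includes(t));
  // eval() fed a concatenation of literals is itself a signal worth logging.
  const evalOfConcat = /\beval\s*\(\s*(["'])(?:\\.|(?!\1)[^\\])*\1\s*\+/.test(src);
  return { folded, visible, hidden, evalOfConcat };
}

// Sample 1 is the line quoted in the thread; sample 2 is a constructed plain form.
const OBFUSCATED = `this.handler = eval("new A" + "ctiv" + "eX" + "Ob" + "ject('Micr" + "osoft.XM" + "LHTTP');");`;
const PLAIN = "this.handler = new ActiveXObject('Microsoft.XMLHTTP');";

for (const sample of [OBFUSCATED, PLAIN]) {
  const r = scan(sample);
  console.log({ visible: r.visible, hidden: r.hidden, evalOfConcat: r.evalOfConcat });
}
```

The folding is regex-based and only joins literals with matching quote styles, so it is a triage heuristic rather than a JavaScript parser.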

