Whois Injection

We just became aware of something I will call Whois Injection through a weblog post by the F-Secure Anti Virus Research Team: an online whois client that pastes the raw registry reply into its HTML page without escaping it will hand any script tags a domain owner plants in their contact records to the browser of whoever looks up that domain, where they run as ordinary JavaScript. Of course we fixed this potentially harmful vulnerability in our online whois client yourwhois.de immediately.

In related news, we added support for eu-whois earlier this month.

Shameless plug: If this post was useful to you, please consider buying yourself something from one of my Amazon stores: US store, UK store, FR store, DE store, CA store. If you're not into Amazon, why not donate something to GNOME, Mozilla or Wikipedia? Thank you!

2 Responses to “Whois Injection”

  1. Timo says:

    I don’t quite understand that “injection”. By requesting the whois data of those sites, a window is opened by javascript automatically? But a whois request doesn’t contact the requested site itself, only the owner’s data on the registry company, does it? And those data are in plain text, how can they contain active scripting?

  2. Patrick says:

    Most online whois services embed the whois output directly into the HTML of the site without any preprocessing. So did yourwhois.de. If the whois output (e.g. the owner contact) contains HTML script tags with JavaScript instructions, the browser of the user that uses the online whois service treats those tags as regular JavaScript and executes the instructions. That’s the injection part.

    In the case F-Secure mentioned, this is only used to earn money via advertising, but you could use this method for more malicious purposes as well, I guess.

    :-) Patrick
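The mechanism Patrick describes, as an added example that is not code from yourwhois.de, F-Secure or the original post: a whois reply with a script tag in the registrant field, the unsafe rendering that turns it into cross-site scripting, and the HTML escaping that closes the hole. The whois record is constructed for the example (no network lookup is made), and the function names are the example's own. Runs under Node.js.

```javascript
// Constructed whois reply, as a registry might return it over port 43.
// The registrant name carries the payload; the organization line shows that
// ordinary data ("&", "<email>") also needs escaping, not just the attack.
const CONSTRUCTED_WHOIS = [
  'Domain Name: example.test',
  'Registrant Name: <script>window.open("http://ads.example/")</script>',
  'Registrant Organization: Example & Co <legal@example.test>',
  'Name Server: ns1.example.test',
].join('\r\n');

// Vulnerable rendering: the raw registry reply is placed in the page as markup,
// so the browser parses the registrant's <script> as part of the page.
function renderWhoisUnsafe(whoisText) {
  return `<h1>Whois result</h1>\n<pre>${whoisText}</pre>`;
}

// Escape the characters that carry meaning in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same page, but the reply is treated as text, not markup.
// Escaping "<" also stops a reply from closing the <pre> early with "</pre>".
function renderWhoisSafe(whoisText) {
  return `<h1>Whois result</h1>\n<pre>${escapeHtml(whoisText)}</pre>`;
}

// Check used to demonstrate the difference: does any tag survive inside the
// <pre> block that is supposed to hold nothing but registry data?
function containsTag(html) {
  const start = html.indexOf('<pre>') + '<pre>'.length;
  const end = html.lastIndexOf('</pre>');
  const body = html.slice(start, end);
  return /<[a-z!\/]/i.test(body);
}

console.log('--- unsafe ---\n' + renderWhoisUnsafe(CONSTRUCTED_WHOIS));
console.log('tag survives:', containsTag(renderWhoisUnsafe(CONSTRUCTED_WHOIS)));
console.log('--- safe ---\n' + renderWhoisSafe(CONSTRUCTED_WHOIS));
console.log('tag survives:', containsTag(renderWhoisSafe(CONSTRUCTED_WHOIS)));
```

The only change between the two renderers is the escaping step; the lookup itself is untouched, which is why Timo's intuition (whois returns plain text from the registry) is right and the bug is still real. The plain text is trusted as markup by the web front end, not by the whois protocol.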
