Ghostwriting

George Hester

I had a Windows 2000 Server that was serving ASPs. One time on my logon
page I noticed my JavaScripting was messed up. There were unnatural
characters in it. One moment the page was without errors, the next it was
erroring. As I was inspecting the page to figure out what was wrong I noticed the
<SCRIPT type="text/javascript" had some strange stuff in it. Anyway I
corrected it, thought for a bit about what might have happened and just
chalked it up to FrontPage 2003 and its tendency to mess with pages. Now I
know some may disagree with this but a very simple test you can try to show
that it does just that is try to change the title attribute for the
FrontPage Hit counter. You can do it outside of the editor but as soon as
you open the page where the counter exists in FrontPage the title attribute
will change back to "Hit Counter." So it's not too hard to verify that
FrontPage CAN and DOES do this.

Now after I changed to Windows 2000 Professional to serve ASP, I noticed
another one of my pages throwing an error. A long time since the issue
above occurred. The page ASP was fine and then it wasn't. So I went
through the page trying to zero in on what was the problem. Again it turned
out some JavaScript was messed up. But this time I did not correct it. I
have left it so you can see what "something" did and again I suspect
FrontPage.

Here is what happened:

<script language="javascript" type="text/javascript">
<!-- Begin
function fnTrackMouse(){
if (!event)
event = window.event;
if (ie5 || ns6){
oNotice.innerText='Coords: ('+10*((event.clientX+docRef.scrollLeft)/10)+', '+10*((event.clientY+docRef.scrollTop)/10)+')';
document.all.floattrack.style.visibility = 'visible';
}
}
// End -->
</script>

I have this in a page and you can assume all this works. All it does is add
text to a floating div which is just the cursor position of the mouse as it
moves about the page. But now I would like you to look at what happened
through nothing done on my part. In fact I don't know what it is:

<script language="javascript" type="text/javascript">
<!-- Begin
function fnTrackMouse(){
if (!event)
event = window.event;
if (docRef)
oNotice.innerText="Coords: ("+10*((event.clientX+docRef.scrollLeft)/10)+", "+10*((event.clientY+docRef.scrollTop)/10)+ ")";
document.all.floattrack.style.visibility = "visible";
}
// End -->
</script>

Looks almost exactly the same doesn't it? But it is NOT and in fact the
change leads to an error in the browser. No it is not the use of " in the
second instead of ' as in the first. Something else. Look at the end of
the oNotice.innerText statement. Almost at the very end. You will see what
looks like spaces here: /10)+ ")";

What I just wrote is as different as night is from day from what really
appears there, looking at the ASP in Notepad. What really appears there as
shown in Notepad will not copy here. But what is actually there are two
characters áá. So in fact what we are left with is an invalid JavaScript
statement. So this is what it looks like:

oNotice.innerText="Coords: ("+10*((event.clientX+docRef.scrollLeft)/10)+", "+10*((event.clientY+docRef.scrollTop)/10)+áá")";

in Notepad.

So do you really think a hacker has nothing better to do than this? Or that
I just woke up one day and said, "Hey I think I'll screw up my JavaScripting
and throw this áá in somewhere nice?"

No. Either FrontPage does this or maybe IIS 5.0. I don't know. But I do
know it happens. FrontPage does do stuff like this (like the Hit Counter
issue above) and since it does I am suspicious.

There are actually more issues with the second rendition above but it is not
important to list them all nor can I really identify them. I just know if I
retype everything after:

10*((event.clientY+docRef.scrollTop)/10)+ ")";

Then the page is fixed. Just retype it exactly as you see it above except
for the spaces (áá).
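
A scanner for the kind of damage described in the post above, as an added example that is not part of the original thread: it walks each <script> block, flags every character outside printable ASCII, and reports whether it sits in code, a string or a comment. The sample page is constructed from the posted function with the two á characters (U+00E1) put back in; scanScript and findStrayCharacters are names chosen for this example.

```javascript
// Added example (not from the thread): find characters outside printable
// ASCII inside <script> blocks and report where each one sits.
// Simplification: regex literals and template strings are not tracked.

function scanScript(js, startLine, startCol) {
  const findings = [];
  let state = 'code'; // 'code' | 'string' | 'lineComment' | 'blockComment'
  let quote = '';
  let line = startLine;
  let col = startCol;
  for (let i = 0; i < js.length; i++) {
    const ch = js[i];
    if (ch === '\n') {
      line++;
      col = 0;
      // Line comments and unterminated strings end at the newline.
      if (state !== 'blockComment') state = 'code';
      continue;
    }
    col++;
    const cp = js.codePointAt(i);
    const printable = (cp >= 0x20 && cp <= 0x7e) || ch === '\t' || ch === '\r';
    if (!printable) {
      findings.push({
        line,
        col,
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
        context: state,
      });
      if (cp > 0xffff) i++; // skip the low surrogate of an astral character
      continue;
    }
    if (state === 'string') {
      if (ch === '\\') {
        i++; // skip the escaped character
        if (js[i] === '\n') { line++; col = 0; } else col++;
      } else if (ch === quote) {
        state = 'code';
      }
    } else if (state === 'blockComment') {
      if (js.startsWith('*/', i)) { state = 'code'; i++; col++; }
    } else if (state === 'code') {
      if (ch === '"' || ch === "'") {
        state = 'string';
        quote = ch;
      } else if (js.startsWith('//', i) || js.startsWith('<!--', i)) {
        state = 'lineComment'; // "<!--" hides the rest of the line in classic scripts
      } else if (js.startsWith('/*', i)) {
        state = 'blockComment';
        i++;
        col++;
      }
    }
  }
  return findings;
}

function findStrayCharacters(html) {
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    // Translate the block's position into 1-based line/column of the whole file.
    const bodyOffset = m.index + m[0].indexOf('>') + 1;
    const startLine = html.slice(0, bodyOffset).split('\n').length;
    const startCol = bodyOffset - (html.lastIndexOf('\n', bodyOffset - 1) + 1);
    findings.push(...scanScript(m[1], startLine, startCol));
  }
  return findings;
}

// Constructed sample: the second version of the function from the post,
// with the wrapped statement on one line and the two stray characters present.
const samplePage = [
  '<html><body>',
  '<script language="javascript" type="text/javascript">',
  '<!-- Begin',
  'function fnTrackMouse(){',
  'if (!event)',
  'event = window.event;',
  'if (docRef)',
  'oNotice.innerText="Coords: ("+10*((event.clientX+docRef.scrollLeft)/10)+", "+10*((event.clientY+docRef.scrollTop)/10)+\u00e1\u00e1")";',
  'document.all.floattrack.style.visibility = "visible";',
  '}',
  '// End -->',
  '</script>',
  '</body></html>',
].join('\n');

console.log(JSON.stringify(findStrayCharacters(samplePage), null, 2));
```

Findings whose context is `code` are the ones to inspect first; the same characters inside a string or comment do not change how the script parses.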
 

Jens Peter Karlsen[FP MVP]

Regarding FrontPage's hit counter:
FrontPage's hit counter doesn't have a title attribute. It will display
[Hit counter] if opened from a server that doesn't have FP Extensions
installed or if opened without a server.
Since it doesn't have a title attribute you couldn't have changed it. It
might have been the page's title attribute you changed.

Regarding your second issue, there isn't enough information to tell what
caused your issue.

Regards Jens Peter Karlsen. Microsoft MVP - Frontpage.

-----Original Message-----
From: George Hester [mailto:[email protected]]
Posted At: 14. november 2004 00:12
Posted To: microsoft.public.frontpage.client
Conversation: Ghostwriting
Subject: Ghostwriting



George Hester

You can do it Jens. Try it. Just don't open the page in FrontPage to do
it. It will disappear and no longer work. Do it in Notepad then browse the
page. You will see that it does work.

--
George Hester

George Hester

Here is the way to do it. In Notepad open a page that has the hit counter.
It looks like this:

<!--webbot bot="HitCounter" u-custom i-digits="0"
i-image="4" PREVIEW="&lt;strong&gt;[Hit Counter]&lt;/strong&gt;"
i-resetvalue="0" startspan --><img
src="_vti_bin/fpcount.exe/?Page=logon.asp|Image=4" alt="Hit
Counter"><!--webbot bot="HitCounter" endspan i-checksum="14859" -->

or close to it. Now change the alt attribute (sorry my mistake on the
actual attribute but I really don't think it matters here if you had some
idea what I was talking about) to alt="Hi"

That's it. The page will show Hi as the tooltip when the mouse is over the
counter. Unless you open the page in FrontPage. Then FrontPage does its
dirty deed.

This was just an example to show how FrontPage CAN and DOES do this type of
thing. Namely contaminate the page - Ghostwriting.

--
George Hester

Bob Lehmann

Why don't you just provide a URL to the strange and unnatural goings on in
your page?

You can do it. Don't be afraid - Even though they are out there,
watching.......

That reminds me - I'm out of tin foil.

Bob Lehmann


Stefan B Rusynko

And FP does not touch/edit any content in scripts





Jens Peter Karlsen[FP MVP]

You can't edit a webbot outside of FrontPage and expect FP not to change
it back to what it should be. Use the webbot's properties instead to see
what you can change.
The Alt attribute of the hit counter is not changeable.

Regards Jens Peter Karlsen. Microsoft MVP - Frontpage.
-----Original Message-----
From: George Hester [mailto:[email protected]]
Posted At: 14. november 2004 03:06
Posted To: microsoft.public.frontpage.client
Conversation: Ghostwriting
Subject: Re: Ghostwriting


Here is the way to do it. In Notepad open a page that has
the hit counter.
It looks like this:

<!--webbot bot="HitCounter" u-custom i-digits="0"
i-image="4" PREVIEW="&lt;strong&gt;[Hit Counter]&lt;/strong&gt;"
i-resetvalue="0" startspan --><img
src="_vti_bin/fpcount.exe/?Page=logon.asp|Image=4" alt="Hit
Counter"><!--webbot bot="HitCounter" endspan i-checksum="14859" -->

or close to it. Now change the alt attribute (sorry my
mistake on the actual attribute but I really don't think it
matters here if you had some idea what I was talking about)
to alt="Hi"

That's it. The page will show Hi as the tooltip when the
mouse is over the counter. Unless you open the page in
FrontPage. Then FrontPage does its dirty deed.

This was just an example to show how FrontPage CAN and DOES
do this type of thing. Namely contaminate the page - Ghostwriting.

--
George Hester
_________________________________
Jens Peter Karlsen said:
Regarding Frontpages hit counter:
Frontpages hit counter doesn't have a title attribute. It will display
[Hit counter] if opened from a server that doesn't have FP Extensions
installed or if opened without a server.
Since it doesn't have a title attribute you couldn't have changed it.
It might have been the pages title attribute you changed.

Regarding your second issue, there isn't enough information to tell
what caused your issue.

Regards Jens Peter Karlsen. Microsoft MVP - Frontpage.


George Hester

I don't know if view source will show anything. Let me check. No
it does show the unnatural characters. It's interesting. On my other
System Windows 98 IE 5 the page doesn't work. Due to the strange
characters. But in this operating system Windows 2000 Professional where
the page sits it does work fine.

Let me get my old site together where I can use ASP and put it together for
you so you can see the issue. But actually I don't see how it matters. But
I'll give it a shot. The page is actually quite specific to my website so
I'll have to change it around some. I cannot just provide a link to it
because the page redirects if you are not logged into the site.

--
George Hester
_________________________________
Bob Lehmann said:
Why don't you just provide a URL to the strange and unnatural goings on in
your page?

You can do it. Don't be afraid - Even though they are out there,
watching.......

That reminds me - I'm out of tin foil.

Bob Lehmann

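
A byte-level check for the situation described in this thread, where Notepad shows what look like spaces inside a script but the file holds other bytes. This is an added example, not code from any poster in the thread; the sample page is constructed, and reading the two characters as byte 0xE1 (á in Windows-1252) is an assumption.

```javascript
'use strict';

// Windows-1252 names for a few bytes that editors show as blanks or accented
// letters. Only a short illustrative list; anything else is "unlisted byte".
const KNOWN = {
  0x00: 'NUL',
  0xa0: 'NO-BREAK SPACE',
  0xe1: 'LATIN SMALL LETTER A WITH ACUTE',
};

// Return [{start, end}] byte ranges covering the bodies of <script> elements.
// latin1 maps one byte to one character, so string indices are byte offsets.
function scriptRanges(buf) {
  const text = buf.toString('latin1');
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const ranges = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    const start = m.index + m[0].indexOf('>') + 1;
    ranges.push({ start, end: start + m[1].length });
  }
  return ranges;
}

// Render bytes so that nothing invisible or locale-dependent is hidden.
function escapeBytes(buf) {
  let out = '';
  for (const b of buf) {
    out += (b >= 0x20 && b <= 0x7e)
      ? String.fromCharCode(b)
      : '\\x' + b.toString(16).padStart(2, '0');
  }
  return out;
}

// Report every byte inside a script body that is not printable ASCII,
// tab, CR or LF, with its position and a short escaped context.
function findStrayBytes(buf) {
  const findings = [];
  for (const { start, end } of scriptRanges(buf)) {
    for (let i = start; i < end; i++) {
      const b = buf[i];
      const allowedControl = b === 0x09 || b === 0x0a || b === 0x0d;
      if ((b >= 0x20 && b <= 0x7e) || allowedControl) continue;
      const lineStart = buf.lastIndexOf(0x0a, i) + 1; // 0 if no earlier LF
      let line = 1;
      for (let j = 0; j < lineStart; j++) if (buf[j] === 0x0a) line++;
      findings.push({
        offset: i,
        line,
        column: i - lineStart + 1,
        hex: b.toString(16).padStart(2, '0'),
        name: KNOWN[b] || 'unlisted byte',
        context: escapeBytes(
          buf.subarray(Math.max(start, i - 12), Math.min(end, i + 6))),
      });
    }
  }
  return findings;
}

// Constructed sample: the statement from the thread with two 0xE1 bytes
// (assumed value) before the closing string, plus a non-ASCII byte in
// ordinary HTML text that must not be reported.
const SAMPLE = Buffer.concat([
  Buffer.from(
    '<html><body>\r\n<script type="text/javascript">\r\n' +
    'function fnTrackMouse(){\r\n' +
    'oNotice.innerText="Coords: ("+10*((event.clientX+docRef.scrollLeft)/10)' +
    '+", "+10*((event.clientY+docRef.scrollTop)/10)+', 'latin1'),
  Buffer.from([0xe1, 0xe1]),
  Buffer.from('")";\r\n}\r\n</script>\r\n<p>caf', 'latin1'),
  Buffer.from([0xe9]),
  Buffer.from('</p></body></html>\r\n', 'latin1'),
]);

for (const f of findStrayBytes(SAMPLE)) {
  console.log(`line ${f.line} col ${f.column} byte 0x${f.hex} ` +
              `(${f.name}) near: ${f.context}`);
}
```

To check a real file, pass the Buffer returned by `fs.readFileSync(path)` (no encoding argument) to `findStrayBytes`.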
 

George Hester

They are if you don't open the page in FrontPage. Try it.

--
George Hester
_________________________________
Jens Peter Karlsen said:
You can't edit a webbot outside of FrontPage and expect FP not to change
it back to what it should be. Use the webbot's properties instead to see
what you can change.
The Alt attribute of the hitcounter is not changeable.

Regards Jens Peter Karlsen. Microsoft MVP - Frontpage.

George Hester

I really wish that were true. I cannot explain how these scripts get messed
up in this way. I can think of only one culprit, for there is only one piece of
software that accesses the page with write permissions. And that is
FrontPage. I can't explain it. I refer to FrontPage because it is the only
logical alternative. I didn't do it, couldn't even if I wanted to; IE I
doubt did it; a hacker, come on now, let's stop using that to explain
everything under the sun; IIS, maybe, could be. Now that I think of it I may
have had the page open in FrontPage when my power went out the other night.
Maybe that's all there was to it.

--
George Hester
_________________________________
Stefan B Rusynko said:
And FP does not touch/edit any content in scripts





Kevin Spencer

That's weird. I ran out of tin foil this weekend!

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Neither a follower
nor a lender be.

Bob Lehmann said:
Why don't you just provide a URL to the strange and unnatural goings on in
your page?

You can do it. Don't be afraid - Even though they are out there,
watching.......

That reminds me - I'm out of tin foil.

Bob Lehmann


Steve Easton

Re: Ghostwriting

Correct, you can edit the contents of a web bot when you have the page open in code / html view.
However when you save / close the page the web bot automatically rewrites itself, correcting /
removing any changes.
This is how a web bot works.
The only way to edit web bot code and have it "stay edited" is to edit it in Notepad and then save.


--
Steve Easton
Microsoft MVP FrontPage
95isalive
This site is best viewed............
........................with a computer

You can't edit a webbot outside of FrontPage and expect FP not to change it back to what it should
be. Use the webbot's properties instead to see what you can change.
The Alt attribute of the hitcounter is not changeable.
Regards Jens Peter Karlsen. Microsoft MVP - Frontpage.

-----Original Message-----
From: George Hester [mailto:[email protected]]
Posted At: 14. november 2004 00:12
Posted To: microsoft.public.frontpage.client
Conversation: Ghostwriting
Subject: Ghostwriting


I had a Windows 2000 Server that was serving ASPs. One time on my
logon page I noticed my JavaScripting was messed up.
There were unnatural characters in it. One moment the page was
without errors the next it was erroring. As I was inspecting the
page to figure out what was wrong I noticed the <SCRIPT
type="text/javascript" had some strange stuff in it.
Anyway I corrected it, thought for a bit about what might have
happened and just chalked it up to FrontPage 2003 and its tendency
to mess with pages. Now I know some may disagree with this but a
very simple test you can try to show that it does just that is try
to change the title attribute for the FrontPage Hit counter. You
can do it outside of the editor but as soon as you open the page
where the counter exists in FrontPage the title attribute will
change back to "Hit Counter." So it's not too hard to verify that
FrontPage CAN and DOES do this.

Now after I changed to Windows 2000 Professional to serve ASP, I
noticed another one of my pages throwing an error. A long time
since the issue above occurred. The page ASP was fine and then it
wasn't. So I went through the page trying to zero in on what was
the problem. Again it turned out some JavaScript was messed up.
But this time I did not correct it. I have left it so you can see
what "something" did and again I suspect FrontPage.

Here is what happened:

<script language="javascript" type="text/javascript">
<!-- Begin
function fnTrackMouse(){
if (!event)
event = window.event;
if (ie5 || ns6){
oNotice.innerText='Coords: ('+10*((event.clientX+docRef.scrollLeft)/10)+', '+10*((event.clientY+docRef.scrollTop)/10)+')';
document.all.floattrack.style.visibility = 'visible';
}
}
// End -->
</script>

I have this in a page and you can assume all this works. All it
does is add text to a floating div which is just the cursor position
of the mouse as it moves about the page. But now I would like you
to look at what happened through nothing done on my part. In fact I
don't know what it is:

<script language="javascript" type="text/javascript">
<!-- Begin
function fnTrackMouse(){
if (!event)
event = window.event;
if (docRef)
oNotice.innerText="Coords: ("+10*((event.clientX+docRef.scrollLeft)/10)+", "+10*((event.clientY+docRef.scrollTop)/10)+ ")";
document.all.floattrack.style.visibility = "visible";
}
// End -->
</script>

Looks almost exactly the same doesn't it? But it is NOT and in fact
the change leads to an error in the browser. No it is not the use
of " in the second instead of ' as in the first. Something else.
Look at the end of the oNotice.innerText statement. Almost at the
very end. You will see what looks like spaces here: /10)+ ")";

What I just wrote is as different as night is from day from what
really appears there, looking at the ASP in Notepad. What really
appears there as shown in Notepad will not copy here. But what is
actually there are two characters áá. So in fact what we are left
with is an invalid JavaScript statement. So this is what it looks
like:

oNotice.innerText="Coords: ("+10*((event.clientX+docRef.scrollLeft)/10)+", "+10*((event.clientY+docRef.scrollTop)/10)+áá")";

in Notepad.

So do you really think a hacker has nothing better to do than this?
Or that I just woke up one day and said, "Hey I think I'll screw up
my JavaScripting and throw this áá in somewhere nice?"

No. Either FrontPage does this or maybe IIS 5.0. I don't know.
But I do know it happens. FrontPage does do stuff like this (like the
Hit Counter issue above) and since it does I am suspicious.

There are actually more issues with the second rendition above but it
is not important to list them all nor can I really identify them. I
just know if I retype everything after:

10*((event.clientY+docRef.scrollTop)/10)+ ")";

Then the page is fixed. Just retype it exactly as you see it above
except for the spaces (áá).
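
An added example, not part of the original thread or either poster's code: a Node.js check that reports every byte outside printable ASCII in a page, with its line, column and hex value, so characters that an editor renders as spaces can be located exactly. The sample buffer is constructed from the statement quoted above, with 0xE1 standing in for each "á" on the assumption that the file is Windows-1252; all function names are hypothetical.

```javascript
// Added example: report bytes outside printable ASCII in a served page.
// SAMPLE is constructed from the statement quoted in the thread; 0xE1 stands
// in for each "á" on the assumption that the file is Windows-1252.
const SAMPLE = Buffer.concat([
  Buffer.from('<html>\r\n<script type="text/javascript">\r\n' +
    'oNotice.innerText="Coords: ("+10*((event.clientX+docRef.scrollLeft)/10)+", ' +
    '"+10*((event.clientY+docRef.scrollTop)/10)+', 'latin1'),
  Buffer.from([0xE1, 0xE1]),
  Buffer.from('")";\r\n</script>\r\n</html>\r\n', 'latin1'),
]);

// Tab, LF, CR and 0x20-0x7E are what a hand-written ASCII script should hold.
function isExpected(b) {
  return b === 0x09 || b === 0x0A || b === 0x0D || (b >= 0x20 && b <= 0x7E);
}

// Byte ranges [start, end) of every <script> body in the page.
function scriptRanges(buf) {
  const text = buf.toString('latin1'); // one byte per char: indexes = offsets
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const ranges = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    const start = m.index + m[0].indexOf('>') + 1;
    ranges.push([start, start + m[1].length]);
  }
  return ranges;
}

// Returns one finding per unexpected byte, with its position and hex value.
function findUnexpectedBytes(buf) {
  const ranges = scriptRanges(buf);
  const findings = [];
  let line = 1, column = 0;
  for (let i = 0; i < buf.length; i++) {
    const b = buf[i];
    column++;
    if (!isExpected(b)) {
      const hex = '0x' + b.toString(16).toUpperCase().padStart(2, '0');
      const inScript = ranges.some(([s, e]) => i >= s && i < e);
      findings.push({ line, column, offset: i, hex, inScript });
    }
    if (b === 0x0A) { line++; column = 0; }
  }
  return findings;
}

console.log(findUnexpectedBytes(SAMPLE));
```

For a real page, pass the result of `fs.readFileSync(path)` to `findUnexpectedBytes`; comparing the findings between a known-good copy and the served copy shows exactly which bytes changed.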
 
