High Level Kits - accessing the website


Kenton

Chris - I am having problems loading the website (I used to be able to see it without problems). It is coming up with a "//173.254.28.51 has requested access to your computer" :no: :no: I think it has to do with or some cross domain issue.

 


  • RMweb Premium

That IP address appears to have some kind of JavaScript that wants to run (at least that's what NoScript is indicating to me). I have it blocked and the site still loads OK.

No, just tried again and the problem is all I get is a blank page with a warning that that IP is falling foul of my virus software.

 

I'm also on Firefox; cookies and JavaScript are enabled for www.highlevelkits.co.uk, which used to be the domain name I used just fine.

 

Something has gone amiss since the website change.

 

I have just done a lookup on the IP and it points to some hosting site and not High Level Kits. So something VERY amiss. If this is the domain provider/host to High Level then something is not right within the host or the code on the site. Misuse of IFRAME is a classic nefarious trick to perform XSS or clickjacking, but it is often introduced by simple program error: the inexperienced host not providing correct domain redirection, or simply just being lazy. A simple request to the host to remove the iframe and ensure that the true domain is pointed at the site should resolve it.

  • RMweb Premium

The various href page links seem to have the IP address as their root rather than the High Level Kits domain name, so I'm not sure what's up other than possibly poor coding.

Works fine for me in Chrome, Firefox, IE and Opera.

 

Kenton - try clearing your DNS cache (on a W7 PC, click Start, Run, type cmd and press Enter. In the command prompt box type ipconfig /flushdns) and see what happens.

 

Phil


 

Works fine for me in Chrome, Firefox, IE and Opera.

 

Kenton - try clearing your DNS cache (on a W7 PC, click Start, Run, type cmd and press Enter. In the command prompt box type ipconfig /flushdns) and see what happens.

 

Phil

Phil, tried that. No joy. As Ian commented above, this is a DNS and coding issue at the source. The code is referencing a site (possibly the host) from the domain due to the poor use of frames. This is classic XSS; the host could be doing all sorts of nasty stuff before sending out the true site code. In reality it is probably just incompetence (failure of the hosting site to handle domain lookup correctly), but it is not just that, as the site is using IFRAME, which is also poor web design.

 

My virus control is pretty complete and identifies both as potential security problems. As I mentioned, this is almost certain to be a result of site redesign as the old site worked fine. On the plus side, I expect the host/programmer has been developing the site elsewhere on the host's server, hidden from public viewing (a development area), then made the big mistake of simply framing it to make it live rather than changing the host configuration file.

 

All it requires is a few words with the programmer and host to remove the XSS and framing.


I've just accessed the High level site from a Company computer which is pretty tight for security with no problems.

 

According to WHOIS The Domain name for High Level Kits isn't registered with the hosting company so the domain name will be 'parked' and forwarding the requests to the actual website host. I note the URL in the address bar never changes to reflect the actual page. My model railway club used to have a similar split between domain and host for a while and the domain name control panel allowed the URL to be locked to the club domain name and not to the actual URL of the page [which you can understand a company wanting]. If you right click and open in new window/tab you'll get the 'real' address.

 

One reason for maintaining this split is it makes it easier to change hosting providers.

 

[My wife would explain it better as she's a programmer / web designer]

 

Jeremy


 

I've just accessed the High level site from a Company computer which is pretty tight for security with no problems.

 

Not quite tight enough it seems if it permits this type of XSS!

 

There are better ways of doing the single url for all pages in the browser using simple code on the server. The file to do this should be available to the owner of the domain on any reputable host.

 

As for owning the domain name this is best achieved by changing the registration information and then pointing it at the host provider. - Again any reputable provider will be able to do this.

 

Most of the problems of moving domains between providers equate to "scam" type providers (they have a Virtual hosting service provided and then resell space of the real host - often with restricted access to the config files) and they are often cheap for that reason.

 

It should be a simple step to remove <iframe> and point the domain directly at the main pages. Trying to fool the browser can be done with other less surreptitious and clumsy coding.


  • RMweb Gold

I'm not sure what Kenton's issue is - a domain name resolves to an IP address anyway.  For the vast majority of small companies that will be a shared server so the IP address will be shared between various virtual hosting packages (which incidentally does not make them "scam" hosts).

 

Sure, from a visual perspective it isn't great having the IP address rather than the domain name, but it is no more or less safe going direct to the IP address than via a domain name.

 

Yes, XSS is bad but there is no evidence of that here.

 

Nor am I sure why you have an aversion to iframes - you would be surprised by some of the uses of iframes by some of the most standards compliant and reputable sites. Iframes can be sandboxed anyway. In theory an iframe could be hijacked but rather than deal in theory it is always best to deal in likelihoods - exercise caution where necessary, but don't go OTT.


 

Sure, from a visual perspective it isn't great having the IP address rather than the domain name

But it doesn't. The domain goes to a page that uses an iframe to redirect to the hosting site's IP. So you have JavaScript loaded from the host prior to the HTML and JavaScript of the domain - classic XSS - what is going on behind the initial redirect and before you go to the true site?

 

The real issue for me (and potentially others) is that I am unable to see the true High Level site - it is a simple blank page in the browser. This error in the code is easily fixed. Simply remove all references to the IP address (ie get rid of the IFRAME).

 

BTW it is far from theoretical. The use of IFRAMES in this way has long been a serious issue and the use of IFRAMES within a page to include external content is quite a separate issue. As this can be simply blocked and only limits 3rd party content and adverts not the landing/master page content.

 

I wish I had started this as a separate topic. Just wanted to urgently make use of the site and was wondering if others were experiencing the same problem. I really didn't want to spend ages analysing the problem/code. I'm now to the point of wondering if I give a damn about being able to access the site.


.....I wish I had started this as a separate topic. Just wanted to urgently make use of the site and was wondering if others were experiencing the same problem. I really didn't want to spend ages analysing the problem/code. I'm now to the point of wondering if I give a damn about being able to access the site.

 

You and your computer are so cautious, I'm surprised anything's allowed to show up on your monitor!  :jester:


  • RMweb Gold

But it doesn't. The domain goes to a page that uses an iframe to redirect to the hosting site's IP. So you have JavaScript loaded from the host prior to the HTML and JavaScript of the domain - classic XSS - what is going on behind the initial redirect and before you go to the true site?

 

The real issue for me (and potentially others) is that I am unable to see the true High Level site - it is a simple blank page in the browser. This error in the code is easily fixed. Simply remove all references to the IP address (ie get rid of the IFRAME).

 

The domain resolves to one IP address (82.165.111.117) which is probably where the domain name is registered and the site is hosted at the other IP address.  It could be a registrar for the first IP and a host (or home server) for the second - hardly unusual. The sort of XSS you are describing is how millions of websites quite safely work - any site that embeds for example twitter or a google service (eg google calendar) will have exactly the same "issue".

 

So because you block iframes you don't want people to use them.  If it is a big issue for you go straight to the hosted page: http://173.254.28.51/~highlev3/chris/Pages/


Kenton - if yours is the only computer that doesn't display the site correctly, haven't you realised that there's a problem with your computer and not the website?

 

Phil

Kenton is not the only person that cannot connect directly with the new High Level Web site. I have never had a problem connecting with the old site from IE, but certainly cannot get a direct link into the new site. My only point of entry is through a hyperlink from another web site; some work and some don't.

 

SteveT


  • RMweb Premium

Kenton is not the only person that cannot connect directly with the new High Level Web site. I have never had a problem connecting with the old site from IE, but certainly cannot get a direct link into the new site. My only point of entry is through a hyperlink from another web site; some work and some don't.

 

SteveT

 

Have you tried:-

 

 

So because you block iframes you don't want people to use them.  If it is a big issue for you go straight to the hosted page: http://173.254.28.51/~highlev3/chris/Pages/

 

 

I am very pleased to see Chris is now posting on RMweb and hope these issues won't deter him from continuing to do so. I am sure he has better things to do with his time.

Hello all, just back from Railex, and Expo before that.

 

Kenton, have you had any luck getting on the site yet? I'm not well up in technical stuff, HTML, the web etc. and just about managed to cobble the thing together. I get there OK using this http://www.highlevelkits.co.uk/

 

which uses the domain with redirect, but as far as I was aware it was working OK after I contacted the hosting to sort it out. Let me know if there is still an issue. I may have changed the home page name since the old site, so the only slightly sensible suggestion I can make based on my limited knowledge is that your browser has cached the old one and is using that?...

Archived

This topic is now archived and is closed to further replies.
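
Added example, not part of the original thread and not the site's own code: a small Python check for the arrangement debated above, where a domain's landing page only frames content served from a different host. The markup in `SAMPLE_HTML` is constructed (the thread never shows the real page source) and the function and field names are assumptions; only the two URLs come from the posts.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

# Constructed sample: assumed markup for a wrapper page framing the host's IP.
SAMPLE_URL = "http://www.highlevelkits.co.uk/"
SAMPLE_HTML = ('<html><head><title>High Level Kits</title></head><body><iframe '
               'src="http://173.254.28.51/~highlev3/chris/Pages/"></iframe></body></html>')

class FrameFinder(HTMLParser):
    SKIP = {"title", "script", "style", "noframes"}  # not visible page text
    def __init__(self):
        super().__init__()
        self.frames, self.text, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            self.frames.append(dict(attrs))
        elif tag in self.SKIP:
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip and data.strip():
            self.text.append(data.strip())

def is_ip(host):
    try:
        return bool(ip_address(host))  # ValueError if not an IP literal
    except ValueError:
        return False

def audit_frames(page_url, html):
    """List frames served from a host other than the page's own."""
    finder = FrameFinder()
    finder.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for attrs in finder.frames:
        src = urljoin(page_url, attrs.get("src") or "")
        host = urlsplit(src).hostname
        if host and host != page_host:
            findings.append({"src": src, "host": host, "bare_ip": is_ip(host),
                             "sandboxed": "sandbox" in attrs})
    # Frames but no text of its own: the page only forwards to another host.
    wrapper_only = bool(finder.frames) and not finder.text
    return {"wrapper_only": wrapper_only, "cross_host_frames": findings}

if __name__ == "__main__":
    print(audit_frames(SAMPLE_URL, SAMPLE_HTML))
```

`wrapper_only` together with `bare_ip` describes the frame-forwarding set-up the posts argue about, while `sandboxed` records whether a frame carries the `sandbox` attribute mentioned in one reply.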
