Bitdefender Overrides Javascript Xmlhttprequest.open

For some reason Bitdefender overrides the JavaScript method for AJAX requests (XMLHttpRequest.open). This override adds a unique(?) identifier (XHR1223...1231XHR) to each URL used in an AJAX request, and this breaks a lot of functionality on AJAX-dependent sites with users using Bitdefender.

So my question is: Why do you need this identifier? My guess is that you intercept the outgoing AJAX requests in Bitdefender and validate them. This is OK I guess, but it would be nice if you also stripped the identifier afterwards. This seems to be a serious bug in Bitdefender, or am I missing something?

Find more posts tagged with

Comments

mkristo

I have temporarily fixed this in our web application now.

# Bitdefender sometimes incorrectly appends an identifier on the format XHR{32 byte hex}XHR to the URL. Hack to remove it.

if environ["PATH_INFO"][-3:] == "XHR" and environ["PATH_INFO"][-38:-35] == "XHR":

environ["PATH_INFO"] = environ["PATH_INFO"][-38:]

During the testing I also noticed that Bitdefender does not strip trailing spaces from a URL. Imagine the following scenario:

...

</form>

Note the trailing space in the action. A web browser is forgiving and strips spaces. But when Bitdefender adds the identifier "XHR1337...1337XHR" to all AJAX requests the resulting URL is "/chat/send/ XHR1337...1337XHR" and the browser is unable to clean it up. This is something that Bitdefender should do after the id has been removed from the URL.

rootkit

Hi mkristo and welcome to our forums

Sorry for the delayed reply.

Could you post here some websites so we can study the phenomenon?

Thank you in advance for your feedback. Have a nice day.

mkristo

1. We have only seen URL's with the postfix XHRB0978575529B486ABCA7EB68E0E44469XHR in the access logs. I'm sorry to say, but we have not been able to reproduce this so we simply applied the fix described above in my second post. But it seems like the Bitdefender proxy, in some cases, does not strip the identifier.

This has happened around 10.000 times the last 5 days, so I think we can agree on that it is more than one user affected. And the phenomenen happens on different URL's each time.

2. We have also added a Bitdefender specific fix for the trailing space problem server side. But I'll provide you with some code here how to reproduce.

bitdefender.html:

<html>

<head>

<****** src="http://code.jquery.com/jquery.min.js" type="text/javascript"></******>

</head>

<body>

<a href="#" onclick="$.get('bitdefender.html ')">Click me</a>

</body>

</html>

This would create an AJAX request similar to bitdefender.html%20XHRB0978575529B486ABCA7EB68E0E44469XHR. After the Bitdefender proxy has validated the request and removed XHRB0978575529B486ABCA7EB68E0E44469XHR the remaining URL is bitdefender.html%20, but it should be bitdefender.html.

I hope this helps!

rootkit

I've escalated your request yesterday and receive an answer right now: this issue will be fixed in the next build.

The next product update is scheduled to be released at the end of this month.

You can check this topic on October 28th:

http://forum.bitdefender.com/index.php?showtopic=28172

Thank you very much for the feedback. Have a nice day.

mkristo

FYI: The problem with trailing spaces has not been fixed in the build released on November 2nd.

rootkit

Hello

The latest build (34) has only some improvements to the anti-malware engine.

I wasn't talking about this build in my last post.

Thank you.

rujikin

I went onto http://www.hulu.com/genres/Animation-and-Cartoons?type=tv and did a search. it added XHRB0978575529B486ABCA7EB68E0E44469XHR onto the search query. after reloading it was fixed.

rootkit

Hello

Thank you for reporting this.

The update hasn't been released yet.

Thank you.