funsec mailing list archives

U.S. Government Security Site Vulnerable to Common Attack


From: "Fergie" <fergdawg () netzero net>
Date: Wed, 14 Dec 2005 15:51:25 GMT

Via Netcraft.

[snip]

The U.S. government site that tracks cyber security risks was recently found vulnerable to cross-site scripting, a 
technique commonly used in hacker attacks and web site spoofing. Several security sites have published a demonstration 
of the security hole in the web site for the National Institute of Standards and Technology (NIST), which hosts the 
U.S. National Vulnerability Database, which ironically includes numerous examples of cross-site scripting.

The cross-site scripting vulnerability in the NIST site was found in a script that warns visitors that they are about 
to leave the NIST site, a common practice on U.S. government sites. The NIST script allows potentially malicious 
JavaScript to be appended to the URL and executed by the browser, a technique which works in Firefox and Internet 
Explorer. The flaw was originally reported by the RootShell Security Group. Staff at the NIST web site closed the 
security hole after being contacted by people who saw the RootShell posting.

[snip]

http://news.netcraft.com/archives/2005/12/14/us_government_security_site_vulnerable_to_common_attack.html

- ferg
--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/
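The article describes an "exit" script that reflects a URL parameter into the page without encoding it. The following is an added illustration written for this archive, not NIST's script or any code from the Netcraft article: it contrasts a naive handler that reflects the parameter verbatim with a hardened one that both validates the destination (absolute http/https only) and HTML-escapes it before rendering. The parameter name `url`, the page wording and the sample inputs are assumptions constructed for the example.

```python
"""Hardened "you are leaving this site" page.

Added example, not NIST's code. Assumes (constructed for illustration) that
the exit page receives the destination in a query parameter named `url`
and renders it into an HTML link.
"""
from html import escape
from urllib.parse import parse_qs, urlparse

# Only absolute web URLs may be offered as an exit destination.
ALLOWED_SCHEMES = {"http", "https"}


def render_exit_page_unsafe(target: str) -> str:
    """The weak pattern the article describes: the parameter is reflected
    verbatim, so any markup in it becomes part of the page."""
    return (
        "<p>You are now leaving this site.</p>"
        f'<a href="{target}">{target}</a>'
    )


def validate_destination(target: str):
    """Return the URL if it is an absolute http(s) URL, otherwise None.

    Rejects javascript:, data: and relative values, but does not by itself
    make the value safe to embed in HTML; see render_exit_page_safe.
    """
    parsed = urlparse(target)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return None
    return target


def render_exit_page_safe(target: str) -> str:
    """Validate the destination, then HTML-escape it for the attribute and
    text contexts it is written into. Escaping is applied even to values
    that pass validation, since the path part may still carry markup."""
    checked = validate_destination(target)
    if checked is None:
        return "<p>Invalid destination.</p>"
    safe = escape(checked, quote=True)  # encodes < > & " '
    return (
        "<p>You are now leaving this site.</p>"
        f'<a href="{safe}">{safe}</a>'
    )


def exit_page_from_query(query_string: str) -> str:
    """Pull the `url` parameter from a raw query string and render safely.
    A missing parameter falls through to the 'Invalid destination' branch."""
    params = parse_qs(query_string)
    target = params.get("url", [""])[0]
    return render_exit_page_safe(target)


if __name__ == "__main__":
    # Constructed input: a value that would close the href attribute and
    # start new markup if it were reflected verbatim.
    tainted = 'https://example.com/"><b>injected</b>'
    print(render_exit_page_unsafe(tainted))
    print(render_exit_page_safe(tainted))
    print(render_exit_page_safe("javascript:void(0)"))
    print(exit_page_from_query("url=https%3A%2F%2Fexample.com%2Fpage"))
```

The validator and the escaper address different failure modes: scheme validation stops the link itself from being a script URL, while output encoding stops the value from breaking out of the attribute, which is the class of flaw the article reports. Dropping either one leaves a gap.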


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.