Vulnerability Development mailing list archives

RE: CSS, CSS & let me give you some more CSS


From: Brian McWilliams <brian () pc-radio com>
Date: Fri, 01 Feb 2002 21:29:14 -0500

At 03:09 PM 1/31/2002, Joe Harrison wrote:
I can't help but feel the importance of these cross-site-scripting attacks is
over-emphasised.

As others have pointed out, CSS bugs can be used to do some pretty interesting things.

FYI, the source De Vitry injected into the news site pages is here: http://devitry.com/mon

Brian

+++

Top News Sites Close Script Hacking Hole
NEW YORK, NEW YORK, U.S.A.,
01 Feb 2002, 7:57 PM CST

http://www.newsbytes.com/news/02/174173.html

A security flaw at leading online news providers MSNBC.com, NYTimes.com, and WashingtonPost.com could have allowed attackers to generate bogus articles using the sites.

In a demonstration of the bug, David De Vitry, an independent security specialist, exploited the news sites to create a phony story in which a NASA official claimed the space agency's moon landings were faked.

The security glitch, known as cross-site scripting (CSS), opened the door to what experts call subversion of information attacks. Such attacks can be used to spread false information, manipulate stock prices, and perform other malicious acts.

[snip]

