http://www.newsbytes.com/news/01/170347.html

By Brian McWilliams, Newsbytes
DULLES, VIRGINIA, U.S.A., 20 Sep 2001, 11:29 PM CST

Three leading Internet firms have fallen prey to a serious security bug identified more than 18 months ago.

America Online's Shop@AOL site, along with the portal for its ICQ instant messaging product, and Yahoo's site for users in France, have been identified as vulnerable to an attack known as cross-site scripting.

In February last year, a joint advisory about cross-site scripting was issued by the FBI's National Infrastructure Protection Center and the Computer Emergency Response Team (CERT).

The three vulnerable sites were all reported by different individuals in the past seven days to VulnWatch, a new security mailing list.

The search function on each of the vulnerable sites allows unauthorized users to inject HTML tags or scripts within the Uniform Resource Locator (URL) address of the site. As a result, an attacker could, for example, trick Web surfers into clicking on what they believe is a safe link to a trusted source in an e-mail or Web page. In fact, the URL could contain scripts which steal data input by the user and send it back to the attacker, according to CERT's advisory.

Officials from the three affected sites were not available for comment this evening.

According to Cabezon Aurélien of the French security portal iSecureLabs.com, he reported the vulnerability in Yahoo's French site to the firm and it has corrected the flaw. The flaw at ICQ.com was also still open, despite having been reported to the company Wednesday, according to Aurélien.

The vulnerability at Shop@AOL, which was identified by Jon Britton, operator of a site called BreakWindows.com, was still exploitable this evening, based on tests by Newsbytes.

While Internet surfers can disable scripting in their browsers to protect against such attacks, CERT said the onus for correcting the problem falls on Web site developers.
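To make the flaw described above concrete, here is an added example (not code from Newsbytes, CERT, or any of the sites named) of a search handler that echoes the URL's query term into its results page unescaped, beside the corrected version that entity-encodes it, with a self-check a site owner can run against their own search page. The URL, parameter name and page layout are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample: a search URL whose "q" parameter carries markup instead of
# a plain search term, the pattern the article describes.
SAMPLE_URL = "http://search.example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_term(url: str) -> str:
    """Pull the 'q' parameter out of the URL, percent-decoded, as a search CGI would."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """Echoes the term straight into the HTML: whatever was in the URL becomes markup."""
    return f"<html><body><h1>Results for {term}</h1></body></html>"


def render_hardened(term: str) -> str:
    """html.escape turns <, >, &, and quotes into entities, so the browser
    displays the text instead of interpreting it as tags or script."""
    return f"<html><body><h1>Results for {html.escape(term, quote=True)}</h1></body></html>"


def reflects_unescaped(page: str, term: str) -> bool:
    """True when a term containing markup comes back verbatim in the response,
    which is the condition the advisory tells site developers to eliminate."""
    return "<" in term and term in page


if __name__ == "__main__":
    term = query_term(SAMPLE_URL)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(term)
        print(f"{name}: reflects unescaped markup = {reflects_unescaped(page, term)}")
```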
"None of the solutions that Web users can take are complete solutions. In the end, it is up to Web page developers to modify their pages to eliminate these types of problems," said the CERT advisory.

CERT's advisory on cross-site scripting is online here: http://www.cert.org/advisories/CA-2000-02.html

VulnWatch is online at http://www.vulnwatch.org

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.

This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 02:06:11 PDT