[ISN] Security Vulnerabilities Reported At Obama, Clinton Web Sites

From: InfoSec News (alerts@private)
Date: Tue Apr 22 2008 - 22:09:02 PDT


http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=207401366

By Thomas Claburn
InformationWeek
April 22, 2008 

The Web sites of Barak Obama and Hillary Clinton appear to be vulnerable 
to cross-site scripting (XSS) attacks.

XSSed.com, a site that tracks cross-site scripting vulnerabilities, 
includes reports of four XSS vulnerabilities that affect BarackObama.com 
and one that affects HillaryClinton.com.

Cross-site scripting allows an attacker to inject code into a Web site 
so that certain actions execute the code. The result can be anything 
from a harmless pop-up window to exposure to malicious software.

Zulfikar Ramzan, a senior researcher with Symantec (NSDQ: SYMC) Security 
Response, said that any time a site allows users to submit content, 
there's a risk that someone may submit malicious code.

XSSed.com lists two of the vulnerabilities, one on each candidate's 
site, as "unfixed" as of 2 p.m. PST on Tuesday, April 22.

One of the vulnerabilities reported on XSSed.com surfaced over the 
weekend and has since been fixed. It allowed an unknown hacker to 
redirect visitors who viewed the Community Blogs section on Barack 
Obama's Web site to rival Hillary Clinton's Web site. Two other 
vulnerabilities now listed only on mirror sites also appear to have been 
fixed.

Security vendors Netcraft and Symantec have both published blog posts 
about the incident. And Zenophon "Zennie" Abraham, founder and CEO of 
Sports Business Simulations, has posted a video demonstrating the hack 
on YouTube.

A Barack Obama campaign spokesperson did not immediately respond to a 
request for comment.

However, a person posting under the name "Mox" on the Obama Community 
Blog took credit for hacking BarackObama.com.

It is "Mox" who also takes credit for posting three of the XSS 
vulnerabilities on BarackObama.com and the one on HillaryClinton.com. 
The fourth XSS hole on BarackObama.com was posted by someone using the 
name "C1c4Tr1Z."

Ramzan said that while the brief redirection of visitors to the Barack 
Obama site wasn't particularly serious, an XSS vulnerability of this 
sort could potentially be exploited to inflict more significant harm. He 
suggested that a fake fund-raising solicitation window could be launched 
this way and that it would probably fool a lot of people because it 
would appear to be part of the official Barack Obama Web site.


_______________________________________________      
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Tue Apr 22 2008 - 22:22:40 PDT