At 03:09 PM 1/31/2002, Joe Harrison wrote: >I can't help feel the importance of these cross-site-scripting attacks is >over-emphasised. As others have pointed out, CSS bugs can be used to do some pretty interesting things. FYI, the source De Vitry injected into the news site pages is here: http://devitry.com/mon Brian +++ Top News Sites Close Script Hacking Hole NEW YORK, NEW YORK, U.S.A., 01 Feb 2002, 7:57 PM CST http://www.newsbytes.com/news/02/174173.html A security flaw at leading online news providers MSNBC.com, NYTimes.com, and WashingtonPost.com could have allowed attackers to generate bogus articles using the sites. In a demonstration of the bug, David De Vitry, an independent security specialist, exploited the news sites to create a phony story in which a NASA official claimed the space agency's moon landings were faked. The security glitch, known as cross-site scripting (CSS), opened the door to what experts call subversion of information attacks. Such attacks can be used to spread false information, manipulate stock prices, and perform other malicious acts. [snip]
This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 18:48:55 PST