At 03:09 PM 1/31/2002, Joe Harrison wrote:
>I can't help feel the importance of these cross-site-scripting attacks is
>over-emphasised.

As others have pointed out, CSS bugs can be used to do some pretty
interesting things.

FYI, the source De Vitry injected into the news site pages is here:
http://devitry.com/mon

Brian
+++
Top News Sites Close Script Hacking Hole
NEW YORK, NEW YORK, U.S.A.,
01 Feb 2002, 7:57 PM CST
http://www.newsbytes.com/news/02/174173.html

A security flaw at leading online news providers MSNBC.com, NYTimes.com,
and WashingtonPost.com could have allowed attackers to generate bogus
articles using the sites.

In a demonstration of the bug, David De Vitry, an independent security
specialist, exploited the news sites to create a phony story in which a
NASA official claimed the space agency's moon landings were faked.

The security glitch, known as cross-site scripting (CSS), opened the door
to what experts call subversion of information attacks. Such attacks can be
used to spread false information, manipulate stock prices, and perform
other malicious acts.

[snip]
Received on Feb 02 2002