London mayoral candidate web sites open to XSS
Penetration testers SecureTest have found that the campaign web sites of both leading candidates in today's London mayoral election could be attacked using cross site scripting (XSS). At the time of publication, the hole had been fixed in Boris Johnson's site, but not Ken Livingstone's.
An example link was provided by SecureTest.
The vulnerability stems from a failure to sanitise user input to the site's registration form. Whatever is submitted – in SecureTest's example an HTML iframe tag pair whose source points at the injected content – is echoed back into the page in its entirety, so a crafted link carrying the payload in a form parameter adds arbitrary content to the page for anyone who follows it. This is reflected XSS: nothing is stored on the server, the attack travels entirely in the manipulated link.
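To make the failure described above concrete, here is an added illustration that is not SecureTest's or either campaign's code: a minimal registration-form handler that echoes a submitted field back into the page, first as the article describes it (unsanitised), then with HTML escaping applied. The parameter name "name", the page layout and the attacker URL are assumptions made for the demo.

```javascript
// Added illustration, not the code of either campaign site or of SecureTest.
// The field name "name", the page layout and the attacker host are assumed.

// Escape the five characters that let attacker input break out of text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the "thank you" page from the request's query string. `sanitise`
// selects the vulnerable or the fixed rendering path so both can be compared.
function renderRegistrationPage(queryString, sanitise) {
  const params = new URLSearchParams(queryString);
  const name = params.get("name") || "";
  const shown = sanitise ? escapeHtml(name) : name; // vulnerable path echoes raw input
  return `<html><body><h1>Registration</h1><p>Thanks, ${shown}!</p></body></html>`;
}

// Crude check, sufficient for the demo: does the rendered page contain a real
// (unescaped) iframe tag that the server never intended to serve?
function containsLiveIframe(html) {
  return /<iframe[\s>]/i.test(html);
}

// Constructed attacker link: a registration URL whose name parameter carries an
// iframe pair pointing at attacker-controlled content, as in the article.
const attackerQuery =
  "?name=" +
  encodeURIComponent('<iframe src="https://attacker.example/payload"></iframe>');

const vulnerablePage = renderRegistrationPage(attackerQuery, false);
const hardenedPage = renderRegistrationPage(attackerQuery, true);

console.log("vulnerable:", vulnerablePage);
console.log("hardened:  ", hardenedPage);
console.log("iframe live in vulnerable page:", containsLiveIframe(vulnerablePage)); // true
console.log("iframe live in hardened page:  ", containsLiveIframe(hardenedPage));   // false
```

The escaping shown is correct only for text placed between tags; a value reflected inside an attribute, a URL or a script block needs encoding for that context instead, which is why templating engines that escape by default are preferable to hand-rolled fixes like the one above.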