No end to cross-site scripting holes
The XSSed Project, which detects and discloses cross-site scripting holes, recently reported numerous XSS holes in the web sites of Verisign, McAfee and Symantec.
A new edition of the German-based Phishmarkt collection of XSS holes has now appeared, this time focusing on US government and government agency pages. Phishmarkt found a total of 47 vulnerabilities on .gov pages. Although the holes were mostly found on minor town and county pages, affected agencies included the CIA and the states of Hawaii and California.
The Phishmarkt specialists even found eight holes on .mil pages. Whether XSS holes in pages such as that of the US Army "Training and Doctrine Command" can successfully be exploited for phishing attacks remains open to question, but they demonstrate that the problem isn't confined to the web pages of third-class providers.
See also:
- Verisign McAfee and Symantec sites can be used for phishing due to XSS, report by XSSed
- Phishmarket :: gov && mil :: 2008, entry on Wired-Security
(mba)