Netcraft.com brings my attention to cross-site scripting security problem. I have examined this website for vulnerabilities. This problem is usually caused by systems not checking input received from user or third party before using it. One place this website receives input is the RSS new feeds. I have crafted a test RSS with embedded javascript. Some RSS feeder (including this website) display the content as is. They should have (arguably) strip off the embedded script before displaying it. I promptly plugged this by escaping the meta characters before outputting them on the web pages.

An important element for cross-site scripting is that a third party can use a reputable website as a conduit to inject questionable code in their context. In this case the news feeder's communication is only between this website and the news source. I am not aware of any loop hole for third party to get involved. But in the world of open communication it is better to be safe to test for all input before use.

2004.07.20 [web, security] - comments (0)

This August has seen two massive virus attack, with the MSBlaster followed by Sobig. Sobig is believed to have a motive other than causing damages. It creates a large number of compromised computers, which is ideal resources for email spammers to relay spams. LURHQ has analysed the virus in a series of articles, from the first Sobig.a to Sobig.e to the now well known Sobig.f. It describe how Sobig transforms itself from an email attachment to a trojan proxy server using a sophisticated multi-staged technique to elude effort to block it. Evidently spammers is associated with high-tech crime network profiting from computer vulnerability.

2003.08.29 [security] - comments (0)