Holes in London Mayor websites leave them open to 'e-gaffes'

Ethical hackers have discovered potentially serious vulnerabilities on the websites of the two principal candidates in today's London Mayoral election. Both Boris Johnson’s and Ken Livingstone's campaign websites suffer from cross-site scripting (XSS) vulnerabilities that make it possible for hackers to redirect users to their …

COMMENTS

This topic is closed for new posts.
  1. Ishkandar
    Boffin

    Does this really matter...

    ...and does any Londoner of sound mind give a flying....duck....what any website says about the candidates !!

    This is an equal opportunity sneer !!

  2. Simon Kirby
    Joke

    A quick play with google image search....

    and you can make your own fun link:

    http://www.backboris.com/misc/register.php?msg=%3CIFRAME%20SRC=http://my.telegraph.co.uk/VirtualContent/86950/20070806152444.jpg%3E%3C/IFRAME%3E

    (don't worry, it's safe)

  3. Gareth
    Joke

    Very very poor scripting

    You don't even need an iframe you can directly insert an img tag or even a script tag.

    Simon's joke here with an img tag is much more transparent

    http://www.backboris.com/misc/register.php?msg=%3Cimg%20SRC=http://my.telegraph.co.uk/VirtualContent/86950/20070806152444.jpg%3E

  4. Anonymous Coward
    Flame

    Make trivial with it...

    This really isn't a trivial matter though - I mean some useless web development cretin actually got paid to make these sites and didn't think to sanitise the incoming data from the URI.

    The IT industry really does make me spit blood sometimes; if architectural engineering was like software engineering we'd never have been able to get anything taller than a bungalow standing.

    Web developers seem to be worse than the rest.

    Yes, I am a web developer (LAMP with the 'P' being predominantly PHP) and some of the code I've seen makes me just stare in disbelief at the screen - how the hell people can sleep at night after foisting that shit on someone is beyond me. Look at PHP written by ASP "developers" and you'll want to cry.

    [anonymous because slagging off the IT industry here, of all places, seems unwise]

  5. Ben Best
    Joke

    In their (limited) defence

    It appears that they've removed any html being posted, it's still (at time of posting) possible to do the following though.

    http://www.backboris.com/misc/register.php?msg=If%20You%20Are%20An%20Idiot
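
    The weakness the last two comments describe (a msg parameter echoed straight into the page, then merely stripped of tags, which still lets anyone plant an arbitrary message on the site) is shown below in an added PHP example that is not code from either campaign site. The handler, its function names and the status codes are hypothetical; the recommended version reflects nothing from the URL at all, only a server-side message looked up by a short code.

```php
<?php
// Added example, not the campaign sites' code. A hypothetical status
// handler for a page such as register.php?msg=..., written three ways.

// 1. Vulnerable: the query-string value is placed straight into the markup,
//    so an <img>, <iframe> or <script> tag in msg is rendered in the site's origin.
function render_unsafe(array $get): string
{
    $msg = $get['msg'] ?? '';
    return "<p class=\"status\">{$msg}</p>";
}

// 2. Partial fix (what comment 5 observed after the change): tags are removed,
//    but attacker-chosen free text is still shown as if the site had said it.
function render_strip_tags(array $get): string
{
    $msg = strip_tags($get['msg'] ?? '');
    return '<p class="status">'
        . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// 3. Recommended: the URL carries only a short code; the wording lives on the
//    server, so neither markup nor free text from the URL ever reaches the page.
const STATUS_MESSAGES = [
    'ok'      => 'Thank you for registering.',
    'invalid' => 'Please check the details you entered.',
    'dup'     => 'That e-mail address is already registered.',
];

function render_allowlisted(array $get): string
{
    $code = $get['msg'] ?? '';
    // Unknown codes fall back to a neutral message; $code itself is never echoed.
    $text = STATUS_MESSAGES[$code] ?? 'Your request has been received.';
    return '<p class="status">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed input mirroring the thread's img-tag proof of concept (placeholder URL).
$probe = ['msg' => '<img src=http://example.invalid/picture.jpg>'];
echo render_unsafe($probe), "\n";       // tag reflected verbatim
echo render_strip_tags($probe), "\n";   // tag gone, any plain text would still be echoed
echo render_allowlisted($probe), "\n";  // fallback message only
echo render_allowlisted(['msg' => 'ok']), "\n";
```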

  6. Anonymous Coward
    Happy

    Now fixed on that page

    But not everywhere!

    http://www.backboris.com/contribute/index.php?msg=Vote%20for%20Ken

  7. Ru
    Go

    XSS?

    Spotted and blocked by NoScript. It's a clever little tool to be sure.

    @Ishkandar

    It matters because the trick allows you to do pretty much anything you like, under the guise of being a legitimate site. See comments about drive-by malware downloads, etc.

    Also, having a silly posting 'shtick' wasn't cool when amanfrommars did it either, though at least your effort is parseable.

  8. Gareth
    Thumb Down

    Re: Limited defence

    I'd agree if they actually applied the same logic elsewhere.

    From here you could change any part of the page as javascript runs with no problem. The number of team members for instance. But for now another proof of concept:

    http://www.backboris.com/about/index.php?mtf_msg=%3Cimg%20src=http://my.telegraph.co.uk/VirtualContent/86950/20070806152444.jpg%3E

  9. Smallbrainfield
    Coat

    I take it someone

    has hacked Boris Johnson's site to include that picture of him looking gormless at the top.

    Ah.

  10. Moss Icely Spaceport
    Stop

    It's a regular feast of political choices there folks

    NOT
