MoD website outflanked by XSS flaws Hackers have discovered cross-site scripting (XSS) vulnerabilities on the UK's Ministry of Defence website. The security shortcomings create a means for miscreants or pranksters to present content from a website under their control in a pop-up window that appears to come from the MoD. This class of flaw is very serious on …
Darling: What the general means, Blackadder, is: There's a leak.
Melchett: Now `leak' is a positively disgusting word.
Darling: The Germans seem to be able to anticipate our every move. We send up
an aeroplane, there's a Jerry squadron parked behind the nearest
cloud; we move troops to (??), the Germans have bought the
whole town's supply of lavatory paper. In short: A German spy is
giving away every one of our battle plans.
Melchett: You look surprised, Blackadder.
Edmund: I certainly am, sir. I didn't realise we had any battle plans.
Melchett: Well, of course we have! How else do you think the battles are
directed?
Edmund: Our battles are directed, sir?
Melchett: Well, of course they are, Blackadder -- directed according to the
Grand Plan.
Edmund: Would that be the plan to continue with total slaughter until every-
one's dead except Field Marshal Haig, Lady Haig and their tortoise,
Alan?
Melchett: Great Scott! (stands) Even you know it! Guard! Guard! Bolt all the
doors; hammer large pieces of crooked wood against all the windows!
This security leak is far worse than we'd imagined!
Cost to fix - few thousand for competent web developer - should be a few thousand pounds (though with MoD centralised IT support track record probably a few million)
cost to do real MOD stuff - billions
cost for someone to make it appear MoD supports whatever cause we'd rather they didn't - as the advert says priceless
It's rare to come across a web site (more complex than a single,static page) that *doesn't* contain XSS vulnerabilities. As the article says, for a bank this can be a major security issue since a pop-up could be used to capture identification details (and, as a result, the banks now do a pretty good job of maintaining XSS-free sites) - for a site that requires you to register in order to download marketing bumf, not so much.
Since 'Secret' info should not be held on systems that have Internet connectivity, I'm with the 10:57 post above - a slight embarrassment for the MoD, but not a top priority to fix.
What I found on the contractor's swap (popup) page:
Stephen Kring's Tommyhawkers cruise missile - Clean PVC shell, Original Estes motor(s)! Nightmares extra.
Chefton MBT - Slightly munched on right side, still little over 142.5 stone. Must pickup in Man.
Beagle Coms system - OEM, real thing; Troops don't want'em! Paypal only.
I figured someone posting about this would know more about these kind of flaws..this is harmless. What you're thinking of are things like forums, blogs, etc. where the xss code is stored and echo'd everytime someone views the page. In this case you might aswell go into your browser and type javascript:alert('hack'); because this is temporary it's only echo'd to the user who types in the arbitrary code no one else.
Please next time before instilling fear into people do research on what you're showing them.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
