Advertisement
Promo

Security threats Toolkit

MoD site carried cross-site scripting flaw

Tom Espiner ZDNet.co.uk

Published: 11 Aug 2009 15:33 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

The Ministry of Defence has admitted to a security flaw in its website that could have opened visitors up to attack.

The government department was alerted to the vulnerability by hacker group Team Elite, an MoD spokesperson said on Tuesday.

The cross-site scripting flaw could have allowed malicious code injection on the site, and could have led to visitors being redirected to a malicious site. However, the ministry spokesperson downplayed that possibility.

"The problem only affects one small part of the site — the A-Z index," said the spokesperson. "MoD immediately disabled the area concerned so that the vulnerability cannot be exploited and affect other websites. We are not aware that the vulnerability was exploited in any way. Work is in hand to ensure it can't happen again."

Team Elite member Maciej Bukowski, who uses the handle [-TE-]-Neo, posted details of the MoD cross-site scripting flaw on Sunday, after alerting the MoD. Bukowski posted proof-of concept code, plus a screenshot of the MoD website following code insertion, which had altered the site to read 'XSS by Team Elite', and a message to Bukowski from the MoD site administrator saying the department would "respond within 15 days" to his enquiry.

ZDNet UK was alerted to the MoD flaw by Bukowski in an email on Monday.

In July, Bukowski reported a cross-site scripting flaw in MI5's website that rendered the site breachable via its search engine.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
7 out of 7 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats



Company/Topic Alerts

Create a new alert from the list below:






Related Jobs

C++ Developer Banking (C++/UNIX/Perl/Scripting/FX/Options/C++/Boost)

Senior Genetics Analyst - Statistician - South East

Linux Test Analyst, 30k - 40k

Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Opera censors Chinese content

Opera has updated the Chinese version of its mobile browser to stop users accessing restricted content. Opera Mini was updated on Friday from an international to a Chinese version,... More

Post a comment

Symantec website breached

Security company Symantec has said that one of its websites was successfully breached. Romanian security researcher 'Unu' posted details of the breach in a blog post on Monday. Unu... More

Post a comment

Campaigners criticise '£10bn NHS IT ov...

The National Health Service's flagship IT project has been criticised by a tax campaign group for running billions of pounds over budget. The NHS National Programme for IT (NPfIT)... More

2 comments


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters