MoD site carried cross-site scripting flaw
Published: 11 Aug 2009 15:33 BST
The Ministry of Defence has admitted to a security flaw in its website that could have opened visitors up to attack.
The government department was alerted to the vulnerability by hacker group Team Elite, an MoD spokesperson said on Tuesday.
The cross-site scripting flaw could have allowed malicious code injection on the site, and could have led to visitors being redirected to a malicious site. However, the ministry spokesperson downplayed that possibility.
"The problem only affects one small part of the site — the A-Z index," said the spokesperson. "MoD immediately disabled the area concerned so that the vulnerability cannot be exploited and affect other websites. We are not aware that the vulnerability was exploited in any way. Work is in hand to ensure it can't happen again."
Team Elite member Maciej Bukowski, who uses the handle [-TE-]-Neo, posted details of the MoD cross-site scripting flaw on Sunday, after alerting the MoD. Bukowski posted proof-of concept code, plus a screenshot of the MoD website following code insertion, which had altered the site to read 'XSS by Team Elite', and a message to Bukowski from the MoD site administrator saying the department would "respond within 15 days" to his enquiry.
ZDNet UK was alerted to the MoD flaw by Bukowski in an email on Monday.
In July, Bukowski reported a cross-site scripting flaw in MI5's website that rendered the site breachable via its search engine.
Did you find this article useful?
7 out of 7 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
