Advertisement
Promo

Security threats Toolkit

MoD site carried cross-site scripting flaw

Tom Espiner ZDNet.co.uk

Published: 11 Aug 2009 15:33 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

The Ministry of Defence has admitted to a security flaw in its website that could have opened visitors up to attack.

The government department was alerted to the vulnerability by hacker group Team Elite, an MoD spokesperson said on Tuesday.

The cross-site scripting flaw could have allowed malicious code injection on the site, and could have led to visitors being redirected to a malicious site. However, the ministry spokesperson downplayed that possibility.

"The problem only affects one small part of the site — the A-Z index," said the spokesperson. "MoD immediately disabled the area concerned so that the vulnerability cannot be exploited and affect other websites. We are not aware that the vulnerability was exploited in any way. Work is in hand to ensure it can't happen again."

Team Elite member Maciej Bukowski, who uses the handle [-TE-]-Neo, posted details of the MoD cross-site scripting flaw on Sunday, after alerting the MoD. Bukowski posted proof-of concept code, plus a screenshot of the MoD website following code insertion, which had altered the site to read 'XSS by Team Elite', and a message to Bukowski from the MoD site administrator saying the department would "respond within 15 days" to his enquiry.

ZDNet UK was alerted to the MoD flaw by Bukowski in an email on Monday.

In July, Bukowski reported a cross-site scripting flaw in MI5's website that rendered the site breachable via its search engine.

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Did you find this article useful?
7 out of 7 people found this useful


Full Talkback thread

0 comments

Company/Topic Alerts

Create a new alert from the list below:






Video icon

Video

Sentry Posts Blog

Malicious Mobile Apps a Growing Concer...

Malicious Mobile Apps a Growing Concern Author: Eric Everson, MBA, MSIT-SE The phrase “mobile security” does not usually mean much to anyone, until of course they encounter their... More

Post a comment

Malicious Mobile Code: What You Need t...

Malicious Mobile Code: What You Need to Know. Author: Eric Everson, MBA, MSIT-SE The thought of someone hacking into your mobile phone to steal your personal data added to the growing... More

1 comment

Bletchley Park calls for operators for...

The home of World War II codebreaking has called for engineers to operate an electro-mechanical machine developed by mathematician Alan Turing. The Turing Bombe was a brute-force... More

2 comments


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters