AOL Fixes Netscape.com XSS Hack
By Nate Mook | Published July 26, 2006, 3:00 PM
AOL's newly launched user-driven Netscape.com fell victim to a cross-site scripting (XSS) attack early Wednesday, the result of the site not properly sanitizing submitted news stories. Visitors to Netscape.com encountered crude pop-up messages and redirects to rival site Digg.
The problem stemmed from inadequate filtering of stories, which did not strip out JavaScript code that exploited an XSS issue. "The site was never compromised," an AOL spokesperson told BetaNews. "The issue lasted a couple hours before it was fixed." The company says it does not believe any malicious code was submitted during that timeframe.
lol@ "microsoft like security"
Score: 0
Hmm, this is why you should filter all user-submitted HTML content with a WHITELIST, not a blacklist.
With a blacklist you strip out unwanted elements, but there is always the chance that you missed one, such as in this case.
With a whitelist, you only list permitted items, everything else is stripped out. In this case, if you miss something, the worst that happens is something is stripped out that doesn't need to be. No security exploit. And of course it can always be added later to the whitelist.
I should probably add that my mom has used netscape.com as her homepage for years (if only because she was used to using Netscape) and when they introduced the Digg competition stuff she thought it was stupid, and I helped her set up a Google Personalized Page.
I was glad she switched, but now I realize it would have happened sooner or later, if she had still been using netscape.com now... heh.
Score: 0
I'm sure the people that actually use this didn't think it was funny but.......excuse me
Score: 0