National Security Agency (NSA) SSL web page XSSed
Written by DP
Wednesday, 23 June 2010
Security researcher "Zeitjak" has notified us that the NSA.gov website is vulnerable to a new critical cross-site scripting vulnerability.
Malicious people can exploit the XSS by launching a client-side attack against NSA's computers or browsers, with the purpose of obtaining classified information. With the NSA providing security services to the government, military and large enterprises, botnet herders would be so proud to own NSA zombies!
What triggers the flaw seems to be an unfiltered parameter (languageCd=) in Oracle's PeopleSoft Enterprise version 8. Strangely, although a Google search revealed more than 2000 high-profile websites using this web CRM/HRMS application, and more than 200 using version 8, we could not reproduce the XSS on a few of them.
intitle:PeopleSoft Enterprise 8 Sign-in inurl:cmd=login
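One way to treat a request parameter such as languageCd defensively, shown as an added example that is not part of the original article and is not PeopleSoft code: allowlist the value before use, escape it on output, and flag logged requests whose value fails the same check. The three-letter code format, the default value, the function names, the request path and the log lines are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a valid language code is exactly three uppercase letters (e.g. ENG).
LANG_RE = re.compile(r"[A-Z]{3}")
DEFAULT_LANG = "ENG"
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')

def safe_language(raw):
    """Return raw only if it matches the allowlist pattern, else the default."""
    return raw if isinstance(raw, str) and LANG_RE.fullmatch(raw) else DEFAULT_LANG

def render_language_attr(raw):
    """Hypothetical reflection point: validate first, then escape on output."""
    return 'value="%s"' % html.escape(safe_language(raw), quote=True)

def suspicious_requests(log_lines):
    """Return (client, decoded value) for requests whose languageCd fails validation."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(2)).query, keep_blank_values=True)
        for value in params.get("languageCd", []):
            if not LANG_RE.fullmatch(value):
                hits.append((m.group(1), value))
    return hits

# Constructed access-log lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jun/2010:10:00:01 +0000] "GET /example/signon?cmd=login&languageCd=ENG HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Jun/2010:10:00:09 +0000] "GET /example/signon?cmd=login&languageCd=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    '192.0.2.44 - - [23/Jun/2010:10:01:12 +0000] "GET /example/signon?cmd=login&languageCd=FRA HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(client, repr(value))
```

Validation and output escaping are applied together here so that a gap in one layer does not leave the parameter reflected raw.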
NSA has been XSSed, hacked and defaced in the past:
Source: Zone-H.org Digital Attacks/Web Defacement Archive