Barack Obama's official site hacked
Written by DP
Friday, 18 April 2008
Updates:
One more XSS by mox:
http://www.xssed.com/mirror/36000/ (Requires login)
Another XSS that uses a POST request (submitted on 20/04):
http://www.xssed.com/mirror/36140/
and a... script insertion (submitted on 20/04) [Mirror]:
http://my.barackobama.com/page/event/detail/4zbp
...and I forgot to mention that connect.hillaryclinton.com is also vulnerable:
http://www.xssed.com/mirror/32472/
--------------------------------------------------------------------------------------
mox has just submitted a critical script insertion vulnerability affecting my.barackobama.com - Barack Obama's official social networking site for his supporters.
It is possible to inject an iFrame into the title parameter of your personal group [Mirror]:
http://my.barackobama.com/page/group/iframesrchttpgooglecomiframe
Attackers can load remote JavaScript inside the iFrame and infect Obama's supporters and site visitors with malware, adware and spyware. They can even display a defaced group page with pro-Hillary messages... :-P
A few days ago, C1c4Tr1Z also discovered another XSS [Mirror]:
http://my.barackobama.com/page/s/fellowsapp%22%3E%3Cimg+onerror=alert(666)+src=.%3E
Filtering the word "script" is obviously NOT the solution: neither of the payloads above contains it. Encoding special characters (<, >, ", ', &) to HTML entities before output is a good solution. Anyway, for a title you don't need any HTML at all...
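As an added illustration of that point (example code written for this page, not code from xssed.com or from the sites mentioned), the following contrasts a blocklist filter that strips the word "script" with HTML-entity encoding and with a plain-text allowlist, applied to a constructed title shaped like the img payload in the mirror above. The `renderGroupTitle` function and the sample titles are assumptions made for the example.

```javascript
// Added example: why stripping "script" fails and what to do instead.
// None of this is code from my.barackobama.com; the render function and the
// sample titles below are constructed for illustration.

// Weak approach: remove the keyword "script". The payloads discussed in the
// post (an iframe, and an img with an onerror handler) contain no such word,
// so this filter passes them through unchanged.
function stripScriptFilter(title) {
  return title.replace(/script/gi, "");
}

// Sound approach: encode every character that has meaning in HTML so the
// browser renders the title as text instead of parsing it as markup.
function encodeHtmlEntities(title) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return title.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Strictest approach for a field that never needs HTML (a group title):
// keep only a small allowlist of characters and cap the length. Output
// should still be entity-encoded at render time; the allowlist is a second
// layer, not a replacement for encoding.
function allowlistTitle(title) {
  return title.replace(/[^A-Za-z0-9 .,!?-]/g, "").slice(0, 80);
}

// Hypothetical template for a group page heading. Encoding happens here, at
// the point where untrusted data meets HTML, regardless of earlier filtering.
function renderGroupTitle(title) {
  return `<h2 class="group-title">${encodeHtmlEntities(title)}</h2>`;
}

// Cheap structural check used by the tests: does the string still contain
// characters that can open a tag or break out of an attribute value?
function containsRawMarkupChars(s) {
  return /[<>"']/.test(s);
}

// Constructed sample titles: a benign one, an iframe like the one in the
// group-title mirror (host replaced with a reserved example domain), and an
// attribute-breaking img with an event handler like the second mirror.
const SAMPLE_TITLES = [
  "Volunteers for Ohio",
  '<iframe src="http://example.invalid/"></iframe>',
  '"><img onerror=alert(666) src=.>',
];

for (const t of SAMPLE_TITLES) {
  console.log("input:          ", t);
  console.log("strip 'script': ", stripScriptFilter(t), "->",
              containsRawMarkupChars(stripScriptFilter(t)) ? "STILL MARKUP" : "safe");
  console.log("entity-encoded: ", renderGroupTitle(t));
  console.log("allowlisted:    ", allowlistTitle(t));
}
```

Running it shows the blocklist leaving both malicious titles byte-for-byte intact, while the encoded rendering turns them into visible text and the allowlist reduces them to harmless words.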
Have a look in the Articles section for information on preventing XSS and CSRF.
Related news (Updated):
http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html
[April Fools joke by 2600] / "Barack Obama's website was not hacked" - April 2 2008 (The irony)
http://www.techmeme.com/080421/p100#a080421p100