The Tech Herald

XSS and Iframe flaws lurk on the Pentagon’s website

by Steve Ragan - Dec 8 2009, 16:50

A researcher by the name of Ne0h has discovered Cross-Site Scripting (XSS) issues in the photo gallery section of the Pentagon website. The irony is that the same flaws were discovered back in April, but appear to have never been addressed. In addition, there are also Iframe issues in the same section.

Looking into the discovery, research from Praetorian Prefect noted that, “The vulnerabilities themselves are caused by weak validation of name value pairs being received by the browser in a photo album application on the Pentagon web site… The entire web site is largely an online brochure for the Pentagon, and does not appear to host sensitive data or allow users to make sensitive requests, making the risk profile of the site low.”

Ne0h, who has posted web vulnerabilities surrounding sites maintained or owned by nVidia, Logitech, Politia Roma, MTV, and more, appears to hold the same principles as another Romanian hacker, Unu.

While some might take issue with their disclosure methods, neither one has actively harmed any of the sites they have featured. Whether the two know one another or not remains to be seen, but they both share the same home with regard to blogging about their exploits on BayWords.

The links below, including the original XSS discovery from April, are all live at the time this article was written. Ne0h’s blog on the topic is here.

[PoC 1 – Ne0h]

[PoC 2 – Ne0h]

[PoC 3 – XaDoS on 04-29-09]

 
