 Barack Obama's official site hacked

Written by DP

Friday, 18 April 2008

Updates :
One more XSS by mox:
http://www.xssed.com/mirror/36000/ (Requires login)

Another XSS that uses a POST request (submitted on 20/04):
http://www.xssed.com/mirror/36140/

and a... script insertion (submitted on 20/04) [Mirror]:
http://my.barackobama.com/page/event/detail/4zbp

...and forgot to mention that connect.hillaryclinton.com is also vulnerable:
http://www.xssed.com/mirror/32472/

--------------------------------------------------------------------------------------

mox has just submitted a critical script insertion vulnerability affecting my.barackobama.com - Barack Obama's official social networking site for his supporters.

It is possible to inject an iFrame into the title parameter of your personal group [Mirror]:

http://my.barackobama.com/page/group/iframesrchttpgooglecomiframe

Attackers can remotely load JavaScript through the iFrame and infect Obama's supporters and site visitors with malware, adware and spyware. They can even display a defaced group page with pro-Hillary messages... :-P

A few days ago, C1c4Tr1Z also discovered another XSS [Mirror]:

http://my.barackobama.com/page/s/fellowsapp%22%3E%3Cimg+onerror=alert(666)+src=.%3E


Filtering out the word "script" is obviously NOT the solution. Filtering and encoding special characters to HTML entities is a good solution. Anyway, for a title you don't need any HTML at all...
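To make the point above concrete, here is an added example (written for this note, not code from xssed.com, mox or the Obama site) that puts a naive "strip the word script" filter next to HTML entity encoding and feeds both the same constructed group titles, shaped like the img/onerror and iFrame payloads mentioned above. Python's own `html.parser` stands in for the browser to show which tags would actually be parsed out of the rendered title; the function names, the sample titles and the `example.com` host are all assumptions for the demo.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample titles (not real submissions): the first two mimic the
# img/onerror and iFrame injection shapes, the third is a harmless title.
SAMPLE_TITLES = [
    'My Group"><img onerror=alert(666) src=.>',
    'My Group<iframe src=http://example.com></iframe>',
    'Plain title & nothing else',
]


def blacklist_filter(title: str) -> str:
    """The weak mitigation: remove the word 'script' (case-insensitive).
    Every other tag and every on* event handler is left untouched."""
    return re.sub(r"script", "", title, flags=re.IGNORECASE)


def entity_encode(title: str) -> str:
    """The recommended mitigation: turn <, >, &, " and ' into HTML entities,
    so the browser shows the title as text instead of parsing it as markup."""
    return html.escape(title, quote=True)


def validate_title(title: str, max_len: int = 100) -> bool:
    """Stricter still: a group title never needs HTML, so reject anything
    that carries angle brackets or quotes before it is stored at all."""
    return len(title) <= max_len and not re.search(r'[<>"\']', title)


class TagCollector(HTMLParser):
    """Stand-in for the browser's tokenizer: records every start tag and its
    attributes found in a rendered string."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_seen_by_browser(rendered: str) -> list[tuple[str, dict]]:
    """Return the tags an HTML parser extracts from the rendered title."""
    collector = TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def compare_mitigations(titles=SAMPLE_TITLES) -> list[dict]:
    """For each title, show what survives each mitigation and which tags a
    parser still finds afterwards."""
    report = []
    for title in titles:
        filtered = blacklist_filter(title)
        encoded = entity_encode(title)
        report.append({
            "title": title,
            "blacklist_tags": [t for t, _ in tags_seen_by_browser(filtered)],
            "encoded_tags": [t for t, _ in tags_seen_by_browser(encoded)],
            "accepted_by_validator": validate_title(title),
        })
    return report


if __name__ == "__main__":
    for row in compare_mitigations():
        print(row)
```

Running it shows the blacklist leaving `img` and `iframe` tags (with their `onerror` and `src` attributes) fully intact, since neither payload contains the word "script", while the entity-encoded version of every title yields no tags at all, and the validator simply refuses the two hostile titles.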

Have a look in the Articles section for information on preventing XSS and CSRF.

Related news (Updated):
http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html
[April Fools joke by 2600]  /  "Barack Obama's website was not hacked" - April 2 2008 (The irony)
http://www.techmeme.com/080421/p100#a080421p100
