Look Ma, I’m on CIA.gov
In an age where JavaScript is so prevalent that some websites won't even load if you don't enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or just sloppy coders craft links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.
Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.
For those of you who don't see it after clicking through, notice that the link goes to the CIA's site, but displays a past THREAT LEVEL story. Here the CIA search box fails to filter out characters that will run as a script when the site tries to process the search query.
It's a pretty common error. Recently, spammers found a similar flaw in Wired.com's search engine and used it to boost their sites' ranking in search engines. Dancho Danchev kindly reported it to us and it's since been fixed.
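The error described above, as an added example that is not code from the post or from the CIA.gov site: a search endpoint that reflects the query into the results page unescaped, beside the fixed version that HTML-escapes it. The URL, the `q` parameter name and the sample query are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed search-result template. The reflected query is the classic
# reflected-XSS sink: whatever the user typed is interpolated into the page.


def render_results_vulnerable(query: str) -> str:
    """'Before': echoes the raw query, so any markup in it is parsed as HTML."""
    return f"<h1>Results for {query}</h1>"


def render_results_fixed(query: str) -> str:
    """'After': escapes <, >, &, and quotes before interpolating the query.

    quote=True also makes the value safe inside a double-quoted attribute,
    e.g. <input value="...">, not just inside element content.
    """
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def query_from_url(url: str) -> str:
    """Extract the search term the way a search endpoint would.

    The 'q' parameter name is an assumption for this example, not the
    real parameter used by the site discussed in the post.
    """
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def reflects_markup(rendered: str) -> bool:
    """Detection check: does the rendered page still contain a live tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed probe URL: the query is a URL-encoded <script> tag.
    url = "https://example.invalid/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    q = query_from_url(url)
    print("vulnerable reflects markup:", reflects_markup(render_results_vulnerable(q)))
    print("fixed reflects markup:     ", reflects_markup(render_results_fixed(q)))
```

Escaping at the output point is the fix; rejecting "dangerous" characters at the input box, as the post's search form apparently tried to, is easy to get wrong and is not sufficient on its own.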
Still, I am now tempted to add the CIA to the list of media outlets I have written for. And HS's other demo link is pretty funny, as well. Sintonen has a list of other vulns he found here (.txt).
And, by the way, this little trick does not work if you are using Firefox along with the NoScript plug-in.
See Also:
- Security Guru Gives Hackers a Taste of Their Own Medicine
- Widespread, decade-old flaw opens holes through firewalls
- SSL Gmail Not As Safe As You Thought — UPDATED
- MySpace's Leaked Photos More Popular Than Sweeney Todd
- HowTo Evade Turkey’s YouTube Block - Updated Thursday
- Web 2.0 As A Story To Be Destroyed by Hackers
- Nasty Adobe Reader Exploit
From: Wired: Threat Level
Fri, 21st November 2008

