Vulnerabilities / Threats
4/22/2008
05:55 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Security Vulnerabilities Reported At Obama, Clinton Web Sites

Researchers said cross-site scripting problems found on the sites could result in anything from a harmless pop-up window to exposure to malicious software.

The Web sites of Barak Obama and Hillary Clinton appear to be vulnerable to cross-site scripting (XSS) attacks.

XSSed.com, a site that tracks cross-site scripting vulnerabilities, includes reports of four XSS vulnerabilities that affect BarackObama.com and one that affects HillaryClinton.com.

Cross-site scripting allows an attacker to inject code into a Web site so that certain actions execute the code. The result can be anything from a harmless pop-up window to exposure to malicious software.

Zulfikar Ramzan, a senior researcher with Symantec Security Response, said that any time a site allows users to submit content, there's a risk that someone may submit malicious code.

XSSed.com lists two of the vulnerabilities, one on each candidate's site, as "unfixed" as of 2 p.m. PST on Tuesday, April 22.

One of the vulnerabilities reported on XSSed.com surfaced over the weekend and has since been fixed. It allowed an unknown hacker to redirect visitors who viewed the Community Blogs section on Barack Obama's Web site to rival Hillary Clinton's Web site. Two other vulnerabilities now listed only on mirror sites also appear to have been fixed.

Security vendors Netcraft and Symantec have both published blog posts about the incident. And Zenophon "Zennie" Abraham, founder and CEO of Sports Business Simulations, has posted a video demonstrating the hack on YouTube.

A Barack Obama campaign spokesperson did not immediately respond to a request for comment.

However, a person posting under the name "Mox" on the Obama Community Blog took credit for hacking BarackObama.com.

It is "Mox" who also takes credit for posting three of the XSS vulnerabilities on BarackObama.com and the one on HillaryClinton.com. The fourth XSS hole on BarackObama.com was posted by someone using the name "C1c4Tr1Z."

Ramzan said that while the brief redirection of visitors to the Barack Obama site wasn't particularly serious, an XSS vulnerability of this sort could potentially be exploited to inflict more significant harm. He suggested that a fake fund-raising solicitation window could be launched this way and that it would probably fool a lot of people because it would appear to be part of the official Barack Obama Web site.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.