A cross-site scripting bug patch could affect millions of websites
November 20, 2014
A cross-site scripting flaw patched overnight could affect millions of websites: the seven-year-old bug sits in a CAPTCHA demo script shipped with the jQuery Validation Plugin, says Dutch security penetration tester Sijmen Ruwhof.
The vulnerability appears to have existed in the plugin's CAPTCHA demo since early 2007 and could lead to session hijacking through reflected cross-site scripting attacks against websites that exposed the demo script.
Ruwhof stumbled on the then-unpatched flaw in the jQuery Validation Plugin during a client penetration test in August. He said it remained unpatched despite his repeated disclosures to several email addresses linked to the jQuery maintainers, all of which allegedly went unanswered.
"This security flaw seems to have spread to tens of thousands of web sites since its creation," Ruwhof said in a public disclosure.
"It's a wild guess, but I would not be surprised if there are around 20,000 web sites affected by this security flaw," he added.
jQuery developer Jörn Zaefferer committed a fix overnight. "The security bug wasn't in the plugin itself, just in one of the demo files, as the blog post describes. Now that the details are available, I've committed a fix," Zaefferer said.
Ruwhof cited earlier instances of researchers reporting flaws that appeared to be ignored by jQuery developers, including one in 2011 by a security researcher known as ACC3SS.
"This security vulnerability was introduced probably around eight years ago and copied to all kinds of web sites and software products," he said.
According to Google search results, that code was cited 322,300 times. Extrapolating from that, perhaps wildly, he said the code could be present in "millions of websites".
The researcher advised site developers to remove the /demo/ folder from the jQuery Validation Plugin, which should be non-disruptive for most system admins.
"When you've found out that your web site was vulnerable to this attack, then you should perform a forensic analysis to see if someone attacked your website in the past," he said.
"You can easily do this by searching for extraordinary requests that are made to the vulnerable file URLs."
Source: Lookout Internet Security.