
A cross-site scripting bug patch could affect millions of websites


November 20, 2014


A cross-site scripting flaw that was patched overnight could affect millions of websites due to a seven-year-old bug in a jQuery validation plugin script used for CAPTCHA, says Dutch security penetration tester Sijmen Ruwhof.

The severe vulnerability appeared to have existed in CAPTCHA since early 2007 and could lead to session hijacking through reflected cross-site scripting attacks on exposed websites that used the demo script.

Ruwhof stumbled on the then-unpatched flaw in the jQuery Validation Plugin during a client penetration test in August. He claimed it had not been patched despite his repeated disclosures to different email addresses linked to jQuery maintainers, all of which allegedly fell on deaf ears.

"This security flaw seems to have spread to tens of thousands of web sites since its creation," Ruwhof said in a public disclosure.

"It's a wild guess, but I would not be surprised if there are around 20,000 web sites affected by this security flaw," he added.

jQuery developer Jorn Zaefferer committed a fix overnight. "The security bug wasn't in the plugin itself, just in one of the demo files, as the blog post describes. Now that the details are available, I've committed a fix," Zaefferer said.

Ruwhof cited instances of researchers reporting flaws that appeared to be ignored by jQuery developers, including one in 2011 by a security researcher known as ACC3SS.

"This security vulnerability was introduced probably around eight years ago and copied to all kinds of web sites and software products," he said.

He found that line 69 of the CAPTCHA demonstration script printed a PHP variable without any sanitization of user input, making JavaScript injection possible.

According to Google searches, that dodgy code was cited 322,300 times. By what is perhaps a wild extrapolation, he said that could mean the code was present in "millions of websites".

The researcher then advised site developers to remove the /demo/ folder from the jQuery Validation Plugin, which should be non-disruptive for most system admins.

"When you've found out that your web site was vulnerable to this attack, then you should perform a forensic analysis to see if someone attacked your website in the past," he said.

"You can easily do this by searching for extraordinary requests that are made to the vulnerable file URLs."
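One way to run the log search Ruwhof describes is sketched below. It is an added example, not code from Ruwhof or the jQuery project. It assumes combined-format access logs and treats a request as "extraordinary" when its target lies under a /demo/ folder and carries markup characters after percent-decoding; the install path and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: the plugin was unpacked under the web root with its /demo/ folder intact.
DEMO_PATH = re.compile(r"/demo/", re.IGNORECASE)
# Markup characters that a normal request for a demo page has no reason to carry.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)
# Apache/nginx "combined" access log format (only the fields used here).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample input; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Nov/2014:09:14:02 +0000] "GET /static/jquery-validation/demo/captcha/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Nov/2014:10:02:11 +0000] "GET /static/jquery-validation/demo/captcha/?x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5188 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Nov/2014:10:05:40 +0000] "GET /search?q=%3Cb%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Nov/2014:10:07:19 +0000] "GET /static/jquery-validation/demo/captcha/%253Cscript%253E HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '-- log rotated --',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious_requests(lines):
    """Return (line_no, ip, timestamp, status, decoded_target) per odd demo request."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line)
        if match is None:
            continue  # not an access-log entry
        target = fully_decode(match["target"])
        if DEMO_PATH.search(target) and MARKUP.search(target):
            hits.append((line_no, match["ip"], match["ts"], match["status"], target))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A hit with status 200 means the demo page was served with that input, so those entries are the ones to correlate with session activity from the same period.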

Source: Lookout Internet Security.
