Was IBM.com At Cross-Site Scripting Risk? Yup.

Author: Dave Lewis

A little late, but better that than never. I noticed this article from the site Internet News about IBM and potential cross-site scripting issues in the RSS feeds for IBM.

A Japanese security researcher has alleged that an Atom format syndication feed on IBM.com was at risk from an XSS attack. The flaw would only have been exploitable for users of Microsoft’s Internet Explorer version 6 and has apparently been fixed.

Security researcher Yosuke Hasegawa told InternetNews.com that he reported the flaw to IBM through the IPA/ISEC. He said IBM replied on Aug. 30 saying the issue had been corrected.

An IBM spokesperson was not immediately available for comment.

In a public posting to a popular security list, Hasegawa posted a proof of concept URL that, when accessed by Internet Explorer 6.0, would trigger a script to operate.

Well, it wasn’t the only XSS problem on IBM’s website. I posted this after reading RSnake’s blog on the subject. The only difference is that I put up a screen capture of the XSS example from IBM’s page on XSS security. The problem there has since been fixed.

Example:

[Screen capture: ibmxss.jpg]
