Constructr CMS Cross-Site Scripting plus SQL Injection Vulnerabilities
Software: Constructr CMS 3.x
Critical Level: Medium
Impact: Cross Site Scripting
Roy, or as he is also known, the Ghost of Facebook, discovered several security holes on Facebook. One of these flaws was an XSS (cross-site scripting) flaw. It appears that, in an attempt to make Facebook aware of the risk posed by one of these security issues (the XSS flaw), he exploited it by placing a message letting Facebook users all over the world know he was “Off to Danao City”.
All the Facebook members who received this message could not delete it or block Roy, because Roy was not in their list of friends. This security flaw in Facebook allowed Roy to contact a large number of Facebook members he did not have access to.
This security flaw should be a wake-up call to Facebook. Roy may have drawn their attention to it by his actions, but what if this flaw had been exploited by a cybercriminal with malicious intent towards Facebook’s users? Facebook has been lucky here: Roy has proven to them that if they don’t keep on top of their Internet security, it is possible for someone to gain access to thousands of Facebook users.
According to xssed.com, a new XSS flaw was found on Facebook on January 28, 2011. They report that this vulnerability leaves users at risk of scripting attacks and login phishing. So is this the same XSS flaw that gave Roy access? If it is, then why did it take Facebook 13 days to take action, and why did they have to be forced into taking action by Roy? We have found several sites on the Internet reporting this XSS vulnerability in Facebook; another example is the Bkis Global Task Force Blog, which reported this flaw on 28 Jan 2011.
The action that Roy took to draw Facebook’s attention to this security hole was not correct, but it is sad to say that in today’s world it is one of the most effective ways of getting people to improve their Internet security. By this comment we are pointing out that a large percentage of website owners do not take the necessary action to ensure that their websites are secure, even when vulnerabilities and security alerts are published. These people only take action after it becomes public knowledge that their website has been hacked. It is hard to say who is right and wrong in these situations, because there are no proper laws in place to force website owners to have a basic level of security.
I do not condone hackers who exploit websites just to force the owners to put correct security in place, but should we prosecute the hacker and not the website owner? We need laws and regulations in place to ensure website owners take correct action to protect their websites and users by having an acceptable level of security in place, as well as forcing them to prove that they are taking the necessary steps to keep their security up to date.
The fact of the matter is that Roy did not hack Facebook; he simply accessed Facebook through an open door (a security hole). The most shocking part of all the so-called big hacks that are known about in the media is that most were not hacks: they were simply people accessing systems through open doors (security holes/flaws) that gave them access to the system. 99% of all hacking can be prevented by simply keeping your system up to date and running regular security checks.
What is an XSS (Cross-Site Scripting) attack?
Cross-site scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted websites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted and will execute it. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
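The two paragraphs above describe the root cause (user input copied into the generated page without encoding) and the fix (encode it). The following is an added example written for this page; it is not code from the original post, from Facebook, or from Constructr CMS. It models a hypothetical search page that reflects the `q` parameter back into HTML, shows the vulnerable rendering beside the hardened one, and includes a small check a defender can use to tell the two outputs apart. The query strings are constructed sample input, and the `alert(1)` payload is the standard textbook probe, not a real attack.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query strings, as a browser would send them to a
# hypothetical search page (not captured from any real site).
BENIGN_QUERY = "q=hello+world"
HOSTILE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _search_term(query_string: str) -> str:
    """Extract the 'q' parameter from a URL query string (hypothetical page)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """The flaw the text describes: user input goes straight into the HTML.

    Whatever the user typed becomes part of the page the browser parses, so
    a <script> element in the query runs with the site's own origin and can
    read its cookies and session tokens, exactly as the text warns.
    """
    term = _search_term(query_string)
    return f"<p>Results for: {term}</p>"


def render_search_safe(query_string: str) -> str:
    """The fix: encode for the HTML text context before emitting.

    html.escape turns < > & " ' into entities, so the browser renders the
    input as literal text instead of parsing it as markup. This encoder is
    correct for element text and quoted attribute values only; JavaScript,
    URL and CSS contexts each need their own encoder.
    """
    term = _search_term(query_string)
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_active_script(rendered_html: str) -> bool:
    """Crude defender's check used by this demo: is a live <script> tag present?

    It only looks for an unencoded script tag in the rendered output; it is a
    teaching aid, not a substitute for an HTML parser or a scanner.
    """
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    for label, query in (("benign", BENIGN_QUERY), ("hostile", HOSTILE_QUERY)):
        print(label, "vulnerable:", render_search_vulnerable(query))
        print(label, "safe:      ", render_search_safe(query))
```

Run stand-alone, the hostile query produces a page containing a live `<script>` element from `render_search_vulnerable` and the harmless text `&lt;script&gt;alert(1)&lt;/script&gt;` from `render_search_safe`. The design point is that the fix lives at the output boundary: input validation alone cannot know which output context the value will land in, so encoding is applied where the HTML is built.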