A BBC page has been detected as being at risk to cross site scripting (XSS).
ProCheckUp has published a vulnerability showing that the Betsie (BBC education text to speech internet enhancer) page is vulnerable to XSS with the ability to inject malicious characters into the requested path. Additionally, Betsie discloses the webroot when the parser.pl program is called without any parameters.
The system is designed to give people with disabilities easier access to the internet by converting web pages into graphic-free, text-only versions used by text-to-speech systems.
ProCheckUp claimed that an attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to a Betsie site and such code would run within the context of the target domain.
Rolando Fuentes, security consultant at ProCheckUp, claimed that this type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (such as session IDs) to unauthorised third parties.
“It's disappointing to find common threats such as these targeted at systems designed to support people with disabilities ,” said Fuentes.
See original article on scmagazineuk.com
Disability site vulnerable to XSS attack
By
Dan Raywood
on
Nov 10, 2009 11:09AM
Betsie under threat.
Got a news tip for our journalists? Share it with us anonymously here.
Partner Content
Partner Content
Matt Tett to lead essential primer session on security by design
Promoted Content
Security "mindset shift" needed to protect organisations
Promoted Content
5 essential digital transformation ideas
Partner Content
"We're seeing some good policy put in place, but that's the exception"
Sponsored Whitepapers
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Don’t pay the ransom: A three-step guide to ransomware protection
