Blog Oddities

Posted by Justin on November 18, 2006
Websites

So I fired up my blog today in an effort to pound out a story or two and work on a huge story I’ve had sitting for a while. To my surprise, I have two comments sitting in moderation that are for different stories, different authors, same Blog URI, and the content of the stories matches the blog posts. What gets me is both are Support requests for Firefox and WordPress. I hit the link to check out the website first and I was met with a Flash Obituary of a dead singer.

After checking out the source, I found out that the blog was there, but something else was up.

JavaScript is [very] Evil
Once I looked at the source, I figured out what was up. Somehow, the author’s page was being covered by Flash, but was listing itself as a JavaScript with a PNG format (image).

If you haven’t figured it out, I stumbled across a Cross Site Scripting vulnerability. Check out Wikipedia’s entry on this.

The main reason I typed this story out is because, every once in a while, the public needs to be reminded of the bad things that JavaScript on a website can do. Sure, inside the WordPress Control Panel, you can’t do anything without JavaScript, but in the real world, it shouldn’t be trusted - especially on a Windows-based computer.

Even Netscape was subjected to an XSS vulnerability recently from the DIGG crowd.

Now, if you ever find something fishy, do a little research and alert the website owner of the issue. This poor guy’s AdSense account has been terminated because his Blog is on a free blog website that’s running an Alpha version of WordPress 1.5… Not good, folks.