TalkBack 8 of 9:
Really not a news, and not fair
The risk known as "Javascript injection" has been well known for a long time, and that's why so many websites don't allow Javascript to be submitted and presented to visitors as Javascript; notably, those sites (including online forums or wikis) forbid Javascript or filter it on input, or process the incoming data so that it will be handled as regular text, without setting the MIME media type in a way that could bring the client's browser or news reader to interpret this data as Javascript.

This is really different from the effective risks associated by security holes in the Javascript runtime engine in browsers.

So this is not news. The report in fact is crap, as it focuses on all blogs and online forums in general, and this is unfair given that most blogs, online forums or websites with talkback (like this one) already have the feature that won't allow Javascript to be injected and interpreted as such by client browsers.

There may be some cheap blog software that is bogus and doesn't implement the needed feature. The report should rather have focused on identifying that bogus software (or those blog hosting websites) that some inexperienced users may use to create their blog, and have their visitors ask the blog creator to update his blog software against this possible risk.

Regarding the case of blogs created by spammers on random websites, the technology is not the cause of the defect: even without the blogging facility, the spammers that created those blogs would have created similar content on their malicious website, so this is more related to the risk experienced by users when visiting random websites.

In other words, there's NO specific risk associated with blogs, because all the same risks may exist with traditional websites as well (and don't forget the most important risk: the injection of Javascript through online forms, or the alteration of the website database with specially crafted web form data that can inject some SQL, a bug that has been known for a long time since viral attacks like Nimda that were exploiting buffer overflows when processing form data, and that could be used in lots of server software parsing submitted web form data).

So this report is not fair. There's no difference in security between blogs and traditional websites. And the solution against those risks is to inform web authors of the risks that may exist in some software, and have them update their server software against those bugs (and that's why blog/wiki software was created: simplifying the creation of websites, using a reusable software component that is easy to install and upgrade, so that website authors focus on the most important thing: the content itself, and its organization, including links).
Posted by: PhilippeV   Posted on: 08/04/06
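The post above describes the two defences most talkback and blog software apply to submitted comments: filtering script markup on input, or escaping the submission so the browser handles it as plain text. The following example, added here and not part of the original post or of any product it mentions, implements both in Python on a constructed sample comment so the difference in strength is visible. All function names and the sample comment are my own assumptions.

```python
import html
import re

# Constructed sample comment (not taken from the page): an injected script tag
# sits next to ordinary text and harmless-looking bold markup.
SAMPLE_COMMENT = '<script>alert("x")</script>Nice post! <b>Thanks</b>'

# Matches an opening or closing <script> tag, case-insensitively, allowing
# whitespace tricks such as "< script" or "</ SCRIPT".
SCRIPT_TAG = re.compile(r'<\s*/?\s*script\b[^>]*>', re.IGNORECASE)


def filter_script_on_input(submitted: str) -> str:
    """Input-side filter: strip <script> tags before storing the comment.

    This is the weaker of the two approaches: it only removes what the
    pattern recognises, so other markup (here, <b>) is stored as-is and any
    tag the pattern does not anticipate would survive.
    """
    return SCRIPT_TAG.sub('', submitted)


def render_as_text(submitted: str) -> str:
    """Output-side escaping: encode every HTML-significant character so the
    browser displays the submission literally instead of parsing it.

    html.escape with quote=True converts & < > " and ' into entities, which
    covers script tags, event-handler attributes and attribute breakouts alike.
    """
    return html.escape(submitted, quote=True)


def contains_script_markup(text: str) -> bool:
    """Defensive check: does the text still contain a literal <script> tag?"""
    return SCRIPT_TAG.search(text) is not None


def build_comment_html(comments) -> str:
    """Assemble a talkback page fragment with every comment escaped on output.

    The page is served as text/html; the point is that user data inside it has
    been turned into inert text, so the MIME type never lets it run as script.
    """
    items = ''.join(f'<li>{render_as_text(c)}</li>' for c in comments)
    return f'<ul class="talkback">{items}</ul>'


if __name__ == '__main__':
    filtered = filter_script_on_input(SAMPLE_COMMENT)
    escaped = render_as_text(SAMPLE_COMMENT)
    print('input filter :', filtered)
    print('output escape:', escaped)
    print('page fragment:', build_comment_html([SAMPLE_COMMENT]))
```

Filtering on input leaves the `<b>` markup (and anything else the pattern misses) to be interpreted by the browser, whereas escaping on output turns the whole submission into inert text; most software does the latter and keeps the former only as a secondary measure.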


I have an idea  Linux User 147560 | 08/04/06
Rule of Thumb  smartyram | 08/04/06
RSS Javascript Risk  Downes | 08/04/06
The problem isn't Javascript, but javascript is the warhead...  Resuna | 08/04/06
Buried in the article... it's IE again...  Resuna | 08/04/06
This is all a Bunch of Crap  prwexler@... | 08/04/06
Cause for concern  Nathank@... | 08/04/06
Really not a news, and not fair  PhilippeV | 08/04/06
Sick and Tired  whoozhe@... | 08/04/06
