http://www.infosecnews.org/dod-8570-1-infosec-training-and-compliance-vendors-vulnerable-to-xss/
By William Knowles @c4i
Senior Editor
InfoSec News
July 1, 2014
XSSposed (XSS exposed) is reporting that the Web sites of both the InfoSec
Institute and the EC-Council are vulnerable to a Cross-site scripting
(XSS) attack.
Cross-site scripting (XSS) is an injection flaw in which an attacker uses a
vulnerable web application to deliver malicious content, generally a
browser-side script, to a different end user; the script then runs in that
user's browser with the trust the browser places in the affected site. XSS
attacks often lead to bypass of access controls, unauthorized access, and
disclosure of privileged or confidential information. Cross-site scripting
is listed as the number three vulnerability on the OWASP Top 10 list for
2013.
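As an added illustration (not code from the article or from either vendor), the snippet below shows how a reflected XSS on a sign-in page arises and how output encoding removes it. It assumes a hypothetical portal that echoes a `username` query value back into its HTML; the markup and the probe string are constructed for the example.

```javascript
// Added example: output-encoding untrusted input on a sign-in page.
// The portal, its template and the probe string are hypothetical.

function escapeHtml(value) {
  // Encode the five characters that can change HTML context.
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the query parameter is concatenated into the
// attribute raw, so a value containing '">' breaks out of the attribute.
function renderSignInUnsafe(username) {
  return `<form><input name="username" value="${username}"></form>`;
}

// Hardened rendering: every untrusted value is encoded for its HTML context
// before it is placed in the page.
function renderSignInSafe(username) {
  return `<form><input name="username" value="${escapeHtml(username)}"></form>`;
}

// Detection aid for a defender's template tests: does a known probe string
// survive into the rendered markup without being encoded?
function reflectsUnencoded(html, probe) {
  return html.includes(probe);
}

// Constructed, harmless probe: it only tries to close the attribute and
// inject a bold tag, which is enough to reveal a missing encoding step.
const probe = '"><b>xss-probe</b>';
console.log(reflectsUnencoded(renderSignInUnsafe(probe), probe)); // true
console.log(reflectsUnencoded(renderSignInSafe(probe), probe));   // false
```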
According to XSSposed, the InfoSec Institute has had not one, two, three,
four, five, six, but SEVEN XSS vulnerabilities disclosed this week. The
most recent XSS vulnerability in the EC-Council site is in the portal page
where its customers sign in. This is not the only XSS vulnerability on that
site: The Hacker News reported one back in 2011, and Rafay Baloch and
Deepanker Arora discovered another in 2013.
In a statement following a previous Web defacement, the EC-Council said it
"takes the privacy and confidentiality of their customers very seriously."
Regardless, the EC-Council Web site was compromised three times during a
single week in February 2014. Since the breach, the EC-Council has neither
confirmed nor denied allegations that the attacker exfiltrated thousands of
passports, drivers' licenses, and government and military Common Access
Cards (CACs).
[...]