I gave a lightning talk on XSS vulnerabilities in library software at the first Code4Lib conference.
You'll be happy to know that as bad as things are, they've improved considerably! I showed several ILS vendors how I could insert arbitrary JavaScript into their products. Some of them fixed their products in the next update cycle; some took a couple of years. One particularly nasty vulnerability I am unable to talk about; it was so nasty and close to home. But the general problem persists. Perhaps an outing process would be useful.
Eric
On Dec 9, 2011, at 10:54 AM, Erin Germ wrote:
> Good morning group,
>
> I don't mean to be an alarmist but I follow some sites that list XSS and
> other vulnerabilities for web sites. Among the latest updates with site
> vulnerabilities were a few from libraries.
>
> Some of these are dated a couple months ago but they are now just being
> pushed out and still have a status of "unfixed".
>
> If you would like to know if your site(s) are on the list, I would start by
> checking http://www.xssed.com/
>
> V/R
>
> Erin