Researchers from Secfence Technologies provided us with proof

Mar 24, 2012 10:06 GMT  ·  By

Researchers from Secfence Technologies provided us with information that demonstrates a number of security holes which expose the official site of the US Army Corps of Engineers to malicious plots.

Information Security Analyst Prashant Uniyal revealed that the cross-site scripting (XSS), Iframe and SQL Injection vulnerabilities present on the site were found three years ago, but nothing has been done in the meantime to address them.

As some of our readers may remember, TeamHav0k also appointed the site of the US Army Corps of Engineers as being vulnerable to XSS attacks back in February, but now, Uniyal brings further evidence that highlights the issues.

“Cross site scripting aka XSS was found on the website manually. At the first sight, the scripts get restricted due to ACL. But the ACL can be bypassed using iframe or marquee tag,” the analyst told us.

As the screenshot shows, the XSS flaws can be easily leveraged by an attacker to alter the site’s appearance and replace legitimate content with malicious content.

The Iframe Injection weakness can be used, as the second image reveals, to inject an iframe which can host a phishing page that’s designed to steal the unsuspecting victim’s most private details.
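The analyst's remark that the site's "ACL" blocks scripts but not iframe or marquee tags describes a tag-blacklist filter, and the point for defenders is that a blacklist of known-bad tag names is not a fix for XSS or iframe injection; output encoding for the HTML context is. The following is an added illustration, not code from the article or from the site in question: a hypothetical blacklist filter (`blacklist_filter`, blocking only `script`) is compared with context-aware encoding (`encode_for_html_body`) on constructed sample inputs.

```python
import html
import re

# Constructed sample inputs, not strings taken from the site in the article:
# what a tag blacklist tends to catch, and what it does not.
SAMPLES = {
    "script_tag": "<script>alert(1)</script>",
    "iframe_tag": '<iframe src="https://example.invalid/login"></iframe>',
    "marquee_tag": "<marquee>hello</marquee>",
    "plain_text": "Corps of Engineers news",
}

# Hypothetical tag blacklist standing in for the "ACL" the article mentions:
# it removes only the tag names it knows about.
BLACKLIST = ("script",)


def blacklist_filter(value: str) -> str:
    """Strip blacklisted tags; every other tag passes through untouched."""
    for tag in BLACKLIST:
        value = re.sub(rf"</?{tag}[^>]*>", "", value, flags=re.IGNORECASE)
    return value


def contains_html_tag(value: str) -> bool:
    """True if the string still carries a raw HTML element after processing."""
    return re.search(r"<[a-zA-Z][^>]*>", value) is not None


def encode_for_html_body(value: str) -> str:
    """Hardened form: encode untrusted text for the HTML body context.

    No tag survives because '<', '>', '&' and quotes become entities, so the
    browser renders the input as text regardless of which tag name it used.
    """
    return html.escape(value, quote=True)


def compare(samples=SAMPLES):
    """Return, per sample, whether a raw tag survives each approach."""
    return {
        name: {
            "blacklist_lets_tag_through": contains_html_tag(blacklist_filter(s)),
            "encoding_lets_tag_through": contains_html_tag(encode_for_html_body(s)),
        }
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The blacklist stops the `<script>` sample and nothing else; both the iframe and the marquee sample reach the page as live markup, which is exactly the bypass the analyst describes. Encoding at the point of output lets none of them through, and it needs no list of tag names to maintain.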

“SQL injection was also found manually on the website. An attacker can execute queries on the website and disclose sensitive information,” Uniyal explained.
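The article does not say how the site's queries were built, so the following is an added, self-contained illustration of the vulnerability class Uniyal names and its standard mitigation, not code from the site or the researchers. It uses a constructed in-memory SQLite table and compares a query assembled by string concatenation (`lookup_page_unsafe`) with the same query using a bound parameter (`lookup_page_safe`); the table, rows and function names are assumptions for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's content store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages (slug, public) VALUES (?, ?)",
        [("home", 1), ("news", 1), ("internal-memo", 0)],
    )
    return conn


def lookup_page_unsafe(conn: sqlite3.Connection, slug: str) -> list:
    """Vulnerable form: the request value is spliced into the SQL text,
    so quote characters in it change the structure of the statement."""
    query = f"SELECT slug FROM pages WHERE public = 1 AND slug = '{slug}'"
    return [row[0] for row in conn.execute(query)]


def lookup_page_safe(conn: sqlite3.Connection, slug: str) -> list:
    """Hardened form: a bound parameter. The driver passes the value to the
    engine as data, so it can never be parsed as part of the statement."""
    query = "SELECT slug FROM pages WHERE public = 1 AND slug = ?"
    return [row[0] for row in conn.execute(query, (slug,))]


def demo() -> dict:
    """Run both lookups with a normal slug and with a slug containing a quote."""
    conn = make_db()
    benign = "news"
    tampered = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "unsafe_benign": lookup_page_unsafe(conn, benign),
        "unsafe_tampered": lookup_page_unsafe(conn, tampered),
        "safe_benign": lookup_page_safe(conn, benign),
        "safe_tampered": lookup_page_safe(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query, the quoted input turns the `public = 1` restriction into one branch of an `OR`, and the non-public row comes back along with everything else; with the bound parameter the same input is just a slug that matches nothing. The same principle applies to any database driver: keep the statement text fixed and hand values over separately.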

“These vulnerabilities can pose serious threats for the military corps,” he added.

The website’s administrators were informed of the existence of these issues some time ago, but until now they haven’t responded to the researchers' notifications. However, at press time the site seems to be undergoing some modifications, since many of the webpages can’t be accessed.

Hopefully, this is an indication of the fact that the issues are currently being addressed.

Update. The security experts told us that the vulnerabilities that affected the site were addressed.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile.

Photo Gallery (5 images): US Army Corps of Engineers banner; screenshots of the vulnerabilities in the US Army Corps of Engineers site.