White hat banned for revealing vulns in news sites used by London councillors (The Register)

Old-school web platform NeighbourNET, which powers a large number of local community websites, including ten across London, contains nasty vulnerabilities that could compromise users.

The throwback sites are used for local news and by councils to communicate with residents. London districts with sites powered by the service include Shepherds Bush, Wimbledon, and Hammersmith.

UK-based security consultant Andrew Tierney of Pen Test Partners disclosed the holes to NeighbourNET two months before publishing his findings overnight.

Pen Test Partners says the platform is vulnerable to cross-site request forgery and username spoofing, and that its forum login requires nothing more than an email address to access an account.

“It would be fair to say the visual presentation of the sites hints at there being security problems,” Tierney says.

“A mess of security issues – considering that local councillors use these sites to communicate with the public, allowing impersonation is a serious issue.

“A user can visit another website, and that website can cause them to carry out actions on the site, such as posting messages.”
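The attack Tierney describes is the classic cross-site request forgery pattern: the victim's browser attaches the forum's session cookie to any form post aimed at the forum, whichever site hosts the form. The model below is an added example, not code from The Register, Pen Test Partners or NeighbourNET. It assumes a hypothetical forum origin (`https://forum.example`), an in-memory session store and a "post message" handler, and shows the cookie-only handler accepting the forged post beside a hardened handler that demands a per-session synchronizer token and rejects a foreign Origin header.

```python
"""Model of the cross-site request forgery described above (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SITE_ORIGIN = "https://forum.example"   # assumed origin of the forum site


@dataclass
class Request:
    """Just the parts of an HTTP request the two handlers look at."""
    method: str
    origin: Optional[str]      # Origin header; browsers set it on cross-site form posts
    cookies: Dict[str, str]    # attached automatically by the browser, so the attacker gets these for free
    form: Dict[str, str]       # body fields chosen by whoever wrote the form


# In-memory stand-in for the server's session store: session id -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def login(user: str) -> str:
    """Create a session for `user` and return the value stored in the session cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the forum embeds in its own forms; the same-origin policy stops other sites reading it."""
    return SESSIONS[sid]["csrf"]


def post_message_vulnerable(req: Request, posts: List[Tuple[str, str]]) -> bool:
    """Vulnerable handler: any POST that carries a valid session cookie is acted on."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return False
    posts.append((sess["user"], req.form.get("body", "")))
    return True


def post_message_hardened(req: Request, posts: List[Tuple[str, str]]) -> bool:
    """Hardened handler: a per-session synchronizer token is required, and a
    present but foreign Origin header is rejected outright."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return False
    # Origin is a secondary check: some older browsers omit it on form posts, so
    # its absence is tolerated, but a present, mismatched Origin is decisive.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    # The token is the primary defence; compare it in constant time.
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return False
    posts.append((sess["user"], req.form.get("body", "")))
    return True


def simulate() -> Dict[str, dict]:
    """Send a legitimate post and a forged one through both handlers; return the outcomes."""
    sid = login("councillor")
    legit = Request("POST", SITE_ORIGIN, {"sid": sid},
                    {"body": "Planning meeting moved to 7pm", "csrf": csrf_token_for(sid)})
    # The attacker's page auto-submits a form to the forum while the victim is logged in.
    # The browser attaches the victim's cookie, but the attacker cannot read the token
    # and the request arrives carrying the attacker's Origin.
    forged = Request("POST", "https://attacker.example", {"sid": sid},
                     {"body": "I am resigning my seat"})
    results: Dict[str, dict] = {}
    for name, handler in (("vulnerable", post_message_vulnerable),
                          ("hardened", post_message_hardened)):
        posts: List[Tuple[str, str]] = []
        results[name] = {"legit": handler(legit, posts),
                         "forged": handler(forged, posts),
                         "posts": posts}
    return results


if __name__ == "__main__":
    for name, r in simulate().items():
        print(f"{name}: legitimate accepted={r['legit']}, forged accepted={r['forged']}")
```

The hardened handler still relies on the session cookie for authentication; the token only proves that the form was rendered by the forum itself, which is exactly what a cross-site page cannot do. A `SameSite` cookie attribute would add a further layer, but it was not widely supported by browsers when this article was written.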

The platform also allows untrusted third-party content to be embedded in forum posts, because there is no whitelist restricting what markup a post may contain.

“This has only been tested with plain HTML, but if JavaScript, Flash or other content could be embedded, this would lead to cross-site scripting or malware delivery to users.”
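The fix for the embedding problem is the whitelist the platform lacks: decide which tags and attributes a post may carry and drop everything else, rather than trying to enumerate the dangerous ones. The sanitiser below is an added example, not code from the article, Pen Test Partners or NeighbourNET; the allowed tag set, attribute set and URL schemes are assumptions chosen for a simple forum. It strips script, style, iframe, object and applet elements together with their contents, removes event-handler attributes and `javascript:` links, and re-escapes all text so decoded entities cannot turn back into markup.

```python
"""Allow-list sanitiser for forum post markup (constructed example)."""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# What a post may contain.  Anything not listed here is removed.  (Assumed policy.)
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
# Elements whose text content is discarded along with the tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "applet"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative link


def safe_href(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other scheme not allow-listed."""
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.skip_depth = 0  # >0 while inside an element whose content is discarded

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is kept as plain text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, onerror=, style=, etc.
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        if not self.skip_depth:
            # convert_charrefs decoded entities; re-escape so text can never become markup
            self.out.append(escape(data, quote=False))


def sanitize(fragment: str) -> str:
    """Return `fragment` reduced to allow-listed markup with all text escaped."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample posts, including the kind of payloads the quote above warns about.
    for sample in ("<p>Hello <b>world</b></p>",
                   "<script>alert(1)</script>ok",
                   '<a href="javascript:alert(1)" onclick="x()">link</a>',
                   '<object data="movie.swf"></object>',
                   "<img src=x onerror=alert(1)>"):
        print(repr(sample), "->", repr(sanitize(sample)))
```

This sanitiser does not enforce tag nesting, so an unterminated `<b>` survives as an unterminated `<b>`; for production use a maintained sanitiser library that also tracks and balances the element stack. The point the example makes is the one in the article: the decision has to be an allow-list, because a block-list of "dangerous" tags is always one element behind the browsers.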

Tierney did receive a response to his disclosure: his accounts were suspended. ®


Source: SANS ISC SecNewsFeed @ July 11, 2016 at 01:21AM
