[IP] Rating the Bush and Kerry Web sites on security
Begin forwarded message:
From: "Richard M. Smith" <rms@xxxxxxxxxxxxxxxxxxxx>
Date: June 27, 2004 5:45:30 PM EDT
To: dave@xxxxxxxxxx
Subject: Rating the Bush and Kerry Web sites on security
Hi,
To rate George Bush and John Kerry on the Homeland Security issue, I
just
completed two quick security audits of the official Bush
(http://www.georgewbush.com/) and Kerry (http://www.johnkerry.com/)
campaign
Web sites. Unfortunately, I found problems at both Web sites.
Here are the results of my testing so far:
1. Both the Bush and the Kerry Web sites have cross-site scripting
errors
(XSS). These errors can allow a prankster to create fake Web pages
which
load from the Bush or Kerry Web sites but additional content can be
supplied
from a different Web server belonging to a prankster. A prankster could
then say anything they want on a Bush or Kerry Web page using a XSS
error.
Examples include fake news stories, slogans telling visitors to vote
for the
other candidate, and doctored photos of a candidate.
2. Error trapping at the Kerry Web site isn't very good. Typing
unusual
characters into Web forms at the Kerry Web site causes Web server
applications to fail and a visitor is shown very cryptic error pages.
These
problems might be a sign of SQL injection errors which can be quite
serious.
An SQL injection error can sometimes be used by an outsider to break
into a
backend database at a Web site and then to make off with private
information
from the database.
3. The Bush Web site has hired a company called Omniture to track
users at
the Bush Web site. Omniture uses hidden Web bugs to do this tracking.
Perhaps this Web site feature was requested by John Ashcroft? ;-) This
relationship with Omniture is not spelled out in the Bush Web site
privacy
policy. For more about information about Omniture, check out their Web
site
at http://www.omniture.com/company.html.
4. Both the Bush and Kerry Web sites encourage visitors to add banner
ads
for the candidates to their own Web pages. The Bush banner ad uses
JavaScript supplied from the Bush Web server (See
http://www.georgewbush.com/WStuff/BPAdFeed.aspx). The Kerry banner ads
use
an embedded IFRAME (See http://www.johnkerry.com/download/promos.html).
Both banner ad schemes allow the campaigns to track visitors to any Web
pages where the banner ads appear. In addition, the Bush JavaScript
scheme
allows the Bush Web server to run any script code inside of other
people's
Web pages. This scheme doesn't strike me as a very good idea from a
security standpoint.
5. Both candidates have good Web site privacy policies. For some odd
reason, the Kerry Web site privacy policy is also certified by Truste
and
BBBOnline.
6. It appears that the open source vs. closed source debate has also
entered the presidential campaign. The Kerry home page comes from an
Apache
Web server running on a Red Hat Linux box. The Bush Web site on the
other
hand is hosted on a more corporate Microsoft-powered IIS 5.0 server and
uses
ASP.NET. I did not check to see if this IIS server is up to date with
Microsoft security patches.
If anyone else runs across anything interesting at these two Web sites,
please let me know.
Richard M. Smith
http://www.ComputerBytesMan.com
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/