Following on from the PHP month of bugs, IDG reports that two hackers have announced they intend to make April the month of Myspace bugs. They apparently intend to publish mainly cross-site scripting (XSS) bugs.
The advisory from Adobe recommends upgrading to the latest version.
A related, but slightly different, technique is Cross-Site Request Forgery (CSRF), which (as described by Wikipedia) “exploits the trust of the origin of the request and transmits commands from a trusted user”. The key point is that the browser attaches your cookies to any request it sends to a site, whether or not you intended to send it. For example, if del.icio.us didn’t guard against this, a piece of malicious code on some other page could post a link to an undesirable site into your collected bookmarks while you are logged in (the cookie set by del.icio.us remains active for a long time, to avoid the hassle of having to log in frequently). The CSRF FAQ offers some good advice on how to protect your application against CSRF attacks, including:
- Fix any XSS vulnerabilities first (an XSS hole lets the attacker read any anti-CSRF token straight out of the page, so the token gives no protection)
- Set short session timeouts
- Prompt the user to re-enter their login details (or password) on important pages
- Include a random token in each form or request, and check it on the server against the value stored in the session (read the FAQ, and Chris Shiflett’s article, for further guidance)
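To make the last point concrete, here is a small worked example of the per-session token check. It is an added illustration written for this post, not code from the CSRF FAQ or from Chris Shiflett’s article, and it assumes a hypothetical del.icio.us-style “save bookmark” endpoint with an in-memory session store (`SESSIONS`, `handle_post`, and so on are names chosen for the example). The unprotected handler is included alongside the protected one so you can see the forged request succeed in one and fail in the other.

```python
import hmac
import re
import secrets

# Hypothetical in-memory session store: session id -> session data.
# In a real application this would be your server-side session backend.
SESSIONS = {}


def new_session(user="alice"):
    """Log a user in: create a server-side session and return its cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": None, "bookmarks": []}
    return sid


def csrf_token_for(sid):
    """Issue (or reuse) the random anti-CSRF token tied to this session."""
    sess = SESSIONS[sid]
    if sess["csrf_token"] is None:
        sess["csrf_token"] = secrets.token_urlsafe(32)
    return sess["csrf_token"]


def render_bookmark_form(sid):
    """Render the legitimate form, embedding the session's token as a hidden field.

    An attacker's page cannot read this markup (same-origin policy), so it
    cannot learn the token to include in a forged request.
    """
    token = csrf_token_for(sid)
    return (
        '<form method="POST" action="/post">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="url"><button>Save</button></form>'
    )


def extract_token_from_form(html):
    """What a real browser does implicitly: pick the hidden token out of the page."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else ""


def handle_post_unprotected(cookies, form):
    """VULNERABLE handler: trusts the session cookie alone.

    The browser sends the cookie automatically, so a request forged by a
    third-party page is indistinguishable from a genuine one.
    """
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    sess["bookmarks"].append(form["url"])
    return 200, "bookmark saved"


def handle_post(cookies, form):
    """Protected handler: cookie AND a token matching the session value are required."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    expected = sess["csrf_token"]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a token that was never issued can never match.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, "CSRF token missing or invalid"
    sess["bookmarks"].append(form["url"])
    return 200, "bookmark saved"


def demo():
    """Replay a genuine submission and a forged one against both handlers."""
    sid = new_session()
    cookies = {"session": sid}  # the browser attaches this to every request

    # Genuine flow: user loads the form, browser submits it with the token.
    token = extract_token_from_form(render_bookmark_form(sid))
    genuine = {"csrf_token": token, "url": "https://example.org/useful"}

    # Forged flow (constructed attacker request): a hostile page makes the
    # victim's browser POST to /post. The cookie rides along; the token does not.
    forged = {"url": "http://evil.example/spam"}

    return {
        "unprotected_forged": handle_post_unprotected(cookies, forged)[0],
        "protected_genuine": handle_post(cookies, genuine)[0],
        "protected_forged": handle_post(cookies, forged)[0],
        "protected_wrong_token": handle_post(cookies, {**forged, "csrf_token": "x" * 43})[0],
    }


if __name__ == "__main__":
    print(demo())
```

The unprotected handler accepts the forged request with a 200, while the protected one returns 403 for both a missing and a guessed token; only the genuine submission, which carries the token that was rendered into the victim’s own page, gets through. Note that the token has to be tied to the session server-side, as here, rather than merely being a cookie echoed back in the form, or the attacker would be able to supply a matching pair themselves.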