AOH :: ISNQ5353.HTM

NHS heals serious spoof email flaw




NHS heals serious spoof email flaw
NHS heals serious spoof email flaw



http://www.theregister.co.uk/2009/08/27/nhs_spoof_email_xss_flaw/ 

By John Leyden
The Register
27th August 2009

Updated - Cross-site scripting (XSS) vulnerabilities on the National 
Health Service's website created a means to send spoofed emails with 
dodgy medical advice. The vulnerabilities, now fixed, also created a 
potential means to run information-harvesting attacks.

Various security shortcomings on the main nhs.uk website established a 
means for dodgy sorts to present content of their choosing in the 
context of the NHS site. The flaws were discovered by Phillip Clarke, a 
director at a small UK-based software development firm, who began 
looking into the issue after reading about recent cross-site scripting 
flaws on the websites of MI5 and the MoD.

Clarke also found similar XSS flaws on the website of the National 
Institute for Health and Clinical Excellence in the UK (NICE), the 
organisation that publishes clinical appraisals of medical treatments.

[...]


________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods