NHS heals serious spoof email flaw

NHS heals serious spoof email flaw
NHS heals serious spoof email flaw 

By John Leyden
The Register
27th August 2009

Updated - Cross-site scripting (XSS) vulnerabilities on the National 
Health Service's website created a means to send spoofed emails with 
dodgy medical advice. The vulnerabilities, now fixed, also created a 
potential means to run information-harvesting attacks.

Various security shortcomings on the main website established a 
means for dodgy sorts to present content of their choosing in the 
context of the NHS site. The flaws were discovered by Phillip Clarke, a 
director at a small UK-based software development firm, who began 
looking into the issue after reading about recent cross-site scripting 
flaws on the websites of MI5 and the MoD.

Clarke also found similar XSS flaws on the website of the National 
Institute for Health and Clinical Excellence in the UK (NICE), the 
organisation that publishes clinical appraisals of medical treatments.


Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods