
Thursday, June 10, 2010

I knew an open source CMS was a bad idea for whitehouse.gov

I like playing with security... it's fun to break things (of my own or with permission) and it's what makes security work. If we never tried to break the design and just assumed security, then the less moral of us would, and they would find our code easy pickings. XSS is one of my personal favorites because they are everywhere, usually easy to find, and can be super nasty (Samy is my hero).

So when I heard that Obama was going to make the WHITEHOUSE.GOV website a Drupal site, I thought it was quite dumb... I mean, it's the White House... you need a friggen CMS? Hell, waste some money on an old-fashioned webmaster and have it all flat HTML (I just think that a defaced homepage for America would totally suck). With the code for the site open source, I instantly know about most of the code that whitehouse.gov runs on, and I can do my own pen testing before I even try on the whitehouse.gov domain. I wasn't alone in this: ha.ckers.org makes these same exact points... and I commented on it.

Flash forward 211 days


What happens across my RSS feed? Do my eyes deceive me? ZOMG, it's an article describing how Drupal is redefining its policy to clarify that it only supports security on STABLE releases
and...
The clarifications are a response to the discovery of a potentially serious XSS hole in the Drupal Context module three weeks after White House developers proudly released their own plug-in based on the buggy module.
- from The Register

I hate being right

Now I haven't looked at the XSS hole myself yet, but they said it was in the administrative console (they say that makes it limited; I think that now I can steal the admin auth cookies). Even if they caught it in time, this is the exact issue I was warning about. Am I crazy? What do you think? I'd love to spark off a good discussion on it :)
