UK Ministry of Defense site carried cross-site scripting flaw

By Tom Espiner, ZDNet UK
Wednesday, August 12, 2009 10:31 AM

The U.K. Ministry of Defense (MoD) has admitted to a security flaw in its Web site that could have opened visitors up to attack.

The government department was alerted to the vulnerability by hacker group Team Elite, an MoD spokesperson said on Tuesday.

The cross-site scripting flaw could have allowed malicious code injection on the site, and could have led to visitors being redirected to a malicious site. However, the ministry spokesperson downplayed that possibility.

"The problem only affects one small part of the site--the A-Z index," said the spokesperson. "MoD immediately disabled the area concerned so that the vulnerability cannot be exploited and affect other Web sites. We are not aware that the vulnerability was exploited in any way. Work is in hand to ensure it can't happen again."

Team Elite member Maciej Bukowski, who uses the handle [-TE-]-Neo, posted details of the MoD cross-site scripting flaw on Sunday, after alerting the MoD. Bukowski posted proof-of-concept code and a screenshot of the MoD Web site following code insertion, which had altered the site to read 'XSS by Team Elite'. He also posted a message to him from the MoD site administrator saying the department would "respond within 15 days" to his enquiry.

ZDNet Asia's sister site ZDNet UK was alerted to the MoD flaw by Bukowski in an e-mail on Monday.

In July, Bukowski reported a cross-site scripting flaw in MI5's Web site that rendered the site breachable via its search engine.

