Thousands struck by AJAX security holeby Nikola Strahija on August 18th, 2005 A security hole in CPAINT, a popular development tool, has severe implications for a number of the Internet's most popular applications, including Gmail, Flikr and MSN Virtual Earth.
The CPAINT flaw could allow an attacker to execute malicious code on a server running CPAINT, or running an application built using CPAINT, the software's developers said in an advisory.
The bug affects all existing versions of CPAINT, both the ASP and PHP implementations. The project issued a patch fixing the issue, CPAINT v1.3-SP, and is creating a more comprehensive fix for the forthcoming version 2.0.0.
The bug may affect more than just CPAINT. Developers warned that the same flaw is also likely to affect other AJAX toolkits, and urged other AJAX toolkit authors and users to test for security problems.
The AJAX approach has been adopted by a number of Web developers, the best known of them being Google, whose Google Maps, Google Suggest, Gmail and other applications use AJAX. Other high-profile AJAX-based services include Microsoft's MSN Virtual Earth, Yahoo's Flickr and AOL's AIM Mail. Many lesser-known services have also adopted AJAX, such as Swiss mapping service map.search.ch and invoicing program Blinksale.
The CPAINT security flaw doesn't automatically mean such applications are vulnerable, but should be a warning to developers using toolkits to create dynamic Web applications, CPAINT developers said.