Users login

Create an account »

JOIN XATRIX

Users login

Home » News » Thousands struck by AJAX security hole

Thousands struck by AJAX security hole

by Nikola Strahija on August 18th, 2005 A security hole in CPAINT, a popular development tool, has severe implications for a number of the Internet's most popular applications, including Gmail, Flikr and MSN Virtual Earth.


Tens of thousands of companies including AOL, Google, Microsoft and Yahoo are going to be affected by the flaw in CPAINT - a toolkit used to create applications using an approach known as AJAX - short for Asynchronous JavaScript and XML. Rather than a technology in itself, AJAX is an approach to putting more dynamic interactivity into Web applications using a combination of HTML, CSS, Document Object Model, JavaScript, and XMLHttpRequest.

The CPAINT flaw could allow an attacker to execute malicious code on a server running CPAINT, or running an application built using CPAINT, the software's developers said in an advisory.

The bug affects all existing versions of CPAINT, both the ASP and PHP implementations. The project issued a patch fixing the issue, CPAINT v1.3-SP, and is creating a more comprehensive fix for the forthcoming version 2.0.0.

The bug may affect more than just CPAINT. Developers warned that the same flaw is also likely to affect other AJAX toolkits, and urged other AJAX toolkit authors and users to test for security problems.

The AJAX approach has been adopted by a number of Web developers, the best known of them being Google, whose Google Maps, Google Suggest, Gmail and other applications use AJAX. Other high-profile AJAX-based services include Microsoft's MSN Virtual Earth, Yahoo's Flickr and AOL's AIM Mail. Many lesser-known services have also adopted AJAX, such as Swiss mapping service map.search.ch and invoicing program Blinksale.

The CPAINT security flaw doesn't automatically mean such applications are vulnerable, but should be a warning to developers using toolkits to create dynamic Web applications, CPAINT developers said.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »