[Am-info] Fwd: Rating the Bush and Kerry Web sites on security

Gene Gaines gene.gaines@gainesgroup.com
Mon, 28 Jun 2004 02:20:59 -0400


This is a forwarded message

=================Original message text===============

From: "Richard M. Smith" <rms@computerbytesman.com>
Date: June 27, 2004 5:45:30 PM EDT
To: dave@farber.net
Subject: Rating the Bush and Kerry Web sites on security

Hi,

To rate George Bush and John Kerry on the Homeland Security
issue, I just completed two quick security audits of the
official Bush (http://www.georgewbush.com/) and Kerry
(http://www.johnkerry.com/) campaign Web sites. Unfortunately, I
found problems at both Web sites.

Here are the results of my testing so far:

1. Both the Bush and the Kerry Web sites have cross-site
   scripting errors (XSS). These errors can allow a prankster to
   create fake Web pages which load from the Bush or Kerry Web
   sites but additional content can be supplied from a different
   Web server belonging to a prankster. A prankster could then say
   anything they want on a Bush or Kerry Web page using an XSS
   error. Examples include fake news stories, slogans telling
   visitors to vote for the other candidate, and doctored photos of
   a candidate.

2. Error trapping at the Kerry Web site isn't very good. Typing
   unusual characters into Web forms at the Kerry Web site causes
   Web server applications to fail and a visitor is shown very
   cryptic error pages. These problems might be a sign of SQL
   injection errors which can be quite serious. An SQL injection
   error can sometimes be used by an outsider to break into a
   backend database at a Web site and then to make off with private
   information from the database.

3. The Bush Web site has hired a company called Omniture to
   track users at the Bush Web site. Omniture uses hidden Web bugs
   to do this tracking. Perhaps this Web site feature was requested
   by John Ashcroft? ;-) This relationship with Omniture is not
   spelled out in the Bush Web site privacy policy. For more
   information about Omniture, check out their Web site at
   http://www.omniture.com/company.html.

4. Both the Bush and Kerry Web sites encourage visitors to add
   banner ads for the candidates to their own Web pages. The Bush
   banner ad uses JavaScript supplied from the Bush Web server (See
   http://www.georgewbush.com/WStuff/BPAdFeed.aspx). The Kerry
   banner ads use an embedded IFRAME (See
   http://www.johnkerry.com/download/promos.html). Both banner ad
   schemes allow the campaigns to track visitors to any Web pages
   where the banner ads appear. In addition, the Bush JavaScript
   scheme allows the Bush Web server to run any script code inside
   of other people's Web pages. This scheme doesn't strike me as a
   very good idea from a security standpoint.

5. Both candidates have good Web site privacy policies. For some
   odd reason, the Kerry Web site privacy policy is also certified
   by Truste and BBBOnline.

6. It appears that the open source vs. closed source debate has
   also entered the presidential campaign. The Kerry home page
   comes from an Apache Web server running on a Red Hat Linux box.
   The Bush Web site on the other hand is hosted on a more
   corporate Microsoft-powered IIS 5.0 server and uses ASP.NET. I
   did not check to see if this IIS server is up to date with
   Microsoft security patches.

If anyone else runs across anything interesting at these two Web
sites, please let me know.

Richard M. Smith
http://www.ComputerBytesMan.com

==============End of original message text===========
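Item 2 of the forwarded message treats cryptic error pages on unusual form input as a possible sign of SQL injection. The following is an added example for this archive page, not code from either campaign site: it uses a constructed in-memory SQLite table to show why a string-built query fails on an apostrophe while a parameterised one does not, and how a generic error handler keeps the database exception off the visitor's screen.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for a campaign site's backend
    # database; the rows are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE volunteers (name TEXT, zipcode TEXT)")
    conn.executemany("INSERT INTO volunteers VALUES (?, ?)",
                     [("Alice", "02134"), ("Bob", "20001")])
    return conn


def search_unsafe(conn, zipcode):
    # String-built query: an apostrophe typed into the form becomes part of
    # the SQL text, the statement fails to parse, and the raw database error
    # is what a visitor sees when the application does no error trapping.
    sql = "SELECT name FROM volunteers WHERE zipcode = '%s'" % zipcode
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, zipcode):
    # Parameterised query: the value is bound by the driver and is never
    # parsed as SQL, so unusual characters simply match no rows.
    sql = "SELECT name FROM volunteers WHERE zipcode = ?"
    return [row[0] for row in conn.execute(sql, (zipcode,))]


def handle_request(conn, zipcode, search=search_safe):
    # Error trapping at the application boundary: the exception detail is
    # kept server-side (a real app would log it) and the visitor gets a
    # plain message instead of a cryptic database error page.
    try:
        return {"ok": True, "names": search(conn, zipcode)}
    except sqlite3.Error:
        return {"ok": False, "message": "Search is temporarily unavailable."}


if __name__ == "__main__":
    db = make_db()
    for value in ("02134", "0'2134"):
        print(repr(value), "unsafe:", handle_request(db, value, search_unsafe))
        print(repr(value), "safe:  ", handle_request(db, value, search_safe))
```

The unsafe path turns the apostrophe into a failed request, which is exactly the symptom the message describes; the parameterised path returns an empty result for the same input.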
-- 
Gene Gaines
gene.gaines@gainesgroup.com