ieak.microsoft.com — Someone called "Cyb3rT" has defaced a Microsoft web page - not the main one, but anyway. If you're fast you'll see it. In case it's fixed, a capture can be found at http://img254.imageshack.us/img254/949/defacefg5.jpg. Not good news for the company that claims to be the first software company in the world.
Apr 28, 2007
cmallinson Apr 29, 2007
This has nothing to do with the security of the host. The site was hacked because form input was not validated. That's the developer's fault.
danielsimon Apr 29, 2007
so muhc o' teh awesomnesz
hitman6800 Apr 29, 2007
Ok people, fact is, as has been said before, the host server is not the security flaw here. The moron who didn't sanitize user input is the one who should be in trouble. Fact is, very many 'dynamic' sites do not make sure that valid HTML code or scripting was used where the user inputs data into a form. Read up on cross-site scripting and SQL injection techniques to see exactly how this is done. Also, SANS keeps a list of vulnerable web applications. It is so long that it is scary, because most programmers work with a mindset of 'get the s**t working' rather than 'make it work securely'. Moral of the story: sanitize user input.
oceanmoon Apr 29, 2007
Argh, story could not have been buried...
tjfloyd24517 Apr 29, 2007
Looks like Microsoft has taken it down now
steve95613 Apr 29, 2007
Login page is down too. http://ieak.microsoft.com/1.0/login.asp
washcapsfan37 Apr 29, 2007
That's kind of the point. The defacement wasn't rewriting the HTML. All he did was manipulate unvalidated forms to inject some HTML/CSS that hides the old page and only shows the one entry making it look like the site was "hacked". Interesting but not difficult.
shanesemler Apr 29, 2007
So some asinine script kiddie with nothing better to do vandalizes some page on an MS site? You're giving this retard attention he doesn't deserve. Buried as lame.
shawnz Jun 4, 2007
Well, I kind of expected it to convert them to text; you would have got that impression if you read my post.