CAPTCHA rapture as 'thousands' affected by seven-year-old bug

  • 20 November 2014
  • 0 replies
  • 153 views


Fix committed for JQuery validation plugin demo script

By Darren Pauli, 20 Nov 2014
A reflected cross-site scripting flaw patched overnight may affect millions of websites due to a seven-year-old flaw in a jQuery validation plugin demo script used for CAPTCHA, Dutch penetration tester Sijmen Ruwhof says.
The "severe" vulnerability appeared to have existed in CAPTCHA since 2007 and could lead to session hijacking through reflected cross-site scripting attacks on exposed sites that used the demo script.
Ruwhof stumbled on the then unpatched flaw in jQuery Validation Plugin during an August client penetration test, which he claimed had not been patched despite his repeated disclosures over different email addresses linked to jQuery maintainers, all of which allegedly fell on deaf ears.
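The article says a demo script that reflects a submitted value can expose the hosting site to reflected XSS and, through that, session hijacking. The following added example (not code from the article, from Sijmen Ruwhof, or from the jQuery Validation plugin; the handler names, cookie name and sample request are constructed) shows the two defensive controls a site owner would check: the reflected value is HTML-encoded before it reaches the page, and the session cookie carries HttpOnly so that page scripts cannot read it. It also includes a small check that flags a response still echoing raw markup from the query string.

```javascript
// Added example, not part of the original article or of the jQuery
// Validation plugin. Names and the sample request are constructed.

const SESSION_COOKIE = "demo_session"; // constructed cookie name

// Encode the five characters that matter in HTML text and attribute
// contexts before untrusted input is placed into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// "Before": a demo page that echoes the submitted value straight into HTML.
// This is the pattern the article describes as reflected XSS.
function renderVulnerable(params) {
  return `<p>You entered: ${params.get("captcha")}</p>`;
}

// "After": the same page with output encoding applied to the echoed value.
function renderHardened(params) {
  return `<p>You entered: ${escapeHtml(params.get("captcha"))}</p>`;
}

// Session cookie issued with flags that keep it out of reach of page
// scripts (HttpOnly) and off plaintext HTTP (Secure).
function sessionCookieHeader(sessionId) {
  return `${SESSION_COOKIE}=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Detection check for a response: does it still contain, unencoded, a
// query-string value that carried markup characters?
function reflectsRawMarkup(rendered, params) {
  const v = params.get("captcha") || "";
  return /[<>"']/.test(v) && rendered.includes(v);
}

// Constructed request: the "captcha" field carries markup instead of an answer.
const sampleQuery = new URLSearchParams("captcha=%3Cb%3Ehello%3C%2Fb%3E");

console.log(renderVulnerable(sampleQuery));                         // raw <b> tag in the page
console.log(renderHardened(sampleQuery));                           // &lt;b&gt; ... in the page
console.log(reflectsRawMarkup(renderVulnerable(sampleQuery), sampleQuery)); // true
console.log(reflectsRawMarkup(renderHardened(sampleQuery), sampleQuery));   // false
console.log(sessionCookieHeader("s3ss10n"));
```

Two caveats worth keeping in mind when applying this to a real page: the escaping shown is for HTML text and attribute values, and a value inserted into a script block or a URL needs the encoding for that context instead; and HttpOnly stops an injected script from reading the cookie, but not from issuing requests that the browser will attach the cookie to, so encoding the output remains the primary fix.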
 
Full Article
