XSS on CSI 2009 Site


Zach Lanier


The website for the Computer Security Institute’s annual computer security conference, hosted at cmpevents.com, is was vulnerable to cross-site scripting. Give me a moment to be naive and be surprised that I’m seeing Classic ASP. Anyway, this has been reported to the site owner/operator and we agreed that I’d delay posting it until it was fixed [or the end of the conference, whichever came first]). The team I chatted with about this issue seemed amicable and receptive.

(Just about the time I was debating whether or not to post this run-of-the-mill cross-site scripting finding, I stumbled upon an Imperva blog post titled Web Security at CSI Annual Conference. Thanks, Imperva, for inadvertently catalyzing my decision.)

Update 200910291001: Oops. My bad. Still vulnerable:

main page ATTRITION feedback