A BBC page has been detected as being at risk to cross site scripting (XSS).
ProCheckUp has published a vulnerability showing that the Betsie (BBC education text to speech internet enhancer) page is vulnerable to XSS with the ability to inject malicious characters into the requested path. Additionally, Betsie discloses the webroot when the parser.pl program is called without any parameters.
The system is designed to give people with disabilities easier access to the internet by converting web pages into graphic free, text only versions used by text to speech systems.
ProCheckUp claimed that an attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link to a Betsie site and such code would run within the context of the target domain.
Rolando Fuentes, security consultant at ProCheckUp, claimed that this type of attack can result in non-persistent defacement of the target site, or the redirection of confidential information (i.e session IDs) to unauthorised third parties.
“It's disappointing to find common threats such as these targeted at systems designed to support people with disabilities ,” said Fuentes.