Well known Hacker group Zer0Lulz member Pi has found a XSS in the official MIT college site. It is currently un-patched. XSS, also known as Cross Site Scripting, is an attack where a person can execute code on a website. Because this is non-persistent, a person would have to social engineer another person into visiting the link.
For example,
User 1: Hey bro, check out this site; http://www.google.com/somethinghere.php?id=
User 2 would then click the link and have his cookie, or whatever information the attacker made thescript to do, would be sent to the user. This is called cookie hijacking.For being such a big college, MIT should really step up their security. It is incredible how little security websites have these days.
Security is merely an illusion.
Poc:
http://events.mit.edu/searchresults.html?fulltext=%22--%3E%3Cscript%3Ealert%28%27Pi[Zer0Lulz]%27%29%3C%2Fscript%3E&andor=and&start.month=01&start.day=25&start.year=2012&end.month=02&end.day=25&end.year=2012
