The Web site provides a single access point for national security information from the Australian government and was launched as a part of a comprehensive public information campaign.
It provides information to Australians about potential terrorist threats, travel advice and the latest news on national security issues, such as the current expansion of Australia's counter-terrorism capabilities.
However, the Web site carries its own vulnerabilities which, while not serious, are undesirable.
Users of the website can write HTML strings directly into the page’s search function. When the results page is returned, the HTML code entered into the search function will be displayed. Most sites prevent this occurrence by blocking non-alphabet characters such as "<" or " from the input field. The vulnerability makes it possible to embed images and documents from other sites in the page that is returned to the user.
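The following is an added example, not code from the site or from the original article. It contrasts a results page that echoes the search term verbatim with one that encodes the term for each place it is written; encoding on output is used here instead of the character blocking mentioned above so that legitimate queries containing "<" or quotes still work. The template, function names and sample terms are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote_plus

# Hypothetical results-page template: the search term lands in three contexts.
TEMPLATE = (
    "<p>Results for: {text}</p>"
    '<form action="/search"><input name="q" value="{attr}"></form>'
    '<a href="/search?q={url}&amp;page=2">Next page</a>'
)
TEMPLATE_TAGS = ["p", "form", "input", "a"]
# Constructed sample inputs (not taken from the article).
MARKUP_TERM = '<img src="https://example.invalid/banner.png">'
BENIGN_TERM = 'AT&T "travel advice" <2003'

def render_unencoded(term):
    """The behaviour described above: the term is echoed back verbatim."""
    return TEMPLATE.format(text=term, attr=term, url=term)

def render_encoded(term):
    """Encode for each output context instead of rejecting characters."""
    return TEMPLATE.format(
        text=html.escape(term),              # HTML body text
        attr=html.escape(term, quote=True),  # quoted attribute value
        url=quote_plus(term),                # URL query component
    )

class PageView(HTMLParser):
    """Records what an HTML parser sees: tags, visible text, field value."""
    def __init__(self):
        super().__init__()
        self.tags, self.text, self.field_value = [], [], None
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.field_value = dict(attrs).get("value")
    def handle_data(self, data):
        self.text.append(data)

def parse_page(page):
    """Return (tags, visible text, search-box value) for a rendered page."""
    view = PageView()
    view.feed(page)
    view.close()
    return view.tags, "".join(view.text), view.field_value
```

Comparing the tag list of a rendered page against `TEMPLATE_TAGS` also works as a regression check: any extra tag means user input reached the page as markup.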
In the most severe instances, cross-site scripting vulnerabilities make it possible for attackers to craft links to vulnerable sites that look legitimate.
These sites could offer both the legitimate content of the target site, and malicious content such as self-installing Trojan horse programs or misleading information.
It is not known if Australia's national security Web site is vulnerable to these extreme cases, but the mere fact that a cross-site scripting vulnerability exists will surely turn a few faces red at the office of its Attorney General (AG), which maintains the site.
The AG's office was unavailable for comment at the time of writing.