A few dozen municipal websites appear to have been exposed to an XSS vulnerability for months. In theory, attackers could have served fake code to visitors or silently forwarded them to other sites. The hole has been closed.
A Tweaker discovered that the website of the municipality of Valkenswaard was vulnerable to XSS attacks. As a result, malicious third parties could execute JavaScript code in the context of the site and, for example, automatically redirect visitors to a different website.
The XSS vulnerability appears not to be in the code of the municipality of Valkenswaard itself, but in a component from SIMgroep. This organisation hosts various e-government services for a few dozen municipalities. Tweakers.net examined fifteen of those websites and found that nine of them were vulnerable to XSS attacks. These were the sites of the municipalities of Valkenswaard, the Netherlands, Zoetermeer, De Ronde Venen, Ouderkerk, Westervoort, Roerdalen, Strijen, Raalte and Reimerswaal.
After Tweakers.net informed SIMgroep about the XSS vulnerability, the company repaired the leak. According to director Frank Good, it was a ‘careless mistake that allowed it’. “We are busy day and night checking the code. We focused mainly on SQL injections, so we had not thought of an XSS vulnerability.” According to him, dozens of sites were susceptible to the leak. He stresses that personal data was not in danger.
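To illustrate the gap Good describes, here is an added example in Python (not SIMgroep's code and not from the original article): a search handler whose parameterised query resists SQL injection but still reflects the search term into the HTML unescaped, beside the fixed version that HTML-encodes everything it outputs. The in-memory table and page titles are constructed for the demo.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for a municipal site's page index (demo data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (title TEXT)")
    con.executemany("INSERT INTO pages VALUES (?)",
                    [("Parking permits",), ("Waste collection",)])
    return con


def search(con, term):
    """Parameterised lookup: the term is bound, never concatenated into the SQL,
    so an injection attempt is treated as literal text and cannot alter the query."""
    rows = con.execute("SELECT title FROM pages WHERE title LIKE ?", (f"%{term}%",))
    return [title for (title,) in rows]


def render_vulnerable(term, titles):
    """Passes an SQL-injection review, yet reflects user input straight into HTML.
    Any markup or script in `term` is interpreted by the visitor's browser."""
    items = "".join(f"<li>{t}</li>" for t in titles)
    return f"<p>Results for: {term}</p><ul>{items}</ul>"


def render_fixed(term, titles):
    """Same output, but every untrusted value is HTML-encoded before it is
    placed in the page (html.escape also encodes quotes, covering attribute contexts)."""
    safe_term = html.escape(term)
    items = "".join(f"<li>{html.escape(t)}</li>" for t in titles)
    return f"<p>Results for: {safe_term}</p><ul>{items}</ul>"


def reflects_script(page):
    """Simple check a tester can run on rendered output: is a raw <script> tag present?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    con = make_db()
    probe = "<script>alert(1)</script>"  # canonical, constructed test string
    print("injection attempt finds:", search(con, "' OR 1=1 --"))  # []
    print("vulnerable reflects script:", reflects_script(render_vulnerable(probe, search(con, probe))))
    print("fixed reflects script:", reflects_script(render_fixed(probe, search(con, probe))))
```

The point is that the two defects are independent: bound SQL parameters say nothing about output encoding, so a review that only covers SQL injection leaves the reflected-XSS path untested.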
The leak in the municipal websites follows another leak that came to light last weekend. In that case, private information of both citizens and officials was reportedly at stake. Some of those sites were hosted at Gemeenteweb, but after that leak was published they were moved to SIMgroep. According to Good, those sites are not susceptible to this error. “They were on a server that was not protected. This is a vulnerability in outdated software from the municipal sites that we already owned. The websites acquired from Gemeenteweb are thus not susceptible.”
Despite the vulnerabilities identified last weekend, the Association of Dutch Municipalities recently indicated that it will not, for the time being, make security guidelines for municipal websites mandatory.