Aust anti-terror Web site suffers glitch

By Patrick Gray
30 December 2002 12:10 PM
The online portion of the federal government's anti-terrorism campaign has suffered an embarrassing hiccup, with the new national security Web site vulnerable to low-level cross-site scripting security attacks.

The Web site "...provides a single access point for national security information from the Australian government" and was launched as a part of a comprehensive public information campaign. It provides information to Australians about potential terrorist threats, travel advice and the latest news on national security issues, such as the current expansion of Australia's counter-terrorism capabilities.

However, the Web site carries its own vulnerabilities which, while not serious, are undesirable.

Users of the Web site can write HTML strings directly into the page's "search" function. When the user clicks on "search" and the results page comes back, the HTML entered into the search function will be displayed. This is prevented from happening on most sites by blocking key non-alphabetic characters (such as "<" or "/") from the input field.

The vulnerability makes it possible to embed images and documents from other sites in the page that is returned to the user.
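The search behaviour described above, as an added example that is not part of the original article and not the site's code: a results page that echoes the query verbatim, the character blocking the article mentions, and an output-encoding variant, which is an addition the article does not describe. All function names, the blocked-character list and the sample queries are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Characters of the kind the article says most sites block (constructed list).
BLOCKED = set("<>/")

# Constructed sample queries.
EMBED = '<img src="https://other.example/banner.png">'
LEGIT = "travel advice 2002/2003"

def render_unsafe(query):
    """Echo the search term verbatim, as the article describes."""
    return f"<h1>Search results for: {query}</h1>"

def blocklist_accepts(query):
    """Input blocking: refuse any query containing a blocked character."""
    return not any(ch in BLOCKED for ch in query)

def render_encoded(query):
    """Output encoding: accept the query, encode it where it enters HTML."""
    return f"<h1>Search results for: {html.escape(query, quote=True)}</h1>"

class _Tags(HTMLParser):
    """Collects the element names an HTML parser actually sees."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)

def tags_in(page):
    """Return the start tags a parser finds in the rendered page."""
    parser = _Tags()
    parser.feed(page)
    parser.close()
    return parser.seen

if __name__ == "__main__":
    print(tags_in(render_unsafe(EMBED)))    # the <img> becomes a live element
    print(tags_in(render_encoded(EMBED)))   # the <img> is shown as text
    print(blocklist_accepts(EMBED), blocklist_accepts(LEGIT))
```

Blocking "/" stops the embedded image but also rejects the ordinary query, while encoding at output keeps the ordinary query intact and renders the markup as plain text.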

In the most severe cases, cross-site scripting vulnerabilities make it possible for attackers to craft links to vulnerable sites that look legitimate, but offer both the legitimate content of the target site, such as nationalsecurity.gov.au images and HTML, and malicious content that looks like it came from the legitimate site, such as self-installing Trojan horse programs or misleading information.

It is not known if the national security Web site is vulnerable to any of these worst-case conditions, but the mere fact that a cross-site scripting vulnerability exists will surely turn a few faces red at the Attorney General's (AG) office, which maintains the site.

The AG's office was unavailable for comment at the time of writing.
