At LinuxWorld today, SPI Dynamic's senior security engineer, Matt Fisher, talked about the vulnerabilities of Web 2.0.
One think that I found interesting about this article was when it talks about how users of social-networking can submit html code. We all know this is definitely a security risk that no one should allow to happen. How can these types of sites safely check the html code submitted from users? Are they protecting their users enough?
In particular, Fisher singled out social-networking sites. Because the site depends on user content, the site allows users to upload HTML code, and in most cases, any HTML code. Knowing this, Fisher said someone could put a malicious script code into a blog post where it would sit until someone came along and read it. What bad could possibly happen from that, you might wonder? Fisher said that when someone in a corporate environment opens it, the attacker can then execute code inside the corporate perimeter on the internal network.