Maybe the people responsible for the John Sands web site will finally do something about the web site's vulnerabilities
It is all over the popular press - Websense have announced that they have found malicious script on the John Sands web site:
http://securitylabs.websense.com/content/Alerts/3268.aspx
I can only hope that Websense, and all of the negative press that their announcement has triggered, will finally get John Sands to clean up their act and fix the problems with their web site. Why do I say this? Because I wrote to John Sands in July and in August warning them that there were problems, yet their web site is still vulnerable. The site code has been cleaned up a few times, but the basic problem has not been resolved.
I did not receive a response to my emails.
It is an understatement, to say the least, to see that the johnsands.com.au web site is *still* vulnerable more than 5 months after my initial alert.
Email one, dated 24 July 2008:
Email two, sent after my first email was ignored - note that by this stage malicious code pointing to 26 domains was evident. The email address is taken from WHOIS, and is apparently the email address for the "Infrastructure Administrator".
