Stories about XSS are really, really lame
By Pat GRAY
So the Australian ran this piece yesterday:
THE Liberal Party website was hacked this morning to make Prime Minister John Howard appear to enjoy engaging in a lewd homosexual act.
Under the heading, The Liberal Party of Australia, the website read: John Howard Says "I like to s... d...!"
A spokesman for the Liberal Party's federal secretariat said that officials were investigating the matter. "It appears to be a hoax, but we're checking it out," the spokesman said.
The loophole in the site's security appeared to have been closed by 11am.
The site was a victim of a HTML injection attack, whereby the hacker exploits a security flaw in the site structure to alter the content displayed to the user. It is a simple hack but can be a precursor to more malicious Cross-Site Scripting, or "XSS", attacks, which allow data to be sent to a user's computer.
Ummm... HTML injection? XSS? These aren't "hacks"... Data on the actual web-server isn't modified by these so-called "attacks". The only way to get someone to see the modified version of the page is to send them a carefully crafted link which merges content of the target pages with something else you've set up elsewhere. Alternatively, the extra content, like text, could be embedded in the link.
But it requires user intervention -- they have to click on that link!
To suggest the Libs' web-server was hacked is misleading in the EXTREME. Also, XSS attacks do not allow "data to be sent to a user's computer" unless you've tricked someone into clicking a link and THEN exploited a vulnerability on the user's side, for example a browser bug. But you still need the user to click on the link in the first place.
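The mechanics described above, as an added example (not code from the original post or from the site in question): a page that pastes a link parameter into its HTML unescaped, next to the escaped version. The `party.example` host, the `q` parameter and the template are assumptions made up for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template standing in for the content stored on the server.
# Neither renderer below modifies it; the extra content only ever lives in the link.
TEMPLATE = "<html><body><h1>Example Party</h1><p>Results for: {term}</p></body></html>"


def _term_from_link(link: str) -> str:
    """Pull the hypothetical 'q' parameter out of the link the visitor clicked."""
    params = parse_qs(urlsplit(link).query)
    return params.get("q", [""])[0]


def render_unescaped(link: str) -> str:
    """Sloppy version: the parameter is pasted into the page as markup."""
    return TEMPLATE.format(term=_term_from_link(link))


def render_escaped(link: str) -> str:
    """Fixed version: the parameter is HTML-escaped, so it can only appear as text."""
    return TEMPLATE.format(term=html.escape(_term_from_link(link), quote=True))


def injected_markup(page: str, link: str) -> bool:
    """True if markup carried in the link survived into the page as live HTML."""
    term = _term_from_link(link)
    return "<" in term and term in page


# Constructed links: one ordinary, one carrying extra markup in the query string.
PLAIN_LINK = "https://party.example/search?q=tax+policy"
CRAFTED_LINK = "https://party.example/search?q=%3Ch2%3EConstructed+headline%3C%2Fh2%3E"

if __name__ == "__main__":
    for link in (PLAIN_LINK, CRAFTED_LINK):
        print(link)
        print("  unescaped page shows link markup:", injected_markup(render_unescaped(link), link))
        print("  escaped page shows link markup:  ", injected_markup(render_escaped(link), link))
```

Only a visitor who follows the crafted link sees the altered page; everyone else gets the unmodified template, and escaping the parameter on output closes the hole.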
XSS is the most basic and least severe example of sloppy web-programming... You can't do anything useful with it, except steal session cookies under very unlikely sets of circumstances.
This whole thing boils down to some sloppy programming on behalf of the Libs, but their site was NOT pwned. In this case The Australian's reporting is much sloppier than the work of the code-monkey who belted out the Libs' Web-site.
This is one of the poorest security-related reports I've ever seen. XSS flaws were worth writing about, in context and accurately, five years ago. This is just shameless sensationalism...
Speaking of IT security reporting that doesn't suck, don't forget to check out my podcast on ITRadio.com.au. This week we're speaking to Marty Roesch about the future of Snort.
Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.