* Article in English

Security flaw found in numerous famous applications from big companies, such as Google, MSN, etc. Applications that affected are namely Google Maps, Gmail, AOL’s AIM Mail, Flikr and MSN Virtual Earth and so on.

This security flaw was actually found in a toolkit for developing those affected applications. The toolkit is called CPAINT, which is used to create applications using AJAX, which stands for Asynchronous JavaScript and XML. It is is an approach to putting more dynamic interactivity into Web applications using a combination of HTML, CSS, Document Object Model, JavaScript, and XMLHttpRequest.

The CPAINT flaw could allow an attacker to execute malicious code on a server running CPAINT, or running an application built using CPAINT

The AJAX approach has been adopted by a number of Web developers, the best known of them being Google, whose Google Maps, Google Suggest, Gmail and other applications use AJAX, although Google has since stated that Gmail is not affected. Other high-profile AJAX-based services include Microsoft’s MSN Virtual Earth, Yahoo’s Flickr and AOL’s AIM Mail. Many lesser-known services have also adopted AJAX, such as Swiss mapping service map.search.ch and invoicing program Blinksale.

The bug affects ALL existing versions of CPAINT, both the ASP and PHP implementations. The project issued a patch fixing the issue, CPAINT v1.3-SP, and is creating a more comprehensive fix for the forthcoming version 2.0.0.

So if you have any project using CPAINT, don’t forget to update to the latest version before it is too late.