Cross-Site Scripting (XSS) (define) flaws are among the most common type of Web 2.0 vulnerability. They can also occur in RSS and Atom feeds and it could happen to almost anyone. Even IBM.

A Japanese security researcher has alleged that an Atom format syndication feed on IBM.com was at risk from an XSS attack. The flaw would only have been exploitable for users of Microsoft's Internet Explorer version 6 and has apparently been fixed.

Security researcher Yosuke Hasegawa told InternetNews.com that he reported the flaw to IBM through the IPA/ISEC. He said IBM replied on Aug. 30 saying the issue had been corrected.

An IBM spokesperson was not immediately available for comment.

In a public posting to a popular security list, Hasegawa posted a proof of concept URL that, when accessed by Internet Explorer 6.0, would trigger a script to operate.

According to Hasegawa, IE6 cannot understand the "application/atom+xml" header as a Content-Type, which is the path by which the feed can be exploited.

Hasegawa explained that he discovered the IBM.com flaw while examining the problem that IE 6 disregarded the Atom Content-Type.

"At that time, I noticed the point that it was possible to make an Atom feed interpreted as HTML," Hasegawa said. "By chance, I found the IBM.com as a site that corresponded to such a case."

This article was first published on InternetNews.com. To read the full article, click here.