Hi Christian,
I spent a good part of the morning going over the (sensationalized)
articles around the issues as well as other documentation. The problems
described there are not unique to YUI or AJAX. These have been present
ever since someone figured out how to get data through JavaScript... I
have found
http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
to be a good background on this issue (yes, it's focussed on the GWT. It
doesn't suffer from the need to grab attention that is afflicting the
Fortify docs).
On a YUI-specific note, there are a couple of things you can do:
* Continue using your authentication and authorization framework.
That will help make it difficult to get the data.
* Add a header to each request using the
YAHOO.util.Connect.initHeader() method. We have it set up to send a
specific header with each request since this morning (in dev). Our
server side code looks for the header and refuses to service the
request if it is absent or not valid.
Although I am glad that Fortify did raise the issue, I wish that they
would have taken a less journalistic approach. The Google document
provides some good information about the problem and suggests some
solutions that go beyond GWT users.
Hope this helps.
Fred
http://blog.fredjean.net
christian.storm wrote:
>
> Does anyone know if anything is being done about the YUI! security
> vulnerability described in
> http://www.fortifysoftware.com/advisory.jsp?
>
> A link to this article was just posted on a Dr. Dobbs Security update.
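The header-marking mitigation Fred describes, as an added example that is not code from the thread or from YUI; it assumes YUI 2's three-argument `initHeader(label, value, isDefault)` and uses a hypothetical header name and value.

```javascript
// Added example (not from the thread). The client marks every YUI XHR with a
// custom header and the server refuses any data request without it. A
// cross-site <script src=...> or auto-submitted form cannot add custom
// headers, so such requests fail the check even though the victim's session
// cookie rides along. Header name and value are assumptions.
const MARK_HEADER = 'X-Requested-With';
const MARK_VALUE = 'XMLHttpRequest';

// Client side (browser, YUI 2): register the header once as a default so
// YAHOO.util.Connect.asyncRequest attaches it to every transaction.
// Assumes YUI 2's initHeader(label, value, isDefault) signature.
function registerRequestMark(connect) {
  connect.initHeader(MARK_HEADER, MARK_VALUE, true);
}

// Server side: header names are case-insensitive, so normalise before lookup
// and require an exact value, not merely presence.
function hasRequestMark(headers) {
  const wanted = MARK_HEADER.toLowerCase();
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === wanted) {
      return String(value).trim() === MARK_VALUE;
    }
  }
  return false;
}

// Gatekeeper in front of the JSON endpoint. The existing auth framework still
// runs first; the mark only shows the request came from our own XHR code.
function serveData(req, isAuthenticated, loadJson) {
  if (!isAuthenticated(req)) return { status: 401, body: 'authentication required' };
  if (!hasRequestMark(req.headers)) return { status: 403, body: 'missing request mark' };
  return { status: 200, body: loadJson(req) };
}

// Constructed sample requests: a genuine YUI XHR and a cross-site <script> load
// that carries the same session cookie but no custom header.
const xhrRequest = {
  url: '/data.json',
  headers: { cookie: 'sid=abc', 'x-requested-with': 'XMLHttpRequest' },
};
const scriptTagRequest = { url: '/data.json', headers: { cookie: 'sid=abc' } };
```

Because the mark is a fixed string, it only distinguishes same-origin XHRs from cross-site loads; it is not a secret and does not replace the session check.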