Ajax which stands for Asynchronous JavaScript and XML is a way of programming for the Web that gets rid of the hourglass, i.e. downloading problem. Data, design and content are combined together into a seamless whole. When your client clicks on something on an Ajax driven application, there is very little lag time. The page simply displays what he is asking for. If you don’t believe this, visit Google Maps for a few seconds. Scroll around and watch as the map updates almost before your eyes blink. There is very little lag and you don’t have to wait for pages to refresh or reload. CPAINT is a popular toolkit used to build AJAX applications. But it faces with a problem recently.

A security hole in a popular development tool has harsh implications for a number of the Internet’s most well-liked applications, including Gmail, Flikr and MSN Virtual Earth. Large number of companies including AOL, Microsoft, Yahoo and Google are possibly to be affected by the flaw in CPAINT. Rather than a technology in itself, AJAX is an approach to putting more dynamic interactivity into Web applications using a combination of HTML, CSS, Document Object Model, JavaScript and XMLHttpRequest.

The CPAINT fault could allow an attacker to implement malicious code on a server running CPAINT or running an application built on CPAINT. The bug hampers all existing versions of CPAINT, both the ASP and PHP implementations. The project issued a patch fixing the issue, CPAINT v1.3-SP and is creating a more comprehensive fix for the forthcoming version 2.0.

It is highly recommended that everyone running any version of CPAINT, straight away upgrade to this patched version for security purposes. The bug may affect more than just CPAINT. In an e-mail to the Bugtraq security mailing list, CPAINT developers warned that the same flaw is also likely to affect other AJAX toolkits and urged other AJAX toolkit authors and users to test for security problems. They are all very similar in the way they execute functions on the back-end.

The AJAX approach has been adopted by a number of Web developers, the best known of them being Google, whose Google Maps, Google Suggest, Gmail and other applications use AJAX, although Google has since stated that Gmail is not affected. Other high-profile AJAX-based services include Microsoft’s MSN Virtual Earth, Yahoo’s Flickr and AOL’s AIM Mail. Many lesser-known services have also adopted AJAX, such as Swiss mapping service map.search.ch and invoicing program Blinksale.

The CPAINT security flaw doesn’t automatically mean such applications are susceptible, but should be a caution to developers using toolkits to create dynamic Web applications. The term AJAX itself is controversial, having been initiated by a consultancy firm, but has gained wide practice. Google itself calls its development approach simply JavaScript, while other Web developers have highly praised the use of the new term.

The AJAX model adds more dynamic interactivity to Web applications, making them feel more like desktop applications. On the flip side, because AJAX is made up of a number of different standards implemented in slightly different ways by browsers, it is very difficult to get AJAX applications working correctly with any browser. Scripting has become a significant source of security vulnerabilities for Web applications. In January Google patched a Gmail flaw that involved Perl script. PHP has also been hit by several major security flaws.

Tags: Security Problem in AJAX