McAfee Sites Vulnerable To XSS Attack

An anonymous reader notes that this weekend, ReadWriteWeb discovered a security hole on several McAfee sites, which lets any attacker piggyback on the company's reputation and brand in order to distribute malware, Trojans, or anything else. The submitter adds an ironic coda to McAfee's epic fail: "In the 'how to HTML Injection' section, the author provided the four steps needed to execute a simple, no-brainer injection, but unfortunately, exposed a hole in NY Times website when they republished the article. While the author changed the offending text to an image, the Times is still using the original story which redirects directly to ReadWriteWeb [via XSS]." From the RWW post: "During tests this weekend, we discovered the company who claims to 'keep you safe from identity theft, credit card fraud...' has several cross-site scripting vulnerabilities and provides the bad guys with a brilliant — albeit ironic — launching pad from which to unleash their attacks."
  • by Anonymous Coward on Tuesday May 05, 2009 @05:04AM (#27827953)

    http://www.nytimes.com/external/readwriteweb/2009/05/04/04readwriteweb-mcafee-enabling-malware-distribution-and-fr-12208.html

    executes the code and redirects to readwriteweb.com

  • Re:Hmm. (Score:5, Informative)

    by galego ( 110613 ) <jsnsotheracct AT gmail DOT com> on Tuesday May 05, 2009 @05:44AM (#27828093)
    Hope you're not trying to "enumerate the bad" (i.e., looking at $foo =~ /<script/i in the input ... or even '<'). There are lots of ways to escape such validators. A great resource on some is here: http://ha.ckers.org/xss.html [ckers.org] I say, unescape everything back to the browser (even email addresses). OWASP has a good resource: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet [owasp.org]
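    The "enumerate the bad" point above, as an added example that is not part of galego's comment or of the OWASP page it links: a naive blacklist that rejects `<script` is compared with unconditional output escaping. The sample inputs are constructed for the demo; `html.escape` is Python's standard-library encoder for the HTML body and attribute contexts.

```python
import html
import re

# Naive "enumerate the bad" input filter: reject anything containing "<script".
# re.IGNORECASE handles case games, but the filter still only knows one tag name.
BLACKLIST = re.compile(r"<script", re.IGNORECASE)


def blacklist_allows(user_input: str) -> bool:
    """True if the naive blacklist would let this input through unchanged."""
    return BLACKLIST.search(user_input) is None


def render_untrusted(user_input: str) -> str:
    """Escape on output instead of filtering on input.

    html.escape rewrites & < > " ' as entities, so whatever the value
    contains, the browser parses it as text, never as markup.
    """
    return html.escape(user_input, quote=True)


def contains_markup(rendered: str) -> bool:
    """Demo check: does the rendered string still contain raw tag delimiters?"""
    return "<" in rendered or ">" in rendered


# Constructed sample inputs (not taken from the article or the comments).
SAMPLES = {
    "benign": "Tom & Jerry <3 cats",
    "email": "user@example.com",                   # escaping harmless text changes nothing
    "obvious": "<script>alert(1)</script>",
    "mixed_case": "<ScRiPt>alert(1)</ScRiPt>",     # caught only because of re.IGNORECASE
    "no_script_tag": '<img src=x onerror="alert(1)">',  # no "<script" substring at all
}


def evaluate(samples=SAMPLES):
    """For each sample: does the blacklist pass it, and is the escaped output inert?"""
    report = {}
    for name, value in samples.items():
        escaped = render_untrusted(value)
        report[name] = {
            "blacklist_allows": blacklist_allows(value),
            "escaped_has_markup": contains_markup(escaped),
            "escaped": escaped,
        }
    return report


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14} blacklist_allows={result['blacklist_allows']!s:5} "
              f"escaped_has_markup={result['escaped_has_markup']!s:5} {result['escaped']}")
```

    The blacklist rejects the two `<script` samples and waves the `<img onerror>` sample straight through, while the escaped output contains no raw tag delimiters for any input, including the benign ones. `html.escape` covers the HTML body and quoted-attribute contexts only; values placed into JavaScript, URL, or CSS contexts need the context-specific encoders the OWASP cheat sheet describes.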
  • Re:Distribute? (Score:5, Informative)

    by Hurricane78 ( 562437 ) <deleted&slashdot,org> on Tuesday May 05, 2009 @05:47AM (#27828103)

    Well, it injects code that can change the download link to a trojan that wraps the original thing. In your web browser.

    In sites with logins and other user-private data, well, let me take Slashdot as an example.
    Imagine someone got some evil code into the site, that your browser would load and execute.
    That code could quickly put the entire page into a frameset, with the outside being the control channel.
    Then, while you were reading, it would load your unprotected profile in the background, and change your sig to that same evil code (or a link to it). So everybody else would get it too.
    Then it would do a complete scan of your internal network, possibly detecting your router, and its ports. (All possible with JavaScript. Been there, seen it.)
    You could click on a link in /., and the frameset would survive. You could even keep that tab open all day long, effectively making you a zombie host.
    In the process, it would accept arbitrary commands from the controlling system. If you happen to go on the site or your router, it could for example try things in there too, like set an external control IP to the controlling system, and gain full access to your own network. (Unlikely, but I've seen it happening.)

    And all this is just the tip of the iceberg.

  • Re:Epic fail (Score:3, Informative)

    by Lobster Quadrille ( 965591 ) on Tuesday May 05, 2009 @08:57AM (#27829209)

    A much more serious issue, in the control panel for their web application scanning service, was published yesterday.

    http://skeptikal.org/2009/05/epic-failure-from-mcafee.html [skeptikal.org]

    This XSS is cool, but it's not news. I've been documenting McAfee web vulnerabilities for a year now. Rest assured, there are many more, some of which will be published later this week.
