Security The Internet

McAfee Sites Vulnerable To XSS Attack 84

An anonymous reader notes that this weekend, ReadWriteWeb discovered a security hole on several McAfee sites, which lets any attacker piggyback on the company's reputation and brand in order to distribute malware, Trojans, or anything else. The submitter adds an ironic coda to McAfee's epic fail: "In the 'how to HTML Injection' section, the author provided the four steps needed to execute a simple, no-brainer injection, but unfortunately, exposed a hole in NY Times website when they republished the article. While the author changed the offending text to an image, the Times is still using the original story which redirects directly to ReadWriteWeb [via XSS]." From the RWW post: "During tests this weekend, we discovered the company who claims to 'keep you safe from identity theft, credit card fraud...' has several cross-site scripting vulnerabilities and provides the bad guys with a brilliant — albeit ironic — launching pad from which to unleash their attacks."
This discussion has been archived. No new comments can be posted.

  • by agristin ( 750854 ) on Tuesday May 05, 2009 @05:02AM (#27827945) Journal

    Either they don't use McAfee secure (http://www.mcafeesecure.com/us/, probably the right website, who knows really), or their own dog food is garbage.

    Either way it is a bad gaffe. XSS is pretty well known in security circles. And this mistake is a relatively simple one (output validation or output filtering? please). After you read the linked article, you'll be even more sad they didn't catch this.

  • Re:Hmm. (Score:4, Insightful)

    by 6Yankee ( 597075 ) on Tuesday May 05, 2009 @05:06AM (#27827963)

    The only time I don't do this is if the user-submitted input is first passed through an input validator that should reject anything containing dangerous characters (for example, a valid e-mail address cannot contain HTML tags, so if I reject all but a valid e-mail address, then I don't need to sanitize the e-mail address). But how can I be sure I haven't missed anything somewhere?

    Ouch. I can disable the client-side validation entirely. I can also write my own form and send you anything I like.

    Sanitize everything.
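
The point argued in the comments above, as an added example that is not part of any poster's comment: a server-side validator can accept a value that still contains markup characters, so the value is encoded where it is written into the page. All function names and the sample address are constructed for illustration.

```javascript
// Added example; all names and the sample address are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML element content and quoted attribute values.
// Single pass, so an '&' produced by one replacement is never escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A typical permissive server-side e-mail check: something@something.tld.
function looksLikeEmail(value) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Before: relies on validation alone and echoes the value back raw.
function renderFieldUnsafe(email) {
  return `<input name="email" value="${email}">`;
}

// After: encodes at the point of output, whatever the validator decided.
function renderFieldSafe(email) {
  return `<input name="email" value="${escapeHtml(email)}">`;
}

// Constructed input: passes the validator yet carries markup characters.
const SAMPLE = 'a"><i>x</i>@example.com';

function demo() {
  return {
    acceptedByValidator: looksLikeEmail(SAMPLE),
    unsafe: renderFieldUnsafe(SAMPLE),
    safe: renderFieldSafe(SAMPLE),
  };
}

console.log(demo());
```

The unsafe rendering lets the value close the attribute and start a new element; the safe rendering keeps it as inert text inside `value`.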

  • Re:Hmm. (Score:3, Insightful)

    by Swizec ( 978239 ) on Tuesday May 05, 2009 @05:10AM (#27827975) Homepage
    For the safety of your users, I do hope the sanitization happens on the server-side, otherwise ... yikes. Then again, some clients simply don't pay enough for sanitization and I just dump anything someone posts right back to the page. Easier spending an hour every two months deleting "spam" than spending time making sure everything gets properly sanitized.

    Yes I'm a lazy coder I know, but fuck it, you get what you pay for.
  • Re:Hmm. (Score:1, Insightful)

    by Anonymous Coward on Tuesday May 05, 2009 @05:19AM (#27827999)
    Informative? Where does he say it's client-side?

    I try to make sure I run all user-submitted text through something to escape those kinds of characters before sending it back to the browser as HTML

    Guess where he sends it back from, numbnuts.

  • Distribute? (Score:2, Insightful)

    by Haiyadragon ( 770036 ) on Tuesday May 05, 2009 @05:27AM (#27828031)
    Sure, I can use this to inject code into the HTML that is then processed by my web browser. But how can I use this type of XSS to distribute anything? The worst thing I can do is still only happening on my PC.
  • Re:Hmm. (Score:5, Insightful)

    by AlXtreme ( 223728 ) on Tuesday May 05, 2009 @05:35AM (#27828059) Homepage Journal

    Yes I'm a lazy coder I know, but fuck it, you get what you pay for.

    Do it right, or don't do it at all.

    I'm all for cutting corners when dealing with stingy clients (which tend not to be clients for long) so I get your way of thinking, but basic security shouldn't be one of the corners to cut. In the end it will be worthwhile to simply add a bit of code to sanitize user input to avoid all the hassle you'll get in the long run.

    If you are spending an hour (of your own or billed) every two months for cleaning up crap, next time please spend two hours and add some validation. Keep on billing said client for spam cleanups for all I care.

    Every time a viewer sees spam it makes your work seem poor. Even a lazy coder knows when it will cost him more work in the long run.

  • Wait one minute. (Score:4, Insightful)

    by Lifyre ( 960576 ) on Tuesday May 05, 2009 @07:08AM (#27828423)

    Is it just me or was anyone else surprised that McAfee had any reputation or brand left to piggyback upon? I thought McAfee was generally worse than most viruses...

  • by Yvanhoe ( 564877 ) on Tuesday May 05, 2009 @09:14AM (#27829437) Journal
    You have no reason to go to McAfee pages if you don't use their products or plan to do so. You have no reason to use them if you are not on Windows.
  • Great idea. (Score:2, Insightful)

    by RulerOf ( 975607 ) on Tuesday May 05, 2009 @09:44AM (#27829837)

    Firefox + noscript will block XSS attempts.

    Yes. We know.

    Firefox + NoScript will block [INSERT WEBSPLOIT HERE].

    NoScript also kinda prevents nearly everything on the web from working as intended, and is not a solution. Please shut up about how much you think it rocks.
