Not surprisingly, McAfee websites are susceptible to XSS attacks
Written by DP & KF
Wednesday, 30 March 2011
Update 31/03: McAfee has fixed all the XSS!
Update 30/03: PaPPy has submitted another XSS affecting McAfee: http://www.xssed.com/mirror/72478/
Famous antivirus-security vendor McAfee has been all over the news the past few days, regarding cross-site scripting and information disclosure vulnerabilities that affected several of its websites. It all started when the Burmese-based YGN Ethical Hacker Group published the related details to the Full Disclosure mailing list. McAfee has acknowledged the vulnerabilities in a statement sent on Monday to Angela Moscaritolo, a reporter for SCMagazineUS.com, and said that they are working to fix them.
The XSS flaws are quite dangerous as they could be exploited by phishers to trick unwitting victims into downloading a third party application (a virus for example).
In the past, McAfee were quickly fixing the XSS vulnerabilities published on our archive, so they do not really have a reason for taking so long to fix these ones (YEHG contacted them on 2011-02-10).
Note that we have a huge list of XSS to be validated, and we found two (2) more McAfee.com XSS in the "onhold" list, which we published here:
YEHG have also produced a demonstration video called "XSSing McAfee Secured".
From YEHG's video
McAfee's Web Help
McAfee's Corporate Knowledgebase which appears to be running InQuira Information Center, developed by InQuira Inc.
McAfee working to fix XSS, information disclosure flaws - Angela Moscaritolo - SCMagazineUS.com - 29 March 2011
Vulnerabilities in McAfee.com - YGN Ethical Hackers Group - 27 March 2011
McAfee site crawling with scripting bugs say researchers - John Layden - The Register - 29 March 2011
From XSS to root: Lessons Learned from a Security Breach - Toralv Dirro- McAfee Labs Blog - 14 April 2010
Related News on XSSed:
XSS, Iframe injections and XMLHTTP post request errors on McAfee sites - [-TE-] Methodman and DP - 3 May 2009
Verisign, McAfee and Symantec sites can be used for phishing due to XSS - DP - 9 June 2008
Hacker Safe or not? Read on, watch the video and vote now! - DP - 28 April 2008
ScanAlert's "Hacker Safe" badge not so safe and PCI compliant - DP - 21 January 2008