Full Disclosure mailing list archives
Re: Vulnerabilities in *McAfee.com
From: Ryan Sears <rdsears () mtu edu>
Date: Wed, 30 Mar 2011 13:45:03 -0400 (EDT)
Seriously. I gotta say I feel like people at Cenzic (and Mcafee for that matter), if anyone should understand that a XSS should really only be construed a 'criminal act' if it's indeed used to attack someone. If a group is taking the time out of their day to find and disclose issues to Mcafee, they should probably be thankful. What about finding a vulnerability in Mcafee's virus scanner? Could that be construed as a 'criminal act' if they disclose it? Where do you draw the line? Basically this sort of thing pushes the community into silence until something truly criminal happens. I'm not saying give anyone massive amounts of credit for publishing a few XSS bugs (because there's millions of them out there), but don't label them as a criminal for trying to help. That's just idiotic IMO. If you run an enterprise level solution for antivirus AND web vulnerability testing, the community understands that it's a process not unlike any other. There will be bugs, but it only demolishes the image of Mcafee to see them handle it like this in particular. If they would have been appreciative about it, and promptly fixed their website (or at the very least maintained friendly contact) this incident would have pretty much gone un-noticed. Look at LastPass as an example. http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html They had someone poking at their site, who managed to find a XSS bug using CRLF injections. They were appreciative of the find, 2.5 hrs later the issue was fixed, and there was that blog post about exactly what they were going to do about it. They took full responsibility for the fact that THEIR coding was to blame, and basically said 'This is what happened, and this is why it will probably never happen again'. This spoke hugely to me (as I'm sure it did the rest of the community) because it shows a company that's willing to admit it made a mistake, as opposed to sitting on their haunches and blaming people for looking for these sorts of bugs. Oh and not every customer of their service has to pay massive licensing fees, as there's a free version as well. In my mind at least this equates to a company that cares more about their customers that don't pay a single dime, then a company who forces people to pay massive amounts of coin for shaky automated scanning and services. That's just the way I see it though. Someone's gotta tell the emperor he has no clothes on. Ryan ----- Original Message ----- From: "Jeffrey Walton" <noloader () gmail com> To: "YGN Ethical Hacker Group" <lists () yehg net> Cc: "full-disclosure" <full-disclosure () lists grok org uk> Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group <lists () yehg net> wrote:
According to xssed.com, there are two remaining XSS issues: https://kb.mcafee.com/corporate/index?page=content&id="; alert(1); // https://kc.mcafee.com/corporate/index?page=content&id="; alert(1); // You guys know our disclosed issues are very simple and can easily be found through viewing HTML/JS source codes and simple Google Hacking (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com). However, it was criticized as 'illegal break-in' by Cenzic's CMO, http://www.cenzic.com/company/management/khera/, according to Network World News editor - Ellen Messmer. Thus, the next target is Cenzic web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner is.
Too funny.... I wonder is Aaron Barr is consulting for Cenzic. Jeff
[SNIP]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Vulnerabilities in *McAfee.com, (continued)
- Re: Vulnerabilities in *McAfee.com Pablo Ximenes (Mar 28)
- Re: Vulnerabilities in *McAfee.com Pablo Ximenes (Mar 29)
- Re: Vulnerabilities in *McAfee.com YGN Ethical Hacker Group (Mar 30)
- Re: Vulnerabilities in *McAfee.com Benji (Mar 30)
- Re: Vulnerabilities in *McAfee.com Cal Leeming (Mar 30)
- Re: Vulnerabilities in *McAfee.com Benji (Mar 30)
- Re: Vulnerabilities in *McAfee.com Pablo Ximenes (Mar 29)
- Re: Vulnerabilities in *McAfee.com Thor (Hammer of God) (Mar 30)
- Re: Vulnerabilities in *McAfee.com Christian Sciberras (Mar 30)
- Re: Vulnerabilities in *McAfee.com Cal Leeming (Mar 31)
- Re: Vulnerabilities in *McAfee.com Pablo Ximenes (Mar 28)
- Re: Vulnerabilities in *McAfee.com Jeffrey Walton (Mar 30)
- Re: Vulnerabilities in *McAfee.com Ryan Sears (Mar 30)
- Re: Vulnerabilities in *McAfee.com Thor (Hammer of God) (Mar 30)
- Re: Vulnerabilities in *McAfee.com Cal Leeming (Mar 27)
- Re: Vulnerabilities in *McAfee.com Thor (Hammer of God) (Mar 30)
- Re: Vulnerabilities in *McAfee.com Jeffrey Walton (Mar 30)
- Re: Vulnerabilities in *McAfee.com Cal Leeming (Mar 31)
- Re: Vulnerabilities in *McAfee.com BlackHawk (Mar 31)
- Re: Vulnerabilities in *McAfee.com Jacqui Caren-home (Mar 31)
- Re: Vulnerabilities in *McAfee.com Valdis . Kletnieks (Mar 31)