back to article McAfee site crawling with scripting bugs say researchers

Flaws on McAfee's website leave it vulnerable to cross-site scripting and other attacks, security researchers warn. YGN Ethical Hacker Group also discovered various lesser information disclosure bugs on the security firm's website, according to an advisory published on a full disclosure mailing list on Monday. YGN said it …


This topic is closed for new posts.
  1. Banther dodo
    Thumb Down


    Maybe that explains how they took my renewal subscription but failed to renew it, the thiefs.

    1. Blitterbug

      @dodo... RENEWED? Ooohh, you masochist.

  2. CD001


    Doesn't bode well if they've used their own McAfee Secure product to scan their sites to look for vulnerabilities now does it?

    Considering you _need_ some kind of accredited, automated penetration testing software to maintain PCI DSS compliance - and McAfee IS one of those accredited suppliers - it doesn't exactly inspire confidence in the system as a whole.

  3. Daniel 1

    There's so much bad code, though

    So many instances of the raw data from the user being echoed directly back int the page:

    echo $_SERVER['PHP_SELF'];

    ...and it's variants from other languages - and plenty of books that are only a few years old, where programmers are actively being taught to do this sort of thing. Combine that with all those aging websites that are being "given a new lease of life" by wrapping them in AJAX guff (which no one on the development team really understands) and you've a recipe for ongoing disaster.

    "Yeah, let's just response.write everything the user inputs back into the page in real time. If we're really lucky, they might get it into the database - in which case it could lurk there waiting to do its freaky shit, for years to come (because we never sanitise what comes back out of the database, either)."

  4. David Simpson 1


    Great story for all the McAfee flashing ads, hilarious that anyone still pays these jokers, everything they make attracts flies very quickly, until it stops steaming.

  5. JarekG

    That's OK

    Intel will fix it and put it in the next version of their "Pentionium"* chips.

    We are all gone be safe....we all are

    *The name has been made up, like the rest of them.

  6. Steve Evans

    Hardly a shock...

    The only machines I've seen with McAfee running on them are ones that were purchased with the infection already installed!

    1. Anonymous Coward


      The numpties in the IT support here at work use it on all the corp desktops (XP, I feel like Fred Flintstone)

  7. Joe User

    How typical...

    "Early on Monday March 28, 2011, various online news outlets reported on vulnerabilities in McAfee Web sites. McAfee is aware of these vulnerabilities and we are working to fix them."

    In other words, "We've known about the problems for a while now but couldn't be bothered to fix them until someone aired our dirty laundry in public."

  8. Muckminded
    Thumb Up

    It was all a test...

    and we passed. They are glad we finally noticed so that they may put up the real site. A drumroll if you please.

  9. Anonymous Coward
    Anonymous Coward

    upgrade upgrade upgrade

    Intel bought McAfee because it slows PC's down so much you have to upgrade, imagine that upgrade enforcing mechanism built in rather than a user option.

    Bring back Dr. Solomons Magic Bullet disks!

  10. John Smith 19 Gold badge

    Call me dumb but

    1) A software company specializing in *security* software is only as good as its reputation. It takes years to build up and days to destroy. RSA springs to mind.

    2) Tools exists to scan websites for vulnerabilities. If McAfee can't find one they should have the skills in house to write it.

    3)Being owned by Intel should give them access to the corporate coffers if they are stupidly expensive.

    Given what they do 1 month should have been *more* than enough time to get the problem elements disabled or replaced.

  11. Beau

    MaAfee, must be very good?

    After all it comes pre-installed on nearly all the computers in our local supermarket, and even if it's not, the McAfee box on the software shelf look just wonderful!!

  12. PeterM42
    Thumb Down

    McAfee is an Anti-virus product???...........

    ...........I thought it was a performance slug to stop people computing too quickly.

  13. NigelMellish

    Wow, The Reg has balls...

    the industry is entitled to hold McAfee to a higher standard than other organisations, especially given it markets its McAfee Secure service as a way for enterprises to identify problems on their websites. ®

    Uh, that would be like holding The Reg to a higher standard of Journalism. No one expects it, and the staff there isn't smart enough to accomplish it.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019