McAfee site crawling with scripting bugs say researchers

Flaws on McAfee's website leave it vulnerable to cross-site scripting and other attacks, security researchers warn. YGN Ethical Hacker Group also discovered various lesser information disclosure bugs on the security firm's website, according to an advisory published on a full disclosure mailing list on Monday. YGN said it …

COMMENTS

This topic is closed for new posts.
  1. Banther dodo
    Thumb Down

    Thieves

    Maybe that explains how they took my renewal subscription but failed to renew it, the thieves.

    1. Blitterbug
      Troll

      @dodo...

      ...you RENEWED? Ooohh, you masochist.

  2. CD001

    Doesn't

    Doesn't bode well if they've used their own McAfee Secure product to scan their sites to look for vulnerabilities now does it?

    Considering you _need_ some kind of accredited, automated penetration testing software to maintain PCI DSS compliance - and McAfee IS one of those accredited suppliers - it doesn't exactly inspire confidence in the system as a whole.

  3. Daniel 1
    Unhappy

    There's so much bad code, though

    So many instances of the raw data from the user being echoed directly back into the page:

    echo $_SERVER['PHP_SELF'];

    ...and its variants from other languages - and plenty of books that are only a few years old, where programmers are actively being taught to do this sort of thing. Combine that with all those aging websites that are being "given a new lease of life" by wrapping them in AJAX guff (which no one on the development team really understands) and you've a recipe for ongoing disaster.

    "Yeah, let's just response.write everything the user inputs back into the page in real time. If we're really lucky, they might get it into the database - in which case it could lurk there waiting to do its freaky shit, for years to come (because we never sanitise what comes back out of the database, either)."
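The two patterns Daniel 1 describes, side by side, as an added example that is not from the article or from any commenter: the reflected case (echoing `$_SERVER['PHP_SELF']` raw) and the stored case (rows read back from a database and written into the page without output encoding), each next to a hardened form that encodes at the point of output. The `h()` helper, the `$rows_from_db` array and the simulated `$_SERVER` values are constructed for the example; it runs from the CLI with `php reflect.php`.

```php
<?php
// Added example, not the article's or any commenter's code.
// Run with: php reflect.php

// Encode an untrusted value for an HTML body or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes, so the same helper is safe in
// single-quoted attributes as well.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Reflected: the pattern quoted in the comment -------------------------
// PHP_SELF is derived from the request path (including any PATH_INFO), so it
// is attacker-controlled. Echoing it raw is a reflected XSS sink.
function form_action_vulnerable(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened: encode on output. Better still, avoid PHP_SELF altogether and use
// a fixed action or SCRIPT_NAME (which excludes PATH_INFO), still encoded.
function form_action_hardened(): string
{
    return '<form action="' . h($_SERVER['SCRIPT_NAME']) . '">';
}

// --- Stored: "we never sanitise what comes back out of the database" --------
// Constructed stand-in for rows read back from a comments table. The second
// row is the kind of value that lurks in a database once it gets past input.
$rows_from_db = [
    ['author' => 'alice',   'body' => 'Looks fine to me.'],
    ['author' => 'mallory', 'body' => '<script>alert(document.cookie)</script>'],
];

function render_comments_vulnerable(array $rows): string
{
    $out = '';
    foreach ($rows as $r) {
        $out .= '<p><b>' . $r['author'] . '</b>: ' . $r['body'] . "</p>\n";
    }
    return $out;
}

// Filtering at write time is not sufficient (data reaches the table by other
// paths, filters change, output contexts differ). Encode every untrusted
// value on the way out, whatever its source.
function render_comments_hardened(array $rows): string
{
    $out = '';
    foreach ($rows as $r) {
        $out .= '<p><b>' . h($r['author']) . '</b>: ' . h($r['body']) . "</p>\n";
    }
    return $out;
}

// Simulate a request so the example runs from the CLI (constructed values).
$_SERVER['PHP_SELF']    = '/comment.php/"><script>alert(1)</script>';
$_SERVER['SCRIPT_NAME'] = '/comment.php';

echo "Vulnerable form tag:\n", form_action_vulnerable(), "\n\n";
echo "Hardened form tag:\n",   form_action_hardened(),   "\n\n";
echo "Vulnerable stored output:\n", render_comments_vulnerable($rows_from_db), "\n";
echo "Hardened stored output:\n",   render_comments_hardened($rows_from_db);
```

Running it shows the raw versions emitting the closing quote and `<script>` tag intact, while the hardened versions emit `&lt;script&gt;` and `&quot;`, which the browser renders as text. The helper is context-specific: it is correct for HTML body and attribute values only; a value placed inside a `<script>` block, a URL or CSS needs the encoder for that context.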

  4. David Simpson 1
    Flame

    CRAP!

    Great story for all the McAfee flashing ads, hilarious that anyone still pays these jokers, everything they make attracts flies very quickly, until it stops steaming.

  5. JarekG
    FAIL

    That's OK

    Intel will fix it and put it in the next version of their "Pentionium"* chips.

    We are all gone be safe....we all are

    *The name has been made up, like the rest of them.

  6. Steve Evans

    Hardly a shock...

    The only machines I've seen with McAfee running on them are ones that were purchased with the infection already installed!

    1. Anonymous Coward
      Unhappy

      *Sob*

      The numpties in the IT support here at work use it on all the corp desktops (XP, I feel like Fred Flintstone)

  7. Joe User
    FAIL

    How typical...

    "Early on Monday March 28, 2011, various online news outlets reported on vulnerabilities in McAfee Web sites. McAfee is aware of these vulnerabilities and we are working to fix them."

    In other words, "We've known about the problems for a while now but couldn't be bothered to fix them until someone aired our dirty laundry in public."

  8. Muckminded
    Thumb Up

    It was all a test...

    and we passed. They are glad we finally noticed so that they may put up the real site. A drumroll if you please.

  9. Anonymous Coward
    Anonymous Coward

    upgrade upgrade upgrade

    Intel bought McAfee because it slows PCs down so much you have to upgrade; imagine that upgrade-enforcing mechanism built in rather than a user option.

    Bring back Dr. Solomon's Magic Bullet disks!

  10. John Smith 19 Gold badge
    FAIL

    Call me dumb but

    1) A software company specializing in *security* software is only as good as its reputation. It takes years to build up and days to destroy. RSA springs to mind.

    2) Tools exist to scan websites for vulnerabilities. If McAfee can't find one they should have the skills in house to write it.

    3) Being owned by Intel should give them access to the corporate coffers if they are stupidly expensive.

    Given what they do 1 month should have been *more* than enough time to get the problem elements disabled or replaced.

  11. Beau
    Go

    McAfee, must be very good?

    After all, it comes pre-installed on nearly all the computers in our local supermarket, and even if it's not, the McAfee box on the software shelf looks just wonderful!!

  12. PeterM42
    Thumb Down

    McAfee is an Anti-virus product???...........

    ...........I thought it was a performance slug to stop people computing too quickly.

  13. NigelMellish

    Wow, The Reg has balls...

    the industry is entitled to hold McAfee to a higher standard than other organisations, especially given it markets its McAfee Secure service as a way for enterprises to identify problems on their websites. ®

    Uh, that would be like holding The Reg to a higher standard of Journalism. No one expects it, and the staff there isn't smart enough to accomplish it.
