Slashdot Mirror


McAfee Sites Vulnerable To XSS Attack

An anonymous reader notes that this weekend, ReadWriteWeb discovered a security hole on several McAfee sites, which lets any attacker piggyback on the company's reputation and brand in order to distribute malware, Trojans, or anything else. The submitter adds an ironic coda to McAfee's epic fail: "In the 'how to HTML Injection' section, the author provided the four steps needed to execute a simple, no-brainer injection, but unfortunately, exposed a hole in NY Times website when they republished the article. While the author changed the offending text to an image, the Times is still using the original story which redirects directly to ReadWriteWeb [via XSS]." From the RWW post: "During tests this weekend, we discovered the company who claims to 'keep you safe from identity theft, credit card fraud...' has several cross-site scripting vulnerabilities and provides the bad guys with a brilliant — albeit ironic — launching pad from which to unleash their attacks."

2 of 84 comments

  1. Re:Hmm. by 6Yankee · Score: 4, Insightful

    The only time I don't do this is if the user-submitted input is first passed through an input validator that should reject anything containing dangerous characters (for example, a valid e-mail address cannot contain HTML tags, so if I reject all but a valid e-mail address, then I don't need to sanitize the e-mail address). But how can I be sure I haven't missed anything somewhere?

    Ouch. I can disable the client-side validation entirely. I can also write my own form and send you anything I like.

    Sanitize everything.

  2. Re:Hmm. by AlXtreme · Score: 4, Insightful

    Yes I'm a lazy coder I know, but fuck it, you get what you pay for.

    Do it right, or don't do it at all.

    I'm all for cutting corners when dealing with stingy clients (which tend not to be clients for long) so I get your way of thinking, but basic security shouldn't be one of the corners to cut. In the end it will be worthwhile to simply add a bit of code to sanitize user input to avoid all the hassle you'll get in the long run.

    If you are spending an hour (of your own or billed) every two months for cleaning up crap, next time please spend two hours and add some validation. Keep on billing said client for spam cleanups for all I care.

    Every time a viewer sees spam it makes your work seem poor. Even a lazy coder knows when it will cost him more work in the long run.

    --
    This sig is intentionally left blank
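
The validate-versus-sanitize question raised in the first comment, as an added example that is not code from the article or from either commenter: a server-side e-mail check that accepts RFC 5322 quoted local parts still lets markup through, so the value is HTML-encoded at output regardless. The regex, function names and sample inputs are constructed for illustration.

```python
import html
import re

# Hypothetical server-side validator (an assumption, not from the page).
# Like many permissive checks, it accepts a quoted local part such as "x y"@host.
EMAIL_RE = re.compile(
    r'(?:[A-Za-z0-9._%+-]+|"[^"\\\r\n]*")@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+'
)

def is_valid_email(value: str) -> bool:
    """Runs on the server, so it applies even when the client-side form
    validation was disabled or a hand-written form was submitted."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None

def render_unsafe(email: str) -> str:
    """Trusts the validator and interpolates the raw value into HTML."""
    return f"<p>Confirmation sent to {email}</p>"

def render_safe(email: str) -> str:
    """Encodes at output time, whatever the validator decided."""
    return f"<p>Confirmation sent to {html.escape(email, quote=True)}</p>"

# Constructed sample inputs. The second is a syntactically valid address whose
# quoted local part carries harmless <b> markup.
SAMPLES = [
    'alice@example.com',
    '"<b>bold</b>"@example.com',
    'not an address',
]

def audit(samples):
    """Per input: (value, accepted, markup survives unsafe render,
    markup survives safe render)."""
    rows = []
    for s in samples:
        ok = is_valid_email(s)
        rows.append((s, ok,
                     ok and "<b>" in render_unsafe(s),
                     ok and "<b>" in render_safe(s)))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```
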