Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Hello YGN Ethical Hacker Group!

Just after you disclosed your findings at McAfee's sites, I congratulated you on a nice disclosure and started to wait for a reaction. And a few days later I read in Network World a few articles about this issue (http://www.networkworld.com/news/2011/032811-mcafee-security-holes.html and http://www.networkworld.com/news/2011/033011-hackers-ygn-mcafee.html). So the reaction and buzz came quickly. And on a large scale - as a simple Google dork shows, there are a lot of sites (up to 128000 results) that posted this news. Mostly it's reposting of the same news, but still large attention to your disclosure.

In February in our conversation I told you that publishing the video about holes at McAfee's sites must bring attention, but in this case most attention was brought by the disclosure in the FD mailing list :-) (and a lot of attention). But that video can still come in handy for creating even more buzz about this issue.

The most important thing in all these news articles is that they are claiming that this defies USA law. All these journalists and news copy-pasters are not familiar with laws (USA laws in particular), so they're just incorrectly blaming YGN Ethical Hacker Group. As I wrote in 2009 in my article Hacking of web sites, security researches, disclosure and legislation (http://websecurity.com.ua/articles/security_researches_and_legislation/eng/), which was published in The Web Security Mailing List, particularly in item 5 of the article (where I wrote about the legislation of Ukraine and the USA), security research, including finding and disclosing vulnerabilities at web sites, is legal. So journalists must first get familiar with their own legislation before writing such articles with such incorrect statements about other people.

P.S. Cenzic is a hole-loving company - earlier I wrote in my news about a hole in their site's search engine which I found in 2006. And it's quite possible that since that time they haven't come far from such an approach. So I wish you good luck in your quest for Cenzic's holes ;-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Vulnerabilities in *McAfee.com
From: YGN Ethical Hacker Group
Date: Mon, 28 Mar 2011 00:02:47 +0800

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
+1.

I've come across countless companies who had idiotic technical directors who didn't even want you speaking up in meetings about how bad their network was, let alone in public. A lot of it comes down to pride/image; if someone starts questioning their job worth, they get all pissy about it, plus a lot of people find it *extremely* difficult to take constructive criticism and/or advice within their own remit.

Personally, I'm completely honest and open when I fuck something up. If a client's network goes down cos I accidentally plugged a 12v cable tester into core switch gear causing a site wide telecoms outage for 20 minutes (lol), I'll come right out and say "Yeah, I did bad.". Whereas most people try and cover it up. Different scenario, but same principle.

On Thu, Mar 31, 2011 at 1:13 PM, BlackHawk wrote:
> Nothing new under the sun.. i have done some security testing on _open
> source_ webapps, and most of the time
> if you alert the publisher of your findings ( most of the time remote
> code executions, not "boring" XSS ) the answer is typically "F*** off,
> we do not need your help / you are lying / you are a criminal /
> etc.etc." showing that bug finding is still looked at with diffidence
> by many people;
>
> on the other side admins are so proud of themselves that they do not
> want other people to know they have badly coded something, look at
> this:
> http://forums.pligg.com/questions-comments/23065-pligg-1-1-3-security-vulnerabilities.html#post103328
>
> to close with a semi-serious joke: put all this together and you will
> know why black market selling of exploits is increasing its size: at
> least someone will appreciate your work and eventually recompense
> you for it..
>
> On Wed, Mar 30, 2011 at 9:33 PM, Cal Leeming wrote:
> >
> > Like with most laws, the key point is "intent". If your intention was
> > clearly not malicious, then you are safe.
>
> --
> BlackHawk - hawkgot...@gmail.com
>
> Sent with Gmail
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
On Thu, Mar 31, 2011 at 3:30 PM, wrote:
> ...
> Ask Randall Schwartz how that worked out for him. "intent" doesn't
> enter into it as much as a defendant may like.

intel has a long history of legal strong-arming against those who provoke the beast's wrath. it doesn't help that ORS 164.377 is overly broad for selective prosecution; factor in the InfraGard partnership direct-line with technical and economic clout and you've got influence over legal levers too large and plentiful to resist beating convenient targets with. so perhaps this example is not most representative of the typical and certainly not to title 18.

as for agro intel some early indicators are they have improved on this posture. i hope they keep it up.

by the way Intel Corp., i'm still waiting on that apology for the internal smearing in the company newsletter to pimp centrino security and fear monger wifi back in the day. if you're truly sorry you could cover the cost of compromised equipment from the black bag you sabre rattled for. :/ call me!

[ not holding my breath... ]
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
I should clarify my use of "intent" in previous replies - the "intent" part of the process would be from the judge's point of view even in the absence of "concrete" evidence. As you know, actual court cases are not what we see on TV, and the judge has far more power than one may think. Even if the defense argues that the actions by the defendant were acceptable, if the judge thinks that the intent of the individual was to exceed access, then they are hosed. It wasn't meant to imply that saying "I didn't intend to bring their network down" would be of any benefit to a defendant.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of valdis.kletni...@vt.edu
Sent: Thursday, March 31, 2011 3:30 PM
To: Cal Leeming
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

On Wed, 30 Mar 2011 20:33:56 BST, Cal Leeming said:
> Like with most laws, the key point is "intent". If your intention was
> clearly not malicious, then you are safe.

Ask Randall Schwartz how that worked out for him. "intent" doesn't enter into it as much as a defendant may like.

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_1030000-.html

Intent is not mentioned at all. You exceed the authorized access, you're guilty under 18 USC 1030. 1030 (a)(2)(C) is the really expansive one, as "protected computer" is defined down in (e)(2)(B) to include anything used in interstate commerce (and yes, DA's *HAVE* argued "The computer has a web browser and thus could get to amazon.com, so it's interstate commerce time"). Doesn't matter if you were trying to save the world at the time (as Gary McKinnon found out).

A better approach is to argue the definition of "authorized access" as it applies to an Internet-facing server...
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
On Wed, 30 Mar 2011 20:33:56 BST, Cal Leeming said:
> Like with most laws, the key point is "intent". If your intention was
> clearly not malicious, then you are safe.

Ask Randall Schwartz how that worked out for him. "intent" doesn't enter into it as much as a defendant may like.

http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_1030000-.html

Intent is not mentioned at all. You exceed the authorized access, you're guilty under 18 USC 1030. 1030 (a)(2)(C) is the really expansive one, as "protected computer" is defined down in (e)(2)(B) to include anything used in interstate commerce (and yes, DA's *HAVE* argued "The computer has a web browser and thus could get to amazon.com, so it's interstate commerce time"). Doesn't matter if you were trying to save the world at the time (as Gary McKinnon found out).

A better approach is to argue the definition of "authorized access" as it applies to an Internet-facing server...
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
On Thu, 31 Mar 2011 15:18:08 BST, Jacqui Caren-home said:
> A lot of businesses do not consider "constructive criticism" as positive and
> will sometimes do everything in their power to "PR" you to death - it's
> often seen as cheaper than fixing the problem.

In fact, it often *is* cheaper than actually fixing the problem (especially when the reported problem is "3 pages are vulnerable to XSS", but the actual problem is "48,394 pages are vulnerable to XSS" or similar).
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
On 31/03/2011 13:13, BlackHawk wrote:
> to close with a semi-serious joke: put all this together and you will
> know why black market selling of exploits is increasing its size: at
> least someone will appreciate your work and eventually recompense
> you for it..

Everyone makes mistakes. Being unable to admit fault is a serious character flaw for a developer. However for a business, this may be a commercially sensible strategy.

A long time ago I was asked to demo a MAC web server memory leak to a .mil address. I declined but provided the details and test script to the contact and left him to run his own tests. The server turned into a linux box a few months later. My worry was my demo would be construed as an attack by his "higher ups".

A lot of businesses do not consider "constructive criticism" as positive and will sometimes do everything in their power to "PR" you to death - it's often seen as cheaper than fixing the problem.

Jacqui
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Nothing new under the sun.. i have done some security testing on _open source_ webapps, and most of the time if you alert the publisher of your findings ( most of the time remote code executions, not "boring" XSS ) the answer is typically "F*** off, we do not need your help / you are lying / you are a criminal / etc.etc." showing that bug finding is still looked at with diffidence by many people;

on the other side admins are so proud of themselves that they do not want other people to know they have badly coded something, look at this:
http://forums.pligg.com/questions-comments/23065-pligg-1-1-3-security-vulnerabilities.html#post103328

to close with a semi-serious joke: put all this together and you will know why black market selling of exploits is increasing its size: at least someone will appreciate your work and eventually recompense you for it..

On Wed, Mar 30, 2011 at 9:33 PM, Cal Leeming wrote:
>
> Like with most laws, the key point is "intent". If your intention was
> clearly not malicious, then you are safe.

--
BlackHawk - hawkgot...@gmail.com

Sent with Gmail
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
On Wed, Mar 30, 2011 at 8:29 PM, Ryan Sears wrote:
>
> How about the scenario in which one statically audits some javascript
> sitting on a site, to notice it does something in an unsafe manner, and can
> be used in a XSS attack without actually making it happen? There was no
> actual 'attacking' done, but there was still a vulnerability discovered. Is
> THAT considered an illegal act? Is putting a '<3' into a web form/comment
> section considered attacking it if you look at the source to see how the
> character translated? What if you just wanted to make an ascii heart? My
> point is it's a very blurry line, and there are a lot of scenarios where one
> may discover a vulnerability without even having to do anything.
>

Like with most laws, the key point is "intent". If your intention was clearly not malicious, then you are safe.

>
> As for the source code disclosures, there was absolutely no 'attacking'
> done. This was a huge oversight in the site devs, and they were giving that
> information to anyone who requested it, plain and simple. What about the
> Tumblr incident that happened a while ago? Just because they screwed up a
> production script, they ended up leaking massive amounts of internal
> infrastructure details, as well as private API keys, and other stuff that
> could be used for nefarious means. Is it illegal to visit that page? I think
> not, as THEY were putting the information out there (albeit by accident),
> but I as a user have no way to know that.
>
> I understand what you're saying about them not asking people to look for
> bugs, but it IS the internet. Companies don't typically ask external people
> to audit their executables either, but people do it for a number of reasons
> (mainly education).
>
> If they leave their site up, people will potentially poke at it. That's
> just the way it is. If I have a vested interest in a company (be it monetary
> or simply supporting its cause), I personally want to see the site
> flourish, because I am then a part of that site. I want to make sure that my
> personal information is protected, and if I do find a bug somewhere, I
> report it. I recently found a XSS in OpenDNS's landing page, and they were
> very appreciative, very professional, and prompt to respond. This made me
> WANT to work with them further to ensure that their infrastructure was
> hardened to other forms of attack as well. I don't disclose these sorts of
> issues publicly, because I give the developers a chance to fix it, and in my
> past experience most companies are happy that I reported an issue, because I
> could have just as easily not said anything. If it does come down to it
> though, I follow my own public disclosure policy
> (http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
> Puppy's. It basically just asks for somewhat consistent lines of
> communication after I disclose something. If the communication drops (or is
> non-existent), then it's at my own discretion to disclose it in a public
> forum.
>
> I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but
> if choosing to disclose something (even in private) means potential legal
> troubles, then that takes away the motivation for me to disclose it in any
> form. I'm still going to be finding bugs for my own educational purposes,
> but I'll just stop disclosing them. That in itself starts to undermine the
> internet as a whole, leading to the restriction of information exchange,
> which is appalling.
>
> It IS technically illegal to do these sorts of tests without consent, but
> at what point DOES it become a 'test'? There's some cases, granted, in which
> the intention is clear (testing for blind SQL injections, etc) as they leave
> a huge footprint, but there's no explicitly clear line in which it becomes
> illegal. Is adding a ' to my name illegal? What if my 70+ year old
> grandmother did it by accident? Could she be persecuted as well? You can't
> apply the law to only some situations and not others.
>
> I also point you to one of my favorite XKCD's => http://xkcd.com/327/
>
> Is naming your kid something like that technically illegal? Then that
> starts getting into free-speech issues, which are most certainly protected
> by the constitution. If I want my name to be "Ann Hero", and
> the site doesn't explicitly tell me I can't do so, then how can I be
> expected to reasonably know where their boundaries are? I don't see any
> terms of use for using their website anywhere.
>
> This is all just my opinion though, and sorry for the long message!
>
> Ryan
>
> - Origina
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
An interesting notion. I have to say their mailing list comment didn't exactly shine with professionalism, but there again, nor do mine. So I dunno :p

On Wed, Mar 30, 2011 at 9:10 PM, andrew.wallace <andrew.wall...@rocketmail.com> wrote:
> Guys,
>
> Is it because these are Burmese hackers as to why everyone is getting in a
> pickle, e.g eastern hackers attacking western companies? I feel an Obama
> moment coming on, where he condemns the group known as YGN.
>
> Andrew
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Ohh now I get it. I thought they had just copied and pasted someone else. My response is now: LOLOLOLOL.

On Wed, Mar 30, 2011 at 4:22 PM, Thor (Hammer of God) wrote:
> Let's see here... As an "ethical hacker group," you don't like being
> criticized by someone as engaging in illegal activities, so you announce on
> a public site that you are going to attack the company? Brilliant.
>
> t
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of YGN Ethical Hacker Group
> Sent: Wednesday, March 30, 2011 5:44 AM
> To: Pablo Ximenes
> Cc: full-disclosure
> Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
> According to xssed.com, there are two remaining XSS issues:
>
> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>
> You guys know our disclosed issues are very simple and can easily be found
> through viewing HTML/JS source codes and simple Google Hacking
> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>
> However, it was criticized as 'illegal break-in' by Cenzic's CMO,
> http://www.cenzic.com/company/management/khera/, according to Network
> World News editor - Ellen Messmer. Thus, the next target is Cenzic web
> site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner is.
>
> -
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar (Burma)
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
>
> On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes wrote:
> > FIY
> >
> > http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
> >
> > Pablo Ximenes
> > http://ximen.es/
> > http://twitter.com/pabloximenes
> >
> > 2011/3/28 Pablo Ximenes :
> >> blog post about this: http://ximen.es/?p=469
> >>
> >> Please, don't throw stones at me.
> >>
> >> []'s
> >>
> >> Pablo Ximenes
> >> http://ximen.es/
> >> http://twitter.com/pabloximenes
> >>
> >> 2011/3/27 YGN Ethical Hacker Group
> >>>
> >>> Vulnerabilities in *McAfee.com
> >>>
> >>> 1. VULNERABILITY DESCRIPTION
> >>>
> >>> -> Cross Site Scripting
> >>>
> >>> http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
> >>>
> >>> -> Information Disclosure > Internal Hostname:
> >>> http://www.mcafee.com/js/omniture/omniture_profile.js
> >>>
> >>> ($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js)
> >>>
> >>> -> Information Disclosure > Source Code Disclosure:
> >>>
> >>> view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
> >>> view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
> >>> view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
> >>> view-source:http://download.mcafee.com/clinic/Includes/common.asp
> >>> view-source:http://download.mcafee.com/updates/upgrade_patches.asp
> >>> view-source:http://download.mcafee.com/updates/common/dat_common.asp
> >>> view-source:http://download.mcafee.com/updates/updates.asp
> >>> view-source:http://download.mcafee.com/updates/superDat.asp
> >>> view-source:http://download.mcafee.com/eval/evaluate2.asp
> >>> view-source:http://download.mcafee.com/common/ssi/conditionals.asp
> >>> view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
> >>> view-source:http://download.mcafee.com/common/ssi/variables.asp
> >>> view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
> >>> view-source:http://do
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Thanks for all your inputs and discussions.

We believe keeping this information secret is unethical and irresponsible.

For those who think/criticize that we're unethical/illegal, there is a so-called "Passive Scanning" technique in security testing. Passive scanning (a.k.a. Passive Reconnaissance) is basically examining web site work flows and the source code involved to identify vulnerabilities without ever attacking the target itself. Contrary to what most people think, passive scanning allows everyone to audit any web site without breaking the law and without alarming the firewalls in front.

Basically it starts as:

1. Do Google Hacking and look for potential information leakage. (Most of the tools allow you to add your own GH Dorks.)
2. Browse the target web site with a scanner that has passive vulnerability scanning capability - ratproxy, zaproxy, webscarab, fiddler+watcher, burp-pro or you name it. Also use meta data extraction tools, and look for potential information leakage & others.
3. Examine all contents of JavaScript & decompiled Flash/Silverlight/Java Applets.
4. Look for common vulnerable points and misuses, e.g., for JS files, examine calls like document.URLUnencoded, document.referer, document.location, window.location, location.href, document.URL ...etc.

Passive scan is just a small subset of the assessment realm. Findings are very limited. Our recent disclosure of the Plesk open redirect flaw was a result of a purely passive scan on a static HTML web site - http://yehg.net/lab/pr0js/advisories/%5Bplesk_7.0-8.2%5D_open_url_redirection
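Step 4 of the list above is the part of a passive audit that can be done entirely offline over saved script text: find where a value read from one of the DOM sources the post names reaches a sink that treats it as HTML, script or a navigation target. The following is an added example (not code from the thread, from YGN, or from any tool the post mentions) of such a line-oriented taint heuristic in Python; the source and sink lists, the variable-propagation rule and the sample script are all assumptions, and the sample is constructed, not taken from any site in the thread. Note that the DOM property the post writes as document.referer is spelled document.referrer in browsers, which is what the pattern matches.

```python
"""Passive audit of a page's JavaScript for DOM XSS / open-redirect flows.

Added example (not from the thread or from YGN). It reads script text only,
never sends a request, and its source/sink lists and sample are assumptions.
"""
import re
from dataclasses import dataclass

# Attacker-influenced values a script can read: the post's list plus hash/search/cookie.
# Reads only; an assignment *to* location.href is treated as a sink below.
SOURCE_PATTERNS = {
    "document.URLUnencoded": r"document\.URLUnencoded\b",
    "document.URL": r"document\.URL\b",
    "document.referrer": r"document\.referrer\b",
    "document.cookie": r"document\.cookie\b(?!\s*=[^=])",
    "location.<prop>": r"\b(?:document\.|window\.)?location\.(?:href|hash|search|pathname)\b(?!\s*=[^=])",
    "location": r"\b(?:document\.|window\.)?location\b(?!\.)",
}
# Places where a string is interpreted as HTML, script, or a navigation target.
SINK_PATTERNS = {
    "document.write": r"document\.write(?:ln)?\s*\(",
    "innerHTML": r"\.(?:inner|outer)HTML\s*=[^=]",
    "insertAdjacentHTML": r"\.insertAdjacentHTML\s*\(",
    "jQuery.html": r"\.html\s*\(",
    "eval": r"\beval\s*\(",
    "Function": r"\bnew\s+Function\s*\(",
    "timer-string": r"\bset(?:Timeout|Interval)\s*\(\s*[\"'`]",
    "location-assign": r"\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\(",
}
STRING_RE = re.compile(r"'[^'\n]*'|\"[^\"\n]*\"|`[^`\n]*`")
COMMENT_RE = re.compile(r"//.*$")
# `x = ...`, `var x = ...`: the identifier directly before `=` (not after a `.`, so `el.innerHTML =` is not a variable)
ASSIGN_RE = re.compile(r"(?<![\w$.])(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)")


@dataclass
class Finding:
    line_no: int
    inputs: list   # DOM sources or tainted variable names feeding the sink
    sinks: list
    code: str


def _normalize(raw: str) -> str:
    """Blank string literals, then drop line comments, so neither can trigger a pattern."""
    return COMMENT_RE.sub("", STRING_RE.sub('""', raw))


def _sources_in(code: str) -> list:
    return [name for name, pat in SOURCE_PATTERNS.items() if re.search(pat, code)]


def _tainted_in(code: str, tainted: set) -> list:
    return [v for v in sorted(tainted)
            if re.search(r"(?<![\w$])" + re.escape(v) + r"(?![\w$])", code)]


def audit_js(js: str) -> list:
    """Return one Finding per line where a source (or a variable derived from one) hits a sink."""
    tainted, findings = set(), []
    for n, raw in enumerate(js.splitlines(), 1):
        code = _normalize(raw)
        inputs = _sources_in(code) + _tainted_in(code, tainted)
        if not inputs:
            continue
        # Propagate taint through `x = <expr>` when the right-hand side reads a source or a tainted name.
        for m in ASSIGN_RE.finditer(code):
            rhs = code[m.end():].split(";", 1)[0]
            if _sources_in(rhs) or _tainted_in(rhs, tainted):
                tainted.add(m.group(1))
        sinks = [name for name, pat in SINK_PATTERNS.items() if re.search(pat, code)]
        if sinks:
            findings.append(Finding(n, sorted(set(inputs)), sinks, raw.strip()))
    return findings


# Constructed sample script (assumption; not code from any site named in the thread).
SAMPLE_JS = """\
// Constructed sample page script (not code from any site named in the thread).
var params = location.search.substring(1);
var pairs = params.split("&");
var campaign = "";
for (var i = 0; i < pairs.length; i++) {
  var kv = pairs[i].split("=");
  if (kv[0] === "campaign") { campaign = unescape(kv[1]); }
  if (kv[0] === "next") { location.href = decodeURIComponent(kv[1]); }
}
document.getElementById("banner").innerHTML = "Welcome, " + campaign;
eval("track_" + campaign + "()");
var ref = document.referrer;
document.write("<img src='/t.gif?r=" + ref + "'>");
var hint = decodeURIComponent(location.hash.slice(1));
document.getElementById("hint").textContent = hint;
window.location.replace("https://example.org/home");
"""

if __name__ == "__main__":
    for f in audit_js(SAMPLE_JS):
        print(f"line {f.line_no}: {', '.join(f.inputs)} -> {', '.join(f.sinks)} :: {f.code}")
```

On the constructed sample this reports four lines: the open redirect (query value assigned to location.href), the innerHTML and eval sinks fed by the campaign parameter, and the document.write fed by document.referrer; the textContent assignment and the constant location.replace are correctly left alone. It is a per-line heuristic (no cross-line expressions, no dataflow through functions or objects), so it is a triage aid for reviewing your own scripts, not a substitute for a proper DOM-XSS analysis in a passive proxy such as those the post lists.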
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Agreed. If you put your site on the open internet, you have to take into account the inherent hostilities that go along with that action. A security firm like Mcafee /knows/ about these vulnerabilities. Guaranteed. If they offer services to make others' sites 'hacker proof', their first order of business should be to make sure that their infrastructure doesn't have blatantly obvious security holes. I'm not saying that they should catch EVERYTHING, but these are bugs that an automated scanner could easily pick up. I do understand that a large infrastructure like theirs has pages that have been created by people with varying degrees of competence, but that's why they need to do inclusive penetration tests of their own network. At the very least they need to have some mechanism in place to detect (and possibly defer) these sorts of attacks.

The way I see it, when a company hides behind legal threats to deter people from finding and reporting bugs, all they're doing is hurting themselves. Look at how Microsoft has turned around. 10 years ago they weren't dealing with people reporting issues in the right way, but they soon came to realize that by listening to the hackers that ARE coming forward with issues, they not only help themselves, but help the community as well. It's a win/win scenario for EVERYONE.

You can tell a vast amount about how an infrastructure is run from just a bit of poking. If there are blatant security holes everywhere, then they clearly don't take security seriously. If they filter for SQL injections in javascript, then the devs have no clue what they're actually trying to do. If you see SQL errors, chances are there are more serious issues to boot. I usually limit my poking to the very basic of basics when I do use a new service, and the more transparent they are (think reddit) the more I trust them. They even have a full subreddit devoted to finding and learning about XSS attacks. One word, awesome.

Simply put, in my opinion you can't blame a pen-tester for looking for bugs in a site. The only time it should be considered malicious is when it's used in a malicious way. If I find a XSS in a webform, and I report it along with remediation suggestions, I feel as though I'm doing the site a favor. It's unfortunate to think that some see this as a criminal activity.

Ryan

- Original Message -
From: "Jeffrey Walton"
To: "Thor (Hammer of God)"
Cc: "Ryan Sears" , "full-disclosure"
Sent: Wednesday, March 30, 2011 5:28:59 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

On Wed, Mar 30, 2011 at 4:36 PM, Thor (Hammer of God) wrote:
> I have that very strip printed and on the wall in my office :) You make
> several points, but the response that immediately comes to mind is that I
> actually see a difference between actively scanning content for
> structural/coding vulnerabilities, and entering data in a search box. I
> don't know if there is any basis for this legally, but I feel that if you put
> a box up and I can search for something, then I can put whatever I want in
> that box. You (the royal you) are basically soliciting people to put data in
> the box. However, you are not asking anyone to spider your site or run
> scans against it.
>
If a person or company places a host on the public internet and offers a service, I don't think it's reasonable to claim some input is "fair" and other input is "unfair". Perhaps the person or company should not offer public services in the first place. It seems reasonable (to me) that users of the site expect that the site is relatively defect free and secure. A tech-savvy user who tests the site through its public interface is simply exercising due diligence before using the services of the site.

I personally feel that individuals and companies which want to criminalize 'due diligence' are cowardly at best. I don't want to use the services of such a site; nor do I want to have an account on such a system.

Jeff
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
On Wed, Mar 30, 2011 at 4:36 PM, Thor (Hammer of God) wrote:
> I have that very strip printed and on the wall in my office :) You make
> several points, but the response that immediately comes to mind is that I
> actually see a difference between actively scanning content for
> structural/coding vulnerabilities, and entering data in a search box. I
> don't know if there is any basis for this legally, but I feel that if you put
> a box up and I can search for something, then I can put whatever I want in
> that box. You (the royal you) are basically soliciting people to put data in
> the box. However, you are not asking anyone to spider your site or run
> scans against it.
>
If a person or company places a host on the public internet and offers a service, I don't think it's reasonable to claim some input is "fair" and other input is "unfair". Perhaps the person or company should not offer public services in the first place. It seems reasonable (to me) that users of the site expect that the site is relatively defect free and secure. A tech-savvy user who tests the site through its public interface is simply exercising due diligence before using the services of the site.

I personally feel that individuals and companies which want to criminalize 'due diligence' are cowardly at best. I don't want to use the services of such a site; nor do I want to have an account on such a system.

Jeff
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
I have that very strip printed and on the wall in my office :) You make several points, but the response that immediately comes to mind is that I actually see a difference between actively scanning content for structural/coding vulnerabilities, and entering data in a search box. I don't know if there is any basis for this legally, but I feel that if you put a box up and I can search for something, then I can put whatever I want in that box. You (the royal you) are basically soliciting people to put data in the box. However, you are not asking anyone to spider your site or run scans against it.

That said, my guess is that it would all come down to intent. If I put ' or 1=1-- (like the site I had that some camper sniped) in, it's a pretty sure bet that I'm looking for SQL injection. But I don't know if the search box "entitles" me to do that. It certainly is interesting list fodder though...

> -Original Message-
> From: Ryan Sears [mailto:rdse...@mtu.edu]
> Sent: Wednesday, March 30, 2011 12:30 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure; noloa...@gmail.com
> Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
>
> How about the scenario in which one statically audits some javascript sitting
> on a site, to notice it does something in an unsafe manner, and can be used in
> a XSS attack without actually making it happen? There was no actual
> 'attacking' done, but there was still a vulnerability discovered. Is THAT
> considered an illegal act? Is putting a '<3' into a web form/comment section
> considered attacking it if you look at the source to see how the character
> translated? What if you just wanted to make an ascii heart? My point is it's a
> very blurry line, and there are a lot of scenarios where one may discover a
> vulnerability without even having to do anything.
>
> As for the source code disclosures, there was absolutely no 'attacking' done.
> This was a huge oversight in the site devs, and they were giving that
> information to anyone who requested it, plain and simple. What about the
> Tumblr incident that happened a while ago? Just because they screwed up a
> production script, they ended up leaking massive amounts of internal
> infrastructure details, as well as private API keys, and other stuff that could be
> used for nefarious means. Is it illegal to visit that page? I think not, as THEY
> were putting the information out there (albeit by accident), but I as a user
> have no way to know that.
>
> I understand what you're saying about them not asking people to look for
> bugs, but it IS the internet. Companies don't typically ask external people to
> audit their executables either, but people do it for a number of reasons
> (mainly education).
>
> If they leave their site up, people will potentially poke at it. That's just the way
> it is. If I have a vested interest in a company (be it monetary or simply
> supporting its cause), I personally want to see the site flourish, because I am
> then a part of that site. I want to make sure that my personal information is
> protected, and if I do find a bug somewhere, I report it. I recently found a XSS
> in OpenDNS's landing page, and they were very appreciative, very
> professional, and prompt to respond. This made me WANT to work with them
> further to ensure that their infrastructure was hardened to other forms of
> attack as well. I don't disclose these sorts of issues publicly, because I give the
> developers a chance to fix it, and in my past experience most companies are
> happy that I reported an issue, because I could have just as easily not said
> anything. If it does come down to it though, I follow my own public disclosure
> policy (http://talesofacoldadmin.com/disclosure.html) based off Rain Forest
> Puppy's. It basically just asks for somewhat consistent lines of communication
> after I disclose something. If the communication drops (or is non-existent),
> then it's at my own discretion to disclose it in a public forum.
>
> I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but if
> choosing to disclose something (even in private) means potential legal
> troubles, then that takes away the motivation for me to disclose it in any
> form. I'm still going to be finding bugs for my own educational purposes, but
> I'll just stop disclosing them. That in itself starts to undermine the internet as a
> whole, leading to the restriction of information exchange, which is appalling.
>
> It IS technically illegal to do these sorts of tests without consent, but at what
> point DOES it become a 'test'? There's some cases, granted, in which the
> intention is cl
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Nah, not from my POV anyway... I'm not concerned with who is attacking whom from where; I just tend to say something when people claim to be "ethical hackers" but then say they are going to target a security company because they criticized the group for targeting people. It seems redundantly ironic. Or would that be ironically redundant?

t

From: andrew.wallace [mailto:andrew.wall...@rocketmail.com]
Sent: Wednesday, March 30, 2011 1:10 PM
To: noloa...@gmail.com; n...@myproxylists.com; c...@foxwhisper.co.uk; pa...@ximen.es; m...@b3nji.com; Thor (Hammer of God); uuf6...@gmail.com; rdse...@mtu.edu
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com

Guys,

Is it because these are Burmese hackers as to why everyone is getting in a pickle, e.g. eastern hackers attacking western companies?

I feel an Obama moment coming on, where he condemns the group known as YGN.

Andrew

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
How about the scenario in which one statically audits some JavaScript sitting on a site, notices it does something in an unsafe manner and can be used in an XSS attack, without actually making it happen? There was no actual 'attacking' done, but there was still a vulnerability discovered. Is THAT considered an illegal act? Is putting a '<3' into a web form/comment section considered attacking it if you look at the source to see how the character translated? What if you just wanted to make an ASCII heart? My point is it's a very blurry line, and there are a lot of scenarios where one may discover a vulnerability without even having to do anything.

As for the source code disclosures, there was absolutely no 'attacking' done. This was a huge oversight by the site devs, and they were giving that information to anyone who requested it, plain and simple. What about the Tumblr incident that happened a while ago? Just because they screwed up a production script, they ended up leaking massive amounts of internal infrastructure details, as well as private API keys and other stuff that could be used for nefarious means. Is it illegal to visit that page? I think not, as THEY were putting the information out there (albeit by accident), but I as a user have no way to know that.

I understand what you're saying about them not asking people to look for bugs, but it IS the internet. Companies don't typically ask external people to audit their executables either, but people do it for a number of reasons (mainly education).

If they leave their site up, people will potentially poke at it. That's just the way it is. If I have a vested interest in a company (be it monetary or simply supporting its cause), I personally want to see the site flourish, because I am then a part of that site. I want to make sure that my personal information is protected, and if I do find a bug somewhere, I report it.

I recently found an XSS in OpenDNS's landing page, and they were very appreciative, very professional, and prompt to respond. This made me WANT to work with them further to ensure that their infrastructure was hardened to other forms of attack as well. I don't disclose these sorts of issues publicly, because I give the developers a chance to fix it, and in my past experience most companies are happy that I reported an issue, because I could have just as easily not said anything. If it does come down to it though, I follow my own public disclosure policy (http://talesofacoldadmin.com/disclosure.html) based off Rain Forest Puppy's. It basically just asks for somewhat consistent lines of communication after I disclose something. If the communication drops (or is non-existent), then it's at my own discretion to disclose it in a public forum.

I don't HAVE to disclose anything to anyone, I CHOOSE to disclose it, but if choosing to disclose something (even in private) means potential legal troubles, then that takes away the motivation for me to disclose it in any form. I'm still going to be finding bugs for my own educational purposes, but I'll just stop disclosing them. That in itself starts to undermine the internet as a whole, leading to the restriction of information exchange, which is appalling.

It IS technically illegal to do these sorts of tests without consent, but at what point DOES it become a 'test'? There are some cases, granted, in which the intention is clear (testing for blind SQL injection, etc.) as they leave a huge footprint, but there's no explicitly clear line at which it becomes illegal. Is adding a ' to my name illegal? What if my 70+ year old grandmother did it by accident? Could she be prosecuted as well? You can't apply the law to only some situations and not others. I also point you to one of my favorite XKCDs => http://xkcd.com/327/ Is naming your kid something like that technically illegal? Then that starts getting into free-speech issues, which are most certainly protected by the constitution. If I want my name to be "Ann Hero", and the site doesn't explicitly tell me I can't do so, then how can I be expected to reasonably know where their boundaries are? I don't see any terms of use for using their website anywhere.

This is all just my opinion though, and sorry for the long message!

Ryan

----- Original Message -----
From: "Thor (Hammer of God)"
To: "Ryan Sears", noloa...@gmail.com
Cc: "full-disclosure"
Sent: Wednesday, March 30, 2011 2:12:37 PM GMT -05:00 US/Canada Eastern
Subject: RE: [Full-disclosure] Vulnerabilities in *McAfee.com
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Well, I think there is a flip side to this, and that is the fact that no one is asking these people to inspect their sites for vulnerabilities. They are taking it upon themselves to scan the sites actively looking for vulnerabilities for the sole purpose of exposing them. They may say that they are doing it "to ensure that the vendors fix their problems" but it's not really any of their business to do so. I think someone would be hard pressed to justify (defend) their actions when they basically "attack" a site that they don't own, without permission, with the express intent of finding a vulnerability. That's the difference between a "test" and an "attack." It doesn't matter how trivial their finds are, or what the outcome of the scan is, it is the fact that no one asked, nor wants them to do this. Technically, what they are doing is in fact illegal - in the US anyway. So there is another aspect of this that deserves some discussion, I think.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Ryan Sears
Sent: Wednesday, March 30, 2011 10:45 AM
To: noloa...@gmail.com
Cc: full-disclosure
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Seriously. I gotta say I feel like people at Cenzic (and McAfee for that matter), if anyone, should understand that an XSS should really only be construed as a 'criminal act' if it's indeed used to attack someone. If a group is taking the time out of their day to find and disclose issues to McAfee, they should probably be thankful. What about finding a vulnerability in McAfee's virus scanner? Could that be construed as a 'criminal act' if they disclose it? Where do you draw the line?

Basically this sort of thing pushes the community into silence until something truly criminal happens. I'm not saying give anyone massive amounts of credit for publishing a few XSS bugs (because there are millions of them out there), but don't label them as criminals for trying to help. That's just idiotic IMO.

If you run an enterprise level solution for antivirus AND web vulnerability testing, the community understands that it's a process not unlike any other. There will be bugs, but it only demolishes the image of McAfee to see them handle it like this in particular. If they would have been appreciative about it, and promptly fixed their website (or at the very least maintained friendly contact), this incident would have pretty much gone unnoticed.

Look at LastPass as an example.

http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They had someone poking at their site, who managed to find an XSS bug using CRLF injection. They were appreciative of the find, 2.5 hrs later the issue was fixed, and there was that blog post about exactly what they were going to do about it. They took full responsibility for the fact that THEIR coding was to blame, and basically said 'This is what happened, and this is why it will probably never happen again'. This spoke hugely to me (as I'm sure it did to the rest of the community) because it shows a company that's willing to admit it made a mistake, as opposed to sitting on their haunches and blaming people for looking for these sorts of bugs. Oh, and not every customer of their service has to pay massive licensing fees, as there's a free version as well. In my mind at least this equates to a company that cares more about their customers that don't pay a single dime than a company who forces people to pay massive amounts of coin for shaky automated scanning and services. That's just the way I see it though.

Someone's gotta tell the emperor he has no clothes on.

Ryan

----- Original Message -----
From: "Jeffrey Walton"
To: "YGN Ethical Hacker Group"
Cc: "full-disclosure"
Sent: Wednesday, March 30, 2011 1:05:42 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
On Wed, Mar 30, 2011 at 8:44 AM, YGN Ethical Hacker Group wrote:
> According to xssed.com, there are two remaining XSS issues:
>
> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>
> You guys know our disclosed issues are very simple and can easily be
> found through viewing HTML/JS source codes and simple Google Hacking
> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>
> However, it was criticized as 'illegal break-in' by Cenzic's CMO,
> http://www.cenzic.com/company/management/khera/, according to Network
> World News editor - Ellen Messmer. Thus, the next target is Cenzic
> web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> is.

Too funny. I wonder if Aaron Barr is consulting for Cenzic.

Jeff

>> [SNIP]
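The Google dork quoted above keys on unrendered ASP delimiters ("<% Dim") turning up in served pages, and the advisory's own recommendation is outbound monitoring for such leakage. As an added example (not code from YGN, McAfee or anyone in the thread), here is a response-body check that flags two of the leak classes the advisory lists: server-side ASP source reaching the client, and internal hostnames or private addresses embedded in client-side JavaScript (the kind of thing host-extract.rb was run against omniture_profile.js to find). The sample responses, the example.test URLs and the internal-domain suffixes are constructed assumptions.

```javascript
// Added example, not code from the advisory or anyone in the thread.
// Scans HTTP response bodies for two leak classes the advisory reports:
//   1. unrendered ASP source reaching the client (the "<% Dim" signature
//      the Google dork in the thread searches for), and
//   2. internal hostnames / private IPs embedded in client-side JS.
// Intended as the "outbound monitoring" check the advisory recommends.
// All sample bodies, URLs and the internal-domain suffixes are constructed.

// Server-side ASP delimiters that should never appear in a rendered page.
const ASP_TAG = /<%[\s\S]*?%>/;
// VBScript/ASP statements that distinguish real source from a stray "<%".
const ASP_HINTS = /\b(?:Dim|Response\.Write|Request\.(?:Form|QueryString)|Server\.CreateObject|Option Explicit)\b/;

// Internal naming suffixes (assumption; adjust to the organisation's DNS).
const INTERNAL_HOST = /\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\.(?:local|internal|corp|lan|intranet)\b/gi;
// RFC 1918 address ranges.
const PRIVATE_IP = /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/g;

// Returns the leaked ASP block, or null when the body only mentions "<%"
// in passing (e.g. documentation that talks about ASP syntax).
function findAspSourceLeak(body) {
  const tag = body.match(ASP_TAG);
  if (!tag) return null;
  return ASP_HINTS.test(tag[0]) ? tag[0].trim() : null;
}

// Returns a sorted, de-duplicated list of internal hosts / private IPs.
function findInternalHosts(body) {
  const hits = new Set();
  for (const m of body.matchAll(INTERNAL_HOST)) hits.add(m[0].toLowerCase());
  for (const m of body.matchAll(PRIVATE_IP)) hits.add(m[0]);
  return [...hits].sort();
}

// One finding per leak; evidence is truncated so the alert log does not
// re-leak the source it is warning about.
function scanResponse(url, body) {
  const findings = [];
  const asp = findAspSourceLeak(body);
  if (asp) findings.push({ url, type: 'asp-source-disclosure', evidence: asp.slice(0, 60) });
  for (const host of findInternalHosts(body)) {
    findings.push({ url, type: 'internal-host', evidence: host });
  }
  return findings;
}

// Constructed sample responses (no real McAfee content).
const SAMPLES = [
  { url: 'http://download.example.test/updates/updates.asp',
    body: '<html><body>\n<% Dim datVersion\n   datVersion = Request.QueryString("v") %>\n<p>Latest DAT</p>\n</body></html>' },
  { url: 'http://www.example.test/js/omniture/profile.js',
    body: 'var s_account = "prod";\nvar trackingServer = "stats.example.test";\nvar internalServer = "omni-collector.corp.internal";\nvar rumHost = "10.12.4.7";\n' },
  { url: 'http://www.example.test/help/asp-intro.html',
    body: '<html><body><p>ASP code lives between <% value %> delimiters.</p></body></html>' },
];

function scanAll(samples = SAMPLES) {
  return samples.flatMap(s => scanResponse(s.url, s.body));
}

for (const f of scanAll()) console.log(`${f.type.padEnd(22)} ${f.url}  ${f.evidence}`);
```

The third sample is the false-positive case: a page that merely talks about ASP syntax contains `<%` but no statement, so it is not reported. In a real deployment `scanResponse` would sit on the reverse proxy or in the egress IDS and be fed the decompressed body; the signatures are deliberately narrow so that a hit is worth a page-out.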
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Thor, that's just a marketing adjective. Just like when you're asked to buy authentic replica r0lex watches.

Cheers,
Chris.

On Wed, Mar 30, 2011 at 5:22 PM, Thor (Hammer of God) wrote:
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Let's see here... As an "ethical hacker group," you don't like being criticized by someone as engaging in illegal activities, so you announce on a public site that you are going to attack the company? Brilliant.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of YGN Ethical Hacker Group
Sent: Wednesday, March 30, 2011 5:44 AM
To: Pablo Ximenes
Cc: full-disclosure
Subject: Re: [Full-disclosure] Vulnerabilities in *McAfee.com
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
?

On Wed, Mar 30, 2011 at 1:49 PM, Benji wrote:
> I'm sure they pjear the xss 4nd w3bbug f1nd1ng sk1llz of the renowned
> ethical hacking group YGN!!!111
>
> (Plzdontxssme)
>
> On 3/30/11, YGN Ethical Hacker Group wrote:
> > According to xssed.com, there are two remaining XSS issues:
> >
> > https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> > https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> >
> > You guys know our disclosed issues are very simple and can easily be
> > found through viewing HTML/JS source codes and simple Google Hacking
> > (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
> >
> > However, it was criticized as 'illegal break-in' by Cenzic's CMO,
> > http://www.cenzic.com/company/management/khera/, according to Network
> > World News editor - Ellen Messmer. Thus, the next target is Cenzic
> > web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> > is.
> >
> > -
> > Best regards,
> > YGN Ethical Hacker Group
> > Yangon, Myanmar (Burma)
> > http://yehg.net
> > Our Lab | http://yehg.net/lab
> > Our Directory | http://yehg.net/hwd
> >
> > On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes wrote:
> >> FYI
> >>
> >> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
> >>
> >> Pablo Ximenes
> >> http://ximen.es/
> >> http://twitter.com/pabloximenes
> >>
> >> 2011/3/28 Pablo Ximenes :
> >>> blog post about this: http://ximen.es/?p=469
> >>>
> >>> Please, don't throw stones at me.
> >>>
> >>> []'s
> >>>
> >>> Pablo Ximenes
> >>> http://ximen.es/
> >>> http://twitter.com/pabloximenes
> >>>
> >>> 2011/3/27 YGN Ethical Hacker Group
> >
> > Vulnerabilities in *McAfee.com
> >
> > 1. VULNERABILITY DESCRIPTION
> >
> > -> Cross Site Scripting
> >
> > http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
> >
> > -> Information Disclosure > Internal Hostname:
> > http://www.mcafee.com/js/omniture/omniture_profile.js
> >
> > ($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js)
> >
> > -> Information Disclosure > Source Code Disclosure:
> >
> > view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
> > view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
> > view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
> > view-source:http://download.mcafee.com/clinic/Includes/common.asp
> > view-source:http://download.mcafee.com/updates/upgrade_patches.asp
> > view-source:http://download.mcafee.com/updates/common/dat_common.asp
> > view-source:http://download.mcafee.com/updates/updates.asp
> > view-source:http://download.mcafee.com/updates/superDat.asp
> > view-source:http://download.mcafee.com/eval/evaluate2.asp
> > view-source:http://download.mcafee.com/common/ssi/conditionals.asp
> > view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
> > view-source:http://download.mcafee.com/common/ssi/variables.asp
> > view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
> > view-source:http://download.mcafee.com/common/ssi/errHandler.asp
> > view-source:http://download.mcafee.com/common/ssi/common_subs.asp
> > view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
> > view-source:http://download.mcafee.com/us/bannerAd.asp
> > view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
> >
> > 2. RECOMMENDATION
> >
> > - Fully utilize McAfee Foundstone Experts
> > - Use outbound monitoring of traffic to detect potential information leakage
> >
> > 3. VENDOR
> >
> > McAfee Inc
> > http://www.mcafee.com
> >
> > 4. DISCLOSURE TIME-LINE
> >
> > 2011-02-10: reported vendor
> > 2011-02-12: vendor replied "we are working to resolve the issue as quickly as possible"
> > 2011-03-27: vulnerability found to be unfixed completely
> > 2011-03-27: vulnerability disclosed
> >
> > 5. REFERENCES
> >
> > Original Advisory URL:
> > http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
> > Former Disclosure, 2008:
> > http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
> > Former Disclosure, 2009:
> > http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
> > Former Disclosure, 2010:
> > http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
> > host
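The XSS URL in the advisory puts `javascript:top.location.replace('attacker.in')` in the fragment, so the webhelp page must be navigating to whatever follows `#`: a DOM-based XSS where the sink is `location.replace` and the source is `location.hash`. The advisory shows only the URL, not the page's script, so the vulnerable sink below is an assumption about that pattern, placed beside the hardened form a fix would take. This is an added example, not McAfee's code; the help root URL is a placeholder.

```javascript
// Added example, not McAfee's webhelp code. The advisory shows only the URL
//   .../webhelp/4/1033/#javascript:top.location.replace('attacker.in')
// so the "unsafe" sink below is an assumption about what a help frameset
// does with its fragment; the hardened version is what a fix looks like.
// HELP_ROOT is a placeholder, not a real host.

const HELP_ROOT = 'http://download.example.test/products/webhelp/4/1033/';

// Navigating to a string with one of these schemes runs script (or loads
// attacker-controlled content) in the help page's origin.
const SCRIPT_SCHEME = /^\s*(?:javascript|data|vbscript):/i;

// Assumed vulnerable pattern: "the topic is whatever follows '#'", handed
// straight to location.replace(). A fragment of "javascript:..." then
// becomes a javascript: navigation, which is the DOM-based XSS reported.
function topicFromHashUnsafe(hash) {
  return decodeURIComponent(hash.replace(/^#/, ''));
}

// Hardened: accept only a relative topic path from a strict character
// allowlist, resolve it against the help root, and check that the result
// stays on the same origin and under the help root. Anything else is
// rejected rather than "cleaned", so there is nothing to smuggle past.
const TOPIC_RE = /^[A-Za-z0-9_][A-Za-z0-9_./-]{0,199}$/;

function topicFromHashSafe(hash, helpRoot = HELP_ROOT) {
  const raw = hash.replace(/^#/, '');
  let topic;
  try { topic = decodeURIComponent(raw); } catch { return null; }  // malformed %-escapes
  if (!TOPIC_RE.test(topic)) return null;  // no ':', '(', quotes, '<', whitespace, leading '/'
  if (topic.includes('..')) return null;   // no traversal above the help root
  const root = new URL(helpRoot);
  const url = new URL(topic, root);        // relative resolution only
  if (url.origin !== root.origin || !url.pathname.startsWith(root.pathname)) return null;
  return url.href;
}

// Describes what each sink would do with a given fragment.
function classify(hash) {
  const unsafe = topicFromHashUnsafe(hash);
  return {
    hash,
    unsafeTarget: unsafe,
    unsafeRunsScript: SCRIPT_SCHEME.test(unsafe),
    safeTarget: topicFromHashSafe(hash),   // null means the hardened sink refused it
  };
}

// Browser wiring for the hardened sink (no-op under Node). The element id
// is an assumption about the help page's layout.
if (typeof window !== 'undefined') {
  const load = () => {
    const target = topicFromHashSafe(window.location.hash);
    if (target) document.getElementById('topic').src = target;
  };
  window.addEventListener('hashchange', load);
  load();
}

const FRAGMENTS = [
  "#javascript:top.location.replace('attacker.in')",  // the advisory's payload
  '#topics/intro.htm',                                 // a legitimate topic
  '#//attacker.test/x',                                // protocol-relative escape
  '#topics/../../admin.asp',                           // traversal attempt
];
for (const f of FRAGMENTS) console.log(classify(f));
```

The allowlist does the real work: because `:` is not a permitted character, no scheme of any kind survives, so there is no blacklist of `javascript:` spellings to keep current. The origin and path-prefix check after URL resolution is the second line of defence, catching anything the character class lets through that still resolves off the help tree.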
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
"However, it was criticized as 'illegal break-in' by Cenzic's CMO, http://www.cenzic.com/company/management/khera/, according to Network World News editor - Ellen Messmer. Thus, the next target is Cenzic web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner is."

On Wed, Mar 30, 2011 at 2:57 PM, Cal Leeming wrote:
> ?
>
> On Wed, Mar 30, 2011 at 1:49 PM, Benji wrote:
>> I'm sure they pjear the xss 4nd w3bbug f1nd1ng sk1llz of the renowned
>> ethical hacking group YGN!!!111
>>
>> (Plzdontxssme)
>>
>> On 3/30/11, YGN Ethical Hacker Group wrote:
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
I'm sure they pjear the xss 4nd w3bbug f1nd1ng sk1llz of the renowned ethical hacking group YGN!!!111

(Plzdontxssme)

On 3/30/11, YGN Ethical Hacker Group wrote:
> According to xssed.com, there are two remaining XSS issues:
>
> https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
> https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //
>
> You guys know our disclosed issues are very simple and can easily be
> found through viewing HTML/JS source codes and simple Google Hacking
> (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).
>
> However, it was criticized as 'illegal break-in' by Cenzic's CMO,
> http://www.cenzic.com/company/management/khera/, according to Network
> World News editor - Ellen Messmer. Thus, the next target is Cenzic
> web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner
> is.
>
> -
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar (Burma)
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
>
> On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes wrote:
>> FYI
>>
>> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes
>>
>> 2011/3/28 Pablo Ximenes :
>>> blog post about this: http://ximen.es/?p=469
>>>
>>> Please, don't throw stones at me.
>>>
>>> []'s
>>>
>>> Pablo Ximenes
>>> http://ximen.es/
>>> http://twitter.com/pabloximenes
>>>
>>> 2011/3/27 YGN Ethical Hacker Group
>>>> Vulnerabilities in *McAfee.com
>>>> [original advisory quoted in full; snipped]
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
According to xssed.com, there are two remaining XSS issues:

https://kb.mcafee.com/corporate/index?page=content&id=";; alert(1); //
https://kc.mcafee.com/corporate/index?page=content&id=";; alert(1); //

You guys know our disclosed issues are very simple and can easily be found through viewing HTML/JS source codes and simple Google Hacking (http://www.google.com/search?q=%22%3C%25+Dim++site%3Adownload.mcafee.com).

However, it was criticized as 'illegal break-in' by Cenzic's CMO, http://www.cenzic.com/company/management/khera/, according to Network World News editor - Ellen Messmer. Thus, the next target is Cenzic web site. Let's see how strong the Kung-Fu of Cenzic HailStorm scanner is.

-
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar (Burma)
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

On Tue, Mar 29, 2011 at 9:01 PM, Pablo Ximenes wrote:
> FYI
>
> http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes
>
> Pablo Ximenes
> http://ximen.es/
> http://twitter.com/pabloximenes
>
> 2011/3/28 Pablo Ximenes :
>> blog post about this: http://ximen.es/?p=469
>>
>> Please, don't throw stones at me.
>>
>> []'s
>>
>> Pablo Ximenes
>> http://ximen.es/
>> http://twitter.com/pabloximenes
>>
>> 2011/3/27 YGN Ethical Hacker Group
>>> Vulnerabilities in *McAfee.com
>>> [original advisory quoted in full; snipped]
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
FYI

http://it.slashdot.org/story/11/03/28/209230/McAfees-Website-Full-of-Security-Holes

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes

2011/3/28 Pablo Ximenes :
> blog post about this: http://ximen.es/?p=469
>
> Please, don't throw stones at me.
>
> []'s
>
> Pablo Ximenes
> http://ximen.es/
> http://twitter.com/pabloximenes
>
> 2011/3/27 YGN Ethical Hacker Group
>> Vulnerabilities in *McAfee.com
>> [original advisory quoted in full; snipped]
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
blog post about this: http://ximen.es/?p=469

Please, don't throw stones at me.

[]'s

Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes

2011/3/27 YGN Ethical Hacker Group
> Vulnerabilities in *McAfee.com
> [original advisory quoted in full; snipped]
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
GROUP HUG!

On Sun, Mar 27, 2011 at 9:02 PM, wrote:
>
> On Sun, Mar 27, 2011 at 7:45 PM, wrote:
>>>> Vulnerabilities in *McAfee.com
>>>
>>> Am I right? Do they offer "Verified by McAfee" security services but are
>>> too lazy to fix their own shit? If so, LOL :D
>>
>> Maybe you should grow up you little twerp.
>>
>> Andrew
>
> Are you trying to make love with me? No thanks.
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> On Sun, Mar 27, 2011 at 7:45 PM, wrote:
>>> Vulnerabilities in *McAfee.com
>>
>> Am I right? Do they offer "Verified by McAfee" security services but are
>> too lazy to fix their own shit? If so, LOL :D
>
> Maybe you should grow up you little twerp.
>
> Andrew

Are you trying to make love with me? No thanks.
Re: [Full-disclosure] Vulnerabilities in *McAfee.com
> Vulnerabilities in *McAfee.com

Am I right? Do they offer "Verified by McAfee" security services but are too lazy to fix their own shit? If so, LOL :D

> 1. VULNERABILITY DESCRIPTION
> [original advisory quoted in full; snipped]
[Full-disclosure] Vulnerabilities in *McAfee.com
Vulnerabilities in *McAfee.com


1. VULNERABILITY DESCRIPTION

-> Cross Site Scripting

http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')

-> Information Disclosure > Internal Hostname:
http://www.mcafee.com/js/omniture/omniture_profile.js

($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js)

-> Information Disclosure > Source Code Disclosure:

view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
view-source:http://download.mcafee.com/clinic/Includes/common.asp
view-source:http://download.mcafee.com/updates/upgrade_patches.asp
view-source:http://download.mcafee.com/updates/common/dat_common.asp
view-source:http://download.mcafee.com/updates/updates.asp
view-source:http://download.mcafee.com/updates/superDat.asp
view-source:http://download.mcafee.com/eval/evaluate2.asp
view-source:http://download.mcafee.com/common/ssi/conditionals.asp
view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
view-source:http://download.mcafee.com/common/ssi/variables.asp
view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
view-source:http://download.mcafee.com/common/ssi/errHandler.asp
view-source:http://download.mcafee.com/common/ssi/common_subs.asp
view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
view-source:http://download.mcafee.com/us/bannerAd.asp
view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp


2. RECOMMENDATION

- Fully utilize McAfee Foundstone Experts
- Use outbound monitoring of traffic to detect potential information leakage


3. VENDOR

McAfee Inc
http://www.mcafee.com


4. DISCLOSURE TIME-LINE

2011-02-10: reported to vendor
2011-02-12: vendor replied "we are working to resolve the issue as quickly as possible"
2011-03-27: vulnerability found to be unfixed completely
2011-03-27: vulnerability disclosed


5. REFERENCES

Original Advisory URL: http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
Former Disclosure, 2008: http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
Former Disclosure, 2009: http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110667.shtml
Former Disclosure, 2010: http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-defacement.html
host-extract: http://code.google.com/p/host-extract/
Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
xssed: http://www.xssed.com/search?key=mcafee.com
Lessons Learned: http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-from-a-security-breach

#yehg [2011-03-27]
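Added example (not YGN's, McAfee's or host-extract's code), in Python: a response-body check for the two information-disclosure classes in the advisory above, the kind of check its "outbound monitoring of traffic" recommendation calls for. It flags classic ASP source that reached the client unrendered (the `<% Dim` signature the advisory's Google dork searches for) and internal hostnames or private IPs embedded in served JavaScript (what host-extract pulls out of a profile script); the sample responses, hostnames and the internal-suffix list are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Server-side script delimiters; a correctly rendered ASP page never contains them.
ASP_BLOCK = re.compile(r"<%(.*?)%>", re.S)
# VBScript statements that turn a delimiter match into a confirmed leak
# (a client-side template engine may legitimately use <% %> without them).
ASP_KEYWORDS = re.compile(
    r"\bDim\b|\bResponse\.Write\b|\bRequest\.(?:Form|QueryString|Cookies)\b"
    r"|\bServer\.CreateObject\b|\bSet\s+\w+\s*=|\bLanguage\s*=\s*(?:VBScript|JScript)\b",
    re.I,
)
# Hostnames: the authority of an absolute URL, or a bare quoted dotted name.
URL_HOST = re.compile(r"https?://([a-z0-9][a-z0-9.-]*)", re.I)
QUOTED_HOST = re.compile(r"""["']((?:[a-z0-9-]+\.)+[a-z0-9-]+)(?::\d+)?["']""", re.I)
PRIVATE_IP = re.compile(
    r"(?:10|127)\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
)
# Suffixes that do not resolve on the public Internet (assumed list; add your own zones).
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".intranet")


@dataclass(frozen=True)
class Finding:
    url: str       # response that leaked
    kind: str      # "source_leak" or "internal_host"
    evidence: str  # leaked code fragment or hostname


def is_internal_host(host: str) -> bool:
    """RFC 1918/loopback addresses, single-label (NetBIOS-style) names and
    names under a non-public suffix are treated as internal."""
    h = host.lower().rstrip(".")
    if PRIVATE_IP.fullmatch(h):
        return True
    if "." not in h:  # e.g. "webfarm01" or "localhost"
        return True
    return h.endswith(INTERNAL_SUFFIXES)


def find_source_leak(url: str, body: str) -> list:
    """One finding per <% ... %> block that contains VBScript statements."""
    return [
        Finding(url, "source_leak", m.group(1).strip()[:60])
        for m in ASP_BLOCK.finditer(body)
        if ASP_KEYWORDS.search(m.group(1))
    ]


def find_internal_hosts(url: str, body: str) -> list:
    """One finding per distinct internal hostname or IP referenced in the body."""
    hosts = set()
    for pattern in (URL_HOST, QUOTED_HOST):
        for m in pattern.finditer(body):
            if is_internal_host(m.group(1)):
                hosts.add(m.group(1).lower())
    return [Finding(url, "internal_host", h) for h in sorted(hosts)]


def inspect_response(url: str, body: str) -> list:
    return find_source_leak(url, body) + find_internal_hosts(url, body)


# Constructed sample responses standing in for captured outbound traffic
# (placeholder hosts, not values taken from any real site).
SAMPLES = {
    # An .asp file served as text instead of being executed.
    "http://download.example.com/common/ssi/variables.asp": (
        "<%\nDim sConn, sDbUser\n"
        'sConn = "Provider=SQLOLEDB;Data Source=dbsrv01"\n'
        'Response.Write "<html>"\n%>\n<html><body>...</body></html>'
    ),
    # An analytics profile script carrying an intranet endpoint.
    "http://www.example.com/js/omniture/omniture_profile.js": (
        'var s_account = "examplecom";\n'
        's.trackingServer = "metrics.example.com";\n'
        'var dbg = "http://omniture-web01.example.internal:8080/log";\n'
        'var fallback = "http://10.20.30.40/log";\n'
        'var cdn = "https://cdn.example.com/lib.js";\n'
    ),
    # A clean page: no findings expected.
    "http://www.example.com/index.html":
        '<html><body><script src="/js/app.js"></script></body></html>',
}


def scan_all(samples=None) -> dict:
    """Map each URL to its findings (empty list when the response is clean)."""
    return {u: inspect_response(u, b) for u, b in (samples or SAMPLES).items()}


if __name__ == "__main__":
    for url, findings in scan_all().items():
        for f in findings:
            print(f"{f.kind:14} {url} -> {f.evidence}")
```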