According to the Full Disclosure site, McAfee.com is full of security mistakes that could lead to cross-site scripting and other attacks.
The holes were found by the YGN Ethical Hacker Group and reported to McAfee last month.
In addition to cross-site scripting, YGN discovered numerous information disclosure holes in the site, including an exposed internal hostname and 18 source code disclosures.
The bit of the site that could be used for a cross-site scripting attack hosted some of McAfee’s files for downloading software.
If only there were some software which could scan a site to detect such errors.
McAfee peddles a McAfee Secure service to enterprises to make sure their customer-facing websites are secure. McAfee Secure scans a website daily for “thousands of hacker vulnerabilities” and if a site meets McAfee’s “high standard of security,” then users of McAfee anti-malware products see a “McAfee Secure” label in their browsers.
The security product claims to test for personal information access, links to dangerous sites, phishing, and other embedded malicious dangers that a website might unknowingly be hosting.
YGN said that after reporting the flaws on the McAfee website, McAfee responded that it was working to resolve the problems as quickly as possible.
However, by 27 March, McAfee had not fixed any of them.
YGN suggested that McAfee should make better use of its own internal website security experts from Foundstone, a Web security services company McAfee acquired in 2004. Perhaps it should “use outbound monitoring of traffic to detect potential information leakage.”
Actually, McAfee’s website is regularly found to be lacking in security. In 2008 it was found to be suffering from cross-site scripting (XSS) errors by security outfit XSSed.
In 2009, a white-hat hacker going by Methodman published proof-of-concept attacks against websites kc.mcafee.com and mcafeerebates.com, and in April 2010, the McAfee.com community forums were defaced via a cross-site scripting attack.