In association with heise online

29 March 2011, 12:23

Holes in McAfee's web site

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

McAfee Logo Until last weekend, the web site of security firm McAfee contained several security vulnerabilities that are detailed in an advisory released by the Burmese security lab, YEHG, who discovered the holes.

Problems reportedly included a cross-site scripting (XSS) hole at and a flaw that allowed the source code of various ASP.NET pages to be retrieved. Whether these pages contained sensitive information remains unknown. Occasionally, however, such files can contain valuable information for attackers who are in the process of compromising a server.

Apparently, a JavaScript file at also disclosed host names in McAfee's infrastructure, and the server addresses reportedly still contained the vendor's old name, Network Associates (NAI). In 2004, the vendor's name was changed from NAI back to McAfee. YEGH said that McAfee had already been informed of the issues in February but had failed to respond. Shortly after the advisory was released last weekend, McAfee started to solve the problems. Talking to the US media, McAfee said that the vulnerabilities did not expose any of McAfee's customer, partner or corporate information at any time.

McAfee has already had to fix vulnerabilities in its pages before. In 2009, a particularly embarrassing vulnerability affected McAfee's Secure security portal, which was vulnerable to cross-site request forgeries (CSRF). McAfee Secure is a service that allows customers to check their own site or online store for security holes and for conformity with the PCI DSS standard which is important for credit card transactions.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit