[ISN] Attention Symantec: there's a bug crawling on your website

From: InfoSec News (alertsinfosecnews.org)
Date: Thu Apr 16 2009 - 00:09:15 CDT


http://www.theregister.co.uk/2009/04/15/symantec_xss_bugs/

By Dan Goodin in San Francisco
The Register
15th April 2009

Symantec has been outed for hosting gaping security holes on its website
that could allow miscreants to remotely execute malicious code on the
computers of people who visit it.

The XSS, or cross-site scripting, bugs allow attackers to steal the web
cookies Symantec sets on visitors' hard drives. Such cookies are
frequently used to prove a visitor has already entered a valid password,
so the ability to lift the file could be a non-trivial lapse of
Symantec's security.

Other exploits showed it was possible to inject images from third-party
websites such as imageshack.us. They were documented by a hacking
collective that calls itself t3am3lite. Less-charitable hackers could
exploit the hole to inject JavaScript or other types of code that
exploits unpatched vulnerabilities or carries out other malicious acts.

It's the latest example of a large company or organization that should
know better succumbing to garden-variety web bugs that put their users
at risk. Along with SQL injections and CSRFs, or cross-site request
forgeries, XSS attacks leave end-users open to malware and phishing
attacks while visiting trusted websites.

[...]
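The two bug classes the article describes, reflected markup injection (the third-party image case) and cookie theft through injected script, side by side with the defender's fixes. This is an added illustration, not code from Symantec's site or from t3am3lite; the page template, the probe strings and the cookie name are constructed for the example.

```python
from html import escape

# Constructed probe inputs modelled on the article: an image tag pointing at a
# third-party host and a harmless script tag. Hypothetical values only.
PROBE_IMAGE = '<img src="http://imageshack.example/x.png">'
PROBE_SCRIPT = '<script>alert(1)</script>'

# Minimal page template standing in for a site search results page.
PAGE = '<html><body><h1>Search results for: {q}</h1></body></html>'

def render_vulnerable(query: str) -> str:
    """The bug class described: the query is copied into the page verbatim,
    so any tag in it is served as the site's own markup."""
    return PAGE.format(q=query)

def render_hardened(query: str) -> str:
    """Output encoding for an HTML body context: '<', '>', '&' and both quote
    characters become entities, so the browser renders text, not tags."""
    return PAGE.format(q=escape(query, quote=True))

def reflects_unescaped(html: str, probe: str) -> bool:
    """Response check for QA: does the probe come back byte-for-byte, i.e.
    would a browser parse it as markup?"""
    return probe in html

def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value for a login cookie. HttpOnly keeps document.cookie
    from exposing it to injected script; Secure keeps it off plain HTTP;
    SameSite=Lax limits cross-site reuse (the CSRF case the article names)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"

def cookie_is_hardened(set_cookie: str) -> bool:
    """Audit check on a Set-Cookie header: HttpOnly and Secure both present.
    Attribute names are compared case-insensitively, as RFC 6265 allows."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return {"httponly", "secure"} <= attrs

if __name__ == "__main__":
    for probe in (PROBE_IMAGE, PROBE_SCRIPT):
        print("vulnerable reflects probe:", reflects_unescaped(render_vulnerable(probe), probe))
        print("hardened reflects probe:  ", reflects_unescaped(render_hardened(probe), probe))
    print("login cookie hardened:", cookie_is_hardened(session_cookie_header("session", "abc123")))
```

HttpOnly blocks only the cookie read the article describes; script that still runs in the page can make requests that carry the cookie, so the encoding in render_hardened is the actual fix and the cookie flags are defence in depth.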
