


Update: Vulnerabilities in Websites of 6 Antivirus Vendors



This is an update to our earlier post, Vulnerabilities in Websites of 6 Antivirus Vendors enable Phishing Attacks.

All antivirus vendors except Symantec corrected the problems. Some of them didn't admit that they had a problem, but they all corrected them. From all the companies we notified, we got only 1 response, from Trend Micro:

Rik_Ferguson wrote:
Hi,
This is Rik from Trend Micro. Just wanted to thank you for highlighting this flaw and to let you know that we had it fixed by 00:27 UTC on the 12th May.
Thanks again for bringing it to our attention.
Best,
Rik Ferguson
Trend Micro


According to The Register, Symantec fixed the XSS found by Methodman on their 404 page last month.

The Register wrote:
Symantec said the reported vulnerability on its site was discovered and fixed last month. "Symantec was notified of a reported security vulnerability on a webpage within Symantec's website back in April," a spokeswoman explained. "Upon notification of the potential vulnerability, Symantec immediately conducted comprehensive testing and fixed the vulnerability. Symantec takes the security of its website very seriously and can confirm that no company or customer information was exposed."


The problem is that the website is still vulnerable to exactly the same XSS that they say was fixed last month and that was reported 2 days ago. While it doesn't expose customer information, it exposes visitors to phishing attacks. This is a screenshot made today:

http://img379.imageshack.us/img379/7480/nortonv.jpg

Proof of concept link that loads a parody image from http://encyclopediadramatica.com in their 404 page (IE only): https://www.symantec.com/connect/endpoint-management-virtualization/forums")}}document.write(String.fromCharCode(60, 105,109,103,32,115,114,99,61,34,104, 116,116,112,58,47,47,105,109,97,103,101, 115,46,101,110,99,121,99,108,111,112,101,100,105,97,100, 114,97,109,97,116,105,99,97,46,99,111,109,47,105,109,97,103,101,115,47, 97,47,97,50,47,87,104,101,114,101,105,115,121,111,117,114,110,111, 114,116,111,110,110,111,119,46,106,112,103,34,62))</script>

The problem is a JavaScript snippet that is present in almost all pages on their website. A malformed URL redirects to the 404 page, which still has that script.

Code:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <title>Page not found | Symantec Connect</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<script type="text/javascript">
var cookies = document.cookie.split(';');
for (var i=0; i < cookies.length; i++) {
  var cookie = cookies[i].split('=');
  if (cookie[0].match('li') && cookie[1] == 'T') {
    window.location.replace("https://www-secure.symantec.com/connect/endpoint-management-virtualization/forums%22");
  }
}
</script>


Anything appended to "/forums" is not correctly escaped. Their tests probably failed because only IE unescapes %22's to quotes when the location is replaced by a JavaScript.
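An added example (not part of the original post and not Symantec's code) of the flaw described above next to a fix: a request path placed inside an inline script's string literal, first pasted in as-is, then normalized and escaped. The function names, the `BASE` host and the sample paths are constructed for illustration.

```javascript
// Hypothetical server-side rendering of the redirect script seen in the 404 page.
const BASE = "https://www-secure.example.test"; // constructed host

// Mirrors the flaw: the request path is pasted into a JS string literal as-is,
// so a raw quote in the path ends the string and a "</script>" ends the block.
function renderVulnerable(path) {
  return '<script>window.location.replace("' + BASE + path + '");</script>';
}

// Escape a value for use as a JS string literal inside an HTML <script> block.
// JSON.stringify handles quotes and backslashes; the replacements stop the HTML
// parser from seeing "</script>" or "<!--", and cover U+2028/U+2029.
function jsStringForScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened form: decode once, re-encode each path segment, then escape.
// A raw quote and %22 end up identical, whichever one the browser sent.
function renderHardened(path) {
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch (e) {
    decoded = path; // malformed percent-escape: keep the raw text and encode it
  }
  const safePath = decoded.split("/").map(encodeURIComponent).join("/");
  return "<script>window.location.replace(" +
    jsStringForScript(BASE + safePath) + ");</script>";
}

// Constructed sample paths: the same break-out shape as in the post, with a
// harmless comment in place of any script body.
const SAMPLE_RAW = '/connect/forums")}}/*constructed marker*/</script>';
const SAMPLE_ENCODED = "/connect/forums%22)}}/*constructed marker*/%3C/script%3E";

console.log(renderVulnerable(SAMPLE_RAW));
console.log(renderHardened(SAMPLE_RAW));
console.log(renderHardened(SAMPLE_ENCODED));
```
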


Submitted by Vektor

