
 F-Secure.com vulnerable to cross-site scripting

Written by DP

Thursday, 17 June 2010

*UPDATE 18/06/10*

#1 - The issue was quickly corrected, as expected; F-Secure's chief security researcher Mikko responded

#2 - Xylitol tweeted: "Already on the past stats.f-secure.com, http://bit.ly/cAWIAM "Keep up the good work". So stop to say: "It's because he hates this company" and "F-secure is the best security suite, if i've searched a XSS... That is just to say this." (supported by a later tweet: "About my XSS work, all vulnerabilities found will be never a personal story, advisory only.")

The Helsinki-based security vendor F-Secure is vulnerable to cross-site scripting (XSS), according to security researcher "Xylitol". Combining phishing techniques with the exploitation of XSS vulnerabilities could evidently lead to serious breaches. The F-Secure people surely have the essential awareness and strong security defenses to protect against this scenario.

F-Secure.com XSS Mirror

In February 2009, a Romanian cracker (or, as the media would say, a "hacker") from hackersblog.org gained access to a non-critical F-Secure server hosting statistical data for marketing purposes and published the details.

F-Secure has been XSSed, hacked and defaced in the past: 

 

| Time | Notifier | H | M | R | Domain | OS | View |
|---|---|---|---|---|---|---|---|
| 2010/02/23 | HcJ | H | | | www.f-secure.gr | Linux | mirror |
| 2009/12/28 | HcJ | H | M | | ativacao.f-secure.com.br | Linux | mirror |
| 2009/05/02 | S4udi-S3curity-T3rror | H | M | | www.f-secure.rs | FreeBSD | mirror |
| 2009/04/29 | S4udi-S3curity-T3rror | H | M | | www.f-secure.hr | FreeBSD | mirror |
| 2009/04/25 | S4udi-S3curity-T3rror | H | M | | www.f-secure.si | FreeBSD | mirror |
| 2009/04/25 | S4udi-S3curity-T3rror | H | M | | mss.f-secure.si | FreeBSD | mirror |
| 2009/04/25 | S4udi-S3curity-T3rror | H | M | | sola.f-secure.si | FreeBSD | mirror |
| 2009/04/25 | S4udi-S3curity-T3rror | H | | | upr.f-secure.si | FreeBSD | mirror |
| 2009/04/21 | rx5 | H | M | | www.f-secure.co.nz | Linux | mirror |
| 2007/12/16 | BoZKuRTSeRDaR | | | | forum.f-secure.com/down.asp | Win 2003 | mirror |
| 2006/06/06 | Digital-club | | M | | www.f-secure.com.tr/fckeditor | Win 2003 | mirror |

 

Source: Zone-H.org Digital Attacks/Web Defacement Archive


We are sure that F-Secure will remediate this security issue in due time.


 

Related News:

Forbes.com - Security Firm F-Secure Has Flaw in Web Site - 17 Jun 2010 - Daniel Kennedy

Praetorian Prefect - F-Secure XSS on Anti-Theft Website - 17 Jun 2010


        