Dan Weber, a security engineer who found the cross-site request forgery bug, said that only Checkpoint has bothered to fix the hole; all the others have ignored him.
According to darkreading.com, Weber, who works for Calyptix in North Carolina, first found the bug in an application from one of Calyptix's competitors, and decided to see if others suffered from it. He said that within an hour he had written an exploit that opened up remote management on the device if you were logged on to it.
He said that all that was needed was for a malicious site to be open at the same time as the Web interface, and the attacker is home and hosed.
If that does not work, an attacker can also submit a malicious "form" to your device via JavaScript.
Weber found he could run his script to exploit holes in eight security products. Checkpoint, he said, was the only firm that fixed the bug. The seven others he wouldn't name. Many of them couldn't be bothered to get back to him, let alone fix the hole.
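What a server-side fix for this class of bug can look like, as an added example that is not from the article or from any vendor: the management interface refuses state-changing requests unless they originate from its own pages and carry a token bound to the administrator's session. The origin, session ids and form field names below are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical values: constructed for this example, not taken from any product.
ADMIN_ORIGIN = "https://192.0.2.1"      # origin of the device's own admin UI
SERVER_KEY = secrets.token_bytes(32)    # secret that never leaves the device
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id):
    """Token tied to one admin session; embedded only in forms the device serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(value):
    """True only if an Origin or Referer value points at the admin UI itself."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == ADMIN_ORIGIN


def check_request(method, headers, session_id, form):
    """Return (allowed, reason) for a request that arrived with a valid session cookie.

    The cookie alone proves nothing: the browser attaches it to requests
    triggered by any other site the administrator has open.
    """
    if method not in STATE_CHANGING:
        return True, "safe method"  # assumes GET/HEAD handlers never change settings
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not same_origin(source):
        return False, "cross-site or missing Origin/Referer"
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-1"  # constructed session id
    # Constructed requests: a form auto-submitted by another site, then a genuine one.
    forged = check_request("POST", {"Origin": "https://evil.example"}, sid,
                           {"remote_mgmt": "on"})
    genuine = check_request("POST", {"Origin": ADMIN_ORIGIN}, sid,
                            {"remote_mgmt": "on", "csrf_token": issue_csrf_token(sid)})
    print("forged :", forged)
    print("genuine:", genuine)
```

Rejections from `check_request` are also worth logging, since a burst of cross-site POSTs against an admin session is a useful detection signal.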