Security firms ignore CSRF holes in their products

Bovvered

By Nick Farrell

Fri Jun 29 2007, 09:37

A BUG IN AS MANY AS EIGHT web security products that can easily be exploited is largely being ignored by their vendors.

Dan Weber, a security engineer who found the cross-site request forgery bug, said that only Checkpoint has bothered to fix the hole, all the others have ignored him.

According to darkreading.com, Weber, who works for Calyptix in North Carolina, first found the bug in one of Calyptix's competitor's applications, and decided to see if others suffered. He said that within an hour, he had an exploit written that if you logged onto that device, it opened up remote management on the machine.

He said that all that was needed was for a malicious site to be open at the same time the Web interface is, and the attacker is home and hosed.

If that does not work an attacker can also submit a malicious "form" to your device via JavaScript.

Weber found he could run his script to exploit holes in eight security products. Checkpoint, he said, was the only firm that fixed the bug. The seven others he wouldn't name. Many of them couldn't be bothered to get back to him let alone fix the hole µ

Facebook shuts off its porn spam flood Normal service has resumed Wednesday, 16 November 2011, 12:54 PM Read more	Newly patched Safari flaws pose serious risks A proof-of-concept remote code execution exploit is available Thursday, 13 October 2011, 11:26 AM Read more
Adobe patches critical vulnerabilities in Flash Player Attacks are already seen in the wild Thursday, 22 September 2011, 10:06 AM Read more	McAfee warns of security holes in car computer systems Safety of drivers is threatened by car hacking Wednesday, 7 September 2011, 13:21 PM Read more
Microsoft fixes Pwn2own Internet Explorer hole Along with 63 other software vulnerablities Wednesday, 13 April 2011, 11:14 AM Read more	Facebook patches automatic wall posting XSS worm Targeted smartphones, spread like wildfire Wednesday, 30 March 2011, 13:51 PM Read more

< Previous article| Next article >

Comments

There are no comments submitted yet. Do you have an interesting opinion? Then be the first to post a comment.

INQ White papers

Databases

Network management

Security

Service oriented architecture

Storage

INQ Jobs

Trade floor Support Analys

Service Desk Analyst 1st / ...

INQ Poll

Authorities in several countries raided Megaupload recently, shut down all of its services, seized hundreds of servers and arrested several of its executives on criminal charges.

Do you think the move was justified?

Yes, companies should suffer an immediate death penalty upon being accused of copyright infringement.

Yes, the coppers said the company was breaking the law so it must be guilty.

No, the company and the people accused are innocent until proven guilty.

No, the company had millions of customers who have been harmed by having access to their data files cut off.

I don't care, I never used Megaupload anyway.

View other polls

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093

SEARCH :

Site Credentials:

Business & Technology websites:

Business research resources:

Products:

Investment Market IT websites:

Find out what you are worth:

Salary Calculator

Search for a job:

Recruitment Agency A-Z Directory

Accreditations:

Digital Publisher of the Year 2010

Security firms ignore CSRF holes in their products

Share this:

RIM Playbook OS 2.0 and Blackberry 7.1 video demo

Nokia Lumia 710 video review