Fair play to McAfee for fixing these issues, giving an accurate description of the issues and crediting me with the discovery. This is probably one of the best customer notifications I have seen from the vendors I have dealt with during my research project.
https://kc.mcafee.com/corporate/index?page=content&id=SB10020
Affected Software: McAfee Email and Web Security 5.x, McAfee Email Gateway 7.0
NGS00153 – Reflected XSS
McAfee Email and Web Security Appliance Software 5.x/ McAfee Email Gateway 7.0 is prone to reflective XSS allowing an attacker to gain session tokens and run arbitrary Javascript in the context of the administrators browser and the McAfee Security Appliance Management Console/Dashboard.
NGS00154 – Logout Failure (I would have called this session-management issues, but whatever)
When an administrator closes the Management console/Dashboard without clicking logout and returns to the Dashboard later, they appear to be logged out, however, this is simply the state of the Javascript in his browser, and the session-token is still be active on the server-side. If an attacker gains a session-cookie (perhaps using XSS, or by some other means), they can make a dummy login attempt (with a dummy password) and simply edit the (failure) response. They will then be logged-in, and can use the Dashboard as if he had logged-in as the administrator.
NGS00155 – Password Reset issue
Any logged-in user can bypass controls to reset passwords of other administrators.
NGS00156 – Session Disclosure
Active session tokens of other users are disclosed within the Dashboard.
NGS00157 – Weak Encryption of Backups
Password hashes can be recovered from a system backup and easily cracked.
NGS00158 – File Download Issue
Arbitrary file download is possible with a crafted URL, when logged in as any user.
NGS00159 – File Content Leakage
File contents disclosure as if root user, when logged in as any user.
Thanks for such a nice information.
ReplyDeleteQUALITY SSN DOB DL HIGH CREDIT SCORES Leads
DeleteCC with CVV Fullz (USA, UK, CANADA)
Tutorials & E-Books For Ethical Hacking
Tools For Everything You Need
I'm On Telegram = @killhacks & I C Q = 752822040
Stuff available for
(Spamming, Carding, Ethical Hacking, LINUX, Programming, Scripting, etc. )
Deals in all kind of Tools, Tutorials, E-books, Leads/Fullz/Pros
Availability 24/7
FASTEST DELIVERY
Build Your Own Business with proper guide & Legit Tools
Always glad to serve
GOOD LUCK
Here I'm:
I C Q = 752822040
Tele-gram = @killhacks
Very Knowledgeable and helpful post..
ReplyDeleteBecause of the trending virus attacks such post would certainly to get the right antivirus support
ReplyDeleteNice Blog!!
ReplyDeleteAt Computer Repair Online, you an fix your PC issues at home. Just visit here at:
Computer Repair Online
Computer Repair Near Me
yurtdışı kargo
ReplyDeleteresimli magnet
instagram takipçi satın al
yurtdışı kargo
sms onay
dijital kartvizit
dijital kartvizit
https://nobetci-eczane.org/
ATP
صيانة بوتاجاز مكة rc6Bp4VnBq
ReplyDeleteتسليك مجاري بالاحساء YEKEqjPLdX
ReplyDelete