
Vulnerabilities Revealed on ESET-regulated Websites

According to reports, attacks by hackers on websites run by security company ESET continue to rise, as these websites are vulnerable to SQL injection and XSS (cross-site scripting) attacks.

A computer hacker who calls himself Methodman and is associated with Team Elite, a group of security enthusiasts, has published proof-of-concept exploit code against https://secure.eset.co.uk, http://www.virus-radar.com and http://www.eset.com.tw. The documented vulnerabilities could allow session cookie theft, phishing, malware distribution and other attacks.

The hacking team disclosed the loopholes on ESET's co.uk and com.tw sites on February 22, 2009. Methodman contacted ESET the following day, immediately after he learned of the flaws.

The reports said that the XSS flaws affecting the Taiwanese site could be exploited to trigger arbitrary alert dialogs, owing to improper input sanitization in a particular type of search. This could be used to mount attacks based on social-engineering techniques.

The SQL injection vulnerabilities affecting the UK site, by contrast, could be exploited over HTTPS.

In the third case, improper input sanitization in a search form on the virus-radar.com site (used to publish figures on e-mail attacks, such as cookie compromises) could be exploited for unauthorized redirections. The loophole could also be exploited to insert malicious iframes carrying malicious code or other malware.
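The two classes of flaw the article describes, a search term reflected into the page without encoding (the Taiwanese and virus-radar.com search forms) and a search term spliced into a database query (the UK site), usually come from the same handler pattern. The following is an added example, not code from ESET or from the article, showing a minimal search handler in its vulnerable form beside its hardened form; the `articles` table, its rows and the `public` column are constructed sample data, and the standard-library `sqlite3` and `html` modules stand in for whatever database and template layer a real site uses.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data standing in for a site's searchable content.

    The `public` column marks rows a search must never return (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO articles (title, public) VALUES (?, ?)",
        [
            ("ESET NOD32 release notes", 1),
            ("Virus Radar weekly statistics", 1),
            ("Internal draft: unreleased pricing", 0),
        ],
    )
    return conn


def search_unsafe(conn, term):
    """The handler pattern behind both flaws in the article.

    The term is pasted into the SQL text, so quote characters in it change the
    query itself (SQL injection), and it is reflected into the HTML unencoded,
    so any markup in it is rendered, and any script executed, by the visitor's
    browser (reflected XSS)."""
    sql = f"SELECT title FROM articles WHERE public = 1 AND title LIKE '%{term}%' ORDER BY id"
    rows = [r[0] for r in conn.execute(sql)]
    return f"<p>Results for {term}:</p>" + "".join(f"<li>{t}</li>" for t in rows)


def search_safe(conn, term):
    """Hardened form of the same handler.

    A bound parameter keeps the term as data inside the query regardless of
    what characters it contains, and html.escape() encodes it (and the stored
    titles, which may themselves hold markup) so the browser shows them as
    text instead of interpreting them."""
    rows = [
        r[0]
        for r in conn.execute(
            "SELECT title FROM articles WHERE public = 1 AND title LIKE ? ORDER BY id",
            (f"%{term}%",),
        )
    ]
    safe_term = html.escape(term, quote=True)
    return f"<p>Results for {safe_term}:</p>" + "".join(
        f"<li>{html.escape(t, quote=True)}</li>" for t in rows
    )


if __name__ == "__main__":
    conn = make_db()
    # A benign term, a term containing markup, and a term containing a quote:
    # only the hardened handler treats all three as plain search text.
    for term in ("Radar", "<b>bold</b>", "O'Reilly"):
        print("unsafe:", search_unsafe(conn, term) if "'" not in term else "query error")
        print("safe:  ", search_safe(conn, term))
```

The check worth carrying over to a real site is the one `search_safe` makes implicit: user input crosses two trust boundaries here, into the query and into the page, and each boundary needs its own encoding (parameter binding for SQL, HTML entity encoding for the page), applied at the point of use rather than by a single "sanitization" pass on the way in. Note that `%` and `_` in the term still act as `LIKE` wildcards in the hardened version; that affects which rows match, not which rows are allowed, and can be closed with an `ESCAPE` clause if exact matching matters.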

Christopher Dale, Public Relations Manager at ESET, states that the company's staff acted fast and patched the vulnerabilities. He noted that attacks of this kind are received frequently and get the utmost attention of security staff, as reported by SOFTPEDIA on February 28, 2009.

Moreover, Dale assured that ESET had verified that its client data was stored separately and was not at any risk of compromise.

Meanwhile, in a similar instance, Methodman recently published XSS flaws in Kaspersky Labs' website as well. The hacker most likely took his inspiration to target antivirus companies from HackersBlog, a group that describes itself as ethical hackers and which revealed various SQL injection flaws in websites belonging to the security vendors Symantec, F-Secure, Kaspersky and BitDefender.

Related article: Vulnerabilities in Web Applications Invite Hackers’ Activities

» SPAMfighter News - 3/7/2009
