AppliCure's dotDefender version 4.0 had a security flaw in the log viewing feature of the administrative interface. We just published an advisory for this vulnerability. Here's the interesting part:
"The log viewer facility in dotDefender does not properly htmlencode user supplied input. This leads to a cross site scripting vulnerability when the log viewer displays HTTP headers."
The following video shows how an attacker can make use of cross site scripting to get the system administrator to automatically switch off dotDefender. This effectively disables the WAF, leaving the web application exposed to any attacks that said WAF was supposed to protect against.
Video demo: http://vimeo.com/12132622
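The missing output encoding that the advisory describes, shown as an added example that is not taken from the advisory or from dotDefender's code: one log viewer row rendered with and without HTML-encoding of the logged HTTP headers, then parsed to see what a browser would treat as markup. The log entry layout, function names and sample entries are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample entries (not real dotDefender log data). Header names and
# values come straight from the logged HTTP request, so the client controls them.
SAMPLE_LOG = [
    {"src_ip": "192.0.2.10", "rule": "SQL Injection",
     "headers": {"User-Agent": "Mozilla/5.0",
                 "Referer": "http://example.test/"}},
    {"src_ip": "192.0.2.66", "rule": "SQL Injection",
     "headers": {"User-Agent": "<script>alert(1)</script>",
                 "Referer": 'http://example.test/?a=1&b="x"'}},
]

def render_row(entry, enc):
    """Build one table row of a hypothetical log viewer, passing every field through enc."""
    cells = "".join(f"<li>{enc(name)}: {enc(value)}</li>"
                    for name, value in entry["headers"].items())
    return (f"<tr><td>{enc(entry['src_ip'])}</td><td>{enc(entry['rule'])}</td>"
            f"<td><ul>{cells}</ul></td></tr>")

def render_row_unsafe(entry):
    """The flawed pattern: logged fields are written into the page verbatim."""
    return render_row(entry, str)

def render_row_safe(entry):
    """Every logged field is HTML-encoded at output time, header names included."""
    return render_row(entry, lambda s: html.escape(str(s), quote=True))

class _Collector(HTMLParser):
    """Records which elements and which text a parser sees in a fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def parsed(fragment):
    """Return (element names, visible text) for an HTML fragment."""
    p = _Collector()
    p.feed(fragment)
    p.close()
    return p.tags, "".join(p.text)

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for render in (render_row_unsafe, render_row_safe):
            print(render.__name__, parsed(render(entry))[0])
```

With encoding applied, the second entry's header is shown to the administrator as literal text and the row contains only the viewer's own elements; without it, the row gains a `script` element that runs in the administrator's session.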
But doesn't the attacker need to reach the administrator interface?