Following are the latest additions to the Web Hacking Incidents Database (WHID), a Web Application Security Consortium project. For further information about the incidents, including references to further information about each incident, refer to WHID's site at http://www.webappsec.org/projects/whid/
WHID 2007-48: MSU investigating hacking incident
Reported: 17 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Information including birth date and social security number of 1400 students who enrolled online at Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.
WHID 2007-47: Commerce Bank, a US regional bank, hacked
Reported: 12 October 2007
Occurred: 10 October 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection
3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in the central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. Therefore the record is uncertain and, based on further information, it might be withdrawn.
WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months
Reported: 11 October 2007
Occurred: 02 October 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization
Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.
WHID 2007-45: XSS flaw makes PM say: "I want to suck your blood"
Reported: 10 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting
Using XSS on the sites of both major Australian political parties, a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"
WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out
Reported: 10 October 2007
Occurred: 06 October 2007
Incident Type: Security Breach
WASC Threat Classification: Other
A hacker exploited a leftover admin function on eBay to block users and close sales.
---
About WHID: The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents.
The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database to targeted attacks only. Please refer to the FAQ for further information on what you will find and what you will not find in WHID.
WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. WHID has been featured in Information Week and Slashdot.
Ofer Shezaf
ofers breach.com, Phone: +972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security;
Chair, OWASP Israel;
Leader, ModSecurity Core Rule Set Project;
Leader, WASC Web Hacking Incidents Database Project