Date: Mon, 7 Jan 2008 16:09:39 +0200
From: Ofer Shezaf <ofers@...ach.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: New Web Hacking Incidents at WHID


Gearing up for the WHID 2007 annual report, I came across many new
interesting web hacking incidents that I missed this year and added them to
the database (more details at the WHID site at
http://www.webappsec.org/projects/whid):

So what's new at WHID this week?

+ A lot of problems for web hosting companies: In one of them a subsidiary
of British Telecom suffered a major intrusion where someone stole all its
clients' e-mails, used them for spam and planted malware on their sites. All
due to a programming mistake by one of their programmers: WHID 2007-75:
PlusNet blames itself for webmail spamfest
(http://www.webappsec.org/projects/whid/byid_id_2007-75.shtml). Other
hosting incidents: WHID 2007-74: Web host breach may have exposed passwords
for 6,000 clients; WHID 2007-77: HostGator: cPanel Security Hole Exploited
in Mass Hack; WHID 2007-76: A large web hosting firm inflicted by mass
malware installation.

+ The first CSRF entry in WHID, and a really bad one: CSRF in Gmail cost
someone his very successful domain, stolen by a blackmailer (WHID 2007-72:
Gmail CSRF exploited to hijack a domain,
http://www.webappsec.org/projects/whid/byid_id_2007-72.shtml).

+ Our first story from Brazil. It is not new, but the exposure of the
project led someone from Brazil to send it to me. It shows how many stories
we do not discover due to the language barrier: WHID 2007-78: A Brazilian
banking site allows users to view receipts intended for others
(http://www.webappsec.org/projects/whid/byid_id_2007-78.shtml).

+ Among the newly defaced: MSNBC in Turkey (WHID 2007-81) and Vodafone in
India (WHID 2007-80).

If you have more stories, e-mail me!

~ Ofer


Ofer Shezaf
Work: ofers@...ach.com, +972-9-9560036 #212 
Personal: ofer@...zaf.com, +972-54-4431119

VP Security Research, Breach Security
Chair, OWASP Israel 
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project