Message-ID: <03fb01c86344$64917780$2db46680$@com>
Date: Wed, 30 Jan 2008 15:31:16 +0200
From: Ofer Shezaf <ofers@...ach.com>
To: "Bugtraq" <bugtraq@...urityfocus.com>
Subject: Recent Web Hacks: WHID update for January 30th 2008
Here is the latest bunch of hacking incidents added to WHID, the Web Hacking
Incident Database (http://www.webappsec.org/projects/whid).
+ A particularly juicy one was an SQL injection at the site of RIAA
(Recording Industry Association of America), one of the most hated
organizations on the planet
(http://www.webappsec.org/projects/whid/byid_id_2008-04.shtml).
+ Yet another state government site (Pennsylvania,
http://www.webappsec.org/projects/whid/byid_id_2008-06.shtml) and another
university (MSU,
http://www.webappsec.org/projects/whid/byid_id_2007-83.shtml) suffered
serious hacking.
+ Hackers are actively exploiting CSRF to hack home ADSL routers in Mexico
(http://www.webappsec.org/projects/whid/byid_id_2008-05.shtml). This
incident also prompted me to write a blog entry about "client side web
hacking" (http://www.xiom.com/?p=12).
+ For a second year in a row Kurt Grutzmacher was able to get a free
MacWorld pass by cracking the conference web site
(http://www.webappsec.org/projects/whid/byid_id_2008-07.shtml).
+ And lastly, the FTC settles with retailer "life is good" over lack of
reasonable and appropriate security, forcing the retailer to spend much more
money on info sec
(http://www.webappsec.org/projects/whid/byid_id_2008-03.shtml).
~ Ofer
Ofer Shezaf
Work: ofers@...ach.com, +972-9-9560036 #212
Personal: ofer@...zaf.com, +972-54-4431119
VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project