Release Date: 2009/10/29 Author: Bogdan Calin (bogdan [at] acunetix [dot] com) Severity: Critical Vendor Status: Vendor has released an updated version…
Statistics from 10,000 leaked Hotmail passwords
An anonymous user posted usernames and passwords for over 10,000 Windows Live Hotmail accounts to web site PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list and quickly generated some statistics from these passwords. First, my impression…
SQL injection used in largest data security breach in U.S. history to date
Three men, responsible for the largest data security breach in U.S. history, stole 130 million credit and debit card numbers from five leading companies. They took advantage of a coding error and allegedly used a SQL injection attack to compromise a web application, which was…
2 of SANS’s top 25 most dangerous programming errors led to more than 1.5 million website security breaches in 2008
Earlier this year, a report from the SANS Institute showed that two of the twenty-five most dangerous programming errors led to more than 1.5 million website security breaches in 2008. The report is a joint effort from more than 30 US and international cyber…
Every website is a target; hacktivism
As stated in previous blog posts, hackers don’t just hack websites to steal online databases and credit card details. Hacktivism, where innocent websites are defaced by malicious users to transmit their political views or opinions, is on the increase. In many major world political events,…
U.S. Dept. of Defence publishes attack details of two successful U.S. Army web servers’ breaches
The Department of Defence and other investigators are investigating two U.S. Army web server breaches which were never publicly disclosed. On 19th September 2007 and 26th January 2008, a Turkish hacker group known as “m0sted” successfully probed 2 U.S. Army web servers by running a SQL…
New Acunetix WVS 6.5 sets new standards in web vulnerability scanning
Unique Acunetix WVS vulnerability checks save businesses time, money and embarrassment. London, 20th May 2009 – Acunetix (www.acunetix.com), a pioneer in web application security scanning technology, has announced new ‘file upload forms vulnerability checks’ in version 6.5, an industry first and only Web Vulnerability Scanner…
Implementing a web application firewall is not enough to secure web applications
As demonstrated during an OWASP Europe 2009 presentation, WAFs (web application firewalls) also have vulnerabilities. Sandro Gauci (founder and CSO for EnableSecurity) and Wendel Henrique (member of SpiderLabs) showed how an attacker can easily identify and bypass several well known web application firewalls using XSS…
OpenX 2.6.4 vulnerabilities were identified with Acusensor
If you are making use of OpenX, the following update fixes a number of security flaws that were identified when we made use of Acunetix WVS with the Acusensor technology enabled. We released an advisory detailing these vulnerabilities here. The SQL injection vulnerabilities abuse an INSERT…