Friday, April 20, 2007

Eight in ten major Web sites highly vulnerable to attack

Link to original

April 19, 2007 (PC World) -- Eight out of ten Web sites contain common flaws that can allow attackers to steal customer data, create phishing exploits, or craft a variety of other attacks, a security company reported today.

WhiteHat Security regularly scans hundreds of "very popular, very high-traffic sites" for its online business customers, says Jeremiah Grossman, the company's founder. "More than likely, you have shopped there, or bank there," he says. Thirty percent of scanned sites contain an urgent vulnerability, such as one that allows direct access to a company database with customer information, he says.

Two out of three scanned sites have one or more cross-site scripting (XSS) flaws, which take advantage of problems with sites' programming and are increasingly used in phishing attacks. A recent eBay scam used a now-fixed XSS hole on the auction site to direct anyone who clicked on a phony car auction to a phishing site.

Monday, April 16, 2007

Glitch Gives Woman Access To Others' Turbo Tax Information

Many people use Turbo Tax to help them file their taxes, but one woman discovered an error in the program that could cost users thousands of dollars and their identities. The woman discovered a key to the backdoor of some tax returns filed online through Turbo Tax.

"It's ALWAYS a good idea to input your SSN and bank info into a web app!"


Thursday, April 12, 2007

DVD Security Group Says It Fixed Flaws

http://ibtimes.com/articles/20070409/dvd-security.htm

When will the industry come to understand that this is a losing battle? Rather than make distribution of the media more expensive by trying, futilely, to protect the unprotectable, why not simply lower the price so that reasonable people will just buy the product?


Friday, April 6, 2007

Researcher has new attack for embedded devices

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9015618&taxonomyId=17

It was only a matter of time. The attackers go after our networks, and we protect them with firewalls, IDS/IPS, etc.; they go after our applications, and we firewall, proxy, and securely code them. Now our "little helper" devices have become our enemy. What will be next?

Monday, April 2, 2007

PHP Hash Table Overwrite Arbitrary Code Execution Vulnerability

The session extension does not set the correct reference count value for the session variables, because it does not include the internal pointer from within the session globals. Due to this, unsetting _SESSION and HTTP_SESSION_VARS will destroy the Hashtable containing the session data although the session extension still has an internal pointer to

Upgrade, you PHP people...


Exploiting Microsoft DNS Dynamic Updates for Fun and profit

By default, most Microsoft DNS servers integrated with Active Directory allow insecure dynamic updates for DNS records. This feature allows remote users to create, change and delete DNS records. There are several attack scenarios:

You ARE using Microsoft for your DNS, right? NOT!!!
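Added here, not from the linked article: a PowerShell audit that lists zones on a Windows DNS server still accepting nonsecure dynamic updates, flags recently registered records in those zones, and (with the -Remediate switch, which is this script's own parameter) switches AD-integrated zones to secure-only updates. It assumes the DnsServer module (Windows Server 2012 or later) and rights to manage the server.

```powershell
# Audit Windows DNS zones for insecure dynamic updates (added example).
# -Remediate and -LookbackDays are this script's own parameters, not DnsServer cmdlet options.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Remediate,
    [int]$LookbackDays = 7
)

Import-Module DnsServer -ErrorAction Stop

# Only primary zones take updates; skip auto-created zones such as the loopback reverse zone.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($zone in $zones) {
    $name = $zone.ZoneName
    switch ($zone.DynamicUpdate) {
        'NonsecureAndSecure' {
            Write-Warning "$name accepts unauthenticated dynamic updates (anyone on the network can add, change or delete records)"

            # Dynamically registered records carry a Timestamp; static records do not.
            # In a zone that took nonsecure updates, recent dynamic records deserve a look.
            $since = (Get-Date).AddDays(-$LookbackDays)
            Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $name |
                Where-Object { $_.Timestamp -and $_.Timestamp -gt $since } |
                ForEach-Object {
                    Write-Output ("  {0,-30} {1,-6} {2}" -f $_.HostName, $_.RecordType, $_.Timestamp)
                }

            if ($zone.IsDsIntegrated) {
                # Secure-only updates are available only for AD-integrated zones.
                if ($Remediate) {
                    Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $name -DynamicUpdate Secure
                    Write-Output "$name: DynamicUpdate set to Secure"
                } else {
                    Write-Output "$name: run with -Remediate to set DynamicUpdate to Secure"
                }
            } else {
                # File-backed zones cannot use Secure; either AD-integrate the zone or disable updates.
                Write-Output "$name: file-backed zone; convert to AD-integrated or set DynamicUpdate to None"
            }
        }
        'Secure' { Write-Verbose "$name: secure dynamic updates only" }
        'None'   { Write-Verbose "$name: dynamic updates disabled" }
    }
}
```

Run it read-only first; the record listing is the part to review before flipping any zone, since legitimate clients may also have registered records in the lookback window.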


Microsoft Windows Animated Cursor Handling Vulnerability

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system. Successful exploitation allows execution of arbitrary code.


PHP Insecurity - Register_Globals = off

Summary: When register_globals is activated, the deserialization of the session data can overwrite any global variable, including the _SESSION array. Because of its special implementation this can result in arbitrary code execution.

Affected versions: PHP 4 < 4.4.5 and PHP 5 < 5.2.1
