Surviving the Week 07/27/2012

CodeIgniter 2.1.1 Cross Site Scripting Bypass

CodeIgniter is an open source web application framework that helps developers write PHP applications. Version 2.1.1 of CodeIgniter suffers from a cross-site scripting (XSS) filter bypass vulnerability.

Filtering alone is not a sound defense against cross-site scripting: blacklist filters get bypassed, as this advisory shows, and the reliable control is context-aware output encoding at the point where untrusted data is written into the page. Cross-site scripting is a very common attack with a high success rate. Test your application with NTOSpider to verify that it is not vulnerable to XSS.

http://packetstormsecurity.org/files/114923/codeigniter-bypass.txt
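To show why a filter on its own is not enough, here is an added example (not code from the original post and not CodeIgniter's own filter) that puts a constructed blacklist-style filter next to context-aware output encoding. The filter, the payloads and the helper names are all assumptions made for this illustration; none of the payloads is the specific string from the advisory.

```python
import html
import re

# A naive blacklist-style filter, constructed for this example (not CodeIgniter's code):
# it strips complete <script>...</script> elements, case-insensitively, and nothing else.
SCRIPT_TAG = re.compile(r"<\s*script[^>]*>.*?<\s*/\s*script\s*>", re.IGNORECASE | re.DOTALL)


def blacklist_filter(untrusted: str) -> str:
    """Remove <script> elements from untrusted input. Everything else passes through."""
    return SCRIPT_TAG.sub("", untrusted)


def encode_for_html_body(untrusted: str) -> str:
    """Defense for the HTML body / quoted-attribute context: every character that
    could start markup or close an attribute becomes an entity."""
    return html.escape(untrusted, quote=True)


def still_has_markup(rendered: str) -> bool:
    """Crude check: does an angle bracket that could open a tag, closing tag or
    comment survive into the rendered output?"""
    return re.search(r"<[A-Za-z/!]", rendered) is not None


# Constructed payloads for the demonstration; none is the string from the advisory.
PAYLOADS = [
    "<script>alert(1)</script>",      # the one case the blacklist handles
    "<ScRiPt>alert(1)</ScRiPt>",      # case variation, also caught (re.IGNORECASE)
    "<img src=x onerror=alert(1)>",   # no <script> tag at all: event handler attribute
    "<svg onload=alert(1)>",          # same idea, different element
    "<script>alert(1)",               # unterminated: the regex needs a closing tag
]


def filter_bypasses() -> list:
    """Payloads that still carry markup after blacklist_filter()."""
    return [p for p in PAYLOADS if still_has_markup(blacklist_filter(p))]


def encoding_bypasses() -> list:
    """Payloads that still carry markup after encode_for_html_body(); expected empty."""
    return [p for p in PAYLOADS if still_has_markup(encode_for_html_body(p))]


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:32} filter -> {blacklist_filter(p)!r:32} encode -> {encode_for_html_body(p)!r}")
    print("blacklist bypasses:", len(filter_bypasses()))
    print("encoding bypasses: ", len(encoding_bypasses()))
```

Three of the five constructed payloads walk straight through the blacklist, while none survives output encoding. The caveat is that the encoding has to match the output context: html.escape is correct for HTML body text and quoted attribute values, but data written into a JavaScript string, a URL or an unquoted attribute needs that context's encoder instead. A filter in front of the application is fine as defense in depth; it is not the control that prevents XSS.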

Drupal Location 6.x / 7.x Access Bypass

Drupal is a free and open-source content management system (CMS) and content management framework (CMF) written in PHP. It is used as a back-end system for at least 2.1% of all websites worldwide, ranging from personal blogs to corporate, political and government sites including whitehouse.gov and data.gov.uk. It is also used for knowledge management and business collaboration. The third-party Location module for Drupal 6.x and 7.x suffers from an access bypass vulnerability.

http://packetstormsecurity.org/files/115014/DRUPAL-SA-CONTRIB-2012-117.txt

Record number of phishing websites in the wild

Is it any surprise that the USA remains the top nation for hosting phishing-based trojans? If this were an Olympic event, we'd get an easy gold! China, meanwhile, continues to be the most affected country. Another gold winner!

http://www.net-security.org/secworld.php?id=13302

SQL injections becoming favored attack route

SQL injection was reported as the attack vector behind the recent compromises at LinkedIn, Yahoo and eHarmony. Cloud hosting company FireHost has published its findings on the attack traffic it blocked for its customers over the past quarter, and it appears that more automated tools are out scanning for lucrative targets vulnerable to SQLi.

http://security.cbronline.com/news/sql-injections-becoming-favoured-attack-route-240712

DEF CON to Host NSA Chief General Alexander – He’s Off Limits for ‘Spot the Fed’

If you were at DEF CON and missed General Alexander's talk, you really missed out. He is a highly engaging speaker. If you were there, post a comment and let us know what you took away from it.

http://www.securityweek.com/def-con-host-nsa-chief-general-alexander-hes-limits-spot-fed


About Dan Kuykendall

Dan Kuykendall is the CTO and Co-CEO at NT OBJECTives. Dan is a founder of NT OBJECTives and has been with the company for more than 10 years. He is responsible for the strategic direction and development of products and services and works closely with technology partners to make sure integrations are both deep and valuable. As a result of Dan's dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques. Dan joined NT OBJECTives from Foundstone, where he was responsible for the portal interface to the company's flagship product, FoundScan. Prior to Foundstone, Dan was the founder of the Information Security team in the United States branches of Fortis. Dan is a regular blogger on web application security issues on ManVsWebApp.com and co-hosts An Information Security Place Podcast. He has presented on the topics of mobile and application security at many of the top security industry conferences, such as ISSA (2011), B-Sides (2012-2013), OWASP AppSecUSA (2012), HouSecCon (2010-2012), ToorCon (2013) and THOTCON (2013). Dan has been involved with the Web Application Security Consortium and is a regular contributor to many open source development projects, including founding the RPM Builder, phpGroupWare and podPress projects.
