What’s HOT in Application Security Vol #16

WHMCS still vulnerable after latest string of attacks

WHMCS, a UK supplier of technical support and customer service, is yet again the victim of a DDoS attack, due to its failure to fix an already known SQL injection vulnerability.

The embarrassment continued for the company in the days that followed, when a hacker auctioned the rights to abuse the weakness on an underground forum.

A notice came after the latest patch release, in which WHMCS claim that they were notified of the vulnerability by an “ethical programmer”:

“Within the past few hours, an ethical programmer disclosed to us details of an SQL Injection Vulnerability present in current WHMCS releases.
The potential of this is lessened if you have followed the further security steps, but not entirely avoided.
And so we are releasing an immediate patch before the details become widely known.
Installing the patch is simply a case of uploading a single file to your root WHMCS directory. This one file works for all WHMCS versions V4.0 or Later.
The events of last week have obviously put a lot of focus on WHMCS in recent days from undesirable people. But please rest assured that we take security very seriously in the software we produce, and will never knowingly leave our users at risk. And on that note if any further issues come to light, we will not hesitate to release patches for them – as we hope our past history demonstrates.”

Strong words from WHMCS, who are undoubtedly troubled by recent events.

For more information please go to:
http://www.theregister.co.uk/2012/06/01/whmcs_ddos_follows_patching/

Cloud Security, the saga continues…

The use of cloud computing to deliver business-critical applications to employees is becoming ever more popular. Relying on the cloud for enterprise applications has several advantages: supporters claim that cloud-based mobile application delivery models can be more sophisticated than traditional enterprise applications. Cloud computing can also offer better security, since sensitive data can be stored on the cloud platform so that employees don’t have to keep the information on their own devices in order to access it. Companies can further reduce exposure by using mobile device management (MDM) software.

Has LinkedIn finally learned from its mistakes?

LinkedIn has been quick to announce new developments in its security capabilities after the recent embarrassment in which many thousands of users’ passwords were compromised.

According to its security experts, the company has been ‘working round the clock’ since it was made aware of the compromised passwords, and has come up with a solution to safeguard its users’ passwords.

The solution? The technology team at LinkedIn finally finished a long-awaited transition from a regular password database system that only hashes the passwords to a system that combines hashing with per-password salting, going a step further in protecting users’ passwords.
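To make the difference between the two schemes concrete, here is an added example (not code from the article or from LinkedIn) that contrasts a bare password hash with a salted, iterated one. It assumes PBKDF2-HMAC-SHA256 as the key-derivation function and a 16-byte random salt; the article does not say which algorithm LinkedIn adopted, so that choice is an assumption for illustration only. The sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for the demonstration; two users who happen
# to have chosen the same password.
USER_A_PASSWORD = "correct horse battery staple"
USER_B_PASSWORD = "correct horse battery staple"


def unsalted_hash(password: str) -> str:
    """The 'regular' scheme described in the article: a bare digest of the password.

    Every user with the same password gets the same stored value, so one
    precomputed table of common passwords cracks every matching row at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Hash with a random per-user salt and a slow, iterated KDF.

    PBKDF2-HMAC-SHA256 is assumed here for illustration. The stored record
    carries everything needed to verify later: "iterations$salt_hex$digest_hex".
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for each stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    iter_str, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iter_str)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    """Show why salting matters: identical passwords collide without salt, not with it."""
    plain_a = unsalted_hash(USER_A_PASSWORD)
    plain_b = unsalted_hash(USER_B_PASSWORD)

    salted_a = salted_hash(USER_A_PASSWORD)
    salted_b = salted_hash(USER_B_PASSWORD)

    return {
        "unsalted_collide": plain_a == plain_b,          # True: same hash leaks "same password"
        "salted_collide": salted_a == salted_b,          # False: different salts, different records
        "verify_ok": verify_salted(USER_A_PASSWORD, salted_a),
        "verify_wrong": verify_salted("wrong password", salted_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical lesson is visible in the two boolean pairs: with bare hashes, a leaked table reveals which accounts share a password and yields to a single precomputed dictionary; with a per-user salt and an iterated KDF, each record must be attacked separately and each guess costs the full iteration count.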

http://www.ciol.com/Security/Tips-and-Tricks/LinkedIn-hack-and-lessons-for-your-company/163613/0/

Web Applications: Still failing Security Quality Control?

According to a report released this week by an American security company, SQL injection and cross-site scripting remain the two most abused vulnerabilities, but the ability to write them has increased.

The report found that more than 89% of applications that failed to achieve security standards were able to pass quality controls within one week, but presumably they could have been fixed in a matter of minutes had the vulnerabilities not been left to the end of development to discover.

For more information please go to:

http://www.scmagazineuk.com/web-applications-continue-to-fail-security-tests-as-xss-and-sql-flaws-remain-a-problem/article/218434/

Eugene schools – District Computer Attacked

The Eugene school district suffered an attack this past week in which information such as names, dates of birth, addresses, phone numbers and, in some cases, Social Security numbers was exposed. Spokeswoman Kerry Delf declined to comment on how someone without authorization could access student files and records, citing confidentiality during the police investigation. However, it appears that someone managed to gain control over the district computer. Superintendent Sheldon Berman said “the district was assessing its information security systems to make certain that we have all appropriate measures in place to ensure students’ personal information is secure.”

Checkmarx