Slashdot Mirror

LordNikon writes "According to this CERT advisory: 'Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system.' A proof of concept affecting IIS is already being posted to security mailing lists. Cisco IPS and other IDS products are also affected." The CERT advisory lists 93 systems, with 6 reported as vulnerable (including 3com, Cisco, and Snort), 5 known not vulnerable (including Apple and HP), and the rest unknown.

LordNikon writes "According to this CERT advisory: 'Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system.' A proof of concept affecting IIS is already being posted to security mailing lists. Cisco IPS and other IDS products are also affected." The CERT advisory lists 93 systems, with 6 reported as vulnerable (including 3com, Cisco, and Snort), 5 known not vulnerable (including Apple and HP), and the rest unknown.

QASec.com writes to mention that Stefano Di Paola and Giorgio Fedon discovered an unpatched vulnerability in Adobe Acrobat Reader that can allow an attacker to execute arbitrary JavaScript on any hosted PDF file. People are reporting different results based on browser and Acrobat versions. Most of the major sites discussed have already fixed the problem, but many smaller sites may still need to be patched.

An anonymous reader writes "According to an article at Information Week, 'Web site hacks are on the rise and pose a greater threat than the broad-based network attacks...' Citing statistics from the Web Hacking Incidents Database, 'Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.'"

Security Test writes "Yair Amit posted a message early this morning to The Web Security Mailing List outlining a Cross Site Scripting flaw in Google that allows an attacker to carry out Phishing Attacks."

Security Test writes "Yair Amit posted a message early this morning to The Web Security Mailing List outlining a Cross Site Scripting flaw in Google that allows an attacker to carry out Phishing Attacks."

An anonymous reader writes "For those slashdotters interested in web application security, WASC (Web Application Security Consortium) has created a new mailing list aply named 'The Web Security Mailing List.' The list is open for discussing important topics such as new attacks types and vulnerabilities, software development, solutions, application firewalls, web servers, database security, tools, etc."

An anonymous reader writes "For those slashdotters interested in web application security, WASC (Web Application Security Consortium) has created a new mailing list aply named 'The Web Security Mailing List.' The list is open for discussing important topics such as new attacks types and vulnerabilities, software development, solutions, application firewalls, web servers, database security, tools, etc."

An anonymous reader writes "Take a look at 'The Insecure Indexing Vulnerability - Attacks Against Local Search Engines' by Amit Klein. This is a new article about 'insecure indexing.' It's a good read -- shows you how to find 'invisible files' on a web server and moreover, how to see contents of files you'd usually get a 401/403 response for, using a locally installed search engine that indexes files (not URLs)."

Joe Barr writes "NewsForge [ed. note: part of OSTG along with Slashdot] is running its concluding piece on the week-long Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11? Or how a very large goon known only as Priest prevented outright political violence at a DEFCON presentation on Civil Disobedience? Or which of the two conferences is right for you? It's all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications' document. This document attempts to clarify web security terminology such as Cross Site Scripting, Session Fixation, Cookie poisoning, and HTTP response splitting (to name a few)."

Joe Barr writes "NewsForge [ed. note: part of OSTG along with Slashdot] is running its concluding piece on the week-long Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11? Or how a very large goon known only as Priest prevented outright political violence at a DEFCON presentation on Civil Disobedience? Or which of the two conferences is right for you? It's all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications' document. This document attempts to clarify web security terminology such as Cross Site Scripting, Session Fixation, Cookie poisoning, and HTTP response splitting (to name a few)."