Showing 10 results for: March 2012, Application Security

LIKE, omg!

If you read this blog, you might have seen my earlier post regarding my configurable SQL injection testbed, SQLol. It comes with challenges that I've seen some buzz about. In the latest version, there is a challenge involving use of...

[Honeypot Alert] Zen Cart 'admin/sqlpatch.php' SQL Injection Attacks

Our web honeypot sensors picked up attacks aimed at exploiting a Zen Cart SQL Injection vulnerability. The attacks send a POST request to the following URLs:

POST /admin/sqlpatch.php/password_forgotten.php?action=execute
POST /black_market/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /cart/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /product_info.php/products_id/1658/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shop/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /shopping/admin/sqlpatch.php/password_forgotten.php?action=execute
POST /store/admin/sqlpatch.php/password_forgotten.php?action=execute
...
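Every URL in the list above shares one shape: a POST whose path reaches `admin/sqlpatch.php` with trailing PATH_INFO (`/password_forgotten.php`) and `action=execute` in the query string, with the attacker probing common store directory prefixes in front of it. The following detection logic is an added example, not code from the SpiderLabs post or the honeypot project; it parses constructed Common Log Format lines (the IPs, timestamps and status codes are made up) and flags requests that match that shape regardless of the prefix.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (CLF). Not honeypot data from the post;
# the paths are the ones listed in the alert, the hosts and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Mar/2012:10:01:12 +0000] "POST /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 200 512
203.0.113.5 - - [05/Mar/2012:10:01:13 +0000] "POST /shop/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 0
203.0.113.5 - - [05/Mar/2012:10:01:14 +0000] "POST /product_info.php/products_id/1658/admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 200 512
198.51.100.7 - - [05/Mar/2012:10:02:00 +0000] "GET /product_info.php?products_id=1658 HTTP/1.1" 200 8231
198.51.100.7 - - [05/Mar/2012:10:02:05 +0000] "POST /admin/login.php HTTP/1.1" 302 0
198.51.100.9 - - [05/Mar/2012:10:03:00 +0000] "GET /admin/sqlpatch.php HTTP/1.1" 302 0
"""

# Minimal CLF parser: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# sqlpatch.php followed by a slash, i.e. extra PATH_INFO after the script name.
SQLPATCH_PATHINFO_RE = re.compile(r"/admin/sqlpatch\.php/", re.IGNORECASE)


def is_sqlpatch_attack(method, target):
    """Return True when a request has the shape seen in the honeypot alert:
    POST, a path that contains /admin/sqlpatch.php/ plus PATH_INFO (anywhere in
    the path, so /shop/admin/... and /product_info.php/.../admin/... both match),
    and action=execute in the query string."""
    if method != "POST":
        return False
    parts = urlsplit(target)
    if not SQLPATCH_PATHINFO_RE.search(parts.path):
        return False
    actions = [v.lower() for v in parse_qs(parts.query).get("action", [])]
    return "execute" in actions


def scan_log(text):
    """Scan CLF text and return (client_ip, request_target, status) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not well-formed CLF
        if is_sqlpatch_attack(m["method"], m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {status} {target}")
```

Matching on the PATH_INFO form (`sqlpatch.php/`) rather than on the bare script name keeps the plain `GET /admin/sqlpatch.php` line, which is ordinary admin traffic, out of the results; a status of 404 still counts as a hit, since the probe itself is what the honeypot reports.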

[Honeypot Alert] Status Report for February 2012

Monthly Web Honeypot Status Report: We have received a tremendous amount of positive feedback on our web-based honeypot alert blog posts. While we agree that this data is useful for raising awareness of individual attack details, we feel that what...

OWASP Virtual Patching Survey Results

In a previous blog post, we issued a call for assistance to help OWASP with a virtual patching survey. The survey was open for about 2 weeks and had a fair turnout: 44 organizations participated. Here are...

Virtual Patch for Movable Type XSS (CVE-2012-1262)

My SpiderLabs Research colleague Jonathan Claudius recently identified an XSS flaw in the Movable Type application, outlined in Trustwave Security Advisory TWSL2012-003. Here is a quick overview of the issue: After extracting the Movable Type CGI files and...