Template:Application Security News


 * Mar 15 - local IE 7 phishing hole
 * Provides a nice proof of concept with CNN (Link at the bottom). "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users." CNET News also picked this up as a story.


 * Mar 14 - GMail Information Disclosure
 * Only a tiny XSS hole to demonstrate a disclosure proof-of-concept through AJAX/JSON of all contacts you ever mailed. If a domains covers a lot of functionality and users, one XSS can be devastating. Remember the Google Desktop vulnerability. What is frightening is that it took Beni only ~5 minutes to find a XSS hole.


 * Mar 8 - Anurag Agarwal's reflection series
 * Anurag Agarwal maintains an interesting blog on Web Application Security. Recently he started a serie of reflections on people active in this field. Up until now he covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lot's of good pointers to web application research of the last years!


 * Mar 2 - Wordpress (popular blog software) backdoored
 * "Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately."


 * Mar 1 - the Month of PHP Bugs "formerly known as March"
 * "This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core."


 * Feb 26 - Building Secure Applications: Consistent Logging
 * SecurityFocus article, "This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code."


 * Older news...