Following are the latest additions to the Web Hacking Incidents Database (WHID), a Web Application Security Consortium project. For further information about the incidents, including references to further information about each incident, refer to WHID's site at http://www.webappsec.org/projects/whid/

WHID 2007-48: MSU investigating hacking incident
Reported: 17 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Information, including birth dates and social security numbers, of 1400 students who enrolled online at Montana State University has been stolen by hackers. While no technical explanation is provided, the fact that only students who enrolled online were affected points to a web site breach.

WHID 2007-47: Commerce Bank, a US regional bank, hacked
Reported: 12 October 2007
Occurred: 10 October 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

3,000 records were exposed and 20 actually stolen at Commerce Bank, a small bank in the central USA. While the vulnerability exploited is not clear, SQL injection was mentioned. The record is therefore uncertain and, based on further information, it might be withdrawn.

WHID 2007-46: School Web site breached? Personal info of Pembroke workers, volunteers accessible for months
Reported: 11 October 2007
Occurred: 02 October 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.

WHID 2007-45: XSS flaw makes PM say: "I want to suck your blood"
Reported: 10 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting

Using XSS on the sites of both major Australian political parties, a security researcher nicknamed Bsoric caused the Liberal Party's Web site to read: "John Howard says: I want to suck your blood", while another script caused a window to pop up on the Labor Party's Web site, urging viewers to "Vote Liberal!"

WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out
Reported: 10 October 2007
Occurred: 06 October 2007
Incident Type: Security Breach
WASC Threat Classification: Other

A hacker exploited a leftover admin function on eBay to block users and close sales.

---

About WHID:

The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database to targeted attacks only. Please refer to the FAQ for further information on what you will find and what you will not find in WHID.

WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. WHID has been featured in Information Week and Slashdot.

Ofer Shezaf
ofers@breach.com, Phone: +972-9-9560036 #212, Cell: +972-54-4431119
CTO, Breach Security; Chair, OWASP Israel; Leader, ModSecurity Core Rule Set Project; Leader, WASC Web Hacking Incidents Database Project