An update of phpBB has been released to address new security holes in the open source application. The disclosure comes on the heels of several recent security incidents involving phpBB, which is among the web's most popular web forum programs.
"One of the potential exploits addressed in this release could be serious in certain situations and thus we urge all users to upgrade to this release as soon as possible," the phpBB Group said in its advisory. The security fixes address multiple bugs that disclose the full path to system files in phpBB, which is powered by the PHP server-side scripting language. A vulnerability reported by iDefense could, under some configurations, allow malicious users to view system files.(more...)
The Mozilla development team said today that it will disable a browser feature that allows URL spoofing and could leave users open to scams. Upcoming releases of the Firefox and Mozilla browsers will turn off support for Internationalized Domain Names (IDN) by default to protect users from the spoofing, which works in current versions of Firefox, Mozilla, Opera and the Safari browser for Macs. The affected browsers support IDN, while Microsoft's Internet Explorer does not.
The spoof exploits flaws in how the browsers interpret Unicode, a broad character set used in IDN that allows URLs to include non-English characters. Unicode can be used to craft "homographic" attacks, in which two different combinations of characters in an HTML link can display the same URL in the browser, but send users to different sites. URL spoofing exploits are useful to Internet phishing scams, making it easier to trick victims into sharing sensitive information with bogus web sites constructed by fraudsters.(more...)
The web site of anti-spyware activist Ben Edelman is back online after an extended outage, apparently caused by a distributed denial of service (DDoS) attack. Edelman's research documents the methods used to install adware and spyware programs, and has been used in legal cases against providers of advertising software.
"For much of Monday and Tuesday, as well as several hours last week, all of benedelman.org was unreachable," Edelman writes. "My prior web host, Globat, tells me I was the target of the biggest DDoS attack they've ever suffered - some 600MB+/second."(more...)
The server hosting the main site for the phpBB bulletin board has been cracked, leaving the development team locked out of its primary server. The open source project's web site was compromised using a vulnerability in a separate program, AWStats, which was announced Jan. 17 and has also been used to hack several popular weblogs in recent days.
The phpBB.com site blamed the intrusion on "a group of politically motivated hackers" wishing to publicize an agenda. "While the group who did this say they changed only a single password, we have lost all access to the server," the phpBB.com team states. "This means we cannot access the system even in single user mode." The compromised server is being shipped from the project's data center to its server manager, meaning the site is unlikely to be restored immediately.(more...)
All non-Microsoft browsers include a flaw that allows URL spoofing using Unicode characters, which can be exploited by phishing scams seeking to steal login information for online banking accounts. The spoofing flaw, which is demonstrated on the web site of the Shmoo Group, works in the Firefox, Mozilla and Opera browsers, as well as the Safari browser for Macs.
The spoof exploits flaws in how the browsers interpret Unicode characters. A link using Unicode characters to replace the letter "a" in "Paypal" will display as www.paypal.com in the browser, but send users to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.(more...)
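The homograph mechanism described in the two IDN items above, as an added example that is not part of the original Netcraft post or the Shmoo Group demonstration: it converts a hostname to the Punycode (xn--) form the resolver actually looks up, decodes it back to the string a browser displays, and applies the mixed-script heuristic (Latin and Cyrillic letters in one label) that browsers later used to decide when to show the raw xn-- form instead. Python's standard-library idna codec is used; the sample hostnames are constructed for the demonstration.

```python
import unicodedata

# Constructed sample hostnames: the second uses Cyrillic "а" (U+0430) in place
# of the Latin "a", the substitution described on the page.
SAMPLE_HOSTS = [
    "www.paypal.com",
    "www.p\u0430ypal.com",
]


def to_ascii(host: str) -> str:
    """Return the DNS form (Punycode labels with the xn-- prefix) that is resolved."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Decode an xn-- hostname back to the Unicode string a browser would display."""
    return host.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of each
    character's Unicode name (a heuristic, e.g. LATIN, CYRILLIC, GREEK)."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens belong to no script
        if ch.isascii():
            scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_suspicious(host: str) -> bool:
    """True if any label mixes scripts, the pattern behind the paypal spoof."""
    return any(len(label_scripts(label)) > 1 for label in host.split("."))


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"displayed: {host:20} resolved: {to_ascii(host):26} "
              f"mixed-script: {is_suspicious(host)}")
```

A display layer that falls back to the xn-- form whenever `is_suspicious` is true shows the user `www.xn--pypal-4ve.com` rather than a string indistinguishable from `www.paypal.com`.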
Several UK betting sites have experienced lengthy outages today as betting action mounts ahead of Sunday's Super Bowl. The simultaneous downtime at UK Betting and TotalBet was preceded by a similar period of slowed response time early Friday.
(UPDATE, Feb. 8: In our initial post we indicated that UKBetting and TotalBet are hosted at Prolexic, which specializes in defending against distributed denial of service (DDoS) attacks. Prolexic hosts IP addresses for UKBetting and TotalBet, but does not host customer servers or web files. Its systems deflect DDoS attacks, forwarding legitimate traffic to clients' servers. "Our network operated at 100% uptime during the entire Super Bowl week including the entire time during the reported Totalbet/UK Betting failure," said Prolexic CTO Barrett Lyon, who said the outage was caused by technical failures elsewhere, and not related to a DDoS attack.)
Betting sites are frequent targets of extortion scams that threaten a site operator with DDoS attacks unless a payoff is made; the threats gain leverage when timed to heavy betting events, when downtime is most costly. It is estimated that online betting sites will handle at least $450 million in wagers on Sunday's game between the New England Patriots and Philadelphia Eagles.
Netcraft is monitoring the performance of twenty leading UK Internet Gambling Sites, with dynamically updating graphs available here.(more...)