PayPal XSS Exploit available for two years?

The cross-site scripting (XSS) vulnerability, which was harnessed by fraudsters to execute a convincing phishing attack against PayPal users, may have been exploitable for two years previously.


Despite the prompt action taken by PayPal to address the security flaw after Netcraft reported it last month, it has become apparent that the very same flaw had been discovered and documented two years earlier. The page, cached by the Wayback Machine, describes a cross-site scripting attack affecting the donation pages of suspended users, and that is exactly the method exploited by the phishing attack in June 2006.

Chris Marlow tried to warn PayPal about the flaw in June 2004, but claims the PayPal representative he spoke to did not understand what cross-site scripting was, and - due to company policy - was unable to provide an email address to allow a proof-of-concept exploit to be demonstrated. Frustrated at being unable to convey the seriousness of the issue, Mr Marlow then posted details about the exploit to his web site but did not receive any response from PayPal.

PayPal fixed the flaw after Netcraft published reports of the phishing attack. A PayPal spokesman initially said that the company did not know how many people had fallen victim to the scam. However, because the fraud was carried out through PayPal's own web site, the requests carrying the injected script passed through PayPal's own web servers; analysis of the server logs, if retained, would have allowed PayPal to identify the users at risk and take appropriate action.


Netcraft offers a Web Application Security Testing service, which can discover a number of security flaws, including cross-site scripting vulnerabilities like these.

Fraudsters Attack Two-Factor Authentication

An ongoing phishing attack against Citibank is using man-in-the-middle tactics against two-factor authentication to gain access to online banking accounts.

The second authentication factor used by Citibank is a security token, a physical device in the account holder's possession, which generates a one-time password that remains valid for approximately one minute. A one-time password captured by a keylogging trojan is of little use to an attacker: once the victim has used it, it is spent, and within a minute the token has moved on to a new code, so the captured value cannot be used to access the victim's account at a later date.

However, if the victim can be tricked into entering their username, password and current token code into a form on the phishing site, the attacker's server can relay those credentials to the real Citibank site within the code's validity window. Effectively, the attacker logs in on behalf of the victim, and the token offers no protection against this.


Guidance issued by the Federal Financial Institutions Examination Council (FFIEC) has called for banks to provide additional protection for high-risk transactions, such as those that involve moving funds or accessing sensitive customer information, but it is now clear that fraudsters are already making efforts to bypass the protection features being added by banks.
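The relay described above, worked through as an added example (this is not Netcraft's or Citibank's code, and the article does not describe Citibank's token internally): the token is modelled as an HOTP-style HMAC-SHA1 code over a 60-second time step, which is an assumption standing in for "valid for approximately one minute", and the user name, password, token seed and timestamps are constructed for the demonstration. The first two scenarios show why a keylogged code fails but a real-time relay succeeds. The third goes beyond the article and shows one shape the "additional protection for high-risk transactions" could take: a second code bound to the payee and amount, which a relayed session cannot reuse for a different payee.

```python
"""Added example: keylogged one-time password vs. real-time relay.

Token model, seed, accounts and timestamps are constructed for illustration."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the token code stays valid for about one minute


def token_code(seed: bytes, now: int, context: bytes = b"") -> str:
    """Six-digit HOTP-style code for the time step containing `now`.

    `context` is empty for plain login codes; transfer() feeds the payee and
    amount into it so that a code authorises one specific transaction only."""
    step = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", step) + context, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (value % 1_000_000)


class Bank:
    """Toy online-banking back end: password plus hardware-token code."""

    def __init__(self, accounts):
        self.accounts = accounts      # user -> (password, token seed)
        self.used_codes = set()       # (user, code) pairs already accepted

    def login(self, user, password, code, now):
        if user not in self.accounts:
            return False
        pwd, seed = self.accounts[user]
        if password != pwd:
            return False
        if code != token_code(seed, now):       # wrong or expired step
            return False
        if (user, code) in self.used_codes:     # genuinely one-time
            return False
        self.used_codes.add((user, code))
        return True

    def transfer(self, user, payee, amount, code, now):
        """Extension: a separate code bound to payee and amount (assumed design)."""
        _, seed = self.accounts[user]
        return code == token_code(seed, now, f"{payee}:{amount}".encode())


# Constructed account; a real token holds a per-device seed.
ACCOUNTS = {"alice": ("correct horse", b"constructed-seed-for-alice")}


def keylogger_replay():
    """Victim logs in at t=1000; a trojan captures the code; attacker replays it."""
    bank = Bank(ACCOUNTS)
    t = 1000
    code = token_code(ACCOUNTS["alice"][1], t)
    victim_ok = bank.login("alice", "correct horse", code, t)
    reuse_same_step = bank.login("alice", "correct horse", code, t + 5)    # spent
    reuse_later = bank.login("alice", "correct horse", code, t + 120)      # expired
    return victim_ok, reuse_same_step, reuse_later


def realtime_relay():
    """Victim types the code into the phishing form at t=2000; the phishing
    site forwards it to the real bank a second later, before the victim has
    used it anywhere else. The bank cannot tell the relay from the victim."""
    bank = Bank(ACCOUNTS)
    t = 2000
    code = token_code(ACCOUNTS["alice"][1], t)   # what the victim typed
    return bank.login("alice", "correct horse", code, t + 1)


def relay_against_bound_transfer():
    """A relayed session tries to reuse a transfer code for a different payee."""
    bank = Bank(ACCOUNTS)
    t = 3000
    seed = ACCOUNTS["alice"][1]
    victim_code = token_code(seed, t, b"landlord:500")   # victim authorised this
    legit = bank.transfer("alice", "landlord", 500, victim_code, t + 1)
    hijacked = bank.transfer("alice", "mule-account", 500, victim_code, t + 1)
    return legit, hijacked
```

The point of the first two functions is that replay protection (one use, short validity) is exactly what a time-based token provides, and that it is irrelevant when the attacker is a live proxy rather than a later replayer. The third function only helps because the token computes the code over details the victim enters into the device; if the phishing site can simply ask the victim for a transfer code as well, the design has to make the bound details visible on the token, not on the attacker's web page.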

The Netcraft Toolbar community has to date reported 35 sites that have used this method to attack Citibank customers. All of the reported sites have used Russian country-code top level domains (.ru), although the hosting location varies from site to site.

Netcraft offers a comprehensive range of phishing protection services, including Phishing, Identity Theft and Bank Fraud Detection, and a Phishing Site Feed, which offers realtime protection against new phishing attacks as soon as they are reported. Netcraft's Phishing Site Countermeasures service can be used to 'take down' fraudulent sites that are actively engaged in phishing attacks.

New CEO Mulls Future Path for The Planet/ EV1Servers

Doug Erwin has a big job ahead of him. As the new CEO of The Planet and EV1Servers, Erwin must blend the operations of the world's two largest dedicated server providers and position the new entity to compete in a rapidly-evolving sector of the hosting industry. But Erwin, an IT industry veteran, is used to large challenges. And GI Partners, the new owner of The Planet and EV1Servers, has plenty of ambition and a track record of building big.

The two Texas-based companies, which were acquired by GI Partners in early May, are plenty big already. The Planet and EV1Servers have more than 2.7 million hostnames between them, and between Dallas and Houston operate seven data centers and 370,000 square feet of web hosting space.

Customers of both companies are eager to hear what changes lie ahead. As he settled into his new position last week, Erwin said they'll need to wait a little longer. "In the next 30 days I'm going to put together the new management team, and I've committed to everyone that in the 30 days they'll know where their job is," said Erwin. "Within 90 days from today I intend to have our strategy completed. We don't even have a name for the company yet," he added, saying that all options remained on the table, including choosing between the two brands or adopting an entirely new name.


IPowerWeb Most Reliable Hoster in June

Ranking by Failed Requests and Connection time,
June 1st - 30th 2006


iPowerWeb had the most reliable hosting company site in June, followed closely by Hostway, as budget hosts continue to demonstrate that their networks can compete with those of high-end managed hosting providers.

iPowerWeb's shared hosting accounts start at $7.95 a month for packages that include a free domain and 10 gigs of disk space. Hostway, which ties for second with Above.net this month, offers "SuperPower" shared hosting accounts that include 150 gigs of disk space and 1,500 gigs of data transfer (no, those aren't typos) starting at $9.95 a month.

Leading managed hosting providers continue to turn in strong performance, with Datapipe, Navisite, Rackspace and New York Internet all among the top 10, which included four sites on FreeBSD, three on Linux and two using Windows Server 2003. Of the 50 major hosts we monitor, 34 had no measurable outages in June.


July 2006 Web Server Survey

In the July 2006 survey we received responses from 88,166,395 sites, an increase of 2.87 million (3.25%) from last month. The Internet continues to see strong hostname growth, and has now gained 14.1 million hostnames (19%) in 2006 for an average increase of more than 2 million per month.

It was a good month for the Apache web server, which gained 3.2 million hostnames. The improvement boosts Apache's market share by 1.8 points to 63.09%, winning back some of the ground it lost during several months of strong gains for Windows servers. The largest gain for Apache was at Oversee.Net, which added more than 0.58 million hostnames on the Linux/Apache platform. But Apache's growth in the hosting sector extends beyond Oversee.Net, as eleven other hosting companies added 20K or more hostnames on Apache.

Solaris lost 953K hostnames, nearly halving its market share (down 1.1 points to 1.5%). The decline occurred at a single host, Network Solutions, where access problems prevented us from obtaining a thorough tally.

Graph: Total Sites Across All Domains, August 1995 - July 2006

Graph: Market share for top servers across all domains, August 1995 - July 2006

Top Developers

Developer     June 2006    Percent    July 2006    Percent    Change
Apache       52,389,885      61.25   55,622,584      63.09     +1.84
Microsoft    25,415,611      29.71   25,988,099      29.48     -0.23
Zeus            531,399       0.62      518,503       0.59     -0.03
Sun           1,311,822       1.53      347,037       0.39     -1.14


SQL Injection Weaknesses Found in Mambo, Joomla

Potentially serious security flaws have been found in existing versions of the Mambo and Joomla content management systems, and the developers of the two projects are advising users to install upgrades or security patches as soon as possible. Both programs are vulnerable to SQL injection attacks, in which a remote attacker submits crafted SQL fragments in form fields or URL parameters and so alters the queries the application runs against its database; in a content management system whose administrator accounts live in that database, this can lead on to compromise of the site and the server hosting it. Joomla is a fork of Mambo, with both programs derived from the same code base.

Mambo and Joomla are open source projects which use the PHP scripting language and MySQL database. These applications are popular with web site owners because they are powerful, user-friendly, and can be installed by users with little or no PHP coding experience. They are also frequently targeted by Internet criminals seeking to crack web servers for use in botnets, phishing scams and distributed denial of service (DDoS) attacks. The Internet Storm Center said it is receiving reports that older versions of Mambo are being actively targeted and exploited using unpatched vulnerabilities.
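The query-building mistake behind SQL injection, and the parameterised fix, as an added example that is not Mambo's or Joomla's code and does not reproduce the flaws in the advisories above. Mambo and Joomla are PHP/MySQL applications; this Python version runs the same two queries against an in-memory SQLite table so it can be executed offline, and the table contents, login logic and attack strings are all constructed for illustration.

```python
"""Added example: string-built SQL vs. bound parameters, against SQLite.

The users table, credentials and attack payloads are constructed."""
import sqlite3


def make_db():
    """Constructed users table in the style of a CMS back end."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT,
            password TEXT,
            usertype TEXT
        );
        INSERT INTO users (username, password, usertype) VALUES
            ('admin',  'constructed-admin-pw',  'Super Administrator'),
            ('editor', 'constructed-editor-pw', 'Editor');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Form fields spliced straight into the SQL text, so whatever the
    attacker types becomes part of the query's syntax."""
    sql = ("SELECT username, usertype FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Bound parameters: the values travel separately from the SQL text, so a
    quote or comment marker in the input is compared as data, never parsed."""
    sql = ("SELECT username, usertype FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    # Constructed payload 1: close the quoted literal, OR in a tautology and
    # comment out the password check. The vulnerable query becomes
    #   ... WHERE username = 'admin' OR '1'='1' --' AND password = 'wrong'
    tautology = "admin' OR '1'='1' --"
    # Constructed payload 2: UNION a second SELECT onto the query so the
    # login form hands back every account's stored credential.
    union_leak = "x' UNION SELECT username, password FROM users --"
    return {
        "vulnerable_tautology": sorted(login_vulnerable(conn, tautology, "wrong")),
        "vulnerable_union": sorted(login_vulnerable(conn, union_leak, "wrong")),
        "fixed_tautology": login_fixed(conn, tautology, "wrong"),
        "fixed_union": login_fixed(conn, union_leak, "wrong"),
        "fixed_honest": login_fixed(conn, "editor", "constructed-editor-pw"),
    }
```

With the vulnerable function the tautology payload returns every row (so the application would log the attacker in as the first match, typically the administrator) and the UNION payload returns the password column for every user. The fixed function returns nothing for either payload and still authenticates a genuine editor, which is the whole of the fix: the same query, with the user-supplied values passed as parameters rather than pasted into the SQL string.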
