The Web Hacking Incidents Database Last update: 07 November 2007
List of incidents of class OS Commanding
There are 10 incidents of class OS Commanding
Date: 07 August 2007
Incident Type: Security Breach
WASC Threat Classification: OS Commanding, SQL Injection
This gem is very interesting because it happened on Gentoo servers. It therefore combines the transparency into an incident that only an open source project can offer with the importance and resources of a large one. As a result we have a detailed report about the vulnerability, the exploit attempts and even people shouting at each other during the patching process.
What can we learn from this? That no server is secure, and that patching is hard.
References:
Date: 01 August 2007
Incident Type: Security Breach
WASC Threat Classification: OS Commanding
A command injection vulnerability at 1&1, a large German hosting provider, led to denial of service and possible home page modification on 30 servers and up to 1700 web sites.
References:
Date: 25 April 2006
Incident Type: Security Breach
WASC Threat Classification: OS Commanding
A hacker successfully abused a vulnerability in Horde to penetrate a site owned by the National Security Agency of the Slovak Republic.
References:
Date: 04 October 2005
Incident Type: Security Breach
WASC Threat Classification: OS Commanding
An unpatched TWiki installation was exploited.
References:
Date: 21 August 2005
Incident Type: Security Breach
WASC Threat Classification: OS Commanding
Sites were defaced by exploiting an issue in an XML-RPC library used by PHP.
References:
Date: 05 July 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization, OS Commanding, SQL Injection
A person who discovered an SQL injection vulnerability in a USC system and informed SecurityFocus about the flaw was criminally charged with breaking into the system.
References:
Date: 22 February 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, OS Commanding, Weak Password Recovery Validation
Details remain sketchy, but news reports mention social engineering, a guessable secret question for password recovery, and a known vulnerability in BEA WebLogic.
References:
Date: 25 December 2004
Incident Type: Security Breach
WASC Threat Classification: OS Commanding
A phpBB worm.
References:
Date: 21 December 2004
Incident Type: Security Breach
WASC Threat Classification: OS Commanding
A worm used Google to locate sites vulnerable to OS commanding.
References:
Date: 15 December 2000
Incident Type: Security Breach
WASC Threat Classification: OS Commanding
Local commands were executed by way of URL parameters.
References:
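The last entry above is the textbook form of OS commanding: a URL parameter is pasted into a shell command string. The following is an added example, not code from the WHID or from any of the sites listed; it assumes a hypothetical /lookup endpoint with a host parameter and uses constructed access-log lines. It shows the vulnerable pattern (shell=True with string concatenation), the hardened pattern (an allowlist on the parameter plus an argv list with no shell), and a small scan over web-server logs for the shell metacharacters such attacks, and the Google-driven worms listed above, leave behind.

```python
import re
import subprocess
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical endpoint: /lookup?host=<name>. The handler runs a command that
# includes the host name. 'echo' stands in for ping/nslookup so this runs offline.


def extract_host(url: str) -> str:
    """Pull the 'host' query parameter out of a request URL (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("host", [""])[0]


def vulnerable_lookup(url: str) -> str:
    """Vulnerable: the parameter is concatenated into a shell command string.
    A value such as 'x; echo INJECTED' terminates the intended command and
    runs an attacker-chosen one."""
    cmd = "echo Looking up " + extract_host(url)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist for a host name: letters, digits, dots and hyphens, bounded length,
# and no leading '-' so the value can never be parsed as a command-line option
# (argument injection such as '-c 999999' against ping).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def argv_lookup(host: str) -> str:
    """Run the command as an argv list without a shell: metacharacters in
    'host' are passed to the program as literal bytes, not interpreted."""
    return subprocess.run(["echo", "Looking up", host],
                          capture_output=True, text=True).stdout


def hardened_lookup(url: str) -> str:
    """Hardened: validate against the allowlist, then use the argv form.
    Both layers matter; the allowlist also stops argument injection that
    argv alone would not."""
    host = extract_host(url)
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host parameter: %r" % host)
    return argv_lookup(host)


# Detection side: look for shell metacharacters in URL-decoded request paths.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
SHELL_META_RE = re.compile(r"[;|&`$(){}<>\n]")


def flag_suspicious_requests(log_lines):
    """Return (client_ip, decoded_path) for requests whose decoded path contains
    shell metacharacters. Decoding first matters: attackers URL-encode ';' as
    %3B and backticks as %60 precisely so a raw-string grep misses them."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group(1))
        if SHELL_META_RE.search(decoded):
            hits.append((line.split(" ", 1)[0], decoded))
    return hits


# Constructed sample log lines (not from any real incident); IPs are from
# documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Dec/2000:10:00:00 +0000] "GET /cgi-bin/lookup?host=example.com HTTP/1.0" 200 120',
    '198.51.100.9 - - [15/Dec/2000:10:00:05 +0000] "GET /cgi-bin/lookup?host=x%3B%20id HTTP/1.0" 200 88',
    '198.51.100.9 - - [15/Dec/2000:10:00:07 +0000] "GET /cgi-bin/lookup?host=%60cat%20/etc/passwd%60 HTTP/1.0" 200 2048',
    '203.0.113.5 - - [15/Dec/2000:10:00:09 +0000] "GET /index.html HTTP/1.0" 200 5120',
]


if __name__ == "__main__":
    attack = "http://example.test/lookup?host=x;+echo+INJECTED"
    print("vulnerable:", repr(vulnerable_lookup(attack)))
    print("argv only :", repr(argv_lookup(extract_host(attack))))
    try:
        hardened_lookup(attack)
    except ValueError as e:
        print("hardened  :", e)
    for ip, path in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious request from", ip, "->", path)
```

Running it shows the vulnerable handler printing two lines, the second produced by the injected command, while the argv-only form echoes the whole parameter as one literal string and the hardened form rejects it before anything runs. The log scan flags the two encoded attempts and ignores the benign requests.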
This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.