
webhack.txt

Posted Oct 22, 2007
Site webappsec.org

Latest additions to the Web Hacking Incidents Database (WHID) detailing major recent incidents.

tags | advisory, web
SHA-256 | 9ef7b26b0eddd38519c2953eb60af13bd895e1dfd5872fb67ca39a54c0ead65e


Following are the latest additions to the Web Hacking Incidents Database
(WHID), a Web Application Security Consortium project. For further
information about the incidents, including references to further
information about each incident, refer to WHID's site at
http://www.webappsec.org/projects/whid/


WHID 2007-48: MSU investigating hacking incident
Reported: 17 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown

Information, including birth dates and social security numbers, of 1400
students who enrolled online at Montana State University has been
stolen by hackers. While no technical explanation is provided, the fact
that only students who enrolled online were affected points to a web
site breach.


WHID 2007-47: Commerce Bank, a US regional bank, hacked
Reported: 12 October 2007
Occurred: 10 October 2007
Incident Type: Security Breach
WASC Threat Classification: SQL Injection

3,000 records were exposed and 20 actually stolen at Commerce Bank, a
small bank in Central USA. While the vulnerability exploited is not
clear, SQL injection was mentioned. Therefore the record is uncertain
and, based on further information, might be withdrawn.


WHID 2007-46: School Web site breached? Personal info of Pembroke
workers, volunteers accessible for months
Reported: 11 October 2007
Occurred: 02 October 2007
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Insufficient Authorization

Personal information on anyone who worked or volunteered for the
Pembroke schools in the last four years was accessible via the Internet
because of a weakness in the district's computer system. The
information, including names, birth dates and Social Security numbers,
was available from May until Oct. 2, when school officials learned of
the problem.


WHID 2007-45: XSS flaw makes PM say: "I want to suck your blood"
Reported: 10 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Cross-site Scripting

Using XSS on the sites of both major Australian political parties, a
security researcher nicknamed Bsoric caused the Liberal Party's Web site
to read: "John Howard says: I want to suck your blood", while another
script caused a window to pop up on the Labor Party's Web site, urging
viewers to "Vote Liberal!"

WHID 2007-44: Hacker Breaks Into eBay Server, Locks Users Out
Reported: 10 October 2007
Occurred: 06 October 2007
Incident Type: Security Breach
WASC Threat Classification: Other

A hacker exploited a leftover admin function on eBay to block users and
close sales.


---
About WHID: The Web Hacking Incidents Database (WHID) is a Web
Application Security Consortium project dedicated to maintaining a list
of web application-related security incidents.

The database is unique in tracking only media-reported security
incidents that can be associated with a web application security
vulnerability. We also try to limit the database to targeted attacks
only. Please refer to the FAQ for further information on what you will
find and what you will not find in WHID.

WHID's goal is to serve as a tool for raising awareness of the web
application security problem and to provide information for statistical
analysis of web application security incidents. WHID has been featured
in Information Week and Slashdot.


Ofer Shezaf
ofers@breach.com, Phone:+972-9-9560036 #212, Cell: +972-54-4431119

CTO, Breach Security;
Chair, OWASP Israel;
Leader, ModSecurity Core Rule Set Project;
Leader, WASC Web Hacking Incidents Database Project

