HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: September 2010

Top Five Web Application Vulnerabilities 8/31/2010 - 9/12/2010

1) IBM Records Manager Multiple Unspecified Remote Vulnerabilities

IBM Records Manager is susceptible to multiple remote vulnerabilities including Cross-Site Scripting, information disclosure, and URI redirection. Successful exploitation would give an attacker the means to execute arbitrary script or HTML, steal cookie-based authentication credentials, and access sensitive information that could then be used to conduct more damaging attacks. Updates which resolve these issues are available. Contact the vendor for additional information.

2) Horde Application Framework 'icon_browser.php' Cross-Site Scripting Vulnerability

Horde Application Framework is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end-user systems. A patch which resolves this issue has been released. Contact the vendor for more details.

3) phpMyAdmin Debug Backtrace Cross-Site Scripting Vulnerability

phpMyAdmin is susceptible to a Cross-Site Scripting vulnerability. If this vulnerability is successfully exploited, arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users. Updates which resolve this vulnerability are available. Contact the vendor for further information.

4) CubeCart Multiple Cross-Site Scripting and SQL Injection Vulnerabilities

CubeCart is susceptible to multiple vulnerabilities including Cross-Site Scripting and SQL Injection. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, or execution of malicious scripts in the browsers of unsuspecting users. Updates which resolve these issues are reported to be available. Contact the vendor for additional details.

5) Invision Power Board BBCode Cross-Site Scripting Vulnerability

Invision Power Board is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this issue to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this vulnerability are available. Contact the vendor for more information.



79% of 2009 data breaches via web application attacks

According to a recent Forrester report, the hole in security efforts is still web application security. While 79% of data breaches in 2009 were the result of attacks on web applications, most security spending remains focused on infrastructure components. One of the key takeaways from this report is that companies should focus more on high-risk areas, and specifically on web application security. That is simply common sense if web application vulnerabilities are the route through which the most data is being stolen.

This is yet another piece in a long list of supporting evidence of how hacking has evolved from sport and one-time stings into an organized (and often state-sponsored) criminal enterprise. Hackers no longer look for a single score. Instead, they are looking to fundamentally alter the application and provide a "consistent source of revenue." Eight billion dollars a year in US cybercrime costs alone should help with that.


