From Security Watch:
- Circuit City warns of online forum attack: Part of the Circuit
City Web site was hacked and used in an attempt to install
malicious code on PCs of unwitting visitors, the electronics
retailer said Thursday.
We at Cybertrust Inc. have cited PHP as a problem vector
numerous times in the past. In general, we do not believe our
customers are using PHP widely on their own Web sites. In this
case, Circuit City itself was not using PHP, but the third party
that provided it with the forum site did use PHP. More
importantly, that company used PHP insecurely on behalf of
Circuit City. It is important to remember that when using third
parties to host your brand, ensure you have performed a
reasonable audit of their security practices to prevent your
brand from being associated with such a security story.