_
Vulnerabilities verified on Samsung Galaxy S2 for Sprint-US (Epic 4G Touch), with EL29 firmware (Android 2.3.6). Some, but likely not all, of these vulnerabilities are probably present on ICS and on other Samsung Galaxy series devices, but they have not been tested significantly there. Reader testing is welcome--I don't have other Samsung devices for testing myself, and have no desire to upgrade to ICS to test.

The open source version of Total Shop UK eCommerce based on CodeIgniter version 2.1.2 is subject to a cross-site scripting vulnerability. The value of a generic parameter was not sufficiently sanitised before being written to a block of Javascript code. An attacker could distribute a malicious URL that would trigger this vulnerability and potentially steal session cookies, redirect the user to a malicious URL or download malware onto their machine.

• CVE number: CVE-2012-4236
• Impact: High
• Vendor homepage: http://www.totalshopuk.com/
• Vendor notified: 06/08/2012
• Vendor fixed: 08/08/2012
• Credit: Chris Cooper and Joseph Sheridan of Reaction Information Security

Game maker Blizzard Entertainment's internal network security has been breached, the company informed customers today.

While the company behind World of Warcraft and Diablo believes no sensitive financial information was compromised, it said e-mailaddresses for non-China Battle.net players and scrambled passwords were stolen, Blizzard President Michael Morhaime said in a company blog post: 

 This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened. At this time, we've found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Microsoft today said it will patch at least 14 vulnerabilities next week, including four in Internet Explorer (IE), making it three monthsin a row that the company has plugged holes in its browser.

Of the nine updates set for Aug. 14, five will be labeled "critical," the most serious of the four ratings Microsoft uses. The other four will be pegged "important," the next-lower threat ranking.

The big story for next week will be the one-two punch of patches for Exchange and SQL Server.

"Those are two of the three things that are most important to IT in enterprises," said Andrew Storms, director of security operations atnCircle Security. "Thank goodness SharePoint's not included. But Microsoft is hitting two out of three in just one month."

This article is written for publicizing of new SQL injection method about detour some web firewall or some security solution. I did test on a web firewall made in Korean, most SQL injection attack was hit, I will not reveal the maker for cutting its damage.