Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

• (1) HIGH: Mozilla Products Multiple Vulnerabilities
• (2) HIGH: Sun Java Runtime Environment Multiple Vulnerabilities
• (3) LOW: Microsoft Windows MessageBoxA Memory Corruption
• (4) LOW: Mozilla Firefox Information Disclosure

Other Software

• (5) HIGH: ESET NOD32 CAB Parsing Heap Overflow
• (6) HIGH: MailEnable POP3 PASS Command Buffer Overflow
• (7) HIGH: Typo3 Multiple Remote Command Execution Vulnerabilities
• (8) HIGH: McAfee NeoTrace ActiveX Control Buffer Overflow

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 06.51.1 - Sambar FTP Server Remote Denial of Service
• 06.51.2 - Star FTP Server RETR Command Remote Denial of Service
• 06.51.3 - Microsoft Windows Explorer and Media Player Denial of Service
• 06.51.4 - Microsoft Windows MessageBoxA Denial of Service

Microsoft Office

• 06.51.5 - Microsoft Project Server 2003 PDSRequest.ASP XML Request Information Disclosure
• 06.51.6 - Microsoft Outlook ActiveX Control Remote Internet Explorer Denial of Service

Third Party Windows Apps

• 06.51.7 - Yahoo! Messenger Unspecified ActiveX Control Remote Buffer Overflow
• 06.51.8 - Intel 2200BG 802.11 Driver Beacon Frame Remote Code Execution
• 06.51.9 - MailEnable POP Service PASS Command Remote Buffer Overflow
• 06.51.10 - AstonSoft DeepBurner DBR Compilation Buffer Overflow
• 06.51.11 - Ozeki HTTP-SMS Gateway Password Information Disclosure
• 06.51.12 - NOD32 Anti-Virus Multiple File Parsing Vulnerabilities
• 06.51.13 - McAfee NeoTrace ActiveX Control Remote Buffer Overflow

Mac Os

• 06.51.14 - Apple Mac OS X Quicktime For Java Information Disclosure

Linux

• 06.51.15 - Linux Kernel Bluetooth CAPI Packet Remote Buffer Overflow
• 06.51.16 - Linux Kernel MinCore User Space Access Locking Local Denial of Service

Cross Platform

• 06.51.17 - SQL-Ledger Unspecified Code Execution
• 06.51.18 - IBM WebSphere Utility Classes Unspecified Vulnerability
• 06.51.19 - Multiple Vendor Firewall HIPS Process Spoofing Vulnerability
• 06.51.20 - OpenOffice Remote Integer Overflow Denial of Service
• 06.51.21 - Mandiant First Response Multiple Denial of Service and Agent Hijacking Vulnerabilities
• 06.51.22 - Multiple BitDefender Products Parsing Engine Integer Overflow Vulnerabilities
• 06.51.23 - ITalk Plus Multiple Remote Pre-Authentication Buffer Overflow Vulnerabilities
• 06.51.24 - Kerio MailServer Remote Unspecified LDAP Denial of Service
• 06.51.25 - IBM DB2 Remote SQLJRA Packet Denial of Service
• 06.51.26 - GNU Wget FTP_Syst Function Remote Denial of Service
• 06.51.27 - Sun Java Runtime Environment Multiple Remote Privilege Escalation Vulnerabilities
• 06.51.28 - Sun Java Runtime Environment Information Disclosure Vulnerabilities
• 06.51.29 - Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities
• 06.51.30 - Oracle Portal Calendar.JSP HTTP Response Splitting
• 06.51.31 - RealNetworks RealPlayer ActiveX Control Remote Denial of Service
• 06.51.32 - Hitachi Directory Server LDAP Request Handling Multiple Vulnerabilities
• 06.51.33 - ESET NOD32 Antivirus CAB File Parsing Engine Integer Overflow
• 06.51.34 - HTTP Explorer Web Server Directory Traversal

Web Application - Cross Site Scripting

• 06.51.35 - Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities
• 06.51.36 - osTicket Support Cards View.PHP Cross Site Scripting
• 06.51.37 - Mini Web Shop View.PHP Viewcategory.PHP Cross-Site Scripting
• 06.51.38 - SugarCRM Sugar Open Source Multiple Unspecified Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

• 06.51.39 - ScriptMate User Manager Multiple SQL Injection Vulnerabilities
• 06.51.40 - Contra Haber Sistemi Haber.ASP SQL Injection
• 06.51.41 - Upload_download_de_fichiers Administre2.PHP SQL Injection
• 06.51.42 - Burak Yilmaz Download Portal Down.ASP SQL Injection

Web Application

• 06.51.43 - IBM WebSphere Application Server Multiple Remote Vulnerabilities
• 06.51.44 - Knusperleicht Shoutbox Shout.php HTML Injection
• 06.51.45 - Azucar CMS Index_sitios.PHP Remote File Include
• 06.51.46 - Clam Anti-Virus Attachment Wrapping Denial of Service
• 06.51.47 - WeBWorK Program Generation Language Macro Security Restriction Bypass
• 06.51.48 - Torrentflux-B4RT Viewnfo.PHP Directory Traversal
• 06.51.49 - mxBB Web Links Module MX_Root_Path Remote File Include
• 06.51.50 - mxBB Charts Module Module_Root_Path Remote File Include
• 06.51.51 - Bandwebsite Unauthorized Administrative Account Creation
• 06.51.52 - ScriptMate User Manager Default.ASP Multiple HTML Injection Vulnerabilities
• 06.51.53 - Yaplap Ldap.PHP Remote File Include
• 06.51.54 - AR_Memberscript UserCP_menu.PHP Remote File Include
• 06.51.55 - EyeOS Aplic.PHP Arbitrary File Upload
• 06.51.56 - VerliAdmin Index.PHP Remote File Include
• 06.51.57 - Drupal Project and Project Issues Tracking Modules Multiple HTML Injection Vulnerabilities
• 06.51.58 - KDE LibkHTML NodeType Function Denial of Service
• 06.51.59 - PHPFanBase Protection.PHP Remote File Include
• 06.51.60 - phpProfiles Multiple Remote File Include Vulnerabilities
• 06.51.61 - cwmCounter Statistic.PHP Remote File Include
• 06.51.62 - Typo3 Class.TX_RTEHTMLArea_PI1.PHP Multiple Remote Command Execution Vulnerabilities
• 06.51.63 - Valdersoft Shopping Cart Common.PHP Remote File Include
• 06.51.64 - Computer Associates Multiple CleverPath Portal Environments Session Hijacking
• 06.51.65 - cwmExplorer Index.PHP Source Code Information Disclosure
• 06.51.66 - Web-App.Org and Web-App.Net Multiple Input Validation Vulnerabilities
• 06.51.67 - Mono XSP Source Code Information Disclosure
• 06.51.68 - TextSend Sender.PHP Remote File Include
• 06.51.69 - PgmReloaded Multiple Remote File Include Vulnerabilities
• 06.51.70 - Newxooper Mapage.PHP Remote File Include
• 06.51.71 - OFBiz Search_String Parameter HTML Injection
• 06.51.72 - Calacode @Mail Webmail Filtering Engine HTML Injection
• 06.51.73 - Hitachi Soumu Workflow Multiple Remote Authentication Bypass Vulnerabilities

Network Device

• 06.51.74 - Allied Telesis AT-9000/24 Ethernet Switch Unauthorized Management VLAN Access
• 06.51.75 - NeoScale Systems CryptoStor Tape 700 Series Appliance SmartCard Authentication Bypass
• 06.51.76 - HP Printer FTP Print Server List Command Buffer Overflow

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 51, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5314 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 06.51.1 - CVE: Not Available
• Platform: Windows
• Title: Sambar FTP Server Remote Denial of Service
• Description: Sambar FTP Server is vulnerable to a remote denial of service issue when a long sequence of "./" characters (160 or more) is processed. Sambar FTP Server version 6.4 is vulnerable.
• Ref: http://www.securityfocus.com/bid/21617/info

• 06.51.2 - CVE: Not Available
• Platform: Windows
• Title: Star FTP Server RETR Command Remote Denial of Service
• Description: Star FTP Server is a File Transfer Protocol Daemon available for Microsoft Windows. The application is exposed to a remote denial of service issue that affects the processing of "RETR" commands. Star FTP Server version 1.10 is affected.
• Ref: http://www.securityfocus.com/bid/21630/info http://milw0rm.com/exploits/2942

• 06.51.3 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows Explorer and Media Player Denial of Service
• Description: Microsoft Windows Explorer and Windows Media Player are both exposed to a denial of service issue. Please see the link below for further details.
• Ref: http://www.securityfocus.com/archive/1/454502

• 06.51.4 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows MessageBoxA Denial of Service
• Description: Microsoft Windows is prone to a local denial of service vulnerability because the operating system fails to handle certain API calls with unexpected parameters. Specifically, the vulnerability occurs when the executable makes an API call to the "MessageBoxA" message box and passes certain malicious parameters.
• Ref: http://www.securityfocus.com/bid/21688

• 06.51.5 - CVE: Not Available
• Platform: Microsoft Office
• Title: Microsoft Project Server 2003 PDSRequest.ASP XML Request Information Disclosure
• Description: Microsoft Project Server 2003 is prone to an information disclosure vulnerability when an XML request in the "/logon/pdsrequest.asp" script is sent to the HTTP server.
• Ref: http://www.securityfocus.com/bid/21611

• 06.51.6 - CVE: Not Available
• Platform: Microsoft Office
• Title: Microsoft Outlook ActiveX Control Remote Internet Explorer Denial of Service
• Description: The Microsoft Office Outlook Recipient Control is exposed to a denial of service issue due to a flawed interaction between Microsoft Outlook and Internet Explorer. Microsoft Outlook XP and prior versions are affected.
• Ref: http://www.securityfocus.com/bid/21649/info

• 06.51.7 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Yahoo! Messenger Unspecified ActiveX Control Remote Buffer Overflow
• Description: Yahoo! Messenger is a freely available chat client distributed and maintained by Yahoo!. An unspecified ActiveX control shipped with Yahoo! Messenger is prone to a buffer overflow vulnerability because it fails to perform sufficient bounds checking of user-supplied input before copying it to an insufficiently sized memory buffer. Yahoo! Messenger versions released prior to November 2, 2006 are affected.
• Ref: http://messenger.yahoo.com/security_update.php?id=120806

• 06.51.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Intel 2200BG 802.11 Driver Beacon Frame Remote Code Execution
• Description: Intel 2200BG driver is prone to a remote code execution vulnerability due to a race condition which occurs when "w29n51.sys" fails to properly handle a flood of malformed beacon frames. Intel 2200BG (Mini-PCI) driver version 9.0.3.9 is affected.
• Ref: http://www.securityfocus.com/bid/21641

• 06.51.9 - CVE: CVE-2006-6605
• Platform: Third Party Windows Apps
• Title: MailEnable POP Service PASS Command Remote Buffer Overflow
• Description: MailEnable is a commercially available mail server. It is prone to a stack-based buffer overflow vulnerability in the POP service that occurs when the application handles excessively long parameters to the "PASS" command. MailEnable version 2.35 is reportedly vulnerable.
• Ref: http://www.securityfocus.com/bid/21645

• 06.51.10 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: AstonSoft DeepBurner DBR Compilation Buffer Overflow
• Description: AstonSoft DeepBurner is a CD and DVD burning application. It is prone to a remote buffer overflow vulnerability. The vulnerability affects the "file name" tag located in DBR files which contain a listing to be included in a CD/DVD burning project. The application does not allocate a sufficient sized buffer for user-supplied data in these files, allowing an attacker to corrupt process memory by supplying more than 272 bytes as input for the "file name" tag. AstonSoft DeepBurner version 1.8.0 is affected.
• Ref: http://www.securityfocus.com/bid/21657

• 06.51.11 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Ozeki HTTP-SMS Gateway Password Information Disclosure
• Description: Ozeki HTTP-SMS Gateway is an application that allows users to send and receive a large volume of SMS messages over IP SMS connection. This application is exposed to an information disclosure vulnerability. This issue occurs because the application fails to protect sensitive information. Specifically the username and passwords of users are stored in the "HKEY_LOCAL_MACHINESoftwareOzekiSMSServerCurrentVersionPluginshttpsmsgate" registry in clear text. This registry is readable by all users. This issue affects version 1.0.
• Ref: http://www.securityfocus.com/bid/21679

• 06.51.12 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: NOD32 Anti-Virus Multiple File Parsing Vulnerabilities
• Description: NOD32 Anti-Virus is an anti-virus application available for Microsoft Windows. It is exposed to a divide by zero issue when attempting to process CHM files and also to a heap-based buffer overflow issue when attempting to process DOC files. NOD32 Anti-Virus versions prior to 1.1743 are affected.
• Ref: http://www.securityfocus.com/bid/21682

• 06.51.13 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: McAfee NeoTrace ActiveX Control Remote Buffer Overflow
• Description: NeoTrace is a utility that allows users to map computers on the Internet. The NeoTraceExplorer.NeoTraceLoader ActiveX control is vulnerable to a buffer overflow issue when receiving a string of over 500 bytes to the "TraceTarget()" function. McAfee NeoTrace Express version 3.25 and NeoTrace Professional version 3.25 are vulnerable.
• Ref: http://www.securityfocus.com/bid/21697

• 06.51.14 - CVE: Not Available10.4.8 is affected.
• Platform: Mac Os
• Title: Apple Mac OS X Quicktime For Java Information Disclosure
• Description: Apple Mac OS X is exposed to an information disclosure issue. Specifically, the vulnerability occurs when Java applets use "Quicktime for Java" to retrieve images rendered on screen by embedded Quicktime objects. Attackers may combine this with Quartz Composer to capture images that contain local information. Apple Mac OS X version
• Ref: http://www.securityfocus.com/bid/21672

• 06.51.15 - CVE: CVE-2006-6106
• Platform: Linux
• Title: Linux Kernel Bluetooth CAPI Packet Remote Buffer Overflow
• Description: The Linux kernel is prone to a buffer overflow vulnerability because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue occurs when the Bluetooth driver attempts to handle excessively large CAPI packets. Versions prior to 2.4.33.5 are affected.
• Ref: http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.33.5

• 06.51.16 - CVE: CVE-2006-4814
• Platform: Linux
• Title: Linux Kernel MinCore User Space Access Locking Local Denial of Service
• Description: The Linux kernel is exposed to denial of service issue due to a design error in "mincore()", a system call used to determine the residency of memory pages. Linux Kernel versions prior to 2.4.33.6 are affected.
• Ref: http://www.securityfocus.com/bid/21663/info

• 06.51.17 - CVE: VE-2006-5872
• Platform: Cross Platform
• Title: SQL-Ledger Unspecified Code Execution
• Description: SQL-Ledger is a double entry accounting system. It is exposed to a remote code execution issue because the application fails to properly sanitize input to unspecified parameters. SQL-Ledger versions 2.6 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/21634/info

• 06.51.18 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM WebSphere Utility Classes Unspecified Vulnerability
• Description: IBM WebSphere Application Server is a framework for supporting various enterprise web applications. It is prone to an unspecified vulnerability that is likely to be related to the handling of Java utility classes. IBM WebSphere Application Server versions prior to 5.1.1.13 are reportedly vulnerable.
• Ref: http://www-1.ibm.com/support/docview.wss?uid=swg24014231

• 06.51.19 - CVE: Not Available
• Platform: Cross Platform
• Title: Multiple Vendor Firewall HIPS Process Spoofing Vulnerability
• Description: Multiple vendor firewalls and HIPS (host-based intrusion prevention systems) are prone to a process spoofing vulnerability. An attacker can exploit this issue to have an arbitrary malicious program appear to run as a trusted process and function undetected on an affected victim's computer. Please see the advisory for further information.
• Ref: http://www.securityfocus.com/bid/21615

• 06.51.20 - CVE: Not Available
• Platform: Cross Platform
• Title: OpenOffice Remote Integer Overflow Denial of Service
• Description: OpenOffice is exposed to a remote denial of service issue because of an integer overflow flaw in the "WW8PLCF::GeneratePLCF()" method when attempting to process malformed Word files. OpenOffice version 2.1 is vulnerable to this issue.
• Ref: http://www.securityfocus.com/archive/1/454514 http://www.securityfocus.com/bid/21618/info

• 06.51.21 - CVE: CVE-2006-6475,CVE-2006-6476,CVE-2006-6477
• Platform: Cross Platform
• Title: Mandiant First Response Multiple Denial of Service and Agent Hijacking Vulnerabilities
• Description: Mandiant First Response is an incident-response tool to collect system information such as running processes, system services, registry information, and event logs. It is affected by a denial of service and agent hijack issue. Mandiant First Response version 1.1 is affected.
• Ref: http://www.securityfocus.com/bid/21548

• 06.51.22 - CVE: Not Available
• Platform: Cross Platform
• Title: Multiple BitDefender Products Parsing Engine Integer Overflow Vulnerabilities
• Description: Multiple BitDefender applications are exposed to an integer overflow issue because they fail to ensure that integer values are not overrun. When the applications parse crafted packed PE files, a heap-based buffer overflow occurs, resulting from the integer overflow issue. BitDefender for MS Exchange 5.5 0 and prior versions are affected. Ref: http://www.bitdefender.com/KB323-en--cevakrnl.xmd-vulnerability.html http://www.securityfocus.com/bid/21610

• 06.51.23 - CVE: Not Available
• Platform: Cross Platform
• Title: ITalk Plus Multiple Remote Pre-Authentication Buffer Overflow Vulnerabilities
• Description: Italk Plus is a freely available chat application available for Windows, Unix and Unix-like operating systems. It is susceptible to multiple remote buffer overflow issues due to the application's failure to properly bounds check user-supplied input before copying it to insufficiently sized memory buffers. Italk Plus versions prior to 0.92.1 are affected.
• Ref: http://italk.sourceforge.net/italk-sa-1.txt

• 06.51.24 - CVE: Not Available
• Platform: Cross Platform
• Title: Kerio MailServer Remote Unspecified LDAP Denial of Service
• Description: Kerio MailServer is prone to a denial of service vulnerability because the software fails to properly handle malformed LDAP traffic, resulting in an application crash. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/21602

• 06.51.25 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM DB2 Remote SQLJRA Packet Denial of Service
• Description: DB2 Universal Database is a database management application written for use on multiple platforms. DB2 Universal Database is affected by a denial of service vulnerability due to a failure of the "sqle_db2ra_as_recvrequest()" function to properly handle malformed "SQLJRA" packets.
• Ref: http://www-1.ibm.com/support/docview.wss?uid=swg1IY86917

• 06.51.26 - CVE: Not Available
• Platform: Cross Platform
• Title: GNU Wget FTP_Syst Function Remote Denial of Service
• Description: GNU Wget is a non-interactive command line application to retrieve files using HTTP, HTTPS and FTP. It is prone to a remote denial of service issue in the "ftp_syst()" function when processing an excessive amount of FTP "220" status codes. GNU Wget version 1.10.2 is affected.
• Ref: http://www.securityfocus.com/bid/21650

• 06.51.27 - CVE: Not Available
• Platform: Cross Platform
• Title: Sun Java Runtime Environment Multiple Remote Privilege Escalation Vulnerabilities
• Description: Sun Java Runtime Environment is an enterprise development platform. It is vulnerable to multiple unspecified privilege escalation issues. See the advisory for further details.
• Ref: http://www.securityfocus.com/bid/21673

• 06.51.28 - CVE: Not Available
• Platform: Cross Platform
• Title: Sun Java Runtime Environment Information Disclosure Vulnerabilities
• Description: The Sun Java runtime environment is prone to multiple information disclosure vulnerabilities. These issues are due to a design flaw in the affected application. Specifically, untrusted applets are inappropriately allowed to access data from other applets in two different circumstances. Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1&searchclause=

• 06.51.29 - CVE: Not Available
• Platform: Cross Platform
• Title: Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities
• Description: The Java Runtime Environment is an application that allows users to run Java applications. It is prone to multiple unspecified buffer overflow vulnerabilities. Please refer to the advisory for further information. Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1&searchclause=

• 06.51.30 - CVE: Not Available
• Platform: Cross Platform
• Title: Oracle Portal Calendar.JSP HTTP Response Splitting
• Description: Oracle Portal is a portal application which is title integrated with Oracles application server software. It is exposed to a HTTP response splitting issue because it fails to properly sanitize user-supplied input to the "enc" parameter of the "calendar.jsp" script before saving data to the Oracle Web Cache. Oracle Portal version 10g is affected.
• Ref: http://www.securityfocus.com/archive/1/454945

• 06.51.31 - CVE: Not Available
• Platform: Cross Platform
• Title: RealNetworks RealPlayer ActiveX Control Remote Denial of Service
• Description: RealNetworks RealPlayer is prone to a denial of service issue. The ActiveX control with a CLSID from the "rpau3260.dll" library is exposed to a denial of service issue. RealPlayer version 10.5 is affected.
• Ref: http://www.securityfocus.com/bid/21689

• 06.51.32 - CVE: Not Available
• Platform: Cross Platform
• Title: Hitachi Directory Server LDAP Request Handling Multiple Vulnerabilities
• Description: Hitachi LDAP Directory Server contains multiple denial of service vulnerabilities which are only reported to affect the Microsoft Windows and HP-UX versions of the application. These issues arise when the server handles specially-crafted LDAP requests. Please refer to the attached advisory for details.
• Ref: http://www.securityfocus.com/bid/21692

• 06.51.33 - CVE: Not Available
• Platform: Cross Platform
• Title: ESET NOD32 Antivirus CAB File Parsing Engine Integer Overflow
• Description: ESET NOD32 Antivirus is an antivirus application. It is vulnerable to an integer overflow issue as it fails to ensure that integer values are not overrun. Versions prior to 1.1743 are affected.
• Ref: http://www.securityfocus.com/bid/21701/info

• 06.51.34 - CVE: Not Available
• Platform: Cross Platform
• Title: HTTP Explorer Web Server Directory Traversal
• Description: HTTP Explorer is a webserver. It is vulnerable to a directory traversal issue when specially-crafted HTTP GET requests contain directory traversal strings. HTTP Explorer version 1.02 is vulnerable.
• Ref: http://www.securityfocus.com/bid/21712

• 06.51.35 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities
• Description: Omniture SiteCatalyst is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input to the "ss" parameter of the "search.asp" script. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/21620

• 06.51.36 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: osTicket Support Cards View.PHP Cross Site Scripting
• Description: osTicket Support Cards is a web-based customer support application. It is prone to a cross site scripting issue because it fails to properly sanitize user-supplied input to the "e" parameter of the "view.php" script. osTicket versions 1.3 beta and 1.2.7 are affected.
• Ref: http://www.securityfocus.com/bid/21669

• 06.51.37 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Mini Web Shop View.PHP Viewcategory.PHP Cross-Site Scripting
• Description: Mini Web Shop is a web-based customer support application implemented in PHP. The application is exposed to a cross-site scripting issue due to improper sanitization of user-supplied input to the "catname" parameter of the "viewcategory.php" script. Mini Web Shop version 2.1.c is affected.
• Ref: http://www.securityfocus.com/bid/21677/info

• 06.51.38 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: SugarCRM Sugar Open Source Multiple Unspecified Cross-Site Scripting Vulnerabilities
• Description: Sugar Open Source is a suite of customer relationship management software. The application is exposed to multiple unspecified cross-site scripting issues as it fails to sufficiently sanitize user-supplied input. Sugar Open Source versions prior to 4.5.0g are affected.
• Ref: http://www.securityfocus.com/bid/21694/info

• 06.51.39 - CVE: CVE-2006-6595
• Platform: Web Application - SQL Injection
• Title: ScriptMate User Manager Multiple SQL Injection Vulnerabilities
• Description: ScriptMate User Manager is a platform for registering and managing members and for securing ASP pages. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "mesid" parameter of the "/smusermanager/utilities/usermessages.asp" script. ScriptMate User Manager versions 2.1 and 2.0 are vulnerable.
• Ref: http://www.hackerscenter.com/archive/view.asp?id=26656

• 06.51.40 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Contra Haber Sistemi Haber.ASP SQL Injection
• Description: Contra Haber Sistemi is a web application implemented in ASP. The application is exposed to an SQL injection issue due to insufficient sanitization of user-supplied data to the "id" parameter of the "haber.asp" script before using it in an SQL query. Contra Haber Sistemi version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/21626/info http://www.securityfocus.com/archive/1/454594

• 06.51.41 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Upload_download_de_fichiers Administre2.PHP SQL Injection
• Description: The Upload_download_de_fichiers application is a file transfer tool. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id_user" parameter of the "administre2.php" script. Upload_download_de_fichiers version 3 is affected.
• Ref: http://www.securityfocus.com/bid/21648/info

• 06.51.42 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Burak Yilmaz Download Portal Down.ASP SQL Injection
• Description: Burak Yilmaz Download Portal is a web application. It is exposed to an SQL injection issue due to insufficient sanitization of user-supplied data to the "id" parameter of the "down.asp" script. MaxiASP Burak Yilmaz Download Portal version 0 is affected.
• Ref: http://www.securityfocus.com/bid/21676

• 06.51.43 - CVE: CVE-2006-6636
• Platform: Web Application
• Title: IBM WebSphere Application Server Multiple Remote Vulnerabilities
• Description: IBM WebSphere Application Server is a utility designed to facilitate the creation of various enterprise web applications. It is vulnerable to multiple remote vulnerabilities. IBM WebSphere Application Server prior to versions 6.0.2 Fix Pack 17 are vulnerable. See the advisory for further details.
• Ref: http://www-1.ibm.com/support/docview.wss?uid=swg27006879

• 06.51.44 - CVE: Not Available
• Platform: Web Application
• Title: Knusperleicht Shoutbox Shout.php HTML Injection
• Description: Knusperleicht Shoutbox adds message and comment posting functionality to web sites. It is prone to an HTML injection issue because it fails to properly sanitize user-supplied input to the "shout.php" script before using it in dynamically generated content. Knusperleicht Shoutbox version 2.6 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/21637

• 06.51.45 - CVE: Not Available
• Platform: Web Application
• Title: Azucar CMS Index_sitios.PHP Remote File Include
• Description: Azucar CMS is a web-based content management system. It is prone to a remote file include vulnerability due to insufficient sanitization of the "$_GET[_VIEW]" parameter of the "admin/index_sitios.php" script. Azucar CMS version 1.3 is reportedly vulnerable.
• Ref: http://www.securityfocus.com/bid/21638

• 06.51.46 - CVE: CVE-2006-6481
• Platform: Web Application
• Title: Clam Anti-Virus Attachment Wrapping Denial of Service
• Description: ClamAV is an antivirus application. It is vulnerable to a denial of service issue due to insufficient handling of attachments. ClamAV versions 0.88.6 and earlier are vulnerable.
• Ref: http://kolab.org/security/kolab-vendor-notice-14.txt http://www. quantenblog.net/security/virus-scanner-bypass

• 06.51.47 - CVE: Not Available
• Platform: Web Application
• Title: WeBWorK Program Generation Language Macro Security Restriction Bypass
• Description: WeBWorK Program Generation (PG) Language is a support application for WeBWorK. It is exposed to a security restriction bypass issue due to a failure of the application to properly enforce restrictions in place to deter attackers from running arbitrary script code on affected computers. WeBWorK versions prior to 2.3.1 are affected.
• Ref: http://www.securityfocus.com/bid/21614

• 06.51.48 - CVE: CVE-2006-6598
• Platform: Web Application
• Title: Torrentflux-B4RT Viewnfo.PHP Directory Traversal
• Description: Torrentflux-B4RT is a web-based front end for the Torrentflux application. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input to the "path" parameter of the "viewnfo.php" script. Torrentflux-B4RT versions prior to 2.1-b4rt-97 are vulnerable.
• Ref: http://www.securityfocus.com/bid/21613

• 06.51.49 - CVE: CVE-2006-6645
• Platform: Web Application
• Title: mxBB Web Links Module MX_Root_Path Remote File Include
• Description: The web links module for the mxBB bulletin board adds categorized links functionality to the portal application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mx_root_path" parameter of the "modules/mx_links/language/lang_english/lang_admin.php" script. mxBB web links module version 2.05 is vulnerable.
• Ref: http://www.securityfocus.com/bid/21622

• 06.51.50 - CVE: Not Available
• Platform: Web Application
• Title: mxBB Charts Module Module_Root_Path Remote File Include
• Description: The Charts module for the mxBB bulletin board adds chart functionality to the portal application. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "module_root_path" parameter of the "modules/mx_charts/charts_constants.php" script. mxBB Version 1.0.0 is vulnerable to this issue and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/21623

• 06.51.51 - CVE: Not Available
• Platform: Web Application
• Title: Bandwebsite Unauthorized Administrative Account Creation
• Description: Bandwebsite is a web-based content management framework designed to allow music bands to easily create web sites. It is exposed to an unauthorized administrative account creation due to insufficient sanitization of "admin.php" script. Bandwebsite version 1.5 is affected.
• Ref: http://www.securityfocus.com/bid/21625

• 06.51.52 - CVE: Not Available
• Platform: Web Application
• Title: ScriptMate User Manager Default.ASP Multiple HTML Injection Vulnerabilities
• Description: ScriptMate User Manager is a platform for registering and managing members and for securing ASP pages. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of the "members_username" and "members_password" parameters of "/smusermanager/members/default.asp". ScriptMate User Manager version 2.1 is reportedly vulnerable.
• Ref: http://www.securityfocus.com/bid/21472

• 06.51.53 - CVE: Not Available
• Platform: Web Application
• Title: Yaplap Ldap.PHP Remote File Include
• Description: The Yaplap application is an LDAP administration tool. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "LOGIN_style" parameter of the "ldap.php" script. Yaplap versions 0.6 and 0.6.1 are affected.
• Ref: http://www.securityfocus.com/bid/21599

• 06.51.54 - CVE: Not Available
• Platform: Web Application
• Title: AR_Memberscript UserCP_menu.PHP Remote File Include
• Description: The AR_Memberscript application is a tool for managing memberships. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "script_folder" parameter of the "usercp_menu.php" script.
• Ref: http://www.milw0rm.com/exploits/2931 http://www.securityfocus.com/bid/21600/info

• 06.51.55 - CVE: Not Available
• Platform: Web Application
• Title: EyeOS Aplic.PHP Arbitrary File Upload
• Description: EyeOS is a content management system. It is vulnerable to an arbitrary file upload issue due to insufficient sanitization of user-supplied input to the "apps/eyeHome.eyeapp/aplic.php" script. EyeOS versions prior to 0.9.3-3 are affected.
• Ref: http://www.securityfocus.com/bid/21639

• 06.51.56 - CVE: Not Available
• Platform: Web Application
• Title: VerliAdmin Index.PHP Remote File Include
• Description: VerliAdmin is an administration tool for the VerliHub application. The application is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "q" parameter of the "index.php" script. VerliAdmin version 0.3 is affected.
• Ref: http://www.securityfocus.com/bid/21640

• 06.51.57 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Project and Project Issues Tracking Modules Multiple HTML Injection Vulnerabilities
• Description: The Drupal Project and Project issue tracking modules are project management modules for the Drupal content management system. They are vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied data to various unspecified fields passed to the "check_plain()" function. See the advisory for further details.
• Ref: http://drupal.org/node/103943

• 06.51.58 - CVE: Not Available
• Platform: Web Application
• Title: KDE LibkHTML NodeType Function Denial of Service
• Description: KDE Libkhtml is a HTML parsing library used by applications such as Konqueror and Kmail. It is exposed to denial of service issue in the "nodeType()" function. KDE Libkhtml version 4.2, KDE Konqueror version 3.5.2 and KDE kmail version 1.9.1 are affected.
• Ref: http://www.securityfocus.com/bid/21662

• 06.51.59 - CVE: Not Available
• Platform: Web Application
• Title: PHPFanBase Protection.PHP Remote File Include
• Description: PHPFanBase is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "siteurl" parameter of the "protection.php" script. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/21664

• 06.51.60 - CVE: Not Available
• Platform: Web Application
• Title: phpProfiles Multiple Remote File Include Vulnerabilities
• Description: phpProfiles is a web-based application. It is vulnerable to multiple remote file include issues due to improper sanitization of user-supplied input to various scripts. phpProfiles versions 3.1.2b and earlier are affected.
• Ref: http://www.securityfocus.com/bid/21667

• 06.51.61 - CVE: Not Available
• Platform: Web Application
• Title: cwmCounter Statistic.PHP Remote File Include
• Description: cwmCounter is a PHP based application that keeps track of the number of visitors visiting a web site. Insufficient sanitization of the "path" parameter of the "statistic.php" script exposes the application to a remote file include issue. cwmCounter version 5.1.1 is affected.
• Ref: http://www.securityfocus.com/bid/21671

• 06.51.62 - CVE: Not Available
• Platform: Web Application
• Title: Typo3 Class.TX_RTEHTMLArea_PI1.PHP Multiple Remote Command Execution Vulnerabilities
• Description: TYPO3 is a content management system. It is vulnerable to multiple issues that permit the execution of arbitrary system commands due to insufficient sanitization of user-supplied data to the "userUid" parameter and an unspecified parameter of the "/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php" script. TYPO3 versions 4.0 to 4.0.3 and 4.1beta are vulnerable; versions 3.7 and 3.8 are also vulnerable if they have the optional "rtehtmlarea" extension installed.
• Ref: http://www.securityfocus.com/archive/1/454944

• 06.51.63 - CVE: Not Available
• Platform: Web Application
• Title: Valdersoft Shopping Cart Common.PHP Remote File Include
• Description: Valdersoft Shopping Cart is a PHP based shopping cart application. It is prone to a remote file include vulnerability due to insufficient sanitization of the "commonIncludePath" parameter of the "common.php" script. Valdersoft Shopping Cart version 3.0 is reportedly vulnerable.
• Ref: http://www.securityfocus.com/bid/21685

• 06.51.64 - CVE: Not Available
• Platform: Web Application
• Title: Computer Associates Multiple CleverPath Portal Environments Session Hijacking
• Description: Computer Associates multiple CleverPath Portal environments are web-based portal applications. These applications are exposed to a session hijacking issue when multiple CleverPath Portal Environments are sharing a common data store at exactly same time. Computer Associates Workload Control Center versions 1.0 SP4 and prior are affected. Ref: http://supportconnectw.ca.com/public/ca_common_docs/cpportal_secnot.asp

• 06.51.65 - CVE: Not Available
• Platform: Web Application
• Title: cwmExplorer Index.PHP Source Code Information Disclosure
• Description: cwmExplorer is a web-based file and folder browsing application implemented in PHP. The application is exposed an information disclosure issue due to insufficient sanitization of user-supplied input to the "show_file" parameter of the "index.php" script. cwmExplorer version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/21683

• 06.51.66 - CVE: Not Available
• Platform: Web Application
• Title: Web-App.Org and Web-App.Net Multiple Input Validation Vulnerabilities
• Description: Web-APP.org and Web-APP.net are web portal applications. They are affected by multiple cross-site and filter-bypass vulnerabilities. Web-APP.net version 0.9.9.3.4NE and Web-APP.org version 0.9.9.4 are affected.
• Ref: http://www.securityfocus.com/bid/21684

• 06.51.67 - CVE: CVE-2006-2658
• Platform: Web Application
• Title: Mono XSP Source Code Information Disclosure
• Description: XSP is a web server designed to serve ASP.NET applications. It is vulnerable to a source code disclosure issue due to insufficient sanitization of user-supplied input. Mono XSP version 2.0 rev 68766 resolves this issue.
• Ref: http://www.securityfocus.com/archive/1/454962

• 06.51.68 - CVE: Not Available
• Platform: Web Application
• Title: TextSend Sender.PHP Remote File Include
• Description: TextSend is an SMS messaging script. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "ROOT_PATH" parameter of the "config/sender.php" script. Version 1.5 is affected.
• Ref: http://www.securityfocus.com/bid/21690

• 06.51.69 - CVE: Not Available
• Platform: Web Application
• Title: PgmReloaded Multiple Remote File Include Vulnerabilities
• Description: PgmReloaded is a simple CMS for e-commerce and generic web catalogs application. It is exposed to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to multiple parameters of different scripts. Version 0.8.5 is affected.
• Ref: http://www.securityfocus.com/bid/21696

• 06.51.70 - CVE: Not Available
• Platform: Web Application
• Title: Newxooper Mapage.PHP Remote File Include
• Description: Newxooper is a web-based content management system (CMS). It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "chemin" parameter of the "mapage.php" script. Newxooper version 0.9.1 is vulnerable and other versions may also be affected.
• Ref: http://www.milw0rm.com/exploits/2970

• 06.51.71 - CVE: CVE-2006-6589
• Platform: Web Application
• Title: OFBiz Search_String Parameter HTML Injection
• Description: OFBiz is an ecommerce solution implemented in Java. The application is prone to an HTML injection issue due to improper sanitization of user-supplied input before using it in dynamically generated content which affects "SEARCH_STRING" parameter while performing searches. OFBiz version 3.0.0 and opentaps version 0.9.3 are affected.
• Ref: https://issues.apache.org/jira/browse/OFBIZ-260

• 06.51.72 - CVE: Not Available
• Platform: Web Application
• Title: Calacode @Mail Webmail Filtering Engine HTML Injection
• Description: Calacode @Mail is a web-based email client. It is exposed to an HTML injection issue due to improper sanitization of user-supplied input in the "Global.pm" perl module. CalaCode @Mail Webmail version 4.51 is affected.
• Ref: http://www.securityfocus.com/bid/21708/info

• 06.51.73 - CVE: Not Available
• Platform: Web Application
• Title: Hitachi Soumu Workflow Multiple Remote Authentication Bypass Vulnerabilities
• Description: Hitachi Soumu Workflow is an application for workflow productivity. The application is exposed to multiple authentication bypass vulnerabilities because of a flaw in its authentication process. Hitachi Soumu Workflow versions 3.0 and prior are affected. Ref: http://www.hitachi-support.com/security_e/vuls_e/HS06-016_e/01-e.html

• 06.51.74 - CVE: Not Available
• Platform: Network Device
• Title: Allied Telesis AT-9000/24 Ethernet Switch Unauthorized Management VLAN Access
• Description: Allied Telesis AT-9000/24 devices are managed Ethernet switches. They are prone to an unauthorized management VLAN access issue. When multiple VLANs are configured, attackers can access the management VLAN by guessing the IP configuration that the management interface is configured to respond to.
• Ref: http://www.securityfocus.com/bid/21628

• 06.51.75 - CVE: CVE-2006-3896
• Platform: Network Device
• Title: NeoScale Systems CryptoStor Tape 700 Series Appliance SmartCard Authentication Bypass
• Description: CryptoStor Tape is a tape backup encryption appliance. It is vulnerble to an unspecified authentication bypass issue. CryptoStor 700 series with firmware version prior to 2.6 are vulnerable.
• Ref: http://www.kb.cert.org/vuls/id/339004

• 06.51.76 - CVE: Not Available
• Platform: Network Device
• Title: HP Printer FTP Print Server List Command Buffer Overflow
• Description: HP FTP Print Server is an application that allows computers to access various printers. It is vulnerable to a buffer overflow issue due to insufficient handling of multiple "LIST" and "NLIST" commands with arbitrary long strings. See the advisory for further details.
• Ref: http://www.securityfocus.com/archive/1/454817

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.