@RISK: The Consensus Security Vulnerability Alert

Volume: II, Issue: 52
December 24, 2003

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                      # of Updates & Vulnerabilities
    Other Microsoft Products      1 (II)
    Third Party Windows Apps      10 (I & II)
    Mac Os                        1 (II)
    Linux                         1 (II)
    UNIX                          5 (II)
    Web Applications              15 (I & II)
    Network Device                3 (II)

*************** Sponsored By SANS 2004 This Week ************************

Announcing: SANS2004, The First Security Mega Conference April 1 - 9, at the Dolphin at Disneyland in Orlando, Florida

In the most substantial advance in security training in the past six years, SANS has expanded its security education programs to more than 600 hours of unique training and education programs for:
  -- Security Technologists (five new programs)
  -- Auditors (four extraordinary tracks)
  -- Security Managers and Security Officers (three great tracks)
Plus new programs on the legal aspects of security, on ISO 17799, on E-Warfare and many more. Even the world's only training program on the newest developments in hacker exploits. Plus evening sessions and a great vendor exposition. A complete list of the training programs is at the end of this issue. Get the full program and register before your favorite courses fill up (SANS annual conference sessions always fill faster than any of our other programs.) http://www.sans.org/sans2004

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Unix
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description on the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) LOW: lftp Client Buffer Overflows
    Affected Products: lftp versions 2.3.0, 2.4.9, 2.6.6, 2.6.7, 2.6.8, 2.6.9 and potentially other versions
    Description: lftp is a sophisticated open source FTP/HTTP client that can perform file transfers via
Other Software
  • (2) HIGH: Dameware Mini Remote Control Server Buffer Overflow
    Affected Products: Dameware Mini Remote Control Server versions prior to 3.73
    Description: Dameware is a lightweight program used to remotely manage desktop systems. The Dameware dae
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 52, 2003

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3136 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 03.52.1 CVE - Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer File Download Warning Bypass Vulnerability
  • Description: A vulnerability has been reported for Microsoft Internet Explorer which allows an attacker, by simply renaming the files in a certain way, to trick the browser into bypassing the security warning displayed before downloading executable files (such as .exe or .bat files).
  • Ref: http://www.securityfocus.com/archive/1/348225

  • 03.52.2 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: ECW-Shop Cross-Site Scripting Vulnerability
  • Description: ECW-Shop is an e-commerce package for Microsoft Windows. It is prone to a cross-site scripting attack through data supplied via the 'cat' parameter in the URL. Attackers could construct links which would render malicious code in a user's browser.
  • Ref: http://www.secunia.com/advisories/10458/

  • 03.52.3 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: Openwares.org Internet Explorer Patch Buffer Overrun Vulnerability
  • Description: Openwares has released a patch to fix a browser URL obfuscation problem in Internet Explorer; however, it has been reported that this patch is itself vulnerable to a buffer overflow issue. An attacker could potentially exploit this vulnerability to execute arbitrary code on the affected browser, or merely deny service to the user.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3683.html

  • 03.52.4 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: PY Software Active Webcam Directory Traversal Vulnerability
  • Description: Active Webcam is an application used for sharing video streams from webcams; it includes a built-in web server. This web server may allow a remote attacker to traverse outside the server root directory using '../' or '..' sequences in the URL.
  • Ref: http://aluigi.altervista.org/adv/activecam-adv.txt

  • 03.52.5 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: PY Software Active Webcam Cross-Site Scripting Vulnerability
  • Description: Active Webcam is an application used for sharing video streams from webcams; it includes a built-in web server. This web server suffers from a cross-site scripting issue in its error pages, which may be exploited by malicious users to execute HTML code in a target's browser.
  • Ref: http://aluigi.altervista.org/adv/activecam-adv.txt

  • 03.52.6 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: PlatinumFTPServer Format String Vulnerability
  • Description: PlatinumFTPServer is an FTP server for Microsoft Windows systems. It has been reported that many of the FTP commands are vulnerable to format string attacks, including "user", "mkdir" and "rename". Format string vulnerabilities may be exploited to kill the server process, and in some cases code execution may be possible.
  • Ref: http://www.securityfocus.com/bid/9262

  • 03.52.7 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: AOL Instant Messenger Buddy Icon Warning Denial Of Service Vulnerability
  • Description: AOL Instant Messenger (AIM) suffers from an issue that may allow malicious parties to deny the availability of the service to other users. It is possible for malicious users to raise the warning level of other users until they are unable to use the service. Normally a warning can only be issued if the victim has sent a message, but it is possible to bypass this limitation by exploiting a flaw in the buddy icon implementation.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0288.html

  • 03.52.8 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: Kerio Personal Firewall Unspecified Firewall Bypassing Issue
  • Description: Kerio Personal Firewall (KPF) is a desktop firewall solution for Microsoft Windows that performs stateful packet inspection. It has been discovered that certain types of stealth TCP scans will bypass the firewall filtering, allowing an attacker to gain information about open ports on a supposedly protected host.
  • Ref: http://www.kerio.com/kpf_releasehistory.html

  • 03.52.9 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: Multiple Vulnerabilities in DUware DUportal
  • Description: DUware DUportal is a web-based portal application for the Microsoft Windows operating system. Multiple vulnerabilities have been identified in the software, including remote code execution, file upload, unauthorised access and cross-site scripting.
  • Ref: http://www.gulftech.org/vuln/DUd3.html

  • 03.52.10 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: Ipswitch WS_FTP Server Remote Denial Of Service
  • Description: Ipswitch WS_FTP Server is an FTP server for Microsoft Windows. It has been reported that a resource consumption issue in the software may lead to a denial of service condition. The issue can be exploited by any user able to use the 'CWD' and 'MKD' commands.
  • Ref: http://www.securityfocus.com/bid/9237

  • 03.52.11 CVE - Not Available
  • Platform: Third Party Windows Apps
  • Title: DCAM WebCam Server Directory Traversal Vulnerability
  • Description: DCAM WebCam Server is a webcam server. A directory traversal vulnerability allows a remote user to traverse outside the server root directory by using '.' character sequences in the request.
  • Ref: http://aluigi.altervista.org/adv/dcam-adv.txt

  • 03.52.12 CVE - Not Available
  • Platform: Mac Os
  • Title: MacOS X ASN.1 Decoding Denial Of Service Vulnerability
  • Description: A vulnerability has been reported in the handling of ASN.1 sequences used in the Public Key Infrastructure (PKI) implementation on Mac OS X. Services which use the vulnerable implementation could potentially be crashed by an attacker delivering specially crafted data to the server.
  • Ref: http://www.secunia.com/advisories/10474/

  • 03.52.13 CVE - Not Available
  • Platform: Linux
  • Title: P3Scan Attachment Scanning Bypass Vulnerability
  • Description: P3Scan is a POP3 proxy server which scans incoming email messages for malicious attachments. It has been reported that when P3Scan is used with the renattach package, the software may allow malicious code through undetected.
  • Ref: http://p3scan.sourceforge.net/changelog.html

  • 03.52.14 CVE - Not Available
  • Platform: Unix
  • Title: Security Auditor Research Assistant HTML Injection Vulnerability
  • Description: The HTTP server component of SARA does not completely sanitise banner data received from scanned hosts when displaying it to users. It is therefore possible for a scanned host to inject malicious HTML into the browser of the SARA administrator.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0260.html

  • 03.52.15 CVE - Not Available
  • Platform: Unix
  • Title: Tcpdump L2TP Parser Denial Of Service Vulnerability
  • Description: Reports indicate that tcpdump 3.7 is vulnerable to a denial of service condition in the L2TP protocol parser: specially crafted packets can throw the parser into an infinite loop which eventually consumes all memory resources. While this was originally discovered on OpenBSD, it appears that tcpdump builds on other Unix variants are affected by the same issue.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0295.html

  • 03.52.16 CVE - Not Available
  • Platform: Unix
  • Title: Dada Mail Blank Password Authentication Bypass
  • Description: Dada Mail is mailing list management software. It is vulnerable to an issue whereby a blank list password disables authentication, which may occur during software upgrades. If the list password is blank, it is possible to successfully authenticate using any password.
  • Ref: http://mojo.skazat.com/project/security-2_8_11.html

  • 03.52.17 CVE - Not Available
  • Platform: Unix
  • Title: Dada Mail Subscription Confirmation Spoofing
  • Description: Dada Mail is mailing list management software. It suffers from a flaw in the way it generates subscription confirmation PINs: the PINs are derived purely from the e-mail address, so a malicious user could spoof confirmation e-mails for a list.
  • Ref: http://mojo.skazat.com/project/security-2_8_11.html

  • 03.52.18 CVE - Not Available
  • Platform: Unix
  • Title: sipd Remote Format String Vulnerability
  • Description: sipd is a SIP proxy and location server for VoIP applications. Reports suggest that older versions are vulnerable to a format string issue which may be triggered remotely. This has been reported for sipd versions up to and including 0.1.4.
  • Ref: http://www.securityfocus.com/bid/9236

  • 03.52.19 CVE - Not Available
  • Platform: Web Application
  • Title: Multiple ASPapp Vulnerabilities
  • Description: ASPapp ProjectApp, PortalApp and IntranetApp are ASP-based web portal packages. It has been reported that they are vulnerable to multiple problems including privilege escalation, account hijacking, cross-site scripting and information disclosure.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0274.html

  • 03.52.20 CVE - Not Available
  • Platform: Web Application
  • Title: Autorank SQL Injection Vulnerability
  • Description: AutoRank is a PHP web application for charts. It has been discovered that it is affected by multiple SQL injection vulnerabilities resulting from incorrect sanitization of user data supplied in form fields. As a result, it is possible to modify the structure and logic of the application's SQL queries.
  • Ref: http://www.gulftech.org/12182003b.php

  • 03.52.21 CVE - Not Available
  • Platform: Web Application
  • Title: BES-CMS PHP File Include Vulnerability
  • Description: BES-CMS is a PHP-based content management system. It is vulnerable to a number of remote file include vulnerabilities which could be exploited by an attacker to run arbitrary code on the affected server.
  • Ref: http://www.security-corporation.com/advisories-024.html

  • 03.52.22 CVE - Not Available
  • Platform: Web Application
  • Title: Xoops MyLinks Myheader.php Cross-Site Scripting Vulnerability
  • Description: Xoops is freely available web portal software written in PHP. It is vulnerable to a cross-site scripting vulnerability in the 'myheader.php' file. Exploitation allows attackers to insert arbitrary HTML code into a user's browser, potentially allowing the theft of authentication credentials from other users; other attacks may also be possible.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0303.html

  • 03.52.23 CVE - Not Available
  • Platform: Web Application
  • Title: SiteInteractive Subscribe Me Command Execution Vulnerability
  • Description: SiteInteractive Subscribe Me is newsletter and mailing list management software implemented in Perl and intended to be used via a web interface. An attacker may exploit a flaw in the 'setup.pl' script to create a new 'config.pl'; this file may contain malicious code which could ultimately be executed in the context of the web server.
  • Ref: http://www.pimp-industries.com/pimp-0003.txt

  • 03.52.24 CVE - Not Available
  • Platform: Web Application
  • Title: Elektropost EPIServer Multiple Vulnerabilities
  • Description: Elektropost EPIServer is a web content management system. Multiple vulnerabilities have been reported for this application, including directory traversal, information disclosure, and denial of service. These issues are the result of insufficient sanitization of user-supplied data.
  • Ref: http://www.securityfocus.com/bid/9223/info/

  • 03.52.25 CVE - Not Available
  • Platform: Web Application
  • Title: SOLMETRA SPAW Editor Remote File Include Vulnerability
  • Description: SOLMETRA SPAW Editor is a web-based editor implemented in PHP. A vulnerability exists in the software which permits attackers to execute arbitrary PHP code on the server. A new version of the software has been released to correct this issue.
  • Ref: http://sourceforge.net/mailarchive/forum.php?thread_id=3565737&forum_id=32624

  • 03.52.26 CVE - Not Available
  • Platform: Web Application
  • Title: Double Choco Latte Remote File Include Vulnerability
  • Description: Double Choco Latte is an open source PHP web application for software development management. A number of remote file inclusion vulnerabilities have been reported in many of its modules; these may be exploited to include a malicious script which will then be executed by the web server.
  • Ref: http://www.secunia.com/advisories/10476/

  • 03.52.27 CVE - Not Available
  • Platform: Web Application
  • Title: osCommerce Cross-Site Scripting Vulnerability
  • Description: osCommerce is an open-source e-commerce suite implemented in PHP. A cross-site scripting issue has been discovered which results from incomplete sanitization of user-supplied data in the 'osCsid' parameter. Successful exploitation may allow an attacker to steal authentication credentials from other users.
  • Ref: http://www.gulftech.org/12172003.php

  • 03.52.28 CVE - Not Available
  • Platform: Web Application
  • Title: BN Soft BoastMachine Comment Form HTML Injection Vulnerability
  • Description: BoastMachine is a web-based application used for publishing blogs and articles. Due to a problem in sanitizing user-supplied data in the 'Comment' form, it may be possible for an attacker to include malicious HTML code in one of the vulnerable fields.
  • Ref: http://www.systemsecure.org/forum/viewtopic.php?t=74

  • 03.52.29 CVE - Not Available
  • Platform: Web Application
  • Title: ProjectForum Denial of Service Vulnerability
  • Description: ProjectForum is a web-based forum application. Due to a problem in 'projectforum.exe', malicious users can cause the server to crash by sending an excessively long string in the 'find' request to the server.
  • Ref: http://www.elitehaven.net/pfbugs.txt

  • 03.52.30 CVE - Not Available
  • Platform: Web Application
  • Title: ProjectForum HTML Injection Vulnerability
  • Description: ProjectForum is a web-based forum application. Due to improper sanitizing of user-supplied data in the administrator login page, the find function, and the error page, it may be possible for an attacker to include malicious HTML code in one of the vulnerable fields.
  • Ref: http://www.elitehaven.net/pfbugs.txt

  • 03.52.31 CVE - Not Available
  • Platform: Web Application
  • Title: osCommerce products_id SQL Injection Vulnerability
  • Description: osCommerce is an open-source PHP e-commerce suite. It has been reported that the 'default.php' script fails to validate user-supplied input, rendering it vulnerable to a SQL injection attack.
  • Ref: http://www.gulftech.org/12222003.php

  • 03.52.32 CVE - Not Available
  • Platform: Web Application
  • Title: osCommerce manufacturers_id Cross-Site Scripting Vulnerability
  • Description: osCommerce is an open-source PHP e-commerce suite. Due to improper sanitizing of user-supplied data in the 'manufacturers_id' parameter passed to the default.php script, cross-site scripting attacks can be performed against the software.
  • Ref: http://www.gulftech.org/12222003.php

  • 03.52.33 CVE - Not Available
  • Platform: Web Application
  • Title: My Little Forum Cross-Site Scripting Vulnerability
  • Description: my little forum, a simple web-forum, is vulnerable to a cross-site scripting vulnerability in the 'email.php' script due to inadequate user input sanitization.
  • Ref: http://www.secunia.com/advisories/10489/

  • 03.52.34 CVE - Not Available
  • Platform: Network Device
  • Title: CyberGuard Firewall/VPN 5.1 Cross-Site Scripting Issue
  • Description: CyberGuard is a Firewall/VPN application. A cross-site scripting vulnerability has been reported in the software's web interface. The problem exists due to incomplete sanitization of user-supplied data, which allows an attacker to construct a URL containing malicious HTML code.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0263.html

  • 03.52.35 CVE - Not Available
  • Platform: Network Device
  • Title: Xerox_MicroServer/Xerox11 Directory Traversal Vulnerability
  • Description: Xerox_MicroServer/Xerox11 is web server software included with the Xerox Document Centre 470, 255ST and others. It appears that this server is vulnerable to directory traversal attacks, allowing an attacker to access content outside of the server root directory by appending '/..' and '/.' sequences to a URL.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0283.html

  • 03.52.36 CVE - Not Available
  • Platform: Network Device
  • Title: SEH InterCon Smart PrintServer Configuration Access
  • Description: SEH InterCon Smart PrintServer is an IEEE 1284 compatible device. It is reported that the location of the server configuration files can be obtained from the server, and an attacker may exploit this to access sensitive resources.
  • Ref: http://www.securityfocus.com/bid/9224

(c) 2003. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==END OF PART II==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2003. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.