
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 23
June 14, 2004

A rather troubling vulnerability in Internet Explorer (Number 1 below) is already being exploited while users wait for Microsoft to find a way to fix it.

Also, today is the deadline for special hotel rates in Monterey - Don't forget to book your hotel reservation for SANSFire (July 5-13) to receive the special SANS rate. Wednesday is also the deadline before the $150 late fee kicks in so make sure to register for the conference and your hotel room at http://www.sans.org/sansfire2004/

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     1 (#1)
    Other Microsoft Products    6
    Third Party Windows Apps    5 (#4)
    MacOS                       2
    Linux                       1 (#9)
    BSD                         1
    Solaris                     1
    UNIX                        2 (#3, #6, #8)
    Cross Platform              10 (#2)
    Web Application             10 (#5, #7)
    Network Device              5
    Hardware                    1

******************** Security Training Update *************************

This Week's Featured Security Training Program: SANSFIRE 2004, Monterey, CA, July 5-13, 2004. SANSFIRE offers you 14 immersion training tracks in one of the most beautiful and romantic places in America. Phenomenal training for auditors who want to master the challenges of security auditing, for managers who want to build a great security program, for security beginners who want to get a fast start, and, of course, the only place to go for technologists who want to master the most current methods for protecting systems and networks. SANSFIRE also offers lots of evening programs, extra one-day classes ranging from security business law to cyberwarrior training, and vendor exhibits, too.

Register soon to get a seat at your choice of courses. http://www.sans.org/sansfire2004

***********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
BSD
Solaris
Unix
Cross Platform
Web Application
Network Device
Hardware

************************** SPONSORED LINK ***************************

Note: this link takes you to a non-SANS site.

(1) Discover, audit, remediate and report vulnerabilities - increasing the efficiency of your overall threat reduction strategy. Free Trial: http://www.sans.org/click.php?id=474

***********************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) MODERATE: Oracle E-Business Suite SQL Injection Vulnerabilities
  • Affected:
    • Oracle E-Business Suite versions 11i, 11.5.1 to 11.5.8
    • Oracle Applications version 11.0
  • Description: Oracle E-Business Suite offers a set of applications to automate business processes such as marketing, customer service and supply-chain management. The pertinent business information is typically stored in a single database and accessed via the web front-end offered by the E-Business Suite applications. This suite contains multiple SQL injection vulnerabilities. These flaws can be exploited via malicious HTTP requests to execute arbitrary SQL statements and procedures against the back-end database, possibly resulting in the compromise of the entire database. Note that Internet-facing web servers hosting the E-Business Suite applications face the greatest risk. Very limited technical details regarding how to exploit the flaws have been posted.

  • Status: Vendor confirmed, updates available.

  • Council Site Actions: Only one of the reporting council sites is using the affected software; however, their Oracle servers are internal-facing only. They plan to install the patches after regression testing.

  • References:
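As an added illustration, not code from the newsletter, TippingPoint or Oracle: the query-construction flaw class behind item (2), shown beside the parameterized form that closes it. It runs against a constructed in-memory SQLite table rather than an Oracle back end; the table, the row values, the injected parameter and the function names are all assumptions made for the demonstration.

```python
import sqlite3
from typing import Dict, List

# Constructed request value that closes the quoted literal and appends an
# always-true condition; it stands in for the "malicious HTTP request" parameter.
INJECTED_REGION = "' OR '1'='1"


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the back-end database: an in-memory SQLite
    table with made-up customer rows. Nothing here is Oracle-specific; what
    matters is how the query text is built, not which engine runs it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, region TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, region) VALUES (?, ?)",
        [("acme-constructed", "EMEA"),
         ("globex-constructed", "APAC"),
         ("initech-constructed", "EMEA")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, region: str) -> List[str]:
    """The flawed pattern: the request parameter is spliced into the SQL text,
    so a quote character in it changes the statement's structure."""
    sql = "SELECT name FROM customers WHERE region = '" + region + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, region: str) -> List[str]:
    """Hardened form: the value travels as a bound parameter and is compared
    as data; it is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT name FROM customers WHERE region = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (region,))]


def demo() -> Dict[str, List[str]]:
    """Run both lookups with a normal value and with the injected one."""
    conn = make_demo_db()
    try:
        return {
            "unsafe_normal": lookup_unsafe(conn, "EMEA"),
            "unsafe_injected": lookup_unsafe(conn, INJECTED_REGION),
            "param_normal": lookup_parameterized(conn, "EMEA"),
            "param_injected": lookup_parameterized(conn, INJECTED_REGION),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:16s} -> {names}")
```

With the injected value the spliced query returns every row regardless of region, while the parameterized query returns nothing, because no region is literally named `' OR '1'='1`. The same split applies to stored procedures: call them with bound arguments, never with SQL text assembled from request data.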
  • (3) MODERATE: CVS Server Remote Code Execution Vulnerabilities
  • Affected:
    • CVS feature release version 1.12.8 and prior
    • CVS stable release version 1.11.16 and prior
  • Description: CVS, the most popular source code control and versioning system, contains multiple vulnerabilities. These flaws were found after an inspection of the CVS source code. Many of the vulnerabilities found can cause only a DoS, or require CVS commit access for further exploitation. However, the following vulnerabilities can be exploited to execute arbitrary code, and require only authentication to the CVS server: (a) A vulnerability in the implementation of the "Argumentx" command can be exploited by an authenticated user to execute arbitrary code on the CVS server. The Argumentx command appends more data to the current "argument" being saved. The problem arises because the server fails to check whether an argument was previously declared, which results in freeing the same memory twice (a double-free bug). (b) A vulnerability in the "serve_notify" function can be exploited by an authenticated user to execute arbitrary code. The problem arises because this function does not properly handle empty data lines. Note that a CVS repository configured for "anonymous read-only" access also faces the risk of compromise. The technical details required to leverage the flaws have been posted. Further information can be obtained by comparing the fixed and the vulnerable versions of the software.

  • Status: Vendor confirmed, fixes available. Upgrade to version 1.12.9 or 1.11.17.

  • Council Site Actions: Only one of the reporting council sites is using the affected software on a very small number of systems. Given that users with CVS write privileges also have login access to their CVS server machines, they consider this vulnerability to be unimportant.

  • References:
  • (4) MODERATE: Real Networks RealPlayer Multiple Vulnerabilities
  • Affected:
    • RealOne Player
    • RealOne Player v2
    • RealPlayer 10
    • RealPlayer 8
    • RealPlayer Enterprise
  • Description: RealPlayer is a popular Internet media player with a reported user base of over 200 million. The player contains the following vulnerabilities: (a) "embd3260.dll" is responsible for handling error messages for the player. This DLL contains a heap-based overflow that can be triggered by a malformed movie embedded in a web page. (b) The player contains another overflow that can be triggered by URLs containing a large number of "." characters. Both flaws can be exploited by a malicious web page to execute arbitrary code on a client system with the privileges of the media player. The technical details required to leverage the vulnerabilities have been posted.

  • Status: Vendor confirmed, patches available.

  • Council Site Actions: All of the reporting council sites are using the affected software. However, most sites do not officially support the software. One site does plan to roll out the patches during their normal system upgrade process. Another site is investigating if they can provide the users the patch. The remaining sites will rely on the users to install the patch if necessary.

  • References:
Other Software
  • (5) HIGH: PHP Shell Escape Functions Remote Command Execution
  • Affected: PHP version prior to 4.3.7 on Windows platforms
  • Description: PHP, a widely used web scripting language, contains a vulnerability in its implementation of the "escapeshellcmd()" and "escapeshellarg()" functions. These functions sanitize user-supplied input before it is passed to command execution functions such as "system()". However, they fail to check properly for some shell metacharacters on the Windows platform. Hence, the flaws can possibly be exploited to execute arbitrary commands on a web server. Note that only PHP scripts that invoke command execution functions with user-supplied arguments are vulnerable. The technical details and proof-of-concept exploits have been posted.

  • Status: Vendor confirmed, upgrade to version 4.3.7.

  • Council Site Actions: Only three of the reporting council sites are using the affected software and they have notified their UNIX support teams to be aware of the problem. Two of the sites will roll out the patch during their normal system update process. The third site does not believe their users would run commands with arguments from an untrusted site; thus they do not plan any action at this time.

  • References:
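Added example, not code from the newsletter, TippingPoint or the PHP project: the defensive pattern for item (5), written in Python rather than PHP. Instead of escaping dangerous characters for whichever shell happens to run the command, it allowlists the single value a request may supply and passes it as a discrete argv element with no shell involved. It also shows, as a general illustration of why escaping is shell-specific, that shlex.quote() (a POSIX-oriented escaper) passes "%" through untouched even though cmd.exe expands %NAME% sequences. The allowlist pattern, the sample request values and the function names are assumptions.

```python
import re
import shlex
import subprocess
from typing import Dict, List

# Constructed allowlist for the one value a request may supply: a bare file
# name that starts with a letter or digit (so it can never be mistaken for a
# command option). Deciding what is allowed, instead of escaping what is known
# to be dangerous, does not depend on which shell, if any, parses the value.
_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Characters with special meaning to at least one common shell: '%' and '^'
# matter to Windows cmd.exe, most of the rest to POSIX shells. Used only to
# explain a rejection; the allowlist above is what decides.
SHELL_METACHARACTERS = frozenset('&|;<>`$()"\'\\*?{}[]!#~%^ \t\r\n')

# Constructed batch of request values for the demonstration.
SAMPLE_VALUES = ["report.txt", "a;b", "a%PATH%b", "..", "-rf", "x|y"]


def validate_argument(value: str) -> str:
    """Return value unchanged if it matches the allowlist, else raise ValueError."""
    if _ALLOWED.match(value):
        return value
    bad = sorted(set(c for c in value if c in SHELL_METACHARACTERS))
    raise ValueError(f"rejected {value!r}; disallowed characters: {bad}")


def build_argv(tool: str, user_value: str) -> List[str]:
    """Compose the command as an argument vector. Each element reaches the
    program as one argv entry and nothing is re-parsed by a shell, which is
    the structural equivalent of what escapeshellarg() attempts textually."""
    return [tool, validate_argument(user_value)]


def run_tool(tool: str, user_value: str) -> subprocess.CompletedProcess:
    """Execute with the default shell=False so the argv list goes straight
    to the program (hypothetical tool name supplied by the caller)."""
    return subprocess.run(build_argv(tool, user_value),
                          capture_output=True, text=True, check=False)


def posix_escaped(value: str) -> str:
    """For contrast: shlex.quote() escapes for a POSIX shell and treats '%'
    as harmless, but cmd.exe expands %NAME% sequences, so the same output
    is not safe there. Escaping is shell-specific; allowlisting is not."""
    return shlex.quote(value)


def triage(values: List[str]) -> Dict[str, bool]:
    """Report, for a batch of request values, which would pass the allowlist."""
    return {v: _ALLOWED.match(v) is not None for v in values}


if __name__ == "__main__":
    for value, ok in triage(SAMPLE_VALUES).items():
        verdict = "accepted" if ok else "rejected"
        print(f"{value!r:14} {verdict:9} posix-escaped={posix_escaped(value)}")
```

Only "report.txt" survives triage; "a;b" and "x|y" fall to the metacharacter check, "a%PATH%b" is rejected even though a POSIX escaper would leave it alone, and ".." and "-rf" are refused because traversal and option-looking values are outside the allowlist regardless of shell behaviour.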
  • (8) LOW: Apache "mod_proxy" Module Buffer Overflow
  • Affected: mod_proxy module in Apache version 1.3.31 and earlier
  • Description: The Apache "mod_proxy" module implements forward and reverse proxy functionality for the FTP, SSL and HTTP protocols. This module contains a heap-based buffer overflow in its "ap_bread" function. The flaw can be triggered when a malicious web server sends an HTTP response with a negative Content-Length to the Apache proxy. For example, an attacker can entice a client whose HTTP requests are handled by the Apache proxy to connect to a malicious web server. The buffer overflow can possibly be exploited to execute arbitrary code with the Apache server's privileges (not confirmed). The posted advisory contains the technical details and a proof-of-concept exploit.

  • Status: Vendor confirmed, upgrade to the Apache version 1.3.32-dev. An unofficial fix is also included in the posted advisory.

  • Council Site Actions: Two of the reporting council sites are using the mod_proxy module. One site will address the issue when Apache 1.3.32 is available for the proxies they have built. They will also start requesting vendors to include mod_proxy in the proxy appliances they sell. The other site has a small number of Apache web servers that support mod_proxy. They are investigating whether any of them are unpatched and, if so, will notify the system administrators to upgrade.

  • References:
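Added example, not from the newsletter, TippingPoint or the Apache project: the input check that item (8) turns on, in Python. A proxy that converts the upstream Content-Length with a bare integer parse accepts a leading minus sign and ends up holding a negative length; the validated version applies the header's actual grammar (one or more ASCII digits), refuses conflicting copies and enforces a size policy before the value is used for anything. The three responses are constructed, not captured from a real server, and the policy limit and function names are assumptions.

```python
from typing import List, Optional

MAX_BODY_BYTES = 64 * 1024 * 1024  # assumed policy limit for a proxy


class BadResponse(ValueError):
    """Raised when an upstream response header block must not be trusted."""


# Constructed upstream responses. The first carries the negative length the
# advisory describes; none of these were captured from a real server.
HOSTILE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: constructed-origin\r\n"
    b"Content-Length: -1\r\n"
    b"\r\n"
)
NORMAL_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nhello world\n"
CONFLICTING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\nContent-Length: 7\r\n\r\n"
)


def _header_values(raw: bytes, name: bytes) -> List[bytes]:
    """Collect every value of header `name` (case-insensitive) from the
    block that precedes the blank line, skipping the status line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    found = []
    for line in head.split(b"\r\n")[1:]:
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name:
            found.append(value.strip())
    return found


def naive_content_length(raw: bytes) -> Optional[int]:
    """What a careless parser does: hand the text to int(). int() accepts a
    sign, surrounding whitespace and even digit separators, so a hostile
    value comes back as a negative length that is then used as a size."""
    values = _header_values(raw, b"content-length")
    return int(values[0]) if values else None


def validated_content_length(raw: bytes) -> Optional[int]:
    """Apply the grammar Content-Length actually has (1*DIGIT) plus a size
    policy before the number is used. Returns None when the header is absent
    so the caller can fall back to another message-framing rule."""
    values = _header_values(raw, b"content-length")
    if not values:
        return None
    if len(set(values)) > 1:
        raise BadResponse(f"conflicting Content-Length values: {values}")
    text = values[0]
    # bytes.isdigit() is ASCII 0-9 only: no '-', '+', spaces or '_' get through,
    # and the empty value is rejected as well.
    if not text.isdigit():
        raise BadResponse(f"malformed Content-Length: {text!r}")
    length = int(text)
    if length > MAX_BODY_BYTES:
        raise BadResponse(f"Content-Length {length} exceeds policy limit")
    return length


if __name__ == "__main__":
    print("naive parse of hostile response:", naive_content_length(HOSTILE_RESPONSE))
    for label, resp in (("hostile", HOSTILE_RESPONSE),
                        ("normal", NORMAL_RESPONSE),
                        ("conflicting", CONFLICTING_RESPONSE)):
        try:
            print(label, "->", validated_content_length(resp))
        except BadResponse as err:
            print(label, "-> rejected:", err)
```

The naive path yields -1 for the hostile response, which is exactly the value a length-driven read or allocation must never see; the validated path rejects it at the header stage, before any buffer is sized from it.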
Exploit Code
  • (9) Firebird/Borland Interbase Database Buffer Overflow
  • Description: An exploit has been released that targets the Borland Interbase database. This vulnerability was discussed in last week's @RISK newsletter.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3474 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.23.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer URL Local Resource Access
  • Description: Microsoft Internet Explorer is vulnerable to a URL processing weakness that could allow malicious web pages to reference and load local resources contrary to computer security policy settings. Internet Explorer 6.0 SP1 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/365293

  • 04.23.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Dialog Zone Bypass Vulnerability
  • Description: Microsoft Internet Explorer may permit cross-zone access, allowing an attacker to execute malicious script code in the context of the Local Zone. This vulnerability could be exploited in combination with a number of other types of attacks such as execution of arbitrary code. Internet Explorer versions 6.0 and 6.0 SP1 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/10473

  • 04.23.3 - CVE: CAN-2004-0202
  • Platform: Other Microsoft Products
  • Title: Microsoft DirectX DirectPlay Remote Denial of Service
  • Description: The Microsoft DirectX DirectPlay service is reportedly vulnerable to a remote denial of service condition. This issue manifests itself when the service receives a specifically malformed network packet. The service fails to validate the malformed data and enters a denial of service condition. Microsoft has released a patch to remedy this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS04-016.mspx

  • 04.23.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer File Installation Vulnerability
  • Description: Microsoft Internet Explorer is reportedly vulnerable to an arbitrary local file creation and overwrite issue. If a user opens a local HTML file in Internet Explorer, a malicious script embedded in the HTML file can use the ActiveX "ADODB.Stream" object to create or overwrite arbitrary files on the local filesystem. For this to occur, the script must retrieve an external malicious file from an attacker specified web site using the "XMLHTTP" ActiveX object.
  • Ref: http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html

  • 04.23.5 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer URL Obfuscation Weakness
  • Description: Microsoft Internet Explorer may allow an attacker to obfuscate the URL of a link. Under certain conditions the true URL of the site displayed in the browser window may be obfuscated by a combination of special characters. This exploit works only if the redirect URL is hosted by IIS 4.0.
  • Ref: http://secunia.com/advisories/11830/

  • 04.23.6 - CVE: CAN-2004-0204
  • Platform: Other Microsoft Products
  • Title: Microsoft Crystal Reports Directory Traversal
  • Description: Crystal Reports and the Crystal Enterprise Web viewers are vulnerable to a directory traversal issue. Insufficient sanitization of HTTP requests exposes this vulnerability. This issue affects Visual Studio .NET 2003, Outlook 2003 with Business Contact Manager and Microsoft Business Solutions CRM 1.2.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-017.mspx

  • 04.23.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FoolProof Security Password Recovery Vulnerability
  • Description: SmartStuff FoolProof is a policy enforcement engine for managing computer resources. It has been reported that FoolProof is vulnerable to a password recovery weakness. An unprivileged user could use this weakness to gain administrative control of the policy engine. FoolProof versions 3.9.7 for Windows 98/ME and 3.9.4 for Windows 95 are reported to be vulnerable. Later versions are unaffected.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2004-06/0081.html

  • 04.23.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: PHP Windows Shell Functions Command Execution
  • Description: PHP offers shell escape functions that aid a developer in sanitizing user input. A command execution vulnerability exists in the shell escape functions on the Windows platform. Insufficient user input sanitization in the "escapeshellarg()" and "escapeshellcmd()" functions expose this issue. PHP versions 4.3.5 and earlier are affected.
  • Ref: http://www.idefense.com/application/poi/display?id=108&type=vulnerabilities&flashstatus=true

  • 04.23.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AspDotNetStorefront ReturnURL Cross-Site Scripting
  • Description: AspDotNetStorefront is a web based e-commerce solution. Insufficient sanitization of the "returnurl" parameter of the "signin.aspx" script exposes a cross-site scripting issue. AspDotNetStorefront versions 3.3 and earlier are affected.
  • Ref: http://seclists.org/lists/bugtraq/2004/Jun/0140.html

  • 04.23.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ignitionServer IRC Server Authentication Bypass
  • Description: ignitionServer is an IRC server package available for Microsoft Windows. It has been reported that ignitionServer doesn't authenticate credentials when peer servers link to create an IRC network. By default linking is turned off, but if turned on any IRC server that connects can cause a denial of service or inject malicious content into the IRC network. ignitionServer version 0.3.1 is reported to be vulnerable.
  • Ref: http://forums.ignition-project.com/viewtopic.php?t=187

  • 04.23.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WinAgents TFTP Server Remote Buffer Overrun
  • Description: WinAgents TFTP Server is a TFTP server available for the Windows platform. The server is vulnerable to a remote buffer overrun. The problem exists when it processes filename requests. A filename request of 1000 bytes or more will cause the overflow. WinAgents TFTP Server version 3.0 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/11840/

  • 04.23.12 - CVE: Not Available
  • Platform: Mac Os
  • Title: Qualcomm Eudora Internet Mail Server Remote Buffer Overflow
  • Description: Qualcomm Eudora Internet Mail Server (EIMS) for Mac OS 7 is a POP3 and SMTP server. EIMS for Mac OS 7 is reportedly vulnerable to a remote heap overflow. When at least 588 bytes of data are sent to port 105 of the target, a heap-based buffer overflows due to lack of sufficient boundary checks. This memory corruption could be leveraged to execute arbitrary code, or more likely cause a denial of service condition on the target.
  • Ref: http://www.securityfocus.com/bid/10443/

  • 04.23.13 - CVE: CAN-2004-0538, CAN-2004-0539
  • Platform: Mac Os
  • Title: Apple Mac OS X Multiple Security Vulnerabilities
  • Description: Multiple security vulnerabilities exist in Mac OS X. "LaunchServices", "DiskImageMounter" and "Safari" have several problems that result in irregular user experiences and could be used to compromise security. Mac OS X versions 10.2.8 and 10.3 are affected.
  • Ref: http://docs.info.apple.com/article.html?artnum=61798

  • 04.23.14 - CVE: Not Available
  • Platform: Linux
  • Title: SMTP.Proxy Remote Format String Vulnerability
  • Description: SMTP.proxy is an SMTP gateway available for UNIX variant operating systems. SMTP.proxy is subject to a remotely exploitable format string vulnerability. The issue occurs in routines that log SMTP headers in email passed through the proxy. The vulnerability has been reported in versions 1.1.3 and prior. The vendor has released version 1.3.3 to address this issue.
  • Ref: http://secunia.com/advisories/11823/

  • 04.23.15 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD ISAKMPD Denial of Service
  • Description: OpenBSD isakmpd is an IKE key management daemon. Insufficient sanitization of malformed UDP isakmp packets exposes a denial of service issue. A specially crafted packet can cause isakmpd to drop tunneled connections. All current versions are reported to be affected.
  • Ref: http://seclists.org/lists/fulldisclosure/2004/Jun/0191.html

  • 04.23.16 - CVE: CAN-2004-0079, CAN-2004-0081, CAN-2004-0112
  • Platform: Solaris
  • Title: Sun Crypto Accelerator 4000 Software OpenSSL Vulnerabilities
  • Description: Solaris 8 and Solaris 9 systems equipped with Sun Crypto Accelerator 4000 v1.0 boards which are configured to use the Apache web server may be vulnerable to denial of service or remote code execution issues. This is due to buffer overflows in the OpenSSL library. The vendor has released a patch to remedy this issue.
  • Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57571

  • 04.23.17 - CVE: CAN-2004-0541
  • Platform: Unix
  • Title: Squid Proxy NTLM Authentication Buffer Overflow
  • Description: Squid Web Proxy Cache is reportedly vulnerable to a buffer overflow issue. This vulnerability manifests itself while processing NTLM authentication credentials. This issue was reported for Squid-Proxy branches 2.5.x-STABLE and 3.x-PRE when Squid-Proxy is compiled with the NTLM helper enabled.
  • Ref: www.idefense.com/application/poi/display?id=107&type=vulnerabilities

  • 04.23.18 - CVE: Not Available
  • Platform: Unix
  • Title: Webmin Module Configuration Information Disclosure
  • Description: Webmin is a web-based UNIX system administration tool. It has been reported that Webmin is vulnerable to configuration disclosure due to insufficient administration access validation. Given the configuration of a module, it could be possible to use that information in escalated attacks against the server.
  • Ref: http://www.webmin.com/changes-1.150.html

  • 04.23.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle E-Business Suite Multiple SQL Injection Vulnerabilities
  • Description: The Oracle E-Business Suite is reportedly affected by multiple SQL injection issues. These issues could allow an attacker to corrupt the backend E-Business database. The Oracle E-Business Suite version 11i 11.5.9 is fixed and not vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/365173

  • 04.23.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: L2TPD BSS Buffer Overflow
  • Description: l2tpd is a Layer 2 Tunneling Protocol daemon. l2tpd is reportedly affected by a Block Started by Symbol (BSS) based buffer overflow vulnerability. This issue exposes itself due to insufficient sanitization of the "wbuf" variable inside the "write_packet()" function of the "control.c" file. All current versions of l2tpd are affected.
  • Ref: http://seclists.org/lists/fulldisclosure/2004/Jun/0094.html

  • 04.23.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: cPanel Unauthorized DNS Information Deletion Vulnerability
  • Description: cPanel is a multi-platform web hosting control panel which includes web-based account management. cPanel reportedly allows administrators to delete arbitrary customer DNS settings. This attack can cause a denial of service condition against the modified web sites. cPanel versions 5.0 through 9.1 are reported to be vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2004/Jun/1010398.html

  • 04.23.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PostgreSQL ODBC Driver Remote Buffer Overflow
  • Description: The PostgreSQL ODBC driver is reportedly vulnerable to an unspecified remote buffer overflow. PostgreSQL version 7.2.1 was reported vulnerable.
  • Ref: http://www.securityfocus.com/advisories/6819

  • 04.23.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM GSKit SSL Handshake Denial of Service
  • Description: IBM Global Security Toolkit (GSKit) is a security toolkit that provides SSL functionality. IBM has reported that during SSL handshakes, malformed packets can either crash the affected application, or cause performance degradation. All products using GSKit versions 3.9, 4.1 and 5.1 are affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg21169222

  • 04.23.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NetWin SurgeMail/WebMail Input Validation Weakness
  • Description: SurgeMail and WebMail are mail server applications. Insufficient sanitization of user-supplied input exposes multiple path disclosure and cross-site scripting issues. SurgeMail versions 1.9 and earlier and WebMail 3.1d and earlier are affected.
  • Ref: http://www.exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt

  • 04.23.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: jCIFS Invalid Username Authentication Weakness
  • Description: jCIFS is a Java implementation of the Common Internet File System (CIFS) protocol. When using jCIFS to authenticate with a CIFS server that has the "guest" account enabled, jCIFS will fall back to using the "guest" account if the supplied username is invalid. An attacker could exploit this issue to gain unauthorized access. Versions prior to 0.9.1 are reported to be vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/10494/

  • 04.23.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache mod_proxy Remote Buffer Overflow
  • Description: mod_proxy is a proxy module that ships with the Apache web server. It has been reported that a remote buffer overflow exists in mod_proxy. By passing a negative number in the "Content-Length" header, it is possible to cause a denial of service by crashing the Apache instance. Apache version 1.3.x has been reported to be vulnerable.
  • Ref: http://www.guninski.com/modproxy1.html

  • 04.23.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealNetworks RealPlayer Remote Buffer Overflows
  • Description: RealPlayer is a media player for multiple operating systems, including Windows, Linux and Mac OS. It has been reported that multiple buffer overflows exist across multiple RealPlayer software packages. RealNetworks has released multiple product updates to remedy this issue.
  • Ref: http://www.service.real.com/help/faq/security/040610_player/EN/

  • 04.23.28 - CVE: CAN-2004-0413
  • Platform: Cross Platform
  • Title: Subversion Remote Heap Overflow
  • Description: Subversion, a software version control system, is reportedly vulnerable to a remote heap overflow issue. This issue manifests itself due to an integer overflow in the "svn" protocol parser. Subversion versions 1.0.4 and prior are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0164.html

  • 04.23.29 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Reviews Module Cross-Site Scripting
  • Description: The "reviews" module written for PHP-Nuke is reportedly vulnerable to a cross-site scripting issue. This is due to insufficient user input sanitization on the "id" parameter. This can allow an attacker to steal cookie-based authentication credentials from legitimate PHP-Nuke users. PHP-Nuke versions 6.x through 7.3 are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/365368

  • 04.23.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Crafty Syntax Live Help Multiple HTML Injection Vulnerabilities
  • Description: Crafty Syntax Live Help (CSLH) is a web-based chat application. Due to insufficient user-input sanitization, it is vulnerable to multiple HTML injection issues. Crafty Syntax Live Help versions 2.7.3 and prior are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/365137

  • 04.23.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Webmin Multiple Vulnerabilities
  • Description: Webmin is a web-based system administration interface for Unix systems. The vendor has reported multiple vulnerabilities including denial of service conditions and information disclosure issues. Webmin versions 1.140 and prior are vulnerable.
  • Ref: http://www.webmin.com/changes-1.150.html

  • 04.23.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Blosxom Writeback Cross-Site Scripting Vulnerability
  • Description: Blosxom is a web log management system. It has been reported that Blosxom contains a cross-site scripting vulnerability in its comment plug-in. The plug-in performs insufficient user input sanitization, allowing a malicious user to inject HTML into the web log. Blosxom version 2.0 is reported to be vulnerable.
  • Ref: http://kylem.xwell.org/blosxom.cgi/tech/security/km-2004-01.html

  • 04.23.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Roundup Remote File Disclosure
  • Description: Roundup is a utility used to track issues during the software development cycle. Insufficient sanitization of user-supplied input exposes a file disclosure issue in the application. A remote user can disclose files by using "../" directory traversal sequences. Roundup versions 0.6.11 and earlier are affected.
  • Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=961511&group_id=31577&atid=402788

  • 04.23.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Horde IMP Input Validation Vulnerability
  • Description: Horde IMP is a web-based IMAP email interface written in PHP. Insufficient sanitization of email messages that contain malicious HTML or script code exposes an arbitrary HTML injection and script execution issue. All current releases in the 3.x branch are affected.
  • Ref: http://www.horde.org/imp/3.2/

  • 04.23.35 - CVE: Not Available
  • Platform: Web Application
  • Title: AspDotNetStorefront Improper Access Validation
  • Description: AspDotNetStorefront is a web-based e-commerce package. It is reportedly vulnerable to an improper access validation issue. This issue occurs because the "deleteicon.aspx" script in the "/admin" administrative directory does not validate user credentials. This allows unauthenticated remote users to delete arbitrary data. AspDotNetStorefront version 3.3 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0127.html

  • 04.23.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board SSI.PHP SQL Injection
  • Description: Invision Power Board is a web forum package. An SQL injection vulnerability has been identified in its improper sanitization of the "f" URI parameter in the "ssi.php" script. If properly utilized, a malicious user could view or inject information into the database. Invision Power Board versions 1.3.1 Final and earlier are affected.
  • Ref: http://seclists.org/lists/bugtraq/2004/Jun/0124.html

  • 04.23.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Blackboard Learning System File Download Vulnerability
  • Description: Blackboard Learning System is web-based educational software. Insufficient authorization checks in the application allow unauthorized users to download files intended only for course administrators. Blackboard Learning System Basic Edition Release 6 and earlier are affected.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0147.html

  • 04.23.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Open Webmail Content Injection
  • Description: Open WebMail is a web-based e-mail system. It has been reported that Open WebMail is vulnerable to an HTML/script injection attack due to improper validation of the "Content-Type:" header. Open WebMail version 2.32 is reported to be vulnerable.
  • Ref: http://www.openwebmail.com/openwebmail/doc/changes.txt

  • 04.23.39 - CVE: Not Available
  • Platform: Network Device
  • Title: Symantec Gateway 360R Wireless VPN Bypass
  • Description: Symantec Gateway Security 360R may be vulnerable to a weakness that could allow a remote attacker to establish an insecure wireless connection with an internal computer. Symantec Gateway can be configured to only allow wireless VPN traffic, but due to a design error the settings will not block unencrypted wireless traffic. This weakness reportedly affects Symantec Gateway Security 360R firmware 2.1 build 300 and build 415.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0122.html

  • 04.23.40 - CVE: Not Available
  • Platform: Network Device
  • Title: U.S. Robotics Broadband Router Insecure Password Vulnerability
  • Description: U.S. Robotics Broadband Router 8003 is vulnerable to a web interface insecure password issue. Client authentication is performed by JavaScript, which contains clear-text credential information viewable in web page source. Firmware version 1.04.08 is reported to be vulnerable.
  • Ref: http://seclists.org/lists/bugtraq/2004/Jun/0116.html

  • 04.23.41 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco CatOS TCP-ACK Denial of Service
  • Description: CatOS is the operating system used on Cisco Catalyst switches. Cisco CatOS is vulnerable to a denial of service attack. This vulnerability can be reproduced by initiating a broken 3-way TCP handshake causing affected devices to cease functioning or reboot. Catalyst 6000, 5000, 4500, 4000, 2948G, 2980G, 2980G-A, 4912G, 2901, 2902, 2926[T,F,GS,GL], and 2948 series are vulnerable. Cisco has released upgrades to remedy this issue.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0124.html

  • 04.23.42 - CVE: Not Available
  • Platform: Network Device
  • Title: Billion BIPAC-640 AE Administration Authentication Bypass
  • Description: Billion BIPAC-640 AE is an appliance firewall and a NAT network device. It is reportedly vulnerable to an authentication bypass issue. Specially-crafted HTTP requests can bypass the authentication on the administrative web interface. This vulnerability was reported for Billion BIPAC-640 AE firmware version 3.33.
  • Ref: http://secunia.com/advisories/11813/

  • 04.23.43 - CVE: Not Available
  • Platform: Network Device
  • Title: Edimax EW7205-APL Default Backdoor Account
  • Description: The Edimax 7205APL is an 802.11b wireless access point. It has been reported that a backdoor account is hard-coded into the firmware allowing for configuration backups. If malicious users use this backdoor account, they could download the router configuration which contains the administrator password. Edimax firmware version 2.40a-00 is reported to be vulnerable.
  • Ref: http://www.edimax.com.tw/download/manual/EW-7205APL_M.pdf

  • 04.23.44 - CVE: Not Available
  • Platform: Hardware
  • Title: Linksys Web Camera File Disclosure
  • Description: Linksys Web Camera drivers include HTTP serving capabilities. It has been revealed that the HTTP server is susceptible to a file disclosure vulnerability. This issue is caused by insufficient sanitization of URL parameters. Linksys Web Camera software version 2.10 is known to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-06/0103.html

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.