@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 35
September 6, 2004

If you use Oracle, especially Oracle Application Server, it would be prudent to install the critical new patches right away. More than 40 buffer overflow vulnerabilities were found; some allow remote unauthenticated users to compromise your systems. (#1) Also, if you are totally dependent on Kerberos, there's a critical vulnerability listed in #2.

On another topic, it's just three weeks to SANS' largest Network Security conference. NS2004 in Las Vegas has a spectacular program: sixteen tracks of hands-on training by America's greatest audit and security instructors plus a big tools expo. Here's what one recent attendee said: "SANS training is the most comprehensive and valuable training a security professional can complete." (JK Stanford, US Department of Energy) Another confirmed the SANS promise: "It gave me the tools and knowledge to hit the ground running and make an immediate contribution to my organization." (Charles Hamby, Univ. of Alaska)

See all the upcoming training programs at www.sans.org

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Third Party Windows Apps    7 (#4, #7)
    Unix                        4 (#5, #9)
    Novell                      1
    Cross Platform              6 (#1, #2, #3, #8)
    Web Application             12
    Hardware                    2
    Network Devices             6

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Unix
Novell
Cross Platform
Web Application
Hardware
PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Oracle Products Multiple Vulnerabilities
  • Affected:
    • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
    • Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
    • Oracle8i Database Server Release 3, version 8.1.7.4
    • Oracle Database 10g Release 1, version 10.1.0.2
    • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
    • Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
    • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
    • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
    • Oracle9i Application Server Release 1, version 1.0.2.2
    • Oracle Collaboration Suite
    • Oracle E-Business Suite 11i
  • Description: The Oracle Database server, the Oracle Application server, the Oracle Enterprise Manager, the Oracle E-Business and the Oracle Collaboration suites contain multiple buffer overflows (numbering over 40) and SQL injection vulnerabilities, which may be exploited to execute arbitrary code on the server(s). Some of the flaws in the Database and the Application server can be exploited by a remote unauthenticated attacker, whereas the flaws in the Enterprise Manager can be exploited only with valid user credentials. The Collaboration and the E-Business suite customers have been advised to apply the appropriate Database and Application server patches; hence, the flaws in these applications could also be exploited by remote unauthenticated attackers. In the configurations using Oracle as a back-end database, the flaws may be leveraged via SQL injection vulnerabilities in the front-end web scripts. The default accounts provide another avenue for exploitation. The technical details regarding many of the buffer overflows have been publicly posted. Further details are expected to be released in the upcoming months.

  • Status: Oracle has released patches listed in the Oracle Security Alert #68. Given the fact that relevant technical information regarding some of the overflows has been posted, and that some of the flaws may be exploited by remote unauthenticated attackers, the patches should be applied on a priority basis. The Center for Internet Security (CIS) has released security benchmarking tools for Oracle, which may help in hardening the database security.

  • Council Site Actions: A majority of the reporting council sites that have Oracle implementations are responding to this vulnerability. Most of these sites are currently evaluating and testing the patches. Some sites plan to patch the systems as soon as possible, while other sites will patch during their next regularly scheduled system update process. Several sites commented that their Oracle database servers are isolated from external networks and thus the threat is greatly reduced. One site is monitoring for any unusual network connections to systems that are running Oracle products.

  • References:
  • (2) MODERATE: MIT Kerberos 5 Double Free Vulnerabilities
  • Affected:
    • All releases of Kerberos 5 prior to and including krb5-1.3.4
    • Cisco VPN 3000 Series Concentrators using KDC for user authentication
  • Description: Kerberos, a network protocol created at MIT, is used to provide strong authentication for client/server applications. The MIT Kerberos implementation is widely used by many network vendors and Linux/Unix flavors. The protocol uses Abstract Syntax Notation (ASN.1) encoded data for communications. The libraries that handle the ASN.1 decoding contain multiple "double free" vulnerabilities. The problem occurs because when an error is encountered in decoding an invalid ASN.1 object, the memory allocated for that ASN.1 object is freed twice. The double free vulnerabilities affect the Kerberos Key Distribution Center (KDC), the krb524d daemon, and other components. The KDC authenticates a client and provides the client with "tickets" that can be used to access other kerberized services. The double-free vulnerabilities in the KDC may be exploited by an unauthenticated attacker to possibly execute arbitrary code on the KDC server or to cause a denial-of-service to the KDC server. A KDC server compromise may result in compromising the entire organization ("Kerberos realm"). An attacker-controlled KDC server can be further used to compromise the Kerberos clients. The krb524d daemon converts a Kerberos version 5 ticket to a Kerberos version 4 ticket. An unauthenticated attacker may leverage the double free flaws in the krb524d daemon to execute arbitrary code. In many cases, the krb524d daemon runs on the KDC. Hence, this compromise may also result in compromising the KDC and the entire Kerberos realm. The double free vulnerabilities are also present in the "krb5_rd_cred()" function; however, an attacker would require authentication credentials to exploit these flaws. Note that double free memory bugs are generally harder to leverage to execute arbitrary code, and the exploit code tends to be platform dependent (as opposed to being universal). Hence, widespread exploitation of these flaws is less probable. Exploit code is not currently available. The technical details required to leverage the flaws can be obtained by examining the patch files.

  • Status: MIT has released patches for multiple Kerberos versions. Apply the appropriate patches, and rebuild the software. The krb5-1.3.5 release will fix all these flaws. Multiple Linux vendors, Sun and Cisco have released patches. For the status of other vendors, please refer to the CERT advisories.

  • Council Site Actions: Three of the reporting council sites are using the affected software. Two of these sites will patch their systems during the next regularly scheduled system update process. The third site has a very large implementation of Kerberos. They began patching critical servers on August 31st with a second round of patching to begin early next week.

  • References:
  • (3) MODERATE: IBM DB2 Buffer Overflow Vulnerabilities
  • Affected:
    • IBM DB2 version 8.1 Fixpak 6 and prior
    • IBM DB2 version 7.x Fixpak 11 and prior
  • Description: IBM DB2 database contains two buffer overflow vulnerabilities, which can be potentially exploited to execute arbitrary code on the database server. The discoverers of the flaw have not released any technical details regarding these flaws, which have been rated as "High". Other advisories with a similar rating from the discoverers have included overflows that require minimal user privileges or flaws that can be exploited by remote unauthenticated attackers. Hence, although the @RISK rating for this item is currently "MODERATE" due to lack of any more information, the DB2 administrators should apply the patches on a priority basis. The technical details are scheduled to be released on December 1, 2004. It may also be possible to "binary diff" the patches to obtain more information about the flaws.

  • Status: IBM has released the patches. Upgrade DB2 version 8.1 to Fixpak 7, and DB2 version 7.x installations to Fixpak 12.

  • Council Site Actions: Three council sites are running the affected software. One site is reviewing the potential impact and will likely patch their systems on an accelerated schedule. The other two sites have notified their support staff, but no other action has been taken at this time.

  • References:
  • (4) MODERATE: WinZip Buffer Overflow Vulnerabilities
  • Affected:
    • WinZip version 9.0 and prior
  • Description: WinZip, the most popular archiving software on the Windows platform, has been downloaded over 100 million times. The software contains buffer overflow vulnerabilities that may be triggered by a specially crafted zip file. The flaws may be exploited by an email or a webpage that entices a user to open a malicious zip file. No technical details regarding the flaws have been posted. Note that many viruses like Beagle have spread globally via emails with a malicious zip attachment.

  • Status: WinZip has released version 9.0-SR1 to fix the flaws. This version offers an additional benefit: if a user double-clicks an executable file in a zip archive, the user is prompted before the file is executed. This feature can help to limit the spread of viruses.

  • Council Site Actions: Most of the reporting council sites are running the affected software and plan to distribute the new version during their next regularly scheduled system update process. One site does not officially support the software and thus plans no action at this time.

  • References:
  • (5) LOW: LHA Multiple Remote Code Execution Vulnerabilities
  • Affected:
    • All versions of LHA up to version 1.14
  • Description: LHA is a file compression utility similar to zip and gzip. It ships with many Linux distributions and has been ported to BSD, Solaris and other operating systems. The software contains a stack-based overflow that may be exploited to execute arbitrary code with the privileges of the LHA process. In addition, the software contains a remote command execution vulnerability that is triggered upon opening a specially crafted archive which has a directory name containing shell meta-characters. Note that the software is used by many virus scanners to unpack LHA archives, and by web browsers to automatically uncompress LHA archives upon download. Hence, an attacker can exploit the flaw via a specially crafted email or a malicious web page. Limited technical details about the flaws have been posted.

  • Status: Official vendor patches are not yet available. Red Hat has released updated LHA packages.

  • Council Site Actions: Two of the reporting council sites are running the affected software on either Red Hat or Debian Linux systems. One site has already made the patches available via their Up2date server. The other site has a large installation of Red Hat and Debian systems. The Red Hat systems have already been updated and the Debian systems will be updated once the patch is released. Any systems which need a manual update will be patched later this month.

  • References:
  • (6) LOW: Cisco IOS Telnet Denial of Service
  • Affected:
    • All devices running Cisco IOS and telnet/reverse telnet for device management
  • Description: Cisco devices running IOS can be configured for remote management via telnet or reverse telnet. Under such a configuration, IOS contains a vulnerability that can be triggered by specially crafted TCP packets to the devices' telnet or reverse telnet ports. The vulnerability can be exploited to cause a denial-of-service to the management services. The device refuses connections to the management services via RSH, SSH, telnet, reverse telnet, HTTP (in certain cases) or Data Link Switching protocols. Although no technical details regarding the flaw have been publicly posted, the vulnerability is reportedly being exploited in the wild. Note that the vulnerability does not affect any packet processing/forwarding functions of the device, or device access via SNMP/console.

  • Status: Cisco will release the patches soon. Until the patches are available, a number of workarounds have been suggested. These include disabling telnet and using SSH for remote management, and blocking access to the devices' management ports from the Internet via ACLs.

  • Council Site Actions: All of the reporting council sites are running the affected software. Some of these sites are not using telnet, but SSH for management of their network devices, thus they are not affected by the vulnerability. Other sites block external access to their routers and thus consider this a reduced threat. Most of the sites plan to distribute the patches during their next regularly scheduled system update process.

  • References:
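The double-free pattern described in item (2) above, as an added example that is not code from MIT Kerberos or from this newsletter: a constructed toy TLV decoder whose error path releases a buffer without clearing the caller's pointer, beside the fixed form. The format, the toy_pair struct and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy TLV element in the spirit of DER: one tag byte, one short-form
 * length byte (< 0x80), then `len` value bytes. Constructed for this
 * example; it is not the MIT Kerberos ASN.1 decoder. */
#define TAG_OCTET_STRING 0x04

typedef struct {
    uint8_t *name;   size_t name_len;    /* heap copies of two strings */
    uint8_t *realm;  size_t realm_len;
} toy_pair;

/* Copy one element of the expected tag into a fresh heap buffer.
 * Returns input bytes consumed, or 0 on malformed input (nothing is
 * allocated in that case). */
static size_t read_tlv(const uint8_t *buf, size_t n, uint8_t want_tag,
                       uint8_t **out, size_t *out_len)
{
    if (n < 2 || buf[0] != want_tag || buf[1] >= 0x80) return 0;
    size_t len = buf[1];
    if (len > n - 2) return 0;              /* length runs past the input */
    uint8_t *v = malloc(len + 1);
    if (v == NULL) return 0;
    memcpy(v, buf + 2, len);
    v[len] = '\0';
    *out = v;
    *out_len = len;
    return 2 + len;
}

static void free_pair(toy_pair *p)
{
    free(p->name);
    free(p->realm);
    p->name = p->realm = NULL;
}

/* BUGGY PATTERN (the defect class in the advisory): when the second
 * element fails to decode, the decoder frees the first element but leaves
 * p->name pointing at the freed block, so the caller's routine cleanup
 * frees that block a second time. */
static int decode_pair_buggy(const uint8_t *buf, size_t n, toy_pair *p)
{
    size_t used = read_tlv(buf, n, TAG_OCTET_STRING, &p->name, &p->name_len);
    if (used == 0) return -1;
    if (read_tlv(buf + used, n - used, TAG_OCTET_STRING,
                 &p->realm, &p->realm_len) == 0) {
        free(p->name);          /* first free ... */
        return -1;              /* ... p->name still holds the stale address */
    }
    return 0;
}

/* FIXED: the pointer is cleared the moment its block is released, so the
 * struct is always safe to hand to free_pair() (free(NULL) is a no-op). */
static int decode_pair_fixed(const uint8_t *buf, size_t n, toy_pair *p)
{
    size_t used = read_tlv(buf, n, TAG_OCTET_STRING, &p->name, &p->name_len);
    if (used == 0) return -1;
    if (read_tlv(buf + used, n - used, TAG_OCTET_STRING,
                 &p->realm, &p->realm_len) == 0) {
        free(p->name);
        p->name = NULL;         /* ownership released: no dangling pointer */
        p->name_len = 0;
        return -1;
    }
    return 0;
}

/* Decode and clean up with the fixed decoder: 0 on success, -1 on
 * malformed input; on the error path each block is freed exactly once. */
int parse_fixed(const uint8_t *buf, size_t n)
{
    toy_pair p = {0};
    int rc = decode_pair_fixed(buf, n, &p);
    free_pair(&p);
    return rc;
}

/* Same caller with the buggy decoder: fine on well-formed input, double
 * free on malformed input (run that path only under a memory checker). */
int parse_buggy(const uint8_t *buf, size_t n)
{
    toy_pair p = {0};
    int rc = decode_pair_buggy(buf, n, &p);
    free_pair(&p);              /* second free of p->name on the error path */
    return rc;
}

/* Constructed sample messages: a well-formed pair, and one whose second
 * length byte (0x20) claims more bytes than are present. */
static const uint8_t GOOD[] = { 0x04, 0x05, 'a','l','i','c','e',
                                0x04, 0x07, 'E','X','A','M','P','L','E' };
static const uint8_t BAD[]  = { 0x04, 0x05, 'a','l','i','c','e',
                                0x04, 0x20, 'E' };

/* 1 if the fixed decoder's error path leaves no dangling pointer behind. */
int fixed_clears_pointer_on_error(void)
{
    toy_pair p = {0};
    int rc = decode_pair_fixed(BAD, sizeof BAD, &p);
    int clean = (rc == -1 && p.name == NULL && p.realm == NULL);
    free_pair(&p);
    return clean;
}

int main(void)
{
    printf("fixed/good: %d\n", parse_fixed(GOOD, sizeof GOOD));
    printf("fixed/bad:  %d\n", parse_fixed(BAD, sizeof BAD));
    printf("buggy/good: %d\n", parse_buggy(GOOD, sizeof GOOD));
    /* parse_buggy(BAD, sizeof BAD) would free p.name twice. */
    return 0;
}
```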
Other Software
Exploit Code
  • (8) Citadel UX/BBS USER Command Overflow
  • Description: An exploit has been released for the Citadel bulletin board system's USER command overflow vulnerability discussed in a prior issue of the @RISK newsletter.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
Patches
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 35, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3693 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.35.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Altnet ADM ActiveX Control Remote Buffer Overflow
  • Description: Altnet is a peer-to-peer distributor of licensed digital entertainment and file sharing applications. Insufficient boundary condition checks in the "IsValidFile()" method of the ADM ActiveX control expose a stack-based buffer overflow. Altnet Download Manager versions 4.0.0.2 and 4.0.0.4 are affected.
  • Ref: http://secunia.com/advisories/12446/

  • 04.35.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ipswitch WS_FTP Remote Denial of Service
  • Description: Ipswitch WS_FTP is an FTP server. Insufficient sanitization of user supplied input data in the "cd" command causes the server to crash, denying service to legitimate users. WS_FTP Server versions 5.0.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/373420

  • 04.35.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Titan FTP Server CWD Command Remote Heap Overflow
  • Description: Titan is an FTP server for Microsoft Windows. It is reported vulnerable to a heap overflow issue. The issue exists due to insufficient sanitization of the "cwd" command parameters. All current versions of Titan FTP server are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0405.html

  • 04.35.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ACLogic CesarFTP Buffer Overflow Vulnerability
  • Description: CesarFTP is an FTP server for Windows systems. It is reported to be vulnerable to a buffer overflow issue which exists due to improper sanitization of user supplied commands. This vulnerability is exploitable before authentication. CesarFTP versions 0.98b, 0.99g and 0.99e are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12417/

  • 04.35.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WFTPD Server MLST Argument Remote Denial of Service
  • Description: WFTPD is an FTP server for Windows systems. It is reported vulnerable to a denial of service condition triggered by a logged in user issuing 60 MLST requests with parameter size greater than 2048 bytes. WFTPD Pro Server versions 3.21 and earlier are known to be vulnerable.
  • Ref: http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=66

  • 04.35.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Xedus Web Server Multiple Vulnerabilities
  • Description: Xedus web server is reportedly susceptible to multiple vulnerabilities including denial of service, cross-site scripting and directory traversal issues. Xedus version 1.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/373506

  • 04.35.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WinZip Multiple Unspecified Buffer Overflows
  • Description: WinZip is reported to be vulnerable to multiple unspecified buffer overflow issues. The issues exist due to improper sanitization of the user supplied input. WinZip versions 9.0 and prior are affected by these issues.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0021.html

  • 04.35.8 - CVE: CAN-2004-0694, CAN-2004-0745, CAN-2004-0769, CAN-2004-0771
  • Platform: Unix
  • Title: LHA Multiple Code Execution Vulnerabilities
  • Description: LHA is a utility that can compress and decompress LHarc/LH7 format archives. LHA is vulnerable to multiple buffer overflow issues that could lead to remote command execution. LHA versions 1.14 and earlier are known to be vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2004-323.html

  • 04.35.9 - CVE: Not Available
  • Platform: Unix
  • Title: Squid Proxy NTLM Authentication Denial of Service
  • Description: Squid is a web proxy software package. It is reported to be vulnerable to a denial of service issue. The issue exists due to improper sanitization of the "length" argument. Squid versions 2.x and 3.x are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0029.html

  • 04.35.10 - CVE: Not Available
  • Platform: Unix
  • Title: Samba Remote Print Denial of Service
  • Description: Samba is reportedly vulnerable to a remote denial of service condition. This issue is due to a failure of the application to handle out of sequence requests. An attacker might leverage this issue to cause the affected server to crash, denying service to legitimate users. Samba version 2.2.11 addresses the issue.
  • Ref: http://us1.samba.org/samba/history/samba-2.2.11.html

  • 04.35.11 - CVE: CAN-2004-0817, CAN-2004-0802
  • Platform: Unix
  • Title: imlib/imlib2 Multiple BMP Image Decoding Buffer Overflow
  • Description: imlib and imlib2 are image loading and rendering libraries. imlib version 1.9.14 is vulnerable to a buffer overflow issue. By creating a specially-crafted BMP image file, a remote attacker could overflow a buffer and cause the program to crash or possibly execute arbitrary code on the system.
  • Ref: http://xforce.iss.net/xforce/xfdb/17182

  • 04.35.12 - CVE: Not Available
  • Platform: Novell
  • Title: Novell iChain Multiple Remote Vulnerabilities
  • Description: Novell iChain Server is a web-based security product for maintaining network-based access controls. Multiple vulnerabilities have been reported in iChain, which can be exploited by malicious people to bypass security restrictions and conduct cross-site scripting and denial of service attacks. These vulnerabilities have been addressed in version 2.3 Support Pack 1 Beta.
  • Ref: http://secunia.com/advisories/12366/

  • 04.35.13 - CVE: CAN-2004-0748
  • Platform: Cross Platform
  • Title: Apache mod_ssl Denial of Service
  • Description: Apache web server's mod_ssl component is reportedly vulnerable to a denial of service condition. This issue is exposed when an attacker aborts an SSL connection while it is in a particular state. This causes the software to enter an infinite loop and consume all CPU resources. All Apache versions from 2.0 to 2.0.50 are reported to be vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2004-349.html

  • 04.35.14 - CVE: CAN-2004-0638, CAN-2004-0637
  • Platform: Cross Platform
  • Title: Oracle Database and Application Server Multiple Vulnerabilities
  • Description: Oracle Database Server, Application Server and Enterprise Manager are vulnerable to multiple critical security issues ranging from buffer overflow, PL/SQL injection, SQL trigger abuse and character set conversion bugs, and denial of service. Oracle released a set of patches to address all of these issues.
  • Ref: http://otn.oracle.com/deploy/security/pdf/2004alert68.pdf

  • 04.35.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PvPGN Remote Buffer Overflow
  • Description: PvPGN (Player Vs. Player Gaming Network) is a gaming application. It is reported to be vulnerable to a remote buffer overflow issue. The issue exists due to improper sanitization of "watchall" and "unwatchall" commands. PvPGN versions 1.6.0 to 1.6.5 are reported to be vulnerable.
  • Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1018729&group_id=53514&atid=677785

  • 04.35.16 - CVE: CAN-2004-0642, CAN-2004-0772, CAN-2004-0643
  • Platform: Cross Platform
  • Title: Kerberos 5 Multiple Double-Free Vulnerabilities
  • Description: The MIT Kerberos network authentication protocol implementation is reported to be vulnerable to multiple double-free memory corruption issues. These issues could lead to denial of service conditions or even remote code execution. Kerberos 5 versions 1.3.4 and earlier are reported vulnerable.
  • Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt

  • 04.35.17 - CVE: CAN-2004-0644
  • Platform: Cross Platform
  • Title: Kerberos 5 ASN.1 Decoder Denial of Service
  • Description: MIT Kerberos is a network authentication protocol. Insufficient sanitization in the "asn1buf_skiptail()" function of the krb5 library exposes a remote denial of service issue. MIT Kerberos 5 versions 1.2.2 through 1.3.4 are reportedly affected by this vulnerability.
  • Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt

  • 04.35.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DB2 Universal Database Multiple Remote Buffer Overflows
  • Description: IBM DB2 is vulnerable to multiple remote buffer overflows and other unspecified vulnerabilities that could lead to a remote compromise of the vulnerable system. IBM DB2 versions affected include DB2 8.1 Fixpak 6 and earlier, as well as DB2 7.x Fixpak 11 and earlier.
  • Ref: http://www.nextgenss.com/advisories/db2-01.txt

  • 04.35.19 - CVE: Not Available
  • Platform: Web Application
  • Title: meindlSOFT Cute PHP Library Input Validation Vulnerabilities
  • Description: meindlSOFT Cute PHP Library cphplib is affected by multiple input validation vulnerabilities. These issues may allow an attacker to carry out HTML injection, cross-site scripting, and SQL injection attacks against applications that utilize the Cute PHP library. Cute PHP version 0.47 addresses this issue.
  • Ref: http://www.securityfocus.com/bid/11062/info/

  • 04.35.20 - CVE: Not Available
  • Platform: Web Application
  • Title: CuteNews index.php Cross-Site Scripting
  • Description: CuteNews is a news management system implemented in PHP. It is reported to be vulnerable to a cross-site scripting issue. The issue exists due to improper sanitization of user-supplied input to the "mod" parameter of the "index.php" script. CuteNews versions 1.3.6 and prior are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0018.html

  • 04.35.21 - CVE: Not Available
  • Platform: Web Application
  • Title: Webmatic Unspecified Security Vulnerability
  • Description: Webmatic is a web based application that is used to create Web sites. It has been reported to be prone to an unspecified security vulnerability. The cause and impact of this issue are currently unknown as very few details were released. This issue was disclosed by the vendor. It is conjectured that this vulnerability is remote in nature. Webmatic versions 1.8 and prior are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/11045/info/

  • 04.35.22 - CVE: Not Available
  • Platform: Web Application
  • Title: XOOPS Dictionary Multiple Cross-Site Scripting
  • Description: XOOPS is a dynamic Object Oriented based portal system. The Nagl XOOPS Dictionary module is vulnerable to multiple cross-site scripting issues due to insufficient user supplied data sanitization of the "letter" parameter in the "search.php" script. XOOPS Version 2.x Dictionary module is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/373508

  • 04.35.23 - CVE: Not Available
  • Platform: Web Application
  • Title: Scout Tracker Multiple Unspecified Vulnerabilities
  • Description: Scout Tracker is a web-based forum. The vendor released a new version 0.10 that reportedly fixes multiple unspecified security issues.
  • Ref: http://www.securityfocus.com/bid/11066/

  • 04.35.24 - CVE: Not Available
  • Platform: Web Application
  • Title: Password Protect Multiple Input Validation Vulnerabilities
  • Description: Web Animations Password Protect is a web-based authentication interface. It is reportedly vulnerable to multiple cross-site scripting and SQL injection issues. Successful exploitation of these may result in theft of cookie based authentication credentials from legitimate clients and compromise of the backend database. All current versions of Password Protect are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/373901

  • 04.35.25 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPScheduleIt HTML Injection Vulnerability
  • Description: phpScheduleIt is a web application for resource scheduling. It is reported to be vulnerable to an HTML injection issue. The issue exists due to improper sanitization of the "Schedule Title" field. phpScheduleIt 1.0.0RC1 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-08/0417.html

  • 04.35.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Comersus Cart HTTP Response Splitting Vulnerability
  • Description: Comersus Cart is an e-commerce shopping cart application. It is reported to be vulnerable to an HTTP response splitting issue. The issue exists due to improper sanitization of the "redirecturl" parameter in the "comersus_customerLoggedVerify.asp" script. Comersus Shopping Cart version 5.0991 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0006.html

  • 04.35.27 - CVE: Not Available
  • Platform: Web Application
  • Title: pLog User Registration HTML Injection
  • Description: pLog is a blog system. pLog is vulnerable to an HTML injection issue due to a lack of sanitization in the "username" and "blog" parameters of the "register.php" script. pLog version 0.3.2 is known to be vulnerable.
  • Ref: http://secunia.com/advisories/12415/

  • 04.35.28 - CVE: Not Available
  • Platform: Web Application
  • Title: TorrentTrader SQL Injection Vulnerability
  • Description: TorrentTrader is a BitTorrent tracker script. It is reportedly vulnerable to a SQL injection issue due to insufficient sanitization of the "id" URL parameter. TorrentTrader version 1.0 RC2 was reported to be vulnerable.
  • Ref: http://forum.tutoriaux.net/index.php?showtopic=299&st=0&#entry1342

  • 04.35.29 - CVE: Not Available
  • Platform: Web Application
  • Title: Newtelligence DasBlog Request Log HTML Injection
  • Description: newtelligence DasBlog is a web log application designed for the Microsoft .NET environment. It is reported to be vulnerable to an HTML injection issue in its request log. The issue exists due to an improper sanitization of user-supplied input to "Referrer" and "User-Agent" headers. DasBlog versions 1.3 to 1.6 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0004.html

  • 04.35.30 - CVE: Not Available
  • Platform: Web Application
  • Title: phpWebSite Multiple Input Validation Vulnerabilities
  • Description: phpWebSite is a web-based content management system. It is reportedly vulnerable to multiple issues due to insufficient input validation. These include cross-site scripting, HTML injection and SQL injection vulnerabilities. phpWebsite versions from 0.7.3 to 0.9.3-4 are reported to be vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00048-08312004

  • 04.35.31 - CVE: Not Available
  • Platform: Hardware
  • Title: D-Link Securicam DCS-900 Remote Configuration Vulnerability
  • Description: D-Link Securicam Network DCS-900 is a surveillance camera which can be administered remotely. Insufficient authentication checks performed on data received on UDP port 62976 allows remote attackers to change the IP address of the device. D-Link DCS-900 Internet Camera versions 2.10, 2.20 and 2.28 are affected.
  • Ref: http://www.securityfocus.com/archive/1/373527

  • 04.35.32 - CVE: Not Available
  • Platform: Hardware
  • Title: GEMS Central Tabulator Vote Database Integrity Compromise
  • Description: Diebold GEMS Central Tabulator is a voting system used as a solution for electronic voting. It is possible for an attacker to bypass the data integrity checks in order to add fake votes. Diebold GEMS Central Tabulator versions 1.17.7 and 1.18 are known to be vulnerable.
  • Ref: http://www.blackboxvoting.org/?q=node/view/75

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.