
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 37
September 20, 2004

A very tough week for security staff in most sites that rely on Microsoft Office products. Trying to persuade Microsoft Office users to jump through hoops to patch their systems appears to be thankless and, at least partially, unproductive.

Good news on the "minimum security configuration" benchmarks front. The Center for Internet Security just released four more benchmarks (and free testing tools): Windows Server 2003 and FreeBSD operating systems, and Pix Firewall and Apache Web Server. The Solaris benchmark update was also released this week. Get them at http://www.cisecurity.org

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    Windows                      1 (#1)
    Microsoft Office             1 (#3)
    Third Party Windows Apps     5
    Mac Os                       2
    Unix                         6 (#5)
    Cross Platform               14 (#2, #4, #6)
    Web Application              9
    Network Device               5

**************** Sponsored This Week by FaceTime ************************

Secure IM and P2P

IM and P2P create serious corporate and security risks for the enterprise, and traditional security tools provide an inadequate defense. Learn how to protect your network from security threats and violations.

Download a free white paper from Osterman Research, Managing IM and P2P Threats in the Enterprise.

http://www.facetime.com/secure

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Third Party Windows Apps
Mac Os
Unix
Cross Platform
Web Application
Network Device

************************** SPONSORED LINKS ******************************
Privacy notice: Sponsored links redirect to non-SANS web pages.

(1) Radware DefensePro secures networked applications against viruses, malicious intrusions and Denial of Service at 3-Gbps. FREE Whitepaper. http://www.sans.org/info.php?id=588

******************** Security Training Update *************************

Featured Training program of the Week: SANS Cyber Defense Initiative. CDI is in two parts: CDI South in New Orleans, November 1-4 (http://www.sans.org/cdisouth04) and CDI East in Washington, DC, December 7-14 (http://www.sans.org/cdieast04).

New Orleans offers a whole new type of program that many people have asked us to provide: 18 one- and two-day courses on issues shaping the future of information security, from the newest hacker tools to changes in legal issues surrounding security. Perfect for people who have taken SANS courses and want updates, and for people who just don't have time to attend a full class. Washington, on the other hand, offers 13 full-length immersion courses and a few short courses.

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Microsoft JPEG Image Processing Overflow
  • Affected:
    • Windows XP/2003
    • Internet Explorer version 6.0 SP1
    • Outlook 2002/2003
    • Microsoft .NET Framework version 1.0 (SP2) and version 1.1
    • Microsoft Office XP/2003
    • Other Microsoft and third party applications that use GDIplus.dll.
  • Description: Windows XP/2003 and multiple Windows applications use GDIPlus.dll to render images on screen and to printers. This DLL contains a heap-based buffer overflow that can be triggered by a specially crafted JPEG image. The overflow arises because the DLL does not validate the declared length of the "comment" section in a JPEG file; setting the comment section length to either 0 or 1 results in a heap-based overflow. The flaw may be exploited to execute arbitrary code on a system with the privileges of the application that opens the specially crafted JPEG file. To exploit the flaw, an attacker can either (a) send the JPEG image in an HTML email or as an email attachment, or (b) host the JPEG image on a web server or a shared folder and entice a user to view the image via a link in an email or another web page. Note that the JPEG may be embedded in a Word/PowerPoint or other document. A proof-of-concept JPEG file has been publicly posted.

  • Status: Microsoft released the MS04-028 security bulletin on September 14, 2004. Apply the updates for operating system as well as various applications as described in the bulletin. There is a concern that third-party applications that are using their own copy of GDIPlus.dll may not get detected by WindowsUpdate or the GDI+ detection tool.

  • Council Site Actions: All reporting council sites are responding to this vulnerability. Several sites have already started the patch deployment process. One site said they are only deploying the patches that are available via SUS and will rely on anti-virus products to reduce the threat from other affected applications. Another site commented that the great majority of their systems have obtained the Internet Explorer or Windows update through the public Windows Update site, or through their local SUS server. A very small number of their systems have obtained the Microsoft Office update. Their central IT department has some prominent web pages that advise users to go to the Office Update site and select "Check for Updates".

  • References:
  • (3) MODERATE: Microsoft WordPerfect Converter Buffer Overflow
  • Affected:
    • Microsoft Office 2000/XP/2003
    • Microsoft Works Suites 2001/2002/2003/2004
    • Microsoft WordPerfect 5.x Converter
  • Description: The Microsoft WordPerfect converter converts WordPerfect documents to the Microsoft Word format. This converter contains a heap-based buffer overflow vulnerability that can be exploited by a malicious WordPerfect document to execute arbitrary code. The flaw can be exploited when any application that uses the WordPerfect converter opens a malicious document. The attacker could exploit the overflow by sending a malicious WordPerfect document as an email attachment, which would be opened by the user. Alternatively, the malicious file could also be hosted on a website, and a user could be enticed (via another web page or email) to view the file. If the malicious WordPerfect file is named with a ".doc" extension, Internet Explorer would automatically invoke Word as a helper application (which would trigger the overflow). Very limited technical details have been publicly posted.
  • Status: Microsoft released the MS04-027 security bulletin on September 14, 2004. Apply the updates described in this bulletin. A workaround is to uninstall the WordPerfect Converter. Note that the converter is installed by default with Microsoft Office and is also available separately as part of the Microsoft Office Converter Pack.

  • Council Site Actions: Two of the reporting council sites are already in the process of distributing the patch. A third site will deploy the patch during their next regularly scheduled system update process. Another site plans to rely on the Microsoft AUTO UPDATE process to patch their systems. One site does not plan to take any action at this time, but rather rely on anti-virus for protection and are anxiously awaiting Windows Update Service (WUS) that will support automatic deployment of Office updates.

  • References:
  • (4) MODERATE: Apache apr-util Library Buffer Overflow
  • Affected:
    • Apache version 2.0.35 up to and including 2.0.50
  • Description: The Apache Portable Runtime (apr) library provides APIs that ensure a consistent application behavior across platforms. apr-util is a companion library to the apr library, both of which are used by the Apache server. The apr-util library contains a buffer overflow in the "apr_uri_parse" function. The flaw can be triggered by a specially crafted IPv6 address in the URI or the "Host" header field in an HTTP request. The flaw may be potentially exploited on some platforms such as BSD to execute arbitrary code.

  • Status: Apache has released version 2.0.51 that fixes this flaw. Many other denial-of-service vulnerabilities have also been fixed in this version.

  • Council Site Actions: Most of the reporting council sites are responding to this vulnerability, but in different ways. One site will deploy the patch as a required fix for their small number of Apache-2.0.x systems. Another site plans to deploy during their next regularly scheduled system update process. A third site is still investigating if they have the software in use and will treat this as a moderate problem if found. Another site commented they have very few systems running the affected version (none of which are critical servers). Those that are running the affected version are primarily running Red Hat Enterprise Linux or Debian GNU/Linux and are configured to retrieve all vendor updates. Systems for which administrator intervention is needed to trigger patching will most likely be updated later this month.

  • References:
  • (5) MODERATE: Multiple XPM File Parsers Buffer Overflow Vulnerabilities
  • Affected:
    • X11R6 version prior to 6.8.1
    • gtk+ version 2.4.4 and prior
    • XFree86 versions 4.x
  • Description: X PixMap (XPM) is an ASCII image format commonly used by the X Window System on UNIX systems. The libXpm and GdkPixBuf (ships with gtk+ 2.x) libraries provide various functions to store and read XPM image files. These libraries contain multiple stack-based buffer overflow and integer overflow vulnerabilities that can be triggered by specially crafted XPM files. The flaws can be exploited to execute arbitrary code. In order to exploit the flaws, an attacker has to entice a user (via email or another web page) to view a malicious XPM file. Multiple proof-of-concept exploits have been posted.

  • Status: X.org has released version 6.8.1 of X11R6 that fixes the flaws. Multiple Linux vendors such as RedHat, Mandrake and Debian have released patches for the affected products.

  • Council Site Actions: Several council sites are responding to this vulnerability. Two sites are running RedHat and/or Debian and as such, they are configured to retrieve the vendor updates. Another site has very limited usage of the software and plans to deploy the patch during their next regularly scheduled system update process. A final site is still investigating if they are using the software, and if so, will treat this as a moderate priority.

  • References:
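The GDI+ flaw in item (1) above (and entry 04.37.1 in Part II) comes down to a declared segment length that is smaller than the two length bytes it is supposed to include: a JPEG segment length of 0 or 1 leaves nothing for the payload, and code that subtracts the header size without checking ends up with a wrapped-around count. The Python below is an added example, not code from the bulletin, TippingPoint or Microsoft: it walks the marker segments of a JPEG and flags any segment whose declared length is less than 2, the kind of structural check a mail gateway or file scanner can apply before a renderer ever sees the file. It extends the check to every length-bearing segment rather than only COM, since the length field has the same meaning in each; the sample files are constructed inline and are not real captures.

```python
import struct

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOI = b"\xff\xd8"


def check_jpeg_segment_lengths(data: bytes):
    """Walk JPEG marker segments and report any whose declared length is < 2.

    Returns (ok, findings). The 16-bit length following a marker counts the two
    length bytes themselves, so anything below 2 is malformed; in the GDI+ case a
    value of 0 or 1 is what triggers the heap overflow described in the bulletin.
    """
    findings = []
    if data[:2] != SOI:
        return False, ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected marker prefix 0xFF")
            return False, findings
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:          # EOI: end of image
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append(f"marker 0x{marker:02X}: truncated length field")
            return False, findings
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2:
            findings.append(
                f"offset {pos}: marker 0x{marker:02X} declares length {seg_len} (< 2)")
            return False, findings
        if marker == 0xDA:          # SOS: entropy-coded data follows; not parsed here
            break
        pos += seg_len
    return len(findings) == 0, findings


def build_sample(comment_len_field: int) -> bytes:
    """Constructed minimal JPEG skeleton: SOI, a JFIF APP0, one COM segment, EOI.

    The COM length field is taken from the argument so a benign (7 = 2 + len("hello"))
    and a malformed (0 or 1) file can be produced from the same builder.
    """
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # 14 bytes
    return (SOI
            + b"\xff\xe0" + struct.pack(">H", 2 + len(app0_payload)) + app0_payload
            + b"\xff\xfe" + struct.pack(">H", comment_len_field) + b"hello"
            + b"\xff\xd9")


if __name__ == "__main__":
    for length in (7, 0, 1):
        ok, findings = check_jpeg_segment_lengths(build_sample(length))
        print(f"COM length field {length}: ok={ok} {findings}")
```

The walker stops at the start-of-scan marker because entropy-coded data is not segment-structured; for a gateway filter that is sufficient, since every length-bearing header segment precedes it.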
Other Software
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 37, 2004

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3718 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.37.1 - CVE: CAN-2004-0200
  • Platform: Windows
  • Title: Microsoft JPEG Processing Buffer Overrun
  • Description: The Microsoft GDI+ (Graphics Device Interface) library JPEG handler is vulnerable to a buffer overrun when processing JPEG images. An attacker could create a specially crafted JPEG image to execute arbitrary code when the picture is rendered by a Windows application using the vulnerable library. Microsoft has released the security bulletin MS04-028 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

  • 04.37.2 - CVE: CAN-2004-0573
  • Platform: Microsoft Office
  • Title: Microsoft WordPerfect Converter Remote Buffer Overflow
  • Description: The Microsoft WordPerfect Converter is vulnerable to a remote buffer overflow condition due to insufficient boundary checks while handling certain malformed files. This could be exploited to execute arbitrary code on the vulnerable host. All current versions other than the one bundled with Microsoft Office 2003 Service Pack 1 are reported to be vulnerable to this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms04-027.mspx

  • 04.37.3 - CVE: CAN-2004-0830
  • Platform: Third Party Windows Apps
  • Title: F-Secure Content Scanner Server Remote Denial of Service
  • Description: F-Secure anti-virus for Microsoft Exchange and F-Secure Internet Gatekeeper are vulnerable to a remote denial of service while handling certain malformed packets. F-Secure Anti-Virus for Microsoft Exchange versions 6.21 and earlier as well as F-Secure Internet Gatekeeper versions 6.32 and earlier are vulnerable.
  • Ref: http://www.f-secure.com/security/fsc-2004-2.shtml

  • 04.37.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Gadu-Gadu Image Send Feature Remote Heap Overflow
  • Description: Gadu-Gadu is an instant messaging application. It is reported to be vulnerable to a remote heap overflow issue. The issue exists due to improper sanitization of "GG_MSG_IMAGE_REPLY" packets for image transfer. Gadu-Gadu version 6.0 build 149 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0100.html

  • 04.37.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Serv-U FTP Server Remote Denial of Service
  • Description: The RhinoSoft Serv-U FTP server is reportedly vulnerable to a denial of service condition due to its failure to handle certain software exceptions gracefully. This causes the server to eventually crash thus denying service to FTP clients. All versions of Serv-U are reportedly affected by this vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/374888

  • 04.37.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: TwinFTP Server Directory Traversal
  • Description: Jigunet TwinFTP is an FTP server application. It is reported to be vulnerable to a directory traversal issue. The vulnerability exists due to improper sanitization of "CWD", "STOR" and "RETR" commands. TwinFTP Enterprise and Standard version 1.0.3 R2 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0106.html

  • 04.37.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Tech-Noel Pigeon Server Remote Denial of Service
  • Description: The Tech-Noel Pigeon Server is reported to be vulnerable to a remote denial of service issue. The issue exists when a "login" field longer than 8180 chars is sent on the port 3180. Version 3.03.146 was released to fix this issue.
  • Ref: http://aluigi.altervista.org/adv/pigeonx-adv.txt

  • 04.37.8 - CVE: CAN-2004-0873
  • Platform: Mac Os
  • Title: Apple iChat Remote Link Application Execution
  • Description: The Apple iChat instant messaging client is reportedly vulnerable to a remote link application execution vulnerability. Using this, an attacker can specify an application to be activated when a link sent in an instant message is followed by a target user. This could allow the attacker to execute arbitrary applications on the vulnerable host. This issue was reported in Apple iChat versions 1 and 2.
  • Ref: http://secunia.com/advisories/12575/


  • 04.37.10 - CVE: CAN-2004-0807, CAN-2004-0808
  • Platform: Unix
  • Title: Samba Remote Denial of Service
  • Description: The Samba file and printer sharing server is reportedly affected by multiple remote denial of service issues. These issues are due to a failure to properly parse ASN.1 and MailSlot packets. An attacker could exploit these conditions to deny service to other legitimate users of the service. These issues were reported for versions 3.0.x of Samba.
  • Ref: http://www.securityfocus.com/archive/1/374980

  • 04.37.11 - CVE: CAN-2004-0801
  • Platform: Unix
  • Title: Foomatic-rip Privilege Escalation
  • Description: Foomatic integrates various print spoolers with freely available printer drivers. Foomatic-rip is affected by an arbitrary command execution vulnerability due to insufficient sanitization of command lines and environment variables. Foomatic 3.0.2 has been released to fix this issue.
  • Ref: http://www.linuxprinting.org/pipermail/foomatic-devel/2004q3/001996.html

  • 04.37.12 - CVE: CAN-2004-0558
  • Platform: Unix
  • Title: CUPS UDP Packet Remote Denial of Service
  • Description: CUPS (Common UNIX Printing System) is reported to be vulnerable to a remote denial of service issue. The issue exists due to improper sanitization of certain UDP packets on port 631. Debian and RedHat have both released a patch for this issue.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0162.html

  • 04.37.13 - CVE: CAN-2004-0753, CAN-2004-0782, CAN-2004-0783, CAN-2004-0788
  • Platform: Unix
  • Title: GDK-Pixbuf Multiple Vulnerabilities
  • Description: gdk-pixbuf is a GNOME multiple-format imaging library. It is reportedly vulnerable to multiple security issues. These include two denial of service conditions while decoding certain BMP and ICO image files, and two memory corruption conditions while decoding certain XPM images. These could be exploited to cause a denial of service condition or execute arbitrary code on the vulnerable host. All current gdk-pixbuf versions 0.x are reported to be vulnerable.
  • Ref: http://scary.beasts.org/security/CESA-2004-005.txt

  • 04.37.14 - CVE: Not Available
  • Platform: Unix
  • Title: LibXpm Image Decoding Multiple Buffer Overflows
  • Description: libXpm is a graphics library that decodes the X Pixmap (XPM) image format. It is reportedly vulnerable to multiple buffer overflow issues. These are due to insufficient boundary checks while handling certain maliciously crafted XPM images. These could be exploited to execute arbitrary code on the vulnerable host. The LibXpm version that shipped with X.org X11R6 6.8.0 is reported vulnerable to this issue.
  • Ref: http://scary.beasts.org/security/CESA-2004-003.txt

  • 04.37.15 - CVE: Not Available
  • Platform: Unix
  • Title: Xine-lib VideoCD And Text Subtitle Stack Overflow Vulnerabilities
  • Description: Xine is a multimedia player. Xine-lib contains two buffer overflows that could be exploited through malicious video CDs or subtitles in order to execute arbitrary code. Xine-lib versions 1-rc2 through 1-rc5 are known to be vulnerable.
  • Ref: http://www.open-security.org/advisories/6

  • 04.37.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mod_cplusplus Buffer Overflow Vulnerability
  • Description: John Sterling's mod_cplusplus is a module used to implement Apache 2.0 handlers as C++ objects. mod_cplusplus is vulnerable to a buffer overflow issue due to a failure to perform boundary checks for a buffer size in the "ApacheRequestRec::istring()" function. This issue could lead to remote arbitrary code execution. mod_cplusplus versions 1.4.1 and earlier are reported to be vulnerable.
  • Ref: https://sourceforge.net/project/shownotes.php?group_id=26896&release_id=266645

  • 04.37.17 - CVE: CAN-2004-0751
  • Platform: Cross Platform
  • Title: Apache mod_ssl Remote Denial of Service
  • Description: Apache 2.x mod_ssl is reported to be vulnerable to a remote denial of service issue. The issue exists due to improper exception handling in the "char_buffer_read()" function of the "ssl_engine_io.c" file. Apache version 2.0.50 is reported to be affected by this issue.
  • Ref: http://issues.apache.org/bugzilla/show_bug.cgi?id=30134

  • 04.37.18 - CVE: CAN-2003-1014, CAN-2003-1015, CAN-2003-1016, CAN-2004-0051, CAN-2004-0052, CAN-2004-0053, CAN-2004-0161, CAN-2004-0162
  • Platform: Cross Platform
  • Title: Multiple Vendor MIME Encapsulation Vulnerabilities
  • Description: MIME is a standard for encoding attachments to emails. MIME is also used as an encoding method for transfer of files in the HTTP protocol. Multiple vulnerabilities including content checking bypass, remote code execution and denial of service were reported in numerous software implementations.
  • Ref: http://www.uniras.gov.uk/vuls/2004/380375/mime.htm

  • 04.37.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple BEA Systems WebLogic Vulnerabilities
  • Description: BEA Systems has released advisories to address multiple vulnerabilities in WebLogic Server and Express. These issues may allow unauthorized access and information disclosure, or pose threats to role and policy security. BEA has released BEA Systems WebLogic Express 8.1 SP 3 to address these issues.
  • Ref: http://www.securityfocus.com/bid/11168/credit/

  • 04.37.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Multiple URI Processing Heap Overflow
  • Description: Mozilla is vulnerable to multiple heap overflow issues when processing URLs in emails. Mozilla versions 1.7.2 and earlier are known to be vulnerable.
  • Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=258005

  • 04.37.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Browser Vcard Handling Remote Buffer Overflow
  • Description: The Mozilla Browser is reportedly vulnerable to a remote buffer overflow issue. This is exposed while handling certain maliciously crafted "vcard" files due to insufficient boundary checks in the parsing routine. Versions prior to Mozilla Browser 1.7.3 and Mozilla Thunderbird 0.8 are reported to be vulnerable.
  • Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=257314#c1

  • 04.37.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Browser BMP Image Decoding Multiple Integer Overflows
  • Description: Mozilla Browser is reportedly vulnerable to multiple integer overflow issues in the image parsing routines. These issues exist due to improper boundary checks in "nsBMPDecoder.cpp" and "nsImageWin.cpp" files. Mozilla 1.7 is reported to be vulnerable.
  • Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=255067

  • 04.37.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Browser Non-ASCII Hostname Heap Overflow
  • Description: The Mozilla browser is reportedly vulnerable to a remotely exploitable heap overflow. This issue is exposed when the browser handles non-ASCII characters in certain maliciously crafted URLs. Successful exploitation would permit remote compromise in the context of the client user. All versions prior to Mozilla Browser 1.7.3 and Mozilla Thunderbird 0.8 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11169/credit/

  • 04.37.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla/Firefox Browsers URL Cross-Domain Scripting Issue
  • Description: Mozilla and Firefox are cross platform web browsers. They are reported to be vulnerable to a cross-domain scripting issue. Mozilla Browser versions prior to 1.7.3 and Mozilla Firefox version 0.10 are reported to be vulnerable.
  • Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=250862

  • 04.37.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla/Firefox Browsers Unauthorized Clipboard Contents Disclosure
  • Description: Mozilla and Firefox are cross-platform browsers. They are reported to be vulnerable to unauthorized clipboard contents disclosure. This vulnerability exists due to improper sanitization of unsafe keyevents such as "CTRL-Insert" and "SHIFT-Insert". Mozilla has released Browser 1.7.3 and Firefox Preview Release to fix this issue.
  • Ref: http://bugzilla.mozilla.org/show_bug.cgi?id=257523

  • 04.37.26 - CVE: CAN-2004-0809
  • Platform: Cross Platform
  • Title: Apache mod_dav LOCK Denial of Service
  • Description: The Apache web server's "mod_dav" module is reportedly vulnerable to a denial of service condition. This issue is exposed when the server receives a specific sequence of "LOCK" commands from an authorized user. This allows an attacker to crash the Apache thread/process making a denial of service attack against other legitimate clients possible. All versions of Apache 2.0, prior to 2.0.51 are reported vulnerable.
  • Ref: http://secunia.com/advisories/12527/

  • 04.37.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MyServer Directory Traversal Vulnerability
  • Description: MyServer is an application and web server. It is reported to be vulnerable to a directory traversal attack due to a lack of URL sanitization. MyServer version 0.7 is known to be vulnerable.
  • Ref: http://www.securiteinfo.com/attaques/hacking/myServer0_7.shtml
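Entries 04.37.6 (TwinFTP "CWD", "STOR" and "RETR") and 04.37.27 (MyServer URL handling) are the same defect seen from two protocols: a client-supplied path is joined to the served root without confirming the result still lies beneath it. The Python below is an added example and not code from either product or from Qualys: it resolves the client path against the root and rejects anything that escapes, with the URL-decode step ordered before the check so percent-encoded dot segments are caught as well. The root and the request strings are constructed for the demonstration.

```python
import os
from urllib.parse import unquote

ROOT = "/srv/ftp/root"   # constructed served root; need not exist for the check


class TraversalError(ValueError):
    """Raised when a client path would land outside the served root."""


def resolve_within_root(root: str, requested: str, url_decode: bool = False) -> str:
    """Map a client path (FTP CWD/STOR/RETR argument, or a URL path when
    url_decode=True) onto the filesystem, refusing anything outside root."""
    if url_decode:
        requested = unquote(requested)   # decode BEFORE checking, or %2e%2e slips past
    if "\x00" in requested:
        raise TraversalError("NUL byte in path")
    root_real = os.path.realpath(root)
    # Treat both separator styles alike and make absolute client paths root-relative.
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, rel))
    # realpath has collapsed '..' and symlinks; commonpath (not startswith) decides
    # containment, so a sibling such as /srv/ftp/rootkit is not mistaken for the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError(f"{requested!r} resolves to {candidate}, outside {root_real}")
    return candidate


def is_confined(root: str, requested: str, url_decode: bool = False) -> bool:
    """True if the request stays inside root, False if it would be rejected."""
    try:
        resolve_within_root(root, requested, url_decode)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed request arguments of the kinds an FTP or HTTP server receives.
    samples = ["pub/file.txt", "/pub/../readme.txt", "../../etc/passwd",
               "pub/..\\..\\boot.ini", "pub/%2e%2e/%2e%2e/etc/passwd"]
    for s in samples:
        print(f"{s!r:40} ftp={is_confined(ROOT, s)} http={is_confined(ROOT, s, url_decode=True)}")
```

Note the last sample: as an FTP argument the percent sequences are literal directory names and the path stays inside the root, but as a URL path they decode to dot-dot segments and must be refused, which is why the decode must happen before containment is judged, never after.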

  • 04.37.28 - CVE: CAN-2004-0786
  • Platform: Cross Platform
  • Title: Apache Web Server Remote IPv6 Buffer Overflow
  • Description: Apache web server is reported to be vulnerable to a remote buffer overflow issue. The issue presents itself when a malformed URL is used with IPv6. The issue exists due to improper sanitization of "apr_uri_parse()" function of the affected server.
  • Ref: http://www.apache.org/dist/httpd/Announcement2.html

  • 04.37.29 - CVE: CAN-2004-0849
  • Platform: Cross Platform
  • Title: GNU Radius SNMP String Length Remote Denial of Service
  • Description: GNU Radius is a server used primarily by Internet Service Providers (ISPs) as a solution for authentication and accounting. GNU Radius is reported to be vulnerable to a denial of service issue. This issue exists due to improper sanitization of SNMP input in the "asn1.c" file. GNU Radius version 1.2 is reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=141&type=vulnerabilities&flashstatus=true

  • 04.37.30 - CVE: Not Available
  • Platform: Web Application
  • Title: getSolutions getInternet Multiple SQL Injection Vulnerabilities
  • Description: getSolutions getInternet is a content management system implemented in ASP. It is reported to be vulnerable to multiple remote SQL injection issues. These issues exist due to improper sanitization of URL parameters in multiple scripts.
  • Ref: http://www.securityfocus.com/bid/11150

  • 04.37.31 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke Subjects Module SQL Injection
  • Description: The PostNuke "Subjects" Module is a module for postnuke application. It is reported to be vulnerable to an SQL injection issue. The issue exists due to improper sanitization of "pageid", "subid" and "catid" parameters. PostNuke "Subjects" Module version 2.0 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0098.html

  • 04.37.32 - CVE: Not Available
  • Platform: Web Application
  • Title: PerlDesk Arbitrary File Inclusion
  • Description: PerlDesk is a web-based help desk and email management application. PerlDesk is vulnerable to an arbitrary file inclusion issue due to insufficient user-data sanitization of the "lang" parameter in the "pdesk.cgi" script.
  • Ref: http://nikyt0x.webcindario.com/

  • 04.37.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Turbo Seek Information Disclosure Vulnerability
  • Description: FocalMedia.net Turbo Seek is a web-based search application. It is reported to be vulnerable to an information disclosure issue due to improper sanitization of the "location" argument in the "tseekdir.cgi" script. Turbo Seek versions prior to 1.7.2 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12500/

  • 04.37.34 - CVE: Not Available
  • Platform: Web Application
  • Title: SnipSnap HTTP Response Splitting Vulnerability
  • Description: SnipSnap is a web-based blog and wiki application. It is reportedly vulnerable to an HTTP response splitting attack. Through the "referer" parameter, an attacker could inject "CR/LF" sequences into the HTTP response headers. This could trick a browser into misinterpreting served content and could be used towards information theft or other attacks. This issue was identified in SnipSnap versions 0.5.2a and prior.
  • Ref: http://www.securityfocus.com/advisories/7217

  • 04.37.35 - CVE: Not Available
  • Platform: Web Application
  • Title: vBulletin SQL Injection Vulnerability
  • Description: The vBulletin bulletin board is reportedly vulnerable to a remote SQL injection issue due to insufficient sanitization of user-supplied input via the "x_invoice_num" parameter. This allows attackers to compromise the remote backend database. vBulletin versions 3.0 through to 3.0.3 are reported to be vulnerable.
  • Ref: http://www.vbulletin.com/forum/showthread.php?p=734250#post734250
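Entries 04.37.30, 04.37.31 and 04.37.35 all describe request parameters ("pageid", "subid", "catid", "x_invoice_num") pasted into SQL text. The Python below is an added example, not code from any of those products or from Qualys, contrasting that pattern with a bound-parameter query over a constructed in-memory SQLite table: the unsafe version lets a parameter value change the shape of the statement, while the hardened version first enforces the parameter's declared integer type and then binds it, so the database never interprets it as syntax.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a CMS 'pages' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (pageid INTEGER PRIMARY KEY, subid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, 10, "Intro"), (2, 10, "Setup"), (3, 20, "Admin")],
    )
    return conn


DB = make_db()


def page_titles_unsafe(conn: sqlite3.Connection, subid: str) -> list:
    # The request parameter becomes part of the statement text, so whatever the
    # client sends is parsed as SQL. This is the defect the three advisories describe.
    sql = f"SELECT title FROM pages WHERE subid = {subid} ORDER BY pageid"
    return [row[0] for row in conn.execute(sql)]


def page_titles_safe(conn: sqlite3.Connection, subid: str) -> list:
    # Two layers: the value must parse as the integer the schema expects, and it is
    # then passed as a bound parameter, which the driver sends as data, not syntax.
    sub = int(subid)   # ValueError for anything that is not a whole number
    rows = conn.execute(
        "SELECT title FROM pages WHERE subid = ? ORDER BY pageid", (sub,))
    return [row[0] for row in rows]


def safe_rejects(conn: sqlite3.Connection, subid: str) -> bool:
    """True if the hardened query refuses the input instead of running it."""
    try:
        page_titles_safe(conn, subid)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for value in ("10", "10 OR 1=1"):   # constructed request parameter values
        print(f"subid={value!r}: unsafe -> {page_titles_unsafe(DB, value)}, "
              f"safe rejects -> {safe_rejects(DB, value)}")
```

The type check is not a substitute for binding; it is what makes the rejection visible in logs, whereas binding alone would quietly search for a subid that does not exist. For free-text parameters such as an invoice number, binding is the layer that matters.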

  • 04.37.36 - CVE: Not Available
  • Platform: Web Application
  • Title: BBS E-Market Professional Multiple File Disclosure
  • Description: BBS E-Market Professional is a web-based e-commerce application implemented in PHP. It is reported to be vulnerable to multiple file disclosure issues. These issues exist due to improper sanitization of the "filename" and the "dn_path" parameters. BBS E-Market patch level bf_130 (v1.3.0) and prior are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/12509/

  • 04.37.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Snitz Forums Down.ASP HTTP Response Splitting
  • Description: Snitz Forums is reportedly vulnerable to a HTTP response splitting attack. The "down.asp" script allows an attacker to inject "CR/LF" sequences into the HTTP response headers. This could trick a browser into misinterpreting served content and could be used towards information theft or other attacks. Snitz Forums 2000 version 3.4.04 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/375430
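Entries 04.37.34 (SnipSnap "referer") and 04.37.37 (Snitz "down.asp") are both HTTP response splitting: a request value is copied into a response header, and a CR/LF pair inside it ends that header line and starts another. The Python below is an added example, not code from either project or from Qualys, showing the server-side rule that closes the hole (refuse CR, LF and NUL in any header value rather than trying to strip them) and the matching detection rule for request logs, where the sequences usually arrive percent-encoded. The response builder and the sample parameter values are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

_CTL = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a value bound for an HTTP header could start a new header line."""


def safe_header_value(value: str) -> str:
    # A CR or LF inside a header value terminates the line; whatever follows is
    # parsed by the client as further headers or even a second response body.
    # Refuse outright instead of stripping so the caller can log and reject.
    if _CTL.search(value):
        raise HeaderInjectionError("CR/LF/NUL in header value")
    return value


def build_redirect(location: str) -> bytes:
    """Minimal 302 whose Location echoes a request parameter after validation."""
    loc = safe_header_value(location)
    head = ["HTTP/1.1 302 Found", f"Location: {loc}", "Content-Length: 0"]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1")


def redirect_is_safe(location: str) -> bool:
    """True if the value can be emitted as a header, False if it was refused."""
    try:
        build_redirect(location)
        return True
    except HeaderInjectionError:
        return False


def header_line_count(raw: bytes) -> int:
    """Number of header lines in a serialized response, status line included."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n"))


def is_split_attempt(raw_param: str) -> bool:
    """Detection side: a request parameter that, once URL-decoded, carries CR, LF
    or NUL is a splitting attempt and should be logged as one."""
    return bool(_CTL.search(unquote(raw_param)))


if __name__ == "__main__":
    # Constructed parameter values as they would appear in an access log.
    for p in ("http://example.com/page?x=1", "http://example.com/%0d%0aSet-Cookie:%20a=b"):
        print(f"{p!r}: split attempt={is_split_attempt(p)} accepted={redirect_is_safe(unquote(p))}")
```

Rejecting rather than stripping matters for detection as much as for safety: a stripped request leaves no trace, while a rejected one produces a log line the operations team can alert on.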

  • 04.37.38 - CVE: CAN-2004-0533
  • Platform: Web Application
  • Title: WebIntelligence Arbitrary File Deletion
  • Description: Business Objects WebIntelligence is a web query, reporting, and analysis application. A vulnerability in the application allows an authenticated user to bypass the access controls and delete arbitrary documents from the application. WebIntelligence version 2.7 with Business Objects 5.1 is reported to be vulnerable. The vendor has released a patch to fix the issue.
  • Ref: http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0056.html

  • 04.37.39 - CVE: Not Available
  • Platform: Network Device
  • Title: Xpressa Handset Remote Denial of Service
  • Description: Pingtel Xpressa is a Voice-over-IP (VoIP) phone. Its web interface is reportedly vulnerable to a remote denial of service condition due to insufficient boundary checks on the HTTP "GET" request arguments. This issue is reported to affect the Xpressa Model PX-1 handset.
  • Ref: http://www.securityfocus.com/archive/1/375054

  • 04.37.40 - CVE: Not Available
  • Platform: Network Device
  • Title: ZyXEL Prestige 681 ARP Request Information Disclosure
  • Description: ZyXEL Prestige 681 SDSL router is an Internet broadband router. The device sends ARP requests containing a memory dump that could leak sensitive information. ZyNOS version Vt020225a is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/375025

  • 04.37.41 - CVE: Not Available
  • Platform: Network Device
  • Title: Inkra 1504GX Remote Denial of Service
  • Description: The Inkra 1504GX is a hardware device designed for load balancing, SSL acceleration, and intrusion prevention. It is reported to be vulnerable to a denial of service issue. The issue presents itself when the switch receives a malicious packet. Inkra 1504GX routers with VSM release 2.1.4.b003 are reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0136.html

  • 04.37.42 - CVE: Not Available
  • Platform: Network Device
  • Title: HP Web Jetadmin Unspecified Arbitrary Command Execution
  • Description: HP Web Jetadmin is a web-based interface for remote management of network peripheral devices. It is reported to be vulnerable to an arbitrary command execution issue. HP Web Jetadmin version 7.5 is reported to be vulnerable.
  • Ref: http://xforce.iss.net/xforce/xfdb/15607

  • 04.37.43 - CVE: Not Available
  • Platform: Network Device
  • Title: SMC Router Authentication Bypass Vulnerability
  • Description: SMC 7004VWBR and 7008ABR devices are Internet broadband routers. They are reported to be vulnerable to an authentication bypass issue in their web administration interface.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-09/0150.html

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.