@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

• (0) HIGH: Symantec Multiple Products DNS Cache Poisoning
• (1) MODERATE: Ipswitch IMAP Server EXAMINE Command Overflow
• (2) LOW: MySQL Database Multiple Vulnerabilities

Other Software

• (3) HIGH: Goodtech Telnet Server Buffer Overflow
• (4) HIGH: Multiple Vendor Remote File Include Vulnerabilities
• (5) MODERATE: SuSE Openslp Multiple Buffer Overflows

Exploit Code

• (6) Microsoft License Logging Service Overflow (MS05-010)
• (7) Safenet Sentinel License Manager Buffer Overflow
• (8) Ethereal RADIUS Authentication Decoding Overflow
• (9) Internet Explorer Cross Zone Vulnerability (MS05-014)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 05.11.1 - GoodTech Systems Telnet Server Remote Buffer Overflow
• 05.11.2 - Symantec AntiVirus SMB Scan Evasion
• 05.11.3 - PlatinumFTPServer Denial of Service
• 05.11.4 - Active Webcam Webserver Multiple Vulnerabilities
• 05.11.15 - Ipswitch Collaboration Suite IMail Server Buffer Overflow

Linux

• 05.11.5 - Linux Kernel PPP Driver Remote Denial of Service
• 05.11.6 - racoon ISAKMP Header Denial of Service

Unix

• 05.11.7 - OpenSLP Multiple Unspecified Buffer Overflow Vulnerabilities
• 05.11.8 - Grip CDDB Multiple Matches Buffer Overflow

Cross Platform

• 05.11.9 - RXVT-Unicode Escape Sequence Remote Buffer Overflow
• 05.11.10 - MaxDB Multiple Denial of Service Vulnerabilities
• 05.11.11 - Lime Wire Multiple Remote Unauthorized Access Vulnerabilities
• 05.11.12 - Mozilla Status Bar Spoofing
• 05.11.13 - Apache Tomcat Malformed Request Denial of Service
• 05.11.14 - MySQL AB Multiple Remote Vulnerabilities
• 05.11.16 - Sun Java Application Server Cross-Site Scripting
• 05.11.17 - Multiple Antivirus Products Malformed ZIP File Scan Evasion
• 05.11.18 - Novell iChain Mini FTP Server Remote Path Disclosure
• 05.11.19 - XPand Rally Remote Format String Vulnerability

Web Application

• 05.11.20 - PHPOpenChat Multiple Remote File Include Vulnerabilities
• 05.11.21 - ZPanel Multiple SQL Injection and File Include Vulnerabilities
• 05.11.22 - iChain Sensitive Information Disclosure
• 05.11.23 - phpAdsNew AdFrame.PHP Cross-Site Scripting
• 05.11.24 - VoteBox Votebox.PHP Remote File Include
• 05.11.25 - Phorum Multiple HTML Injection Vulnerabilities
• 05.11.26 - SimpGB Guestbook.PHP SQL Injection
• 05.11.27 - Spinworks Application Server Remote Denial of Service
• 05.11.28 - paBox Post Icon HTML Injection Vulnerability
• 05.11.29 - paFileDB Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
• 05.11.30 - HolaCMS Voting Module Remote File Corruption
• 05.11.31 - UBB.threads Editpost.PHP SQL Injection
• 05.11.32 - PhotoPost PHP Pro Multiple Remote Vulnerabilities
• 05.11.33 - SocialMPN Module Arbitrary Remote PHP File Include
• 05.11.34 - McNews Remote File Execution
• 05.11.35 - Zorum Multiple Remote Vulnerabilities
• 05.11.36 - WEBInsta Mailing Manager Remote File Include

Network Device

• 05.11.37 - Symantec Gateway Remote DNS Cache Poisoning

Hardware

• 05.11.38 - Xerox Document Centre ESS Remote Buffer Overflow
• 05.11.39 - Xerox Document Centre Remote Authentication Bypass

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 11, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4106 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 05.11.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: GoodTech Systems Telnet Server Remote Buffer Overflow
• Description: GoodTech Systems Telnet Server is vulnerable to a remote buffer overflow condition. An attacker may leverage this issue to execute arbitrary code with SYSTEM privileges on a computer running a vulnerable version. All current versions are affected.
• Ref: http://www.securityfocus.com/archive/1/393295

• 05.11.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Symantec AntiVirus SMB Scan Evasion
• Description: Symantec AntiVirus is vulnerable to a scan evasion issue. This issue is due to a design error and may allow potentially malicious files to bypass detection. Files placed by a malicious client on a SMB share are not scanned when clients open them. Symantec AntiVirus Corporate Edition 9.0 is affected.
• Ref: http://www.securityfocus.com/archive/1/393255

• 05.11.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: PlatinumFTPServer Denial of Service
• Description: PlatinumFTPServer is vulnerable to a denial of service condition. The issue exposes itself when a remote user makes 50 or more connections with a malformed user name. PlatinumFTPserver versions 1.0.18 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/393038

• 05.11.4 - CVE: CAN-2005-0734
• Platform: Third Party Windows Apps
• Title: Active Webcam Webserver Multiple Vulnerabilities
• Description: PY Software Active Webcam is an application used for capturing and sharing video streams from various video devices. It is vulnerable to multiple insecurities including a denial of service and a file system information disclosure.
• Ref: http://www.securityfocus.com/bid/12778/

• 05.11.15 - CVE: CAN-2005-0707
• Platform: Third Party Windows Apps
• Title: Ipswitch Collaboration Suite IMail Server Buffer Overflow
• Description: Ipswitch Collaboration Suite (ICS) provides e-mail and real-time collaboration. The IMAP service included with it is vulnerable to a buffer overflow issue due to insufficient boundary checks performed on arguments to the EXAMINE command and may allow a remote attacker to run arbitrary code. IMail Server versions 8.13 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/392871

• 05.11.5 - CVE: CAN-2005-0384
• Platform: Linux
• Title: Linux Kernel PPP Driver Remote Denial of Service
• Description: Linux Kernel Point-to-Point (PPP) protocol driver is prone to an unspecified remote denial of service vulnerability. The issue can allow a malicious PPP client to crash the server. Linux Kernel version 2.6.8 is affected.
• Ref: http://www.securityfocus.com/advisories/8229

• 05.11.6 - CVE: CAN-2005-0398
• Platform: Linux
• Title: racoon ISAKMP Header Denial of Service
• Description: Kame racoon is an IKE (Internet Key Exchange) daemon. It is vulnerable to a denial of service issue due to a failure to handle ISAKMP packets with malformed headers. racoon versions 20050307 and earlier are known to be vulnerable. Ref: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=109966&action=view

• 05.11.7 - CVE: Not Available
• Platform: Unix
• Title: OpenSLP Multiple Unspecified Buffer Overflow Vulnerabilities
• Description: OpenSLP is an implementation of SLP (Service Location Protocol). It is vulnerable to multiple unspecified buffer overflow conditions. Attackers could leverage these issues to cause a denial of service or execute arbitrary code on a vulnerable system. All current versions are affected.
• Ref: http://www.securityfocus.com/advisories/8224

• 05.11.8 - CVE: CAN-2005-0706
• Platform: Unix
• Title: Grip CDDB Multiple Matches Buffer Overflow
• Description: Grip is a GTK front-end for command line CD ripping tools. It is vulnerable to a buffer overflow issue when processing CDDB replies containing more than 16 matches. Grip versions 3.1.2 and 3.2.0 are known to be vulnerable. Ref: http://sourceforge.net/tracker/?group_id=3714&atid=103714&func=detail&aid=834724

• 05.11.9 - CVE: Not Available
• Platform: Cross Platform
• Title: RXVT-Unicode Escape Sequence Remote Buffer Overflow
• Description: RXVT-Unicode is an X11-based terminal emulation application. It is vulnerable to a remote buffer overflow issue due to a failure of the application to securely copy externally supplied input into process buffers and may be leveraged by an attacker to execute arbitrary code. RXVT-Unicode versions prior to 5.3 are affected.
• Ref: http://dist.schmorp.de/rxvt-unicode/Changes

• 05.11.10 - CVE: CAN-2005-0083
• Platform: Cross Platform
• Title: MaxDB Multiple Denial of Service Vulnerabilities
• Description: MaxDB is a version of SAP DB. The WebAgent is vulnerable to multiple remote denial of service vulnerabilities due to the failure of sanitization of user-supplied functions. MaxDB versions 7.5.00.24 and earlier are reported to be vulnerable. Ref: http://www.idefense.com/application/poi/display?id=218&type=vulnerabilities&flashstatus=true

• 05.11.11 - CVE: Not Available
• Platform: Cross Platform
• Title: Lime Wire Multiple Remote Unauthorized Access Vulnerabilities
• Description: Lime Wire is a file sharing utility. It is vulnerable to multiple remote unauthorized access vulnerabilities due to a failure in handling malicious requests. This can be exploited by an attacker to gain access to sensitive information. Lime Wire versions 4.8 and earlier are affected.
• Ref: http://www.limewire.com/english/content/features_history.shtml

• 05.11.12 - CVE: Not Available
• Platform: Cross Platform
• Title: Mozilla Status Bar Spoofing
• Description: Mozilla is vulnerable to a URI spoofing weakness due to a "Save Link As.." function working with nested anchor tags in a table tag. Mozilla verions 1.7.x are vulnerable.
• Ref: http://secunia.com/advisories/14568/

• 05.11.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Apache Tomcat Malformed Request Denial of Service
• Description: Apache Tomcat is vulnerable to a remote denial of service issue due to improper handling of malformed requests and can be leveraged by an attacker remotely. Apache Tomcat versions 3.x are affected.
• Ref: http://www.kb.cert.org/vuls/id/204710

• 05.11.14 - CVE: CAN-2005-0709, CAN-2005-0710, CAN-2005-0711
• Platform: Cross Platform
• Title: MySQL AB Multiple Remote Vulnerabilities
• Description: MySQL is vulnerable to multiple remote vulnerabilities. The issues include insecure temporary file creation, insufficient sanitization of input and remote arbitrary code execution. MySQL released version 4.0.24 and 4.1.10a to address these issues.
• Ref: http://secunia.com/advisories/14547/

• 05.11.16 - CVE: CAN-2005-0742
• Platform: Cross Platform
• Title: Sun Java Application Server Cross-Site Scripting
• Description: Sun Java System Application Server is vulnerable to an unspecified cross-site scripting issue. The issue is due to a failure to sanitize user-supplied input before using it in dynamically generated web page content. Please refer to the referenced link for the versions of the software that are affected. Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57742-1&searchclause=%22category:security%22%20%22availability,%20security%22

• 05.11.17 - CVE: Not Available
• Platform: Cross Platform
• Title: Multiple Antivirus Products Malformed ZIP File Scan Evasion
• Description: Multiple antivirus products from various vendors are affected by a vulnerability that may allow potentially malformed ZIP archives to bypass detection. This issue affects H+BEDV AntiVirus, AVG Anti-Virus, Sybari Antigen for Microsoft Exchange, and products by Symantec, McAfee, and BitDefender.
• Ref: http://www.securityfocus.com/archive/1/392974

• 05.11.18 - CVE: CAN-2005-0746
• Platform: Cross Platform
• Title: Novell iChain Mini FTP Server Remote Path Disclosure
• Description: Novell iChain is shipped with an FTP server called Mini FTP server. Novell iChain Mini FTP server is affected by a remote path disclosure due to access validation issues. Novell iChain versions 2.2, 2.3 and 2.3 Support Pack 2 are affected.
• Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htm

• 05.11.19 - CVE: CAN-2005-0729
• Platform: Cross Platform
• Title: XPand Rally Remote Format String Vulnerability
• Description: XPand Rally is a network game developed by Techland. A remote format string issue is exposed due to the failure of the application to sanitize data before calling the printing function. Techland XPand Rally versions 1.0 and 1.1 are affected.
• Ref: http://aluigi.altervista.org/adv/xprallyfs-adv.txt

• 05.11.20 - CVE: Not Available
• Platform: Web Application
• Title: PHPOpenChat Multiple Remote File Include Vulnerabilities
• Description: PHPOpenChat is a web chat server. Insufficient sanitization of user-supplied input exposes the application to multiple remote file include issues. PHPOpenChat version 3.0.1 and earlier are affected.
• Ref: http://www.albanianhaxorz.org/advisory/phpopenchaten.txt

• 05.11.21 - CVE: Not Available
• Platform: Web Application
• Title: ZPanel Multiple SQL Injection and File Include Vulnerabilities
• Description: ZPanel is a hosting control interface. It is vulnerable to multiple SQL injection and file include issues due to improper sanitization of user-supplied input to the "uname" parameter of the "index.php" script and the "page" parameter of the "zpanel.php" script. ZPanel versions 2.5 beta and earlier are affected.
• Ref: http://secunia.com/advisories/14602/

• 05.11.22 - CVE: CAN-2005-0744
• Platform: Web Application
• Title: iChain Sensitive Information Disclosure
• Description: Novell iChain is an identity-based web security application. It is vulnerable to an information disclosure issue because it does not encrypt the communications between the client and server. Novell iChain Server versions 2.2 and 2.3 SP2 and SP3 are reported to be vulnerable.
• Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm

• 05.11.23 - CVE: Not Available
• Platform: Web Application
• Title: phpAdsNew AdFrame.PHP Cross-Site Scripting
• Description: phpAdsNew is a web site banner management application. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "refresh" parameter of "adframe.php" script. phpAdsNew version 2.0.4 -pr1 is vulnerable.
• Ref: http://secunia.com/advisories/14592/

• 05.11.24 - CVE: Not Available
• Platform: Web Application
• Title: VoteBox Votebox.PHP Remote File Include
• Description: VoteBox is a web-based voting system. VoteBox is affected by a remote PHP file include vulnerability. VoteBox versions 2.0 and earlier are known to be vulnerable.
• Ref: http://www.systemsecure.org/wwwboard/messages/295.html

• 05.11.25 - CVE: Not Available
• Platform: Web Application
• Title: Phorum Multiple HTML Injection Vulnerabilities
• Description: Phorum is a content management system. Insufficient sanitization of user-supplied input exposes the application to multiple HTML injection issues. Phorum versions 5.0.14 and earlier are affected.
• Ref: http://www.securityfocus.com/archive/1/393192

• 05.11.26 - CVE: Not Available
• Platform: Web Application
• Title: SimpGB Guestbook.PHP SQL Injection
• Description: SimpGB is a web-based guestbook application. SimpGB is affected by an SQL injection vulnerability. SimpGB version 1.0 is known to be vulnerable.
• Ref: http://www.securityfocus.com/archive/1/393149

• 05.11.27 - CVE: Not Available
• Platform: Web Application
• Title: Spinworks Application Server Remote Denial of Service
• Description: Spinworks is a web-based development application. It is vulnerable to a denial of service issue when handling malformed "sid" URI parameters. Spinworks versions 3.x are known to be vulnerable.
• Ref: http://secunia.com/advisories/14579/

• 05.11.28 - CVE: CAN-2005-0674
• Platform: Web Application
• Title: paBox Post Icon HTML Injection Vulnerability
• Description: paBox is a web-based guestbook application. It is reported to be vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input to the "value" parameter of "pabox.php" script. paBox version 2.0 is vulnerable to this issue.
• Ref: http://secunia.com/advisories/14590/

• 05.11.29 - CVE: Not Available
• Platform: Web Application
• Title: paFileDB Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
• Description: paFileDB is a web-based file management utility. It is vulnerable to multiple SQL injection and cross-site scripting issues due to improper user input sanitization and can be exploited to perform session hijacking and database modification. paFileDB versions 3.1 and earlier are affected.
• Ref: http://www.securityfocus.com/archive/1/393022

• 05.11.30 - CVE: Not Available
• Platform: Web Application
• Title: HolaCMS Voting Module Remote File Corruption
• Description: HolaCMS is a content management system. It is vulnerable to a remote file corruption issue. The issue presents itself when a remote attacker specifies an arbitrary location using the "vote_filename" parameter. All current versions are vulnerable.
• Ref: http://secunia.com/advisories/14566/

• 05.11.31 - CVE: CAN-2005-0726
• Platform: Web Application
• Title: UBB.threads Editpost.PHP SQL Injection
• Description: UBBCentral UBB.threads is a web forum. Insufficient sanitization of the "Number" parameter in the "editpost.php" script exposes the application to an SQL injection issue. UBB.threads version 6.0 is affectced.
• Ref: http://www.securityfocus.com/archive/1/392951

• 05.11.32 - CVE: CAN-2005-0274
• Platform: Web Application
• Title: PhotoPost PHP Pro Multiple Remote Vulnerabilities
• Description: PhotoPost PHP Pro is a web-based image gallery application. Insufficient sanitization of user-supplied input and invalid access rights checks exposes the application to various cross-site scripting and access bypass issues. PhotoPost PHP Pro version 5.0 RC3 is affected.
• Ref: http://www.securityfocus.com/bid/12779/info/

• 05.11.33 - CVE: CAN-2005-0691
• Platform: Web Application
• Title: SocialMPN Module Arbitrary Remote PHP File Include
• Description: SocialMPN is web portal software. It is vulnerable to a remote file include issue due to improper sanitization of user-supplied input in the module section. SocialMPN versions 1.2.5 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/12774

• 05.11.34 - CVE: CAN-2005-0720
• Platform: Web Application
• Title: McNews Remote File Execution
• Description: McNews is a news management script. It is vulnerable to a remote file execution issue due to a failure to sanitize user-supplied input to the "skinfile" variable of the "header.php" script. McNews versions 1.3 and earlier are affected.
• Ref: http://www.securityfocus.com/archive/1/392548

• 05.11.35 - CVE: Not Available
• Platform: Web Application
• Title: Zorum Multiple Remote Vulnerabilities
• Description: PHPOutsourcing Zorum is a web-based forum application. It is vulnerable to multiple security issues such as HTML injection, cross-site scripting, SQL injection and authentication bypass. Zorum version 3.5 is known to be vulnerable.
• Ref: http://www.securityfocus.com/bid/12777

• 05.11.36 - CVE: CAN-2005-0748
• Platform: Web Application
• Title: WEBInsta Mailing Manager Remote File Include
• Description: WEBInsta Mailing Manager is vulnerable to a remote file include issue. An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer. WEBInsta Mailing Manager version 1.3d is affected.
• Ref: http://www.securityfocus.com/bid/12773/

• 05.11.37 - CVE: Not Available
• Platform: Network Device
• Title: Symantec Gateway Remote DNS Cache Poisoning
• Description: Symantec Gateway Security provides firewall and intrusion detection functionality. The DNS caching server in the device is vulnerable to a DNS cache poisoning issue. The issue can be exploited by an attacker to manipulate cache data and cause a denial of service. Please refer the link provided for a list of vulnerable products and versions. Ref: http://securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html

• 05.11.38 - CVE: Not Available
• Platform: Hardware
• Title: Xerox Document Centre ESS Remote Buffer Overflow
• Description: Xerox Document Centre ESS is reported to be vulnerable to a remote buffer overflow vulnerability. This could be used towards a denial of service attack or remote command execution on the vulnerable system. Ref: http://a1851.g.akamaitech.net/f/1851/2996/24h/cacheB.xerox.com/downloads/usa/en/c/CERT_Xerox_Security_XRX04-04.pdf

• 05.11.39 - CVE: Not Available
• Platform: Hardware
• Title: Xerox Document Centre Remote Authentication Bypass
• Description: The Xerox Document Centre ESS/Network Controller includes an HTTP server. It is affected by a remote authentication bypass issue due to improper validation of access credentials. Please refer to the attached link for a list of vulnerable versions.
• Ref: http://www.xerox.com/downloads/usa/en/c/cert_XRX05_003.pdf

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters. To change your subscription, address, or other information, visit http://portal.sans.org Copyright 2005. All rights reserved. No posting or reuse allowed, other that listed above, without prior written permission.