
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 13
March 31, 2005

Telnet client users on Linux, UNIX, Apple Mac OS and MIT Kerberos should install the updates, especially if they use telnet extensively.

Also, to attend SANS training with our top instructors in small classes, come to Colorado in May for SANS Rocky Mountain. You get Auditing Wireless Security, Forensics, both basic and advanced Hacker Techniques, plus Forensics and Firewalls and IDS and Security Management and Security Essentials and even training for the ISC2 CISSP exam. See: http://www.sans.org/rockymnt2005/

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     1
    Third Party Windows Apps    4
    Linux                       1
    Unix                        4 (#1, #3)
    Cross Platform              4 (#2)
    Web Application             35 (#4)
    Network Device              3

********************** Sponsored by Shavlik******************************

Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next generation of security patch management. With over 50 awesome new features including detailed reporting, advanced reboot options, email notification, and distribution servers, staying up to date on patches has never been easier and your network has never been more secure. Keep your world in Chk with Shavlik. Download the trial version today at http://www.sans.org/info.php?id=744

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application
Network Device

************************* SPONSORED LINKS *******************************

These links may point to sites outside of SANS:

1) Learn more about Radware (Booth 921) at the SANS 2005 Conference, San Diego, April 7-8, 2005. Download the DefensePro whitepaper: http://www.sans.org/info.php?id=745

2) Download your free trial of SecurityEXPERT. Automate the enforcement of policy settings across your network. http://www.sans.org/info.php?id=746

3) SANS is happy to bring you the latest in our complimentary series of Secure Software Webcasts. Database risks explored in depth at https://www.sans.org/webcasts/show.php?webcastid=90568

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: Multiple Telnet Clients Buffer Overflows
  • Affected:
    • Telnet Clients distributed by:
    • ALT Linux distribution
    • Apple Mac OS
    • FreeBSD
    • Openwall
    • Red Hat Linux
    • Sun Solaris
    • MIT Kerberos
  • Description: The telnet LINEMODE option lets the client side perform more of the character processing, which reduces the amount of telnet traffic on a network. A number of telnet client implementations contain a buffer overflow in the way they process a certain LINEMODE sub-option. Specifically, a telnet server can trigger the overflow by sending a large number of "Set Local Character (SLC)" sub-options within the LINEMODE option command. The clients also contain a heap-based buffer overflow in the "env_opt_add()" function, triggered by sending the client a buffer containing a large number of telnet escape characters. These flaws can be exploited to execute arbitrary code on the client system with the privileges of the logged-on user. To exploit them, an attacker has to induce a victim to connect to a malicious telnet server; in some cases this can be accomplished via a specially crafted web page or an HTML email containing a "telnet://" URL. Proof-of-concept exploits have been posted for the overflows.

  • Status: Many vendors have confirmed this flaw and have released updates.

  • Council Site Actions: Most of the council sites are running the affected software on various platforms within their environments. A few sites do not plan to take any action since none of their affected systems are used to establish telnet connections to unknown or untrusted locations. Three sites do plan to distribute the patches during their next regularly scheduled system update process or have already updated their systems through automatic software update features. One of these sites commented that they have a large number of Linux and Solaris systems which are vulnerable. However, as far as they know, very few of them have an installed web browser configured to recognize "telnet://" URLs. Clicking on a "telnet://" link produces an error window stating "telnet is not a registered protocol". Also, it is not common for their users to run the telnet program directly, and thus the chance of encountering a malicious telnet server is small. They plan to update these systems, but at a much slower pace. Another site commented that telnet is banned from their critical application systems, and most of their systems don't allow telnet at all.

  • References:
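The following is an added detection-side example for item (1); it is not code from the newsletter, from TippingPoint or from any telnet vendor. It parses telnet option subnegotiations (IAC SB ... IAC SE) in a server-to-client byte stream and flags LINEMODE SLC blocks that carry far more SLC triplets than RFC 1184 defines, plus NEW-ENVIRON blocks that are abnormally long (the buffer that "env_opt_add()" grows). The option and command byte values come from the telnet RFCs; the thresholds MAX_SLC_TRIPLETS and MAX_NEW_ENVIRON_LEN, and both sample streams, are constructed assumptions for this example.

```python
"""Flag suspicious telnet LINEMODE SLC and NEW-ENVIRON subnegotiations.

Added example for a network monitor or test harness; not vendor code.
"""
IAC, SB, SE = 255, 250, 240          # RFC 854 telnet command bytes
LINEMODE, NEW_ENVIRON = 34, 39       # option codes (RFC 1184, RFC 1572)
SLC = 3                              # LINEMODE suboption: Set Local Characters
NSLC = 18                            # SLC function codes defined in RFC 1184

# Thresholds are assumptions for this example, not values from the advisories.
MAX_SLC_TRIPLETS = NSLC + 1          # one triplet per function code, plus SLC 0
MAX_NEW_ENVIRON_LEN = 256            # any real SEND/IS list is far shorter


def iter_subnegotiations(data: bytes):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE block.

    An escaped 0xFF inside the payload (IAC IAC) is unescaped to a single
    byte, the same way a telnet client would see it.
    """
    i, n = 0, len(data)
    while i < n:
        if data[i] == IAC and i + 2 < n and data[i + 1] == SB:
            opt = data[i + 2]
            j = i + 3
            payload = bytearray()
            while j < n:
                if data[j] == IAC and j + 1 < n:
                    if data[j + 1] == SE:        # end of subnegotiation
                        j += 2
                        break
                    if data[j + 1] == IAC:       # escaped data byte 0xFF
                        payload.append(IAC)
                        j += 2
                        continue
                payload.append(data[j])
                j += 1
            yield opt, bytes(payload)
            i = j
        else:
            i += 1


def find_anomalies(data: bytes):
    """Return [(kind, measured_value), ...] for every suspicious block."""
    findings = []
    for opt, payload in iter_subnegotiations(data):
        if opt == LINEMODE and payload[:1] == bytes([SLC]):
            triplets = (len(payload) - 1) // 3   # (function, flag, char) each
            if triplets > MAX_SLC_TRIPLETS:
                findings.append(("linemode_slc_flood", triplets))
        elif opt == NEW_ENVIRON and len(payload) > MAX_NEW_ENVIRON_LEN:
            findings.append(("new_environ_oversized", len(payload)))
    return findings


def build_slc_block(count: int) -> bytes:
    """Construct a LINEMODE SLC subnegotiation with `count` triplets (test input)."""
    body = bytes([IAC, SB, LINEMODE, SLC])
    body += b"".join(bytes([1 + (k % NSLC), 0, 0]) for k in range(count))
    return body + bytes([IAC, SE])


# Constructed sample streams: a normal negotiation and a hostile-looking one.
BENIGN_STREAM = build_slc_block(NSLC) + bytes([IAC, SB, NEW_ENVIRON, 1, IAC, SE])
SUSPICIOUS_STREAM = (build_slc_block(200)
                     + bytes([IAC, SB, NEW_ENVIRON, 1]) + b"A" * 300
                     + bytes([IAC, SE]))

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        print(name, find_anomalies(stream))
```

The parser unescapes IAC IAC before counting so that the measured sizes match what the client's own buffer would receive; a monitor that counted raw wire bytes would over-report on payloads that legitimately contain 0xFF.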
  • (2) LOW: Apple QuickTime JPEG Processing Buffer Overflow
  • Affected:
    • QuickTime version 6.5.1
  • Description: Apple's QuickTime media player is reportedly vulnerable to a buffer overflow while processing specially crafted JPEG images. The flaw is triggered by a malformed Huffman segment in a JPEG image. The discoverer reports that the crash results in an "access violation" error. Hence, the flaw may possibly be exploitable for code execution (not confirmed). Note that Internet Explorer and other browsers open files associated with QuickTime Player without user interaction, which may facilitate exploitation.

  • Status: Apple has not confirmed. The flaw may be related to an older vulnerability in QuickTime that was fixed in October 2004. An upgrade to version 6.5.2 is recommended.

  • Council Site Actions: Most of the council sites are running the affected software, although it is not officially supported by their respective support groups. All are awaiting official word from the vendor along with a patch. Several of the sites specified they would install the patches during a normal system update process. One site commented that many of their Windows systems were updated to QuickTime 6.5.2 last year because of the October 2004 vulnerability (http://www.securityfocus.com/bid/11553/info/), and their Mac OS X systems have been updated to QuickTime 6.5.2 through Software Update.

  • References:
Other Software
  • (4) HIGH: Double Choco Latte PHP Code Execution
  • Affected:
    • Double Choco Latte version 0.9.4.2 and prior
  • Description: Double Choco Latte is enterprise-class software for project management, online documents, call tracking, etc., and is used by a number of organizations. It contains a remote PHP code execution vulnerability that can be exploited to compromise the server running Double Choco Latte. The technical details can be obtained by examining the fixed and the affected versions of the software.

  • Status: Vendor confirmed, upgrade to version 0.9.4.4.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 13, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4167 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.13.1 - CVE: Not Available
  • Platform: Windows
  • Title: Windows XP TSShutdn.exe Remote Denial of Service
  • Description: Microsoft Windows XP is affected by a remote denial of service vulnerability. Microsoft Windows XP Service Pack 1 is known to be vulnerable.
  • Ref: http://support.microsoft.com/kb/889323/

  • 05.13.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FastStone 4in1 Browser Web Server Directory Traversal
  • Description: FastStone 4in1 is a web browser that includes a web server application. Insufficient sanitization of the "..", "../" and "/.../" directory traversal sequences exposes the application. FastStone 4in1 browser versions 1.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/394507

  • 05.13.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Norton AntiVirus AutoProtect Module Remote Denial of Service
  • Description: Symantec Norton AntiVirus AutoProtect is a virtual device driver that scans files for malicious applications. It is vulnerable to a remote denial of service issue that can be exploited by a remote attacker to crash the machine. Please refer to the link below for the vulnerable versions.
  • Ref: http://www.symantec.com/avcenter/security/Content/2005.03.28.html

  • 05.13.4 - CVE: CAN-2005-0903
  • Platform: Third Party Windows Apps
  • Title: QuickTime PictureViewer Buffer Overflow
  • Description: Apple QuickTime Player is a media player. It is vulnerable to a buffer overflow issue when used to view malformed JPEG files. QuickTime version 6.5.1 for Windows is affected.
  • Ref: http://www.securityfocus.com/bid/12905

  • 05.13.5 - CVE: CAN-2005-0874
  • Platform: Third Party Windows Apps
  • Title: Trillian Multiple Remote HTTP Response Buffer Overflow Vulnerabilities
  • Description: Cerulean Studios Trillian is an instant messaging client. It is reported vulnerable to multiple buffer overflow conditions while parsing HTTP responses from web servers. Attackers could leverage this to execute arbitrary code on the vulnerable client's system. Trillian version 3.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/12890/

  • 05.13.6 - CVE: Not Available
  • Platform: Linux
  • Title: YepYep mtftpd Remote CWD Format String
  • Description: mtftpd is FTP server software. It is reported to be vulnerable to a remote format string issue. The issue presents itself when a specially crafted "CWD" command is used. mtftpd versions 0.0.3 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12947

  • 05.13.7 - CVE: CAN-2005-0926
  • Platform: Unix
  • Title: Sylpheed MIME-Encoded Attachment Buffer Overflow
  • Description: Sylpheed is a GTK+ based email client. It is vulnerable to a buffer overflow when a malformed MIME-encoded file name is processed. Sylpheed versions 0.8.0 to 1.0.3 and 1.9.0 to 1.9.4 are vulnerable.
  • Ref: http://www.tmtm.org/cgi-bin/w3ml/sylpheed/msg/24429

  • 05.13.8 - CVE: CAN-2005-0468,CAN-2005-0469
  • Platform: Unix
  • Title: Telnet Client Multiple Buffer Overflow Vulnerabilities
  • Description: Multiple telnet client implementations are vulnerable to a buffer overflow issue in the "env_opt_add" function of the "telnet.c" code. Some telnet implementations are also affected by LINEMODE buffer overflow issues.
  • Ref: http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

  • 05.13.9 - CVE: CAN-2005-0893
  • Platform: Unix
  • Title: Smail-3 Unspecified Remote Vulnerability
  • Description: Smail-3 is a Mail Transport Agent (MTA). It is reported to be vulnerable to an unspecified security issue. It is conjectured that attackers could leverage this towards code execution or denial of service on the vulnerable system.
  • Ref: http://www.securityfocus.com/archive/1/394413

  • 05.13.10 - CVE: Not Available
  • Platform: Unix
  • Title: Dnsmasq Multiple Remote Vulnerabilities
  • Description: Dnsmasq is a DHCP and DNS server. Dnsmasq is vulnerable to cache poisoning attacks and a buffer overflow issue. Dnsmasq versions 2.20 and earlier are known to be vulnerable.
  • Ref: http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

  • 05.13.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AntiGen For Lotus Domino Multiple Remote Denial of Service Vulnerabilities
  • Description: Sybari AntiGen For Lotus Domino is antivirus software designed for Lotus Domino. It is reported to be vulnerable to multiple remote denial of service issues. The issues present themselves when a specially crafted RAR archive is processed.
  • Ref: http://secunia.com/advisories/14726/

  • 05.13.12 - CVE: CAN-2005-0906
  • Platform: Cross Platform
  • Title: Tincat Network Library Remote Buffer Overflow
  • Description: Tincat is a network API used by various games. It is reported vulnerable to a remote buffer overflow condition. Attackers could leverage this towards arbitrary remote code execution or a denial of service on the vulnerable server.
  • Ref: http://www.securityfocus.com/archive/1/394404

  • 05.13.13 - CVE: CAN-2005-0900, CAN-2005-0901, CAN-2005-0902
  • Platform: Cross Platform
  • Title: Nuke Bookmarks marks.php Path Disclosure
  • Description: Nuke Bookmarks is a module for PHP-Nuke that allows users to store their bookmarks on the server. Nuke Bookmarks is affected by a path disclosure issue when invalid data is submitted. Nuke Bookmarks versions 0.6 and earlier are known to be vulnerable.
  • Ref: http://www.zone-h.org/en/advisories/read/id=7356/

  • 05.13.14 - CVE: CAN-2005-0873
  • Platform: Cross Platform
  • Title: Oracle Reports Server 10g Cross-Site Scripting
  • Description: Oracle Reports Server is a web reporting application designed to provide access to various reporting formats for selected data sets. Insufficient sanitization of the "desname" and "repprod" parameters in the "test.jsp" script exposes the application to multiple cross-site scripting issues. Oracle Reports Server 10g version 9.0.4.3.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/394159

  • 05.13.15 - CVE: Not Available
  • Platform: Web Application
  • Title: Adventia Chat Server Pro Remote HTML Injection
  • Description: Adventia Chat Server Pro is a chat server implemented with ASP technology. It is reported to be vulnerable to an HTML injection issue. Attackers can inject HTML code into the chat windows of legitimate users. This can be leveraged towards theft of cookie-based authentication credentials and other attacks via malicious script execution.
  • Ref: http://www.securityfocus.com/bid/12940/

  • 05.13.16 - CVE: CAN-2005-0386
  • Platform: Web Application
  • Title: Mailreader Remote HTML Injection
  • Description: Mailreader is a web-based email client. It is affected by an HTML injection issue. Mail messages that have MIME types "text/enriched" or "text/richtext" are not sanitized for HTML injection and script execution issues. Mailreader versions 2.3.29 and earlier are affected.
  • Ref: http://www.debian.org/security/2005/dsa-700

  • 05.13.17 - CVE: CAN-2005-0378
  • Platform: Web Application
  • Title: Horde Application Framework Cross-Site Scripting
  • Description: The Horde Application Framework is a series of web applications implemented in PHP. Horde Application Framework is affected by a cross-site scripting vulnerability. Horde versions 3.0.4-RC2 and earlier are known to be vulnerable.
  • Ref: http://lists.horde.org/archives/announce/2005/000176.html

  • 05.13.18 - CVE: Not Available
  • Platform: Web Application
  • Title: Squirrelcart SQL Injection Vulnerability
  • Description: Lighthouse Development Squirrelcart is a shopping cart application. It is vulnerable to an SQL injection issue due to insufficient sanitization of the "crn" parameter of the "index.php" script. All versions of Squirrelcart are known to be vulnerable.
  • Ref: http://icis.digitalparadox.org/~dcrab/sqc.txt

  • 05.13.19 - CVE: Not Available
  • Platform: Web Application
  • Title: PortalAPP Multiple Input Validation Vulnerabilities
  • Description: PortalApp is a web application for web publication. It is vulnerable to multiple SQL injection and cross-site scripting issues due to insufficient sanitization of user-supplied data in the "content.asp" and the "ad_click.asp" scripts.
  • Ref: http://icis.digitalparadox.org/~dcrab/portalapp.txt

  • 05.13.20 - CVE: CAN-2005-0927
  • Platform: Web Application
  • Title: WebAPP File Disclosure Vulnerability
  • Description: WebAPP (Web Automated Perl Portal) is a web portal application. It is reported vulnerable to an unspecified file disclosure issue that allows attackers to gain access to sensitive information from a vulnerable system. All versions of WebAPP are considered vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/12938/

  • 05.13.21 - CVE: CAN-2005-0934
  • Platform: Web Application
  • Title: WackoWiki Cross-Site Scripting Vulnerabilities
  • Description: WackoWiki is a PHP wiki clone. It is vulnerable to multiple unspecified cross-site scripting issues due to improper sanitization of user input and may be exploited to steal cookie-based authentication credentials. WackoWiki versions earlier than 4.2 are vulnerable.
  • Ref: http://wackowiki.com/WackoDownload/InEnglish

  • 05.13.22 - CVE: CAN-2005-0913
  • Platform: Web Application
  • Title: Smarty Template Engine Remote Script Execution
  • Description: Smarty is a PHP script template for development of PHP Web applications. The Smarty Template Engine is vulnerable to remote execution of PHP code due to the "regex_replace" modifier. Smarty versions prior to 2.6.8 are reported to be vulnerable.
  • Ref: http://smarty.php.net/

  • 05.13.23 - CVE: CAN-2005-0930
  • Platform: Web Application
  • Title: Chatness Message Form Field HTML Injection
  • Description: Chatness is a web-based chat system. It is vulnerable to an HTML injection issue exposed through various chat message form fields and may be exploited by an attacker to steal cookie-based authentication credentials. Chatness 2.5.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394526

  • 05.13.24 - CVE: CAN-2005-0917
  • Platform: Web Application
  • Title: EncapsBB File Include Vulnerability
  • Description: EncapsBB is a web-based forum. It is reported to be vulnerable to a file include issue due to improper sanitization of user-supplied input to the "root" parameter of the "index_header.php" script. EncapsBB version 0.3.2_fixed is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14761

  • 05.13.25 - CVE: CAN-2005-0928, CAN-2005-0929
  • Platform: Web Application
  • Title: PhotoPost Pro Multiple Input Validation Vulnerabilities
  • Description: PhotoPost Pro is photograph-viewing software. It is affected by multiple input validation vulnerabilities. All versions of PhotoPost Pro are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394407

  • 05.13.26 - CVE: CAN-2005-0914
  • Platform: Web Application
  • Title: CPG Dragonfly Multiple Cross-Site Scripting Vulnerabilities
  • Description: CPG Dragonfly is a content management portal. It is reported to be vulnerable to multiple cross-site scripting issues. These can be leveraged towards theft of cookie-based authentication credentials. CPG Dragonfly version 9.0.2.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12930/

  • 05.13.27 - CVE: CAN-2005-0925
  • Platform: Web Application
  • Title: Ublog Cross-Site Scripting
  • Description: Ublog is a weblog application. Insufficient sanitization of user-supplied input of the "msg" parameter in the "login.asp" script exposes it to a cross-site scripting issue. Ublog versions 1.0.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/394543

  • 05.13.28 - CVE: CAN-2005-0924
  • Platform: Web Application
  • Title: Adventia E-Data Remote HTML Injection Vulnerability
  • Description: Adventia E-Data is an email directory written in Perl. It is reported to be vulnerable to an HTML injection issue due to improper sanitization of user-supplied input. Adventia E-data version 2.0 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14739

  • 05.13.29 - CVE: CAN-2005-0931
  • Platform: Web Application
  • Title: Includer Remote Code Execution
  • Description: The Includer provides server side includes for web sites. It is affected by a remote code execution vulnerability due to a failure to sanitize user-supplied input in the "include()" function. All versions of the Includer are vulnerable.
  • Ref: http://www.securityfocus.com/bid/12926


  • 05.13.31 - CVE: CAN-2005-0920
  • Platform: Web Application
  • Title: Bugtracker.NET Multiple SQL Injection Vulnerabilities
  • Description: Bugtracker.NET is a web-based bug tracker application. It is vulnerable to multiple SQL injection issues. Bugtracker.NET version 2.0.2 has been released to fix these issues.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=315830

  • 05.13.32 - CVE: CAN-2005-0907, CAN-2005-0908
  • Platform: Web Application
  • Title: Valdersoft Shopping Cart Multiple Vulnerabilities
  • Description: Valdersoft Shopping Cart is web-based e-commerce software. There are multiple input validation vulnerabilities such as failing to properly sanitize user-supplied input and SQL injection issues. Valdersoft Shopping Cart version 3.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/12916

  • 05.13.33 - CVE: CAN-2005-0911
  • Platform: Web Application
  • Title: EXoops Multiple Input Validation Vulnerabilities
  • Description: EXoops is web portal software written in PHP. It is vulnerable to multiple cross-site scripting and SQL injection issues that can be exploited by an attacker to steal authentication credentials and cause the destruction or disclosure of sensitive data. All current versions of EXoops are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394410

  • 05.13.34 - CVE: CAN-2005-0802
  • Platform: Web Application
  • Title: ACS Blog Name Field HTML Injection Vulnerability
  • Description: ACS Blog is web blog software. It is reported to be vulnerable to an HTML injection issue due to improper sanitization of user-supplied input to the "Name" parameter. ACS Blog 1.1.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12904

  • 05.13.35 - CVE: CAN-2005-0901
  • Platform: Web Application
  • Title: Nuke Bookmarks Multiple Cross-Site Scripting Vulnerabilities
  • Description: Nuke Bookmarks is a PHP-Nuke module used to store bookmarks online. Nuke Bookmarks is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied data. Nuke Bookmarks version 0.6 is known to be vulnerable.
  • Ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0901

  • 05.13.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Nuke Bookmarks marks.php SQL Injection
  • Description: Nuke Bookmarks is a module for PHP-Nuke that allows users to store their bookmarks on the server. It is reported to be vulnerable to an SQL injection issue. Attackers could leverage this to compromise the remote backend database.
  • Ref: http://www.securityfocus.com/archive/1/394307

  • 05.13.37 - CVE: CAN-2005-0898
  • Platform: Web Application
  • Title: E-Store Kit-2 PayPal Edition Cross-Site Scripting
  • Description: MagicScripts E-Store Kit-2 PayPal Edition is a script for using PayPal to accept online payments. Insufficient sanitization of the "txn_id" parameter in the "downloadform.php" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/394312

  • 05.13.38 - CVE: Not Available
  • Platform: Web Application
  • Title: E-Store Kit-2 PayPal Edition Remote File Include Vulnerability
  • Description: MagicScripts E-Store Kit-2 PayPal Edition is a script for using PayPal to accept online payments. It is vulnerable to a remote file include issue due to a failure in the application to properly sanitize user-supplied input to the "catalog.php" script. All known versions of E-Store Kit-2 PayPal are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394312

  • 05.13.39 - CVE: CAN-2005-0909
  • Platform: Web Application
  • Title: Tkai's Shoutbox Query Parameter URI Redirection
  • Description: Tkai's Shoutbox is a web-based chat and forum application. Insufficient sanitization of the "query" URI parameter exposes the application to a URI redirection issue in which users will be redirected to malicious web sites. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/394312

  • 05.13.40 - CVE: CAN-2005-0896
  • Platform: Web Application
  • Title: phpMyDirectory review.php Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpMyDirectory is a web-based business directory script. It is reported to be vulnerable to a cross-site scripting issue via various script parameters. Attackers could leverage this towards theft of cookie-based authentication credentials. phpMyDirectory version 10.1.3-rel is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394284

  • 05.13.41 - CVE: CAN-2005-0936
  • Platform: Web Application
  • Title: ESMI PayPal Storefront Cross-Site Scripting Vulnerability
  • Description: ESMI PayPal Storefront is a PHP script for building e-commerce web sites using PayPal as a payment system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "id" parameter of "products1h.php". ESMI PayPal Storefront version 1.7 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12904

  • 05.13.42 - CVE: CAN-2005-0889
  • Platform: Web Application
  • Title: Koobi CMS Cross Site-Scripting
  • Description: Koobi CMS is web-based content management software. It is vulnerable to a cross-site scripting vulnerability due to a failure to sanitize user-supplied input to the "area" parameter. Dream4 Koobi version 4.2.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/12895

  • 05.13.43 - CVE: CAN-2005-0890
  • Platform: Web Application
  • Title: Koobi CMS index.php SQL Injection
  • Description: Koobi CMS is web-based content management software. Koobi CMS is affected by an SQL injection vulnerability. Koobi CMS versions 4.2.3 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12896/info/

  • 05.13.44 - CVE: CAN-2005-0872
  • Platform: Web Application
  • Title: Calendar scheduler.php Cross-Site Scripting
  • Description: Topic Calendar is a phpBB module that adds a calendar to the board. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "start" parameter of the "calendar_scheduler.php" script. Topic Calendar version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/394154

  • 05.13.45 - CVE: CAN-2005-0888
  • Platform: Web Application
  • Title: Double Choco Latte Multiple Vulnerabilities
  • Description: Double Choco Latte is a web-based application for managing software development. It is reported to be vulnerable to multiple cross-site scripting and arbitrary code execution issues due to improper sanitization of user-supplied input. Double Choco Latte versions 0.9.4.3 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12894

  • 05.13.46 - CVE: CAN-2005-0869,CAN-2005-0870
  • Platform: Web Application
  • Title: phpSysInfo Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpSysInfo is a PHP script which generates a web page containing information about the "/proc" filesystem. It is vulnerable to multiple cross-site scripting issues in the "index.php" and "system_footer.php" scripts. phpSysInfo version 2.3 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394086

  • 05.13.47 - CVE: CAN-2005-0883
  • Platform: Web Application
  • Title: DigitalHive base.php Cross-Site Scripting
  • Description: DigitalHive is a web forum. Insufficient sanitization of the "page" parameter in the "base.php" script exposes the application to a cross-site scripting issue. DigitalHive version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/12883/info/

  • 05.13.48 - CVE: CAN-2005-0885
  • Platform: Web Application
  • Title: XMB Forum Multiple Cross-Site Scripting Vulnerabilities
  • Description: XMB Forum is a web-based message board application. It is reported to be vulnerable to multiple cross-site scripting issues due to improper sanitization of user-supplied input. XMB Forum version 1.9.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12886

  • 05.13.49 - CVE: CAN-2005-0886
  • Platform: Web Application
  • Title: Invision Power Board HTML Injection
  • Description: Invision Power Board is web forum software. It is vulnerable to an HTML injection vulnerability due to a failure to sanitize user-supplied data. All versions of Invision Power Board are vulnerable.
  • Ref: http://www.securityfocus.com/bid/12888

  • 05.13.50 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco VPN 3000 Concentrator Denial of Service
  • Description: Cisco VPN 3000 Concentrator products provide Virtual Private Network (VPN) services. It is vulnerable to a remote denial of service issue due to a failure to handle malformed data in its SSL protocol module and can be exploited to cause the affected device to reload or drop connections. Cisco VPN 3000 Concentrator products running software versions 4.1.7.A and prior are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8322

  • 05.13.51 - CVE: CAN-2005-0895
  • Platform: Network Device
  • Title: Netcomm NB1300 Modem/Router Remote Denial of Service
  • Description: Netcomm NB1300 is a router that includes a modem. It is affected by a denial of service condition when a large number of ping requests are sent to the device. The device hangs due to resource exhaustion. Netcomm NB1300 versions 4.4.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/394287

  • 05.13.52 - CVE: CAN-2005-0864, CAN-2005-0865
  • Platform: Network Device
  • Title: Samsung DSL Modem Multiple Remote Vulnerabilities
  • Description: Samsung DSL modems are affected by multiple remote vulnerabilities. Samsung DSL modems running software versions SMDK8947v1.2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12864

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.