The most trusted source for computer security training, certification and research.

@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 14
April 7, 2005

SANS Newsletters Home

DNS Cache Poisoning appears to be a big and fast-growing problem. Windows and Bind users should review number 1 below for a description of the problem and how to block it. Separately, if you are using Windows 2003, definitely explore Service Pack 1 for a slew of important security improvements.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Windows
    • 1 (#6)
    • Other Microsoft Products
    • 1 (#2)
    • Third Party Windows Apps
    • 5 (#5)
    • Linux
    • 2
    • BSD
    • 1
    • Aix
    • 1
    • Unix
    • 3
    • Cross Platform
    • 15 (#1, #3, #4, #7)
    • Web Application
    • 8

****************** Sponsored by Secure Software *************************

SANS is happy to bring you the latest in our complimentary series of Secure Software Webcasts. Database risks explored in depth at https://www.sans.org/webcasts/show.php?webcastid=90568

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
BSD
Aix
Unix
Cross Platform
Web Application

************************ Sponsored Links ********************************

Note: These links redirect to sites outside the SANS site. 1) Top Layer - 2005 NSS Group "Double Approval" for Rate & Content-based Intrusion Prevention. Report http://www.sans.org/info.php?id=752 2) Stop worm outbreaks without stopping your business. FREE Worm Suppression white paper. http://www.sans.org/info.php?id=753

*************************************************************************

Highlighted Training Program of the Week Rocky Mountain SANS 2005, in Denver in May offers nine immersion tracks plus short programs on Cutting Edge Hacker Techniques, Security Policy Development, Security Awareness Training, and more. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques. Details at http://www.sans.org/rockymnt2005 What attendees say: "SANS is the gold standard in network security training, in terms of relevance of material, knowledgeable instructors, and sheer usefulness." (Steve Keifling, SGI)

*************************************************************************

SANS@HOME Program When a live conference is not an option due to cost, time away or visa issues, try SANS@HOME Weekly Webcasts. Great course leaders, same material, great way to learn, and less expensive. For details, go to http://www.sans.org/athome

***********************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: DNS Cache Poisoning Attacks
  • Affected:
    • Windows NT and Windows 2000(prior to SP3) DNS servers in the default
    • configuration The following configurations are also reportedly
    • vulnerable and being investigated: Windows DNS server forwarding
    • requests to a BIND DNS server running version 4.x or 8.x Windows DNS
    • server forwarding requests to another vulnerable Windows DNS server

  • Description: SANS Internet Storm Center (ISC) has been actively analyzing reports of large-scale DNS cache poisoning attacks underway. By performing the DNS cache poisoning, an attacker is able to direct traffic intended for legitimate domains (for instance, windowsupdate.com) to an IP address under the attacker's control. The attacks have been used to re-direct popular domains belonging to a number of financial, entertainment, travel, health and software companies to the attackers' servers in order to install malware on the user systems. The attacks are targeting flaws in the Symantec Gateway security products (described in an earlier @RISK newsletter), and the forwarding configurations using Windows and BIND DNS servers listed above.

  • Status: Microsoft has published an article KB241352 that describes how to set up a registry key on Windows 2000 (prior to SP3) and NT 4.0 (SP4 and later) to harden a DNS server's configuration. An upgrade to version 9.x for the DNS forwarding servers running BIND is recommended. An upgrade to Windows 2000 (SP3 or above) and Windows 2003 is recommended for Windows DNS servers since these versions offer protection against the cache poisoning attacks in their default configuration. Symantec has already released updates for its DNS products that should be immediately applied. ISC has also detailed steps on how to clean the current DNS cache, which may be polluted.

  • Council Site Actions: Most of the reporting council sites are running only UNIX-based DNS and BIND servers with safe configurations and thus are not vulnerable to this issue. A few sites running Windows versions have either confirmed their configurations are safe or have updated them, as necessary. One site is implementing a rapid response plan based on a previous risk assessment of this threat situation.

  • References: ISC DNS Cache Poisoning Report
  • (2) MODERATE: Microsoft Jet Database Engine Overflow
  • Affected:
    • Jet Database Engine all versions

  • Description: The Jet Database Engine (Msjet40.dll) is Microsoft's relational database engine that handles the entire task of database processing for Microsoft Access and Visual Basic. This engine reportedly contains a buffer overflow that can be triggered by a specially crafted ".mdb" Access database file. The flaw, according to the discoverer, can be easily exploited to execute code on a Windows client system. In order to exploit this flaw, an attacker has to supply the malicious .mdb file via web, email, peer-to-peer sharing etc to the victim. Note that Internet Explorer and other browsers do not automatically open the attacker-supplied ".mdb" file. Hence, user interaction is required to leverage this flaw. A proof-of-concept database file has been publicly posted. The discoverer also mentions other denial-of-service flaws in this DLL for which no technical details have been posted.

  • Status: Microsoft has not confirmed; no patches are available. The flaw also affects third party applications that use msjet40.dll.

  • Council Site Actions: Most of the council sites are waiting for confirmation and a patch from the vendor and plan to deploy the patch once available. One site commented they have no plans to patch at this time, and will instead rely on their implementation of the Cisco Security Agent to prevent this exploit from occurring.

  • References:
  • (2) LOW: PHP getimagesize Denial of Service
  • Affected:
    • PHP versions prior to 4.3.11 and 5.0.4

  • Description: PHP, the popular scripting language for web servers, contains two vulnerabilities in its "getimagesize()" function. This function is used to compute the size of many image formats such as GIFF, JPEG etc. An attacker can exploit these flaws to cause a denial of service to any webserver that is using PHP scripts( and the getimagesize() function) to process the user-supplied images. The technical details required to craft a malicious image file have been publicly posted.

  • Status: Upgrade to PHP version 4.3.11 or 5.0.4.

  • Council Site Actions: Only one of the reporting council sites is using the affects software and feature. Their servers will be updated through a vendor patch (e.g., a patch associated with a Linux distribution) rather than updated with software obtained directly from www.php.net.

  • References:
Other Software
  • (3) CRITICAL: BakBone Netvault Backup Software Buffer Overflow
  • Affected:
    • NetVault version 7.3 and earlier on various platforms

  • Description: Bakbone Netvault is a backup solution for environments running UNIX, Linux, Windows NT/2000/2003 or Netware. The software is reportedly being used by AT&T, Los Alamos National Laboratory and many other large enterprises. The implementation of the communication protocol between the Netvault client (the system being backed up) and the server (the system backing up the data) contains a heap-based buffer overflow. By sending specially crafted packets to the port 20031/tcp, an attacker can execute arbitrary code on the system running this software. Exploit code for leveraging this flaw on Windows platforms is publicly available.

  • Status: Vendor not confirmed, no updates available. A workaround is to block the ports 20031/tcp and 20031/udp (the Netvault default ports) at the network perimeter. Increased scanning activity has been noticed for the port 20031/tcp.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) HIGH: MailEnable IMAP Service Buffer Overflow
  • Affected:
    • MailEnable Enterprise version 1.04 and prior
    • MailEnable Professional version 1.54 and prior

  • Description: MailEnable, a Windows-based mail server, contains buffer overflows in its IMAP server (MEIMAPS.EXE). An unauthenticated attacker can trigger the flaw by sending an overlong argument to the "AUTHENTICATE" or "LOGIN" commands. The flaws can be exploited to execute arbitrary code with the privileges of the IMAP server. Exploit code has been publicly posted.

  • Status: Vendor has confirmed the buffer overflow in the "AUTHENTICATE" command and released hotfixes. The status of hotfixes for the "LOGIN" command overflow is unknown.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Patches
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 14, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4201 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 05.14.2 - CVE: CAN-2004-0197
  • Platform: Other Microsoft Products
  • Title: Jet Database Engine Malformed Database File Buffer Overflow
  • Description: Microsoft Jet Database Engine (Jet) is used to provide data access to various applications. It is reported to be vulnerable to a buffer overflow issue due to improper boundary checks of user-supplied database file contents. "msjet40.dll" library version 4.00.8618.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12960
  • 05.14.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BlueSoleil Object Push Service Directory Traversal
  • Description: BlueSoleil, a bluetooth software package, is reported vulnerable to directory traversal attacks in its Object Push Service. Clients can specify the destination directory for uploads using directory traversal sequences. Attackers can leverage this to install trojans on the vulnerable system.
  • Ref: http://www.digitalmunition.com/DMA%5B2005-0401a%5D.txt
  • 05.14.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RUMBA Profile Handling Multiple Buffer Overflow Vulnerabilities
  • Description: RUMBA provides information that may be accessed from any desktop or server-managed client. Insufficient sanitization of the "SysName" value in an RTO profile and a section of the WPA profile exposes the software to a buffer overflow issue. RUMBA version 7.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/394800
  • 05.14.5 - CVE: CAN-2005-0804
  • Platform: Third Party Windows Apps
  • Title: MailEnable Unspecified IMAP Vulnerability
  • Description: MailEnable is a commercially available mail server. It is vulnerable to an unspecified remote security issue in the server's IMAP implementation. All unpatched versions of MailEnable Enterprise Edition and MailEnable Professional 1.5 and later are vulnerable.
  • Ref: http://www.mailenable.com/hotfix/
  • 05.14.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailEnable Unspecified SMTP Denial of Service
  • Description: MailEnable is a mail server for the Microsoft Windows platform. It is reported to be vulnerable to an unspecified issue that may allow remote attackers to crash the SMTP service. MailEnable Professional 1.54, MailEnable Enterprise Edition 1.0.4 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12994
  • 05.14.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DameWare Mini Remote Control Server Privilege Escalation
  • Description: DameWare Mini Remote Control Server is a remote administration tool. It is reported to be vulnerable to a remote privilege escalation issue. DameWare Mini Remote Control Server versions 4.8 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13023
  • 05.14.8 - CVE: CAN-2005-0891
  • Platform: Linux
  • Title: gdk-pixbuf Double Free Remote Denial of Service
  • Description: gdk-pixbuf is a GNOME library. It is vulnerable to a denial of service vulnerability when handling malformed bitmap image files. gdk-pixbuf version 0.22.0 and gtk2 version 2.4.14 are vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2005-344.html
  • 05.14.9 - CVE: CAN-2005-0967
  • Platform: Linux
  • Title: Gaim Jabber File Request Remote Denial of Service
  • Description: Gaim is an instant messaging client that supports numerous protocols. It is vulnerable to a remote denial of service issue which can be exploited by an attacker to crash the application. Gaim versions 1.2.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8368
  • 05.14.10 - CVE: CAN-2005-0960
  • Platform: BSD
  • Title: OpenBSD TCP Stack Denial of Service
  • Description: OpenBSD TCP stack is vulnerable to a denial of service issue when processing invalid SACK options. OpenBSD versions 3.5 and 3.6 are vulnerable.
  • Ref: http://www.openbsd.org/errata.html#sack
  • 05.14.11 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX NIS Client Remote Vulnerability
  • Description: NIS is designed to assist in the administration of networks. IBM AIX NIS client is affected by a remote arbitrary code execution issue which could allow remote attackers to gain unauthorized access to a vulnerable machine with superuser privileges. IBM AIX version 5.3 is affected.
  • Ref: http://www.securityfocus.com/bid/13022/info/
  • 05.14.12 - CVE: CAN-2005-0388
  • Platform: Unix
  • Title: Remstats Remote Command Execution Vulnerability
  • Description: Remstats is a suite of applications designed for network data gathering and presentation. A remote command execution vulnerability affects Remstats's "remoteping" service. Attackers could use this towards a system compromise.
  • Ref: http://www.securityfocus.com/advisories/8351
  • 05.14.13 - CVE: CAN-2005-0965
  • Platform: Unix
  • Title: Gaim_Markup_Strip_HTML Remote Denial of Service
  • Description: Gaim is an instant messaging client that supports numerous protocols. It is reported vulnerable to a remote denial of service condition. It is reported that the issue exists in the "gaim_markup_strip_html" function and leads to an application crash. This vulnerability is reported to affect Gaim versions 1.2.0 and earlier.
  • Ref: http://gaim.sourceforge.net/security/?id=13
  • 05.14.14 - CVE: CAN-2005-0966
  • Platform: Unix
  • Title: Gaim IRC Protocol Plug-in Markup Language Injection
  • Description: Gaim is an instant messaging client. Insufficient sanitization of user-supplied input exposes the client to numerous markup language injection issues. Gaim versions 1.2.0 and earlier are affected.
  • Ref: http://gaim.sourceforge.net/security/?id=14
  • 05.14.15 - CVE: CAN-2005-0524
  • Platform: Cross Platform
  • Title: PHP Image File Format Remote Denial of Service
  • Description: PHP is affected by a remote denial of service vulnerability. The issue occurs due to a failure to properly validate user-controlled file data in the "php_handle_iff()" function. PHP versions 5.0.3 and earlier are known to be vulnerable.
  • Ref: http://www.php.net/release_4_3_11.php
  • 05.14.16 - CVE: CAN-2005-0525
  • Platform: Cross Platform
  • Title: PHP JPEG File Format Remote Denial of Service
  • Description: A remote denial of service vulnerability affects PHP. The problem presents itself when the affected application attempts to parse a maliciously crafted JPEG file. This occurs due to a failure to properly validate image header data in the "php_handle_jpeg()" function defined in "ext/standard/image.c". PHP versions 4.2.2, 4.3.9, 4.3.10 and 5.0.3 are affected.
  • Ref: http://www.idefense.com/application/poi/display?id=222&type=vulnerabilities
  • 05.14.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BakBone NetVault Remote Heap Overflow
  • Description: NetVault is a backup and restore solution. It is reported to be vulnerable to a remote heap overflow issue due to improper sanitization of user-supplied input to the "Clientname" variable. BakBone NetVault versions 7.1 and 7.0 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12967
  • 05.14.18 - CVE: CAN-2005-0430
  • Platform: Cross Platform
  • Title: Quake 3 Engine Message Denial of Service
  • Description: Quake 3 is a game produced by iD Software. The engine allows remote attackers to cause a denial of service issue including a remote shutdown of the game server and possible crash by sending a long infostring. All games using the Quake 3 engine as mentioned in the link are affected.
  • Ref: http://www.securityfocus.com/archive/1/394823
  • 05.14.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Star Wars Jedi Knight: Jedi Academy Buffer Overflow
  • Description: Star Wars Jedi Knight: Jedi Academy is a game developed by Raven Software. It is vulnerable to a stack-based buffer overflow issue that can be exploited remotely by an attacker to run arbitrary code on the server. Star Wars Jedi Knight: Jedi Academy 1.0.11 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394824
  • 05.14.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Call of Duty United Offensive Denial of Service
  • Description: Call of Duty and Call of Duty United Offensive are a series of games. They are reported to be vulnerable to a denial of service issue due to improper boundary checks. Call of Duty United Offensive versions 1.5.1b and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12978
  • 05.14.21 - CVE: CAN-2005-0035
  • Platform: Cross Platform
  • Title: Acrobat Reader ActiveX Control LoadFile Information Disclosure
  • Description: Adobe Acrobat Reader is an application designed for reading Portable Document Format (PDF) files. Adobe Acrobat Reader ActiveX control is affected by an information disclosure vulnerability. Adobe Acrobat Reader versions 7.0 and earlier are known to be vulnerable.
  • Ref: http://www.adobe.com/support/techdocs/331465.html http://www.adobe.com/support/techdocs/331468.html
  • 05.14.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Suite/Firefox JavaScript Lambda Replace Memory Disclosure
  • Description: Mozilla Suite/Firefox are reported vulnerable to a memory disclosure vulnerability. This issue can allow a remote attacker to disclose arbitrary heap memory. Firefox versions 1.0.1 and 1.0.2 are reported vulnerable. Mozilla version 1.7.6 is vulnerable as well.
  • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=288688
  • 05.14.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM iSeries AS400 LDAP Server Remote Information Disclosure
  • Description: IBM iSeries AS400 is an enterprise server solution. Due to a problem in the implementation of the LDAP server, the software is exposed to a remote information disclosure issue where user names and account information can be accessed by unauthorized users. All current versions are affected.
  • Ref: http://www.venera.com/downloads/AS400_ldap_user_accounts_disclosure.pdf
  • 05.14.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CommuniGate Pro LIST Unspecified Denial of Service
  • Description: CommuniGate Pro is an Internet messaging server. Communigate Pro is affected by an unspecified denial of service vulnerability. Communigate Pro versions 4.3 c2 and earlier are known to be vulnerable.
  • Ref: http://www.stalker.com/CommuniGatePro/History.html
  • 05.14.25 - CVE: CAN-2005-0942
  • Platform: Cross Platform
  • Title: Sybase Adaptive Server Enterprise Remote Denial of Service
  • Description: Sybase Adaptive Server Enterprise is a full SQL relational database management system. It is affected by a remote denial of service vulnerability due to a failure of the affected application to properly handle malformed network data. A remote attacker can leverage this issue to cause the affected server to crash, denying service to legitimate users. ASE versions 12.5.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/385198
  • 05.14.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sybase Adaptive Server Enterprise Attrib_Valid Remote Buffer Overflow
  • Description: Sybase Adaptive Server is a full SQL relational database management system. A buffer overflow vulnerability affects the "attrib_valid" Transact-SQL extension function. An attacker may exploit this issue to execute arbitrary code with the privileges of the affected application. The vendor has released Adaptive Enterprise Server 12.5.3 ESD#1 to address this issue.
  • Ref: http://www.ngssoftware.com/advisories/sybase-ase.txt
  • 05.14.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sybase Adaptive Server Enterprise Declare Extension Buffer Overflow
  • Description: Sybase Adaptive Server is a full SQL relational database management system. A remote buffer overflow vulnerability affects Sybase Adaptive Server Enterprise. Attackers can leverage this towards remote code execution or a denial of service condition.
  • Ref: http://www.securityfocus.com/archive/1/395001
  • 05.14.28 - CVE: Not Available12.5.3 and earlier are reported to be vulnerable.
  • Platform: Cross Platform
  • Title: Sybase Adaptive Server Enterprise Convert Function Buffer Overflow
  • Description: Sybase Adaptive Server is a full SQL relational database management system. It is reported to be vulnerable to a remote buffer overflow issue due to improper sanitization of user-supplied input to the "convert" function. Sybase Adaptive Server Enterprise versions
  • Ref: http://www.securityfocus.com/bid/13015
  • 05.14.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Nuke Downloads Cross-Site Scripting
  • Description: PHP Nuke is a content management system. The PHP Nuke "Downloads" module is vulnerable to a cross-site scripting issue due to the application failing to properly sanitize user supplied URI input. PHP-Nuke versions 7.6 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394971
  • 05.14.30 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNuke Multiple Module Cross-Site Scripting Vulnerabilities
  • Description: PHPNuke is a web-based portal system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input. PHPNuke versions 7.6 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12983
  • 05.14.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Logics Software LOG-FT Arbitrary File Disclosure
  • Description: LOG-FT is a web-based application that is used to transfer files to and from mainframe servers. It is vulnerable to a file disclosure vulnerablity with the "VAR_FT_LANG" and the "VAR_FT_TMPL" parameters. All versions of Logics Software LOG-FT are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394969
  • 05.14.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Comersus Cart Username Field HTML Injection
  • Description: Comersus Cart is a set of ASP scripts creating an online shopping cart. A remote HTML injection vulnerability affects Comersus Cart when a malicious user enters HTML and script code through the "Username" field of the affected application. Comersus Cart version 6.03 is affected by this issue.
  • Ref: http://www.comersus.com/index.html
  • 05.14.33 - CVE: Not Available
  • Platform: Web Application
  • Title: RunCMS Remote Arbitrary File Upload Vulnerability
  • Description: RunCMS is a web-based messaging system implemented in PHP. RunCMS is affected by a remote arbitrary file upload vulnerability. RunCMS versions 1.1A and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395097
  • 05.14.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Pavuk Multiple Unspecified Vulnerabilities
  • Description: Pavuk is a web spider application. It is reported to be vulnerable to multiple unspecified issues due to improper boundary checks. Pavuk version 0.9.31 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13005
  • 05.14.35 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Your_Account Module Avatarcategory Cross-Site Scripting
  • Description: PHP-Nuke is a content management system. Insufficient sanitization of the "Avatarcategory" parameter of the "Your_Account" module exposes the application to a cross-site scripting issue. PHP-Nuke versions 7.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/394971
  • 05.14.36 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Web_Links Module Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP-Nuke is a content management system. It is vulnerable to multiple cross-site scripting issues in the "Web_Links" Module. An attacker may leverage these issues to steal cookie-based authentication credentials. PHP-Nuke version 7.6 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394867
  • 05.14.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Active Auction House Multiple Cross-Site Scripting Vulnerabilities
  • Description: Active Auction House is web-based auction software. It is reportedly affected by multiple cross-site scripting vulnerabilities. These can be used towards theft of cookie-based authentication credentials.
  • Ref: http://www.securityfocus.com/archive/1/395104

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end== Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org Copyright 2005. All rights reserved. No posting or reuse allowed, other that listed above, without prior written permission.

Best money my company has spent on training or other computer conferences. The extra lunch and nightly seminars are great and push the conference over the top.
-Pat Militzer, MetroMLS Inc.

SANS 2010-sky-c

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT