
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 15
April 14, 2005

A huge week for new vulnerabilities! Windows users face critical new risks to add to last week's DNS cache poisoning problems. Oracle database and application server users also have work to do. CA Brightstor ArcServe users also face more critical vulnerabilities.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     3 (#2, #6, #8)
    Microsoft Office            2 (#5, #14)
    Other Microsoft Products    4 (#1, #3, #7)
    Third Party Windows Apps    11 (#10)
    Linux                       5
    Unix                        1
    Novell                      1
    Cross Platform              16 (#4, #9, #11, #12, #13)
    Web Application             39
    Network Device              6
    Hardware                    1

*************************************************************************

Highlighted Training Program of the Week

Rocky Mountain SANS 2005, in Denver in May, offers ten immersion tracks plus short courses on Cutting Edge Hacker Techniques, Security Policy Development, Security Awareness Training, and more. Wonderful teachers give you material you can put to work immediately upon returning to the office and present the most current tools and techniques. Details at http://www.sans.org/rockymnt2005

What attendees say: "SANS is the gold standard in network security training, in terms of relevance of material, knowledgeable instructors, and sheer usefulness." (Steve Keifling, SGI)

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Novell
Cross Platform
Web Application
Network Device
Hardware

************************* SPONSORED LINKS *******************************

These links may point to sites outside of SANS:

1) Stop worm outbreaks without stopping your business. FREE Worm Suppression white paper. http://www.sans.org/info.php?id=757

2) Find security tools that actually work and listen to interviews with users who have experience with them. Intrusion detection, penetration testing, end point security and more. http://www.sans.org/whatworks

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Exchange Server Extended Verb Overflow
  • Affected:
    • Microsoft Exchange Server 2000/2003
  • Description: Microsoft Exchange server supports many SMTP extended verbs that add functionality beyond the SMTP protocol specification. The extended verb used to communicate routing information (X-LINK2STATE) between Exchange servers contains a buffer overflow. The overflow can be exploited to execute arbitrary code with the privileges of the SMTP process, typically Local System. Note that Windows 2000 Exchange servers are critically affected as unauthenticated attackers can leverage this flaw. On Exchange 2003, the overflow can be exploited only by authenticated users, which reduces the impact of the vulnerability.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-021.

  • Council Site Actions: Many of the reporting council sites are responding to this vulnerability. All sites plan to patch during the next regular system update process.

  • References:
  • (2) CRITICAL: Windows Message Queuing Service Overflow
  • Affected:
    • Windows 2000 SP3 and SP4
    • Windows XP SP1 (including 64-bit edition)
  • Description: Windows Message Queuing service, an RPC-based service, allows applications running at different times to communicate across networks and systems that may even be temporarily offline. This service contains a buffer overflow that can be triggered by a specially crafted RPC call. An anonymous attacker can exploit this flaw to execute arbitrary code with "Local System" privileges. Note that even though the service is not installed by default on Windows systems, the MSMQ service is used in many e-commerce environments. Exploit code has been included in the Immunitysec CANVAS product.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-016. The service binds to multiple high-numbered TCP ports; hence, blocking unsolicited RPC requests above port 1024/tcp will prevent the attack. E-commerce and other sites using MSMQ should only expose the MSMQ HTTP service to the Internet.

  • Council Site Actions: One site is remediating its affected systems on a priority basis. Other sites that responded to this item plan to patch during the next regular system update process.

  • References:
  • (3) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities
  • Affected:
    • Windows 2000 SP3 and SP4
    • Windows XP SP1 and SP2
    • Windows XP 64-bit SP1 and 2003
    • Windows 2003
    • Windows 98/ME/SE
    • Internet Explorer 5.01, 5.5 and 6.0
  • Description: Microsoft has released a cumulative security update for Internet Explorer that patches the following vulnerabilities: (a) A specially crafted webpage using certain Dynamic HTML functions can force Internet Explorer to execute arbitrary code. The problem occurs due to a race condition between IE threads that can be exploited to overwrite a thread's memory with attacker-supplied data. The technical details and exploit code have been publicly posted. (b) Internet Explorer contains a heap corruption vulnerability that can be triggered by a link of the format '<a href="hostname over 256 characters">'. A malicious webpage or an HTML email may exploit this flaw to execute arbitrary code on a client system. (c) Internet Explorer Content Advisor (reached by clicking Tools->Options->Content on the IE menu) can restrict IE users from accessing certain sites. For example, parents can use the Content Advisor to limit access to adult sites for their children. IE contains a buffer overflow that can be triggered by a specially crafted Content Advisor file (PICS format). Note that an attacker would need to convince a user to accept the malicious PICS file in order to exploit the flaw.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-020. Note that Internet Explorer exploits are popularly used by malicious sites to install spyware and Trojans on client systems. Hence, this patch should be applied on an expedited basis.

  • Council Site Actions: All of the reporting council sites are planning to respond to this item. Some plan to patch over the next two weeks and others during their next regularly scheduled system update process.

  • References:
  • (5) HIGH: Microsoft Word Multiple Buffer Overflows
  • Affected:
    • Microsoft Word 2000/2002/2003
    • Microsoft Works Suite 2001/2002/2003/2004
  • Description: Microsoft has released patches for two buffer overflow vulnerabilities in Microsoft Word. One of the buffer overflows that has been patched was publicly reported in October 2004 along with complete technical details. The technical details about the other overflow have not been publicly disclosed. A webpage or a network share serving a malicious Word document, or an email with a malicious Word attachment, may leverage these flaws to compromise a client. Note that Internet Explorer automatically opens a Word document, which makes it easy to exploit the vulnerabilities via HTTP.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-023.

  • Council Site Actions: Most of the reporting council sites plan to respond to this item and install the patch during their next regularly scheduled system update process. One site commented that they don't distribute patches for applications such as MS Word, but do inform their users about the need to download and install MS Office updates.

  • References:
  • (6) HIGH: Windows Shell Remote Code Execution
  • Affected:
    • Windows 2000 SP3 and SP4
    • Windows XP SP1 and SP2
    • Windows XP 64-bit SP1 and 2003
    • Windows 2003
  • Description: Microsoft Office (Word, Excel, PowerPoint) and some WordPerfect and Adobe files are stored in "OLE2" format. This format stores a program name (actually its CLSID) in the OLE2 document so that the file can be opened even when it is renamed with an unknown extension. For instance, if a Word document is renamed with a ".docy" extension, Windows will still open the file with the Word program. A problem arises because Windows does not perform a proper check on the program CLSID stored in an OLE2 document. An attacker can craft a malicious OLE2 document with an unknown extension that contains the CLSID of an arbitrary executable. An attacker, for example, can use the CLSID of Microsoft HTML Application Host (MSHTA) in an OLE2 document to execute arbitrary script code on a user's system. Note that the user would need to double-click the attacker-supplied OLE2 document with an unknown extension. The attacker may be able to fool a user by using visually similar extensions such as ".d0c", ".pppt" etc. Exploit code to craft a malicious OLE2 document has been posted.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-016. A workaround to block the email attack vector is to filter file attachments with unknown extensions at the mail gateways. To prevent the attack via HTTP, users should be advised not to open documents with unknown extensions.

  • Council Site Actions: All of the reporting council sites plan to respond to this item. They will patch during their next regularly scheduled system update process.

  • References:
  • (7) MODERATE: MSN Messenger GIF Processing Overflow
  • Affected:
    • MSN Messenger version 6.2
  • Description: MSN Messenger contains a buffer overflow that can be triggered by malformed GIF image files. Specifically, GIF files with improper height and width values cause this overflow, which can be exploited to execute arbitrary code with the privileges of the MSN Messenger user. A successful attack requires significant user interaction: prior to sending a specially crafted GIF file, the attacker has to convince an MSN Messenger user to add him to the user's contact list.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-022.

  • Council Site Actions: Most of the council sites plan to respond to this item and install the patches during their next regularly scheduled system update process. A few sites commented that they are blocking the affected traffic at their network perimeter points; thus reducing the risk associated with this item. Installation and use of MSN Messenger is not supported by their central IT department, but neither is it blocked.

  • References:
  • (8) MODERATE: Windows TCP/IP Multiple Vulnerabilities
  • Affected:
    • Windows 2000 SP3 and SP4
    • Windows XP SP1 and SP2
    • Windows XP 64-bit SP1 and 2003
    • Windows 2003
  • Description: Windows OS contains the following vulnerabilities in its TCP/IP stack implementation. (a) A specially crafted IP message can lead to a buffer overflow that may be exploited to execute arbitrary code on a Windows system. The technical details regarding this flaw have not been publicly posted yet. (b) An existing TCP connection can be reset by using crafted ICMP or TCP packets. The attacker would need to guess the IP addresses and port numbers used in a TCP connection, as well as be able to spoof the source address of ICMP packets, to carry out these denial-of-service or TCP performance-degrading attacks. For more details, please look at item #9 in this newsletter. (c) The Land attack, a denial-of-service attack known since 1997, can be launched by directing IP packets with identical source and destination IP addresses to the target machine. By continuously sending a stream of malformed TCP "SYN" packets to open ports on a Windows XP/2003 system, it is possible to cause significant performance degradation (in some configurations 100% CPU utilization), thereby rendering the system unusable.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-019.

  • Council Site Actions: All of the reporting council sites plan to respond to this item and install the patches during their next regularly scheduled system update process. One site plans to patch all of their systems within one week, as they consider the (a) part of this vulnerability to raise the risk level.

  • References:
  • (9) MODERATE: Multiple Vendor ICMP Error Message Validation Flaws
  • Affected: A number of vendors including Cisco and Juniper. For a list of all the vendors, please refer to the CERT Advisory.
  • Description: The ICMP protocol was designed to communicate information about specific networking failures to hosts or routers on the Internet. The TCP protocol specification defines how a host should respond to ICMP messages. ICMP error messages may be classified into "hard" and "soft" errors, and contain the source port, destination port and the associated sequence number of the TCP connection. The "hard" errors (e.g. ICMP Destination Unreachable messages with codes 2, 3 and 4) result in an immediate reset of the TCP connection, whereas some "soft" errors (e.g. ICMP Source Quench) lead to performance degradation of the TCP connection. Multiple vendors' implementations of the TCP protocol do not sufficiently validate an ICMP error message, i.e. the sequence number in the ICMP error message is not checked for correctness. Hence, an ICMP error message containing the correct TCP port numbers, and the same source and destination IP addresses as a TCP connection, is processed and acted upon accordingly. An attacker can exploit this to craft ICMP packets that either reset an existing TCP connection or degrade its performance. Note that for services running on well-known ports, an attacker can reset a TCP connection with 65536 ICMP packets. In addition to the ICMP error messages, an attacker can lower the Maximum Transmission Unit (MTU) size being used in a TCP connection by sending spoofed ICMP Type 3 Code 4 messages. This can degrade the performance of the applications running over TCP. The higher-level protocols that use long-lasting TCP sessions, such as the Border Gateway Protocol (BGP), are most affected by this vulnerability. BGP uses persistent TCP connections to exchange routing information with other BGP peers. Repeatedly resetting a BGP connection can lead to denial-of-service to certain portions of the Internet.

  • Status: Many vendors, including Cisco and Juniper, have confirmed the flaw and have made updates available. For a detailed status on other vendors, please refer to the UK NISCC advisory below. A possible workaround is to filter ICMP messages at the network perimeter and allow only certain types of ICMP messages into the network.

  • Council Site Actions: One site considers this a low-risk vulnerability due to the difficulty of exploitation vs. other DoS mechanisms, and thus does not plan any action. Most of the other reporting council sites plan to patch their systems during their next regularly scheduled system update process.

  • References:
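As an added illustration of the mail-gateway workaround in item (6) (filter attachments whose extension does not match their content), the following Python check identifies OLE2 compound documents by their 8-byte file signature rather than by extension and flags those carrying an unexpected or look-alike extension such as ".d0c" or ".pppt". This is example code written for this bulletin, not code from Microsoft or from the newsletter; the extension allow-lists, the verdict strings and the sample attachment bytes are constructed assumptions.

```python
"""Attachment content check for the OLE2 / Windows Shell issue (item 6).
Added example, not from the newsletter or from Microsoft: identifies
OLE2 compound documents by their signature instead of trusting the
file extension. Extension lists and sample data are assumptions."""

# Signature at the start of every OLE2 compound file (D0 CF 11 E0 A1 B1 1A E1).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions a gateway expects on OLE2 documents (assumed policy, not exhaustive).
OLE2_EXTENSIONS = {"doc", "dot", "xls", "xlt", "ppt", "pps", "pot", "msg", "wpd"}

# Everything else the gateway lets through; any other extension is "unknown"
# and quarantined, as the newsletter's workaround suggests (assumed policy).
ALLOWED_EXTENSIONS = OLE2_EXTENSIONS | {"txt", "pdf", "jpg", "png", "gif", "zip"}


def extension_of(filename):
    """Lower-cased extension of the last path component, '' if there is none."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_ole2(data):
    """True if the attachment bytes start with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]


def lookalike(ext, known):
    """Does ext mimic a known extension, e.g. 'd0c' for 'doc' or 'pppt' for 'ppt'?"""
    return any(within_one_edit(ext, k) for k in known)


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment; verdict is 'allow' or 'quarantine'."""
    ext = extension_of(filename)
    if is_ole2(data):
        if ext in OLE2_EXTENSIONS:
            return ("allow", "ole2 document with expected extension")
        if lookalike(ext, OLE2_EXTENSIONS):
            return ("quarantine", "ole2 document with look-alike extension")
        return ("quarantine", "ole2 document with unexpected extension")
    if ext not in ALLOWED_EXTENSIONS:
        return ("quarantine", "unknown extension")
    return ("allow", "ok")


# Constructed sample: a minimal OLE2 header (signature plus zero padding).
SAMPLE_OLE2 = OLE2_MAGIC + bytes(504)

if __name__ == "__main__":
    for name, payload in [("quarterly.doc", SAMPLE_OLE2), ("quarterly.d0c", SAMPLE_OLE2),
                          ("quarterly.html", SAMPLE_OLE2), ("notes.txt", b"plain text"),
                          ("invoice.scr", b"MZ")]:
        print(name, classify_attachment(name, payload))
```

The signature check is the part that matters: Windows decides how to open the file from the CLSID inside the OLE2 container, so a gateway that keys only on the extension is looking at the one thing the attacker controls freely. The one-edit comparison catches the visually similar extensions the item mentions, at the cost of also quarantining honest typos, which is the right trade-off at a perimeter.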
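As an added example for items (8b) and (9), the following Python code shows the validation that the newsletter says the affected TCP stacks lack: an ICMP hard or soft error is only honoured when the quoted IP/TCP header matches an existing connection and the quoted sequence number lies in the unacknowledged send window (SND.UNA <= seq < SND.NXT, modulo 2^32), the check later standardised in RFC 5927. The code is not from the newsletter or any vendor; the connection table, the sample ICMP messages and the verdict strings are constructed for illustration.

```python
"""Validation of ICMP error messages against TCP connection state, for
items (8b) and (9). Added example, not from the newsletter or any vendor.
Connection table, sample messages and verdict strings are constructed."""
import socket
import struct

MOD32 = 1 << 32
# (type, code) pairs the newsletter calls "hard" errors (Destination
# Unreachable codes 2, 3, 4) and the "soft" Source Quench error.
HARD_ERRORS = {(3, 2), (3, 3), (3, 4)}
SOFT_ERRORS = {(4, 0)}

# Constructed connection table: (local ip, local port, remote ip, remote port)
# -> (SND.UNA, SND.NXT). One long-lived BGP session, as in the newsletter.
CONNECTIONS = {("10.0.0.5", 40000, "192.0.2.10", 179): (1000, 1500)}


def parse_icmp_error(msg):
    """Return (type, code, src_ip, dst_ip, sport, dport, seq) from a raw ICMP
    error message, or None if it is too short or does not quote an IPv4/TCP
    header. The quoted header is the packet *we* sent, so src is the local side."""
    if len(msg) < 8 + 20 + 8:
        return None
    icmp_type, code = msg[0], msg[1]
    ip = msg[8:]                        # quoted IPv4 header follows the 8-byte ICMP header
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8 or ip[9] != 6:   # 6 = TCP
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])   # first 8 TCP bytes
    return icmp_type, code, src_ip, dst_ip, sport, dport, seq


def seq_in_window(seq, snd_una, snd_nxt):
    """True if SND.UNA <= seq < SND.NXT, with 32-bit wrap-around."""
    return (seq - snd_una) % MOD32 < (snd_nxt - snd_una) % MOD32


def validate_icmp_error(msg, connections=CONNECTIONS):
    """Decide what a hardened stack should do with one ICMP error message."""
    parsed = parse_icmp_error(msg)
    if parsed is None:
        return "drop: malformed or non-TCP quote"
    icmp_type, code, src_ip, dst_ip, sport, dport, seq = parsed
    if (icmp_type, code) not in HARD_ERRORS | SOFT_ERRORS:
        return "ignore: not a hard or soft error"
    conn = connections.get((src_ip, sport, dst_ip, dport))
    if conn is None:
        return "drop: no matching connection"
    snd_una, snd_nxt = conn
    if not seq_in_window(seq, snd_una, snd_nxt):
        return "drop: sequence number outside send window"
    return "reset connection" if (icmp_type, code) in HARD_ERRORS else "slow down"


def sample_icmp_error(icmp_type, code, src_ip, dst_ip, sport, dport, seq):
    """Build a minimal ICMP error quoting an IPv4/TCP header (checksums left
    zero); constructed sample input for this example only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + tcp


if __name__ == "__main__":
    for label, seq in [("in-window", 1200), ("stale", 5000)]:
        msg = sample_icmp_error(3, 3, "10.0.0.5", "192.0.2.10", 40000, 179, seq)
        print(label, validate_icmp_error(msg))
```

The sequence-number check is what turns the 65536-packet brute force the item describes into a search over the 32-bit sequence space as well, since a spoofed message must now also quote a value inside the current send window. An empty window (SND.UNA == SND.NXT, nothing in flight) rejects every message, which is the conservative choice for a reset.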
Other Software
  • (10) CRITICAL: Computer Associates BrightStor ARCServe Backup Overflow
  • Affected:
    • BrightStor ARCserve Backup 9.x, 10.x and 11.x on Windows platform
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup services for Windows, NetWare, Linux and UNIX. The backup agent, which listens on port 6050/tcp by default, contains a buffer overflow. The flaw can be triggered by sending a large string followed by the "option" field set to 0, 3 or 1000, and exploited to execute arbitrary code with "SYSTEM" privileges. Exploit code has been included in the Metasploit project.

  • Status: CA confirmed, updates available. A workaround is to block traffic to port 6050/tcp at the network perimeter.

  • Council Site Actions: Three sites responded to this item. One site plans to patch during its next regular patching cycle. The second site plans to scan its network on TCP port 6050 to obtain a preliminary list of systems that may be affected and then determine action. They may have some systems directly exposed to the Internet. The final site is in the process of migrating away from CA backup products and will proceed with patching its systems to limit exposure.

  • References:
  • (11) HIGH: OpenOffice Doc File Overflow
  • Affected:
    • OpenOffice version 1.1.4 and prior
    • OpenOffice version 2.0 beta
  • Description: OpenOffice is a multi-platform, open-source office productivity suite that emulates commercial products such as Microsoft Office. This software contains a heap-based overflow that can be triggered by a malformed ".doc" (Word) file. The flaw can be exploited to execute arbitrary code on the client system with the privileges of the logged-on user. If OpenOffice is set as the default application to handle .doc documents, browsing a malicious page or clicking a Word attachment in an email is sufficient to trigger the flaw. The technical details that can be used to craft a malicious .doc document have been posted.

  • Status: OpenOffice confirmed, patches available. Users of 2.0 Beta should download version 1.9.95.

  • Council Site Actions: Only one site responded to this item. They have around 400 systems where the system configuration and/or user practices would lead to some risk of opening a malicious document. They plan to update their systems this month.

  • References:
  • (12) MODERATE: Lotus Domino Server Buffer Overflow
  • Affected:
    • Domino server version 6.0.5 and 6.5.4
  • Description: IBM Lotus Domino multi-platform server software is designed to handle email and scheduling for large enterprises. The HTTP service in the Lotus Domino server contains a buffer overflow that can be triggered by an HTTP POST request containing a large amount of data for certain time/date fields. The researchers claim to have discovered six attack vectors to exploit this flaw that, they say, will be disclosed in July 2005. Lotus Domino administrators should upgrade their servers before July. Note that the flaw is marked as "MODERATE" due to unavailability of complete technical details and the lack of information regarding the credentials required to exploit this flaw. According to the @RISK recommendations, "MODERATE" rated flaws should be attended to within 15 business days.

  • Status: IBM has acknowledged the flaw and has released an update.

  • Council Site Actions: Two of the reporting council sites are running the affected software. Both plan to patch during their next regularly scheduled system update process.

  • References:
  • (13) MODERATE: Veritas i3 FocalPoint Server Vulnerability
  • Affected:
    • i3 FocalPoint Server version 7.1 and prior
  • Description: FocalPoint server is the central server of the Veritas i3 Application Performance Management suite. NGSSoftware has reported a critical flaw in this server. Note that the @RISK rating for this flaw is "MODERATE" due to lack of any further information, but "critical" ratings from NGSSoftware typically imply that a remote compromise of the FocalPoint server may be possible by unauthenticated attackers. This server is bundled with other servers such as Oracle. Hence, FocalPoint users should upgrade their servers prior to the release of the technical details of the flaw (currently scheduled for July 2005).

  • Council Site Actions: The affected software or vulnerable configuration is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 15, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4224 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.15.1 - CVE: CAN-2005-0059
  • Platform: Windows
  • Title: Microsoft Windows Message Queuing Remote Buffer Overflow
  • Description: Microsoft Message Queuing (MSMQ) attempts to facilitate process communication over the Internet. A remote buffer overflow vulnerability affects Microsoft Windows. A remote attacker may exploit this issue to execute arbitrary code with SYSTEM privileges.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx

  • 05.15.2 - CVE: CAN-2005-0063
  • Platform: Windows
  • Title: Microsoft Windows Shell Remote Code Execution
  • Description: Microsoft Windows is vulnerable to an issue that may allow remote attackers to execute code through the Windows Shell. A design error allows the execution of non-executable object/file types.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx

  • 05.15.3 - CVE: CAN-2005-0048
  • Platform: Windows
  • Title: Microsoft Windows Internet Protocol Validation Code Execution
  • Description: Microsoft Windows is vulnerable to a remote code execution issue due to insufficient validation that is performed on TCP/IP data. Microsoft has released a patch to address this issue.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx

  • 05.15.4 - CVE: CAN-2005-1052
  • Platform: Microsoft Office
  • Title: Microsoft Outlook Email Address Spoofing Weakness
  • Description: Microsoft Outlook and Outlook Web Access clients are vulnerable to an address spoofing issue. This occurs when attackers send a spoofed email address. Outlook displays only the first of the comma-separated addresses in the "From" field. Microsoft Outlook 2003 and Outlook Web Access 2003 are vulnerable.
  • Ref: http://xforce.iss.net/xforce/xfdb/20026

  • 05.15.5 - CVE: CAN-2005-0558
  • Platform: Microsoft Office
  • Title: Microsoft Word Malformed Document Buffer Overflow
  • Description: Microsoft Word is vulnerable to a buffer overflow issue when it attempts to parse a malformed document. This vulnerability may be leveraged by an attacker to execute arbitrary code with the user's context when the malicious document is opened.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-023.mspx

  • 05.15.6 - CVE: CAN-2005-0554
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Malformed URI Buffer Overflow
  • Description: Microsoft Internet Explorer is susceptible to a buffer overflow vulnerability, triggered by specially formatted URIs. A remote attacker may be able to execute malicious code on the user's computer in the context of Internet Explorer.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx

  • 05.15.7 - CVE: CAN-2005-0555
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Content Advisor Buffer Overflow
  • Description: Microsoft Internet Explorer is vulnerable to a remote buffer overflow issue when handling malformed Content Advisor files due to insufficient boundary checks prior to copying user-supplied data. See Microsoft Security Bulletin MS05-020 for further details.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx

  • 05.15.8 - CVE: CAN-2005-0553
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer DHTML Memory Corruption
  • Description: A vulnerability in Microsoft Internet Explorer that is related to DHTML (Dynamic Hypertext Markup Language) may allow a remote attacker to execute arbitrary code in the context of the user of Internet Explorer. The malicious DHTML code on the attacker's website will try to exploit a race condition between multiple DHTML rendering threads inside Internet Explorer.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx

  • 05.15.9 - CVE: CAN-2005-0562
  • Platform: Other Microsoft Products
  • Title: MSN Messenger GIF Image Processing Remote Buffer Overflow
  • Description: MSN Messenger is reported to be vulnerable to a remote buffer overflow issue due to improper boundary checks. MSN Messenger 6.2 and MSN Messenger 7.0 beta are reported to be vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-022.mspx

  • 05.15.10 - CVE: CAN-2005-1015
  • Platform: Third Party Windows Apps
  • Title: MailEnable IMAP Login Request Buffer Overflow
  • Description: MailEnable is a commercially available mail server for the Microsoft Windows platform. MailEnable is affected by a remotely exploitable stack-based buffer overflow vulnerability. MailEnable versions 1.54 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395720

  • 05.15.11 - CVE: CAN-2005-1034
  • Platform: Third Party Windows Apps
  • Title: SurgeFTP LEAK Command Denial of Service
  • Description: SurgeFTP is an FTP server supporting SSL/TLS. SurgeFTP exposes an internal debugging facility, which can be used to create a DoS situation. SurgeFTP versions 2.2m1 and 2.2k3 running on Windows 2000 and XP were reported to be vulnerable.
  • Ref: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1034

  • 05.15.12 - CVE: CAN-2005-1087
  • Platform: Third Party Windows Apps
  • Title: AN HTTPD CMDIS.DLL Remote Buffer Overflow
  • Description: AN HTTPD is a web server. It is reported to be vulnerable to a remote buffer overflow issue due to improper boundary checks. AN HTTPD version 1.42n is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13066

  • 05.15.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: HTTPD Log Content Injection
  • Description: AN HTTPD is a web server. It is vulnerable to an issue that allows injection of arbitrary content into the log file due to failing to validate input. AN HTTPD version 1.42n is vulnerable.
  • Ref: http://www.security.org.sg/vuln/anhttpd142n.html

  • 05.15.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Maxthon Web Browser Plug-in API Directory Traversal Vulnerability
  • Description: Maxthon web browser is based on the Microsoft Internet Explorer engine and provides tabbed browsing support. It is vulnerable to an input validation issue that can be used by a remote attacker to read or write arbitrary files with the privileges of a user that is running the vulnerable web browser. Maxthon web browser versions 1.2.1 and 1.2.0 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13074/discussion/

  • 05.15.15 - CVE: CAN-2005-1091
  • Platform: Third Party Windows Apps
  • Title: Maxthon Web Browser Plug-in API Security ID Information Disclosure
  • Description: Maxthon web browser is reported to be vulnerable to an information disclosure issue. The issue presents itself when a malicious application gets the security id from the "max.src" file. Maxthon version 1.2.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13073

  • 05.15.16 - CVE: CAN-2005-1045
  • Platform: Third Party Windows Apps
  • Title: Centrinity FirstClass Client Bookmark Window File Execution
  • Description: Centrinity FirstClass Desktop is a client application used to manage the FirstClass server. The FirstClass client fails to validate user input, which can result in a malicious file being placed on the client filesystem and later executed. FirstClass 8.0 is affected by this issue.
  • Ref: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1045

  • 05.15.17 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Multiple Debuggers Malicious Code Execution
  • Description: Multiple Windows debuggers are affected by a malicious code execution issue due to a failure of the affected applications to properly ensure that the examined code is run in a contained environment. All current versions of OllyDbg, WinDbg, and Microsoft Visual C++ Debuggers are affected.
  • Ref: http://www.securityfocus.com/archive/1/395520

  • 05.15.18 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IrfanView Multiple Heap-Based Memory Corruption Vulnerabilities
  • Description: IrfanView is an image viewer application. It is vulnerable to multiple unspecified heap memory corruption issues due to insufficient sanity checks while allocating heap-based memory. Irfan Skiljan IrfanView32 version 3.0.7 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395529

  • 05.15.19 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Centra 7 User Information Multiple HTML Injection Vulnerabilities
  • Description: Centra 7 is software for streaming Microsoft Office and other applications over the web. It is vulnerable to multiple HTML injection issues due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to steal cookie-based authentication credentials. All current versions of Centra 7 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395577

  • 05.15.20 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WIDCOMM Bluetooth Communication Software Directory Traversal
  • Description: WIDCOMM provides Bluetooth communication software. It is reported to be vulnerable to a directory traversal issue. WIDCOMM BTStackServer for Microsoft Windows version 1.4.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13135

  • 05.15.21 - CVE: CAN-2005-0390
  • Platform: Linux
  • Title: Axel HTTP Redirection Buffer Overflow
  • Description: Axel is a download accelerator application for various Linux platforms. Axel is prone to a buffer overflow vulnerability in "conn.c". This issue presents itself when Axel handles HTTP redirection. A malicious HTTP response could overrun a static buffer, potentially allowing arbitrary code execution in the security context of the application. This vulnerability was fixed in Axel 1.0b.
  • Ref: http://www.securityfocus.com/advisories/8401

  • 05.15.22 - CVE: CAN-2005-1046
  • Platform: Linux
  • Title: KDE PCX Image File Handling Buffer Overflow
  • Description: KDE "kimgio" library is used for image handling in the KDE desktop system. While handling PCX files the library fails to ensure that memory allocation routines succeed prior to utilizing the returned pointer in memory write operations. This results in a buffer overflow issue. All current versions are affected.
  • Ref: http://bugs.kde.org/show_bug.cgi?id=102328

  • 05.15.23 - CVE: Not Available
  • Platform: Linux
  • Title: GwenView Multiple Unspecified Image Handling Heap Memory Corruption
  • Description: GwenView is an image viewer application for KDE. It is reported to be vulnerable to multiple unspecified heap memory corruption issues due to improper boundary checks. GwenView version 1.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13098

  • 05.15.24 - CVE: CAN-2005-0404
  • Platform: Linux
  • Title: KDE KMail HTML EMail Remote Email Content Spoofing
  • Description: KDE KMail is an email client integrated with the K Desktop Environment. KMail fails to properly sanitize HTML email messages, resulting in a possibility of spoofed email content and various header fields of email messages. KDE KMail 1.7.1 and likely other versions are affected.
  • Ref: http://bugs.kde.org/show_bug.cgi?id=96020

  • 05.15.25 - CVE: Not Available
  • Platform: Linux
  • Title: Internet JunkBuster Heap Corruption
  • Description: JunkBuster is an HTTP proxy. It is vulnerable to a heap corruption issue when it filters URIs. JunkBuster version 2.02 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8405

  • 05.15.26 - CVE: CAN-2005-0967
  • Platform: Unix
  • Title: Gaim IRC Plugin Multiple Remote Denial of Service Vulnerabilities
  • Description: Gaim is an instant messaging client. It is affected by multiple issues that lead to a denial of service condition. Gaim version 1.2.0 is affected.
  • Ref: http://securitytracker.com/alerts/2005/Apr/1013645.html


  • 05.15.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenView Network Node Manager Unspecified Denial of Service
  • Description: HP OpenView Network Node Manager is a management software package. It is vulnerable to an unspecified denial of service issue. HP OpenView Network Node Manager versions 7.50 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8372

  • 05.15.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: eTrust Intrusion Detection System Remote Denial of Service
  • Description: Computer Associates eTrust Intrusion Detection System is a network security application that provides functionality such as intrusion detection, antivirus, centralized monitoring and web filtering. eTrust Intrusion Detection System is affected by a remote denial of service vulnerability. eTrust Intrusion Detection System versions 3.0 SP1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395012

  • 05.15.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sybase Adaptive Server Enterprise Install Remote Buffer Overflow
  • Description: Sybase Adaptive Server is an SQL relational database management system. A buffer overflow vulnerability affects the "install java" statement. Please check the link below for a list of vulnerable versions.
  • Ref: http://www.ngssoftware.com/advisories/sybase-ase.txt

  • 05.15.31 - CVE: CAN-2005-1022
  • Platform: Cross Platform
  • Title: Macromedia ColdFusion MX Updater Remote File Disclosure
  • Description: Macromedia ColdFusion MX is vulnerable to a remote file disclosure issue. Remote attackers can access compiled Java files on the application server. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/395265

  • 05.15.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Server Web Service Remote Denial of Service
  • Description: IBM Lotus Domino Server is an application framework for web-based collaborative software. A remote denial of service vulnerability affects IBM Lotus Domino Server web service. This issue is due to a failure of the application to properly handle malformed network requests. Version 6.5.1 is reported affected.
  • Ref: http://www.idefense.com/application/poi/display?id=224&type=vulnerabilities

  • 05.15.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PopUp Plus Instant Messenger Remote Buffer Overflow
  • Description: PopUp Plus Instant Messenger is a plugin that provides popup window functionality. It is vulnerable to a remote buffer overflow issue due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers; this can be exploited by an attacker to execute arbitrary code on a vulnerable system. PopUp Plus versions 2.0.3.8 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13048/discussion/

  • 05.15.34 - CVE: CAN-2005-1080
  • Platform: Cross Platform
  • Title: Sun J2SE SDK Java Archive Tool Directory Traversal
  • Description: Sun J2SE Java Archive Tool is a compression utility that is used to create Java Archive (JAR) files. Insufficient sanitization of the "../" sequence exposes the software to a directory traversal issue. Sun Java 2 Standard Edition versions 1.5.0 and 1.4.2 are affected.
  • Ref: http://www.securityfocus.com/bid/13083

  • 05.15.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DC++ Unspecified Download Drive File Appending
  • Description: DC++ is a client for the Direct Connect protocol. A vulnerability in it allows remote attackers to append data to files in the local download directory. DC++ versions earlier than 0.674 are reported to be vulnerable.
  • Ref: http://dcplusplus.sourceforge.net/index.php?t=8&s=1

  • 05.15.36 - CVE: CAN-2005-0941
  • Platform: Cross Platform
  • Title: OpenOffice Malformed Document Remote Heap Overflow
  • Description: OpenOffice is reported to be vulnerable to a remote heap overflow vulnerability resulting from insufficient boundary checks performed by the application. OpenOffice versions 1.1.4 and 2.0 Beta are reported to be vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/395516?ref=rss

  • 05.15.37 - CVE: CAN-2005-1018
  • Platform: Cross Platform
  • Title: ARCserve Backup UniversalAgent Remote Buffer Overflow
  • Description: A remote buffer overflow vulnerability reportedly affects BrightStor ARCserve and ARCserve Enterprise agent. A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer. Computer Associates BrightStor ARCserve Backup version v11 for Win32 platforms is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395512

  • 05.15.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino POST Request Buffer Overflow
  • Description: IBM Lotus Domino Server is an application framework for web-based collaborative software. A POST request containing excessive data causes an internal buffer overflow in the application. IBM Lotus Domino Server versions 6.0.5 and 6.5.4 resolve the issue.
  • Ref: http://www.securityfocus.com/archive/1/395583

  • 05.15.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GLD Postfix Greylisting Daemon Buffer Overflow
  • Description: Salim Gasmi's GLD Postfix greylisting daemon is designed to implement the greylisting protocol. This issue is due to a failure of the application to properly ensure that a fixed-size memory buffer is sufficiently large prior to copying user-supplied input data into it. GLD version 1.4 is affected.
  • Ref: http://www.gasmi.net/gld.html

  • 05.15.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GLD Postfix Greylisting Daemon Format String
  • Description: Salim Gasmi's GLD Postfix greylisting daemon is a standalone daemon designed to implement the greylisting protocol. A format string issue in its printing functionality allows remote attackers to cause a denial of service or remote code execution on a vulnerable system. GLD version 1.4 is reported to be affected.
  • Ref: http://www.securityfocus.com/advisories/8402

  • 05.15.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Multiple Vulnerabilities
  • Description: Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are susceptible to multiple vulnerabilities, some of them remotely exploitable and some of them exploitable without authorization (login). Oracle has released "Critical Patch Updates" that address these issues for the above-mentioned products on various platforms.
  • Ref: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf

  • 05.15.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun JavaMail MimeBodyPart.getFileName Directory Traversal
  • Description: Sun JavaMail is an API that provides a framework to build mail and messaging applications. The MimeBodyPart.getFileName() method in the JavaMail API does not perform validation on the filename attribute in the Content-Disposition header of received email. An attacker could craft an email containing a malicious filename using '../' directory traversal sequences potentially allowing existing data to be overwritten. This issue was reported to affect JavaMail 1.3.2.
  • Ref: http://www.securityfocus.com/archive/1/395584

  • 05.15.43 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Internet Junkbuster Configuration Modification Vulnerability
  • Description: Internet Junkbuster is an open source HTTP proxy that removes banner ads and protects a user from cookies and information leaks. It contains a vulnerability that, if exploited, allows a remote attacker to modify the "referrer" setting, provided the application is running in single threaded mode. The filtering of Referrer URIs could be disabled, which could compromise the user's privacy.
  • Ref: http://www.securityfocus.com/bid/13147

  • 05.15.44 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPMyAdmin Convcharset Cross-Site Scripting
  • Description: PHPMyAdmin is a tool for handling MySQL administrative tasks. Insufficient sanitization of the "convcharset" parameter in the "index.php" script exposes the application to a cross-site scripting issue. PHPMyAdmin versions prior to 2.6.2-rc1 are affected.
  • Ref: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3

  • 05.15.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Early Impact ProductCart Multiple Input Validation
  • Description: Early Impact ProductCart is online web store software that is implemented in ASP. Multiple input validation vulnerabilities reportedly affect ProductCart. These issues are due to a failure of the application to properly sanitize user-supplied input prior to using it to carry out critical actions. The issues affect ProductCart version 2.7.
  • Ref: http://digitalparadox.org/advisories/prodcart.txt

  • 05.15.46 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Banners.PHP Cross-Site Scripting
  • Description: PHP-Nuke is a content management system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of the bid parameter of the "banners.php" script. PHP-Nuke version 7.6 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13026

  • 05.15.47 - CVE: Not Available
  • Platform: Web Application
  • Title: ProfitCode Software PayProCart Directory Traversal
  • Description: PayProCart is a web-based shopping cart. PayProCart is vulnerable to a directory traversal attack when handling crafted HTTP GET requests through the "ftoedit" parameter. PayProCart version 3.0 is vulnerable.
  • Ref: http://digitalparadox.org/advisories/profit.txt

  • 05.15.48 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Your_Account Module Username Cross-Site Scripting
  • Description: PHP-Nuke "Your_Account" module is affected by a cross-site scripting vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input. This vulnerability is reported to affect PHP-Nuke versions 7.6 and earlier.
  • Ref: http://www.securityfocus.com/archive/1/394971

  • 05.15.49 - CVE: CAN-2005-1029
  • Platform: Web Application
  • Title: Active Auction House default.asp multiple SQL Injection Vulnerabilities
  • Description: Active Auction House is web auction software. Insufficient sanitization of the "Sortby" and "SortDir" parameters in the "default.asp" script exposes the application to multiple SQL injection issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/395104

  • 05.15.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Active Auction House itemInfo.asp SQL Injection
  • Description: Active Auction House is web auction software. It is affected by an SQL injection vulnerability due to a failure in the application to properly sanitize user-supplied input to the "itemID" parameter of "ItemInfo.asp" script. All currently known versions of Active Auction House are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395104

  • 05.15.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Active Auction House Sendpassword.ASP SQL Injection
  • Description: Active Auction House is web-based auction software implemented in ASP. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "email" parameter of the "sendpassword.asp" script.
  • Ref: http://www.securityfocus.com/bid/13035

  • 05.15.52 - CVE: CAN-2005-0996
  • Platform: Web Application
  • Title: PHP-Nuke Downloads Module multiple SQL Injection Vulnerabilities
  • Description: PHP-Nuke is a content management system. Insufficient sanitization of the "url", "email" and "min" parameters exposes the application to multiple SQL injection issues. PHP-Nuke versions 7.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/395256

  • 05.15.53 - CVE: Not Available
  • Platform: Web Application
  • Title: WebWasher Conf Script Cross-Site Scripting
  • Description: WebWasher is free Internet filtering software. It is reported that the WebWasher "conf" script is prone to a cross-site scripting vulnerability. A remote attacker may exploit this issue to have arbitrary script and HTML code executed in the browser of a target user. WebWasher CSM 4.4.1 (Build 752) is reported to be vulnerable to this issue.
  • Ref: http://www.oliverkarow.de/research/WebWasherCONNECT.txt

  • 05.15.54 - CVE: CAN-2005-1030
  • Platform: Web Application
  • Title: Active Auction House Multiple Cross-Site Scripting Vulnerabilities
  • Description: Active Auction House is web auction software. Insufficient sanitization of the "Title" and "Table" parameters to the "sendpassword.asp" script exposes the application to multiple cross-site scripting issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/395104

  • 05.15.55 - CVE: CAN-2005-0999
  • Platform: Web Application
  • Title: PHP-Nuke Top Module SQL Injection
  • Description: PHP-Nuke is a content management system. Insufficient sanitization of the "querylang" parameter in the "Top" module exposes the application to an SQL injection issue.
  • Ref: http://www.securityfocus.com/archive/1/395132

  • 05.15.56 - CVE: CAN-2005-1026
  • Platform: Web Application
  • Title: PHPBB LinksLinks Pro Module SQL Injection
  • Description: PHPBB LinksLinks Pro is a module for phpBB. Failure to properly sanitize user-supplied input to the "id" parameter of the "links.php" file before using it in an SQL query exposes the application to an SQL injection issue. PHPBB versions 2.0.13 and earlier are affected.
  • Ref: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1026

  • 05.15.57 - CVE: Not Available
  • Platform: Web Application
  • Title: PayProCart usrdetails.php Cross-Site Scripting
  • Description: PayProCart is a web-based PayPal and eBay shopping cart implemented in PHP. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "usrdetails.php" script; an attacker can leverage this to steal cookie-based authentication credentials. PayProCart version 3.0 is vulnerable.
  • Ref: http://digitalparadox.org/advisories/profit.txt

  • 05.15.58 - CVE: CAN-2005-0997
  • Platform: Web Application
  • Title: PHP-Nuke Web_Links Module Multiple SQL Injection Vulnerabilities
  • Description: PHP-Nuke is a content management system. The Web_Links module of PHP-Nuke is vulnerable to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in SQL queries. PHP-Nuke versions 7.6 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395272

  • 05.15.59 - CVE: CAN-2005-1068
  • Platform: Web Application
  • Title: sCssBoard URL Tag Script Injection Vulnerability
  • Description: sCssBoard is web forum software implemented in PHP. It is reported to be vulnerable to a script injection issue due to improper sanitization of user-supplied input. sCssBoard versions 1.11, 1.1 and 1.0 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13041

  • 05.15.60 - CVE: Not Available
  • Platform: Web Application
  • Title: DLMan Pro Module SQL Injection
  • Description: DLMan Pro is a phpBB download manager module. It is vulnerable to an SQL injection issue due to failing to properly sanitize user-supplied input to the "file_id" parameter of "dlman.php". DLMan Pro version 0.9.8 corrects this issue.
  • Ref: http://www.securityfocus.com/bid/13028/info/

  • 05.15.61 - CVE: CAN-2005-1032
  • Platform: Web Application
  • Title: LiteCommerce Multiple SQL Injection
  • Description: LiteCommerce is an e-commerce application implemented in PHP. LiteCommerce fails to properly sanitize user-supplied input before using it in SQL queries, exposing the application to an SQL injection issue. All versions of LiteCommerce are affected by this issue.
  • Ref: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1032

  • 05.15.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Ocean12 Membership Manager Pro SQL Injection
  • Description: Ocean12 Membership Manager Pro is a web-based membership manager application implemented in ASP and VBScript, utilizing a Microsoft Access database. Ocean12 Membership Manager Pro is reportedly affected by an SQL injection vulnerability. This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
  • Ref: http://www.hackerscenter.com/archive/view.asp?id=1865

  • 05.15.63 - CVE: CAN-2005-1079
  • Platform: Web Application
  • Title: Zoom Media Gallery Index.PHP SQL Injection
  • Description: Zoom Media Gallery is an image gallery module for MamboCMS. An SQL injection issue could allow remote attackers to compromise the backend database. Zoom Media Gallery version 2.1.2 is reported to be vulnerable.
  • Ref: http://dcplusplus.sourceforge.net/index.php?t=8&s=1

  • 05.15.64 - CVE: CAN-2005-1070
  • Platform: Web Application
  • Title: Invision Power Board SQL Injection Vulnerability
  • Description: Invision Power Board is web forum software. It is vulnerable to an SQL injection issue in its "index.php" script due to improper sanitization of user-supplied data. Invision Power Board versions 1.3.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/395515

  • 05.15.65 - CVE: CAN-2005-0569
  • Platform: Web Application
  • Title: PunBB profile.php SQL Injection
  • Description: PunBB is a web-based bulletin board application. PunBB fails to properly sanitize user-supplied input through the "change_email" action of the "profile.php" script before using it in an SQL query. PunBB 1.2.4 and prior versions are vulnerable.
  • Ref: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0569

  • 05.15.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Access_user Class Arbitrary Account Authentication Bypass
  • Description: Access_user Class is a system for protecting pages and registering users. The class is powered by MySQL and PHP sessions. Access_user Class is affected by an arbitrary account authentication bypass vulnerability. Attackers with knowledge of valid usernames can login to any account using "new" as the password. The vendor has released Access_user Class version 1.75 to address this issue.
  • Ref: http://www.finalwebsites.com/snippets.php?id=10

  • 05.15.67 - CVE: CAN-2005-1055
  • Platform: Web Application
  • Title: TowerBlog User Credential Exposure Weakness
  • Description: TowerBlog is a web blog application. The application stores the user password hashes in the "_dat/login" file, which resides in the web root. This can allow remote attackers to access sensitive information. TowerBlog version 0.6 is affected.
  • Ref: http://www.securityfocus.com/bid/13090

  • 05.15.68 - CVE: CAN-2005-1054
  • Platform: Web Application
  • Title: ModernBill News.PHP File Include Vulnerability
  • Description: ModernBill is a web hosting application. It is vulnerable to a remote file include issue due to improper sanitization of user-supplied data. An attacker can exploit this issue to execute arbitrary server side script code with the privileges of the Web server process. ModernBill versions 4.3 and earlier are vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00067-04102005

  • 05.15.69 - CVE: CAN-2005-1049
  • Platform: Web Application
  • Title: PostNuke Phoenix Module Cross-Site Scripting
  • Description: PostNuke is a web-based content management system. Insufficient sanitization of the "module" parameter of the "admin.php" script exposes the application to multiple cross-site scripting issues.
  • Ref: http://www.securityfocus.com/bid/13076

  • 05.15.70 - CVE: CAN-2005-1053
  • Platform: Web Application
  • Title: ModernGigabyte ModernBill Cross-Site Scripting
  • Description: ModernBill is a web-based hosting application. It is vulnerable to a cross-site scripting issue, due to a failure to properly sanitize user-supplied input to the "aid" parameter of the "orderwiz.php" script. ModernBill 4.3 and earlier versions are vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00067-04102005

  • 05.15.71 - CVE: Not Available
  • Platform: Web Application
  • Title: RadScripts RadBids Gold Multiple Vulnerabilities
  • Description: RadBids Gold is a web-based auction application implemented in PHP with a mySQL database. RadBids Gold is reported prone to multiple vulnerabilities. These issues include arbitrary file disclosure, cross-site scripting, and SQL injection. RadBids Gold v2 is reported to be vulnerable to these issues.
  • Ref: http://www.hackerscenter.com/archive/view.asp?id=1872

  • 05.15.72 - CVE: CAN-2005-1071
  • Platform: Web Application
  • Title: JPortal Banner.PHP SQL Injection
  • Description: JPortal is a web-based portal application. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of the "haslo" variable of the "banner.php" script. JPortal version 2.3.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13103

  • 05.15.73 - CVE: CAN-2005-1010
  • Platform: Web Application
  • Title: Comersus Cart Cross-Site Scripting
  • Description: Comersus Cart is a collection of ASP online shopping cart scripts. It is reported to be vulnerable to cross-site scripting issues due to insufficient sanitization of user-supplied input to the "curpage" variable of the "comersus_searchItem.asp" script. Comersus Open Technologies Comersus Cart versions 5.0 9 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13125/info/

  • 05.15.74 - CVE: CAN-2005-1084
  • Platform: Web Application
  • Title: AEwebworks Dating Software aeDating Sdating.PHP SQL Injection
  • Description: aeDating is a web-based forum implemented in PHP. aeDating fails to properly sanitize user-supplied input through the "event" parameter of the "sdating.php" script before using it in an SQL query, exposing the application to an SQL injection issue. aeDating 3.2 and prior are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/13111

  • 05.15.75 - CVE: CAN-2005-1085
  • Platform: Web Application
  • Title: AEwebworks Dating Software aeDating Control Panel Cross-Site Scripting
  • Description: aeDating is a web-based forum implemented in PHP. aeDating is affected by a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the control panel script of the application. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. aeDating 3.2 and prior are affected by this issue.
  • Ref: http://www.aewebworks.com/aedating.htm

  • 05.15.76 - CVE: CAN-2005-1077
  • Platform: Web Application
  • Title: XAMPP Guestbook-EN.PL Remote HTML Injection
  • Description: XAMPP is an Apache distribution. It is vulnerable to a remote HTML injection issue due to a failure of the application to properly sanitize user-supplied input in "guestbook-en.pl" script prior to including it in dynamically generated web content. XAMPP versions 1.4.13 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13128/discussion/

  • 05.15.77 - CVE: Not Available
  • Platform: Web Application
  • Title: XAMPP Insecure Default Password Disclosure
  • Description: XAMPP is an Apache distribution. It is reported to be vulnerable to a default password disclosure issue. The problem presents itself when "xampp/security.php" script is accessed globally. XAMPP versions 1.4.13 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13131

  • 05.15.78 - CVE: CAN-2005-1076
  • Platform: Web Application
  • Title: WebCT Discussion Board HTML Injection
  • Description: WebCT is a course management system. WebCT is reportedly affected by an HTML injection vulnerability due to a failure in the application to properly sanitize user-supplied input prior to using it in dynamically generated content. This issue is reported to affect WebCT Version 4.1; other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/395544

  • 05.15.79 - CVE: Not Available
  • Platform: Web Application
  • Title: Pinnacle Cart Cross Site Scripting
  • Description: Pinnacle Cart is a web-based shopping cart application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "pg" parameter of "index.php". All versions of Pinnacle Cart are reported to be vulnerable.
  • Ref: http://systemsecure.org/board/index.php?showtopic=8

  • 05.15.80 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke Phoenix SID Parameter SQL Injection
  • Description: PostNuke is a web-based content management system. Insufficient sanitization of the "sid" parameter of the news module exposes the application to an SQL injection issue. PostNuke Phoenix version 0.760 RC3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/395352

  • 05.15.81 - CVE: Not Available
  • Platform: Web Application
  • Title: ACNews Login.ASP SQL Injection
  • Description: ACNews is a web application implemented in ASP. ACNews is affected by an SQL injection vulnerability. This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
  • Ref: http://securitytracker.com/alerts/2005/Apr/1013681.html

  • 05.15.82 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB2 Plus Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpBB2 Plus is a set of components for the phpBB bulletin board system. Insufficient sanitization of the "SID", "C" and "mark" parameters of the "index.php" script exposes the application to multiple cross-site scripting issues. phpBB2 Plus versions 1.52 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/395720

  • 05.15.83 - CVE: Not Available
  • Platform: Network Device
  • Title: SonicWALL SOHO Web Interface Multiple Vulnerabilities
  • Description: SonicWALL SOHO is a firewall and VPN security solution. There are multiple vulnerabilities, including a cross-site scripting issue, that arise due to insufficient sanitization of user-supplied input. SonicWall SOHO version 5.1.7.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/394869

  • 05.15.84 - CVE: CAN-2005-1058
  • Platform: Network Device
  • Title: Cisco IOS Unauthorized Security Association Vulnerability
  • Description: Cisco IOS is prone to an issue related to XAUTH and ISAKMP profiles that may allow a malicious VPN client to gain unauthorized access to a VPN. The issue arises when ISAKMP profiles that have been assigned to remote peers are not processed. Please check the link below for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/advisories/8374

  • 05.15.85 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS Easy VPN Server XAUTH Authentication Bypass
  • Description: Cisco IOS Easy VPN Server is reported to be vulnerable to an authentication bypass condition. This issue can allow remote attackers to bypass Extended Authentication (XAUTH) and gain unauthorized access to resources.
  • Ref: http://www.securityfocus.com/advisories/8374

  • 05.15.86 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS Secure Shell Server V2 Remote Denial of Service
  • Description: Cisco IOS is reported to be vulnerable to a remote denial of service issue. The issue is reported to exist when the Cisco IOS device is configured to employ SSHv2 for remote management and Terminal Access Controller Access Control System Authentication (TACACS+).
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml

  • 05.15.87 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS Secure Shell Server Denial of Service
  • Description: Cisco IOS is vulnerable to a denial of service issue when the IOS device attempts to authenticate clients against a TACACS+ server through SSHv1/SSHv2. Cisco IOS versions 12.x and R12.x are vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20050406-ssh.shtml

  • 05.15.88 - CVE: CAN-2005-1059
  • Platform: Network Device
  • Title: Linksys WET11 Password Update Remote Authentication Bypass
  • Description: Linksys WET11 is a wireless Ethernet bridge device. It is reported to be vulnerable to a remote authentication bypass issue. The issue presents itself when an attacker accesses the "changepw.html" script directly to change the password. Linksys WET11 bridge versions 1.5.4 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13051

  • 05.15.89 - CVE: Not Available
  • Platform: Hardware
  • Title: LG U8120 Mobile Phone Remote Denial of Service
  • Description: The U8120 mobile phone is a popular "3G" cellular phone (mobile phone) made by LG. Reportedly, the U8120 cellular phone is susceptible to a remote denial of service vulnerability, presumably triggered by a malicious MIDI file. When a remote attacker sends a malicious MIDI file to the LG U8120 phone (via the mms protocol) and the recipient plays back the MIDI file, the phone operating system crashes.
  • Ref: http://www.securityfocus.com/archive/1/395714

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end== Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.