
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 18
May 5, 2005

Apple Macintosh computers may be safer than Windows PCs, but this week's three critical Mac vulnerabilities remind us that the vendors have a long way to go before they deliver a fully secure operating system.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Third Party Windows Apps    5 (#6)
    Mac Os                      3 (#1)
    Linux                       1
    HP-UX                       1
    Unix                        6
    Cross Platform              14 (#2, #3, #7)
    Web Application             27 (#4, #5)

************************ Sponsored by Symark **************************

Secure storage and access control for all your ADMINISTRATIVE PASSWORDS: UNIX/Linux, Windows, databases, routers and firewalls http://www.symark.com/powerkeeper.htm

*************************************************************************
Why Professionals Always Attend SANS Training If They Have A Choice

(1) "SANS courses balance the why and the how-to of security. Not only will you learn something, you learn how to do something." (Greg Kotula, Wall Street On Demand)

(2) "SANS never fails to provide top level training that is worth every penny." (Tyler Hudak, Yellow Roadway Tech)

(3) "SANS training gives me the tools I need to do my job." (Michael Hiramoto, NCI)
*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
Linux
HP-UX
Unix
Cross Platform
Web Application

*************************** SPONSORED LINKS *****************************
This link points to a site outside SANS:

1) Learn more about Radware at SANS Rocky Mountain 2005, Denver, CO, May 10, 2005 Download DefensePro whitepaper http://www.sans.org/info.php?id=770

*************************************************************************
SANS@Home Program

The SANS@HOME program is designed for professionals who are seeking a flexible alternative to SANS popular six-day conferences. The Program enables students to participate in SANS training, without the expense, disruptions and inconvenience of travel or taking time out of the workday.

The goal of the SANS@HOME Program is to offer an alternative method of outstanding security training and help every student obtain GIAC certification.

See http://www.sans.org/athome/ for upcoming sessions. New sessions are being added frequently.
*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
Other Software
  • (2) HIGH: Ethereal Multiple Protocol Decoding Vulnerabilities
  • Affected: Ethereal version 0.8.14 through 0.10.10
  • Description: Ethereal is a popular open source network sniffer and protocol analyzer for Unix and Windows platforms. The software contains format string or buffer overflow vulnerabilities in parsing the following protocols: DISTCC, FCELS, SIP, ISIS, ANSI A, Megaco, Q.931, CMIP, CMP, CMS, CRMF, ESS, OCSP, PKIX1Explicit, PKIX Qualified, X.509, ISUP and TCAP. Many of these flaws can be exploited to execute arbitrary code with the privileges of the ethereal process (typically "root" when ethereal is being used as a sniffer). To exploit these flaws, an attacker has to either inject the malicious packets into the network traffic being sniffed by ethereal, or entice a user to open a specially crafted packet capture file. The technical details can be obtained by examining the fixed code. Note that any network applications based on ethereal protocol decoder modules may also be affected.

  • Status: Vendor confirmed, upgrade to version 0.10.11. Many of the protocol decoders affected are for UDP-based protocols. This makes it easy for an attacker to inject malformed packets in any network.

  • References:
  • (3) HIGH: HP OpenView Radia Management Portal Remote Code Execution
  • Affected:
    • Radia Management Portal version 1.x and 2.x running Radia Management Agent on Windows NT/2000/XP/2003
    • Radia Management Portal version 1.x running Radia Management Agent on AIX 4.1 and later, HP-UX 10.20 and later, Linux
  • Description: HP's OpenView Radia Management Portal (RMP) can be used to remotely and centrally manage software updates, patches, and configuration on a number of UNIX and/or Windows systems. The Radia Management Portal running Radia Management Agent (RMA) contains a vulnerability that can be exploited by an unauthenticated attacker to execute arbitrary commands. The commands can be executed with "SYSTEM" privileges if the Radia software is running on Windows. The discoverers have not released any technical details yet but state that they plan to do so after 3 months. Note that this vulnerability may lead to an enterprise-wide compromise, and hence should be patched on a priority basis.

  • Status: HP has acknowledged the flaw, and released patches. Block the ports 3465/tcp and 3466/tcp, which are associated with Radia management and agent communications, at the network perimeter to minimize the possibility of attacks originating from the Internet.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) HIGH: Claroline e-Learning Software Multiple Vulnerabilities
  • Affected:
    • Claroline version 1.53, 1.6 beta, 1.6 RC1
  • Description: Claroline is a PHP/MySQL based software package designed for educational institutions to create online courses. The software is being used around the world by a number of institutions. The software contains 10 SQL injection and 4 remote command execution vulnerabilities. The flaws can be exploited to execute arbitrary PHP scripts on the Claroline server and/or manipulate the SQL queries issued against the back-end MySQL database. The technical details about the SQL injection flaws have been posted publicly. The details about the remote command injection vulnerabilities can be obtained by examining the fixed version of the software.

  • Status: Vendor confirmed. Upgrade to version 1.54 or 1.6 final.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) HIGH: osTicket Support Ticket Software Multiple Vulnerabilities
  • Affected:
    • osTicket versions prior to 1.2.7
  • Description: osTicket is an open-source PHP-based customer support system. This software contains multiple SQL injection and remote file include vulnerabilities. The flaws can be exploited to execute arbitrary PHP scripts on the osTicket server and/or manipulate the SQL queries issued against the back-end database. The posting shows how to craft HTTP requests to leverage these flaws.

  • Status: Vendor confirmed, upgrade to version 1.2.7.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (6) HIGH: Globalscape Secure FTP Server Buffer Overflow
  • Affected:
    • Globalscape Secure FTP server version 3.0.2 or prior
  • Description: Globalscape Secure FTP server is designed for data exchange between businesses and customers. This server contains a buffer overflow that can be triggered by sending an overlong FTP command (over 3000 bytes). An attacker can exploit the overflow to execute arbitrary code. Exploit code has been publicly posted. Note that FTP servers configured for "anonymous" access face the maximum risk.

  • Status: Vendor confirmed, upgrade to 3.0.3 Build 4.29.2005.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (7) UPDATE: Netscape Code Execution Vulnerabilities
  • Affected:
    • Netscape versions 6.x and 7.x
  • Description: The Netscape browser has been found vulnerable to some of the remote code execution flaws reported in the Firefox browser last week. Proof-of-concept exploits are available for these vulnerabilities. Since there are no patches available, Netscape users should migrate to Mozilla/Firefox browsers.

  • Council Site Updates: Most of the council sites are no longer using Netscape as a supported browser and thus are not taking any action. One site is still actively trying to convince their support organization to abandon Netscape as a supported browser and move to Firefox. A second organization has a large number of Netscape users; however, they do not plan any action at this time. They have been pushing Internet Explorer as the preferred browser since late 2004.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 18, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4273 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.18.1 - CVE: CAN-2005-1415
  • Platform: Third Party Windows Apps
  • Title: GlobalSCAPE Secure FTP Server Remote Buffer Overflow
  • Description: GlobalSCAPE Secure FTP Server is an FTP server application. It is reported to be vulnerable to a remote buffer overflow issue. The issue presents itself when 3000 bytes of data is sent. Secure FTP Server version 3.0.2 Build 04.12.2005.1 and version 3.0 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13454

  • 05.18.2 - CVE: CAN-2005-1421
  • Platform: Third Party Windows Apps
  • Title: Video Cam Server Directory Traversal
  • Description: Video Cam Server is a web cam application. Insufficient sanitization of ".." sequences exposes the application to a directory traversal issue. Video Cam Server version 1.0 beta is affected.
  • Ref: http://www.securityfocus.com/bid/13456

  • 05.18.3 - CVE: CAN-2005-1420
  • Platform: Third Party Windows Apps
  • Title: Video Cam Server Path Disclosure
  • Description: Video Cam Server is a web cam application for Windows platforms. It is vulnerable to a path disclosure issue when invalid data is submitted. An attacker can exploit this issue to access sensitive data. Video Cam Server 1.0.0 Beta is vulnerable to this issue.
  • Ref: http://www.autistici.org/fdonato/advisory/VideoCamServer1.0.0-adv.txt

  • 05.18.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Video Cam Server Administrative Interface Authentication Bypass
  • Description: Video Cam Server is a web cam application. It is reported to be vulnerable to an authentication bypass issue. Video Cam Server version 1.0 beta is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13459

  • 05.18.5 - CVE: CAN-2005-1063
  • Platform: Third Party Windows Apps
  • Title: Kerio Administration Port Denial of Service
  • Description: The administration protocol for Kerio products is vulnerable to a denial of service. The protocol may be abused to force the product to "compute unexpected conditions" and "perform cryptographic operations." Kerio resolved this issue in Kerio MailServer version 6.0.9, Kerio WinRoute Firewall version 6.0.11, and Kerio Personal Firewall version 4.1.3.
  • Ref: http://research.tic.udc.es/scg/advisories/20050429-2.txt

  • 05.18.6 - CVE: CAN-2005-1337
  • Platform: Mac Os
  • Title: Apple Mac OS X Help Viewer JavaScript Code Execution
  • Description: The Apple Mac OS X Help Viewer URI handler is vulnerable to an access validation issue that could allow malicious JavaScript code to be executed in the security context of a user running the application. Mac OS X versions 10.3.9 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8523

  • 05.18.7 - CVE: CAN-2005-1333
  • Platform: Mac Os
  • Title: Apple Mac OS X BlueTooth Directory Traversal
  • Description: Apple Mac OS X is prone to a directory traversal vulnerability. Due to insufficient sanitization of input, the Bluetooth file and object exchange Services could be used by a remote attacker to access files outside the default file exchange directory. Mac OS X versions 10.3.9 and 10.3.9 are affected.
  • Ref: http://docs.info.apple.com/article.html?artnum=301528

  • 05.18.8 - CVE: CAN-2005-1344 CAN-2004-1308 CAN-2004-1307 CAN-2005-1330 CAN-2005-1331 CAN-2005-1332 CAN-2005-1333 CAN-2005-1335 CAN-2005-0342 CAN-2005-1336
  • Platform: Mac Os
  • Title: Apple Mac OS X Multiple Vulnerabilities
  • Description: Apple released security update "2005-005" to address multiple vulnerabilities in the Mac OS operating system. Please check the Apple advisory below for details on the issues, vulnerable versions and patch information.
  • Ref: http://docs.info.apple.com/article.html?artnum=301528

  • 05.18.9 - CVE: Not Available
  • Platform: Linux
  • Title: LAM/MPI Runtime Insecure Account Creation
  • Description: LAM is an implementation of the Message Passing Interface (MPI) protocol. The LAM/MPI Runtime environment for Mandrake Linux is vulnerable to an insecure account creation vulnerability. The package creates an account "mpi" without a password. MandrakeSoft LAM runtime version 7.0.6-2mdk is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/397157

  • 05.18.10 - CVE: CAN-2005-1434
  • Platform: HP-UX
  • Title: HP OpenView Network Node Manager Multiple Remote Vulnerabilities
  • Description: The HP OpenView Network Node Manager is vulnerable to unspecified remote vulnerabilities. OpenView Network Node Manager versions 7.50 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13470

  • 05.18.11 - CVE: CAN-2005-1388
  • Platform: Unix
  • Title: Survivor Unspecified Cross-Site Scripting
  • Description: Survivor is a POSIX-thread based scheduler that monitors system services. It is affected by an unspecified cross-site scripting vulnerability. Survivor versions 0.9.5a and earlier are known to be vulnerable.
  • Ref: http://www.columbia.edu/acis/dev/projects/survivor/doc/todo.html#changelog

  • 05.18.12 - CVE: CAN-2005-1431
  • Platform: Unix
  • Title: GnuTLS Padding Denial of Service
  • Description: GNU Transport Layer Security Library (GnuTLS) is a library that implements the TLS 1.0 and SSL 3.0 protocols. It is vulnerable to a denial of service vulnerability due to improper validation of padding bytes. A remote attacker can send specifically designed data to cause denial of service conditions. GnuTLS versions before 1.0.25 and 1.2.3 are vulnerable.
  • Ref: http://secunia.com/advisories/15193

  • 05.18.13 - CVE: CAN-2005-1391
  • Platform: Unix
  • Title: APSIS Pound Remote Buffer Overflow Vulnerability
  • Description: APSIS Pound is a reverse-proxy and load-balancer service. It is vulnerable to a remote buffer overflow issue due to insufficient bounds checking in the "add_port" function. An attacker can exploit this issue to run arbitrary code on the vulnerable system. Pound versions 1.8.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8506

  • 05.18.14 - CVE: CAN-2005-0241
  • Platform: Unix
  • Title: Squid Proxy Synchronization Remote Cache Poisoning
  • Description: Squid Proxy is a web proxy software package. It is affected by a remote cache poisoning vulnerability. When the application accepts malformed HTTP requests it may store incorrect values for multiple headers or may define request boundaries incorrectly, leading to cache poisoning attacks. Squid Cache versions 2.5.STABLE5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13434

  • 05.18.15 - CVE: Not Available
  • Platform: Unix
  • Title: Mtp-Target Client Remote Format String
  • Description: Mtp-Target is a computer game that implements both a game server and client. Mtp-Target is affected by a remote format string vulnerability. Mtp-Target versions 1.2.2 and earlier are known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/mtpbugs-adv.txt

  • 05.18.16 - CVE: Not Available
  • Platform: Unix
  • Title: LibTomCrypt Flawed Signature Generation
  • Description: LibTomCrypt is affected by a security vulnerability that exists in the signature generation functionality. LibTomCrypt versions 1.0.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13473

  • 05.18.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Radia Management Portal Remote Command Execution
  • Description: HP OpenView Radia Management Portal is an IT Change and Configuration Management application. It is vulnerable to a remote command execution issue due to the application's failure to properly secure access to critical functions. HP Radia Management Portal versions 1.0 and 2.0 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13414/info/


  • 05.18.19 - CVE: CAN-2005-1381
  • Platform: Cross Platform
  • Title: Oracle Application Server 9i Webcache Cache_dump_file Cross-Site Scripting
  • Description: A remote cross-site scripting vulnerability affects the Oracle Application Server 9i Webcache administration console. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
  • Ref: http://www.red-database-security.com/advisory/oracle_webcache_CSS_vulnerabilities.html

  • 05.18.20 - CVE: CAN-2005-1381
  • Platform: Cross Platform
  • Title: Oracle Application Server 9i Webcache PartialPageErrorPage Cross-Site Scripting
  • Description: Oracle Application Server is affected by a remote cross-site scripting issue. Insufficient sanitization of the "PartialPageErrorPage" parameter in the "webcacheadmin" script exposes this issue. Oracle9i Application Server Web Cache versions 9.0.3.1 and earlier are affected.
  • Ref: http://www.red-database-security.com/advisory/oracle_webcache_CSS_vulnerabilities.html

  • 05.18.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Golden FTP Server Pro Directory Traversal
  • Description: Golden FTP Server Pro is reported to be vulnerable to a directory traversal issue due to improper sanitization of the "Get" command. Golden FTP Server versions 2.52 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13479

  • 05.18.22 - CVE: CAN-2005-0669, CAN-2005-0670, CAN-2005-0946
  • Platform: Cross Platform
  • Title: phpCOIN Multiple SQL Injection Vulnerabilities
  • Description: phpCOIN is a customer information and shopping application designed for integration into an existing website. phpCOIN is affected by multiple SQL injection vulnerabilities. phpCOIN versions 1.2.1 and earlier are known to be vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00065-03292005

  • 05.18.23 - CVE: CAN-2005-1441
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Server Notes Remote Procedure Call Format String
  • Description: IBM Lotus Domino Server is an application framework for collaboration. A remote format string vulnerability affects IBM Lotus Domino Server due to a failure of the application to properly sanitize user-supplied input data prior to using it in a formatted-printing function. Remote attackers may exploit this vulnerability to cause arbitrary machine code to be executed in the context of the affected application. Lotus Domino versions 6.0.5 and 6.5.4 are not vulnerable.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202525

  • 05.18.24 - CVE: CAN-2005-1402
  • Platform: Cross Platform
  • Title: Mtp-Target Server Memory Corruption
  • Description: Mtp-Target is a computer game that implements both server and client. It is prone to a memory corruption vulnerability due to improper validation of client parameters. This issue may be exploited to trigger the allocation of insufficient buffers in heap-based memory, and could result in process memory corruption. Immediate consequences of exploitation of this vulnerability are a denial of service. Mtp-Target 1.2.2 is vulnerable.
  • Ref: http://aluigi.altervista.org/adv/mtpbugs-adv.txt

  • 05.18.25 - CVE: CAN-2005-1433
  • Platform: Cross Platform
  • Title: HP OpenView Event Correlation Service Unspecified Remote Vulnerabilities
  • Description: The HP OpenView Event Correlation Service is vulnerable to unspecified remote vulnerabilities. Successful exploitation can result in a denial of service or arbitrary code execution with elevated privileges. Openview Event Correlation Service versions 3.33 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8514

  • 05.18.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Open WebMail Arbitrary Shell Command Execution
  • Description: Open WebMail is a web mail package. It is vulnerable to a remote shell command execution vulnerability due to insufficient sanitization of user-supplied data before it is used in an "open()" call. Open WebMail dated after Apr 30, 2005 resolves this issue.
  • Ref: http://www.securityfocus.com/bid/13472

  • 05.18.27 - CVE: CAN-2005-1410
  • Platform: Cross Platform
  • Title: PostgreSQL TSearch2 Design Error
  • Description: PostgreSQL is an open source relational database suite. Its "contrib/tsearch2" module is prone to a security vulnerability that allows a remote user who can write SQL queries to the affected database to call functions that should not be accessible directly from SQL commands. This may lead to a denial of service or further database compromise. This vulnerability affects PostgreSQL versions 7.4 and later.
  • Ref: http://www.postgresql.org/about/news.315

  • 05.18.28 - CVE: CAN-2005-1409
  • Platform: Cross Platform
  • Title: PostgreSQL Character Set Conversion Privilege Escalation
  • Description: PostgreSQL is an open source relational database suite. The PostgreSQL functions that support client to server character set conversions can be called by unprivileged users through SQL commands. The problem exists because these conversion functions do not properly sanitize input, potentially allowing malicious argument values to be included. This may result in arbitrary queries being executed with the privileges of the conversion functions.
  • Ref: http://www.postgresql.org/about/news.315

  • 05.18.29 - CVE: CAN-2005-0174
  • Platform: Cross Platform
  • Title: Squid Proxy HTTP Response Splitting Remote Cache Poisoning
  • Description: Squid Proxy is web proxy software. It is reported to be vulnerable to a cache poisoning issue due to a failure of the affected proxy to handle CR/LF characters in HTTP requests. Squid Proxy Cache version 2.5.STABLE7 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13435

  • 05.18.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Leafnode Fetchnews Client Article Header Remote Denial of Service
  • Description: Leafnode is a Usenet news proxy. Fetchnews is NNTP client software used with Leafnode. Fetchnews is affected by a remote denial of service vulnerability that may allow a remote attacker to cause the software to hang. Leafnode versions 1.9.48 to 1.11.1 are known to be vulnerable.
  • Ref: http://leafnode.sourceforge.net/leafnode-SA-2005-01.txt

  • 05.18.31 - CVE: CAN-2005-1373
  • Platform: Web Application
  • Title: Koobi CMS Index.PHP Q Parameter SQL Injection
  • Description: Koobi CMS is PHP based content management software with a MySQL back end. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "q" parameter of "index.php" before using it in an SQL query. Successful exploitation could allow an attacker to compromise the application or get hold of sensitive data. Koobi CMS version 4.2.3 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/397057

  • 05.18.32 - CVE: CAN-2005-1448
  • Platform: Web Application
  • Title: S9Y Serendipity BBCode Plugin HTML Injection
  • Description: Serendipity is a web-log application. It is reported to be vulnerable to an HTML injection issue due to improper sanitization of user-supplied input. S9Y Serendipity versions 0.8-beta6 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13411

  • 05.18.33 - CVE: CAN-2005-1378
  • Platform: Web Application
  • Title: Notes Module for PHPBB SQL Injection
  • Description: The notes module for phpBB allows users to keep their own memo pad in usercp. The notes module for phpBB is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "post_id" variable of "posting_notes.php" before using it in an SQL query. Other variables may also be affected. This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic and other attacks. All known versions of the notes module are vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00070-04272005

  • 05.18.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Oracle Application Server HTTP Service Restriction Bypass
  • Description: Oracle HTTP Server of Oracle Application Server is vulnerable to an access restriction bypass issue because the Oracle Webcache client is able to access URIs regardless of the restrictions outlined in the "mod_access" file. Oracle10g Application Server versions 10.1.2 and earlier are reported to be vulnerable.
  • Ref: http://www.red-database-security.com/advisory/oracle_webcache_bypass.html

  • 05.18.35 - CVE: CAN-2005-1404
  • Platform: Web Application
  • Title: MyPHP Forum Post.PHP Username Spoofing
  • Description: MyPHP Forum is a web-based forum. It is prone to a username spoofing vulnerability. The issue exists due to a design error, which allows a user to arbitrarily specify their username as a value for a URI parameter while submitting a message to the forum. MyPHP Forum version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/13429

  • 05.18.36 - CVE: CAN-2005-1404
  • Platform: Web Application
  • Title: MyPHP Forum Username Spoofing
  • Description: MyPHP Forum is a web-based forum. It is reported to be vulnerable to a username spoofing issue due to improper sanitization of the URL parameter to the "privmsg.php" script. MyPHP Forum version 1.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13430

  • 05.18.37 - CVE: CAN-2005-1403
  • Platform: Web Application
  • Title: Just William's Amazon Webstore HTTP Response Splitting
  • Description: JustWilliam's Amazon Webstore is designed to interface with Amazon's database of products. It is reported to be vulnerable to an HTTP response splitting vulnerability due to improper sanitization of user-supplied input. Just William's Amazon Webstore 04050100 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13428

  • 05.18.38 - CVE: CAN-2005-0157
  • Platform: Web Application
  • Title: SmartList ListManager Arbitrary List Addition
  • Description: Smartlist provides creation and handling for mailing lists with the ability to automate subscription request processing. Smartlist could allow arbitrary email addresses to be added to a mailing list. This issue is due to a vulnerability in the confirm add-on function of Smartlist. Smartlist version 3.15 is affected.
  • Ref: http://www.securityfocus.com/bid/13474

  • 05.18.39 - CVE: CAN-2005-1439, CAN-2005-1438
  • Platform: Web Application
  • Title: osTicket Multiple Vulnerabilities
  • Description: osTicket is an open source support ticket system. It is affected by multiple input validation and remote code injection vulnerabilities due to insufficient sanitization of user-supplied input. osTicket STS versions 1.2.7 and earlier are vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00071-05022005

  • 05.18.40 - CVE: CAN-2005-1374
  • Platform: Web Application
  • Title: Claroline E-Learning Application Remote Input Validation
  • Description: Claroline is a web-based e-learning application implemented in PHP with a MySQL database back end. It is vulnerable to multiple remote input validation issues due to a failure of the application to properly sanitize user-supplied input. An attacker may exploit these issues to manipulate SQL queries to the underlying database and have arbitrary script code executed in the browser of an unsuspecting user. Claroline versions 1.5.3, 1.6 beta and 1.6 RC1 are vulnerable.
  • Ref: http://www.claroline.net/

  • 05.18.41 - CVE: CAN-2005-1398
  • Platform: Web Application
  • Title: PHPCart(tm) Input Validation
  • Description: PHPCart(tm) is a web-based e-commerce solution. It is susceptible to a remote input validation vulnerability. The software fails to properly sanitize URI parameter data during checkout. A remote attacker may be able to manipulate invoice and payment charges during a checkout transaction. All current versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13406

  • 05.18.42 - CVE: CAN-2005-1373
  • Platform: Web Application
  • Title: Koobi CMS Index.PHP P Parameter SQL Injection
  • Description: Koobi CMS is web-based content management software. Insufficient sanitization of the "p" parameter in the "index.php" script exposes the application to an SQL injection issue. Koobi CMS version 4.2.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/397057

  • 05.18.43 - CVE: CAN-2005-1403
  • Platform: Web Application
  • Title: Just William's Amazon Webstore Multiple Cross-Site Scripting Vulnerabilities
  • Description: Amazon Webstore is a project that is currently being developed at JustWilliam's. Insufficient sanitization of user supplied input to various php scripts exposes the application to multiple cross-site scripting issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13425/info/

  • 05.18.44 - CVE: CAN-2005-1403
  • Platform: Web Application
  • Title: Just William's Amazon Webstore Cross-Site Scripting
  • Description: Amazon Webstore is designed to interface with Amazon's database of products. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "currentNumber" parameter.
  • Ref: http://www.securityfocus.com/bid/13427

  • 05.18.45 - CVE: Not Available
  • Platform: Web Application
  • Title: DotText HTTP Referer HTML Injection
  • Description: DotText is a blog system implemented in ASP.NET. It is vulnerable to an HTML injection issue exploitable through the HTTP referer field. An attacker can exploit this issue to steal cookie-based authentication credentials. DotText versions 0.95 and 0.93 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13450/info/

  • 05.18.46 - CVE: Not Available
  • Platform: Web Application
  • Title: JGS-Portal ID Variable SQL Injection
  • Description: JGS-Portal is a portal plug-in for Woltlab Burning Board. Insufficient sanitization of the "ID" parameter exposes the application to an SQL injection issue. JGS-Portal versions 3.0.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13451

  • 05.18.47 - CVE: CAN-2005-1440
  • Platform: Web Application
  • Title: CodeToSell ViArt Shop Enterprise Multiple Vulnerabilities
  • Description: ViArt Shop Enterprise is a web-based shopping cart and forum system. It is reported to be vulnerable to multiple cross-site scripting and HTML injection issues due to improper sanitization of user-supplied input. ViArt Shop Enterprise version 2.1.6 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13462

  • 05.18.48 - CVE: CAN-2005-1417
  • Platform: Web Application
  • Title: MaxWebPortal Multiple SQL Injection Vulnerabilities
  • Description: MaxWebPortal is a web portal and online community system. Insufficient sanitization of user-supplied input to various script files exposes the application to multiple SQL injection issues. MaxWebPortal versions 1.33 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13466

  • 05.18.49 - CVE: Not Available
  • Platform: Web Application
  • Title: enViVo|CMS Admin_Login.ASP Username Parameter SQL Injection
  • Description: enViVo|CMS is a web content management system. Insufficient sanitization of the "username" parameter of the "admin_login.asp" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13437

  • 05.18.50 - CVE: Not Available
  • Platform: Web Application
  • Title: enViVo|CMS Password Parameter SQL Injection
  • Description: enViVo|CMS is a web content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "password" parameter of the "admin_login.asp" script.
  • Ref: http://secunia.com/advisories/15173/

  • 05.18.51 - CVE: Not Available
  • Platform: Web Application
  • Title: enViVo|CMS Default.ASP SearchString Parameter SQL Injection
  • Description: enViVo|CMS is a Web content management system implemented in ASP. enViVo|CMS is affected by an SQL injection vulnerability. Currently all versions of enViVo|CMS are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13437

  • 05.18.52 - CVE: CAN-2005-0881
  • Platform: Web Application
  • Title: Interspire ArticleLive Multiple Remote Vulnerabilities
  • Description: Interspire ArticleLive is web content management software implemented in PHP. It is reported to be vulnerable to multiple issues due to improper sanitization of user-supplied input. Interspire ArticleLive 2005 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13493

  • 05.18.53 - CVE: Not Available
  • Platform: Web Application
  • Title: ASP Inline Corporate Calendar Details.ASP SQL Injection
  • Description: ASP Inline Corporate Calendar is a web-based calendar management tool. Insufficient sanitization of the "Event_ID" parameter of the "details.asp" script exposes the application to an SQL injection issue. ASP Inline Corporate Calendar version 3.6.3 is affected.
  • Ref: http://www.securityfocus.com/bid/13474

  • 05.18.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Gossamer Threads Links User.CGI Cross-Site Scripting
  • Description: Gossamer Threads Links is a web-based directory management application. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user input to the "user.cgi" script. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user to steal cookie-based authentication credentials. Links versions 2.x, 2.2.x, and Links-SQL version 3.0 are vulnerable.
  • Ref: http://www.gossamer-threads.com/perl/gforum/gforum.cgi?post=281029;sb=post_latest_reply;so=ASC;forum_view=forum_view_collapsed;guest=11499283

  • 05.18.55 - CVE: Not Available
  • Platform: Web Application
  • Title: WebCrossing WebX Cross-Site Scripting
  • Description: WebCrossing is a collaboration server platform. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "WebX" parameter. Web Crossing version 5.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13482

  • 05.18.56 - CVE: CAN-2005-1444, CAN-2005-1445
  • Platform: Web Application
  • Title: SitePanel2 Input Validation
  • Description: SitePanel2 is affected by multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. Please refer to the advisory link provided below for details.
  • Ref: http://www.gulftech.org/?node=research&article_id=00072-05032005

  • 05.18.57 - CVE: Not Available
  • Platform: Web Application
  • Title: ASP Inline Corporate Calendar Defer.ASP SQL Injection
  • Description: ASP Inline Corporate Calendar is a web-based calendar management tool. ASP Inline Corporate Calendar is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "Event_ID" parameter of the "defer.asp" script before using it in an SQL query. This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
  • Ref: http://www.hackerscenter.com/archive/view.asp?id=2416

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end== Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org Copyright 2005. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.