@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 20
May 20, 2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    Windows                      1 (#2)
    Other Microsoft Products     2
    Third Party Windows Apps     9
    Unix                         4
    Cross Platform               8 (#1, #4)
    Web Application              38 (#5)
    Network Device               2 (#3)

    (#n refers to the numbered critical items in Part I.)

************** Sponsored by SANS Washington DC 2005 *********************
Attend one of ten SANS in-depth training courses in Washington DC, July 28 - August 3. Plus you'll find a vendor Expo and five short courses: Cutting-edge Hacking Techniques, Advanced Worm and Bot Analysis, Legal Issues and more.
Details: http://www.sans.org/washington2005/caag.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Unix
Cross Platform
Web Application
Network Device

*************************************************************************
Reasons Security Professionals Give for Justifying SANS Training

(1) "I have attended several of SANS rivals and SANS blew them away!"
- Alton Thompson, US Marines

(2) "I have attended many conferences/training sessions, and SANS, by far, has been the best. The instructors are the top in the industry, examples are from real life experiences - terrific!"
- Chris Bush, Novartis Pharmaceuticals

(3) "It's very dynamic, and I will be able to apply what I learned directly into my area of work."
- Wagner Nascimento, eBay, Inc.
*************************************************************************
SANS@Home summer program

Choose one of ten specially selected Instructor and Mentor Led sessions that enable you to participate in comprehensive SANS training from your home or office without disrupting your daily work schedule.

For more information and to register for one of our upcoming sessions, visit http://www.sans.org/athome/
*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) LOW: Windows XP/2003 IPv6 Land Attack
  • Affected:
    • Windows XP/2003
  • Description: The Land attack, a denial-of-service technique known since 1997, is launched by sending the target IP packets whose source address and port are identical to the destination address and port. Windows XP SP2 and Windows Server 2003 SP1 are reportedly vulnerable to an IPv6 variant of it. By continuously sending a stream of such malformed IPv6 TCP "SYN" packets to open ports on a Windows XP/2003 system, it is possible to cause significant performance degradation, rendering the system unusable. Exploit code has been publicly posted.

  • Status: Microsoft has been informed of the vulnerability; no patch is available yet. Until one is, ingress/egress filtering at firewalls and with router ACLs (dropping packets whose source address equals their destination address, and packets arriving from outside with an internal source address) will block this attack.

  • Council Site Actions: Council sites report they have a large number of systems that could potentially be affected by a local IPv6 attack. Nearly all of their affected systems will obtain the update through the public Windows Update site, or through their local SUS server, whenever Microsoft happens to release a patch for this. They are not planning to proactively block the attack, although it is possible that the vulnerability may cause them to temporarily hold off on further expansion of external IPv6 availability.

  • References:
Other Software
  • (3) HIGH: Neteyes Nexusway Border Gateway Administrative Access
  • Affected:
    • Possibly all versions
  • Description: Nexusway, a networking product from Taiwan, is designed to be a border gateway product to connect multiple networks. The gateway's web administration contains multiple flaws that can be exploited to obtain administrative control over the device, or run arbitrary commands. The posting shows how to craft HTTP requests to exploit these flaws.

  • Status: Vendor patch is not available yet.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) MODERATE: Gaim URL Processing Overflow
  • Affected:
    • gaim versions prior to 1.3.0
  • Description: Gaim is a multi-protocol instant messaging client for Linux, BSD, MacOS X and Windows platforms. Gaim contains a stack-based buffer overflow that can be triggered by an IM message containing an overlong URL (over 8192 bytes). An attacker can exploit this flaw via Jabber or SILC protocol messages to execute arbitrary code on a user's system. Exploit code development may be challenging as only certain printable characters can be used for such a purpose.

  • Status: Vendor confirmed; upgrade to version 1.3.0.

  • Council Site Actions: Only one of the reporting council sites is running the affected software, mostly on Linux platforms. Most of their systems regularly obtain updates from the Linux vendor through an automated process. They also have a substantial collection of Red Hat Enterprise Linux systems for which an administrator must manually trigger updates; this update (RHSA-2005:429-06) will most likely be applied in early June.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 20, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4331 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.20.1 - CVE: CAN-2005-1649
  • Platform: Windows
  • Title: Microsoft IPV6 TCPIP Loopback and Denial of Service
  • Description: The Microsoft Windows IPv6 TCP/IP stack is vulnerable to a "loopback" condition initiated by sending a TCP packet with the "SYN" flag set and the source address and port spoofed to equal the destination address and port. A remote attacker may exploit this issue to deny service to legitimate users. This issue is reported to affect Microsoft Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.
  • Ref: http://www.securityfocus.com/archive/1/398474
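
The condition described in item (2) of Part I and in 05.20.1 above is simple enough to check at the packet level. What follows is an added example, not code from this bulletin, from Microsoft or from the posted exploit: it builds constructed IPv6 + TCP headers (no real capture; the TCP checksum is left at zero) and flags a Land packet, meaning one whose source address and port equal its destination address and port with SYN set. The target address is an assumed one from the documentation range, and IPv6 extension headers between the IPv6 and TCP headers are deliberately not handled.

```python
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10

IPV6_HDR = "!IHBB16s16s"   # ver/tc/flow, payload len, next header, hop limit, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urg


def build_ipv6_tcp(src, dst, sport, dport, flags):
    """Constructed test packet: 40-byte IPv6 header + 20-byte TCP header, no payload.
    The TCP checksum is left at zero; this is for parsing tests, not for sending."""
    src_b = socket.inet_pton(socket.AF_INET6, src)
    dst_b = socket.inet_pton(socket.AF_INET6, dst)
    ipv6 = struct.pack(IPV6_HDR, 6 << 28, 20, 6, 64, src_b, dst_b)  # next header 6 = TCP
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ipv6 + tcp


def parse_ipv6_tcp(pkt):
    """Return the fields a Land check needs, or None if this is not plain IPv6 + TCP."""
    if len(pkt) < 60:
        return None
    vtf, _plen, nxt, _hlim, src_b, dst_b = struct.unpack(IPV6_HDR, pkt[:40])
    if vtf >> 28 != 6 or nxt != 6:
        return None  # not IPv6, or an extension header sits before TCP (not handled here)
    sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, pkt[40:60])
    return {
        "src": socket.inet_ntop(socket.AF_INET6, src_b),
        "dst": socket.inet_ntop(socket.AF_INET6, dst_b),
        "sport": sport,
        "dport": dport,
        "flags": flags,
    }


def is_land_packet(pkt):
    """A Land packet: source == destination for both address and port, with SYN set."""
    hdr = parse_ipv6_tcp(pkt)
    if hdr is None:
        return False
    return (hdr["src"] == hdr["dst"]
            and hdr["sport"] == hdr["dport"]
            and bool(hdr["flags"] & TCP_SYN))


def count_land_packets(packets):
    """Count Land packets in an iterable of raw packets. A sustained stream, not a
    single packet, is what the bulletin describes as degrading the target."""
    return sum(1 for p in packets if is_land_packet(p))


if __name__ == "__main__":
    target = "2001:db8::10"  # assumed address of the Windows host (documentation prefix)
    stream = [build_ipv6_tcp(target, target, 445, 445, TCP_SYN) for _ in range(5)]
    stream.append(build_ipv6_tcp("2001:db8::2", target, 40000, 445, TCP_SYN))
    print("Land packets in constructed sample:", count_land_packets(stream))
```

The same comparison (source equals destination for address and port) is what a firewall or router ACL in front of the hosts should drop; a packet like that has no legitimate origin, so the rule can be applied before any patch is available.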

  • 05.20.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft HTML Help Workshop HHC.EXE HHA.DLL Corruption
  • Description: The Microsoft HTML Help workshop compiler tool (hhc.exe) is affected by a memory corruption vulnerability. The issue exists in the "HHA.DLL" library. When an ".hhc" contents file is processed by the compiler, a superfluous value supplied as a helpfile path results in the corruption of process memory.
  • Ref: http://www.securityfocus.com/bid/13668/info/

  • 05.20.3 - CVE: CAN-2005-1574
  • Platform: Other Microsoft Products
  • Title: Microsoft Windows Media Player DRM Arbitrary Web Page Launch
  • Description: Microsoft Windows Media Player Digital Rights Management (DRM) is affected by a weakness that could permit the launch of an arbitrary Web page. Windows Media Player versions 9 and 10 are known to be vulnerable.
  • Ref: http://www.microsoft.com/technet/security/advisory/892313.mspx

  • 05.20.4 - CVE: CAN-2005-1646
  • Platform: Third Party Windows Apps
  • Title: NETFile FTP/Web Server FTP Bounce
  • Description: Fastream NETFile FTP/Web Server is vulnerable to an FTP bounce issue because the default installation does not require that the IP address in a PORT command match the IP address of the logged-in user. Fastream NETFile FTP/Web Server versions 7.6 and earlier are vulnerable.
  • Ref: http://www.security.org.sg/vuln/netfileftp746port.html
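
The missing check in 05.20.4 is a few lines of server-side logic. The following is an added example, not Fastream's code or anything from the advisory: it parses an RFC 959 PORT argument and honours it only if the address is the one the control connection came from and the port is not privileged. The client address and the PORT arguments are constructed from the documentation range; EPRT/IPv6 is not covered.

```python
import ipaddress


class FtpError(Exception):
    """Raised with the reply the server should send back on the control connection."""


def parse_port_command(arg):
    """Parse the argument of an FTP PORT command, "h1,h2,h3,h4,p1,p2" (RFC 959),
    into (IPv4Address, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise FtpError("501 Syntax error in PORT argument")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise FtpError("501 PORT octet out of range")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port


def validate_data_target(port_arg, control_peer_ip):
    """Return the (host, port) the server may open a data connection to, or raise FtpError.

    Two checks: the address must be the one the client's control connection came from
    (otherwise the client can use the server as a relay to reach third-party hosts, which
    is the FTP bounce), and the port must not be privileged, since low ports on other
    hosts are the classic bounce-scan and bounce-delivery targets."""
    host, port = parse_port_command(port_arg)
    if host != ipaddress.IPv4Address(control_peer_ip):
        raise FtpError("500 PORT address does not match control connection")
    if port < 1024:
        raise FtpError("500 PORT to privileged port refused")
    return host, port


def port_command_accepted(port_arg, control_peer_ip):
    """Convenience wrapper: True if the PORT command would be honoured."""
    try:
        validate_data_target(port_arg, control_peer_ip)
        return True
    except FtpError:
        return False


if __name__ == "__main__":
    # Constructed session: a client at 192.0.2.10 issues three PORT commands.
    for cmd in ("192,0,2,10,4,1", "198,51,100,7,0,25", "192,0,2,10,0,80"):
        print(cmd, "->", "accepted" if port_command_accepted(cmd, "192.0.2.10") else "refused")
```

The second command is the bounce: a data connection to 198.51.100.7 port 25 from the FTP server's own address. A server that only checks syntax would open it.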

  • 05.20.5 - CVE: CAN-2005-1640
  • Platform: Third Party Windows Apps
  • Title: IgnitionServer Entry Access Validation Checking
  • Description: IgnitionServer is an Internet Relay Chat server. A design error in its access validation check allows users without "delete" permission to delete entries. IgnitionServer version 0.3.6-P1 was released to fix this issue.
  • Ref: http://www.ignition-project.com/security/20050414-hosts-delete-owner-access-entries

  • 05.20.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IgnitionServer Locked Channel Protected Operator Lockout
  • Description: IgnitionServer is an Internet Relay Chat (IRC) server. It is vulnerable to an issue that can allow a user to lock a protected operator out of an IRC channel, possibly forcing a server reboot. This is due to a failure in the application logic. IgnitionServer versions prior to 0.3.6-P1 are vulnerable.
  • Ref: http://www.ignition-project.com/security/20050515-protected-opers-cannot-join-channel-with-key

  • 05.20.7 - CVE: CAN-2005-0040
  • Platform: Third Party Windows Apps
  • Title: DotNetNuke HTML Injection Vulnerability
  • Description: DotNetNuke is a web based content management system. It is vulnerable to an HTML injection vulnerability due to insufficient sanitization of user supplied input passed in the "User-Agent" HTTP header. DotNetNuke versions 3.0.12 and earlier are reported to be vulnerable.
  • Ref: http://www.woany.co.uk/advisories/dotnetnukexss.txt

  • 05.20.8 - CVE: CAN-2005-1622
  • Platform: Third Party Windows Apps
  • Title: MetaCart E-Shop ASP Cross Site Scripting
  • Description: MetaCart E-Shop is a shopping cart application. It is vulnerable to a cross site scripting issue due to insufficient sanitization of user supplied input to the "strCatalog_NAME" parameter of the "productsByCategory.asp" script. All versions of MetaCart E-shop are reported to be vulnerable.
  • Ref: http://echo.or.id/adv/adv13-theday-2005.txt

  • 05.20.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Keyvan1 ImageGallery Database Download
  • Description: Keyvan1 ImageGallery is an application for creation of web image galleries. It is vulnerable to an access validation issue that could allow anyone to download the underlying database. All current versions of Keyvan1 ImageGallery are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13630/info/

  • 05.20.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: OllyDbg INT3 Format String
  • Description: OllyDbg is a graphical debugging application for Microsoft Windows operating systems. OllyDbg is affected by a format string vulnerability. OllyDbg versions 1.10 and earlier are known to be vulnerable.
  • Ref: http://pb.specialised.info/all/adv/olly-int3-adv.txt

  • 05.20.11 - CVE: CAN-2005-1650, CAN-2005-1651, CAN-2005-1652, CAN-2005-1653
  • Platform: Third Party Windows Apps
  • Title: Woppoware PostMaster Multiple Vulnerabilities
  • Description: PostMaster is a combined email and proxy server. PostMaster is prone to multiple input validation and information disclosure vulnerabilities. Please look at the advisory for further details. These issues are reported to affect PostMaster version 4.2.2.
  • Ref: http://www.woppoware.com.au/index.htm

  • 05.20.12 - CVE: CAN-2005-1577
  • Platform: Third Party Windows Apps
  • Title: APG Technology ClassMaster Unauthorized Folder Access
  • Description: APG Technology ClassMaster is an application used to manage networks for schools. It is reported to be vulnerable to an issue that allows unauthorized access to users' folders. All available versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13604

  • 05.20.13 - CVE: CAN-2005-1260
  • Platform: Unix
  • Title: bzip2 Remote Denial of Service
  • Description: bzip2 is an open-source file compression/decompression utility. bzip2 is prone to a remote denial of service vulnerability. This issue arises when the application processes malformed archives. A successful attack can result in resource exhaustion and trigger a denial of service condition. bzip2 version 1.0.2 is reportedly affected by this issue.
  • Ref: http://www.bzip.org/index.html

  • 05.20.14 - CVE: Not Available
  • Platform: Unix
  • Title: pServ completedPath Remote Buffer Overflow
  • Description: pServ is a freely available, open source web server package. pServ is affected by a remotely exploitable buffer overflow vulnerability. pServ versions 3.2 and earlier are known to be vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=327708

  • 05.20.15 - CVE: CAN-2005-1365
  • Platform: Unix
  • Title: pServ Directory Traversal
  • Description: pServ is a freely available, open source web server package. pServ is affected by a directory traversal vulnerability that could allow a remote attacker to execute arbitrary commands on the computer. pServ versions 3.2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398310

  • 05.20.16 - CVE: CAN-2005-1366
  • Platform: Unix
  • Title: pServ Remote Source Code Disclosure
  • Description: pServ is a freely available, open source web server package. pServ is affected by a remote source code disclosure vulnerability. Reportedly, the application verifies a file as a script by checking the URI to the file. Information gathered through this attack could be used to launch further attacks against a system. pServ version 3.2 is reported to be vulnerable.
  • Ref: http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011

  • 05.20.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor TCP Timestamp PAWS Remote Denial of Service
  • Description: A denial-of-service vulnerability exists in implementations of the TCP extensions defined in RFC 1323. The issue lies in the Protection Against Wrapped Sequence Numbers (PAWS) mechanism, which was included to increase overall TCP performance. Please check the link below for details.
  • Ref: http://www.kb.cert.org/vuls/id/637934

  • 05.20.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Suite And Firefox Multiple Security Bypass Vulnerabilities
  • Description: Multiple issues exist in Mozilla Suite and Firefox. These issues allow attackers to bypass security checks in the script security manager. Mozilla browser versions 1.7.7 and earlier and Firefox versions 1.0.3 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13641

  • 05.20.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Suite And Firefox DOM Property Overrides Code Execution
  • Description: Mozilla Suite and Mozilla Firefox are affected by a code execution vulnerability due to a failure in the application to properly verify Document Object Model (DOM) property values. An attacker may leverage this issue to execute arbitrary code with the privileges of the user that activated the vulnerable Web browser. Please refer to the link below for vulnerable versions.
  • Ref: http://www.mozilla.org/security/announce/mfsa2005-44.html

  • 05.20.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Yahoo! Messenger URL Handler Remote Denial Of Service
  • Description: Yahoo! Messenger is a freely available chat client. Yahoo! Messenger is prone to a denial of service vulnerability. This issue is due to a failure in the application to handle exceptional conditions. An attacker can craft a malformed link by supplying characters preceded by an ampersand (&) after the first or third colon of the link. This issue is reported to affect Yahoo! Messenger versions 5.x to 6.0 for Windows.
  • Ref: http://seclists.org/lists/bugtraq/2005/May/0176.html

  • 05.20.21 - CVE: CAN-2005-1138
  • Platform: Cross Platform
  • Title: Kerio MailServer Multiple Denial of Service Vulnerabilities
  • Description: Kerio MailServer is vulnerable to multiple denial of service issues because the application does not handle exceptional conditions when processing certain e-mail messages. Kerio MailServer versions 6.0.9 and earlier are vulnerable.
  • Ref: http://www.kerio.com/kms_history.html

  • 05.20.22 - CVE: CAN-2005-1547
  • Platform: Cross Platform
  • Title: BakBone NetVault Remote Heap Overflow Code Execution
  • Description: NetVault is a backup and restore solution. BakBone NetVault is prone to a remote heap overflow vulnerability. This issue arises because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/398137

  • 05.20.23 - CVE: CAN-2005-1565
  • Platform: Cross Platform
  • Title: Bugzilla Authentication Information Disclosure
  • Description: Bugzilla is a bug tracking system. It is vulnerable to an information disclosure issue that could allow a user's authentication information to be embedded in links created during report generation. Bugzilla versions 2.19.2 and earlier are reported to be vulnerable.
  • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=287436

  • 05.20.24 - CVE: CAN-2005-1579
  • Platform: Cross Platform
  • Title: Apple QuickTime Quartz Composer File Information Disclosure
  • Description: Apple QuickTime is affected by a vulnerability that may allow remote attackers to disclose sensitive information. The issue arises when a malformed Quartz Composer file embedded in a QuickTime Video Clip file (.mov) is handled by the application. This could disclose information such as the computer name, OS version, and other hardware related data to an attacker. QuickTime 7 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398053

  • 05.20.25 - CVE: Not Available
  • Platform: Web Application
  • Title: PROMS Multiple Unspecified SQL Injection Vulnerabilities
  • Description: PROMS is a web based project management system implemented in PHP. PROMS is affected by multiple unspecified remote SQL injection vulnerabilities. PROMS versions 0.10 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13672/info/

  • 05.20.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress Edit.PHP Cross-Site Scripting
  • Description: Wordpress allows users to generate news pages and Web logs dynamically. Wordpress is affected by a cross-site scripting vulnerability. Wordpress versions 1.5 and earlier are known to be vulnerable.
  • Ref: http://codex.wordpress.org/Changelog/1.5.1

  • 05.20.27 - CVE: CAN-2005-1638
  • Platform: Web Application
  • Title: SafeHTML Quotes Handling Security Bypass
  • Description: SafeHTML is an HTML parser, which is designed to strip potentially malicious content such as tags and script code in HTML files. It is reported that SafeHTML does not filter HTML entities in a proper manner. An attacker can manipulate the use of quotes to bypass the security restrictions applied by SafeHTML. This can allow the attacker to exploit latent vulnerabilities in an application protected by SafeHTML. This issue has been addressed in SafeHTML version 1.3.2.
  • Ref: http://pixel-apes.com/safehtml/feed
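
The HTML injection and cross-site scripting entries in this part (the DotNetNuke "User-Agent" header issue in 05.20.7, the MetaCart and WordPress cross-site scripting issues, and the SafeHTML quote handling bypass directly above) share one root cause: untrusted text is placed into HTML without being encoded for the context it lands in. The following is an added example, not code from any of those projects or from the advisories: a hypothetical blacklist-style filter of the kind applications of this era relied on, beside the output-encoding approach. The attacker strings are constructed; the bypass shown is the generic attribute-quote breakout, not the specific SafeHTML defect.

```python
import html
import re

# Hypothetical "remove the dangerous tags" filter. It exists here only to show why
# tag removal is not the fix; it is not SafeHTML or any other real library.
BLACKLIST = re.compile(r"(?is)<\s*/?\s*(script|iframe|object|embed)[^>]*>")


def render_comment_filtered(author, comment):
    """Filter by blacklist, then interpolate raw: both the attribute and the body stay injectable."""
    return '<div class="comment" data-author="%s">%s</div>' % (author, BLACKLIST.sub("", comment))


def render_comment_encoded(author, comment):
    """Encode for the context the value lands in. html.escape(quote=True) also turns the
    quote characters into entities, which closes the attribute-breakout route."""
    return '<div class="comment" data-author="%s">%s</div>' % (
        html.escape(author, quote=True), html.escape(comment, quote=True))


def render_log_line(user_agent):
    """Same rule for data that arrives in a header rather than a form field: a User-Agent
    string shown on an admin page is still attacker-controlled text."""
    return "<tr><td>%s</td></tr>" % html.escape(user_agent, quote=True)


if __name__ == "__main__":
    author = 'bob" onmouseover="alert(1)'       # constructed: a quote breaks out of the attribute
    comment = '<img src=x onerror=alert(1)>'     # constructed: a tag the blacklist never names
    print(render_comment_filtered(author, comment))
    print(render_comment_encoded(author, comment))
    print(render_log_line('Mozilla/5.0 <script>alert(1)</script>'))
```

The filtered version strips a literal <script> tag and nothing else; the encoded version needs no list of bad tags because the browser never sees a tag at all.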

  • 05.20.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Help Center Live Multiple Input Validation Vulnerabilities
  • Description: Help Center Live is a Web based help desk application implemented in PHP. It is vulnerable to multiple input validation issues including HTML and SQL injection vulnerabilities due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit these issues to get hold of sensitive information or modify data. Help Center Live 1.2.7 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398457

  • 05.20.29 - CVE: Not Available
  • Platform: Web Application
  • Title: Help Center Live Administrator Command Execution
  • Description: Help Center Live is a Web based help desk application. It is vulnerable to an administrator command execution issue due to a failure of the application to properly validate access to administrative commands. This issue could permit a remote attacker to create a malicious URI link that performs some administrator function. Help Center Live versions 1.2.7 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398457

  • 05.20.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Serendipity Multiple Unspecified Remote Vulnerabilities
  • Description: Serendipity is a web log application. It is reported to be vulnerable to unspecified remote issues, such as allowing unauthorized users to upload certain files and cross-site scripting attacks. Serendipity version 0.8 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13669

  • 05.20.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress WP-Trackback.PHP SQL Injection
  • Description: Wordpress allows users to generate news pages and Web logs dynamically implementing PHP and a MySQL database. Wordpress is affected by an SQL injection vulnerability. Wordpress versions 1.5 and earlier are known to be vulnerable.
  • Ref: http://codex.wordpress.org/Changelog/1.5.1

  • 05.20.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress Post.PHP Cross-Site Scripting
  • Description: Wordpress allows users to generate news pages and web logs. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of the "p" parameter of the "post.php" script. WordPress version 1.5 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13663

  • 05.20.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Fusion News Script Code Injection
  • Description: FusionPHP Fusion News is a news management system. It is vulnerable to a remote PHP code injection issue due to insufficient sanitization of user-supplied input to the "comments.php" script. Fusion News versions 3.3 and 3.6.1 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13661/info/

  • 05.20.34 - CVE: CAN-2005-0040
  • Platform: Web Application
  • Title: DotNetNuke User Registration Information HTML Injection
  • Description: DotNetNuke (formerly known as the IBuySpy Workshop) is a web based content management system. DotNetNuke is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials.
  • Ref: http://www.checksum.org/main/component/option,com_mla/mla,1/act,message/id,22838

  • 05.20.35 - CVE: CAN-2005-1637
  • Platform: Web Application
  • Title: NPDS THOLD Parameter SQL Injection
  • Description: NPDS is a forum software. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "thold" parameter of the "comments.php" and "pollcomments.php" scripts. NPDS versions 5.0 and 4.8 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13649

  • 05.20.36 - CVE: CAN-2005-1642
  • Platform: Web Application
  • Title: WoltLab Burning Board Verify_email Function SQL Injection
  • Description: WoltLab Burning Board is a web based bulletin board. Insufficient sanitization of the "email" variable in the "verify_email()" function exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/398296

  • 05.20.37 - CVE: CAN-2005-1479
  • Platform: Web Application
  • Title: JGS-Portal Multiple Cross-Site Scripting and SQL Injection
  • Description: JGS-Portal is a portal plug-in for Woltlab Burning Board. It is vulnerable to multiple cross-site scripting and SQL injection issues due to a failure in the application to properly sanitize user-supplied input. An attacker may exploit these issues to steal cookie based credentials or compromise the database. JGS-Portal versions 3.02 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398315

  • 05.20.38 - CVE: CAN-2005-1639
  • Platform: Web Application
  • Title: Sigma ISP Manager Sigmaweb.DLL SQL Injection
  • Description: Sigma ISP Manager is an accounting service for ISPs. Insufficient sanitization of user supplied input to the "sigmaweb.dll" file exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13640

  • 05.20.39 - CVE: CAN-2005-0040
  • Platform: Web Application
  • Title: DotNetNuke Failed Logon Username Application Logs HTML Injection
  • Description: DotNetNuke is a web-based content management system. It is reported to be vulnerable to an HTML injection issue due to improper sanitization of user-supplied input to the username parameter. DotNetNuke versions 3.1.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13647

  • 05.20.40 - CVE: Not Available
  • Platform: Web Application
  • Title: 1Two Livre D'Or Guestbook.PHP Multiple HTML Injection Vulnerabilities
  • Description: 1Two Livre D'Or is a Web site guest book script implemented in PHP. 1Two Livre D'Or is affected by multiple HTML injection vulnerabilities. 1Two Livre D'Or versions 1.0 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13631

  • 05.20.41 - CVE: CAN-2005-1620
  • Platform: Web Application
  • Title: Skull-Splitter Guestbook Multiple HTML Injection Vulnerabilities
  • Description: Skull-Splitter Guestbook is a Web based application written in PHP. It is prone to multiple HTML injection vulnerabilities. This is due to the application failing to properly sanitize user-supplied input prior to including it in dynamically generated content. An attacker could also exploit this issue to control how the site is rendered to the user. Skull-Splitter Guestbook versions 1.0, 2.0, and 2.2 have been reported to be vulnerable, however other versions may be affected as well.
  • Ref: http://seclists.org/lists/bugtraq/2005/May/0187.html

  • 05.20.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Shop-Script CategoryID SQL Injection
  • Description: Shop-Script is Web shopping cart software. Shop-Script Free is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "categoryID" parameter of "index.php" before using it in an SQL query. This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
  • Ref: http://www.shop-script.ru/

  • 05.20.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Shop-Script ProductID SQL Injection
  • Description: Shop-Script is web shopping cart software. Insufficient sanitization of the "productID" parameter in the "index.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13635
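
The two Shop-Script entries above, and the other SQL injection items in this part (the WoltLab "email" variable, the Ultimate PHP Board "postorder" parameter, the ASP Portal "password" parameter), all come down to building SQL text from a request parameter. The following is an added example, not code from any of those products: an in-memory SQLite database stands in for the shop's catalogue and user table (constructed data, plaintext password only for the demonstration), a query built the vulnerable way sits beside the same query with a type check and bound parameters, and a second pair shows the string-parameter variant used against login forms.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory catalogue and user table standing in for a shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, category_id INTEGER, name TEXT, hidden INTEGER);
        INSERT INTO products VALUES (1, 10, 'Public widget', 0);
        INSERT INTO products VALUES (2, 10, 'Public gadget', 0);
        INSERT INTO products VALUES (3, 20, 'Unreleased item', 1);
        CREATE TABLE users (username TEXT, password TEXT);  -- plaintext only for the demo
        INSERT INTO users VALUES ('admin', 'correct horse battery staple');
    """)
    return conn


# --- the pattern behind the categoryID / productID style findings ------------------

def products_by_category_vulnerable(conn, category_id):
    """Builds the SQL text from the raw request parameter: the parameter can rewrite the query."""
    sql = "SELECT name FROM products WHERE category_id = %s AND hidden = 0" % category_id
    return [row[0] for row in conn.execute(sql)]


def products_by_category_safe(conn, category_id):
    """Validate the type, then bind the value; the SQL text never changes."""
    try:
        cid = int(category_id)
    except (TypeError, ValueError):
        raise ValueError("categoryID must be an integer")
    sql = "SELECT name FROM products WHERE category_id = ? AND hidden = 0"
    return [row[0] for row in conn.execute(sql, (cid,))]


def categoryid_rejected(conn, value):
    """True if the safe version refuses the value outright."""
    try:
        products_by_category_safe(conn, value)
        return False
    except ValueError:
        return True


# --- the pattern behind the login.asp "password" parameter finding ------------------

def login_vulnerable(conn, username, password):
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_demo_db()
    payload = "10 OR 1=1 --"            # the comment removes "AND hidden = 0" from the query
    print("vulnerable:", products_by_category_vulnerable(db, payload))
    print("safe rejects payload:", categoryid_rejected(db, payload))
    print("login bypass:", login_vulnerable(db, "admin", "' OR '1'='1"),
          "| safe:", login_safe(db, "admin", "' OR '1'='1"))
```

With the constructed payload the vulnerable catalogue query returns the hidden row as well, and the vulnerable login accepts an empty password. The bound versions treat the same strings as data: the integer check rejects the first outright, and the second simply fails to match any row.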

  • 05.20.44 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke Blocks Module Directory Traversal
  • Description: PostNuke is a web-based content management system. PostNuke Blocks module is vulnerable to a directory traversal issue due to a failure of the application to sanitize user-supplied data prior to using it to access the host computer's file system. An attacker may leverage this issue to disclose arbitrary files on an affected computer. PostNuke versions 0.76 RC4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398293
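
The PostNuke Blocks module issue above and the pServ directory traversal in 05.20.15 are the same failure: a path taken from the request is used to open a file without confirming that the resolved file is still under the directory the application intended to serve. The following is an added example, not code from pServ, PostNuke or either advisory. It decodes the request path once, then compares the fully resolved filesystem path against the resolved document root, so encoded dots, redundant slashes and "..", and a NUL byte are all caught by the same test. The document root and request paths are constructed and need not exist on disk.

```python
import os
from urllib.parse import unquote


class Forbidden(Exception):
    """Request rejected: the path would leave the document root."""


def resolve_under_root(doc_root, request_path):
    """Map a URL path onto a filesystem path under doc_root, or raise Forbidden.

    The check is made on the fully resolved path rather than by searching for "..",
    so encoded dots (%2e%2e), redundant slashes and symlinks inside the root are all
    handled by one comparison."""
    decoded = unquote(request_path)          # decode once; decoding twice reopens the hole
    if "\x00" in decoded:
        raise Forbidden("NUL byte in path")  # would truncate the name in a C runtime
    root = os.path.realpath(doc_root)
    # strip leading slashes so os.path.join cannot be told to start again from "/"
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise Forbidden("path escapes document root: %s" % request_path)
    return candidate


def is_request_path_safe(doc_root, request_path):
    """True if the request would be served from inside doc_root."""
    try:
        resolve_under_root(doc_root, request_path)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Constructed requests against an assumed document root; nothing here needs to exist.
    root = "/srv/www/htdocs"
    for path in ("/index.html", "/docs/../index.html", "/../../../etc/passwd",
                 "..%2f..%2f..%2fetc%2fpasswd", "/index.html%00.txt"):
        print("%-32s %s" % (path, "ok" if is_request_path_safe(root, path) else "refused"))
```

A request that merely contains ".." is not refused for that reason alone: "/docs/../index.html" resolves to a file inside the root and is served. What is refused is any path whose resolved form is outside the root, whichever encoding was used to get there.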

  • 05.20.45 - CVE: CAN-2005-1628
  • Platform: Web Application
  • Title: WebAPP Apage.CGI Remote Command Execution
  • Description: WebAPP is a web message board. It is reported to be vulnerable to a remote command execution issue due to improper sanitization of user-supplied input to the "f" parameter of the "apage.cgi" script. WebAPP versions 0.9.9.2.1, 0.9.9.2 and 0.9.9 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13637

  • 05.20.46 - CVE: CAN-2005-1615
  • Platform: Web Application
  • Title: Ultimate PHP Board SQL Injection
  • Description: Ultimate PHP Board is a PHP bulletin board. It is vulnerable to an SQL injection issue due to insufficient sanitization of user supplied input to the "postorder" parameter of the "viewforum.php" script. Ultimate PHP Board versions 1.9.6 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398127

  • 05.20.47 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenBB Read.PHP SQL Injection
  • Description: OpenBB is a freely available, open source bulletin board software package. OpenBB is affected by an SQL injection vulnerability. OpenBB versions 1.0.8 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398162

  • 05.20.48 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenBB Member.PHP Cross-Site Scripting
  • Description: OpenBB is a freely available, open source bulletin board software package. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "reverse" parameter of "member.php". This may facilitate the theft of cookie-based authentication credentials as well as other attacks. This issue reportedly affects OpenBB version 1.0.8.
  • Ref: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-05/0174.html

  • 05.20.49 - CVE: CAN-2005-1619
  • Platform: Web Application
  • Title: PHPMyChat Start-Page.CSS.PHP3 Cross-Site Scripting
  • Description: phpMyChat is web based chat software. Insufficient sanitization of the "FontName" parameter in the "start-page.css.php3" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13627

  • 05.20.50 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPHeaven PHPMyChat Style.CSS.PHP3 Cross-Site Scripting
  • Description: phpMyChat is Web based chat software. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "FontName" parameter of "style.css.php3". An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. phpMyChat version 0.14.5 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/398167

  • 05.20.51 - CVE: Not Available
  • Platform: Web Application
  • Title: ASP Portal Login.ASP Password Parameter SQL Injection
  • Description: ASP Portal is a portal web site application. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "password" parameter of the "login.asp" script. ASP Portal version 2.0 Beta is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13629

  • 05.20.52 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPBB Attachment Mod Unspecified Realname
  • Description: Attachment Mod adds the functionality of attaching files in phpBB2. Attachment Mod for phpBB is prone to an unspecified vulnerability regarding "realnames". It is conjectured the application fails to perform proper sanitization on user-supplied data. This could result in various forms of attack. Versions 2.3.11 and 2.3.12 of the software are known to be vulnerable.
  • Ref: http://sourceforge.net/forum/forum.php?forum_id=465878

  • 05.20.53 - CVE: CAN-2005-1629
  • Platform: Web Application
  • Title: PhotoPost PHP Pro Member.PHP SQL Injection
  • Description: PhotoPost PHP Pro is a web-based image gallery application. Insufficient sanitization of the "uid" parameter in the "member.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13620

  • 05.20.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Booby Private Bookmark Disclosure Vulnerability
  • Description: Booby is a Web-based personal information manager. It is vulnerable to an issue that could allow an attacker to retrieve users' private bookmarks and thereby get hold of private data. Booby versions 1.0.1 and earlier are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=326826

  • 05.20.55 - CVE: CAN-2005-1616
  • Platform: Web Application
  • Title: Ultimate PHP Board ViewForum.PHP Cross-Site Scripting
  • Description: Ultimate PHP Board (UPB) is a bulletin board application. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of the "postorder" parameter of the "viewforum.php" script. Ultimate PHP Board version 1.9.6 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13621

  • 05.20.56 - CVE: CAN-2005-1569
  • Platform: Web Application
  • Title: DirectTopics HTML Injection
  • Description: DirectTopics is Web-based forum software implemented in PHP with a MySQL backend. DirectTopics is prone to an HTML injection vulnerability. Specifically, user-supplied input to posted threads is not sanitized, allowing script or HTML code to be included in forum topics. Attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials.
  • Ref: http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-05/0146.html

  • 05.20.57 - CVE: CAN-2005-1567
  • Platform: Web Application
  • Title: DirectTopics Topic.PHP SQL Injection
  • Description: DirectTopics is web-based forum software. Insufficient sanitization of the "topic" parameter in the "topic.php" script exposes the application to an SQL injection issue. DirectTopics versions 2.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/398059
  • 05.20.59 - CVE: Not Available
  • Platform: Web Application
  • Title: 1Two News Multiple HTML Injection Vulnerabilities
  • Description: 1Two News is a PHP Web application for monitoring and commenting on news items. It is vulnerable to multiple HTML injection issues due to a failure in the application to properly sanitize input to the "index.php" script. An attacker might exploit this issue to steal cookie-based authentication credentials and perform other attacks.
  • Ref: http://www.hackisknowledge.org/Advisories/1Two%20News%20v1.0/1Two%20News%20v1.0.html

  • 05.20.60 - CVE: CAN-2005-1580
  • Platform: Web Application
  • Title: BoastMachine Remote Arbitrary File Upload
  • Description: BoastMachine is a Web-based forum application. BoastMachine is affected by a remote arbitrary file upload vulnerability. BoastMachine versions 3.0 platinum and earlier are known to be vulnerable.
  • Ref: http://www.kernelpanik.org/docs/kernelpanik/bmachines.txt

  • 05.20.61 - CVE: CAN-2005-1562,CAN-2005-1561
  • Platform: Web Application
  • Title: MaxWebPortal Multiple Remote Vulnerabilities
  • Description: MaxWebPortal is a web portal and online community system. Multiple cross-site scripting, SQL and HTML injection issues were found in version 1.3.5 of the application. Please refer to the link below for details.
  • Ref: http://www.securityfocus.com/archive/1/398003

  • 05.20.62 - CVE: CAN-2005-1587
  • Platform: Web Application
  • Title: Open Solution Quick.Cart Index.PHP Cross-Site Scripting
  • Description: Quick.Cart is a shopping cart application. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "sWord" parameter of the "index.php" script. Quick.Cart version 0.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13599

  • 05.20.63 - CVE: CAN-2005-1566
  • Platform: Network Device
  • Title: Acrowave AAP-3100AR Wireless Router Authentication Bypass
  • Description: The Acrowave AAP-3100AR wireless router is reported to be vulnerable to an authentication bypass issue. The issue presents itself when an attacker connects to the device using telnet and sends a control-C interrupt sequence. The device will allow access without validating the supplied credentials.
  • Ref: http://www.securityfocus.com/bid/13613

  • 05.20.64 - CVE: CAN-2005-1558,CAN-2005-1559,CAN-2005-1560
  • Platform: Network Device
  • Title: NexusWay Border Gateway Multiple Vulnerabilities
  • Description: Neteyes NexusWay is a border gateway device. It is affected by multiple vulnerabilities ranging from unauthorized remote command execution to gaining administrative access. All versions of NexusWay are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398007

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS' other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.