
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 21
May 26, 2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                      # of Updates & Vulnerabilities
    Microsoft Office              1 (#4)
    Other Microsoft Products      1
    Third Party Windows Apps      8 (#6)
    Mac Os                        1 (#3)
    Linux                         4
    Solaris                       10
    Unix                          3
    Novell                        1
    Cross Platform                11 (#1, #2, #5, #8, #9)
    Web Application               18 (#7)
    Network Device                2

*************************************************************************
Why Do Security Professionals Get More Value From SANS Than from Any Other Source?

"Years of experience downloaded into your brain in 6 days."
- Chris Koutras, Titan, Inc.

"The perfect balance of theory and hands on experience."
- James D. Perry II, University of Tennessee

"SANS courses bring the best of the best to one place to teach cutting- edge information."
- Jeremy Baca, Sandia National Labs

"SANS has opened my eyes to things I never would have considered based on my own research."
- Doug Wells, Media General, Inc.

Upcoming programs in Washington, Atlanta, Portland, London, Ottawa, Madrid or in your home.
Training schedule posted at: http://www.sans.org
**********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Solaris
Unix
Novell
Cross Platform
Web Application
Network Device

*********************** Sponsored Links *********************************
These links take you outside SANS:

1) UpdateEXPERT patch management supports Microsoft, Red Hat Linux, Solaris and custom patches.
FREE 15-day trial available now! http://www.sans.org/info.php?id=782
*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Computer Associates and Zone Alarm Vet Library Overflow
  • Affected:
    • CA InoculateIT 6.0
    • CA eTrust Antivirus r6.0/r7.0/r7.1
    • CA eTrust Antivirus for the Gateway r7.0/r7.1
    • CA eTrust Secure Content Manager
    • CA eTrust Intrusion Detection
    • CA BrightStor ARCserve Backup (BAB) r11.1 Windows
    • CA eTrust EZ Armor 2.x/3.x
    • Any products running CA Vet Engine version prior to 11.9.1
    • Zonelabs ZoneAlarm Security Suite
    • Zonelabs ZoneAlarm Antivirus
    • Other vendors who use the Vet Library
  • Description: Computer Associates' and Zone Alarm's Vet Engine library (VetE.dll) is responsible for detecting viruses and other malware. The library can parse and scan OLE objects. (Object Linking and Embedding (OLE) is a standard defined by Microsoft that allows creating compound documents such as embedding an Excel spreadsheet in a Word document.) The Vet Engine contains a heap-based overflow that can be triggered by a malicious OLE document such as Microsoft Word, Powerpoint, Access, etc. An attacker can exploit this flaw by sending a malicious document via mail, web, FTP or a shared server. The discoverer has posted the disassembly of the VetE.dll highlighting the instructions that lead to the overflow. Note that no user interaction is required to exploit this flaw via email.

  • Status: CA has released updates for various products. CA Antivirus and EZ Armor products may already be up-to-date via the automatic signature updates. ZoneAlarm has made updates available that will get downloaded automatically during the daily update process.

  • Council Site Actions: Only one council site responded to this item. They have a small deployment of Zone Labs products resulting from personal purchases. They will be relying on Zone Labs daily update functionality to update the affected systems.

  • References:
  • (2) MODERATE: Multiple Vendor TCP Timestamp Vulnerability
  • Affected:
    • A number of vendors including Cisco and Microsoft. For a list of all the vendors, please refer to the CERT Advisory.
  • Description: This vulnerability in certain TCP implementations can be exploited to cause a denial of service by forcing either end of a TCP connection to drop TCP segments, which eventually resets the connection. The problem arises from the way some TCP stacks implement the TCP timestamp option. To preserve TCP performance over high-bandwidth links, RFC 1323 introduced the Timestamp option and PAWS (Protection Against Wrapped Sequence numbers). PAWS uses the TCP timestamp option to tell new TCP segments from old duplicates. The vulnerability arises because some TCP stacks use the TCP timestamp to process further TCP segments without validating the TCP sequence numbers. Hence, an attacker who can guess the IP addresses and port numbers of the two ends of a TCP connection can inject TCP packets into the connection with crafted timestamp values. This can lead to resetting the connection or corrupting the data transfer between the two ends. Higher-level protocols that use long-lasting TCP sessions, such as the Border Gateway Protocol (BGP), are most affected by this vulnerability. Exploit code has been publicly posted.

  • Status: Cisco has released an advisory and posted updates. Microsoft patch MS05-019 also fixes this vulnerability. For a detailed status on other vendors, please refer to the CERT advisory below.

  • Council Site Actions: All council sites have either deployed patches or plan to deploy them once they are available from the vendor. One site is still verifying that PAWS and Timestamps are not in use on any of their servers that are vulnerable to this attack. If any are found, the Timestamp/PAWS feature will be disabled. Another site is actively engaging with vendors that have not released patches but are known to use vulnerable platforms. A final site does plan to install the patches but is treating this as a low urgency event since very few of their machines maintain long-duration TCP sessions and thus very few are likely victims of an attack.

  • References:
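To see why RFC 1323 orders its checks the way it does, here is an added model (not code from the advisory or from any vendor's TCP stack) of a receiver's segment acceptance test, run once in the flawed order the description above refers to and once in the RFC order. It assumes a simplified, non-wrapping receive window; the timestamp comparison itself uses 32-bit serial arithmetic.

```python
"""Model of the TCP timestamp / PAWS acceptance test from RFC 1323 section 4.2.

Constructed illustration, not code from the advisory or from any vendor's
stack. Sequence numbers are kept small and non-wrapping for readability;
the timestamp comparison does use 32-bit modular arithmetic."""
from dataclasses import dataclass

TS_MODULUS = 2 ** 32


def ts_lt(a, b):
    """True when timestamp a is older than b in 32-bit serial arithmetic."""
    return (a - b) % TS_MODULUS >= 2 ** 31


@dataclass
class Receiver:
    rcv_nxt: int              # next sequence number expected from the peer
    rcv_wnd: int              # receive window size
    ts_recent: int            # TS.Recent, the timestamp echoed back to the peer
    last_ack_sent: int        # Last.ACK.sent
    validate_seq_first: bool  # True: RFC 1323 order; False: the flawed order

    def in_window(self, seq, length):
        """RFC 793 acceptability test: first or last octet inside the window."""
        lo, hi = self.rcv_nxt, self.rcv_nxt + self.rcv_wnd
        if length == 0:
            return lo <= seq < hi
        return lo <= seq < hi or lo <= seq + length - 1 < hi

    def receive(self, seq, length, tsval):
        """Return 'accept', 'drop:paws' or 'drop:out-of-window' for one segment."""
        # R1: PAWS. A segment whose timestamp is older than TS.Recent is treated
        # as a delayed duplicate from an earlier sequence-number wrap and dropped.
        if ts_lt(tsval, self.ts_recent):
            return "drop:paws"
        if not self.validate_seq_first:
            # Flawed stacks: TS.Recent is refreshed from any segment that passed
            # R1, before its sequence number has been checked against the window.
            self.ts_recent = tsval
        # R2: ordinary sequence-number window check.
        if not self.in_window(seq, length):
            return "drop:out-of-window"
        # R3 (RFC 1323): update TS.Recent only from an in-window segment that
        # covers the next octet the receiver will acknowledge.
        if self.validate_seq_first and seq <= self.last_ack_sent:
            self.ts_recent = tsval
        if seq == self.rcv_nxt:                  # in-order data: advance
            self.rcv_nxt += length
        self.last_ack_sent = self.rcv_nxt
        return "accept"


def simulate(validate_seq_first):
    """A long-lived session (think BGP peering) receiving in-order data, then
    one off-path segment whose sequence number is far outside the window and
    whose timestamp is far in the future, then more data from the real peer.
    All numbers are constructed for the example."""
    rx = Receiver(rcv_nxt=1000, rcv_wnd=16384, ts_recent=500,
                  last_ack_sent=1000, validate_seq_first=validate_seq_first)
    return [rx.receive(1000, 100, 501),           # legitimate
            rx.receive(1100, 100, 502),           # legitimate
            rx.receive(5_000_000, 100, 500_000),  # off-path: bogus seq and tsval
            rx.receive(1200, 100, 503),           # legitimate
            rx.receive(1300, 100, 504)]           # legitimate
```

In the flawed order a single out-of-window segment poisons TS.Recent and every later legitimate segment fails the PAWS test, so the session stalls; in the RFC order the same segment is discarded with no side effect, which is why a patch that validates sequence numbers first (or, failing that, disabling the timestamp option as one council site plans) removes the problem.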
  • (3) MODERATE: Mac OS Arbitrary Widget Download
  • Affected:
    • Mac OS X version 10.4
  • Description: Apple has released an update for Mac OS X 10.4 that fixes a number of vulnerabilities. The most important vulnerability is the automatic downloading of widgets through Safari browser. A malicious website can exploit this flaw to install arbitrary widgets on a Mac client without any user warning. In general, widgets don't have access to system resources without user prompting. However, there is some evidence that certain widgets may be able to access system resources without user prompting. This can lead to further compromise of the client system.

  • Status: Download the 10.4.1 update for Mac OS. An alternative is to delete suspicious Widgets from ~/Library/Widgets folder.

  • Council Site Actions: Only one site is running the affected O/S version. The great majority of their affected systems have been updated through the Software Update facility.

  • References:
  • (4) MODERATE: Microsoft Word MCW File Handling Overflow
  • Affected:
    • Word 2000 prior to SP3
  • Description: Microsoft Word reportedly contains an overflow in handling files with ".mcw" extension. The MCW format is the Microsoft Word format for Macintosh computers. The discoverer's posting indicates that by changing certain fields in an MCW file, an attacker can control the execution flow of the Word program. Hence, a malicious webpage or an HTML email may exploit this flaw to execute arbitrary code on a user's system. A proof-of-concept MCW document has been posted.

  • Status: Microsoft has not confirmed. The discoverer reports that Word 2002 SP3 is not vulnerable.

  • Council Site Actions: Most of the council sites plan to deploy the patch once it becomes available. One site said they have had limited success in convincing end users to recognize that Office Update is important in addition to Windows Update. They are hoping that users obtain Word updates more promptly after the Microsoft Update facility becomes available.

  • References:
  • (5) LOW: Cisco Multiple Products DNS Compression Vulnerability
  • Affected:
    • Cisco IP Phones 7902/7905/7912
    • Cisco ATA (Analog Telephone Adaptor) 186/188
    • Cisco Unity Express
    • Cisco ACNS (Application and Content Networking System) devices, including:
    • Cisco 500/7300 Series Content Engines
    • Cisco Content Routers 4400 series
    • Cisco Content Distribution Manager 4600 series
    • Cisco Content Engine Module for Cisco 2600, 2800, 3600, 3700, and 3800 series Integrated Service Routers
  • Description: Multiple Cisco products, including certain VoIP products, are vulnerable to a denial of service condition that can be triggered by a specially crafted DNS packet. The DNS protocol defines a compression scheme that removes repetitions of the same host or domain name within a DNS packet. For example, if the query section of a DNS packet contains the name www.google.com, the answer section can use just 2 bytes to point back to that name with a DNS compression pointer. A DNS packet with a specially crafted compression pointer causes some Cisco DNS clients to enter an infinite loop, thereby causing a DoS. Since these products do not run a DNS server, an attacker would need to either run a malicious DNS server or spoof a DNS response targeted at the affected products in order to exploit this flaw.

  • Status: Cisco confirmed, updates available. Note: NISCC UK, the British agency that reported this vulnerability, has not listed other vendors that may be vulnerable to a similar flaw yet. Depending on the affected vendor component (DNS server/client/IDS or IPS parser), the severity of this vulnerability will vary. The "LOW" rating applies only to Cisco products.

  • Council Site Actions: Two of the council sites are responding to this item. The first site is still investigating the level of vulnerability on their network. The second believes some of their departments have purchased Cisco IP Phones, but the numbers are very small. They anticipate that software updates will occur within the next three months. Another site is running affected products, but not in front of DNS; thus they are not vulnerable.

  • References:
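Item (5) turns on how a name decoder follows compression pointers. As an added example (not code from the advisory, from NISCC or from Cisco), here is a DNS name decoder with the two checks that keep a crafted pointer from looping or reading past the buffer, exercised on a constructed response and three malformed variants; the message bytes are built for this example only.

```python
"""Defensive decoder for DNS compressed names (RFC 1035 section 4.1.4).

Constructed example, not code from the advisory: it shows the checks a DNS
client needs so that a crafted compression pointer cannot send the decoder
into an infinite loop, on a hand-built response plus malformed variants."""
import struct

MAX_NAME_OCTETS = 255  # RFC 1035 section 2.3.4 limit on a wire-format name


def read_name(msg, offset):
    """Decode the name at `offset`; return (dotted name, offset after the field).

    A pointer ends the field in the stream, so the returned offset is the
    position after the first pointer seen, not after the pointed-to data.
    Raises ValueError instead of looping or reading past the buffer."""
    labels = []
    end = None
    octets = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if end is None:
                end = offset + 2
            # Check 1: a pointer must refer to an earlier part of the message.
            # A self-pointer, a forward pointer and a pointer cycle all fail
            # this, so every hop strictly decreases `offset` and decoding ends.
            if target >= offset:
                raise ValueError("pointer at %d does not point backwards (-> %d)"
                                 % (offset, target))
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type 0x%02x" % (length & 0xC0))
        if length == 0:                              # root label ends the name
            return ".".join(labels), end if end is not None else offset + 1
        # Check 2: bound both the label and the total decoded length.
        if offset + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        octets += 1 + length
        if octets > MAX_NAME_OCTETS:
            raise ValueError("name longer than %d octets" % MAX_NAME_OCTETS)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def parse_names(msg):
    """Return the NAME fields of the question and answer sections of a response.
    Fixed-size fields are skipped; RDATA is skipped by its declared length."""
    if len(msg) < 12:
        raise ValueError("short header")
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    pos, names = 12, []
    for _ in range(qdcount):
        name, pos = read_name(msg, pos)
        names.append(name)
        pos += 4                                     # QTYPE, QCLASS
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        names.append(name)
        if pos + 10 > len(msg):
            raise ValueError("truncated RR header")
        rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlength
        if pos > len(msg):
            raise ValueError("truncated RDATA")
    return names


def classify(msg):
    """('ok', names) for a well-formed response, ('malformed', reason) otherwise."""
    try:
        return "ok", parse_names(msg)
    except ValueError as exc:
        return "malformed", str(exc)


# Constructed sample response for www.example.com: header (12 bytes), one
# question (21 bytes), one A record whose NAME is a pointer to offset 12.
HEADER = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
QUESTION = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
GOOD = HEADER + QUESTION + ANSWER

# The answer NAME sits at offset 33 (0x21). Three ways to corrupt its pointer:
SELF_LOOP = HEADER + QUESTION + b"\xc0\x21" + ANSWER[2:]          # points to itself
OUT_OF_RANGE = HEADER + QUESTION + b"\xc0\xff" + ANSWER[2:]       # points past the end
MUTUAL_LOOP = HEADER + QUESTION + b"\xc0\x23\xc0\x21" + ANSWER[2:]  # 33 -> 35 -> 33
```

A decoder without check 1 spins forever on SELF_LOOP and MUTUAL_LOOP, which is the DoS condition the item describes; with it, each case is rejected on the first hop.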
Other Software
  • (7) HIGH: phpATM Remote File Include Vulnerability
  • Affected:
    • phpATM version 1.21 and earlier
  • Description: phpATM software provides file upload and download functions for web servers. This software contains a file include vulnerability. An attacker can pass a PHP file location to the "include_location" parameter, and execute arbitrary PHP code on the webserver running phpATM. This flaw has reportedly been exploited in the wild.

  • Status: phpATM has released version 1.30 that fixes the issue.

  • Council Site Actions: The affected software and/or configuration is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
  • (9) Mozilla Firefox Remote Code Execution Vulnerabilities
  • Description: Mozilla has released complete details of the remote code execution vulnerabilities in versions prior to 1.0.4.

  • Council Site Actions: Responses vary at the council sites. Some sites have advised their users to upgrade to version 1.0.4. Some sites are not taking action because Firefox is not a supported browser. One of these sites said that they would rely on Cisco Security Agent to prevent the code execution. Another site says they don't support Firefox, but do support Netscape, which has even bigger problems. Their plan is to go to Netscape 8.0.1, but this isn't firm yet.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 21, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4339 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.21.1 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Word MCW File Handler Buffer Overflow
  • Description: Microsoft Word is reported to be vulnerable to a buffer overflow issue due to improper boundary checks while handling ".mcw" files.
  • Ref: http://www.securityfocus.com/bid/13687

  • 05.21.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Outlook HTML Email URI Spoofing
  • Description: Microsoft Outlook is reportedly vulnerable to a URI spoofing issue that allows a URI in an email message to be misrepresented. An attacker can exploit this vulnerability by creating an HTML email message containing a specially crafted URI and tricking users into following links to untrusted sites. All current versions of Microsoft Outlook are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398497

  • 05.21.3 - CVE: CAN-2005-1256, CAN-2005-1249, CAN-2005-1255,CAN-2005-1252, CAN-2005-1254
  • Platform: Third Party Windows Apps
  • Title: Ipswitch IMail Server Multiple Unspecified Vulnerabilities
  • Description: Ipswitch IMail is an email server that serves clients their mail via a web interface. Ipswitch IMail is prone to multiple remote vulnerabilities. These issues may be exploited to deny service for legitimate users and disclose potentially sensitive information. Please refer to the advisory for further details.
  • Ref: http://www.ipswitch.com/products/imail_server/index.html

  • 05.21.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Warrior Kings And Warrior Kings: Battles Remote Format String Vulnerability
  • Description: Warrior Kings and Warrior Kings: Battles are games for the Microsoft Windows platform. They are vulnerable to a remote format string vulnerability due to a failure of the application to securely implement a formatted printing function, allowing an attacker to execute arbitrary code on a vulnerable machine. Warrior Kings version 1.3 and Warrior Kings: Battles version 1.2.3 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398730

  • 05.21.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Warrior Kings: Battles Remote Denial of Service
  • Description: Warrior Kings: Battles is a game for the Microsoft Windows platform. It is reported to be vulnerable to a remote denial of service issue due to improper handling of exceptional conditions. Warrior Kings: Battles version 1.23 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13712

  • 05.21.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sambar Server Administrative Interface Multiple Cross-Site Scripting Vulnerabilities
  • Description: Sambar Server is a multi-threaded Web server. Sambar Server administrative interface does not adequately filter some HTML code thus making it prone to cross-site scripting attacks. This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the Web site running the vulnerable software. This vulnerability was reported for Sambar Server 6.2 and earlier.
  • Ref: http://www.sambar.com/security.htm

  • 05.21.7 - CVE: CAN-2005-1677
  • Platform: Third Party Windows Apps
  • Title: Groove Networks Groove Virtual Office COM Object Security Bypass
  • Description: Groove Virtual Office consists of a collaborative working environment that allows users to share files, manage projects, and perform other business tasks remotely. Groove Virtual Office is prone to a security bypass vulnerability with regards to COM objects. A failure in the application could permit an attacker to execute arbitrary code, divulge sensitive information or cause a denial of service condition. This issue has been addressed in Groove Virtual Office 3.1 build 2338, 3.1a build 2364, and Groove Workspace Version 2.5n build 1871.
  • Ref: http://www.kb.cert.org/vuls/id/155610

  • 05.21.8 - CVE: CAN-2005-1678
  • Platform: Third Party Windows Apps
  • Title: Groove Virtual Office File Extension Obfuscation Vulnerability
  • Description: Groove Virtual Office allows users to share files and manage projects. It is affected by a file extension obfuscation issue when a malicious file is embedded in or attached to a compound document. Groove Networks Workspace versions 2.5 and earlier are affected.
  • Ref: http://www.kb.cert.org/vuls/id/232232

  • 05.21.9 - CVE: CAN-2005-1676
  • Platform: Third Party Windows Apps
  • Title: Groove Networks Groove Virtual Office Arbitrary Script Injection
  • Description: Groove Virtual Office is a collaboration application that uses Microsoft Windows SharePoint Services. It is vulnerable to an arbitrary script injection vulnerability due to insufficient sanitization of user-supplied data and could allow unauthorized remote access in the context of the application. Please refer to the following link for vulnerable versions.
  • Ref: http://www.kb.cert.org/vuls/id/514386

  • 05.21.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Avast! Antivirus Scan Evasion
  • Description: Avast! Antivirus is vulnerable to an unspecified scan evasion issue. It has been reported that the software is unable to properly handle certain unspecified types of files. Avast! Antivirus Professional and Home Edition version 4.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/13671/info/

  • 05.21.11 - CVE: CAN-2005-1474
  • Platform: Mac Os
  • Title: Mac OS X Safari Dashboard Widget Download Validation Bypass Issue
  • Description: Apple Mac OS X contains a Dashboard framework that allows users to have small applications, or widgets, quickly accessible. Apple Mac OS X is susceptible to a Safari download validation bypass vulnerability when downloading Dashboard widgets. This issue is due to Safari improperly considering Dashboard widgets to be "safe" content. Mac OS X version 10.4 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13694

  • 05.21.12 - CVE: CAN-2005-1522
  • Platform: Linux
  • Title: Mailutils imap4d Remote Denial of Service
  • Description: The GNU mailutils is a collection of mail-related utilities. The imap4d server is vulnerable to a remote denial of service vulnerability because the application is unable to handle a sequence range argument to the FETCH command. GNU Mailutils versions 0.5 and 0.6 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398908

  • 05.21.13 - CVE: Not Available
  • Platform: Linux
  • Title: Gibraltar Firewall Antivirus Scan Evasion Vulnerability
  • Description: Gibraltar is a Debian GNU/Linux based firewall application. It is vulnerable to an antivirus scan evasion issue due to a change of features in the ClamAV antivirus scanning plugin for the squid proxy. Gibraltar Firewall version 2.2 is vulnerable.
  • Ref: http://gibraltar.at/changes.php?onlyLastVersion=1&htmlOutput=1&to=2.2a

  • 05.21.14 - CVE: Not Available
  • Platform: Linux
  • Title: gxine Hostname Format String Issue
  • Description: gxine is a GTK+ graphical user interface. It is vulnerable to a remote format string vulnerability due to the improper use of the "g_strdup_vprintf()" formatted printing function. gxine versions 0.4.4 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398687

  • 05.21.15 - CVE: Not Available
  • Platform: Linux
  • Title: gedit Filename Format String Issue
  • Description: gedit is an open source text processing application. It is vulnerable to a format string issue because the application is unable to process filenames with malicious format specifiers. gEdit version 2.2.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398634

  • 05.21.16 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris BCP libmle Unspecified Buffer Overflow
  • Description: An unspecified buffer overflow vulnerability exists in the Sun Solaris libmle library. An application that uses the vulnerable library may be susceptible to security issues. Sun Solaris versions 2.0-2.6 and 7-8 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13755

  • 05.21.17 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris SSH IKE Information Disclosure Vulnerability
  • Description: IKE is the Internet Key Exchange daemon. Solaris IKE is reported to be vulnerable to an information disclosure issue. Sun Solaris 9 is affected by this vulnerability.
  • Ref: http://www.securityfocus.com/bid/13750

  • 05.21.18 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris XML Library Unspecified Buffer Overflow
  • Description: Sun Solaris XML library is vulnerable to an unspecified buffer overflow issue because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers. Sun Solaris 9.0 and 9.0 x86 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13748

  • 05.21.19 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris llc2 Network Driver Multicast Packet Denial of Service
  • Description: Sun Solaris llc2 network driver is susceptible to a denial of service issue when processing certain multicast network packets. This issue allows remote attackers to panic the kernel of affected computers. Please see the link below for a list of affected versions.
  • Ref: http://www.securityfocus.com/bid/13740

  • 05.21.20 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris Smart Card Lowered Security Settings
  • Description: Sun Solaris is prone to a vulnerability related to smart cards that could result in lowered security settings. This happens because entries from "pam.conf" could be removed when a smart card is enabled allowing unauthorized access. Sun Solaris version 8.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/13741

  • 05.21.21 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris Missing krb5.conf Unauthorized Login Vulnerability
  • Description: Sun Solaris is reported to be vulnerable to a vulnerability that may allow unauthorized users to log in to the computer. In particular, if the "krb5.conf" file is missing, unauthorized users can log in to the computer.
  • Ref: http://www.securityfocus.com/bid/13746

  • 05.21.22 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris DCS Denial of Service
  • Description: Solaris Domain Configuration Server (DCS) supports remote dynamic reconfiguration clients. It is vulnerable to an unspecified remote denial of service issue. Sun Solaris versions 2.8, 8 and SunOS 5.8 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13751

  • 05.21.23 - CVE: Not Available
  • Platform: Solaris
  • Title: SunOS talk.d Unspecified Security Vulnerability
  • Description: An unspecified vulnerability exists in the SunOS Talk daemon "talk.d" that is included with SunOS 5.8. The issue exists due to certain user format processing issues.
  • Ref: http://www.securityfocus.com/bid/13741

  • 05.21.24 - CVE: Not Available
  • Platform: Solaris
  • Title: SunOS LibC strfmon Unspecified Buffer Overflow
  • Description: An unspecified buffer overflow vulnerability exists in the libc "strfmon" API function call that is included with SunOS 5.9. This issue may present a security issue if a program that employs the vulnerable API call has installed setuid/setgid or if the vulnerability is related to processing of untrusted input.
  • Ref: http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-21-112874-31-1

  • 05.21.25 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris in.rshd Unauthorized Connection Vulnerability
  • Description: Sun Solaris in.rshd is affected by an unauthorized connection issue because it allows connections from unprivileged ports. This violates the privileged port authentication model for the server. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13721

  • 05.21.26 - CVE: CAN-2005-1521
  • Platform: Unix
  • Title: GNU Mailutils imap4d Remote Integer Overflow
  • Description: The GNU Mailutils imap4d server is reported to be vulnerable to an integer overflow issue. The issue presents itself when an attacker specifies the "END" parameter to be two less than the largest integer value. GNU Mailutils 0.5 and 0.6 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13763

  • 05.21.27 - CVE: CAN-2005-1520
  • Platform: Unix
  • Title: GNU Mailutils Mail Email Header Buffer Overflow
  • Description: GNU Mailutils Mail is email client software. It is vulnerable to an email header buffer overflow issue in the "header_get_field_name()" function. A malicious attacker can exploit this issue to execute arbitrary code on the affected computer with the privileges of the user who started the application. GNU Mailutils Mail versions prior to 0.6.90 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398903

  • 05.21.28 - CVE: CAN-2005-1705, CAN-2005-1704
  • Platform: Unix
  • Title: GDB Multiple Vulnerabilities
  • Description: GDB is the GNU debugger. It is vulnerable to multiple issues that can allow an attacker to execute arbitrary code to acquire elevated privileges or unauthorized access. GDB versions 6.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8611

  • 05.21.29 - CVE: CAN-2005-1543
  • Platform: Novell
  • Title: Novell ZENworks Multiple Remote Memory Corruption Vulnerabilities
  • Description: Novell ZENworks is an enterprise desktop management package. It is reported to be vulnerable to multiple remote pre-authentication memory corruption issues due to improper sanitization of user supplied input.
  • Ref: http://www.securityfocus.com/bid/13678

  • 05.21.30 - CVE: CAN-2005-1682
  • Platform: Cross Platform
  • Title: JavaMail Multiple Information Disclosure Vulnerabilities
  • Description: Sun JavaMail is an API that provides a framework to build mail and messaging applications. By requesting a directory that contains the e-mail address of the target user from the "mailboxesdir", a remote attacker may be able to retrieve arbitrary files. JavaMail versions 1.3.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13749

  • 05.21.31 - CVE: CAN-2005-1709
  • Platform: Cross Platform
  • Title: Blue Coat Reporter License HTML Injection
  • Description: Blue Coat Reporter provides identity-based reporting on Web communications. It is prone to an HTML injection vulnerability due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. An attacker could exploit this issue to control how the site is rendered to the user. Blue Coat Reporter versions 7.1.1.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398816

  • 05.21.32 - CVE: CAN-2005-1708
  • Platform: Cross Platform
  • Title: Blue Coat Reporter Remote Privilege Escalation
  • Description: Blue Coat Reporter provides identity-based reporting on web communications enabling enterprises to evaluate Web policies and manage network resources. It is reported to be vulnerable to a remote privilege escalation issue due to failure to authenticate a user prior to permitting administrator access. Blue Coat Reporter versions 7.1.1.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13723

  • 05.21.33 - CVE: CAN-2005-0036, CAN-2005-0037, CAN-2005-0038
  • Platform: Cross Platform
  • Title: Multiple Vendor DNS Message Decompression Remote Denial of Service
  • Description: Multiple DNS vendors are susceptible to a remote denial of service vulnerability. This issue affects both DNS servers and clients. DNS messages include 16-bit text portions that contain domain names. The DNS (Domain Name System) specification RFC1035 section 4.1.4 describes a way to create smaller messages that can fit into a DNS UDP packet. These smaller messages are decoded using recursive routines. An attacker can trigger the denial of service condition by specifying an illegal address once the end of the string is reached by the recursive routines. This can lead to an infinite loop and eventually exhaust memory resources.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml

  • 05.21.34 - CVE: CAN-2005-1749
  • Platform: Cross Platform
  • Title: BEA WebLogic Server and WebLogic Express Multiple Remote Vulnerabilities
  • Description: WebLogic Server and WebLogic Express are enterprise application server products. They are reported to be vulnerable to multiple denial of service, access validation, information disclosure, cross-site scripting and buffer overflow issues.
  • Ref: http://www.securityfocus.com/bid/13717/info/

  • 05.21.35 - CVE: CAN-2005-1739
  • Platform: Cross Platform
  • Title: ImageMagick And GraphicsMagick XWD Decoder Denial of Service
  • Description: ImageMagick and GraphicsMagick are image editing applications. They are vulnerable to a remote, client-side issue that could be leveraged by a remote attacker to crash the affected application. Please refer to the following link for vulnerable versions.
  • Ref: http://www.securityfocus.com/advisories/8613

  • 05.21.36 - CVE: CAN-2005-1693
  • Platform: Cross Platform
  • Title: Computer Associates Vet Library Remote Heap Overflow
  • Description: Computer Associates Vet is a library that implements an antivirus scan engine. It is used by many Computer Associates, Zonelabs, and possibly other vendors. Insufficient sanitization of parameters passed to the library exposes the application to a remote heap overflow issue.
  • Ref: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896

  • 05.21.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Picasm Error Generation Remote Buffer Overflow
  • Description: Picasm is a microchip assembler/disassembler for 12 and 14-bit PIC chips. It is reported to be vulnerable to a remote buffer overflow issue due to improper sanitization of user-supplied input. Picasm versions 1.12b and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13698

  • 05.21.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SurgeMail Multiple Cross-Site Scripting Vulnerabilities
  • Description: NetWin SurgeMail is an email server application. There are multiple unspecified cross-site scripting issues due to insufficient sanitization of user supplied input. SurgeMail 3.0c2 is vulnerable.
  • Ref: http://secunia.com/advisories/15425/
  • 05.21.40 - CVE: CAN-2005-1105
  • Platform: Cross Platform
  • Title: JavaMail API MimeMessage Information Disclosure
  • Description: Sun JavaMail is an API that provides a framework to build mail and messaging applications. The MimeMessage method in JavaMail API does not perform sufficient validation on message number values exposing it to information disclosure issues. JavaMail versions 1.3.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/398544

  • 05.21.41 - CVE: Not Available
  • Platform: Web Application
  • Title: MaxWebPortal Password.ASP SQL Injection
  • Description: MaxWebPortal is a web portal and online community system. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "memKey" parameter of the "password.asp" script before using it in an SQL query. An attacker could exploit this issue to get hold of sensitive data or modify data. MaxWebPortal versions 2.0 and earlier are vulnerable.
  • Ref: http://www.maxwebportal.com/announcements.asp#48

  • 05.21.42 - CVE: Not Available
  • Platform: Web Application
  • Title: GForge Remote Arbitrary Command Execution
  • Description: GForge is an application that allows users to browse CVS repositories via the Web. It is vulnerable to a remote command execution issue due to a failure of the application to sanitize user-supplied data passed through URI parameters. An attacker can supply arbitrary shell commands through the affected parameter to be executed in the context of the affected server. GForge versions prior to 4.0 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/398819

  • 05.21.43 - CVE: CAN-2005-1573
  • Platform: Web Application
  • Title: Active News Manager LOGIN.ASP SQL Injection
  • Description: Active News Manager is a web based forum implemented in PHP. Active News Manager is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. All versions are considered to be vulnerable.
  • Ref: http://www.under9round.com/anm.txt

  • 05.21.44 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Poll Creator Poll_Vote.PHP File Include
  • Description: PHP Poll Creator is a web-based voting script. It is vulnerable to a remote file include issue due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the web server process. PHP Poll Creator version 1.0.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398901

  • 05.21.45 - CVE: Not Available
  • Platform: Web Application
  • Title: FunkyASP AD Systems Login.ASP SQL Injection
  • Description: FunkyASP AD Systems is a set of web management scripts. Insufficient sanitization of the "password" parameter in the "login.asp" script exposes the application to an SQL injection issue. FunkyASP AD Systems version 1.1 is affected.
  • Ref: http://www.under9round.com/funky-asp.txt

  • 05.21.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Spread The Word Multiple Cross-Site Scripting Vulnerabilities
  • Description: Spread The Word is a Comersus-based book store. It is reported to be vulnerable to multiple cross-site scripting issues due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/13733

  • 05.21.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Spread The Word Multiple SQL Injection Vulnerabilities
  • Description: Spread The Word is a Comersus-based book store implemented in ASP. It is vulnerable to multiple SQL injection vulnerabilities due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. Remote attackers can exploit this issue to modify query logic or carry out other attacks. All current versions are vulnerable.
  • Ref: http://lostmon.blogspot.com/

  • 05.21.48 - CVE: CAN-2005-1750
  • Platform: Web Application
  • Title: Distinct Web Creations NewsletterEZ Login.ASP SQL Injection
  • Description: NewsletterEz is a web-based news management system. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "password" parameter of the "login.asp" script.
  • Ref: http://www.securityfocus.com/bid/13730

  • 05.21.49 - CVE: CAN-2005-1700
  • Platform: Web Application
  • Title: PostNuke Multiple Remote Input Validation Vulnerabilities
  • Description: PostNuke is a web-based content management system. It is reported to be vulnerable to SQL injection and cross-site scripting issues due to improper sanitization of user-supplied input. PostNuke version 0.760 RC3 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13706

  • 05.21.50 - CVE: CAN-2005-1701
  • Platform: Web Application
  • Title: PortailPHP ID Parameter SQL Injection
  • Description: PortailPHP is a web portal project. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "id" parameter of the "index.php" script before using it in an SQL query. This vulnerability could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
  • Ref: http://www.securityfocus.com/archive/1/398728

  • 05.21.51 - CVE: Not Available
  • Platform: Web Application
  • Title: EJ3 TOPo Multiple Index.PHP Cross-Site Scripting Vulnerabilities
  • Description: TOPo is a free TOP system written in PHP that works without a MySQL database. TOPo is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
  • Ref: http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html

  • 05.21.52 - CVE: Not Available
  • Platform: Web Application
  • Title: EJ3 TOPo Comments Multiple HTML Injection Vulnerabilities
  • Description: TOPo is a free TOP system written in PHP that works without a MySQL database. TOPo is prone to multiple HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be executed in the context of the affected web site, potentially allowing for theft of cookie-based authentication credentials.
  • Ref: http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html

  • 05.21.53 - CVE: CAN-2005-1604
  • Platform: Web Application
  • Title: PHP Advanced Transfer Manager Arbitrary File Include
  • Description: PHP Advanced Transfer Manager is an upload and download manager implemented in PHP. PHP Advanced Transfer Manager is prone to an arbitrary file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the web server process. This may facilitate unauthorized access.
  • Ref: http://www.securitytracker.com/alerts/2005/May/1014008.html

  • 05.21.54 - CVE: CAN-2005-1685
  • Platform: Web Application
  • Title: Episodex Guestbook Unauthorized Access
  • Description: Episodex Guestbook is web guestbook software. It is affected by an unauthorized access issue due to poor checks in the "admin.asp" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/398644

  • 05.21.55 - CVE: CAN-2005-1684
  • Platform: Web Application
  • Title: Episodex Guestbook HTML Injection
  • Description: Episodex Guestbook is web guestbook software. Insufficient sanitization of the "name" field exposes the application to an HTML injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/398644

  • 05.21.56 - CVE: CAN-2005-1676
  • Platform: Web Application
  • Title: Groove Mobile Workspace SharePoint Lists Arbitrary Script Injection
  • Description: Groove Virtual Office allows users to share files and manage projects. It is affected by an arbitrary script injection issue due to insufficient sanitization of SharePoint Lists. Groove Networks Workspace versions 2.5 and earlier are affected.
  • Ref: http://www.kb.cert.org/vuls/id/372618

  • 05.21.57 - CVE: CAN-2005-1737
  • Platform: Web Application
  • Title: PROMS Project Members Unauthorized Access
  • Description: PROMS is a web-based project management system implemented in PHP. PROMS is prone to an unauthorized access vulnerability. It is conjectured that an attacker can add new members to the project members list, thus permitting an escalation of privileges within the application. The vendor has addressed this issue in PROMS version 0.11.
  • Ref: http://www.electricmonk.nl/index.php?page=PROMS

  • 05.21.58 - CVE: CAN-2005-1737
  • Platform: Web Application
  • Title: PROMS Multiple HTML Injection Vulnerabilities
  • Description: PROMS is a web-based project management system. It is prone to multiple HTML injection issues due to a failure in the application to properly sanitize user-supplied input. PROMS versions 0.10 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13673/info/

  • 05.21.59 - CVE: CAN-2005-1717
  • Platform: Network Device
  • Title: Zyxel Prestige 650R-31 Router Remote Denial of Service
  • Description: The Zyxel Prestige 650R-31 router is affected by a remote denial of service issue. The router stops responding when it handles malformed IP packets. The Prestige 650R-31 router running ZyNOS firmware version 3.40 (KO.1) is affected.
  • Ref: http://www.securityfocus.com/bid/13703/info/

  • 05.21.60 - CVE: Not Available
  • Platform: Network Device
  • Title: D-Link DSL Router Authentication Bypass
  • Description: D-Link DSL routers are vulnerable to a remote authentication bypass issue. The issue presents itself when an attacker attempts to download the "config.xml" file by sending a request to "/cgi-bin/firmwarecfg". D-Link DSL-504T and DSL-G604T routers running firmware versions V1.00B02T02.EU.20040610 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/398539

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org Copyright 2005. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.