@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 22
June 2, 2005

A light week. HP Openview Radia users and some qmail users should check the applicability of the first two vulnerabilities.

Also see the note about a Google hacking class after the table of contents.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     2
    Other Microsoft Products    3
    Third Party Windows Apps    11 (#3)
    Mac Os                      2
    HP-UX                       1
    Unix                        2 (#2)
    Cross Platform              7 (#1)
    Web Application             25
    Network Device              2 (#4)
    Hardware                    1

*********************** SPONSORED LINKS *********************************
These links take you outside SANS.ORG

1) Learn more about Radware at SANSFIRE Atlanta, GA, June 14, 2005 Download DefensePro whitepaper
http://www.sans.org/info.php?id=792

2) Solve connectivity and security problems. Free Top 10 Malware Protection Techniques for Remote Access Connections.
http://www.sans.org/info.php?id=793

3) UpdateEXPERT patch management supports Microsoft, Red Hat Linux, Solaris and custom patches. FREE 15-day trial available now! http://www.sans.org/info.php?id=794
*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
HP-UX
Unix
Cross Platform
Web Application
Network Device
Hardware

******************* Google Hacking and SANS DC 2005 ********************

SANS Washington DC (July 28-August 3) has ten immersion tracks for security professionals, sysadmins, auditors, and managers, and five one-to-two day courses ranging from legal issues to worm analysis, plus a vendor expo. Attendees considering DC should also take advantage of the just announced Google Hacking course scheduled for June 23, because it is free if you are attending SANS DC.

Details on Google Hacking Course: http://www.sans.org/ghdc2005
Details on SANS DC: http://www.sans.org/washington2005/

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Other Software
  • (2) MODERATE: qmail Multiple Buffer Overflows
  • Affected:
    • qmail on 64-bit platforms with virtual memory of the order of 8GB or more.
  • Description: qmail is the second most popular SMTP server on the Internet (after sendmail). qmail reportedly contains a vulnerability in its handling of overlong command arguments; the flaw arises from a "signed integer" issue in the commands.c file. The qpopup/qpop3d POP3 server also contains a buffer overflow that can be triggered by an overlong username. The discoverer reports that the flaws can be exploited to execute arbitrary code with "root" privileges. Proof-of-concept scripts have been publicly posted. Note that the rating is "MODERATE" because only qmail installations with a very specific configuration are affected.

  • Status: qmail has not released any fixes yet.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) LOW: Nortel VPN Routers IKE DoS
  • Affected:
    • Nortel VPN Routers 1010, 1050, 1100, 600, 1600, 1700, 2600, 2700, 4500, 4600 and 5000 running software prior to version V5.05_200
  • Description: Nortel VPN routers contain a denial-of-service vulnerability that can be triggered by an IKE packet with a malformed ISAKMP protocol header. Internet Key Exchange (IKE) packets are exchanged while a VPN connection is being set up, to negotiate encryption algorithms and encryption keys. When exploited, the flaw causes the VPN router to reboot in most cases; in some cases manual intervention is needed to restart the router. Since VPN routers are typically Internet-facing and IKE uses port 500/udp, an attacker can employ spoofed packets to exploit the flaw. The discoverer has not published the exact nature of the ISAKMP header that causes the crash.

  • Status: Nortel has confirmed and released software update version 5.05_200.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
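The "signed integer" pattern behind the qmail item, as an added illustration (this is not qmail's code; CMD_LIMIT, the cmdbuf_* structs and the feed_* functions are assumed names chosen for the example): a command reader that tracks the argument length in an int accepts a multi-gigabyte chunk because the length wraps negative before the bounds check, while the same check done in size_t against the remaining room rejects it.

```c
/*
 * Illustrative signed-integer length accounting for a text-protocol command
 * reader. Added example, not qmail's code: the struct names, CMD_LIMIT and
 * the feed_* functions are assumptions chosen to show the pattern the
 * bulletin describes, i.e. an "int" length that a very large input on a
 * 64-bit host turns negative so that a bounds check passes.
 */
#include <stddef.h>
#include <stdio.h>

#define CMD_LIMIT 1024u   /* assumed cap on one command argument, in bytes */

/* Weak pattern: the fill counter is a signed int. */
struct cmdbuf_weak { int len; };

/* Hardened pattern: the fill counter has the type of the input length. */
struct cmdbuf_safe { size_t len; };

/* Ask to append n more bytes. Returns 1 if accepted, 0 if rejected. */
int feed_weak(struct cmdbuf_weak *b, size_t n)
{
    /* Converting n > INT_MAX to int is implementation-defined and wraps to a
     * negative value on common compilers, so a multi-gigabyte chunk compares
     * as "small" and passes the check; the counter then goes negative. */
    int chunk = (int)n;
    if (b->len + chunk > (int)CMD_LIMIT)
        return 0;
    b->len += chunk;
    return 1;
}

int feed_safe(struct cmdbuf_safe *b, size_t n)
{
    /* Compare n against the remaining room instead of adding first, so the
     * arithmetic itself cannot wrap; b->len <= CMD_LIMIT is an invariant. */
    if (n > CMD_LIMIT - b->len)
        return 0;
    b->len += n;
    return 1;
}

/* Convenience wrappers: does an empty buffer accept one chunk of n bytes? */
int weak_accepts(size_t n) { struct cmdbuf_weak b = {0}; return feed_weak(&b, n); }
int safe_accepts(size_t n) { struct cmdbuf_safe b = {0}; return feed_safe(&b, n); }

int main(void)
{
    /* 0xFFFFFF00 bytes is about 4 GiB, far above CMD_LIMIT, yet (int) turns it into -256. */
    size_t huge = (size_t)0xFFFFFF00u;
    printf("weak: 2000 -> %d, huge -> %d\n", weak_accepts(2000), weak_accepts(huge));
    printf("safe: 2000 -> %d, huge -> %d\n", safe_accepts(2000), safe_accepts(huge));
    return 0;
}
```

Compile with any C99 compiler and run; the weak reader rejects a 2000-byte argument but accepts the 4 GiB one, which is the defect class a review of length handling in a network daemon should look for.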
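For the Nortel item the discoverer did not publish which ISAKMP header field is malformed, so the added example below (not Nortel's code and not the discoverer's packet; the function names and the sample datagrams are constructed for this illustration) applies the generic header checks that RFC 2408 supports on every UDP/500 datagram: minimum size, major version, a Length field consistent with the datagram, and reserved flag bits clear. These are the checks a front-end parser or an IDS signature would make; they do not by themselves establish what crashed the Nortel units.

```c
/*
 * Sanity checks on an ISAKMP (IKEv1) header as defined in RFC 2408, section
 * 3.1. Added example, not Nortel's code or the discoverer's packet: the
 * bulletin does not say which header field was malformed, so these are the
 * generic checks a parser or an IDS rule can apply to every UDP/500 datagram.
 * The sample datagrams in demo_verdict() are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ISAKMP_HDR_LEN     28     /* fixed header size in octets */
#define ISAKMP_FLAGS_KNOWN 0x07   /* E, C and A bits; RFC 2408 says the rest MUST be 0 */

enum isakmp_verdict {
    ISAKMP_OK = 0,
    ISAKMP_TOO_SHORT,       /* datagram shorter than the fixed header */
    ISAKMP_BAD_VERSION,     /* major version is not 1 (IKEv1) */
    ISAKMP_BAD_LENGTH,      /* Length field disagrees with the datagram size */
    ISAKMP_RESERVED_FLAGS   /* reserved flag bits set */
};

struct isakmp_hdr {
    uint8_t  icookie[8];
    uint8_t  rcookie[8];
    uint8_t  next_payload;
    uint8_t  version;       /* major in the high nibble, minor in the low */
    uint8_t  exch_type;
    uint8_t  flags;
    uint32_t msg_id;
    uint32_t length;        /* total message length, header included */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the header into *out (if non-NULL) and return a verdict. The Length
 * check runs before anything would walk the payloads using that field. */
int isakmp_check(const uint8_t *pkt, size_t pkt_len, struct isakmp_hdr *out)
{
    struct isakmp_hdr h;

    if (pkt_len < ISAKMP_HDR_LEN)
        return ISAKMP_TOO_SHORT;

    memcpy(h.icookie, pkt, 8);
    memcpy(h.rcookie, pkt + 8, 8);
    h.next_payload = pkt[16];
    h.version      = pkt[17];
    h.exch_type    = pkt[18];
    h.flags        = pkt[19];
    h.msg_id       = be32(pkt + 20);
    h.length       = be32(pkt + 24);
    if (out)
        *out = h;

    if ((h.version >> 4) != 1)
        return ISAKMP_BAD_VERSION;
    /* A Length below the header size, or different from what was actually
     * received, is the classic trigger for over-reads in payload walkers. */
    if (h.length < ISAKMP_HDR_LEN || h.length != pkt_len)
        return ISAKMP_BAD_LENGTH;
    if (h.flags & (uint8_t)~ISAKMP_FLAGS_KNOWN)
        return ISAKMP_RESERVED_FLAGS;
    return ISAKMP_OK;
}

/* Build a header-only datagram (constructed sample) into buf[28]. */
static void build_hdr(uint8_t *buf, uint8_t version, uint8_t flags, uint32_t length)
{
    memset(buf, 0, ISAKMP_HDR_LEN);
    memset(buf, 0x11, 8);              /* non-zero initiator cookie */
    buf[16] = 1;                       /* Next Payload: Security Association */
    buf[17] = version;
    buf[18] = 2;                       /* Exchange Type: Identity Protection */
    buf[19] = flags;
    buf[24] = (uint8_t)(length >> 24);
    buf[25] = (uint8_t)(length >> 16);
    buf[26] = (uint8_t)(length >> 8);
    buf[27] = (uint8_t)length;
}

/* Scenario 0: well-formed; 1: Length claims 4 GiB; 2: reserved flag bit set;
 * 3: truncated datagram; 4: major version 2 on an IKEv1-only checker. */
int demo_verdict(int scenario)
{
    uint8_t buf[ISAKMP_HDR_LEN];
    switch (scenario) {
    case 0: build_hdr(buf, 0x10, 0x00, ISAKMP_HDR_LEN); return isakmp_check(buf, sizeof buf, NULL);
    case 1: build_hdr(buf, 0x10, 0x00, 0xFFFFFFFFu);    return isakmp_check(buf, sizeof buf, NULL);
    case 2: build_hdr(buf, 0x10, 0x80, ISAKMP_HDR_LEN); return isakmp_check(buf, sizeof buf, NULL);
    case 3: build_hdr(buf, 0x10, 0x00, ISAKMP_HDR_LEN); return isakmp_check(buf, 10, NULL);
    case 4: build_hdr(buf, 0x20, 0x00, ISAKMP_HDR_LEN); return isakmp_check(buf, sizeof buf, NULL);
    default: return -1;
    }
}

int main(void)
{
    static const char *names[] = {"ok", "too short", "bad version", "bad length", "reserved flags"};
    for (int s = 0; s < 5; s++)
        printf("scenario %d -> %s\n", s, names[demo_verdict(s)]);
    return 0;
}
```

The checker is scoped to IKEv1 (major version 1); a gateway that also speaks IKEv2 would accept major version 2 and apply the RFC 4306 header rules instead. Rejecting on Length mismatch before any payload is parsed is the single check most likely to stop a header-triggered crash of this kind.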
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 22, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4356 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.22.1 - CVE: CAN-2005-1793
  • Platform: Windows
  • Title: Windows User32.DLL Icon Handling Denial of Service
  • Description: The Microsoft "user32.dll" library is prone to a denial of service vulnerability. The issue manifests when the library handles icon (.ico) files with height and width values greater than 0xffff (65535). Software linked to the affected library will crash when a malicious icon is processed. Microsoft Windows 98SE is affected.
  • Ref: http://www.securityfocus.com/bid/13791

  • 05.22.2 - CVE: CAN-2005-1794
  • Platform: Windows
  • Title: Windows Remote Desktop Protocol Server Private Key Disclosure
  • Description: Microsoft Windows Remote Desktop Protocol is vulnerable to a private key disclosure issue. The vulnerability arises because the private key used to sign the Terminal Server public key is hardcoded in "mstlsapi.dll". A subroutine of the "TLSInit" API dynamically creates, uses and de-allocates this key. This can allow an attacker to recover the key and compute a valid signature in order to carry out man-in-the-middle attacks. All current versions of Windows are vulnerable.
  • Ref: http://www.oxid.it/downloads/rdp-gbu.pdf

  • 05.22.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Restricted Sites Malformed URI Denial of Service
  • Description: Microsoft Internet Explorer is affected by a denial of service vulnerability due to a failure in the application to handle exceptional conditions in a proper manner. This vulnerability is exposed when a user attempts to add a malformed URI to the list of restricted sites. An attacker may exploit this issue by supplying a malformed URI to a user and then enticing the user to add the URI to the list of restricted sites. A successful attack can result in a denial of service. Microsoft Internet Explorer 6 SP2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/399302

  • 05.22.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer JavaScript OnLoad Handler Denial of Service
  • Description: Microsoft Internet Explorer is affected by a denial of service condition. The application fails to handle exceptional conditions in a proper manner. An attacker may exploit this issue by enticing a user to visit a malicious site resulting in a denial of service condition in the application. Internet Explorer 6 SP2 is reported to be affected.
  • Ref: http://www.securityfocus.com/bid/13799

  • 05.22.5 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Object Embedding Denial of Service
  • Description: Microsoft Internet Explorer is vulnerable to a denial of service issue because the application does not correctly handle embedded Web pages using the HTML Object tag. Microsoft Internet Explorer version 6 SP2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/399304

  • 05.22.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Hummingbird Connectivity 10 FTP Daemon Heap Overflow
  • Description: Hummingbird Connectivity is a suite of applications for Microsoft Windows operating systems designed to provide X Windows, NFS, and other Unix services. Hummingbird Connectivity 10 FTP daemon is affected by a remote heap-based buffer overflow vulnerability. Hummingbird Connectivity versions 10.0 and earlier are known to be vulnerable.
  • Ref: http://connectivity.Hummingbird....ort/nc/exceed/ftpd_advisory.html

  • 05.22.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Hummingbird Connectivity 10 LPD Daemon Stack Overflow
  • Description: Hummingbird Connectivity is a suite of applications for Microsoft Windows operating systems designed to provide X Windows, NFS, and other Unix services. Hummingbird Connectivity 10 LPD daemon has a remote stack-based buffer overflow vulnerability. The issue manifests due to a lack of sufficient boundary checks performed on user-supplied data. With successful exploitation, an unauthenticated attacker is able to leverage this issue to obtain SYSTEM level access to a vulnerable computer. Hummingbird Connectivity versions 10.0, 9.0 and 7.1 are known to be vulnerable.
  • Ref: http://connectivity.Hummingbird.com/support/nc/exceed/lpdw_advisory.html?cks=y

  • 05.22.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FutureSoft TFTP Server 2000 Multiple Remote Vulnerabilities
  • Description: FutureSoft TFTP Server 2000 is a TFTP server. It is vulnerable to multiple security issues including buffer overflows, and directory traversal. These issues have been confirmed on TFTP Server 2000 Evaluation Version 1.0.0.1.
  • Ref: http://secunia.com/advisories/15539/

  • 05.22.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Compuware Softice DbgMsg.sys Denial Of Service
  • Description: Compuware Softice is a visual code debugger and disassembler for Microsoft Windows platforms. The Compuware Softice "DbgMsg.sys" driver is prone to a denial of service issue. Reports indicate that the issue arises because a pointer to debug strings handled by the vulnerable "DbgMsg.sys" function is not properly validated. An attacker may exploit this issue to effectively deny service to legitimate users. Versions 3.1 and 3.2 are reported to be vulnerable.
  • Ref: http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-05/0654.html

  • 05.22.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Hosting Controller User Profile Unauthorized Access
  • Description: Hosting Controller consolidates all hosting tasks into one interface. Insufficient authorization checks when granting access to the "UserProfile.asp" file expose the software to an unauthenticated access issue. Hosting Controller versions 6.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13816

  • 05.22.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ServersCheck Directory Traversal
  • Description: ServersCheck is a network monitoring tool. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied data before accessing the host computer's file system. ServersCheck versions 5.9.0 and 5.10.0 are reported to be vulnerable.
  • Ref: http://www.rgod.altervista.org/hacking/news/serverscheck.html

  • 05.22.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Firefly Studios Stronghold 2 Remote Denial of Service
  • Description: Firefly Studios Stronghold 2 is a network enabled game. Stronghold 2 is affected by a remote denial of service vulnerability. Stronghold versions 2.1.2 and earlier are known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/strong2boom-adv.txt

  • 05.22.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Hosting Controller Multiple Vulnerabilities
  • Description: Hosting Controller is an application that consolidates all hosting tasks into one interface. It is vulnerable to multiple issues that can allow an attacker to gain unauthorized access to data and carry out SQL injection attacks. Hosting Controller versions 6.1 HotFix 2.0 and earlier are affected.
  • Ref: http://www.securitytracker.com/alerts/2005/May/1014071.html

  • 05.22.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: PicoWebServer Remote Buffer Overflow
  • Description: Newmad Technologies PicoWebServer is a lightweight web server for Pocket PC. When processing a GET request, the application checks for an "0D 0A 0D 0A" byte sequence. If this sequence is encountered, the request is converted to Unicode and passed to the "swprintf()" function without bounds checks, leading to a buffer overflow. PicoWebServer version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/13807

  • 05.22.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Terminator 3: War of the Machines Remote Denial of Service
  • Description: Terminator 3: War of the Machines is a multiplayer game developed by Clever's Games. Terminator 3: War of the Machines game server is affected by a remote denial of service vulnerability. Terminator 3: War of the Machines version 1.16 is affected by this issue.
  • Ref: http://aluigi.altervista.org/adv/t3wmbof-adv.txt

  • 05.22.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailEnable Unspecified SMTP Authentication Denial of Service
  • Description: MailEnable is a commercially available mail server for the Microsoft Windows platform. It is vulnerable to an unspecified denial of service issue in its SMTP authentication handling that causes the server to crash. MailEnable Professional 1.54 and earlier and MailEnable Enterprise 1.0.4 and earlier are vulnerable.
  • Ref: http://www.mailenable.com/hotfix/

  • 05.22.17 - CVE: CAN-2005-1795
  • Platform: Mac Os
  • Title: ClamAV Mac OS X Command Execution
  • Description: Clam Anti-Virus ClamAV is a freely available, open source virus scanning utility. ClamAV running on Mac OS X is affected by a command execution vulnerability. This issue is due to an input validation error when handling specially crafted file names. This can allow an attacker to gain unauthorized access to an affected computer. ClamAV versions 0.80rc4 to 0.84rc2 are affected by this issue.
  • Ref: http://www.sentinelchicken.com/advisories/clamav/

  • 05.22.18 - CVE: CAN-2005-1408
  • Platform: Mac Os
  • Title: Apple Keynote Local File Disclosure
  • Description: Apple Keynote is presentation software. It is affected by a file disclosure issue. It is possible to read local files on the affected computer and then send their contents to an arbitrary network location. Apple has addressed the vulnerability by limiting access by Keynote to external resources, in addition to disabling the URI protocol handler.
  • Ref: http://www.securityfocus.com/bid/13771

  • 05.22.19 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX Trusted System Unauthorized Access
  • Description: HP-UX Trusted System is an HP-UX operating system. It is vulnerable to an unspecified remote unauthorized access issue. HP-UX Trusted Systems versions B.11.00, B.11.11, B.11.22, and B.11.23 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8631

  • 05.22.20 - CVE: Not Available
  • Platform: Unix
  • Title: GNU Binutils Binary File Descriptor Library Integer Overflow
  • Description: GNU Binutils is a collection of binary tools. The Binary File Descriptor Library, which is part of Binutils, is vulnerable to an integer overflow issue. An attacker could exploit this issue to run arbitrary code in the context of the vulnerable utility. GNU Binutils versions 2.16-r1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13830/info

  • 05.22.21 - CVE: CAN-2005-1523
  • Platform: Unix
  • Title: GNU Mailutils Imap4D Command Tag Remote Format String
  • Description: GNU Mailutils "imap4d" is an email daemon that allows a remote user to retrieve email using the Internet Message Access Protocol (IMAP). imap4d has a remote format string handling vulnerability. The issue manifests itself when the service handles malicious client command identifier prefixes. A successful attack may result in arbitrary code execution. GNU Mailutils versions 0.5 and 0.6 are vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=246&type=vulnerabilities

  • 05.22.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ulrich Drepper Elfutils Integer Overflow Vulnerability
  • Description: Ulrich Drepper Elfutils is a set of libraries and utilities that are designed to handle ELF objects. It is vulnerable to an integer overflow issue. An attacker could exploit this issue to execute arbitrary code in the context of the vulnerable utility. Ulrich Drepper Elfutils versions prior to 0.108 are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8647

  • 05.22.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec Brightmail AntiSpam Remote Information Disclosure
  • Description: Symantec Brightmail AntiSpam is an Anti-spam product that runs at the gateway. Symantec Brightmail AntiSpam is susceptible to a remote information disclosure vulnerability. This issue is due to a failure of the application to ensure that remote database access is properly disabled. Symantec Brightmail AntiSpam utilizes a database to store quarantined spam email messages. Before version 6.0, the database allowed remote access and contained only quarantined email. This vulnerability allows remote attackers to gain access to potentially sensitive database content.
  • Ref: http://www.securityfocus.com/bid/13828

  • 05.22.24 - CVE: CAN-2005-1796
  • Platform: Cross Platform
  • Title: Ettercap Remote Format String
  • Description: Ettercap is a multipurpose packet sniffer for Linux and BSD based systems. Ettercap is affected by a remote format string vulnerability. Ettercap versions 0.7.2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13783

  • 05.22.25 - CVE: CAN-2005-1806
  • Platform: Cross Platform
  • Title: Peercast.org PeerCast Remote Format String
  • Description: PeerCast is a streaming audio server. PeerCast is affected by a remote format string vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input data prior to using it in a formatted-printing function. The vulnerability arises when the server attempts to handle a malformed HTTP GET request. PeerCast versions 0.1211 and earlier are affected.
  • Ref: http://www.peercast.org/forum/viewtopic.php?t=2838

  • 05.22.26 - CVE: CAN-2005-1776
  • Platform: Cross Platform
  • Title: C'Nedra Network Plug-in Read_TCP_String Remote Buffer Overflow
  • Description: C'Nedra is an open source virtual reality framework. C'Nedra Network Plug-in has a remotely exploitable buffer overflow vulnerability. The issue exists due to inadequate bounds checking of user-supplied data handled by the READ_TCP_STRING() function. This could let an attacker corrupt sensitive regions of memory adjacent to the affected buffer, allowing for control of process execution flow. C'Nedra versions 0.4.0 and earlier are known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/cnedrabof-adv.txt

  • 05.22.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Advanced Encryption Standard Cache Timing Key Disclosure
  • Description: The Advanced Encryption Standard (AES) (Rijndael) is a block cipher encryption algorithm. High-speed implementations of AES are prone to a timing attack vulnerability. The attack is based on observations of the time taken to complete certain critical AES cryptographic functions (input-dependent table lookups). An attacker may exploit this issue to retrieve an entire AES secret key from a vulnerable AES implementation. Implementations based on OpenSSL versions 0.7.9 and earlier are known to be vulnerable.
  • Ref: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

  • 05.22.28 - CVE: CAN-2005-1773
  • Platform: Cross Platform
  • Title: L-Soft Listserv Multiple Unspecified Vulnerabilities
  • Description: Listserv is a publicly available multi-platform application used to manage mailing lists. It is reported vulnerable to multiple unspecified security issues. These can lead to arbitrary code execution or even denial of service attacks.
  • Ref: http://www.securityfocus.com/bid/13768/

  • 05.22.29 - CVE: CAN-2005-1800
  • Platform: Web Application
  • Title: JAWS Glossary Cross-Site Scripting
  • Description: JAWS is reported vulnerable to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. This can be used towards theft of cookie-based authentication credentials from legitimate clients. The vulnerability has been reported in versions 0.4 through 0.5.1.
  • Ref: http://secunia.com/advisories/15547/

  • 05.22.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Privilege Escalation
  • Description: Invision Power Board is web forum software. A privilege escalation issue is exposed because the application allows an attacker to simply move users, including themselves, to the root administrator group without providing sufficient authentication credentials. Invision Power Board versions 1.0 to 2.0.4 are affected.
  • Ref: http://www.securityfocus.com/bid/13797

  • 05.22.31 - CVE: CAN-2005-1782
  • Platform: Web Application
  • Title: BookReview Multiple Cross-Site Scripting Vulnerabilities
  • Description: BookReview is a web based book review forum. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting issues. BookReview version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/13783

  • 05.22.32 - CVE: Not Available
  • Platform: Web Application
  • Title: ZonGG Login.ASP SQL Injection
  • Description: ZonGG is web management software. It is vulnerable to an SQL injection issue due to insufficient sanitization of user supplied input to the "password" parameter of "login.asp" script. ZonGG version 1.2 is vulnerable.
  • Ref: http://www.under9round.com/zongg.txt

  • 05.22.33 - CVE: CAN-2005-1777, CAN-2005-1778
  • Platform: Web Application
  • Title: PostNuke SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: PostNuke is a freely available web-based content management system. It is vulnerable to SQL injection and cross-site scripting issues. These could allow compromise of the backend database, and theft of cookie-based authentication credentials from legitimate clients. PostNuke 0.750 and subsequent versions are affected by these issues.
  • Ref: http://www.securityfocus.com/bid/13789

  • 05.22.34 - CVE: CAN-2005-1787
  • Platform: Web Application
  • Title: PHPStat Setup.PHP Authentication Bypass
  • Description: phpStat is a reporting application for IM clients. It is vulnerable to an authentication bypass issue because the application permits an unauthenticated remote user to reset the administrator username and password. An attacker could exploit this vulnerability to gain administrative access to the affected application. phpStat version 1.5 is vulnerable.
  • Ref: http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt

  • 05.22.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Hosting Controller SendPassword.ASP Cross-Site Scripting
  • Description: Hosting Controller is an application that consolidates all hosting tasks into one interface. It has a cross-site scripting vulnerability. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
  • Ref: http://www.securityfocus.com/bid/13829

  • 05.22.36 - CVE: Not Available
  • Platform: Web Application
  • Title: I-Man File Attachments Arbitrary PHP Script Execution
  • Description: I-Man is a web-based application that serves as a knowledge, general information or contact database. The application fails to verify whether file attachments uploaded to the server are PHP scripts, which can allow an attacker to upload and execute a malicious PHP script. I-Man versions 0.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13831

  • 05.22.37 - CVE: Not Available
  • Platform: Web Application
  • Title: NEXTWEB (i)Site Login.ASP SQL Injection
  • Description: NEXTWEB (i)Site is a web-based content-management system implemented in ASP. It is affected by an SQL injection vulnerability. All versions of NEXTWEB (i)Site are known to be vulnerable.
  • Ref: http://www.zone-h.org/advisories/read/id=7605

  • 05.22.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Zeroboard preg_replace Remote Command Execution
  • Description: Zeroboard is a web bulletin board system. Insufficient sanitization of the data that is passed to the "preg_replace" function exposes the application to a remote command execution issue. Zeroboard versions 4.1 pl2 to 4.1 pl5 are affected.
  • Ref: http://www.securityfocus.com/bid/13823

  • 05.22.39 - CVE: Not Available
  • Platform: Web Application
  • Title: FreeStyle Wiki Attachment HTML Injection
  • Description: FreeStyle Wiki and WikiLite are wiki clones. They are vulnerable to an HTML injection vulnerability due to a failure in the applications to properly sanitize user-supplied input before using it in dynamically generated content. An attacker can exploit this issue to steal cookie-based authentication credentials or carry out other attacks. FreeStyle Wiki versions up to 3.5.7 and WikiLite versions up to 0.0.10 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13824/info

  • 05.22.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Calendarix Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: Calendarix is a web-based calendar implemented using PHP and MySQL. It is vulnerable to multiple input validation issues due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit these issues to compromise the application or steal cookie-based authentication credentials. Calendarix Advanced version 1.5.20050501 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/401195/30/0/threaded

  • 05.22.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Calendarix CalPath Remote File Include issue
  • Description: Calendarix is a web-based calendar. It is vulnerable to a remote file include issue because a remote URI can be passed in the "calpath" variable of the "admin/cal_admintop.php" script. Calendarix Advanced version 1.5.20050501 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/399489

  • 05.22.42 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: MyBB is web forum software implemented in PHP utilizing a MySQL backend. MyBB is affected by multiple cross-site scripting and SQL injection vulnerabilities. MyBB versions RC4 and earlier are known to be vulnerable.
  • Ref: http://mybboard.com/community/showthread.php?tid=2559&pid=15910#pid15910

  • 05.22.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Qualiteam X-Cart SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: X-Cart is a web-based shopping cart application. It is prone to SQL injection and cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. X-Cart version 4.0.8 is reportedly vulnerable.
  • Ref: http://www.x-cart.com/


  • 05.22.45 - CVE: Not Available
  • Platform: Web Application
  • Title: PowerDownload IncDir Remote File Include
  • Description: PowerDownload is web-based download management software, implemented in PHP utilizing a MySQL database. PowerDownload has a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the web server process. Versions 3.0.2 and 3.0.3 of the software are reported vulnerable.
  • Ref: http://www.powerscripts.org/?page=projects&projectid=6

  • 05.22.46 - CVE: Not Available
  • Platform: Web Application
  • Title: NewLife Blogger Multiple Unspecified SQL Injection Vulnerabilities
  • Description: NewLife Blogger is web-blog software. It is vulnerable to multiple SQL injection issues that could allow compromise of the remote backend database. These issues have been addressed in NewLife Blogger versions 3.3.1 and later.
  • Ref: http://secunia.com/advisories/15523/

  • 05.22.47 - CVE: Not Available
  • Platform: Web Application
  • Title: NikoSoft WebMail Unspecified Cross-Site Scripting
  • Description: NikoSoft WebMail is a web-based email application. It is reported vulnerable to an unspecified cross-site scripting issue. This could allow theft of cookie-based authentication credentials from legitimate clients. NikoSoft WebMail versions 0.10.4 and earlier are affected.
  • Ref: http://secunia.com/advisories/15518/

  • 05.22.48 - CVE: CAN-2005-1810
  • Platform: Web Application
  • Title: Wordpress Cat_ID Parameter SQL Injection
  • Description: Wordpress allows users to generate news pages and web logs dynamically. Insufficient sanitization of the "cat_id" parameter exposes the application to an SQL injection issue. WordPress versions 1.5 and 1.5.1 are affected.
  • Ref: http://www.securityfocus.com/bid/13809

  • 05.22.49 - CVE: CAN-2005-1789
  • Platform: Web Application
  • Title: India Software Solution Shopping Cart SQL Injection
  • Description: India Software Solution Shopping Cart is an e-commerce application implemented in ASP. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "password" parameter of the "shopcart/signin.asp" script before using it in an SQL query. An attacker could exploit this issue to compromise the application or to disclose or modify data. All current versions of India Software Solution Shopping Cart are vulnerable.
  • Ref: http://ir-hackers.com/indsc.txt

  • 05.22.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Unauthorized Access
  • Description: Invision Power Board is web forum software. Invision Power Board is affected by an unauthorized access vulnerability. Invision Power Board versions 1.0 to 1.3 Final are known to be vulnerable.
  • Ref: http://forums.invisionpower.com/index.php?showtopic=168016

  • 05.22.51 - CVE: CAN-2005-1637, CAN-2005-1803, CAN-2005-1804
  • Platform: Web Application
  • Title: NPDS Multiple Input Validation Vulnerabilities
  • Description: NPDS is forum software written in PHP. NPDS is affected by multiple vulnerabilities resulting from input validation errors. These issues may allow remote attackers to carry out HTML injection, cross-site scripting and SQL injection attacks. All versions of NPDS are considered vulnerable to these issues at the moment.
  • Ref: http://www.securityfocus.com/bid/13803/discuss

  • 05.22.52 - CVE: CAN-2005-1805
  • Platform: Web Application
  • Title: OS4E LOGIN.ASP SQL Injection
  • Description: os4e is a web application that allows users to create web sites. It is reported vulnerable to a SQL injection issue. This can be leveraged to compromise the remote backend database. All versions are considered to be vulnerable at the moment.
  • Ref: http://www.securityfocus.com/bid/13804/

  • 05.22.53 - CVE: CAN-2005-1807
  • Platform: Web Application
  • Title: PHPMailer Data() Function Remote Denial of Service
  • Description: PHPMailer is an email transport class. A denial of service condition is exposed when an attacker sends an email message with a header field of 998 or more characters. PHPMailer versions 1.72 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13805

  • 05.22.54 - CVE: Not Available
  • Platform: Network Device
  • Title: Nortel Networks VPN Router 600 Remote Denial of Service
  • Description: Nortel Networks VPN Router 600 is affected by a remote denial of service vulnerability. Nortel Networks VPN Router models 600, 1010, 1050, 1100, 1600, 1700, 1740, 2600, 2700, 4500, 4600, and 5000 are known to be vulnerable. Upgrade to version 5.05.200 or install a patched version of 4.76, 4.85, 4.90, or 5.00 when available.
  • Ref: http://www.nta-monitor.com/news/vpn-flaws/nortel/vpn-router-dos/

  • 05.22.55 - CVE: Not Available
  • Platform: Network Device
  • Title: Sony Ericsson P900 Beamer Denial of Service
  • Description: Sony Ericsson P900 handset is affected by a remote denial of service condition. This issue is exposed while handling certain malformed files in the Bluetooth Beamer application.
  • Ref: http://www.securityfocus.com/bid/13782

  • 05.22.56 - CVE: CAN-2005-1801
  • Platform: Hardware
  • Title: Nokia 9500 vCard Viewer Remote Denial of Service
  • Description: Nokia vCards are attachments which are used for exchanging address book information. An attacker can craft a vCard by specifying a name "N:" field that is longer than 245 characters. When the vCard viewer application handles this file it leads to a USER Panic 11 error and results in crashing the application.
  • Ref: http://www.securityfocus.com/bid/13784/info

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end== Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.