@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 23
June 9, 2005

WebSphere from IBM has a substantial vulnerability (See #1) that could cause numerous web servers to be compromised. Also, any site that has not installed the patch in Microsoft's MS04-007 (from last year) is probably being hit by the new worm described in #5 below.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    Other Microsoft Products        2 (#6)
    Third Party Windows Apps        7 (#7)
    Mac OS X                        0 (#3)
    Solaris                         1
    Irix                            1
    Cross Platform                  11 (#1, #2, #4)
    Web Application                 24 (#5)

************* This Issue Sponsored by NetIQ ************************
Sarbanes-Oxley Compliance Whitepaper

Get the best practices you require to maintain proper internal control frameworks as you strive to meet Sarbanes-Oxley requirements with NetIQ's free whitepaper, "Meeting Sarbanes-Oxley IT Control Requirements with NetIQ." You'll learn how to dramatically reduce your time and effort spent auditing, reporting on, and controlling essential areas such as policies, file access rights, provisioning and change control.

Download this FREE whitepaper now.
http://www.netiq.com/f/form/form.asp?id=2529&origin=NS_SANS_061005
*********************************************************************
Extraordinary New Security Training Programs: www.sans.org
*********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Solaris
Irix
Cross Platform
Web Application

*************************** Sponsored Links **************************

1) AirWave's RAPIDS software automatically detects unauthorized rogue wireless access points anywhere on your network. Sign up for a live demo and free evaluation copy! http://www.sans.org/info.php?id=800

2) WebInspect Product Trial: Test For 5,100 Web Application Vulnerabilities http://www.sans.org/info.php?id=801

3) SANS is happy to bring you the latest in our complimentary series of ISC Threat Update Webcasts. Join us on Thursday, June 16 at 1:00 PM as SANS presents: http://www.sans.org/info.php?id=802
*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: IBM WebSphere Administrative Console Buffer Overflow
  • Affected:
    • WebSphere version 5.0.2
  • Description: IBM WebSphere Application Server is widely used by large e-businesses to build dynamic websites. The administrative console is a web-based graphical tool that can manage a single WebSphere application server or a cluster of them. This console contains a buffer overflow that can be triggered by a specially crafted HTTP authentication request containing Unicode characters. The flaw can be exploited by an unauthenticated attacker to execute arbitrary code on the server. Note that compromising the console may lead to further compromise of the other application servers it manages.

  • Status: IBM has confirmed and released WebSphere Application Server 5.0.2 Cumulative Fix 11. A workaround is to block the ports 9080/tcp, 9090/tcp and 9043/tcp at the network perimeter. Another workaround is to disable the "global security" option as the flaw exists only when this option is enabled (not a default setting).

  • Council Site Actions: Three of the council sites are still assessing the level of exposure/threat and determining their timeframe and options for remediation. One council site is only running the affected software on internal systems and plans to deploy the patch during their next regularly scheduled system update process.

  • References:
  • (2) MODERATE: Multiple Vendor HTTP Request Smuggling
  • Affected:
    • Configurations involving a number of popular web proxy/cache servers and
    • web application firewalls
  • Description: A new attack technique named "HTTP Request Smuggling" has been reported to affect configurations that involve one or more web entities (i.e. a web proxy server, a web cache server or a web application firewall) between a user and a web server. The attack can be carried out by crafting back-to-back HTTP requests that are interpreted differently by the web entities. For example, if an HTTP request is crafted with two distinct HTTP "Content-Length" headers, the two web entities may process the same request by honoring either the first or the last "Content-Length" header. The discoverers have shown how an attacker can exploit such behaviors by crafting HTTP requests that may result in web cache poisoning, bypassing the web firewall, cross-site scripting (requiring no user interaction) or session hijacking. The vulnerable example configurations listed in the discoverers' posting include Sun ONE proxy server, Sun ONE webserver, CheckPoint Firewall, Microsoft IIS server, Microsoft ISA server, Apache, Jakarta Tomcat server, IBM WebSphere, BEA WebLogic, Oracle9iAS, Squid, Delegate and Oracle WebCache.

  • Status: Squid and CheckPoint have distributed patches. The status regarding other vendors is not currently known.

  • Council Site Actions: Two council sites are still evaluating if they are vulnerable. One site has already patched their system.

  • References:
  • (3) MODERATE: Apple Mac OS X Security Update 2005-006
  • Affected:
    • Mac OS X Client and Server version 10.4.1
  • Description: Apple has released a security update 2005-006 for Mac OS X client and server systems that fixes a number of vulnerabilities. The major flaws that can be remotely exploited to compromise Mac OS systems and have been fixed in this update are: (a) Multiple vulnerabilities in PHP prior to version 4.3.11 that can be exploited to cause a DoS or execute arbitrary code on a webserver running PHP. (b) A buffer overflow in the implementation of the Apple File Server (AFP) protocol that can be exploited to execute arbitrary code.

  • Status: Apply the Apple Security Update 2005-006.

  • References:
  • (4) MODERATE: Mozilla Browsers Frame Injection Vulnerability
  • Affected:
    • Firefox version 1.0.4
    • Mozilla version 1.7.8
  • Description: An old vulnerability has been rediscovered in the Mozilla and Firefox browsers. This vulnerability permits a malicious website to inject a "frame" into the browser window of another website. For example, the content from http://www.malicious.com can be loaded into another window displaying the content from http://www.mybank.com. The flaw can be exploited by a malicious webpage to spoof its identity as a trusted site. This may lead to stealing sensitive user information such as passwords, or further compromise of the user system. Proof-of-concept browser test tools have been publicly posted.

  • Status: Mozilla has not confirmed, no patches available.

  • References:
  • (5) UPDATE: phpBB bbcode.php Vulnerability
  • Description: The discoverers have released the complete technical details for the phpBB vulnerability discussed in a previous @RISK newsletter. The posting shows how a certain URL, for example, can be used to modify registry settings of a phpBB user, who has been enticed to click the crafted URL. The flaw can be exploited to install malware on the unsuspecting phpBB users' systems. Since there are reports that the flaw is being exploited in the wild, phpBB administrators should apply the fix on a priority basis. Please ensure that phpBB files as well as the phpBB database have been updated.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4372 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.23.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Server SecureNAT Unspecified Denial of Service
  • Description: Microsoft ISA Server 2000 has a remote unspecified denial of service vulnerability when handling SecureNAT clients. The issue presents itself when heavy traffic originating from SecureNAT clients is handled by the affected application. This vulnerability allows attackers to crash the affected firewall service, denying service to legitimate users.
  • Ref: http://www.securityfocus.com/bid/13846

  • 05.23.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Outlook Express File Extension Obfuscation
  • Description: Microsoft Outlook Express has an attachment file extension obfuscation vulnerability that may be leveraged to make the attached email message executable. This issue may lure an unsuspecting user into a false sense of security and may result in inadvertent or unintentional execution of attacker-supplied code.
  • Ref: http://www.securityfocus.com/bid/13837/

  • 05.23.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: GoodTech SMTP Denial of Service
  • Description: GoodTech Systems SMTP server is vulnerable to a denial of service issue when the application handles a specially crafted "RCPT TO" request. GoodTech SMTP Server version 5.14 is vulnerable.
  • Ref: http://secunia.com/advisories/15623/

  • 05.23.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Kaspersky Anti-Virus Klif.Sys Privilege Escalation
  • Description: Kaspersky Anti-Virus for Microsoft Windows platforms is vulnerable to a privilege escalation issue which may be exploited by an attacker to run arbitrary code in system kernel context. Kaspersky Anti-Virus versions 5.0.227, 5.0.228, and 5.0.335 when running on Microsoft Windows 2000 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/401679/30/0/threaded

  • 05.23.5 - CVE: CAN-2005-1655
  • Platform: Third Party Windows Apps
  • Title: AOL Instant Messenger Buddy Icon Remote Denial of Service
  • Description: AOL Instant Messenger is affected by a remote denial of service vulnerability. This issue is due to a lack of sanity checks performed on GIF files used for Buddy Icons. Specifically, this vulnerability presents itself in the GIF parser residing in "ateimg32.dll". AOL Instant Messenger versions 5.9.3797 and earlier are affected.
  • Ref: http://www.aim.com/index.adp

  • 05.23.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Crob FTP Server RMD Command Stack Buffer Overflow
  • Description: Crob FTP Server is a commercially available file transfer utility developed for the Windows platform. It is vulnerable to a remote stack buffer overflow issue when handling the RMD FTP command. A remote attacker can exploit this issue to execute arbitrary machine code in the context of the affected server process. Crob FTP Server versions 3.6.1 and earlier are vulnerable.
  • Ref: http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-06

  • 05.23.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Crob FTP Server Remote Heap Buffer Overflow
  • Description: Crob FTP Server is a file transfer utility. Insufficient sanitization of the "?" and "*" characters in the LIST or NLST command exposes the application to a heap overflow issue. Crob FTP Server version 3.6.1 is affected.
  • Ref: http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-06

  • 05.23.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SPA-PRO Mail @Solomon IMAP Server Multiple Directory Traversal Vulnerabilities
  • Description: SPA-PRO Mail @Solomon IMAP Server is an IMAP4 server for Microsoft Windows operating systems. It is vulnerable to directory traversal issues in multiple IMAP commands due to a failure of the application to properly sanitize user-supplied input. Remote attackers may exploit these issues to read, modify, or destroy other users' mail and to carry out other attacks. SPA-PRO mail servers earlier than 4.0.5 are vulnerable.
  • Ref: http://www.security.org.sg/vuln/spa-promail4.html

  • 05.23.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SPA-PRO Mail @Solomon IMAP Server Buffer Overflow
  • Description: SPA-PRO Mail @Solomon IMAP Server is an IMAP4 server. When an overly long argument is passed to the IMAP CREATE command the application crashes due to a buffer overflow issue. SPA-PRO Mail @Solomon version 4.0.5 has been released to fix this issue.
  • Ref: http://www.security.org.sg/vuln/spa-promail4.html

  • 05.23.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun One Application Server File Disclosure
  • Description: Sun One Application Server is an application server and is vulnerable to an undisclosed file disclosure vulnerability. Sun ONE Application Server versions 6.5 SP1 MU6 and earlier are reported to be vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101690-1

  • 05.23.11 - CVE: CAN-2005-0139, CAN-2005-0138
  • Platform: Irix
  • Title: SGI IRIX RPC.MountD Mount Unspecified File Access
  • Description: SGI IRIX is susceptible to an unspecified file access vulnerability. This issue is due to a failure of the NFS server to properly enforce privileges on client computers. This issue allows client computers to gain access beyond that which the administrator has allowed. In certain unspecified circumstances, NFS clients may gain inappropriate read-write access to files contained in read-mostly network shares. SGI IRIX versions 6.5.25 through 6.5.27 are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8660

  • 05.23.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ObjectWeb Consortium C-JDBC Query Result Cache Disclosure
  • Description: ObjectWeb Consortium C-JDBC is a middleware application that allows a Java application to access a cluster of databases through JDBC. C-JDBC is affected by an information disclosure vulnerability. C-JDBC versions 1.3 and earlier are known to be vulnerable.
  • Ref: http://forge.objectweb.org/forum/forum.php?forum_id=790

  • 05.23.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: C.J. Steele Tattle Remote Command Execution
  • Description: C.J. Steele Tattle is a Perl script that parses sshd logs. It is affected by a remote command execution vulnerability. Insufficient sanitization of the "|" characters in the "getemails" subroutine allows execution of attacker supplied commands. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13883

  • 05.23.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Multiple HTTP Request Smuggling
  • Description: Multiple vendors are prone to a new class of attack named "HTTP Request Smuggling". This class of attack revolves around piggybacking an HTTP request inside another HTTP request. By leveraging failures to implement the HTTP/1.1 RFC properly, it has been demonstrated that this class of attack may result in cache poisoning, cross-site scripting, session hijacking and other attacks. Reports indicate that Microsoft IIS 5.0 is affected.
  • Ref: http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
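The following is an added example, not code from this newsletter, from Watchfire or from any of the vendors named above. It illustrates the framing disagreement described in Part I item (2) and in entry 05.23.14: two devices in the request path receive the same bytes, but one honours the first Content-Length header and the other the last, so they disagree on how many requests the stream contains. The parser below takes the defensive option of refusing to guess; it also rejects the related case (a Content-Length alongside a Transfer-Encoding header) that the same RFC ambiguity covers. The sample requests, host names and paths are constructed for this example.

```python
"""Strict HTTP/1.1 request framing as a defence against request smuggling.

Added example; not code from the @RISK newsletter or from Watchfire.
The sample requests below are constructed for illustration.
"""
import re


class AmbiguousFraming(ValueError):
    """The body length cannot be determined without guessing."""


def _decode_chunked(data):
    """Decode a chunked body; return (body, remaining_stream)."""
    body = bytearray()
    pos = 0
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete chunk-size line")
        size_field = data[pos:line_end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError("malformed chunk size")
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:  # last chunk: optional trailers, then an empty line
            if data[pos:pos + 2] == b"\r\n":
                return bytes(body), data[pos + 2:]
            trailer_end = data.find(b"\r\n\r\n", pos)
            if trailer_end < 0:
                raise ValueError("incomplete trailer section")
            return bytes(body), data[trailer_end + 4:]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("incomplete or malformed chunk")
        body += data[pos:pos + size]
        pos += size + 2


def parse_request(stream, policy="strict"):
    """Parse one request from the front of `stream`.

    Returns (method, target, headers, body, rest).  policy="strict" (the
    defensive setting) raises AmbiguousFraming instead of guessing;
    policy="first" / "last" mimic lenient devices that honour the first or
    the last of several differing Content-Length headers.
    """
    head_end = stream.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("incomplete request head")
    lines = stream[:head_end].decode("iso-8859-1").split("\r\n")
    rest = stream[head_end + 4:]
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Folded lines and whitespace around the field name are classic
        # sources of disagreement between parsers, so they are rejected.
        if not sep or not name or name != name.strip():
            raise AmbiguousFraming("malformed or folded header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v.lower() for n, v in headers if n == "transfer-encoding"]

    if cl_values and te_values:
        raise AmbiguousFraming("Content-Length and Transfer-Encoding both present")
    if te_values:
        if te_values != ["chunked"]:
            raise AmbiguousFraming("unsupported Transfer-Encoding: %r" % te_values)
        body, rest = _decode_chunked(rest)
    elif cl_values:
        if len(set(cl_values)) > 1 and policy == "strict":
            raise AmbiguousFraming("conflicting Content-Length values: %r" % cl_values)
        chosen = cl_values[0] if policy == "first" else cl_values[-1]
        if not re.fullmatch(r"[0-9]+", chosen):
            raise AmbiguousFraming("non-numeric Content-Length: %r" % chosen)
        length = int(chosen)
        if len(rest) < length:
            raise ValueError("incomplete body")
        body, rest = rest[:length], rest[length:]
    else:
        body = b""
    return method, target, headers, body, rest


def split_requests(stream, policy="strict"):
    """Split a pipelined byte stream into (method, target, body) tuples."""
    found = []
    while stream:
        method, target, _headers, body, stream = parse_request(stream, policy)
        found.append((method, target, body))
    return found


# Constructed sample: one request head carrying two different
# Content-Length headers, the case the advisory describes.
SECOND = b"GET /second HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
DOUBLE_CL = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: " + str(len(SECOND)).encode() + b"\r\n"
    b"\r\n"
) + SECOND


def disagreement(stream=DOUBLE_CL):
    """How many requests two lenient devices would each see in `stream`."""
    return {"first": len(split_requests(stream, "first")),
            "last": len(split_requests(stream, "last"))}


def strict_rejects(stream=DOUBLE_CL):
    """True if the strict parser refuses to frame `stream`."""
    try:
        split_requests(stream, "strict")
    except AmbiguousFraming:
        return True
    return False


if __name__ == "__main__":
    print("lenient devices see:", disagreement())  # first=2, last=1
    print("strict parser rejects:", strict_rejects())
```

Run as a script, the sample shows a "first" device seeing two requests where a "last" device sees one, which is exactly the gap an intermediary and an origin server must not have between them; the strict policy closes it by returning an error for the whole connection rather than picking a header. An intermediary that normalises requests in this way (one Content-Length, no folding, chunked never combined with a length) gives the devices behind it nothing to disagree about.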

  • 05.23.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: YaPiG Remote and Local File Include
  • Description: Yet Another PHP Image Gallery (YaPiG) is an image gallery Web application written in PHP. YaPiG is affected by remote and local file include vulnerabilities. YaPiG versions 0.94u and earlier are known to be vulnerable.
  • Ref: http://secwatch.org/advisories/secwatch/20050530_yapig.txt

  • 05.23.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LPanel Multiple Input Validation Vulnerabilities
  • Description: LPanel is a multi-platform web hosting control panel. It is vulnerable to multiple input validation issues which can be exploited by an attacker to cause HTML injection or change DNS values for target domains. LPanel versions 1.59 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13869/info

  • 05.23.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FlexCast Audio Video Streaming Server Unspecified Vulnerability
  • Description: FlexCast Audio Video Streaming Server is a media streaming server. It has an unspecified vulnerability in terminal authentication. The vendor has addressed this issue in version 2.0.
  • Ref: http://freshmeat.net/projects/flexcast/?branch_id=35817&release_id=196787

  • 05.23.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Rakkarsoft RakNet Remote Denial of Service
  • Description: Rakkarsoft RakNet is a network library designed to be used with online games. It is vulnerable to a remote denial of service issue due to a failure in the application to handle exceptional conditions. RakNet versions 2.33 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13862/info

  • 05.23.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sawmill Unspecified Privilege Escalation
  • Description: Sawmill is a log file analysis application. It is vulnerable to an unspecified remote privilege escalation issue. This issue is likely due to a failure in the application to properly sanitize user-supplied input. Sawmill versions 7.1.5 and earlier are vulnerable.
  • Ref: http://www.sawmill.net/version_history7.html

  • 05.23.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Dzip Remote Directory Traversal
  • Description: Dzip is affected by a directory traversal vulnerability that can allow the attacker to place potentially malicious files in arbitrary locations. Dzip versions 2.9 and earlier versions are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8652

  • 05.23.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Drupal Unspecified Privilege Escalation
  • Description: Drupal is an open-source content management system. Drupal is affected by an unspecified privilege escalation vulnerability. Drupal versions 4.6.0 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13852/info

  • 05.23.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SIG Bluetooth Protocol Device Pairing Process Vulnerability
  • Description: Bluetooth is an open protocol specification for wireless short-range communications. The protocol is affected by a device pairing process issue. It allows a malicious third party device to force device pairing in order to determine a valid link key and in turn launch attacks designed to crack a target PIN (Personal Identification Number). All current versions are affected.
  • Ref: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/

  • 05.23.23 - CVE: Not Available
  • Platform: Web Application
  • Title: info2html Unspecified Cross-Site/Cross-Frame Scripting
  • Description: info2html is a Perl script that translates info nodes from an info file to HTML. It is vulnerable to multiple cross-site/cross-frame scripting issues due to a failure in the application to sanitize user-supplied data. An attacker might exploit this issue to steal cookie-based authentication credentials or carry out other attacks. All versions of info2html are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8657

  • 05.23.24 - CVE: Not Available
  • Platform: Web Application
  • Title: Mortiforo Unauthorized Access Issue
  • Description: Mortiforo is a web based forum implemented in Java. It is vulnerable to an unauthorized access issue due to an access validation error which allows a remote attacker to access private forums without providing proper authentication credentials. Mortiforo version 0.9 is vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2005/Jun/1014120.html

  • 05.23.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Early Impact ProductCart Multiple SQL Injection Vulnerabilities
  • Description: ProductCart is web shopping cart software implemented in ASP. ProductCart is affected by multiple SQL injection vulnerabilities. ProductCart versions 2.7 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13881/info

  • 05.23.26 - CVE: Not Available
  • Platform: Web Application
  • Title: FlatNuke Multiple Input Validation Vulnerabilities
  • Description: FlatNuke is a content management system. It has multiple input validation issues including cross-site scripting, remote PHP code execution, and information disclosure issues. An attacker may leverage these issues to execute arbitrary PHP code, execute client-side script code in the browsers of unsuspecting users through cross-site scripting attacks, and gain access to sensitive information.
  • Ref: http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt

  • 05.23.27 - CVE: Not Available
  • Platform: Web Application
  • Title: YaPiG View.PHP Multiple HTML Injection Vulnerabilities
  • Description: Yet Another PHP Image Gallery (YaPiG) is an image gallery web application. It has multiple HTML injection issues that can be used to execute arbitrary script code in legitimate client browsers. These issues are reported to affect YaPiG versions 0.92b, 0.93u and 0.94u.
  • Ref: http://secwatch.org/advisories/secwatch/20050530_yapig.txt

  • 05.23.28 - CVE: Not Available
  • Platform: Web Application
  • Title: YaPiG View.PHP Cross-Site Scripting
  • Description: Yet Another PHP Image Gallery (YaPiG) is an image gallery web application. Insufficient sanitization of the "phid" parameter of the "view.php" script exposes the application to a cross site scripting issue. YaPiG versions 0.92b, 0.93u and 0.94u are affected.
  • Ref: http://www.securityfocus.com/bid/13875

  • 05.23.29 - CVE: Not Available
  • Platform: Web Application
  • Title: YaPiG Upload.PHP Directory Traversal
  • Description: Yet Another PHP Image Gallery (YaPiG) is an image gallery web application. It is vulnerable to a directory traversal issue due to a failure in the application to properly sanitize user-supplied input. YaPiG versions 0.94u and earlier are vulnerable.
  • Ref: http://secwatch.org/advisories/secwatch/20050530_yapig.txt

  • 05.23.30 - CVE: Not Available
  • Platform: Web Application
  • Title: YaPiG Upload.PHP Remote Arbitrary File Upload Vulnerability
  • Description: Yet Another PHP Image Gallery (YaPiG) is an image gallery web application. It has a remote arbitrary file upload vulnerability. This issue can ultimately facilitate unauthorized access in the context of the Web server. This issue is reported to affect YaPiG versions 0.92b, 0.93u and 0.94u.
  • Ref: http://secwatch.org/advisories/secwatch/20050530_yapig.txt

  • 05.23.31 - CVE: CAN-2005-1824
  • Platform: Web Application
  • Title: GNU Mailutils Authentication Module SQL Injection
  • Description: GNU Mailutils is a collection of mail-related utilities. Insufficient sanitization of the "" character in the "sql_escape_string" function exposes the application to an SQL injection issue.
  • Ref: http://www.securityfocus.com/advisories/8653

  • 05.23.32 - CVE: Not Available
  • Platform: Web Application
  • Title: WWWeb Concepts Events System LOGIN.ASP SQL Injection
  • Description: WWWeb Concepts Events System is a web-based control panel for managing web sites. Insufficient sanitization of the "Password" parameter of the "login.asp" script exposes the application to an SQL injection issue. WWWeb Concepts Events System version 1.0 is affected.
  • Ref: http://www.under9round.com/wecs.txt

  • 05.23.33 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki Page Template HTML Injection
  • Description: MediaWiki is a wiki engine designed to run Wikipedia. It is freely available under the GNU public license. MediaWiki is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.
  • Ref: http://wikipedia.sourceforge.net/

  • 05.23.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Sawmill Add User Cross-Site Scripting
  • Description: Sawmill is a log file analysis application with a web enabled interface and utilizes a MySQL database backend. Sawmill is affected by a cross-site scripting vulnerability. Sawmill versions 7.1.5 and earlier are known to be vulnerable.
  • Ref: http://www.sawmill.net/version_history7.html

  • 05.23.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Sawmill License Key Cross-Site Scripting
  • Description: Sawmill is a log file analysis application with a web enabled interface and utilizes a MySQL database backend. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input of a "license key" in the Licensing page. Versions 7.0.x, 7.1.1, 7.1.2, 7.1.3, 7.1.4 and 7.1.5 are vulnerable.
  • Ref: http://www.sawmill.net/version_history7.html

  • 05.23.36 - CVE: Not Available
  • Platform: Web Application
  • Title: LiteWeb Server Authentication Bypass
  • Description: Perception LiteWeb Server is a web server. It is vulnerable to an authentication bypass issue due to insufficient sanitization of slash "/" characters. Perception LiteWeb Server version 2.5 is vulnerable.
  • Ref: http://securitytracker.com/alerts/2005/Jun/1014096.html

  • 05.23.37 - CVE: Not Available
  • Platform: Web Application
  • Title: MWChat Start_Lobby.PHP Remote File Include
  • Description: MWChat is a web-based chat system implemented in PHP. MWChat is affected by a remote file include vulnerability. An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the web server process.
  • Ref: http://www.defacers.com.mx/advisories/4.txt

  • 05.23.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Popper Webmail ChildWindow.Inc.PHP Remote File Include
  • Description: Popper is a webmail client. Popper is affected by a remote file include vulnerability. An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0026.html

  • 05.23.39 - CVE: Not Available
  • Platform: Web Application
  • Title: MSN iLoveMessenger Cross-Site Scripting
  • Description: ilovemessenger, located at MSN.com, is a web repository for MSN Messenger related tools and accessories. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "mkt" parameter. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks.
  • Ref: http://www.net-force.nl/files/articles/hotmail_xss/

  • 05.23.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Liberum Help Desk CastNewPost.ASP Multiple HTML Injection Vulnerabilities
  • Description: Liberum Help Desk is a web interface for managing and tracking technical support problems. Insufficient sanitization of user supplied input in the astNewPost.ASP file exposes the application to multiple HTML injection issues. Liberum Help Desk version 0.97.3 is affected.
  • Ref: http://www.securityfocus.com/bid/13840/info

  • 05.23.41 - CVE: CAN-2005-1838, CAN-2005-1839
  • Platform: Web Application
  • Title: Liberum Help Desk Multiple SQL Injection Vulnerabilities
  • Description: Liberum Help Desk manages and tracks support problems. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user supplied input to the "id" parameter of "view.asp" and "print.asp", and the "edit" parameter of the "register.php" script. Liberum Help Desk version 0.97.3 is vulnerable.
  • Ref: http://echo.or.id/adv/adv14-theday-2005.txt

  • 05.23.42 - CVE: Not Available
  • Platform: Web Application
  • Title: phpCMS Parser.PHP File Disclosure
  • Description: phpCMS is a freely available, open source PHP-based web content management system. phpCMS is affected by a file disclosure vulnerability. phpCMS versions 1.2.1 pl1 and earlier are known to be vulnerable.
  • Ref: http://www.phpcms.de/download/index.en.html

  • 05.23.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Exhibit Engine List.PHP SQL Injection
  • Description: Exhibit Engine is an online photo gallery application written in PHP. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "$search_row", "$sort_row", "$order", and "$perpage" parameters before using the input in SQL queries. Exhibit Engine versions 1.22 and 1.54 are vulnerable.
  • Ref: http://photography-on-the.net/ee/

  • 05.23.44 - CVE: Not Available
  • Platform: Web Application
  • Title: phpThumb Arbitrary File Information Disclosure
  • Description: phpThumb is a web application for automatically creating thumbnails. Insufficient sanitization of the "src" parameter of the "phpThumb.php" script exposes the application to an information disclosure issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/13842/info

  • 05.23.45 - CVE: Not Available
  • Platform: Web Application
  • Title: JiRo's Upload System SQL Injection
  • Description: JiRo's Upload System is a web-based file upload system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "password" parameter of the "login.asp" script. JiRo's Upload System version 1.0 is vulnerable.
  • Ref: http://www.under9round.com/jus.txt

  • 05.23.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Livingcolor Livingmailing LOGIN.ASP SQL Injection
  • Description: Livingcolor Livingmailing is a web-based application implemented in ASP. Livingmailing is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "Password" parameter of the "login.asp" script before using it in an SQL query. Livingmailing version 1.3 is vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2005/Jun/1014087.html

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end== Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org Copyright 2005. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.