@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 24
June 17, 2005

Microsoft Windows users have a huge load of work to do to block attacks using any of the first eight items. So far this year, Microsoft has issued a very large security bulletin every other month with a lighter one issued in between. June is one of the heavy months. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    Windows                      4 (#2, #3, #6, #8)
    Other Microsoft Products     8 (#1, #4, #5, #7)
    Third Party Windows Apps     2 (#9)
    Mac Os                       1
    Linux                        4
    UNIX                         1
    Cross Platform               9 (#10)
    Web Application              17
    Network Device               1

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Unix
Cross Platform
Web Application
Network Device

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Microsoft Internet Explorer Cumulative Update (MS05-025)
  • Affected:
    • Internet Explorer version 5.01 SP3/SP4
    • Internet Explorer version 5.5 SP2
    • Internet Explorer version 6.0 and SP1
    • Windows 98/ME/SE/2000 SP3 and SP4/XP SP1 and SP2/2003 including SP1
  • Description: Microsoft has released a cumulative security update for Internet Explorer, MS05-025, which replaces the previously released update MS05-020. This update fixes the following vulnerabilities: (a) Portable Network Graphics (PNG) is an image format used as an alternative to GIF. A PNG image consists of a PNG header followed by a sequence of "chunks" (the PNG specification defines 18 such chunk types). Microsoft's PNG library contains a heap-based buffer overflow that can be triggered by a PNG image with a certain large chunk size. This library is used by Internet Explorer to display PNG images; hence, a webpage displaying a crafted PNG file can exploit this overflow to execute arbitrary code on a client system. (b) A vulnerability in Internet Explorer can be exploited by a malicious webpage to read local or non-local XML files, potentially providing the attacker with sensitive information. The vulnerability is a variation of the one patched by MS02-047. Proof-of-concept exploit code is publicly available for the older vulnerability. (c) The update also sets the kill bit for older versions of the DigWebX ActiveX control, as it reportedly contains a yet undisclosed vulnerability.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS05-025.

  • Council Site Actions: All council sites plan to deploy this patch, either during their next regularly scheduled system update process or within the next week.

  • References:
  • (3) HIGH: Windows SMB Protocol Processing Overflow (MS05-027)
  • Affected:
    • Windows 2000 SP3 and SP4/XP SP1 and SP2/2003 including SP1
  • Description: Server Message Block (SMB) protocol is used by Windows to share files and printers and to communicate between computers. The server implementation of the protocol contains a heap-based buffer overflow. An anonymous user can exploit this flaw by sending specially crafted SMB messages to execute arbitrary code with kernel privileges. The technical details required to leverage this flaw have not been posted yet. Note that exploiting the flaw to execute arbitrary code is reportedly challenging as it involves kernel shell code.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS05-026. To prevent exploitation from the Internet, block ports 139/tcp and 445/tcp at the firewall.

  • Council Site Actions: Most of the council sites plan to deploy this patch, either during their next regularly scheduled system update process or within the next week.

  • References:
  • (4) MODERATE: Microsoft Outlook NNTP LIST Command Response Overflow (MS05-030)
  • Affected:
    • Outlook Express version 5.5 SP2/SP3
    • Outlook Express version 6.0 and SP1
    • Windows 98/ME/SE/2000 SP3 and SP4/XP SP1/2003
  • Description: Microsoft Outlook Express can be used as the default newsgroup reader. In this configuration, an attacker can trigger a stack-based buffer overflow in Outlook Express by sending a specially crafted response to the NNTP LIST command. Specifically, sending an overlong string for the "last known article" number triggers the overflow, which can be exploited to execute arbitrary code with the privileges of the logged-on user. To conduct this attack, an attacker can entice a victim to connect to his NNTP server via a "news://" URL (in a webpage or an HTML email). However, the victim would need to accept the NNTP server listing prior to successful exploitation.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS05-030.

  • Council Site Actions: All council sites plan to deploy this patch, either during their next regularly scheduled system update process or within the next week. One site commented they block NNTP at their network perimeter and they have disabled MSOE in their standards desktop build. Another site commented that their implementation of Cisco Security Agent will detect and stop any attempt to exploit these vulnerabilities.

  • References:
  • (5) MODERATE: Microsoft Step-by-Step Interactive Training Buffer Overflow (MS05-031)
  • Affected:
    • Windows 98/ME/SE/2000 SP3 and SP4/XP SP1 and SP2/2003 including SP1 with Step-by-Step Training Software installed
  • Description: Microsoft Step-by-Step Interactive Training software is used for interactive training provided by Microsoft Press and other vendors. This software gives the user the ability to bookmark a training topic. The bookmark file is a text file with a ".cbo", ".cbm" or ".cbl" extension. The Interactive Training software contains a stack-based buffer overflow that can be triggered by a bookmark file with an overlong "USER" parameter. A malicious webpage or an HTML e-mail containing a malicious bookmark file can exploit this overflow to execute arbitrary code on a client system with the privileges of the logged-on user. Note that Internet Explorer can automatically open the Interactive Training bookmark file, i.e. no user interaction is required to leverage the flaw on systems with the Interactive Training program installed. The iDefense advisory shows how to craft a malicious bookmark file.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS05-031. Note that this software is not installed by default on most systems, which reduces the risk for this vulnerability.

  • Council Site Actions: Several reporting council sites plan to deploy this patch during their next regularly scheduled system update process.

  • References:
  • (6) MODERATE: Microsoft Agent Content Spoofing Vulnerability (MS05-032)
  • Affected:
    • Windows 98/ME/SE/2000 SP3 and SP4/XP SP1 and SP2/2003 including SP1
  • Description: Microsoft Agent is a software technology that provides an enhanced user interface for applications and web pages with interactive animated characters. A malicious webpage can use the Microsoft Agent ActiveX control to hide security warnings such as the file download prompts, which may lead to installing malicious code on the client systems. Note that the ActiveX control need not be pre-installed on the systems to exploit this flaw; the attacker's page can lead to its installation.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS05-032.

  • Council Site Actions: Several reporting council sites plan to deploy this patch during their next regularly scheduled system update process.

  • References:
  • (7) MODERATE: Microsoft ISA Server Cumulative Update (MS05-034)
  • Affected:
    • ISA Server 2000 SP2
    • Small Business Server 2000/2003
  • Description: Microsoft's ISA Server is vulnerable to the "HTTP Request Smuggling" attacks described in the last issue of the @RISK newsletter. Such attacks can lead to web cache poisoning of the ISA Server or to cross-site scripting attacks. Proof-of-concept examples for carrying out such attacks have also been posted.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS05-034. Note that there is no workaround for this vulnerability.

  • Council Site Actions: Only a few council sites are using the affected software. They plan to deploy the patch during their next regularly scheduled system update process.

  • References:
  • (8) MODERATE: Microsoft Web Client Service Remote Code Execution (MS05-029)
  • Affected:
    • Windows XP SP1/2003
  • Description: The Web Client Service on Windows XP/2003 systems allows users to create and modify files on web servers via the WebDAV protocol. This service contains a flaw that can be exploited by authenticated users to execute arbitrary code. Note that this service is enabled by default on Windows XP, and if "Guest" access is enabled the flaw can be exploited by any user. No technical details regarding how to trigger the vulnerability have been disclosed yet. Note that the service can also be reached via the "DAV RPC SERVICE" named pipe on ports 139/tcp and 445/tcp.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS05-028. Block ports 139/tcp and 445/tcp to prevent RPC accesses to this service.

  • Council Site Actions: Only a few council sites are using the affected software. They plan to deploy the patch during their next regularly scheduled system update process.

  • References:
  • (9) MODERATE: Adobe License Management Service Buffer Overflow
  • Affected:
    • The following products on the Windows platform:
    • Adobe PhotoShop CS
    • Adobe Creative Suite version 1.0
    • Adobe Premiere version 1.5
  • Description: The Adobe License Management service is installed with certain Adobe products that require product activation. This service contains a buffer overflow that can be exploited to execute arbitrary code with "SYSTEM" privileges. No further technical details about the flaw have been posted yet.

  • Status: Adobe has released an update for the License Management Service for the affected products.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (10) MODERATE: Sun Java Web Start and JRE Security Bypass
  • Affected:
    • Java Web Start in J2SE 5.0 and Update 1 for Windows/Linux/Solaris
    • J2SE version 1.4.2_07 and earlier for Windows/Linux/Solaris
  • Description: Java Web Start technology is designed for easy deployment of Java-based applications to client desktops. The technology is based on the Java Network Launching Protocol and API (JNLP). The JNLP file on a client describes how to download and launch an application. From the workarounds Sun has posted, it appears that a crafted JNLP file may be used to turn off the "sandbox" restrictions for Java applets. This, in turn, may be used to launch malicious applets that download malware to the client system. Sun JRE is also reported to contain a vulnerability that may allow an untrusted applet to elevate privileges. No technical details have been posted about either flaw.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary. One site said their Sun Java environment is updated on a regular basis to the latest version as part of their standard imaging and maintenance cycle.

  • References:
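Item (1) above turns on one fact about the PNG container: every chunk carries its own 4-byte length field, and a decoder that trusts that field when sizing a heap buffer is exactly the bug class MS05-025 fixes. The following is an added example written for this digest, not code from the newsletter or from Microsoft's PNG library: a chunk walker of the kind a mail gateway or content scanner would run, which checks each declared length against the specification's ceiling and against the bytes actually present before any payload is touched. The function names (`iter_chunks`, `check_png`, `make_chunk`) and the sample PNG bytes are constructed for the example.

```python
"""Validate the chunk layout of a PNG file before handing it to a decoder.

Added example for this digest; not code from the newsletter or from any
vendor's PNG library.  The sample images below are constructed inline so
the script runs offline.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# The PNG specification limits a chunk's length field to 2**31 - 1.
PNG_MAX_CHUNK_LENGTH = 2**31 - 1


class PngChunkError(ValueError):
    """Raised when the chunk sequence is malformed or inconsistent."""


def iter_chunks(data, max_chunk_length=PNG_MAX_CHUNK_LENGTH):
    """Yield (chunk_type, payload) for each chunk in ``data``.

    Every declared length is checked against the spec limit and against the
    bytes that remain in the buffer *before* the payload is sliced, so an
    oversized length field can never drive an allocation or a copy.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise PngChunkError("missing PNG signature")
    offset = len(PNG_SIGNATURE)
    while offset < len(data):
        if len(data) - offset < 8:
            raise PngChunkError("truncated chunk header at offset %d" % offset)
        (length,) = struct.unpack(">I", data[offset:offset + 4])
        ctype = data[offset + 4:offset + 8]
        if length > max_chunk_length:
            raise PngChunkError(
                "chunk %r declares length %d above the limit" % (ctype, length))
        # Remaining bytes after the 8-byte header must cover payload + 4-byte CRC.
        remaining = len(data) - offset - 12
        if length > remaining:
            raise PngChunkError(
                "chunk %r declares %d bytes but only %d remain" % (ctype, length, remaining))
        payload = data[offset + 8:offset + 8 + length]
        (crc,) = struct.unpack(">I", data[offset + 8 + length:offset + 12 + length])
        if crc != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            raise PngChunkError("bad CRC on chunk %r" % ctype)
        yield ctype, payload
        offset += 12 + length
        if ctype == b"IEND":
            break


def check_png(data):
    """Return (ok, message) so a scanner or gateway can log a verdict."""
    try:
        types = [ctype.decode("ascii") for ctype, _ in iter_chunks(data)]
    except PngChunkError as exc:
        return False, str(exc)
    if not types or types[0] != "IHDR" or types[-1] != "IEND":
        return False, "chunk sequence must start with IHDR and end with IEND"
    return True, "ok: " + " ".join(types)


def make_chunk(ctype, payload):
    """Build one well-formed chunk (length, type, payload, CRC)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a minimal 1x1 8-bit greyscale image with no pixel data.
IHDR_PAYLOAD = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD_PNG = PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_PAYLOAD) + make_chunk(b"IEND", b"")
# Same bytes, but the IHDR length field rewritten to a value the buffer cannot hold.
OVERSIZED_PNG = GOOD_PNG[:8] + struct.pack(">I", 0x7FFFFFF0) + GOOD_PNG[12:]
# Same bytes, but the length field above the specification's own ceiling.
OVERLIMIT_PNG = GOOD_PNG[:8] + struct.pack(">I", 0xFFFFFFFF) + GOOD_PNG[12:]

if __name__ == "__main__":
    for name, sample in (("good", GOOD_PNG), ("oversized", OVERSIZED_PNG),
                         ("over-limit", OVERLIMIT_PNG)):
        print(name, check_png(sample))
```

The order of the two length checks matters: the spec-limit test rejects values that would wrap or go negative in a 32-bit signed decoder, and the remaining-bytes test catches the case the bulletin describes, a length that is legal on paper but larger than the data that follows it.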
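Item (7) above and entry 05.24.11 in Part II describe the ISA Server flaw as a failure to handle requests carrying multiple "Content-Length" values. Request smuggling depends on two components framing the same message differently, so the defensive fix at a proxy or front end is to refuse any request whose framing is ambiguous. The following is an added example written for this digest, not code from Microsoft or from ISA Server: it parses a raw HTTP/1.x request head, keeps duplicate headers instead of collapsing them, and rejects conflicting Content-Length values. It also flags Content-Length combined with Transfer-Encoding, which goes beyond the specific case on the page but is the same ambiguity in general form. The function names (`parse_head`, `framing_problems`, `vet_request`) and the sample requests are constructed for the example.

```python
"""Reject HTTP/1.x requests whose message framing is ambiguous.

Added example for this digest; not code from Microsoft or from ISA Server.
The sample requests are constructed inline so the script runs offline.
"""


def parse_head(raw):
    """Split a raw request into (request_line, headers).

    ``headers`` is a list of (lower-cased name, value) pairs.  Duplicates are
    preserved deliberately: a dict would silently keep one value and hide the
    very condition we need to detect.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return request_line, headers


def framing_problems(headers):
    """Return the reasons this request's framing is ambiguous.

    An empty list means a single, unambiguous body length can be derived and
    the request is safe to forward.
    """
    problems = []
    content_lengths = [v for n, v in headers if n == "content-length"]
    transfer_encodings = [v for n, v in headers if n == "transfer-encoding"]

    # Several Content-Length values, whether as repeated headers or as a
    # comma-joined list, is the case reported for ISA Server: two parsers may
    # each pick a different one and disagree on where the next request starts.
    values = []
    for v in content_lengths:
        values.extend(part.strip() for part in v.split(","))
    if len(values) > 1 and len(set(values)) > 1:
        problems.append("conflicting Content-Length values: %s" % ", ".join(values))
    elif len(values) > 1:
        # Identical duplicates are tolerated by some implementations; a strict
        # front end rejects them so every downstream parser sees the same thing.
        problems.append("duplicate Content-Length header")
    for v in values:
        if not v.isdigit():
            problems.append("non-numeric Content-Length: %r" % v)

    # Content-Length alongside Transfer-Encoding: RFC 7230 says Transfer-Encoding
    # wins, but a front end and back end that disagree on that rule is exactly
    # the smuggling condition, so refuse the combination outright.
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems


def vet_request(raw):
    """Return (accept, reasons) for one raw request."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return False, [str(exc)]
    problems = framing_problems(headers)
    return not problems, problems


# Constructed sample requests.
CLEAN = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DOUBLE_CL = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nContent-Length: 44\r\n\r\nhello")
CL_AND_TE = (b"POST /submit HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("double-cl", DOUBLE_CL), ("cl+te", CL_AND_TE)):
        print(name, vet_request(req))
```

Rejecting at the edge is the right place for this check: the bulletin notes there is no workaround for the ISA Server flaw itself, but a front end that never forwards an ambiguously framed request removes the disagreement the attack needs regardless of how the cache behind it parses.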
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 24, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4385 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.24.1 - CVE: CAN-2005-1208
  • Platform: Windows
  • Title: Windows HTML Help Remote Code Execution
  • Description: Microsoft Windows provides a standard help interface entitled HTML Help that may be used to create help content for applications. HTML Help also provides the ability to reference online help content. Microsoft Windows HTML Help is affected by a remote code execution vulnerability. It was reported that this issue arises because HTML Help does not properly validate user-supplied input data. An attacker may exploit this issue from a malicious web page or through HTML email to execute arbitrary code with the privileges of the currently logged in user.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx

  • 05.24.2 - CVE: CAN-2005-1207
  • Platform: Windows
  • Title: Windows Web Client Service Remote Code Execution
  • Description: Microsoft Windows Web Client Service is used by Win32 applications to remotely create, read, and write files on Internet file servers using WebDAV. It is affected by a remote code execution vulnerability. This issue arises because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers. A successful attack can allow a remote attacker to gain elevated privileges on an affected computer.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-028.mspx

  • 05.24.3 - CVE: CAN-2005-1214
  • Platform: Windows
  • Title: Windows Agent Trusted Content Spoofing Vulnerability
  • Description: Microsoft Agent is a set of ActiveX controls that allows enhanced interfaces for applications and web interfaces featuring animated characters. A vulnerability in Microsoft Agent could allow a malicious web site to spoof trusted content. An attacker could exploit this issue to trick users into accepting malicious files or content believing that it is safe. Refer to the link below for affected versions.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-032.mspx

  • 05.24.4 - CVE: CAN-2005-1206
  • Platform: Windows
  • Title: Windows Incoming SMB Packet Validation Remote Buffer Overflow
  • Description: SMB (Server Message Block) is an implementation of the CIFS (Common Internet File System) network filesystem. It is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer. Remote attackers may exploit this vulnerability to execute arbitrary machine code in the context of the kernel or cause a denial of service condition.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx


  • 05.24.6 - CVE: CAN-2005-1211
  • Platform: Other Microsoft Products
  • Title: Internet Explorer PNG Image Rendering Buffer Overflow
  • Description: Microsoft Internet Explorer is affected by a buffer overflow issue which exists in the PNG image rendering library used by the browser. An overly large PNG chunk may trigger memory corruption of the process heap when rendered by the library due to a boundary condition error. All current versions are affected.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx

  • 05.24.7 - CVE: CAN-2005-1217
  • Platform: Other Microsoft Products
  • Title: ISA Server HTTP/HTTPS Service Basic Auth Information Disclosure
  • Description: Microsoft Internet Security and Acceleration (ISA) server is affected by an information disclosure issue which occurs when an ISA server is publishing a web service that has "Basic authentication" enabled, but the web publishing rules that process the request are configured as "SSL required". ISA server version 2000 is affected.
  • Ref: http://support.microsoft.com/?id=821724

  • 05.24.8 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Unspecified GIF and BMP Denial of Service
  • Description: Microsoft Internet Explorer is affected by a denial of service vulnerability when rendering malformed GIF and BMP images. Microsoft Internet Explorer versions 6.0 SP2 and earlier are known to be vulnerable.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-025.mspx

  • 05.24.9 - CVE: CAN-2005-1212
  • Platform: Other Microsoft Products
  • Title: Windows Step-By-Step Interactive Training Buffer Overflow
  • Description: Microsoft Step-By-Step Interactive Training is a training engine that is used by Microsoft Press and other vendors. It has a buffer overflow vulnerability. This is due to a boundary condition error related to validation of data in bookmark link files. Successful exploitation will result in the execution of arbitrary code in the context of the user who is currently logged in.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-031.mspx

  • 05.24.10 - CVE: CAN-2005-1216
  • Platform: Other Microsoft Products
  • Title: ISA Server NetBIOS Predefined Filter Policy Bypass
  • Description: Microsoft Internet Security and Acceleration (ISA) server is prone to a policy bypass issue which occurs when an ISA server is utilizing the "NetBIOS (all)" predefined filter. The issue is caused due to a flaw in the way NetBIOS connections are validated by the "NetBIOS (all)" predefined filter. ISA server version 2000 is affected.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-034.mspx

  • 05.24.11 - CVE: CAN-2005-1215
  • Platform: Other Microsoft Products
  • Title: ISA Server HTTP Request Smuggling Vulnerability
  • Description: Microsoft Internet Security and Acceleration (ISA) server is prone to an HTTP request smuggling attack due to a failure of the application to handle invalid HTTP requests with multiple "Content-Length" values. A remote attacker may exploit this issue to launch cache poisoning or other attacks against the affected server. Microsoft ISA server 2000 SP2 and earlier are vulnerable to this issue.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-034.mspx

  • 05.24.12 - CVE: CAN-2002-0648
  • Platform: Other Microsoft Products
  • Title: Internet Explorer XML Redirect Information Disclosure
  • Description: Microsoft Internet Explorer is affected by an information disclosure issue. It allows an XML data source in a domain other than the "Internet Zone" to be specified. As a result, it is possible to redirect an XML data source into a local file. Microsoft has stated that Windows Server 2003 with "Enhanced Security Configuration" enabled is not affected.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-025.mspx

  • 05.24.13 - CVE: CAN-2005-1812
  • Platform: Third Party Windows Apps
  • Title: FutureSoft TFTP Server 2000 Remote Denial of Service
  • Description: FutureSoft TFTP Server 2000 is a TFTP server for Microsoft Windows. It is vulnerable to a remote denial of service issue that surfaces when the TFTP server handles default UDP datagrams generated by the "hping2" utility. A remote attacker may exploit this issue to crash the affected service, denying service to legitimate users. FutureSoft TFTP Server 2000 version 1.0.0.1 is vulnerable to this issue.
  • Ref: http://secunia.com/advisories/15539

  • 05.24.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Pragma TelnetServer Log Obfuscation
  • Description: Pragma TelnetServer is affected by a log obfuscation vulnerability. An attacker can submit the "<!--" tag followed by malicious commands and a "-->" tag to the server through the command line. The arbitrary data contained within the tags will not be logged, causing log entries to be obfuscated. Pragma TelnetServer version 6.0 is affected.
  • Ref: http://www.securitytracker.com/alerts/2005/Jun/1014127.html

  • 05.24.15 - CVE: CAN-2005-1721, CAN-2005-1720, CAN-2005-1722, CAN-2005-1726, CAN-2005-1727, CAN-2005-1725, CAN-2005-1723, CAN-2005-1728, CAN-2005-1724
  • Platform: Mac Os
  • Title: Apple Mac OS X Security Update 2005-006 Multiple Vulnerabilities
  • Description: Apple released Security Update 2005-006 to address multiple Mac OS X local and remote vulnerabilities. These include buffer overflows, a denial of service, a race condition and privilege escalation issues. Refer to the link below for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/advisories/8664

  • 05.24.16 - CVE: Not Available
  • Platform: Linux
  • Title: ViRobot Linux Server Remote Buffer Overflow
  • Description: ViRobot Linux Server is an application server that provides antivirus protection. It has a remote buffer overflow vulnerability affecting the web-based management interface. ViRobot Linux Server version 2.0 is vulnerable to this issue.
  • Ref: http://www.digitalmunition.com/DMA%5B2005-0614a%5D.txt

  • 05.24.17 - CVE: CAN-2005-1760
  • Platform: Linux
  • Title: RedHat Linux Sysreport Proxy Information Disclosure
  • Description: up2date is the RedHat Update Agent software that allows users to download official updates and fixes. Sysreport is a utility designed to collect system information. Proxy authentication information is stored in the up2date configuration file "/etc/sysconfig/rhn/up2date". When sysreport executes, it discloses the contents of this file, including proxy authentication usernames and passwords. All unpatched versions are affected.
  • Ref: http://rhn.redhat.com/errata/RHSA-2005-502.html

  • 05.24.18 - CVE: CAN-2005-0064
  • Platform: Linux
  • Title: libextractor Multiple Buffer Overflow Vulnerabilities
  • Description: libextractor is a library that extracts meta-data from files. It is vulnerable to multiple remote buffer overflow issues due to insufficient boundary checks before copying user-supplied data into process buffers. libextractor versions 0.4.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8673

  • 05.24.19 - CVE: CAN-2005-1911
  • Platform: Linux
  • Title: Leafnode Fetchnews Client Remote Denial of Service
  • Description: Leafnode is a Usenet news proxy. Leafnode fetchnews is affected by a remote denial of service vulnerability. Leafnode versions 1.11.3 and earlier are known to be vulnerable.
  • Ref: http://leafnode.sourceforge.net/leafnode-SA-2005-01.txt

  • 05.24.20 - CVE: CAN-2005-1952
  • Platform: Unix
  • Title: Pico Server File Access
  • Description: Pico Server is a small web server written in C. A vulnerability in Pico Server may allow remote attackers to view file contents or execute programs outside of the web root directory. Version 3.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/13935

  • 05.24.21 - CVE: CAN-2005-1306
  • Platform: Cross Platform
  • Title: Acrobat Reader File Existence Disclosure
  • Description: Adobe Acrobat and Adobe Reader are applications designed for reading Portable Document Format (PDF) files. The applications may allow remote attackers to determine the existence of files on a vulnerable computer using specially crafted XML external entities embedded in JavaScript. Adobe Acrobat and Adobe Reader version 7.0 and version 7.0.1 on Microsoft Windows and Apple Mac OS X platforms are affected.
  • Ref: http://www.adobe.com/support/techdocs/331710.html

  • 05.24.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java Runtime Environment Unspecified Privilege Escalation
  • Description: The Java Runtime Environment (JRE) is the virtual Java platform on which all Java applications are run. Sun Java Runtime Environment is affected by an unspecified privilege escalation vulnerability. Sun Java Runtime Environment versions 1.4.2 and earlier are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1

  • 05.24.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Finjan SurfinGate ASCII File Extension File Filter Circumvention
  • Description: SurfinGate is a commercially available content filtering and application firewall package. It is vulnerable to an issue that may allow an attacker to circumvent file filters. This issue arises due to insufficient sanitization of user-supplied data. SurfinGate versions 7.0 SP2 and 7.0 SP3 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13959/exploit

  • 05.24.24 - CVE: CAN-2005-0836
  • Platform: Cross Platform
  • Title: Java Web Start Privilege Escalation
  • Description: Sun Java Web Start is a utility to facilitate remote deployment of Java applications. It is vulnerable to a privilege escalation issue involving the "value" parameter of a "property" tag in a JNLP file. Sun Java 2 Standard Edition SDK and Runtime Environment version 1.5.0_02 are not vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101748-1

  • 05.24.25 - CVE: CAN-2005-1756, CAN-2005-1757, CAN-2005-1758
  • Platform: Cross Platform
  • Title: Novell NetMail Multiple Remote Vulnerabilities
  • Description: Novell NetMail is an e-mail and calendaring system. Novell NetMail is susceptible to multiple remote buffer overflows and denial of service issues. Please refer to the referenced advisory for details.
  • Ref: http://www.novell.com/products/netmail/

  • 05.24.26 - CVE: CAN-2005-1269
  • Platform: Cross Platform
  • Title: Gaim Yahoo! Protocol Support File Download Denial of Service
  • Description: Gaim is an instant messaging client that supports numerous protocols. Gaim is affected by a denial of service vulnerability during the download of a file using the Yahoo! protocol. This issue can allow remote attackers to cause an affected client to fail. Gaim versions prior to 1.3.1 are reportedly affected by this vulnerability.
  • Ref: http://gaim.sourceforge.net/security/index.php?id=18

  • 05.24.27 - CVE: CAN-2005-1934
  • Platform: Cross Platform
  • Title: Gaim MSN Protocol Denial of Service
  • Description: Gaim is an instant messaging client. It is vulnerable to a denial of service issue when handling malformed messages using the MSN protocol. Gaim versions prior to 1.3.1 are not vulnerable.
  • Ref: http://gaim.sourceforge.net/security/index.php?id=19

  • 05.24.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ovidentia FX Remote File Include
  • Description: Ovidentia FX is a web-based portal application implemented in PHP. Ovidentia FX is affected by a remote file include vulnerability. All current versions are affected.
  • Ref: http://www.defacers.com.mx/advisories/5.txt

  • 05.24.29 - CVE: CAN-2005-1267
  • Platform: Cross Platform
  • Title: tcpdump BGP Decoding Routines Denial of Service
  • Description: tcpdump has a vulnerability that may allow a remote attacker to cause a denial of service condition in the software. The issue occurs due to the way tcpdump decodes Border Gateway Protocol (BGP) packets. An attacker may exploit this issue to deny tcpdump service for legitimate users. Please refer to the following link for more details.
  • Ref: http://www.securityfocus.com/advisories/8671

  • 05.24.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Open Source Com_Contents SQL Injection
  • Description: Mambo is an open source web based content management system. Mambo "com_contents" component is affected by an SQL injection vulnerability. Mambo versions 4.5.2.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13966

  • 05.24.31 - CVE: CAN-2005-0780, CAN-2005-0781, CAN-2005-0782, CAN-2005-0952
  • Platform: Web Application
  • Title: paFileDB Multiple Input Validation Vulnerabilities
  • Description: paFileDB is a Web-based file management utility implemented in PHP with an SQL database back end. paFileDB is prone to multiple input validation vulnerabilities. Please refer to the advisory for further details. Version 3.1 is reported to be vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00082-06142005

  • 05.24.32 - CVE: CAN-2005-1975
  • Platform: Web Application
  • Title: Annuaire 1Two Index.PHP Cross-Site Scripting
  • Description: Annuaire 1Two is web forum software implemented in PHP. Annuaire 1Two is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "id" parameter of "index.php". An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
  • Ref: http://www.hackisknowledge.org/Advisories/Annuaire%201Two%20v1.0/Annuaire%201Two%20v1.0.html

  • 05.24.33 - CVE: CAN-2005-1975
  • Platform: Web Application
  • Title: Annuaire 1Two Commentaires.PHP Multiple HTML Injection Vulnerabilities
  • Description: Annuaire 1Two is web forum software. It has multiple HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be executed in the context of the affected web site, potentially allowing for theft of cookie-based authentication credentials.
  • Ref: http://www.hackisknowledge.org/Advisories/Annuaire%201Two%20v1.0/Annuaire%201Two%20v1.0.html

  • 05.24.34 - CVE: Not Available
  • Platform: Web Application
  • Title: McGallery Lang Argument File Disclosure Vulnerability
  • Description: McGallery is a web-based photo gallery application. It is implemented in PHP. It is vulnerable to a file disclosure issue due to insufficient validation of data supplied to the application through URI arguments. A remote attacker can exploit this issue to access files on the computer in the context of the web server process.
  • Ref: http://www.securityfocus.com/bid/13963/info

  • 05.24.35 - CVE: CAN-2005-1959
  • Platform: Web Application
  • Title: JamMail Jammail.pl Remote Arbitrary Command Execution
  • Description: JamMail is a web mail script. It has a remote arbitrary command execution vulnerability. Successful exploitation of this issue results in command execution with the privileges of the web server process. JamMail version 1.8 is affected by this issue.
  • Ref: http://www.securitytracker.com/alerts/2005/Jun/1014175.html

  • 05.24.36 - CVE: CAN-2005-1955
  • Platform: Web Application
  • Title: Singapore Image Gallery Index.PHP Cross-Site Scripting Vulnerability
  • Description: Singapore is a web-based image gallery implemented in PHP. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "gallery" parameter of "index.php". An attacker may leverage this issue to steal cookie-based authentication credentials or to carry out other attacks.
  • Ref: http://marc.theaimsgroup.com/?l=bugtraq&m=111868634003167&w=2

  • 05.24.37 - CVE: Not Available
  • Platform: Web Application
  • Title: FusionBB Multiple Input Validation Vulnerabilities
  • Description: FusionBB is a bulletin board application. It is affected by multiple file include and SQL injection issues due to insufficient sanitization of user-supplied input. FusionBB version 0.12 Beta was released to fix these issues.
  • Ref: http://www.securityfocus.com/bid/13939/info

  • 05.24.38 - CVE: CAN-2005-1965
  • Platform: Web Application
  • Title: Siteframe Siteframe.php Remote File Include Vulnerability
  • Description: Siteframe is a content-management system. It has a remote file include vulnerability. An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the web server process.
  • Ref: http://www.securityfocus.com/bid/13928/

  • 05.24.39 - CVE: CAN-2005-1966
  • Platform: Web Application
  • Title: e107 ePing Remote Command Execution
  • Description: e107 Website System is a web-based content management system. A remote command execution issue is exposed due to insufficient sanitization of the "eping_cmd", "eping_host", and "eping_count" parameters in the "doping.php" script. ePing version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/13929/info

  • 05.24.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Darryl Burgdorf Webhints Remote Command Execution
  • Description: Darryl Burgdorf Webhints is a hint generation script implemented in Perl. It is vulnerable to a remote command execution issue due to a failure in the application to properly sanitize user-supplied input. An attacker could leverage this issue to run arbitrary commands in the context of the hosting web server. Webhints versions 1.03 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/402339/30/0/threaded

  • 05.24.41 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 eTrace Remote Command Execution
  • Description: eTrace is a plug-in for e107 Website System that runs a tracert from a Windows or Linux shell and displays the output in an IFRAME. eTrace is affected by a remote command execution vulnerability. eTrace versions 1.0.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13934

  • 05.24.42 - CVE: CAN-2005-1945, CAN-2005-1946
  • Platform: Web Application
  • Title: Invision Community Blog Multiple Input Validation Vulnerabilities
  • Description: Invision Community Blog is a blog system that can be used as a plug-in for Invision Power Board. Invision Power Board is web forum software. Multiple input validation vulnerabilities reportedly affect Invision Community Blog. These issues are due to a failure of the application to properly sanitize user-supplied input prior to using it to carry out critical actions. An attacker may leverage these issues to carry out cross-site scripting and SQL injection attacks against the affected application.
  • Ref: http://www.gulftech.org/?node=research&article_id=00078-06072005

  • 05.24.43 - CVE: CAN-2005-1948
  • Platform: Web Application
  • Title: Invision Gallery SQL Injection
  • Description: Invision Gallery is a gallery system that can be used as a plug-in for Invision Power Board. Insufficient sanitization of the "comment" parameter of the "index.php" script exposes the application to an SQL injection issue. Invision Gallery versions 1.3.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13907/info

  • 05.24.44 - CVE: CAN-2005-1962
  • Platform: Web Application
  • Title: Cerberus Helpdesk Multiple Cross-Site Scripting Vulnerabilities
  • Description: Cerberus Helpdesk is a web-based help desk application. It is vulnerable to multiple cross-site scripting issues due to a failure of the application to properly sanitize user-supplied URI input. An attacker could leverage these issues to steal cookie-based authentication credentials or perform other attacks. Cerberus Helpdesk versions 0.97.3 to 2.6.1 are vulnerable to these issues.
  • Ref: http://www.securitytracker.com/alerts/2005/Jun/1014128.html

  • 05.24.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Loki Download Manager Default.ASP SQL Injection
  • Description: Loki Download Manager is a web-based file download manager. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "default.asp" script. A remote attacker could exploit this issue to obtain sensitive information or modify database contents.
  • Ref: http://www.securityfocus.com/bid/13898

  • 05.24.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Loki Download Manager SQL Injection
  • Description: Loki Download Manager is a file download manager. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "cat" parameter of the "catinfo.asp" script. Loki Download Manager Category Version 2.0 is vulnerable.
  • Ref: http://secunia.com/advisories/15633/

  • 05.24.47 - CVE: CAN-2005-1942
  • Platform: Network Device
  • Title: Cisco Voice VLAN 802.1x Authentication Bypass
  • Description: Cisco switches are susceptible to an authentication bypass vulnerability, allowing attackers to gain anonymous access to the voice VLAN. Attackers may spoof Cisco Discovery Protocol (CDP) packets, and impersonate a Cisco IP phone, in order to join the voice VLAN. This allows attackers to gain access to network resources without the expected 802.1x authentication sequence. Once attackers gain access to the voice VLAN, they may be able to launch further attacks against servers and other hosts, or eavesdrop on VOIP conversations. Please refer to the link below for a list of vulnerable systems.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sn-20050608-8021x.shtml

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end== Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.