@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 25
June 24, 2005

Four critical problems in Veritas backup products merit your immediate attention if you use that popular software suite (#1 below). And on both your children's computers and your own, if you use music and video software from Real (#2 below), click on "Tools" or "Help" and choose "Check for Updates" to get fixes to flaws in that software that could allow Trojans to be placed on your computers.

Also, you have two more weeks to get the early registration discount for SANS' largest Washington DC Security training program (July 28 - August 3): http://www.sans.org/washington2005

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Other Microsoft Products    1
    Third Party Windows Apps    6
    Mac Os                      1
    Linux                       4
    Solaris                     1
    Unix                        4
    Cross Platform              12 (#1, #2, #3)
    Web Application             30 (#4)
    Network Device              3

********************** Sponsored by BindView ****************************

Access control challenges?

Have auditors asked who has access to your critical resources, how they got access and for the business owners to sign off? They will. Find out why this information is critical yet difficult to produce. Equally important, find out how you quickly and easily create it. Download the white paper "User and Group Entitlement Reporting"

https://ocp.bindview.com/Surveys/Main/EventMF.cfm?NUM=1412&AD=NS-AtRisLtrUsGrEnR
WP-Q205

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Solaris
Unix
Cross Platform
Web Application
Network Device

************************* Sponsored Links *******************************

1) Hacking Web Applications- FREE White Paper from SPI Dynamics www.sans.org/info/808

2) The deadline is next week for the only opportunity to have SANS instructors delivering live classes on-line at your workplace and at home. You can still sign up for SANS exclusive training program for CISSP, even though it started Wednesday. The others (Forensics, Auditing, Hacker Techniques, Security Essentials, and more) start in the next few weeks.
http://www.sans.org (see SANS@Home)

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: RealNetworks RealPlayer Multiple Vulnerabilities
  • Affected:
    • On Windows:
      • RealPlayer 10.5 (6.0.12.1040-1069)
      • RealPlayer 8/10
      • RealOne Player v2/v1
      • RealPlayer Enterprise
      • Rhapsody 3 (build 0.815-0.1006)
    • On Mac OS:
      • Mac RealPlayer 10 (10.0.0.305-331)
      • Mac RealOne Player
    • On Linux:
      • Linux RealPlayer 10 (10.0.0-4)
      • Helix Player (10.0.0-4)
  • Description: RealNetworks' various media players contain the following vulnerabilities that can be exploited by a malicious webpage or an HTML email to compromise a client system. (a) A specially crafted AVI movie file triggers a heap-based overflow that can be exploited to execute arbitrary code. The problem arises when the "stream format chunk (strf)" size in an AVI file is greater than 1064 bytes. (b) A specially crafted RealMedia file with RealText also triggers a heap-based overflow that can be exploited to execute arbitrary code. The problem arises when the size of the RealText data exceeds 256 bytes. (c) A specially crafted MP3 file can overwrite a local file or lead to execution of an ActiveX control on the client system. This can be exploited to install malware on client systems. The technical details required to leverage this flaw have not been posted yet. Note that systems with RealPlayer configured as the default media player are at a greater risk as the malicious media files may be opened without any user prompting.

  • Status: RealNetworks has released updates for all the vulnerabilities. Users should be advised to upgrade their player by clicking "Tools" or "Help" menu and then choosing "Check For Updates".

  • References:
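The AVI flaw (a) above is defined entirely by one structural condition: a "strf" (stream format) chunk whose declared size exceeds 1064 bytes. That condition is easy to check at a mail gateway or file-upload boundary before a media file ever reaches a player. The following is an added example, not code from RealNetworks or from this bulletin; it walks the RIFF/AVI chunk tree and reports any strf chunk over the advisory's 1064-byte threshold, plus chunks whose declared size runs past the end of the file. The sample AVI is constructed inline for the test; the 1064-byte limit is the only value taken from the advisory, and the RealText (b) and MP3 (c) conditions are not covered here.

```python
import struct

# Threshold from the advisory: strf chunk sizes above this triggered the heap overflow.
STRF_LIMIT = 1064


def _walk(data, start, end, found):
    """Walk RIFF chunks in data[start:end], descending into RIFF/LIST containers.

    Every chunk is <fourcc><uint32 little-endian size><body>, padded to an even
    length. Findings are appended to `found` as tuples.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from('<I', data, pos + 4)
        body = pos + 8
        if body + size > end:
            # Declared size runs past the enclosing chunk or the file: stop here
            # rather than trusting an attacker-controlled length.
            found.append(('truncated', fourcc.decode('latin-1'), size))
            return
        if fourcc in (b'RIFF', b'LIST'):
            # Container chunks carry a 4-byte list type, then nested chunks.
            _walk(data, body + 4, body + size, found)
        elif fourcc == b'strf' and size > STRF_LIMIT:
            found.append(('oversized-strf', size))
        pos = body + size + (size & 1)  # skip the pad byte on odd-sized chunks


def scan_avi(data):
    """Return a list of findings for an AVI byte string; an empty list means clean."""
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'AVI ':
        return [('not-avi',)]
    found = []
    _walk(data, 0, len(data), found)
    return found


# --- constructed sample input (not a real RealPlayer test file) -------------

def _chunk(fourcc, body):
    pad = b'\0' if len(body) & 1 else b''
    return fourcc + struct.pack('<I', len(body)) + body + pad


def _list(list_type, body):
    return _chunk(b'LIST', list_type + body)


def build_sample_avi(strf_len):
    """Build a minimal AVI whose single stream has an strf chunk of strf_len bytes."""
    strl = _list(b'strl', _chunk(b'strh', b'\0' * 56) + _chunk(b'strf', b'\0' * strf_len))
    hdrl = _list(b'hdrl', _chunk(b'avih', b'\0' * 56) + strl)
    movi = _list(b'movi', b'')
    return _chunk(b'RIFF', b'AVI ' + hdrl + movi)


if __name__ == '__main__':
    print('benign 40-byte strf   :', scan_avi(build_sample_avi(40)))
    print('oversized 2000-byte strf:', scan_avi(build_sample_avi(2000)))
    print('truncated file        :', scan_avi(build_sample_avi(2000)[:-10]))
```

A gateway would treat either finding as grounds to quarantine the file: the oversized strf is the advisory's trigger condition, and a truncated chunk tree means the declared lengths cannot be trusted. Because the walker bounds every nested range by its parent's declared end, a forged container size cannot push the scan past the buffer.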
Other Software
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 25, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4389 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.25.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Dialog Box Origin Spoofing
  • Description: Microsoft Internet Explorer is vulnerable to a dialog box origin spoofing issue. A remote attacker may be able to display a spoofed dialog box to a user that seemingly originates from a trusted site to carry out phishing style attacks. All currently supported versions of Internet Explorer are vulnerable.
  • Ref: http://www.microsoft.com/technet/security/advisory/902333.mspx

  • 05.25.2 - CVE: CAN-2005-0772
  • Platform: Third Party Windows Apps
  • Title: Veritas Backup Exec/NetBackup Request Packet Denial Of Service
  • Description: Veritas Backup Exec and NetBackup for NetWare Media Servers are vulnerable to a denial of service issue due to improper handling of a malformed request packet. A remote attacker could leverage this issue to cause a denial of service on a vulnerable machine. Please refer to the link for a list of vulnerable versions.
  • Ref: http://seer.support.veritas.com/docs/276533.htm

  • 05.25.3 - CVE: CAN-2005-0772
  • Platform: Third Party Windows Apps
  • Title: Veritas Backup Exec Remote Agent Null Pointer Dereference Denial Of Service
  • Description: Veritas Backup Exec Remote Agent is prone to a remotely exploitable denial of service vulnerability. This could cause a denial of service on the computer hosting the application. In particular, a malformed request may cause a null pointer dereference in the application. This could impact availability of the service and the computer hosting the application.
  • Ref: http://seer.support.veritas.com/docs/276533.htm

  • 05.25.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Veritas Backup Exec Remote Agent Servers Privilege Escalation
  • Description: Veritas Backup Exec is a network enabled backup solution from Veritas. It is affected by a privilege escalation vulnerability. This issue can allow remote users to gain elevated privileges and completely compromise an affected computer. Veritas Software Backup Exec version 10.0 rev.5520 has been released to fix the issue.
  • Ref: http://www.securityfocus.com/bid/14026

  • 05.25.5 - CVE: CAN-2005-0771
  • Platform: Third Party Windows Apps
  • Title: Veritas Backup Exec Server Remote Registry Access
  • Description: Veritas Backup Exec is a network enabled backup solution from Veritas. The Windows version is prone to an access validation vulnerability which may be leveraged by a remote attacker to gain "Administrator" access to the vulnerable computer's registry. Veritas Software Backup Exec version 10.0 rev.5520 has been released to fix the issue.
  • Ref: http://www.securityfocus.com/bid/14020

  • 05.25.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Veritas Backup Exec Admin Plus Pack Remote Heap Overflow
  • Description: Veritas Backup Exec is a network enabled backup solution from Veritas. Veritas Backup Exec is affected by a remote heap overflow vulnerability. This issue affects Backup Exec running on Microsoft Windows platforms. Veritas Backup Exec versions 10.0 rev. 5484 SP1 and earlier are known to be vulnerable.
  • Ref: http://seer.support.veritas.com/docs/276607.htm

  • 05.25.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RealVNC Server Remote Information Disclosure
  • Description: RealVNC (Virtual Network Computing) allows users to access remote computers for administration purposes. RealVNC is affected by a remote information disclosure vulnerability. Reports indicate that scanning TCP port 5900 using the DFind tool reveals sensitive information such as RealVNC version and the underlying operating system. This information may aid in other attacks against an affected computer.
  • Ref: http://www.realvnc.com/pipermail/vnc-list/2005-June/051336.html

  • 05.25.8 - CVE: Not Available
  • Platform: Mac Os
  • Title: Safari Dialog Box Origin Spoofing
  • Description: Apple Safari is a web browser and it is vulnerable to a dialog box origin spoofing issue when dialog boxes from inactive windows may appear in other active windows. Apple Safari versions 1.3 and earlier are vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-12/advisory/

  • 05.25.9 - CVE: Not Available
  • Platform: Linux
  • Title: Asterisk Manager Interface Command Processing Remote Buffer Overflow
  • Description: Asterisk is a software-based PBX system. It is reported to be vulnerable to a remote buffer overflow issue due to improper boundary checks performed by command line interface processing routines. Asterisk version 1.0.7 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14031

  • 05.25.10 - CVE: CAN-2005-1992
  • Platform: Linux
  • Title: Ruby XMLRPC Server Command Execution
  • Description: Ruby is an object-oriented scripting language. It is vulnerable to an unspecified command execution issue. The XMLRPC server in utils.rb for the ruby library (libruby) sets an invalid default value that prevents "security protection". Ruby version 1.8.2 is vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8719 http://www.securityfocus.com/advisories/8718

  • 05.25.11 - CVE: CAN-2005-1266
  • Platform: Linux
  • Title: Vipul Razor-agents Multiple Unspecified Denial of Service Vulnerabilities
  • Description: Vipul Razor is a distributed spam detection and filtering network. Vipul Razor-agents is affected by multiple unspecified denial of service vulnerabilities. Vipul Razor versions 2.72 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8715

  • 05.25.12 - CVE: CAN-2005-2023
  • Platform: Linux
  • Title: SuSE Linux GPG2 S/MIME Signing Unspecified Vulnerability
  • Description: SuSE Linux is affected by an unspecified vulnerability related to S/MIME signing using gpg2. The cause and impact of this issue are currently unknown, but it is likely that this is a remote vulnerability. SuSE Linux version 9.3 is vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8709

  • 05.25.13 - CVE: CAN-2005-2022
  • Platform: Solaris
  • Title: Sun ONE/iPlanet Messaging Server Webmail HTML Injection
  • Description: Sun ONE/iPlanet Messaging Server Webmail, when users access webmail with Internet Explorer, is vulnerable to an HTML injection vulnerability due to insufficient sanitization of HTML and script code. Sun ONE Messaging Server version 6.2 and Sun iPlanet Messaging Server 5.2 are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101770-1

  • 05.25.14 - CVE: CAN-2005-2039
  • Platform: Unix
  • Title: NanoBlogger Arbitrary Command Execution
  • Description: NanoBlogger is a small weblog engine written in Bash for the command line. NanoBlogger is affected by a vulnerability regarding the execution of arbitrary commands. This issue is due to an input or access validation failure within the "recent_entries" and "master_archive" plugins. This reportedly leads to the execution of arbitrary commands. The vendor has addressed this issue in NanoBlogger version 3.2.2 and later; earlier versions are reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/14006

  • 05.25.15 - CVE: CAN-2005-2040
  • Platform: Unix
  • Title: Heimdal TelnetD Remote Buffer Overflow
  • Description: Heimdal is a free implementation of the Kerberos 5 network authentication protocol. Heimdal telnetd is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer. This vulnerability may be exploited by remote attackers to influence the proper flow of execution of the application, resulting in attacker-supplied machine code being executed in the context of the affected network service.
  • Ref: http://www.pdc.kth.se/heimdal/advisory/2005-06-20/

  • 05.25.16 - CVE: Not Available
  • Platform: Unix
  • Title: Yaws Source Code Disclosure
  • Description: Yaws is an HTTP server. It is vulnerable to a disclosure of source code issue due to insufficient sanitization of HTTP requests. Yaws versions 1.55 and earlier are vulnerable.
  • Ref: http://www.sec-consult.com/181.html

  • 05.25.17 - CVE: CAN-2005-1266
  • Platform: Unix
  • Title: SpamAssassin Malformed Email Header Remote Denial of Service
  • Description: SpamAssassin is a mail filter designed to identify and process spam. It is prone to a remote denial of service issue due to a failure in the application to properly handle overly long email headers. SpamAssassin versions 3.0.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13978

  • 05.25.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Slim Browser Dialog Box Origin Spoofing Vulnerability
  • Description: Slim Browser is reported to be vulnerable to a dialog box origin spoofing issue. The issue presents itself when dialog boxes from inactive windows appear in other active windows.
  • Ref: http://www.securityfocus.com/bid/14038

  • 05.25.19 - CVE: CAN-2005-0773
  • Platform: Cross Platform
  • Title: Veritas Backup Exec Remote Agent Authentication Buffer Overflow
  • Description: Veritas Backup Exec Remote Agent is affected by a remotely exploitable buffer overflow issue when handling authentication requests. This issue is due to a boundary condition error that is exposed during authentication requests to the application. Backup Exec for NetWare Servers version 9.1.1156 and Backup Exec version 10.0 rev.5520 have been released to fix this issue.
  • Ref: http://www.securityfocus.com/bid/14022

  • 05.25.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Veritas Backup Exec Web Administration Console Remote Buffer Overflow
  • Description: Veritas Backup Exec is a network enabled backup solution from Veritas. It is reported to be vulnerable to a remote buffer overflow issue due to improper boundary checks.
  • Ref: http://www.securityfocus.com/bid/14025

  • 05.25.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Avant Browser Dialog Box Origin Spoofing
  • Description: Avant Browser is affected by a dialog box origin spoofing vulnerability. Avant Browser versions 10.0 Build 029 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14012

  • 05.25.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tor Arbitrary Memory Information Disclosure
  • Description: Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service. Tor is affected by an arbitrary memory information disclosure vulnerability. Tor versions 0.0.9.9 and earlier are known to be vulnerable.
  • Ref: http://archives.seul.org/or/announce/Jun-2005/msg00001.html

  • 05.25.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox Dialog Box Origin Spoofing
  • Description: Mozilla Firefox browsers are prone to a dialog box origin spoofing issue which can allow remote attackers to carry out phishing style attacks. Mozilla Firefox versions 1.0.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14008

  • 05.25.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Dialog Box Origin Spoofing Vulnerability
  • Description: Opera Web Browser is vulnerable to a dialog box origin spoofing issue that may allow a malicious user to spoof an interface of a trusted web site and carry out phishing style attacks. All current versions of Opera Web Browser are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14009/info

  • 05.25.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: iCab Web Browser Dialog Box Origin Spoofing Vulnerability
  • Description: iCab web browser is reported to be vulnerable to a dialog box origin spoofing issue. The issue presents itself when dialog boxes from inactive windows appear in other active windows. iCab version 2.9.8 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14010

  • 05.25.26 - CVE: CAN-2005-2006
  • Platform: Cross Platform
  • Title: JBoss Malformed HTTP Request Remote Information Disclosure
  • Description: JBoss is a Java Application server. Insufficient sanitization of the "%" character in the HTTP parsing of the "org.jboss.web.WebServer" class exposes the issue. JBoss versions 4.0.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13985

  • 05.25.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Bitrix Site Manager Remote File Include
  • Description: Bitrix Site Manager is a web-based content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input when passing data through the "_SERVER[DOCUMENT_ROOT]" parameter of the "start.php" script. Bitrix Site Manager versions 4.0.5 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/13965

  • 05.25.28 - CVE: CAN-2005-1475
  • Platform: Cross Platform
  • Title: Opera XMLHttpRequest Object Cross-Domain Access
  • Description: Opera Web Browser is prone to an issue that allows a violation of the cross-domain security model. This issue arises due to an access validation error affecting the "XMLHttpRequest" object. The cross-domain security model restrictions can be bypassed due to insufficient checks performed on server-side redirects. Opera Web Browser version 8.0 is affected.
  • Ref: http://www.securityfocus.com/bid/13970

  • 05.25.29 - CVE: CAN-2005-1669
  • Platform: Cross Platform
  • Title: Opera Cross-Site Scripting and Local File Disclosure
  • Description: Opera is affected by cross-site scripting and local file disclosure issues. These issues are exposed when malformed "javascript:" URIs are opened in a new window or frame. Opera version 8.0 is affected.
  • Ref: http://www.securityfocus.com/bid/13969/info

  • 05.25.30 - CVE: Not Available
  • Platform: Web Application
  • Title: DUclassmate Multiple SQL Injection Vulnerabilities
  • Description: DUclassmate is a classmates listing and friends search web application. Insufficient sanitization of the "iPro" parameter of the "edit.asp" script and the "iState" parameter of the "default.asp" script exposes the application to an SQL injection issue. DUclassmate version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/14036

  • 05.25.31 - CVE: Not Available
  • Platform: Web Application
  • Title: DUpaypal Pro SQL Injection
  • Description: DUpaypal Pro is a professional Paypal-based E-Commerce storefront. DUpaypal Pro is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. These vulnerabilities could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
  • Ref: http://www.securityfocus.com/bid/14034

  • 05.25.32 - CVE: Not Available
  • Platform: Web Application
  • Title: DUamazon Pro Multiple SQL Injection Vulnerabilities
  • Description: DUamazon Pro is a web storefront for affiliates of Amazon. DUamazon Pro is affected by multiple SQL injection vulnerabilities. DUamazon Pro versions 3.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14033

  • 05.25.33 - CVE: CAN-2005-1525
  • Platform: Web Application
  • Title: RaXnet Cacti SQL Injection
  • Description: RaXnet Cacti is a complete front-end to the RRDTool. Cacti is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. These issues could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic and other attacks. Cacti versions prior to 0.8.6e are affected by these vulnerabilities.
  • Ref: http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities

  • 05.25.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Moodle Unspecified Text Filtering Vulnerability
  • Description: Moodle is a PHP web application that provides training. A malicious user with remote web access may craft an arbitrary text sequence to trigger this vulnerability. This text sequence is said to allow unauthorized access to the application. Moodle version 1.1.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14018

  • 05.25.35 - CVE: CAN-2005-1526
  • Platform: Web Application
  • Title: RaXnet Cacti Config_Settings.PHP Remote File Include
  • Description: RaXnet Cacti is a front-end to the RRDTool. It is affected by a remote file include issue due to a failure of the application to properly sanitize "config[include_path]" parameter of the "config_settings.php" script. Raxnet Cacti versions 0.8.6d and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14028

  • 05.25.36 - CVE: CAN-2005-1524
  • Platform: Web Application
  • Title: RaXnet Cacti Remote File Include
  • Description: RaXnet Cacti is a front-end to the RRDTool. It is vulnerable to a remote file include issue due to a failure of the application to properly sanitize user-supplied input prior to using it in a PHP "include()" function call in the "top_graph_header.php" script. An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. RaXnet Cacti versions earlier than 0.8.6e are vulnerable.
  • Ref: http://www.cacti.net/release_notes_0_8_6e.php

  • 05.25.37 - CVE: CAN-2005-2028
  • Platform: Web Application
  • Title: MercuryBoard Index.PHP Remote SQL Injection
  • Description: MercuryBoard is a web-based message board application. Insufficient sanitization of the "index.php" script exposes an SQL injection issue in the application. MercuryBoard version 1.1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/14015

  • 05.25.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Moodle Teacher Privilege Escalation
  • Description: Moodle provides online web-based training. It is reported to be vulnerable to a privilege escalation issue. The issue presents itself when an authenticated "teacher" account is able to obtain administrative access to the web application. Moodle versions 1.1.1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14013

  • 05.25.39 - CVE: Not Available
  • Platform: Web Application
  • Title: i-Gallery Folder Argument Cross-Site Scripting
  • Description: i-Gallery is a web-based photo gallery application. i-Gallery is affected by a cross-site scripting vulnerability. i-Gallery versions 3.x and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14002

  • 05.25.40 - CVE: CAN-2005-2037
  • Platform: Web Application
  • Title: Fortibus CMS SQL Injection
  • Description: Fortibus CMS is a content management system. It is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. These vulnerabilities affect the "logon.asp", "WeeklyNotesDisplay.asp" and the search page scripts of the application. These issues could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic and other attacks. Fortibus CMS 4.0 is vulnerable to these issues.
  • Ref: http://www.securityfocus.com/bid/14004

  • 05.25.41 - CVE: Not Available
  • Platform: Web Application
  • Title: cPanel User Parameter Cross-Site Scripting
  • Description: cPanel is a web hosting control panel that allows a user to manage their hosted account through a web-based interface. cPanel is affected by a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. cPanel versions 9.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13996

  • 05.25.42 - CVE: CAN-2003-0557
  • Platform: Web Application
  • Title: LaGarde StoreFront Shopping Cart LOGIN.ASP SQL Injection
  • Description: StoreFront Shopping Cart is an e-commerce shopping cart implemented in ASP. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied data in the "login.asp" script. A remote attacker could exploit this issue to get hold of sensitive information or modify data. StoreFront Shopping Cart version 5.0 is vulnerable.
  • Ref: http://www.zone-h.org/en/advisories/read/id=2684/

  • 05.25.43 - CVE: CAN-2005-2014
  • Platform: Web Application
  • Title: paFaq Database Unauthorized Access
  • Description: paFaq is a FAQ and knowledge base system. Insufficient access validation in the "backup.php" script exposes an issue by which a remote unauthenticated user can invoke the script and retrieve a complete backup of the application database. paFaq Beta version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/13999

  • 05.25.44 - CVE: Not Available
  • Platform: Web Application
  • Title: paFaq Question Cross-Site Scripting
  • Description: paFaq is a knowledge base system. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "id" parameter during a "Question" action. An attacker may leverage this issue to steal cookie-based authentication credentials as well as other attacks. All current versions of paFaq are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14001/info

  • 05.25.45 - CVE: CAN-2005-2012
  • Platform: Web Application
  • Title: paFaq Administrator Username SQL Injection
  • Description: paFaq is a FAQ and knowledge base system. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "username" parameter. paFaq version Beta 4 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14003

  • 05.25.46 - CVE: Not Available
  • Platform: Web Application
  • Title: i-Gallery Directory Traversal
  • Description: i-Gallery is a photo gallery web application. It is vulnerable to a directory traversal issue due to insufficient sanitization of "../" sequences in a path variable. i-Gallery versions 3.x are vulnerable.
  • Ref: http://www.hat-squad.com/en/000169.html

  • 05.25.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Contelligent Preview Privilege Escalation
  • Description: Contelligent is a web-based content management system. It is reported to be vulnerable to a privilege escalation issue because it allows an attacker with preview access to gain elevated access to the system. Contelligent versions 9.0.15 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13987

  • 05.25.48 - CVE: CAN-2005-2007
  • Platform: Web Application
  • Title: Trac Unauthorized File Upload/Download Vulnerability
  • Description: Edgewall Software Trac is a wiki and bug tracking system. Insufficient sanitization of the "id" parameter exposes an unauthorized file upload and download vulnerability. Trac versions 0.8.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/13990

  • 05.25.49 - CVE: CAN-2005-2009
  • Platform: Web Application
  • Title: Uapplication Ublog Reload Multiple SQL Injection Vulnerabilities
  • Description: Ublog Reload is a web log software. It is reported to be vulnerable to multiple SQL injection issues due to improper sanitization of user-supplied input. Ublog version 1.0.5 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13991

  • 05.25.50 - CVE: CAN-2005-0925
  • Platform: Web Application
  • Title: Ublog Reload Trackback.ASP Cross-Site Scripting
  • Description: Ublog Reload is web log software. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "btitle" parameter of the "trackback.asp" script. Uapplication Ublog Reload version 1.0.5 is vulnerable.
  • Ref: http://echo.or.id/adv/adv18-theday-2005.txt

  • 05.25.51 - CVE: Not Available
  • Platform: Web Application
  • Title: osCommerce Multiple HTTP Response Splitting Vulnerabilities
  • Description: osCommerce is an e-commerce suite. It is reported to be vulnerable to multiple HTTP response splitting issues due to improper sanitization of user-supplied input. osCommerce versions 2.2 ms2 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13979

  • 05.25.52 - CVE: Not Available
  • Platform: Web Application
  • Title: XAMPP Lang.PHP HTML Injection
  • Description: XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. This issue is reported to affect the Linux distribution of XAMPP.
  • Ref: http://www.securityfocus.com/bid/13982

  • 05.25.53 - CVE: Not Available
  • Platform: Web Application
  • Title: XAMPP Lang.PHP Directory Traversal Vulnerability
  • Description: XAMPP is an easy to install Apache distribution containing MySQL, PHP and Perl. XAMPP is prone to a directory traversal vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to "lang.php" before using it in an include() function call. Exploitation of this vulnerability could lead to a loss of confidentiality. This issue is reported to affect the Linux distribution of XAMPP.
  • Ref: http://www.securityfocus.com/bid/13983

  • 05.25.54 - CVE: Not Available
  • Platform: Web Application
  • Title: ATutor Multiple Cross-Site Scripting Vulnerabilities
  • Description: ATutor is a web-based Learning Content Management System. It is vulnerable to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input. ATutor versions 1.4.3 and 1.5 RC1 are vulnerable.
  • Ref: http://lostmon.blogspot.com/

  • 05.25.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Cool Cafe Chat LOGIN.ASP SQL Injection
  • Description: Cool Cafe Chat is a web-based chat application. Cool Cafe Chat is affected by an SQL injection vulnerability. Cool Cafe Chat versions 1.2.1 and earlier are known to be vulnerable.
  • Ref: http://exploitlabs.com/files/advisories/EXPL-A-2005-009-coolcafe.txt

  • 05.25.56 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Website System Multiple Input Validation and Information Disclosure Vulnerabilities
  • Description: e107 Website System is a web-based content management system implemented in PHP. e107 Website System is prone to multiple input validation and information disclosure vulnerabilities. The application is also vulnerable to several cross-site scripting and HTML injection vulnerabilities. Refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/13974

  • 05.25.57 - CVE: CAN-2005-2030
  • Platform: Web Application
  • Title: Ultimate PHP Board Weak Password Encryption
  • Description: Ultimate PHP Board (UPB) is affected by a weak password encryption issue. The "users.dat" file contains user and password information and is stored in a remotely accessible location. The passwords contained within the file are encrypted using a trivial substitution cipher.
  • Ref: http://www.securityfocus.com/bid/13975

  • 05.25.58 - CVE: CAN-2005-2004
  • Platform: Web Application
  • Title: Ultimate PHP Board Multiple Cross-Site Scripting Vulnerabilities
  • Description: Ultimate PHP Board (UPB) is an open source PHP Bulletin Board. It is vulnerable to multiple cross-site scripting issues due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to steal cookie-based authentication credentials as well as other attacks.
  • Ref: http://secunia.com/advisories/15732

  • 05.25.59 - CVE: CAN-2005-1769
  • Platform: Web Application
  • Title: SquirrelMail Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: SquirrelMail is a web mail application. It is reported to be vulnerable to multiple cross-site scripting issues due to improper sanitization of user-supplied input. SquirrelMail 1.4.4 and earlier versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/13973

  • 05.25.60 - CVE: Not Available
  • Platform: Network Device
  • Title: Enterasys Networks Vertical Horizon Default Backdoor Account Vulnerability
  • Description: Enterasys Networks Vertical Horizon is a network switch appliance. It has a backdoor administrative account with username "tiger" and password "tiger123".
  • Ref: http://www.securityfocus.com/bid/14014

  • 05.25.61 - CVE: CAN-2005-2027
  • Platform: Network Device
  • Title: Enterasys Networks Vertical Horizon Remote Denial of Service
  • Description: Enterasys Networks Vertical Horizon is a network switch appliance. It is vulnerable to a privilege escalation issue that allows an attacker to invoke administrative commands after connecting as a guest to the administrative Telnet interface. Exploitation of this issue allows a remote attacker to deny service for other legitimate users that are connected to the switch. Enterasys Networks Vertical Horizon VH-2402S versions 02.05.00 and 02.05.09.07 are vulnerable.
  • Ref: http://www.enterasys.com/support/relnotes/VH-2402S-2050908-patch-rel.pdf

  • 05.25.62 - CVE: CAN-2005-2025
  • Platform: Network Device
  • Title: Cisco VPN Concentrator Groupname Enumeration Weakness
  • Description: The VPN Concentrator is a hardware and firmware security solution available from Cisco Systems. It is vulnerable to a remote groupname enumeration weakness due to a design error that could assist a remote attacker in enumerating groupnames and carrying out brute-force attacks. Please refer to the following link for a list of vulnerable versions.
  • Ref: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/471con3k.htm#wp560292

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.