
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 27
July 8, 2005

@RISK readers may get a free subscription to SANS Advisor, the security newsletter that offers practical tips and guidance as well as early warnings and breaking news on IT Security, Audit, Privacy. Volume 1, Number 1 is available for downloading from: www.sans.org/newsletters/advisor/ If you enjoy SANS Advisor and want to make sure you are notified when the next edition comes out, sign up at http://www.sans.org/newsletters

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    Windows                      0 (#1)
    Third Party Windows Apps     6
    Linux                        2
    BSD                          2
    Unix                         2 (#2)
    Novell                       1
    Cross Platform               5
    Web Application              31 (#3, #4)
    Network Device               1

************************ Sponsored by NetIQ ***************************
Sarbanes-Oxley IT Control Requirements Whitepaper
Get the best practices you require to maintain proper internal control frameworks as you strive to meet Sarbanes-Oxley requirements with NetIQ's free whitepaper, "Meeting Sarbanes-Oxley IT Control Requirements with NetIQ." You'll learn how to dramatically reduce your time and effort spent auditing, reporting on, and controlling essential areas such as policies, file access rights, provisioning and change control. Download this FREE whitepaper now.
http://www.netiq.com/f/form/form.asp?id=2529&origin=NS_SANS_070805
*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
BSD
Unix
Novell
Cross Platform
Web Application
Network Device

*********************** Sponsored Link *********************************

1) Secure remote access to locked-down endpoints is a challenge. FREE SSL VPNs and Lockdown Loophole White Paper. http://www.sans.org/info.php?id=814

******************** Security Training News******************************

1) SANS@HOME: Live courses with SANS' best teachers - without leaving your home or office - amazingly effective and satisfying. Hacker Techniques, Auditing, Forensics, SANS Security Essentials, Firewalls, and Windows all start within the next three weeks. Sign up today at www.sans.org

2) Save $150 on SANS Washington 2005 by signing up by Thursday http://www.sans.org/washington2005

3) SANS Network Security 2005 in New Orleans (October) just opened for registration http://www.sans.org/ns2005

Why Attend SANS Training Instead of Less Effective Courses? "SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) UPDATE: Internet Explorer javaprxy.dll Heap Overflow
  • Description: An exploit for the Internet Explorer flaw discussed in last week's issue of @RISK has been publicly posted. The flaw was rated "LOW" last week because the discoverer reported that the Microsoft team could not reproduce it at that time. Microsoft has now issued an advisory for this vulnerability. The advisory also lists workarounds describing how to disable the javaprxy.dll COM object and how to prevent this object from running in Internet Explorer. Note that even if javaprxy.dll is not installed on a user's machine, an attacker can force its download via the "codebase" attribute while instantiating this object.

  • Council Site Actions: Several of the council sites are still reviewing the workarounds from Microsoft and waiting to see if a specific patch for this problem is released next Tuesday. One site commented that their default configuration for IE included the recommended patches and workarounds. Another site has a large number of vulnerable systems, about 12,000. In some cases, the end users are manually visiting the Microsoft Download Center to obtain the registry update that disables javaprxy.dll. They have not yet made an attempt to roll out this registry update on a widespread basis, and have not yet sent a general announcement to Windows users about the vulnerability. At a minimum, the great majority of their systems will obtain an update through the public Windows Update site, or through their local SUS server, whenever Microsoft happens to release a patch for this.

  • References:
Other Software
  • (2) HIGH: Adobe Acrobat Reader UnixAppOpenFilePerform() Overflow
  • Affected:
    • Adobe Acrobat Reader for UNIX versions 5.0.9 and 5.0.10
  • Description: Adobe Acrobat Reader for UNIX systems contains an overflow in the UnixAppOpenFilePerform() function. This stack-based overflow can be triggered by a malicious PDF document containing an overlong "FileSpec" tag. A specially crafted PDF document on a webpage or in an email may exploit this overflow to execute arbitrary code on a client system with the privileges of the logged-on user. The technical details have been posted.

  • Status: Adobe advises the Linux and Solaris users to upgrade to Adobe Acrobat Reader 7.0. Adobe has also released version 5.0.11 for HP-UX and IBM-AIX users.

  • Council Site Actions: Only one of the council sites is running the affected software. They have approximately 800 workstations that are affected. They plan to obtain version 7.0 for Solaris later this month. For some Linux systems, they will allow users to choose to run either version 5.0.10 or version 7.0. They plan to discontinue support of 5.0.10 for Linux shortly.

  • References:
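The overflow described in item (2) is triggered by an overlong file name inside a PDF file specification dictionary, so a gateway or mail filter can flag such documents before a vulnerable Reader ever opens them. The following scanner is an added example written for this newsletter, not code from Adobe or from the advisory: it walks the raw bytes of a PDF, decodes the string values of every dictionary marked /Type /Filespec (literal and hex strings, including escapes and nested parentheses), and reports any file name key (/F, /UF, /DOS, /Mac, /Unix) longer than a threshold. The 256-byte threshold and the two sample objects are constructed for the example; the advisory does not state the real buffer size, so tune the limit to your own environment.

```python
import re

# Assumed threshold, constructed for this example; the advisory does not state
# the size of the stack buffer that UnixAppOpenFilePerform() overflows.
MAX_FILESPEC_LEN = 256

# Keys of a file specification dictionary that hold a file name string.
FILENAME_KEYS = {b"F", b"UF", b"DOS", b"Mac", b"Unix"}

_NAME_RE = re.compile(rb"/([^\s/\[\]()<>{}%]+)")


def _read_literal_string(data, i):
    """Decode the PDF literal string at data[i] == b'('; return (bytes, end)."""
    out, depth = bytearray(), 0
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in (b"\n", b"\r"):            # line continuation: no byte
                i += 2
                continue
            m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if m:                                 # octal escape: one byte
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
                continue
            out += nxt                            # \( \) \\ \n ...: one byte
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    return bytes(out), i                          # unterminated string


def _read_hex_string(data, i):
    """Decode the PDF hex string at data[i] == b'<'; return (bytes, end)."""
    end = data.find(b">", i + 1)
    if end == -1:
        end = len(data)
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", data[i + 1:end])
    if len(digits) % 2:
        digits += b"0"                            # PDF pads an odd final digit
    return bytes.fromhex(digits.decode("ascii")), end + 1


def _walk_dict(data, start):
    """Walk the dictionary at data[start] == b'<<'. Return its top-level names,
    the (last_key, string) pairs found at top level, and the index after '>>'.
    Nested dictionaries are skipped here; the caller scans them separately."""
    i, depth, last_key, names, pairs = start + 2, 0, None, [], []
    while i < len(data):
        two, c = data[i:i + 2], data[i:i + 1]
        if two == b"<<":
            depth, i = depth + 1, i + 2
        elif two == b">>":
            if depth == 0:
                return names, pairs, i + 2
            depth, i = depth - 1, i + 2
        elif c == b"(" or c == b"<":
            reader = _read_literal_string if c == b"(" else _read_hex_string
            s, i = reader(data, i)
            if depth == 0:
                pairs.append((last_key, s))
        elif c == b"/" and (m := _NAME_RE.match(data, i)):
            if depth == 0:
                last_key = m.group(1)
                names.append(last_key)
            i = m.end()
        else:
            i += 1
    return names, pairs, i


def find_overlong_filespecs(pdf, limit=MAX_FILESPEC_LEN):
    """Return [(offset, key, length)] for every /Filespec dictionary whose
    file name string is longer than `limit` bytes."""
    findings, i = [], 0
    while (start := pdf.find(b"<<", i)) != -1:
        names, pairs, _ = _walk_dict(pdf, start)
        if any(n.lower() == b"filespec" for n in names):
            for key, value in pairs:
                if key in FILENAME_KEYS and len(value) > limit:
                    findings.append((start, key.decode(), len(value)))
        i = start + 2                             # also visit nested dicts
    return findings


# Constructed sample objects (not real documents): a normal file specification
# and one whose /F string is far longer than any legitimate file name.
SAMPLE_BENIGN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Filespec /F (report.pdf) "
                 b"/UF <7265706F72742E706466> /EF << /F 2 0 R >> >>\nendobj\n")
SAMPLE_OVERLONG = (b"%PDF-1.4\n1 0 obj\n<< /F (" + b"A" * 600 +
                   b") /Type /Filespec >>\nendobj\n")
```

Run `find_overlong_filespecs(open(path, "rb").read())` over a quarantined sample; an empty list means no file specification exceeded the limit. Because the walker measures the decoded string rather than the raw bytes, padding the name with octal escapes or hex encoding does not shrink the reported length.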
  • (4) UPDATE: PHP XML-RPC Remote Command Execution
  • Description: Exploits for the PHP XML-RPC and PEAR XML-RPC remote command execution flaw discussed in last week's newsletter have been posted. Other software packages that use these libraries have also been identified: phpAdsNew, phpPgAds, Nucleus, eGroupware, phpGroupware, phpWiki and BLOG:CMS. Council Site Update: The affected software is not in production or widespread use.

  • References: Previous @RISK Newsletter Posting
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 27, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4402 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.27.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: McAfee IntruShield Security Management System Multiple Vulnerabilities
  • Description: McAfee IntruShield Security Management System is a management application for administering IntruShield appliances. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting issues and authorization bypass issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/14167

  • 05.27.2 - CVE: CAN-2001-0454
  • Platform: Third Party Windows Apps
  • Title: SlimServe HTTPD Directory Traversal
  • Description: SlimServe HTTPD is a web server application. It is vulnerable to directory traversal attacks, which may let an attacker read files outside of the web server root directory.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2001-02/0532.html

  • 05.27.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: PlanetFileServer Remote Buffer Overflow
  • Description: PlanetDNS PlanetFileServer is affected by a remote buffer overflow vulnerability. This issue arises because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers. PlanetFileServer Standard (BETA) is affected.
  • Ref: http://www.securityfocus.com/bid/14138

  • 05.27.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Golden FTP Server Pro Multiple Remote Vulnerabilities
  • Description: Golden FTP Server Pro is affected by multiple remote vulnerabilities. These issues arise due to insufficient sanitization of user-supplied data passed to the "LS" command. Golden FTP Server Pro version 2.60 is affected.
  • Ref: http://www.securityfocus.com/bid/14124

  • 05.27.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Hitachi Hibun Viewer Unspecified Privilege Escalation
  • Description: Hitachi Hibun is a set of packages that are designed to prevent sensitive content information leakage. Hitachi Hibun is prone to an unspecified privilege escalation vulnerability. The details of this issue are not available, however reports indicate that the issue may be leveraged through the view function of Hibun Viewer from a client computer.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS05-010_e/index-e.html

  • 05.27.6 - CVE: CAN-2005-2137
  • Platform: Third Party Windows Apps
  • Title: NateOn Messenger Directory Listing Disclosure
  • Description: NateOn is an instant messenger application. It is vulnerable to a remote disclosure directory listing issue due to an unspecified input validation error. NateOn Messenger version 3.0 is vulnerable.
  • Ref: http://secunia.com/advisories/15819/

  • 05.27.7 - CVE: Not Available
  • Platform: Linux
  • Title: Courier Mail Server Remote Denial of Service
  • Description: Courier Mail Server is an email server application. It is reported to be vulnerable to a remote denial of service issue due to improper sanitization of Sender Policy Framework (SPF) data. Courier Mail Server version 0.50 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14135

  • 05.27.8 - CVE: CAN-2005-2069
  • Platform: Linux
  • Title: PADL Software PAM_LDAP TLS Plaintext Password
  • Description: PAM_LDAP is the PAM module package designed to allow authentication with LDAP servers via PAM-compliant authentication mechanisms. It is reported to be vulnerable to a potential password disclosure issue when used with TLS. The issue presents itself when an LDAP client, having been redirected by an LDAP slave to the master, connects to the master using the same credentials but without TLS.
  • Ref: http://www.securityfocus.com/bid/14126

  • 05.27.9 - CVE: CAN-2005-2019
  • Platform: BSD
  • Title: FreeBSD IPFW Firewall Rule Bypass
  • Description: FreeBSD IPFW is a packet filtering firewall that is integrated into the operating system's kernel. FreeBSD IPFW is affected by an atomicity error that might result in erroneous lookup table matching under certain circumstances. FreeBSD IPFW version 5.4-RELEASE is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14102

  • 05.27.10 - CVE: CAN-2005-2068
  • Platform: BSD
  • Title: FreeBSD TCP Stack Established Connection Denial of Service
  • Description: FreeBSD TCP stack is affected by a remote denial of service vulnerability. This issue arises due to a design error and allows an attacker to stall a TCP connection. An attacker with knowledge of the local and remote IP addresses and port numbers for a target connection can halt the connection and ultimately force a computer to drop the connection. This type of attack will effectively deny service for a target connection.
  • Ref: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc

  • 05.27.11 - CVE: CAN-2005-1625
  • Platform: Unix
  • Title: Adobe Reader For Unix Remote Buffer Overflow
  • Description: Adobe Reader is an application for reading, navigating, and printing PDF files. It is affected by a remote buffer overflow vulnerability. This issue presents itself because the application fails to perform boundary checks in the "UnixAppOpenFilePerform" function, which is typically called when the application opens a PDF file containing a "/Filespec" tag. Adobe Reader versions 5.0.9 and 5.0.10 are affected.
  • Ref: http://www.securityfocus.com/bid/14153

  • 05.27.12 - CVE: CAN-2005-1922
  • Platform: Unix
  • Title: ClamAV MS-Expand File Parsing Remote Denial Of Service
  • Description: ClamAV is a freely available, open source virus scanning utility. A remote denial of service vulnerability affects ClamAV. This issue is due to a failure of the application to properly handle malicious file content. The problem presents itself when the affected utility attempts to process MS-Expand files that are maliciously crafted. An attacker may leverage this issue to cause the Clam Anti-Virus daemon to cease functioning correctly, leaving an affected computer open to infection by malicious code.
  • Ref: http://www.idefense.com/application/poi/display?id=276&type=vulnerabilities

  • 05.27.13 - CVE: Not Available
  • Platform: Novell
  • Title: Novell NetMail Automatic Script Execution Vulnerability
  • Description: Novell NetMail email client is prone to an input validation vulnerability. HTML and JavaScript attached to received email messages is executed automatically, when the email message is viewed. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/14171

  • 05.27.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Notes Automatic Script Execution Vulnerability
  • Description: IBM Lotus Notes email client is prone to an input validation vulnerability. HTML and JavaScript attached to received email messages is executed automatically, when the email message is viewed. A successful attack may allow the attacker to obtain Light-weight Third Party Authentication (LPTA) session cookies. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/14164

  • 05.27.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Webmatic Unspecified Vulnerabilities
  • Description: Webmatic is a system that dynamically creates a Web site. It is vulnerable to multiple unspecified security issues. Webmatic version 1.81.1 resolves these issues.
  • Ref: http://www.securityfocus.com/bid/14118

  • 05.27.16 - CVE: CAN-2005-2069
  • Platform: Cross Platform
  • Title: OpenLDAP TLS Plaintext Password Vulnerability
  • Description: OpenLDAP is a LDAP protocol implementation. It is vulnerable to a password disclosure issue when used with TLS. An attacker could sniff network traffic to obtain user credentials. OpenLDAP version 2.1.25 is vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8783

  • 05.27.17 - CVE: CAN-2005-2139
  • Platform: Cross Platform
  • Title: Pavsta Auto Site Remote File Inclusion
  • Description: Pavsta Auto File is a Web based message board. It is vulnerable to a remote file inclusion issue because input passed to the "sitepath" parameter in the "user_check.php" script is not verified. Pavsta Auto Site is vulnerable.
  • Ref: http://secunia.com/advisories/15873

  • 05.27.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Soldier Of Fortune 2 Ignore Command Denial of Service
  • Description: Soldier of Fortune 2: Double Helix is a computer game. It is reported to be vulnerable to a remote denial of service issue due to improper sanitization of the "ignore" command. Soldier of Fortune 2 versions 1.0.3 and 1.0.2 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14098

  • 05.27.19 - CVE: Not Available
  • Platform: Web Application
  • Title: News-TNK Unspecified Security Vulnerability
  • Description: News-TNK is a script to manage news on a web site. It is reportedly vulnerable to an unspecified, remotely exploitable security issue. The vendor has released a new version that addresses the issue.
  • Ref: http://www.linux-sottises.net/software/news-tnk/CHANGES

  • 05.27.20 - CVE: Not Available
  • Platform: Web Application
  • Title: QuickBlogger Comments HTML Injection
  • Description: QuickBlogger is a flatfile PHP blog script. Insufficient sanitization of the "comments" and "your name" fields exposes the application to an HTML injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/14152

  • 05.27.21 - CVE: Not Available
  • Platform: Web Application
  • Title: Plague News System Delete.PHP Access Restriction Bypass
  • Description: Plague News System is web based news management software. Plague News System is prone to an access restriction bypass vulnerability. The issue exists due to a lack of sanity checks performed by "delete.php" on deletion requests passed to the script. A specially formatted request will bypass access restrictions and allow an attacker to delete Plague News System site content. A remote attacker may exploit this issue to delete site content and deny service for legitimate users.
  • Ref: http://dark-assassins.com/forum/viewtopic.php?t=90

  • 05.27.22 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPGroupWare Addressbook Unspecified Vulnerability
  • Description: PHPGroupWare is a multi-user groupware suite. It is vulnerable to an unspecified remote vulnerability related to its addressbook. PHPGroupWare versions earlier than 0.9.16 are vulnerable.
  • Ref: http://secunia.com/advisories/15852/

  • 05.27.23 - CVE: Not Available
  • Platform: Web Application
  • Title: Geeklog User Comment Retrieval SQL Injection
  • Description: Geeklog is weblog software. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input. Geeklog version 1.3.11 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14143

  • 05.27.24 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPPGAdmin Login Form Directory Traversal
  • Description: PHPPGAdmin is a front end to PostgreSQL database administration. It is vulnerable to a directory traversal issue due to insufficient sanitization of the "formLanguage" parameter of the login form. PHPPgAdmin versions 3.5.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14142

  • 05.27.25 - CVE: Not Available
  • Platform: Web Application
  • Title: GlobalNoteScript Read.CGI Remote Command Execution
  • Description: GlobalNoteScript is a Perl application. GlobalNoteScript is affected by a remote arbitrary command execution vulnerability. GlobalNoteScript versions 4.20 and earlier are known to be vulnerable.
  • Ref: http://zone-h.org/advisories/read/id=7765

  • 05.27.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Quick & Dirty PHPSource Printer Directory Traversal
  • Description: Quick & Dirty PHPSource Printer is a PHP application for printing PHP source code. It is affected by a directory traversal vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. A remote unauthorized user can disclose the contents of arbitrary local files through the use of directory traversal strings "../". Quick & Dirty PHPSource Printer version 1.1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14147

  • 05.27.27 - CVE: Not Available
  • Platform: Web Application
  • Title: RaXnet Cacti Config.PHP Design Error
  • Description: RaXnet Cacti is a front-end to RRDTool. A design error affects Cacti that can allow an attacker to prevent "session_start()" and "addslashes()" from being called. A remote attacker may exploit these issues to gain administrative access to the affected software. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/14130

  • 05.27.28 - CVE: Not Available
  • Platform: Web Application
  • Title: EasyPHPCalendar Multiple Remote File Include Vulnerabilities
  • Description: EasyPHPCalendar is a web calendar application. It has multiple remote file include vulnerabilities. An attacker may leverage any of these issues to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access. EasyPHPCalendar version 6.1.5 is reported to be vulnerable.
  • Ref: http://www.albaniafuckgreece.org/adviso/easyphpcalendar.txt

  • 05.27.29 - CVE: Not Available
  • Platform: Web Application
  • Title: NaboPoll Remote File Include
  • Description: NaboPoll is a web voting and survey system. Insufficient sanitization of the "path" variable in the "survey.in.php" script exposes the application to a remote file include issue. NaboPoll versions 1.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14134

  • 05.27.30 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNews News.PHP SQL Injection
  • Description: PHPNews is a news application. It is vulnerable to an SQL injection issue due to a failure of the application to properly sanitize user-supplied input prior to utilizing it in an SQL query in the "news.php" script. An attacker may exploit this issue to manipulate and inject SQL queries into the underlying database. PHPNews versions earlier than 1.2.6 are vulnerable to this issue.
  • Ref: http://sourceforge.net/project/shownotes.php?group_id=66322&release_id=339317

  • 05.27.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Plague News System CID Parameter Cross Site Scripting
  • Description: Plague News System is a web-based news management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "cid" parameter of the "index.php" script. FrozenPlague Plague News System versions 0.7 and earlier are vulnerable.
  • Ref: http://dark-assassins.com/forum/viewtopic.php?t=90

  • 05.27.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Plague News System CID Parameter SQL Injection
  • Description: Plague News System is a web-based news management software. Plague News System is affected by an SQL injection vulnerability. Plague News System version 0.7 is known to be vulnerable.
  • Ref: http://dark-assassins.com/forum/viewtopic.php?t=90

  • 05.27.33 - CVE: CAN-2005-1437
  • Platform: Web Application
  • Title: osTicket Multiple Input Validation Vulnerabilities
  • Description: osTicket is an open source support ticket system. It is vulnerable to multiple input validation issues such as insufficient sanitization of user supplied data to the "ticket" variable of the "class.ticket.php" script. osTicket versions 1.3.1 beta and earlier are vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00071-05022005

  • 05.27.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Open Source MosDBTable Class Unspecified Vulnerability
  • Description: Mambo is an Open Source web-based content management system written in PHP. Mambo is affected by an unspecified vulnerability pertaining to the bind method in the Mambo mosDBTable class. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/14120

  • 05.27.35 - CVE: Not Available
  • Platform: Web Application
  • Title: RaXnet Cacti Input Filter Multiple SQL Injection Vulnerabilities
  • Description: RaXnet Cacti is a complete front-end to RRDTool. It is implemented in PHP and employs an SQL back end database. Cacti is prone to multiple SQL injection vulnerabilities. These issues are due to a bug in the input filters that lead to a failure in the application to properly sanitize user-supplied input, before using it in SQL queries. These vulnerabilities could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
  • Ref: http://www.hardened-php.net/advisory-032005.php

  • 05.27.36 - CVE: Not Available
  • Platform: Web Application
  • Title: RaXnet Cacti Remote Command Execution Variant
  • Description: RaXnet Cacti is a complete front-end to RRDTool. It has a remote command execution vulnerability that exists in the "graph_image.php" script. If successfully exploited this issue allows attackers to execute arbitrary commands in the context of the server.
  • Ref: http://www.hardened-php.net/advisory-042005.php

  • 05.27.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Open Source Session ID Spoofing
  • Description: Mambo is an open source web-based content management system. Mambo is prone to a session ID spoofing vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. This results in a loss of integrity and possibly confidentiality. The vendor has addressed this issue in Mambo 4.5.2.2 and later; earlier versions are reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/14119

  • 05.27.38 - CVE: Not Available
  • Platform: Web Application
  • Title: TikiWiki Cross Site Scripting
  • Description: TikiWiki is a web-based content management system. A vulnerability exists that allows an attacker to perform cross-site scripting attacks on the "tiki-error.php" script. This may facilitate the theft of cookie-based authentication credentials.
  • Ref: http://www.securityfocus.com/bid/14121

  • 05.27.39 - CVE: CAN-2005-2002
  • Platform: Web Application
  • Title: Mambo Open Source Multiple Unspecified Injection Vulnerabilities
  • Description: Mambo is an open source web-based content management system. Mambo is affected by multiple unspecified injection vulnerabilities. Mambo versions 4.5.2.1 and earlier are known to be vulnerable.
  • Ref: http://help.mamboserver.com/index.php?option=com_content&task=view&id=706&Itemid=88

  • 05.27.40 - CVE: CAN-2005-2138
  • Platform: Web Application
  • Title: Comdev eCommerce Review Form HTML Injection
  • Description: Comdev eCommerce is a web-based ordering system. It is vulnerable to an HTML injection vulnerability. This is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. An attacker could exploit this issue to steal cookie-based authentication credentials and other attacks. Comdev eCommerce versions 3.0 and 3.1 are vulnerable.
  • Ref: http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=64

  • 05.27.41 - CVE: CAN-2003-0509
  • Platform: Web Application
  • Title: CyberStrong eShop 10expand.ASP SQL Injection
  • Description: CyberStrong eShop is a web-based shopping system written in ASP. CyberStrong eShop is affected by an SQL injection vulnerability. CyberStrong eShop version 4.2 is known to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-07/0006.html

  • 05.27.42 - CVE: Not Available
  • Platform: Web Application
  • Title: CyberStrong EShop 10browse.ASP SQL Injection
  • Description: CyberStrong eShop is a web-based shopping system. It has an SQL injection vulnerability. This can be used to compromise the backend database.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2003-07/0006.html

  • 05.27.43 - CVE: Not Available
  • Platform: Web Application
  • Title: FSboard Directory Traversal Vulnerability
  • Description: FSboard is a web-based bulletin board. Insufficient sanitization of the "filename" parameter of the "default.asp" script exposes the application to a directory traversal issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/14095

  • 05.27.44 - CVE: CAN-2005-2106
  • Platform: Web Application
  • Title: Drupal Arbitrary PHP Code Execution
  • Description: Drupal is a content management system. It is vulnerable to an issue that permits the execution of arbitrary PHP code. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may exploit this issue to run arbitrary code in the context of the Web server process. Drupal versions earlier than 4.6.2 and 4.5.4 are vulnerable.
  • Ref: http://drupal.org/drupal-4.6.2

  • 05.27.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Content Management System SQL Injection
  • Description: Mambo is a web-based content management system. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of the "username" parameter in the "mambo.php" script. Mambo versions 4.5.1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14115

  • 05.27.46 - CVE: Not Available
  • Platform: Web Application
  • Title: YaPig Password Protected Directory Access Vulnerability
  • Description: YaPig provides a user with a method of displaying an image gallery on the Web. Malicious users may view the HTML source generated by the application to obtain the directory path to other users' image galleries.
  • Ref: http://www.securityfocus.com/bid/14099

  • 05.27.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Xoops Multiple Cross-Site Scripting Vulnerabilities
  • Description: Xoops has multiple cross-site scripting vulnerabilities. This may facilitate the theft of cookie-based authentication credentials. Xoops versions prior to version 2.0.12 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/401987

  • 05.27.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Phorum Read.PHP SQL Injection
  • Description: Phorum is a web-based content management system. Insufficient sanitization of user-supplied input in the "read.php" script exposes the application to an SQL injection issue. Phorum versions 5.0.11 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14095

  • 05.27.49 - CVE: CAN-2005-2111
  • Platform: Web Application
  • Title: Community Link Pro Login.CGI Remote Command Execution
  • Description: Community Link Pro is a web-based application. It is vulnerable to a remote arbitrary command execution issue due to insufficient sanitization of user-supplied data. An attacker could exploit this issue to run arbitrary commands in the context of the server. All current versions of Community Link Pro are vulnerable.
  • Ref: http://secunia.com/advisories/15880

  • 05.27.50 - CVE: CAN-2005-2105
  • Platform: Network Device
  • Title: Cisco IOS AAA RADIUS Authentication Bypass
  • Description: Cisco IOS Remote Authentication Dial In User Service (RADIUS) is vulnerable to a remote authentication bypass issue when the fallback method is set to "none", via a long username. Cisco IOS versions 12.2T through 12.4 are vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
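The entry above ties the bypass to one configuration condition: RADIUS authentication with "none" as the fallback method. The fragment below is an added example, not taken from the Cisco advisory or from the page, showing that weak method list next to a hardened one. The command syntax is standard IOS AAA configuration; the account name and secret are placeholders, and upgrading to a fixed IOS release remains the vendor's remedy for the flaw itself.

```text
! Weak method list (constructed example): if RADIUS processing fails, the
! "none" method lets the login succeed with no authentication at all.
aaa new-model
aaa authentication login default group radius none

! Hardened method list: fall back to a local account instead of "none", so a
! failed or errored RADIUS exchange still requires a valid credential.
aaa new-model
aaa authentication login default group radius local
username <local-admin> privilege 15 secret <placeholder-strong-secret>
```

On a device that must keep "none" for console recovery, confine it to a method list bound only to the console line rather than the default list that VTY and HTTP logins use.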

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.