
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 29
July 22, 2005

Unpatched flaws reported in both Internet Explorer and Oracle this week. (#1 and #2 below). There's a workaround for the Oracle flaw; Firefox may be the workaround for the IE flaw. Plus more reason to ensure your Cisco Call Manager is patched (#7). Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    Windows                      1 (#3, #6)
    Other Microsoft Products     3 (#1)
    Third Party Windows Apps     11 (#4, #7)
    Mac Os                       1
    Linux                        2
    Unix                         2
    Cross Platform               18 (#2, #5)
    Web Application              32
    Hardware                     1

******************** Security Training News******************************

1) SANS@HOME: Live courses with SANS best teachers - without leaving your home or office - amazingly effective and satisfying. Hacker Techniques, Auditing, Forensics, SANS Security Essentials, and Firewalls all start within the next week or two. Sign up today at www.sans.org

2) SANS Network Security 2005 in New Orleans (October) just opened for registration http://www.sans.org/ns2005

3) SANS Silicon Valley (September) just opened for registration. 12 tracks and a vendor exposition. http://www.sans.org/siliconvalley2005/

Why Attend SANS Training Instead of Less Effective Courses? "SANS reminds me of 'The Matrix'. You can take the blue pill and go on happily thinking your network is safe, or you can take the red pill and find out what the computer world is really like. This class is the red pill, and if it doesn't drive you insane in the process, you will leave better prepared to handle the real world of security." (Shawn Wenzel, Par Pharmaceutical)

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Unix
Cross Platform
Web Application
Hardware

************************* SPONSORED LINK ********************************

1) Twelve Intrusion Prevention Systems (IPS) are tested and evaluated. Find out which one is selected as the SC Magazine "Best Buy"? http://www.sans.org/info.php?id=833

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
Other Software
  • (4) HIGH: Nullsoft Winamp ID3v2 Buffer Overflow
  • Affected:
    • Winamp versions 5.03a, 5.09 and 5.091
  • Description: Winamp, a popular media player, contains a buffer overflow in its MP3 handling. The overflow is triggered by an MP3 file carrying an overlong ID3v2 tag, such as "ARTIST" or "TITLE", and can be exploited to execute arbitrary code on the client system. The researcher reports that although an internal check in the program makes the flaw difficult to exploit, he was able to execute code on Windows 2000 SP0 and Windows XP systems. Technical details are included in the discoverer's posting.

  • Status: The vendor is expected to release a fixed version soon.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) HIGH: Sybase EAServer Buffer Overflow
  • Affected:
    • Sybase EAServer versions 5.2 and prior
  • Description: Sybase EAServer is an application server for running business-critical applications. It contains a stack-based overflow that can be triggered by passing an overlong parameter to the "TreeAction.do" script and exploited to execute arbitrary code with the privileges of the "jagserv" process. The script requires authentication; however, default installations of EAServer leave the "jagadmin" user with a blank password, so that requirement is easily met.

  • Status: Sybase has confirmed the flaw and released patches. Administrators should also set a password for the jagadmin user if they have not done so since installation.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 29, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4430 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.29.1 - CVE: Not Available
  • Platform: Windows
  • Title: Windows Kernel Unspecified Remote Denial of Service
  • Description: An unspecified remote denial of service vulnerability has been reported in the kernel for Microsoft Windows which could permit a remote attacker to crash the system. Microsoft Windows XP SP2 with the firewall enabled is known to be vulnerable. Other versions of Windows may also be affected.
  • Ref: http://security-protocols.com/modules.php?name=News&file=article&sid=2783

  • 05.29.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: MSN Messenger and Internet Explorer Image ICC Profile Processing Vulnerability
  • Description: ICC (International Color Consortium) profiles are data tables that facilitate color calibration when displaying or printing image data. Microsoft Internet Explorer and MSN Messenger crash when they process image data with a malformed embedded ICC profile; the crash occurs when the profile's "Tag Count" field is set to 0xFFFFFFFF. See the reference link for details.
  • Ref: http://www.securityfocus.com/archive/1/405377
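Added example, not code from the bulletin or from Microsoft: a small ICC tag-table parser in C, fed a constructed 132-byte profile that declares 0xFFFFFFFF tags. It shows why that value is dangerous when a parser multiplies the untrusted count before checking it, and the overflow-safe check that rejects it. The profile builder, the function names and the "every tag points at the header" layout are assumptions for illustration; the 128-byte header, the 4-byte tag count and the 12-byte tag entries are the ICC profile format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICC_HEADER_LEN    128u   /* fixed ICC header */
#define ICC_TAG_ENTRY_LEN 12u    /* signature, offset, size: 4 bytes each */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Vulnerable check: the needed length is computed in 32 bits AFTER multiplying
 * by the untrusted count. 0xFFFFFFFF * 12 + 132 wraps to 120, so a 132-byte
 * profile passes and the parser would then walk ~48 GB of entries past the end
 * of the buffer. Returns the count it would iterate, or -1 if rejected. */
int64_t icc_tag_count_vulnerable(const uint8_t *buf, size_t len) {
    if (len < ICC_HEADER_LEN + 4) return -1;
    uint32_t count = be32(buf + ICC_HEADER_LEN);
    uint32_t need = ICC_HEADER_LEN + 4 + count * ICC_TAG_ENTRY_LEN;  /* wraps */
    if (need > len) return -1;
    return (int64_t)count;
}

/* Hardened check: bound the count by what the buffer can actually hold before
 * doing any arithmetic with it, then verify each entry's (offset, size) stays
 * inside the buffer using a subtraction that cannot overflow. */
int64_t icc_tag_count_checked(const uint8_t *buf, size_t len) {
    if (len < ICC_HEADER_LEN + 4) return -1;
    uint32_t count = be32(buf + ICC_HEADER_LEN);
    size_t room = (len - ICC_HEADER_LEN - 4) / ICC_TAG_ENTRY_LEN;
    if (count > room) return -1;                  /* no multiply, no wrap */
    const uint8_t *e = buf + ICC_HEADER_LEN + 4;
    for (uint32_t i = 0; i < count; i++, e += ICC_TAG_ENTRY_LEN) {
        uint32_t off = be32(e + 4), size = be32(e + 8);
        if (off > len || size > len - off) return -1;  /* off + size <= len */
    }
    return (int64_t)count;
}

/* Constructed profile: zeroed header with the 'acsp' magic, a tag count of
 * `declared`, and `present` real 12-byte entries that each point at the header. */
size_t icc_build(uint8_t *out, size_t cap, uint32_t declared, uint32_t present) {
    size_t n = ICC_HEADER_LEN + 4 + (size_t)present * ICC_TAG_ENTRY_LEN;
    if (n > cap) return 0;
    memset(out, 0, n);
    put_be32(out, (uint32_t)n);                 /* profile size field */
    memcpy(out + 36, "acsp", 4);                /* profile file signature */
    put_be32(out + ICC_HEADER_LEN, declared);
    for (uint32_t i = 0; i < present; i++) {
        uint8_t *e = out + ICC_HEADER_LEN + 4 + i * ICC_TAG_ENTRY_LEN;
        memcpy(e, "desc", 4);
        put_be32(e + 4, 0);                     /* offset */
        put_be32(e + 8, 16);                    /* size */
    }
    return n;
}

/* The malicious case from the advisory: Tag Count = 0xFFFFFFFF, no entries. */
int64_t icc_demo_malicious(int hardened) {
    uint8_t p[256];
    size_t n = icc_build(p, sizeof p, 0xFFFFFFFFu, 0);
    return hardened ? icc_tag_count_checked(p, n) : icc_tag_count_vulnerable(p, n);
}

/* A well-formed two-tag profile still parses under the hardened check. */
int64_t icc_demo_valid(void) {
    uint8_t p[256];
    size_t n = icc_build(p, sizeof p, 2, 2);
    return icc_tag_count_checked(p, n);
}

int main(void) {
    printf("vulnerable check accepts count: %lld\n", (long long)icc_demo_malicious(0));
    printf("hardened check result:          %lld\n", (long long)icc_demo_malicious(1));
    printf("valid profile tags:             %lld\n", (long long)icc_demo_valid());
    return 0;
}
```

The point of the hardened version is the order of operations: divide the remaining buffer by the entry size first, then compare the count against that, so no product of attacker-controlled values is ever formed.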

  • 05.29.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer JPEG Image Rendering Denial of Service
  • Description: Microsoft Internet Explorer includes support for rendering images of JPEG format. It is reported to be vulnerable to an unspecified denial of service issue. Internet Explorer 6 SP2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405298

  • 05.29.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Rendering Memory Consumption Denial of Service
  • Description: Microsoft Internet Explorer is vulnerable to an unspecified denial of service issue when the JPEG image rendering library is used. Microsoft Internet Explorer version 6 SP2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405298

  • 05.29.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Alt-N MDaemon IMAP Server CREATE Remote Buffer Overflow
  • Description: Alt-N MDaemon is a Windows-based mail server product. Its IMAP Server is affected by a remote buffer overflow vulnerability caused by failure to do boundary checks on user-supplied data to the "CREATE" command. Alt-N MDaemon versions 8.03 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14315

  • 05.29.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Alt-N MDaemon IMAP Server Authentication Remote Buffer Overflow
  • Description: Alt-N MDaemon IMAP Server is affected by a remote buffer overflow issue due to the application failing to perform boundary checks prior to copying user-supplied data into sensitive process buffers. Alt-N MDaemon version 8.03 is affected.
  • Ref: http://www.securityfocus.com/bid/14317/info

  • 05.29.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SmarterTools SmarterMail Cross-Site Scripting
  • Description: SmarterTools SmarterMail is a web-based email server. A cross-site scripting vulnerability has been identified due to insufficient sanitization of user-supplied data in the "frmCompose.aspx" script. SmarterMail versions 1.61 and prior have been reported to be prone to this issue.
  • Ref: http://www.securityfocus.com/bid/9805

  • - CVE: CAN-2005-2219, CAN-2005-2077
  • Platform: Third Party Windows Apps
  • Title: Hosting Controller Multiple Remote Vulnerabilities
  • Description: Hosting Controller is an application that consolidates all hosting tasks into one interface. It is vulnerable to multiple issues that could allow an attacker to carry out SQL injection, gain unauthorized access to scripts, gain elevated privileges, and potentially cause a denial of service. Hosting Controller version 6.1 hotfix 2.1 is vulnerable to these issues.
  • Ref: http://marc.theaimsgroup.com/?l=bugtraq&m=111997456519685&w=2

  • 05.29.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Internet Explorer JPEG Image Rendering Denial of Service
  • Description: Microsoft Internet Explorer includes support for rendering images of JPEG (Joint Photographic Experts Group) format. Microsoft Internet Explorer is affected by an unspecified denial of service vulnerability in the JPEG image rendering library used by the browser. Internet Explorer versions 6 SP2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405298

  • 05.29.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Winamp Malformed ID3v2 Tag Buffer Overflow
  • Description: Nullsoft Winamp is a media player. It is vulnerable to a buffer overflow due to insufficient boundary checking before copying overly long ID3v2 tags into a fixed-size memory buffer. Nullsoft Winamp versions 5.03a, 5.09, and 5.091 are vulnerable.
  • Ref: http://security.lss.hr/index.php?page=details&ID=LSS-2005-07-14
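Added example covering this entry and item (4) in Part I; it is not code from the bulletin, from Nullsoft or from the LSS advisory. It is a minimal ID3v2.3 frame walker in C that locates the TIT2 (title) frame, beside the two copy policies that matter here: the unbounded copy of the frame text into a fixed 64-byte buffer, and a clamped, NUL-terminated copy. A constructed tag with a 200-byte title drives both. The 64-byte destination, the function names and the tag builder are assumptions; the "ID3" header, the syncsafe size and the 10-byte frame header are the ID3v2.3 layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TITLE_CAP 64   /* assumed fixed-size destination, like the player's */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
/* ID3v2 tag size is "syncsafe": four bytes carrying seven bits each. */
static uint32_t syncsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Walk the ID3v2.3 frames and locate frame `id` (e.g. "TIT2"). Returns a
 * pointer to the frame payload and sets *size, or NULL. Every step is
 * bounds-checked so the walker itself cannot read past `len`. */
const uint8_t *id3v2_find_frame(const uint8_t *buf, size_t len,
                                const char *id, uint32_t *size) {
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return NULL;
    size_t tag_end = 10 + syncsafe(buf + 6);
    if (tag_end > len) tag_end = len;             /* truncated tag: clamp */
    size_t pos = 10;
    while (pos + 10 <= tag_end) {
        const uint8_t *f = buf + pos;
        if (f[0] == 0) break;                     /* padding reached */
        uint32_t fsize = be32(f + 4);             /* v2.3: plain big-endian */
        if (fsize > tag_end - pos - 10) return NULL;  /* frame overruns tag */
        if (memcmp(f, id, 4) == 0) { *size = fsize; return f + 10; }
        pos += 10 + fsize;
    }
    return NULL;
}

/* Vulnerable policy: copy length is "frame size minus the encoding byte" with
 * no comparison against the destination. Returns the byte count that would be
 * memcpy'd into a TITLE_CAP buffer; anything above TITLE_CAP - 1 is the overflow. */
size_t id3_title_copy_len_vulnerable(const uint8_t *buf, size_t len) {
    uint32_t sz;
    const uint8_t *d = id3v2_find_frame(buf, len, "TIT2", &sz);
    if (!d || sz < 1) return 0;
    return sz - 1;      /* memcpy(title, d + 1, sz - 1) would follow */
}

/* Hardened policy: clamp to the destination and always NUL-terminate. */
size_t id3_title_copy_checked(const uint8_t *buf, size_t len, char out[TITLE_CAP]) {
    uint32_t sz;
    const uint8_t *d = id3v2_find_frame(buf, len, "TIT2", &sz);
    out[0] = 0;
    if (!d || sz < 1) return 0;
    size_t n = sz - 1;
    if (n > TITLE_CAP - 1) n = TITLE_CAP - 1;
    memcpy(out, d + 1, n);
    out[n] = 0;
    return n;
}

/* Constructed ID3v2.3 tag with one TIT2 frame whose text is `n` bytes of 'A'. */
size_t id3_build(uint8_t *out, size_t cap, size_t n) {
    size_t frame = 10 + 1 + n, total = 10 + frame;
    if (total > cap || frame > 0x0FFFFFFF) return 0;
    memcpy(out, "ID3\x03\x00\x00", 6);          /* magic, version 2.3, flags */
    uint32_t body = (uint32_t)frame;
    out[6] = (uint8_t)((body >> 21) & 0x7f); out[7] = (uint8_t)((body >> 14) & 0x7f);
    out[8] = (uint8_t)((body >> 7) & 0x7f);  out[9] = (uint8_t)(body & 0x7f);
    memcpy(out + 10, "TIT2", 4);
    uint32_t fsize = (uint32_t)(1 + n);
    out[14] = (uint8_t)(fsize >> 24); out[15] = (uint8_t)(fsize >> 16);
    out[16] = (uint8_t)(fsize >> 8);  out[17] = (uint8_t)fsize;
    out[18] = out[19] = 0;                       /* frame flags */
    out[20] = 0;                                 /* text encoding: ISO-8859-1 */
    memset(out + 21, 'A', n);
    return total;
}

/* Drive both policies with a 200-byte title. */
size_t id3_demo_len(int hardened) {
    uint8_t tag[512]; char title[TITLE_CAP];
    size_t n = id3_build(tag, sizeof tag, 200);
    return hardened ? id3_title_copy_checked(tag, n, title)
                    : id3_title_copy_len_vulnerable(tag, n);
}

int main(void) {
    printf("vulnerable copy length: %zu (destination holds %d)\n", id3_demo_len(0), TITLE_CAP);
    printf("checked copy length:    %zu\n", id3_demo_len(1));
    return 0;
}
```

The frame walker is written to be safe on its own (frame size checked against the remaining tag), because the overflow reported here is in the copy into the fixed buffer, not in the walk; a parser needs both checks.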

  • 05.29.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DG Remote Control Server Remote Denial of Service
  • Description: DG Remote Control Server is used to manage Microsoft Windows computers from a remote location. DG Remote Control Server is affected by a remote denial of service vulnerability. DG Remote Control Server versions 1.6.2 and earlier are known to be vulnerable.
  • Ref: http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=72

  • 05.29.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Cisco CallManager Multiple Failed Logins Remote Denial of Service
  • Description: Cisco CallManager is the software-based call processing component of the Cisco IP Telephony solution. It is reported to be vulnerable to a denial of service when MLA (Multi Level Admin) is enabled, due to a small memory leak on each failed login attempt. Cisco CallManager versions 4.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14253

  • 05.29.13 - CVE: CAN-2005-2244
  • Platform: Third Party Windows Apps
  • Title: Cisco CallManager AUPair Service Heap Buffer Overflow
  • Description: Cisco CallManager is an application-based call processing component of the Cisco IP Telephony solution. The CallManager aupair service is vulnerable to an unspecified remote buffer overflow due to insufficient boundary checking of user-supplied data. Cisco CallManager versions 3.3(3)ES61 and above are not vulnerable.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a00804c0c26.shtml

  • 05.29.14 - CVE: CAN-2005-2242
  • Platform: Third Party Windows Apps
  • Title: Cisco CallManager CTI Remote Denial of Service
  • Description: Cisco CallManager is a call processing component of the IP Telephony solution. It is affected by a denial of service issue: when the "ctimgr.exe" process receives malformed network data, it may restart after using more than one gigabyte of memory. See the Cisco advisory linked below for details.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a00804c0c26.shtml

  • 05.29.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Cisco CallManager CCM.EXE Remote Denial of Service
  • Description: Cisco CallManager is vulnerable to a remote denial of service caused by excessive memory consumption that can be triggered with network packets. An attacker could exploit this to restart the service remotely, denying service to legitimate users. Refer to the link below for a list of vulnerable versions.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a00804c0c26.shtml

  • 05.29.16 - CVE: CAN-2005-2196
  • Platform: Mac Os
  • Title: Apple Mac OS X AirPort Card Automatic Network Association Vulnerability
  • Description: Apple Mac OS X is affected by a vulnerability that may cause a computer to connect to a potentially malicious network without prior notification. This issue arises due to a design error. Apple Mac OS X versions 10.4.1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8901

  • 05.29.17 - CVE: CAN-2005-1851
  • Platform: Linux
  • Title: EKG Unspecified Command Execution
  • Description: EKG is a console Gadu Gadu client. It is vulnerable to an unspecified command execution vulnerability. EKG version 2005-04-11 is vulnerable.
  • Ref: http://www.debian.org/security/2005/dsa-760

  • 05.29.18 - CVE: Not Available
  • Platform: Linux
  • Title: Shorewall MACLIST Firewall Rules Bypass
  • Description: Shorewall is a high-level tool for configuring Netfilter. It is susceptible to a firewall rule bypass vulnerability caused by a faulty implementation of MAC address-based filtering. This issue arises when "MACLIST_TTL" is greater than 0, or "MACLIST_DISPOSITION" is configured as "ACCEPT". This vulnerability allows attackers to bypass firewall rules, letting them attack protected services and computers. Shorewall versions 2.4.1 and earlier are affected.
  • Ref: http://shorewall.net/News.htm#20050717
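The two settings named above, as an added illustration that is not from the Shorewall release note: the first fragment is a shorewall.conf combination that exercises the affected code paths, the second avoids both of them (TTL caching disabled, non-matching hosts dropped). The value 60 is an arbitrary example and DROP is one of the documented dispositions; whether these settings are sufficient on their own, and which release fixes the bug, is stated in the linked release note.

```ini
# shorewall.conf: combination that triggers the MACLIST bypass
MACLIST_TTL=60
MACLIST_DISPOSITION=ACCEPT

# shorewall.conf: settings that stay clear of the affected code paths
MACLIST_TTL=0
MACLIST_DISPOSITION=DROP
```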

  • 05.29.19 - CVE: Not Available
  • Platform: Unix
  • Title: BitDefender Antivirus and Antispam Scan Evasion
  • Description: BitDefender Antivirus and Antispam for Mail Servers is vulnerable to an antivirus scan evasion issue. The application only scans the first UUencoded attachment in an email that contains multiple attachments. BitDefender Antivirus and Antispam for Linux and FreeBSD Mail Servers versions 1.6.1 and earlier are vulnerable.
  • Ref: http://secunia.com/advisories/16085/
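Added example, not BitDefender's code: a scanner-side enumerator in C that walks an entire message body and reports every uuencoded block, which is exactly what the affected product stops doing after the first one. The message is constructed inline and its attachment bodies are filler rather than real encoded data; function names are assumptions. The only format facts used are that a uuencoded block starts with a "begin <octal mode> <name>" line and finishes with a line reading "end".

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_ATT 8
#define NAME_CAP 64

typedef struct { char name[NAME_CAP]; size_t start, end; } uu_att;

/* Is `line` (length n, no newline) a uuencode header "begin <octal mode> <name>"? */
static int uu_is_begin(const char *line, size_t n, char *name, size_t cap) {
    if (n < 8 || memcmp(line, "begin ", 6) != 0) return 0;
    size_t i = 6;
    if (line[i] < '0' || line[i] > '7') return 0;
    while (i < n && line[i] >= '0' && line[i] <= '7') i++;
    if (i >= n || line[i] != ' ') return 0;
    i++;
    size_t len = n - i;
    if (len == 0 || len >= cap) return 0;
    memcpy(name, line + i, len);
    name[len] = 0;
    return 1;
}

/* Enumerate every uuencoded block in msg. A scanner that returns after the
 * first "end" misses everything that follows; this one keeps walking so each
 * block can be handed to the engine. Returns the number of blocks found. */
int uu_find_all(const char *msg, size_t len, uu_att *out, int cap) {
    int n = 0, inside = 0;
    size_t pos = 0;
    while (pos < len) {
        const char *line = msg + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t ll = nl ? (size_t)(nl - line) : len - pos;
        size_t adv = ll + (nl ? 1 : 0);
        if (ll && line[ll - 1] == '\r') ll--;     /* tolerate CRLF */
        if (!inside) {
            if (n < cap && uu_is_begin(line, ll, out[n].name, NAME_CAP)) {
                out[n].start = pos;
                inside = 1;
            }
        } else if (ll == 3 && memcmp(line, "end", 3) == 0) {
            out[n].end = pos + ll;
            n++;
            inside = 0;
        }
        pos += adv;
    }
    return n;
}

/* Constructed message: two uuencoded attachments; the bodies are filler. */
static const char SAMPLE[] =
    "From: sender@example.com\n"
    "Subject: two attachments\n"
    "\n"
    "begin 644 readme.txt\n"
    "M(&9I;&QE<B!L:6YE(&]N92P@;F]T(')E86P@9&%T80``\n"
    "`\n"
    "end\n"
    "\n"
    "begin 644 payload.exe\n"
    "M35I0``T`4&QA8V5H;VQD97(@9FEL;&5R(&QI;F4`\n"
    "`\n"
    "end\n";

static uu_att found[MAX_ATT];

/* Run the enumerator over SAMPLE; returns the attachment count. */
int uu_demo_count(void) {
    return uu_find_all(SAMPLE, sizeof SAMPLE - 1, found, MAX_ATT);
}
/* Name of the i-th attachment found in SAMPLE ("" if out of range). */
const char *uu_demo_name(int i) {
    if (i < 0 || i >= uu_demo_count()) return "";
    return found[i].name;
}

int main(void) {
    int n = uu_demo_count();
    for (int i = 0; i < n; i++)
        printf("attachment %d: %s (bytes %zu..%zu)\n",
               i + 1, found[i].name, found[i].start, found[i].end);
    return 0;
}
```

A gateway scanner that only inspects the first block is also exposed to a decoy: a benign first attachment followed by the real payload. Enumerating all blocks and scanning each is the straightforward fix.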

  • 05.29.20 - CVE: CAN-2004-2154
  • Platform: Unix
  • Title: Easy Software Products CUPS Access Control List Bypass
  • Description: CUPS, the Common UNIX Printing System, is a set of printing utilities for UNIX-based systems. It is susceptible to an ACL bypass due to a faulty case-sensitive comparison when matching incoming print requests against the configured ACLs. If an administrator has configured a printer named "Example" and an attacker sends a print job to "example", the ACL for "Example" is ignored. This allows attackers to bypass configured ACLs and submit jobs to printers they are not permitted to use. Easy Software Products CUPS versions 1.1.20 and earlier are vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2005-571.html
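Added example, not CUPS code: a C model of the bug class in this entry. The daemon resolves the destination name case-insensitively, but the ACL table is keyed by the exact spelling the administrator typed, so a request for "example" resolves to the printer "Example" while finding no ACL entry for it. The fixed lookup resolves to the canonical spelling first and looks the ACL up under that. Printer names, networks and the prefix-string network match are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

typedef struct { const char *printer; const char *allow_prefix; } acl_entry;

/* Constructed configuration: two printers, one ACL. Only hosts whose address
 * starts with "10." may print to "Example"; "Finance" has no ACL. */
static const char *const PRINTERS[] = { "Example", "Finance" };
static const acl_entry ACL[] = { { "Example", "10." } };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static int eq_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Destination lookup as the daemon does it: case-insensitive, returning the
 * canonical (configured) spelling or NULL if no such printer exists. */
const char *resolve_printer(const char *requested) {
    for (size_t i = 0; i < COUNT(PRINTERS); i++)
        if (eq_ci(PRINTERS[i], requested)) return PRINTERS[i];
    return NULL;
}

/* ACL table lookup keyed by exact spelling. Returns the entry or NULL. */
static const acl_entry *acl_find(const char *name) {
    for (size_t i = 0; i < COUNT(ACL); i++)
        if (strcmp(ACL[i].printer, name) == 0) return &ACL[i];
    return NULL;
}

/* Policy shared by both versions: an ACL, if present, must match the source;
 * a printer with no ACL is open to everyone (the daemon's default). */
static int acl_permits(const acl_entry *e, const char *src) {
    return e == NULL || strncmp(src, e->allow_prefix, strlen(e->allow_prefix)) == 0;
}

/* Vulnerable: the ACL is looked up under the name exactly as the client sent
 * it. "example" resolves to a real printer, but acl_find("example") is NULL,
 * so the request is treated as if no ACL existed. */
int may_print_vulnerable(const char *requested, const char *src) {
    if (resolve_printer(requested) == NULL) return 0;
    return acl_permits(acl_find(requested), src);
}

/* Fixed: resolve first, then look the ACL up under the canonical spelling. */
int may_print_checked(const char *requested, const char *src) {
    const char *canon = resolve_printer(requested);
    if (canon == NULL) return 0;
    return acl_permits(acl_find(canon), src);
}

int main(void) {
    printf("vulnerable Example from 192.168.1.5: %d\n", may_print_vulnerable("Example", "192.168.1.5"));
    printf("vulnerable example from 192.168.1.5: %d\n", may_print_vulnerable("example", "192.168.1.5"));
    printf("checked    example from 192.168.1.5: %d\n", may_print_checked("example", "192.168.1.5"));
    printf("checked    EXAMPLE from 10.2.3.4:    %d\n", may_print_checked("EXAMPLE", "10.2.3.4"));
    return 0;
}
```

The general lesson is that any two code paths that identify the same object (name resolution and policy lookup here) must canonicalize identically, otherwise the looser one becomes the bypass.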

  • 05.29.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox Weak Authentication Mechanism
  • Description: Mozilla Firefox is a web browser developed and supported by Mozilla. Firefox is affected by a vulnerability that may result in authentication credentials being sent across the network in plaintext. Reportedly, the problem appears when a client connects to a server that supports multiple authentication mechanisms: by default the browser chooses Basic authentication even when stronger schemes such as Digest or NTLM are available. Mozilla Firefox versions 1.0.4 and 1.0.5 running on Windows are confirmed to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405666
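Added example, not Mozilla code: a C routine that classifies the challenges a server offers in its WWW-Authenticate headers and picks one, shown beside the weak policy the report describes (use Basic whenever it is offered). The hardened policy prefers the strongest scheme on offer and refuses to send Basic at all unless the connection is TLS. One challenge per header value is assumed (HTTP also allows several per header separated by commas, which this parser does not split), the strength ranking Basic < Digest < NTLM < Negotiate is this example's own choice, and the sample headers are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

typedef enum { SCH_NONE = -1, SCH_BASIC, SCH_DIGEST, SCH_NTLM, SCH_NEGOTIATE } scheme_t;
static const char *const SCHEME_NAME[] = { "Basic", "Digest", "NTLM", "Negotiate" };

/* True if `s` starts with `word` (ASCII case-insensitive) followed by a
 * space, tab, comma or the end of the string: scheme names are tokens. */
static int starts_with_token(const char *s, const char *word) {
    size_t i = 0;
    for (; word[i]; i++)
        if (!s[i] || tolower((unsigned char)s[i]) != tolower((unsigned char)word[i])) return 0;
    return s[i] == '\0' || s[i] == ' ' || s[i] == ',' || s[i] == '\t';
}

/* Classify one WWW-Authenticate header value. */
scheme_t scheme_of(const char *challenge) {
    while (*challenge == ' ' || *challenge == '\t') challenge++;
    for (int i = 0; i < 4; i++)
        if (starts_with_token(challenge, SCHEME_NAME[i])) return (scheme_t)i;
    return SCH_NONE;  /* unknown scheme: never pick it */
}

/* Weak policy (the behaviour reported above): if Basic is on offer, use it;
 * otherwise fall back to the first recognised challenge. */
scheme_t pick_weak(const char *const *challenges, int n) {
    scheme_t first = SCH_NONE;
    for (int i = 0; i < n; i++) {
        scheme_t s = scheme_of(challenges[i]);
        if (s == SCH_BASIC) return SCH_BASIC;
        if (s != SCH_NONE && first == SCH_NONE) first = s;
    }
    return first;
}

/* Hardened policy: the strongest offered scheme wins, and Basic (cleartext
 * credentials) is only acceptable when the transport is TLS. */
scheme_t pick_strongest(const char *const *challenges, int n, int over_tls) {
    scheme_t best = SCH_NONE;
    for (int i = 0; i < n; i++) {
        scheme_t s = scheme_of(challenges[i]);
        if (s > best) best = s;
    }
    if (best == SCH_BASIC && !over_tls) return SCH_NONE;  /* refuse rather than leak */
    return best;
}

const char *scheme_name(scheme_t s) { return s == SCH_NONE ? "(none)" : SCHEME_NAME[s]; }

/* Constructed 401 responses, one challenge per header value. */
static const char *const MIXED[] = {
    "Basic realm=\"corp\"",
    "Digest realm=\"corp\", nonce=\"0a1b2c\", qop=\"auth\"",
    "NTLM",
};
static const char *const BASIC_ONLY[] = { "basic realm=\"legacy\"" };

int main(void) {
    printf("weak policy, mixed offer:        %s\n", scheme_name(pick_weak(MIXED, 3)));
    printf("hardened, mixed offer:           %s\n", scheme_name(pick_strongest(MIXED, 3, 0)));
    printf("hardened, Basic only over http:  %s\n", scheme_name(pick_strongest(BASIC_ONLY, 1, 0)));
    printf("hardened, Basic only over https: %s\n", scheme_name(pick_strongest(BASIC_ONLY, 1, 1)));
    return 0;
}
```

Server ordering is not a trustworthy signal: an attacker in the path can reorder or strip challenges, which is why the hardened policy ranks schemes itself and treats Basic over cleartext as a hard stop rather than a last resort.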

  • 05.29.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Reports Server XML File Disclosure
  • Description: Oracle Reports Server is a reporting application. It is vulnerable to a file disclosure issue due to insufficient access validation. An attacker could exploit this issue to get hold of sensitive information and design further attacks against a computer. All current versions of Oracle Reports Server are reported to be vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/405693/30/0/threaded

  • 05.29.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Reports Server Arbitrary File Disclosure
  • Description: Oracle Reports Server is a reporting application designed to provide access to various reporting formats for selected data sets. It is reported to be vulnerable to an arbitrary file disclosure issue due to improper sanitization of user-supplied input to the "desformat" parameter of the "rwservlet" file. All versions of Oracle Reports Server are reported to be vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/14312

  • 05.29.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Reports Server Multiple Cross-Site Scripting Vulnerabilities
  • Description: Oracle Reports Server is a reporting application. It is vulnerable to multiple remote cross-site scripting issues due to insufficient sanitization of user-supplied input, for example when script code is passed to the application through the "debug" parameter of "rwservlet/showenv". Oracle Reports Server version 10g 9.0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/14313

  • 05.29.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Reports Server DESName Remote File Overwrite
  • Description: Oracle Reports Server is a reporting application designed to provide access to various reporting formats for selected data sets. Oracle Reports Server is affected by an arbitrary file overwrite vulnerability in its Web interface. Oracle Reports Server versions 10g 9.0.4.3.3 and earlier are known to be vulnerable.
  • Ref: http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html

  • 05.29.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ToCA Race Driver Multiple Format String and Buffer Overflow Vulnerabilities
  • Description: ToCA Race Driver is a racing game. It is reported to be vulnerable to multiple remote format string and buffer overflow issues caused by improper use of the "sprintf" function. ToCA Race Driver version 1.2.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405540

  • 05.29.27 - CVE: CAN-1999-1566
  • Platform: Cross Platform
  • Title: iParty Conferencing Server Denial of Service
  • Description: iParty is a small voice conferencing application created by Intel Experimental Technologies Department. iParty is affected by a denial of service vulnerability. iParty versions 1.2 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/6844

  • 05.29.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PowerDNS LDAP Backend Query Escape Failure Vulnerability
  • Description: PowerDNS is a nameserver application. When used with the LDAP backend, it fails to properly escape certain queries, which can cause requests to go unanswered. PowerDNS versions 2.9.17 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14290

  • 05.29.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PowerDNS Recursive Query Denial of Service
  • Description: PowerDNS is a nameserver application. It is vulnerable to a denial of service caused by an error in the handling of requests from clients that are denied recursion. PowerDNS versions 2.9.17 and earlier are vulnerable.
  • Ref: http://secunia.com/advisories/16111/

  • 05.29.30 - CVE: CAN-2005-2297
  • Platform: Cross Platform
  • Title: Sybase EAServer Remote Buffer Overflow
  • Description: Sybase EAServer is an application server. It is affected by a remote buffer overflow vulnerability caused by improper sanitization of user-supplied input to the parameters of the "TreeAction.do" script. Sybase Enterprise Application Server versions 5.2 and earlier are reported to be vulnerable.
  • Ref: http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm

  • 05.29.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle HTTP Server MOD_ORADAV DAV_PUBLIC Access Control Vulnerability
  • Description: The mod_oradav module for Oracle HTTP Server is prone to a vulnerability related to the default access controls on the "/dav_public" directory. A malicious user may potentially abuse this issue to fill up the "/dav_public" directory, likely resulting in a denial of service. Oracle HTTP server version 9.0.2.3 is vulnerable.
  • Ref: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

  • 05.29.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle HTTP Server MOD_ORADAV Unauthorized Database Access
  • Description: Oracle HTTP Server includes the mod_oradav module, which extends the Apache mod_dav WebDAV module to allow access to an Oracle Database. It is reported to allow unauthorized database access. Oracle9i Application Server version 9.0.2.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14277

  • 05.29.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Webcache SSL Encryption Downgrade Weakness
  • Description: Oracle Webcache is affected by an issue where documents may be served with weaker SSL encryption than configured in Oracle HTTP Server. Oracle Webcache versions 9.0.2.3 and earlier are known to be vulnerable.
  • Ref: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

  • 05.29.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle9i 9.0.1.5 FIPS Single Sign-On Server Cross-Site Scripting
  • Description: A cross-site scripting vulnerability exists in the Single Sign-On Server (SSO) for Oracle Database Server. The vulnerability is due to insufficient sanitization of input submitted through URI variables or other means. This input will be included in dynamically generated Web pages. All editions of Oracle9i version 9.0.1.5 FIPS are vulnerable.
  • Ref: http://www.red-database-security.com/whitepaper/cpu_july_2005_silently_fixed_bugs.html

  • 05.29.35 - CVE: CAN-2005-1530
  • Platform: Cross Platform
  • Title: Sophos Anti-Virus BZip2 Archive Handling Remote Denial of Service
  • Description: Sophos Anti-Virus is a commercially available virus scanning software. Sophos Anti-Virus is affected by a remote denial of service vulnerability when it is configured to "Scan inside archive files". Sophos Anti-Virus versions 5.0.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405221

  • 05.29.36 - CVE: CAN-2005-2306
  • Platform: Cross Platform
  • Title: Macromedia JRun Unauthorized Session Access
  • Description: Macromedia JRun is a J2EE application server. It is affected by a vulnerability that may allow a user's session to be shared with another user. This issue is caused due to a design error as the application may generate two sessions with the same authentication token. JRun version 4.0, ColdFusion MX version 7.0 Enterprise Multi-Server Edition, and ColdFusion MX version 6.1 Enterprise with JRun are affected by this vulnerability.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb05-05.html

  • 05.29.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle HTTP Server Unspecified Malformed Request Denial Of Service
  • Description: Oracle HTTP Server is prone to a denial of service attack caused by a specific malformed request. This issue was listed as bug ID 3174425 in the patch readme for the Oracle Critical Patch Update for July. Oracle9i Application Server versions 9.0.3.1 and 9.0.2.3 are reportedly affected.
  • Ref: http://www.red-database-security.com/whitepaper/cpu_july_2005_silently_fixed_bugs.html

  • 05.29.38 - CVE: CAN-2005-2295
  • Platform: Cross Platform
  • Title: netPanzer Remote Denial of Service
  • Description: netPanzer is an online multiplayer tactical warfare game. netPanzer is affected by a remote denial of service vulnerability. netPanzer versions 0.8 and earlier are known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/panzone-adv.txt

  • 05.29.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Form Sender Processform.PHP3 Name Cross Site Scripting Vulnerability
  • Description: CreativePHP Form Sender is an email form tool written in PHP. It is vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "name" variable of the "processform.php3" script. Form Sender version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/14324/info

  • 05.29.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Form Sender Processform.PHP3 Cross Site Scripting
  • Description: CreativePHP Form Sender is an email form tool. Insufficient sanitization of the "failed" variable in the "processform.php3" script exposes the application to a cross-site scripting issue. Form Sender version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/14326/info

  • 05.29.41 - CVE: CAN-2005-2215
  • Platform: Web Application
  • Title: MediaWiki Unspecified Remote Cross-Site Scripting
  • Description: MediaWiki is a collaborative editing application. It is vulnerable to cross-site scripting issues due to insufficient sanitization of user-supplied data prior to using it in dynamically generated web page content. An attacker could exploit this issue to steal cookie-based authentication credentials and perform other attacks. MediaWiki versions 1.4.6 and earlier are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=342530

  • 05.29.42 - CVE: Not Available
  • Platform: Web Application
  • Title: CuteNews Search.PHP Cross-Site Scripting
  • Description: CuteNews is a news management system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of "selected_search_arch" parameter of the "search.php" script. CuteNews version 1.3.6 is affected.
  • Ref: http://www.securityfocus.com/bid/14328

  • 05.29.43 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Surveyor Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP Surveyor is a set of PHP scripts that interact with MySQL to develop and publish surveys and collect responses. PHP Surveyor is affected by multiple cross-site scripting vulnerabilities. PHP Surveyor version 0.98 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14329

  • 05.29.44 - CVE: CAN-2005-2332
  • Platform: Web Application
  • Title: PHPPageProtect Admin.PHP Cross Site Scripting
  • Description: PHPPageProtect is a user authentication system used to password-protect web pages. It is prone to a cross-site scripting vulnerability due to a failure to properly sanitize user-supplied input to the "username" parameter of the "admin.php" script. PHPPageProtect versions 1.0a and earlier are reported to be susceptible.
  • Ref: http://www.securityfocus.com/bid/14314

  • 05.29.45 - CVE: Not Available
  • Platform: Web Application
  • Title: SEO-Board Smilies_popup.PHP Cross Site Scripting
  • Description: SEO-Board is a web-based forum application. It is vulnerable to a cross-site scripting issue due to a failure of the application to properly sanitize user-supplied URI input that will be output in dynamically generated Web pages. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. SEO-Board version 1.0 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/14320/info

  • 05.29.46 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPPageProtect login.php Cross Site Scripting
  • Description: PHPPageProtect is a user authentication system. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied URI input through the "username" parameter of the "login.php" script. PHPPageProtect versions 1.0b and earlier are vulnerable.
  • Ref: http://secunia.com/advisories/16110/

  • 05.29.47 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPFinance Inc.login.PHP Authentication Bypass
  • Description: PHPFinance is a web based financial management program that can be used for income/expense flow managing, reporting and logging. PHPFinance is affected by an authentication bypass vulnerability. PHPFinance version 0.3 is known to be vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=343135

  • 05.29.48 - CVE: Not Available
  • Platform: Web Application
  • Title: osCommerce Update.PHP Information Disclosure
  • Description: osCommerce is a PHP based e-commerce suite. It is prone to an information disclosure vulnerability caused by improper sanitization of user-supplied input to the "readme_file" variable of "update.php". An attacker can supply an absolute or relative path to a file on the affected system, such as "/etc/passwd", and have the contents of the file displayed. osCommerce version 2.2 milestone 2 is vulnerable.
  • Ref: http://www.oscommerce.com/community/bugs,2835/search,update.php

  • 05.29.49 - CVE: CAN-2005-2276
  • Platform: Web Application
  • Title: Novell GroupWise WebAccess HTML Injection
  • Description: Novell GroupWise WebAccess is a web-accessible version of the GroupWise groupware application. Insufficient sanitization of e-mail content exposes the application to an HTML injection issue. Groupwise versions 6.5 SP4 and earlier are affected.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm

  • 05.29.50 - CVE: Not Available
  • Platform: Web Application
  • Title: VP-ASP Shopproductselect.ASP SQL Injection
  • Description: Virtual Programming VP-ASP is a shopping cart application for e-commerce enabled sites. Insufficient sanitization of the "Productid" parameter in the "shopproductselect.asp" script exposes the application to an SQL injection issue.
  • Ref: http://www.securityfocus.com/bid/14305/info

  • 05.29.51 - CVE: Not Available
  • Platform: Web Application
  • Title: VP-ASP Shopaddtocartnodb.ASP SQL Injection
  • Description: Virtual Programming VP-ASP is a shopping cart application for e-commerce enabled sites. It is vulnerable to a remote SQL injection issue due to a failure of the application to sanitize user-supplied input before using it in an SQL query. An attacker may leverage this issue to get hold of sensitive information or perform other attacks. Please refer to the link below for a list of vulnerable versions.
  • Ref: http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

  • 05.29.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Y.SAK Scripts Multiple Remote Arbitrary Command Execution Vulnerabilities
  • Description: Y.SAK Scripts are a set of web scripts written in Perl. They are reported to be vulnerable to multiple remote arbitrary command execution issues due to improper sanitization of the user-specified "no" URL parameter of the "w_s3mbfm.cgi", "w_s3adix.cgi" and "w_s3sbfm.cgi" scripts.
  • Ref: http://www.securityfocus.com/bid/14299

  • 05.29.53 - CVE: CAN-2005-1788, CAN-2005-2077, CAN-2005-2219
  • Platform: Web Application
  • Title: Hosting Controller Multiple Vulnerabilities
  • Description: Hosting Controller consolidates all hosting tasks into one interface. It is affected by multiple vulnerabilities, including SQL injection attacks and unauthorized access to scripts. Hosting Controller version 6.1 hotfix 2.2 is vulnerable.
  • Ref: http://hostingcontroller.com/english/logs/hotfixlogv61_2_2.html

  • 05.29.54 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Website System Nested BBCode URL Tag Script Injection
  • Description: e107 Website System is a web-based content management system implemented in PHP. e107 Website System is affected by a script injection vulnerability. e107 Website System versions 0.617 and earlier are known to be vulnerable.
  • Ref: http://www.milw0rm.com/id.php?id=1106

  • 05.29.55 - CVE: Not Available
  • Platform: Web Application
  • Title: tForum Member.PHP Cross-Site Scripting
  • Description: tForum is a web bulletin-board system implemented in PHP. tForum is prone to a cross-site scripting vulnerability caused by failure to sanitize user-supplied input to the "username" parameter of "member.php" script. tForum version b0.915 is affected.
  • Ref: http://www.securityfocus.com/bid/14303

  • 05.29.56 - CVE: Not Available
  • Platform: Web Application
  • Title: VP-ASP Shopaddtocart.ASP SQL Injection
  • Description: Virtual Programming VP-ASP is a shopping cart application for e-commerce enabled sites. It is prone to an SQL injection vulnerability due to improper sanitization of user input to the "prodid" parameter of the "shopaddtocart.asp" script. VP-ASP version 5.0 and earlier are vulnerable.
  • Ref: http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

  • 05.29.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Clever Copy Calendar.PHP Cross-Site Scripting
  • Description: Clever Copy is a PHP based web-site portal and news posting system. It is vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input. The problem presents itself when HTML and script code is supplied through the "yr" variable of the "calendar.php" script. Clever Copy version 2.0a and earlier are vulnerable.
  • Ref: http://lostmon.blogspot.com/

  • 05.29.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision PowerBoard SQL Injection Privilege Escalation
  • Description: Invision PowerBoard is a web-based forum suite. It is vulnerable to an input validation issue, which allows an attacker to hijack other user accounts. All current versions of Invision PowerBoard are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405386

  • 05.29.59 - CVE: Not Available
  • Platform: Web Application
  • Title: CaLogic Multiple Remote File Include Vulnerabilities
  • Description: CaLogic is web calendar software. Insufficient sanitization of the "CLPATH" parameter in the "cl_minical.php", "clmcpreload.php", "mcconfig.php" and "mcpi-demo.php" files exposes the application to a file include issue. CaLogic version 1.2.2 is affected.
  • Ref: http://www.albaniafuckgreece.org//adviso/calogic.txt

  • 05.29.60 - CVE: Not Available
  • Platform: Web Application
  • Title: MooseGallery Display.PHP File Include
  • Description: MooseGallery is a web-based image viewing application. Insufficient sanitization of the "type" parameter of the "display.php" script exposes the application to a file include issue. MooseGallery versions 1.0.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14280/info

  • 05.29.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple Message Board User.CFM Cross-Site Scripting
  • Description: Simple Message Board is a web-based message board system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "UID" parameter of the "user.cfm" script. Simple Message Board version 2.0 beta1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14267

  • 05.29.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple Message Board Forum Cross Site Scripting
  • Description: Simple Message Board is a web-based message board system. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input through the "FID" parameter of the "forum.cfm" script. Man And Machine Ltd. Simple Message Board version 2.0 beta1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405204

  • 05.29.63 - CVE: CAN-2005-1383
  • Platform: Web Application
  • Title: Oracle HTTP Server mod_osso Application Cookie Expiration
  • Description: The Oracle HTTP Server mod_osso single sign-on module does not properly expire partner application cookies. Application cookies may persist in the system for longer than expected or required, which could present a security threat if a malicious user has a means to gain unauthorized access to partner application cookies. Oracle HTTP Server 9.0.2.3 is affected.
  • Ref: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

  • 05.29.64 - CVE: CAN-2005-2328
  • Platform: Web Application
  • Title: Laffer IM.PHP File Include
  • Description: Laffer is a web-based instant messenger client written in PHP. Laffer is susceptible to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may exploit this issue to execute arbitrary PHP code on an affected computer with the privileges of the Web server process. Laffer versions 0.3.2.7 and 0.3.2.6 are affected.
  • Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1235463&group_id=101249&atid=629313

  • 05.29.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Class-1 Forum Users.PHP Cross Site Scripting Vulnerabilities
  • Description: Class-1 Forum is a web-based forum application. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of the "viewuser_id" and "group" parameters of the "users.php" script. Class-1 Forum versions 0.24.4 and 0.23.2 are reported to be vulnerable.
  • Ref: http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html

  • 05.29.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple Message Board Search.CFM Cross-Site Scripting
  • Description: Simple Message Board is a web-based message board system. Insufficient sanitization of the "PostDate" parameter in the "search.cfm" script exposes the application to a cross-site scripting issue. Simple Message Board version 2.0 beta1 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/405204

  • 05.29.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple Message Board Thread.CFM Cross-Site Scripting
  • Description: Simple Message Board is a web-based message board system. It is vulnerable to a cross-site scripting issue due to a failure of the application to properly sanitize user-supplied URI input that is output in dynamically generated web pages. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks.
  • Ref: http://www.securityfocus.com/archive/1/405204

  • 05.29.68 - CVE: CAN-2005-2288
  • Platform: Web Application
  • Title: PHPCounter EpochPrefix Cross Site Scripting
  • Description: PHPCounter is a web-site page and hit counter written in PHP. It is susceptible to a cross-site scripting vulnerability due to improper sanitization of the user-supplied input to the "EpochPrefix" parameter of the "index.php" script. PHPCounter version 7.2 is reportedly vulnerable.
  • Ref: http://www.priestmaster.org/advisories.html

  • 05.29.69 - CVE: CAN-2005-2095
  • Platform: Web Application
  • Title: SquirrelMail Unspecified Variable Handling Vulnerability
  • Description: SquirrelMail is a Web mail application. It is affected by an unspecified variable-handling vulnerability. It was reported that an attacker can exploit this vulnerability to disclose and manipulate users' preferences, write to arbitrary files in the context of "www-data" and carry out cross-site scripting attacks.
  • Ref: http://www.securityfocus.com/bid/14254/

  • 05.29.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Hosting Controller Multiple SQL Injection Vulnerabilities
  • Description: Hosting Controller is an array of web hosting automation tools. Insufficient sanitization of the "search" parameter in the "IISManagerDB.asp" and "AccountManager.asp" scripts exposes the application to multiple SQL injection issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/14258/info

  • 05.29.71 - CVE: CAN-2005-2329
  • Platform: Hardware
  • Title: MRV Communications In-Reach Servers Access Control Bypass
  • Description: MRV Communications In-Reach is a family of console servers. They are vulnerable to an access control bypass issue due to a design error. An attacker could exploit this issue to gain unauthorized access to devices and carry out other attacks. This issue affects In-Reach LX-8000, 4000 and 1000 series devices running software version 3.5.0.
  • Ref: http://www.securityfocus.com/bid/14300

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.