
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 3
January 20, 2005

This was a big week for newly discovered vulnerabilities. Action: Oracle users should install the new patch covering 23 vulnerabilities including SQL injection and buffer overflows. Prediction: This is the year you will see application level attacks mature and proliferate. As hackers focus more on applications, Oracle may start competing with Microsoft as the vendor delivering software with the most critical vulnerabilities. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                  # of Updates & Vulnerabilities
    Other Microsoft Products  1 (#4, #10)
    Third Party Windows Apps  9 (#2, #7)
    Linux                     1
    BSD                       1
    Solaris                   1
    Unix                      5 (#3, #8)
    Cross Platform            8 (#1, #5, #9, #11)
    Web Application           25 (#6)
    Network Device            1

**************** Sponsored by SANS Orlando 2005 *************************

The largest security training conference in Orlando starts in just 14 days. Practical, timely, exciting training programs for every security professional. Fourteen immersion tracks for security practitioners, managers and auditors. Those seeking ISC2 CISSP certification will find the nation's top rated prep course at SANS Orlando, too. Plus seven one and two day short courses. And Orlando is comfortably warm in February! Details: http://www.sans.org/orlando05/

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
BSD
Solaris
Unix
Cross Platform
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Oracle Critical Patch Update
  • Affected:
    • The following supported Oracle products:
    • Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3 and 10.1.0.3.1
    • Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5 and 9.2.0.6
    • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4 (9.0.1.5 FIPS)
    • Oracle8i Database Server Release 3, version 8.1.7.4
    • Oracle8 Database Release 8.0.6, version 8.0.6.3
    • Oracle Application Server 10g Release 2 (10.1.2)
    • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
    • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
    • Oracle9i Application Server Release 1, version 1.0.2.2
    • Oracle Collaboration Suite Release 2, version 9.0.4.2
    • Oracle E-Business Suite and Applications Release 11i (11.5)
    • Oracle E-Business Suite and Applications Release 11.0
  • Description: Oracle issued a Critical Patch Update (CPU) for various products on January 18, 2005. The patch fixes 23 vulnerabilities, including PL/SQL injection flaws and buffer overflows. The update is cumulative, i.e. it also contains the fixes previously released in Alert #68. While the vulnerabilities in the Oracle database server require some privileges or access to be exploited, some of the vulnerabilities in the Oracle Application Server and the Oracle Collaboration Suite can be exploited by unauthenticated attackers. Technical details for some of the issues have been publicly posted; another security group plans to release its technical details in April 2005.

  • Status: Apply the patches referenced in Oracle's January 2005 CPU.

  • Council Site Actions: Most of the reporting council sites are responding to this issue. Most sites are regression testing their applications prior to rollout of the patches. Some of the sites are also blocking the Oracle service ports at their network security perimeters. Two of the sites are still waiting for vendor patches for their specific affected products.

  • References:
  • (2) MODERATE: Nullsoft Winamp Multiple DLL Vulnerabilities
  • Affected:
    • Winamp version 5.08 and prior
  • Description: Nullsoft has released version 5.08c for Winamp, a widely used media player. The vendor has reported security issues in "in_mp4.dll", "enc_mp4.dll" and "libmp4v2.dll". In addition, a buffer overflow (rated "critical" by the vendor) has been reported in the "in_cdda.dll", the DLL associated with processing the playlist files. Note that another buffer overflow vulnerability, for which exploit code is publicly available, was reported in this DLL in December 2004. No technical details about the new flaws have been publicly posted.

  • Status: The flaws were reported by the vendor. Upgrade to version 5.08c.

  • Council Site Actions: Only two of the reporting council sites are responding to this item. Neither site provides support for the application; however, they have both advised their users of the risk. One of the sites is investigating whether they can provide an easy upgrade path for the users.

  • References:
  • (3) MODERATE: Squid Proxy Gopher Response Overflow
  • Affected:
    • Squid version 2.5 and prior
  • Description: Squid, a widely used proxy and web caching server, contains a buffer overflow that can be triggered by an overlong response from a gopher server. The flaw can be exploited to execute arbitrary code on the proxy server. An attacker can exploit the flaw by enticing a user behind the proxy server to visit a malicious gopher server. Note that many browsers handle "gopher://" URLs; hence, to exploit the flaw the attacker can craft a web page or an HTML email. A malicious web page, for instance, can contain an HTML frame whose source is set to the attacker's gopher server.

  • Status: Vendor confirmed, patch available. The same patch also fixes a separate denial-of-service vulnerability in Squid.

  • Council Site Actions: Only one council site is using the affected software in the vulnerable configuration. They don't believe that Red Hat has published a patch yet. As such, they have implemented a workaround ACL fix that was recommended by Squid.

  • References:
  • (4) MODERATE: Internet Explorer File Download Security Warning Bypass
  • Affected:
    • Internet Explorer on XP SP2
  • Description: The security warning (information bar) that Internet Explorer on Windows XP SP2 presents to users while downloading executable files from the Internet can reportedly be bypassed. HTML pages that dynamically create a frame whose source is an executable file can be used for this purpose. A malicious web page may exploit this flaw to download malware such as spyware or adware onto Windows clients. A proof-of-concept exploit is included in the discoverer's posting. Note that the "standard" file download dialog is still presented to the user prior to the download, so the flaw can be exploited only with user interaction.

  • Status: Not confirmed by Microsoft; no patch available. As a general IE hardening measure, refer to the links in the references for configuring IE to run with limited privileges.

  • Council Site Actions: All council sites are waiting for confirmation and a patch from Microsoft. Several sites said that they would roll out the patch during their next regularly scheduled system update process.

  • References:
Other Software
  • (6) HIGH: AWStats Remote Command Execution
  • Affected:
    • AWStats version 6.1 and prior
  • Description: AWStats is a Perl-based log analyzer that generates statistics for web, FTP or mail servers from their log files. When it is run as a CGI application it contains a remote command execution vulnerability: a specially crafted "configdir" parameter containing a shell metacharacter such as "|" (pipe), passed to the CGI, results in execution of arbitrary commands on the web server. The problem occurs because the "configdir" parameter is not sanitized before it is used in a Perl "open" call.

  • Status: Vendor confirmed, upgrade to version 6.3.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
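As an added example (not code from the bulletin or from the AWStats project), the following Python scans Apache-style access log lines, constructed here as sample data, for requests to awstats.pl whose "configdir" parameter carries shell metacharacters, which is what a reviewer of web server logs would look for after this advisory. The log-format regex and the metacharacter set beyond "|" are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that must never reach an unsanitized Perl open();
# "|" is the one named in the advisory, the rest are assumed for completeness.
SHELL_META = re.compile(r'[|;&`$<>\n]')

# Apache common/combined log format, written for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)


def suspicious_configdir(target: str):
    """Return the decoded configdir value if it carries shell metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("awstats.pl"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("configdir", []):
        # parse_qs already percent-decoded once; decode a second time so that
        # a double-encoded pipe (%257C) is caught as well.
        value = unquote(value)
        if SHELL_META.search(value):
            return value
    return None


def scan_log(lines):
    """Yield (client_ip, timestamp, configdir_value) for every matching request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = suspicious_configdir(m.group("target"))
        if hit is not None:
            yield m.group("ip"), m.group("ts"), hit


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jan/2005:10:02:31 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.10 - - [19/Jan/2005:10:02:45 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Jan/2005:10:03:02 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.1" 200 731',
    '198.51.100.7 - - [19/Jan/2005:10:03:09 +0000] "GET /cgi-bin/awstats.pl?configdir=%257Cid%257C HTTP/1.1" 200 731',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} configdir={value!r}")
```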
  • (7) HIGH: Mnet Soft Factory NodeManager SNMP Trap Overflow
  • Affected:
    • NodeManager Professional version 2.00 (Japanese Software)
  • Description: Mnet NodeManager is a network management tool for Windows platforms that receives SNMP traps and displays them on screen. The SNMP trap processing contains a buffer overflow that can be triggered by a specially crafted ASN.1 "octet string" in the trap: any octet string longer than 512 bytes triggers the overflow, which can be exploited to execute arbitrary code. Exploit code has been publicly posted.

  • Status: Vendor confirmed, upgrade to version 2.01.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
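As an added illustration (not code from the advisory or from Mnet Soft Factory), the following Python encodes a sample SNMPv1 trap in BER and then walks every TLV of a received trap to report any OCTET STRING longer than the 512-byte limit named above, the length check a trap receiver or network IDS would apply before the value reaches a fixed-size buffer. The enterprise OID, agent address and community string are constructed sample values.

```python
# Minimal BER (X.690) encoder, used only to construct a sample SNMPv1 trap, and a
# decoder that walks the trap and flags OCTET STRING values longer than the limit.

MAX_OCTET_STRING = 512  # any longer value triggered the NodeManager overflow

# ---- encoder (sample construction only) ------------------------------------

def ber_len(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def int_bytes(v: int) -> bytes:
    """Minimal two's-complement content octets for a non-negative INTEGER."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_v1_trap(octet_value: bytes) -> bytes:
    """SNMPv1 Message { version 0, community, Trap-PDU [4] } with one varbind."""
    # Enterprise OID, agent address and community are constructed sample values.
    varbind = tlv(0x30, ber_oid("1.3.6.1.4.1.99999.1.1") + tlv(0x04, octet_value))
    pdu = tlv(0xA4,                                   # Trap-PDU, context tag [4]
              ber_oid("1.3.6.1.4.1.99999")            # enterprise
              + tlv(0x40, bytes([192, 0, 2, 1]))      # agent-addr, IpAddress [APPLICATION 0]
              + tlv(0x02, int_bytes(6))               # generic-trap: enterpriseSpecific
              + tlv(0x02, int_bytes(1))               # specific-trap
              + tlv(0x43, int_bytes(12345))           # time-stamp, TimeTicks [APPLICATION 3]
              + tlv(0x30, varbind))                   # variable-bindings
    return tlv(0x30, tlv(0x02, int_bytes(0)) + tlv(0x04, b"public") + pdu)

# ---- decoder (the receive-side check) ---------------------------------------

def parse_tlv(buf: bytes, pos: int, limit: int):
    """Return (tag, content_start, content_end) for the TLV at pos, bounded by limit."""
    if pos + 2 > limit:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used by SNMP")
    pos += 2
    if first & 0x80 == 0:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("indefinite or malformed length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > limit:
        raise ValueError("element length runs past its enclosing element")
    return tag, pos, end


def walk(buf: bytes, start: int, end: int, visit) -> None:
    """Depth-first visit of every TLV; descends into constructed types (bit 6 set)."""
    pos = start
    while pos < end:
        tag, cstart, cend = parse_tlv(buf, pos, end)
        visit(tag, buf[cstart:cend])
        if tag & 0x20:
            walk(buf, cstart, cend, visit)
        pos = cend


def oversized_octet_strings(message: bytes, limit: int = MAX_OCTET_STRING):
    """Lengths of every OCTET STRING (universal tag 4) longer than limit, in message order."""
    found = []

    def visit(tag, content):
        if tag == 0x04 and len(content) > limit:
            found.append(len(content))

    walk(message, 0, len(message), visit)
    return found


if __name__ == "__main__":
    for value in (b"link down on eth0", b"A" * 600):
        print(len(value), "->", oversized_octet_strings(build_v1_trap(value)))
```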
  • (8) MODERATE: Xpdf MakeFileKey2 Buffer Overflow
  • Affected:
    • Xpdf version 3.00
  • Description: Xpdf is an open source viewer for PDF files on UNIX systems. The viewer contains a stack-based overflow in its "makeFileKey2" decryption function. A malicious PDF document may exploit the buffer overflow to execute arbitrary code on a UNIX client. Note that Xpdf may be configured as a helper application for web browsers, in which case the flaw may be triggered when a user clicks a link pointing to a malicious PDF file. The technical details regarding the flaw have been posted.

  • Status: Vendor confirmed, patch available.

  • Council Site Actions: Only one of the responding council sites is using the affected software. They plan to deploy their patch via their Up2Date servers.

  • References: iDefense Advisory
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 3, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4024 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.3.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Remote Information Disclosure
  • Description: Microsoft Internet Explorer is affected by a remote information disclosure issue. The application fails to properly secure scripts that reside on a local computer. If a user navigates to a remote malicious script, it is possible for the remote malicious script to load and execute. All current versions of Internet Explorer are affected.
  • Ref: http://secunia.com/advisories/13872/

  • 05.3.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Blackberry Enterprise Server Denial of Service
  • Description: Blackberry Enterprise Server is communications middleware. An error in the processing of malformed WML (Wireless Markup Language) pages in the "Mobile Data" service exposes the application to a denial of service condition. Blackberry Enterprise Server versions 4.x and earlier are affected.
  • Ref: http://secunia.com/advisories/13861/

  • 05.3.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Mnet Soft Factory NodeManager Buffer Overflow
  • Description: Mnet Soft Factory NodeManager Professional is an SNMP logging and management utility. It is reported to be vulnerable to a remote buffer overflow issue due to improper boundary checks on SNMP LinkDown-Trap field data. NodeManager version 2.0 is reported to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2005-01/0188.html

  • 05.3.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Halocon Remote Denial of Service
  • Description: Halocon is a remote game server management application. It is vulnerable to a denial of service if it receives an empty UDP packet on port 2305. Halocon versions 2.0.0.81 and earlier are reported to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/halocon-adv.txt

  • 05.3.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Brat Designs Breed Remote Denial of Service
  • Description: Brat Designs Breed is a network enabled PC game. It is reported to be vulnerable to a denial of service issue. The issue presents itself when an empty UDP packet is sent to the server.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2005-01/0155.html

  • 05.3.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: forumKIT Cross-Site Scripting
  • Description: forumKIT is a web-based forum application. It is affected by a cross-site scripting vulnerability due to insufficient sanitization in the "members" parameter of the "f.aspx" script. forumKIT version 1.0 is known to be affected.
  • Ref: http://www.securityfocus.com/archive/1/387027

  • 05.3.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Winamp Multiple Buffer Overflow Vulnerabilities
  • Description: Winamp is a media player from Nullsoft. It is reported to be vulnerable to multiple buffer overflow issues in the files "in_mp4.dll", "enc_mp4.dll" and "libmp4v2.dll". Winamp versions 5.0.8 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12245/info/

  • 05.3.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Network Assistant Remote Denial of Service
  • Description: Network Assistant is a real-time communication utility for the office environment. It is reported to be vulnerable to a remote denial of service condition while handling certain malformed UDP packets. Attackers could leverage this to deny service to legitimate users of the utility. Network Assistant version 3.2.5.2260 is reported to be vulnerable.
  • Ref: http://nst.e-nex.com/bug-traq/Nasidos.txt

  • 05.3.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: JohnyTech Remote Denial of Service
  • Description: JohnyTech Encrypted Messenger is a plug-in that creates an encrypted chat between two Jabber clients. It is vulnerable to a remote denial of service condition when specially crafted strings are processed. JohnyTech Encrypted Messenger Plug-in version 3.0.71 is affected.
  • Ref: http://www.securityfocus.com/bid/12211

  • 05.3.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Serv-U FTP Server Resource Exhaustion Denial of Service
  • Description: RhinoSoft Serv-U FTP server is reported to be vulnerable to a remote denial of service condition. This issue occurs since it does not properly handle multiple connection attempts. Attackers could leverage this to deny service to legitimate clients. Serv-U FTP version 2.5 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12213/

  • 05.3.11 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Multiple Unspecified Vulnerabilities
  • Description: Linux kernel version 2.6.9 is vulnerable to multiple unspecified issues in coda, xfs, network bridging, rose network protocol, and sdla wan drivers.
  • Ref: http://www.securityfocus.com/bid/12239/info/

  • 05.3.12 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD TCP Timestamp Remote Denial of Service
  • Description: A remote denial of service vulnerability affects the TCP timestamp processing functionality of OpenBSD. The issue exists due to failure of handling malicious network data. OpenBSD versions 3.6 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12250/info/

  • 05.3.13 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris Management Console Insecure Account Creation
  • Description: The Sun Solaris Management Console (SMC) graphical user interface facilitates administration of Solaris computers. It is vulnerable to an insecure account creation issue that allows accounts with no password to be created. Attackers who leverage this issue can gain unauthorized access to the vulnerable system.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57717-1&searchclause=

  • 05.3.14 - CVE: CAN-2005-0064
  • Platform: Unix
  • Title: Xpdf makeFileKey2 Function Buffer Overflow
  • Description: The Xpdf PDF file viewer is reported to be vulnerable to a buffer overflow condition. This issue occurs due to insufficient boundary checks while copying user supplied data. An attacker can exploit this issue by enticing a vulnerable user to open a malformed PDF file. Successful exploitation could lead to arbitrary code execution. Xpdf version 3.00 is reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities

  • 05.3.15 - CVE: Not Available
  • Platform: Unix
  • Title: Squid Proxy Remote Denial of Service
  • Description: The Squid web proxy is reported to be vulnerable to a denial of service condition in its Web Cache Communication Protocol (WCCP). This is due to improper handling of certain malformed network data. A remote attacker may leverage this issue to crash the affected Squid Proxy. All current versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7833

  • 05.3.16 - CVE: Not Available
  • Platform: Unix
  • Title: Squid Proxy Remote Buffer Overflow
  • Description: Squid is web proxy software. Failure of the application to validate the length of user-supplied strings prior to copying them into a static buffer exposes a remote buffer overflow issue. Squid versions 2.5 and earlier are affected.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200501-25.xml

  • 05.3.17 - CVE: CAN-2004-0560, CAN-2004-0561
  • Platform: Unix
  • Title: University of Minnesota Gopher Multiple Remote Vulnerabilities
  • Description: University of Minnesota Gopher is vulnerable to multiple security issues such as integer overflow and format string vulnerabilities. Gopher version 3.0.3 is known to be vulnerable.
  • Ref: http://www.debian.org/security/2005/dsa-638

  • 05.3.18 - CVE: CAN-2004-1039
  • Platform: Unix
  • Title: UnixWare NFS Mountd Denial of Service
  • Description: SCO UnixWare is affected by a denial of service condition. UnixWare versions 7.1.1, 7.1.3, and 7.1.4 are known to be affected.
  • Ref: http://www.securityfocus.com/bid/12225

  • 05.3.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AWStats Remote Command Execution Vulnerability
  • Description: AWStats is a CGI log analyzer that generates statistics reports based on HTTP, SMTP or FTP logs. It is reported to be vulnerable to remote arbitrary command execution due to insufficient sanitization of user-supplied data. AWStats versions 5.7 through 6.2 are reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=true

  • 05.3.20 - CVE: CAN-2005-0005
  • Platform: Cross Platform
  • Title: ImageMagick Document Parsing Client Buffer Overflow
  • Description: ImageMagick is an image manipulation program. A client-side buffer overflow vulnerability affects the Photoshop document parsing functionality of the application. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static buffers. ImageMagick versions 6.1.0 and 6.1.7 are affected.
  • Ref: http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities&flashstatus=true

  • 05.3.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SparkleBlog Multiple Input Validation Vulnerabilities
  • Description: SparkleBlog is a PHP script designed to provide an interface for updating web logs. SparkleBlog is affected by multiple input validation vulnerabilities. SparkleBlog version 2.1 is known to be affected.
  • Ref: http://www.securityfocus.com/archive/1/387308

  • 05.3.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Anti-Virus Gateway Bypass Weakness
  • Description: Anti-virus gateway products from multiple vendors are reported to be vulnerable to a security bypass issue. The issue presents itself when a malicious base64-encoded image is sent through the "data" parameter in a URL.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2005-01/0083.html

  • 05.3.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL MaxDB Remote Buffer Overflow Vulnerability
  • Description: MySQL MaxDB WebAgent WebSQL is vulnerable to a remote buffer overflow issue due to insufficient sanitization of the "password" parameter. MaxDB version 7.5.00 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12265

  • 05.3.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IlohaMail Disclosure of Sensitive Information
  • Description: IlohaMail is a web mail application. The default installation does not install sensitive configuration files in a secure manner. The files "conf/conf.inc", "conf/custom_auth.inc", and "conf/login.inc" are world readable. IlohaMail versions 0.8.14RC1 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12252/info/

  • 05.3.25 - CVE: CAN-2005-0002
  • Platform: Cross Platform
  • Title: POP Password Changer Unauthorized Access
  • Description: POP Password Changer (poppassd_pam) uses PAM (Pluggable Authentication Modules) to change passwords. Because it calls the "pam_chauthtok" function before calling "pam_authenticate", unauthorized users can change the administrator passwords. poppassd_pam version 1.0 is affected.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200501-22.xml

  • 05.3.26 - CVE: CAN-2004-1182
  • Platform: Cross Platform
  • Title: HylaFAX Remote Access Control Bypass Vulnerability
  • Description: HylaFAX is a FAX management application. It is reported to be vulnerable to an access control bypass issue allowing remote unauthenticated users to gain unauthorized access. HylaFAX versions prior to 4.2.1 are reported to be vulnerable.
  • Ref: http://bugs.hylafax.org/bugzilla/show_bug.cgi?id=610

  • 05.3.27 - CVE: Not Available
  • Platform: Web Application
  • Title: phpGroupWare WebDAV acl_check Vulnerability
  • Description: phpGroupWare is a web-based groupware application. phpGroupWare has a security issue in the "acl_check" function that allows users to bypass the ACL capabilities. phpGroupWare version 0.9.16RC3 was released to fix this issue.
  • Ref: https://savannah.gnu.org/bugs/?func=detailitem&item_id=7227

  • 05.3.28 - CVE: Not Available
  • Platform: Web Application
  • Title: VBulletin unspecified Init.PHP script Vulnerability
  • Description: VBulletin is a web-based bulletin board application. An unspecified vulnerability is present due to the "includes/init.php" script with "register_globals" enabled. VBulletin versions 3.04 and earlier with PHP 4 are reported to be vulnerable.
  • Ref: http://www.vbulletin.com/forum/showthread.php?t=125480

  • 05.3.29 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Gift Registry Multiple SQL Injection Vulnerabilities
  • Description: PHP Gift Registry is a web-based application to track gift registries. It is vulnerable to multiple SQL injections due to insufficient user-supplied data sanitization. PHP Gift Registry versions 1.4.0 and earlier are known to be vulnerable.
  • Ref: http://secunia.com/advisories/13873/

  • 05.3.30 - CVE: Not Available
  • Platform: Web Application
  • Title: SafeHTML HTML Entity Bypass Vulnerability
  • Description: SafeHTML is an HTML parser to strip malicious content. It is possible to bypass its functionality by using hexadecimal characters. SafeHTML versions 1.2.0 and earlier are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/13869/

  • 05.3.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Multiple Cross Site Scripting Vulnerabilities
  • Description: Gallery is a web application that allows users to manage images on their web site. Multiple cross site scripting vulnerabilities exist due to insufficient sanitization of user input. Gallery versions 1.x and 2.0 Alpha are vulnerable.
  • Ref: http://theinsider.deep-ice.com/texts/advisory69.txt

  • 05.3.32 - CVE: Not Available
  • Platform: Web Application
  • Title: AWStats Unspecified Input Validation Vulnerabilities
  • Description: AWStats is a CGI log analyzer that generates graphical statistic reports. It is reported that multiple unspecified remote input validation vulnerabilities exist. These issues are due to insufficient sanitization of user-supplied input. AWStats versions 6.2 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12270/info/

  • 05.3.33 - CVE: Not Available
  • Platform: Web Application
  • Title: phpGroupWare Access Control Vulnerability
  • Description: phpGroupWare is a groupware system. The "class.vfs_dav.inc.php" module creates the ".htaccess" access file incorrectly leading to various security issues. phpGroupWare version 0.9.16.000 is affected.
  • Ref: https://savannah.gnu.org/bugs/?func=detailitem&item_id=8359

  • 05.3.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Siteman Page Parameter Cross-Site Scripting
  • Description: Siteman is a content management system. Insufficient sanitization of the "page" parameter in the "forum.php" script exposes a cross-site scripting issue in the application. Siteman version 1.1.9 is affected.
  • Ref: http://www.securityfocus.com/archive/1/387179

  • 05.3.35 - CVE: Not Available
  • Platform: Web Application
  • Title: MPM Guestbook Multiple Vulnerabilities
  • Description: MPM Guestbook is a web-based guest-book application. It is reported to be vulnerable to multiple input-validation issues. These include remote PHP-file include, and directory traversal possibilities. Attackers can leverage this to cause arbitrary code execution or sensitive information disclosure on a vulnerable system. MPM Guestbook version 1.05 is reported to be vulnerable.
  • Ref: http://www.systemsecure.org/public/ss11012005.txt

  • 05.3.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Zeroboard Print_Category.PHP Source Injection
  • Description: Zeroboard is a PHP web bulletin board system. A source injection vulnerability exists due to insufficient sanitization of user-supplied input to the uninitialized "dir" variable of the "print_category.php" script. Zeroboard versions 4.1pl5 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/387076

  • 05.3.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Zeroboard Multiple File Disclosure Vulnerabilities
  • Description: Zeroboard is a bulletin board system. Insufficient sanitization of the "_zb_path" and "dir" parameters exposes various file disclosure issues in the application. Zeroboard versions 4.1pl5 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/387076

  • 05.3.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Horde Multiple Cross-Site Scripting Vulnerabilities
  • Description: The Horde Application Framework is reported to be vulnerable to a cross-site scripting issue. This is due to insufficient user-input sanitization in some of its web scripts. This issue can be leveraged by attackers to steal cookie-based authentication credentials. Horde version 3.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/387045

  • 05.3.39 - CVE: Not Available
  • Platform: Web Application
  • Title: SGallery PHPNuke Module SQL Injection
  • Description: The SGallery module for PHPNuke is reported to be vulnerable to an SQL injection issue. This allows attackers to compromise the remote backend database. SGallery version 1.01 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/386960

  • 05.3.40 - CVE: Not Available
  • Platform: Web Application
  • Title: BiTBOARD Cross-Site Scripting
  • Description: BiTBOARD is a web-based bulletin board application. BiTBOARD is vulnerable to a cross-site scripting issue due to insufficient sanitization of the "IMG" parameter. BiTBOARD versions 2.5 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/386935

  • 05.3.41 - CVE: Not Available
  • Platform: Web Application
  • Title: VideoDB Unspecified HTML Injection Vulnerability
  • Description: VideoDB is a web-based interface to manage your personal video collection. Due to an unspecified HTML injection issue, attackers could steal cookie-based authentication credentials from legitimate clients. The vendor reported this issue for VideoDB version 2.0.2.
  • Ref: http://www.securityfocus.com/bid/12221/

  • 05.3.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Dokeos Course Cross-Site Scripting
  • Description: Dokeos is an e-learning and collaboration application. A cross-site scripting vulnerability exists due to insufficient sanitization of user input. Dokeos versions 1.5.5 and prior are vulnerable.
  • Ref: http://users.pandora.be/bratax/advisories/b004.html

  • 05.3.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Guestserver Path Disclosure
  • Description: Guestserver is a web-based guestbook application. Guestserver is vulnerable to a path disclosure issue due to insufficient sanitization of the "user" parameter in the "guestserver.cgi" script. Guestserver version 5 is known to be vulnerable.
  • Ref: http://www.systemsecure.org/public/ss10012005.txt

  • 05.3.44 - CVE: Not Available
  • Platform: Web Application
  • Title: VideoDB SQL Injection
  • Description: VideoDB is a database front-end to manage video collections. Insufficient sanitization of user-supplied input exposes an SQL injection issue in the application. VideoDB versions 2.0.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/12219/info/

  • 05.3.45 - CVE: Not Available
  • Platform: Web Application
  • Title: eMotion MediaPartner Enterprise Multiple Vulnerabilities
  • Description: eMotion MediaPartner Enterprise is a digital asset management application. Its web server is vulnerable to multiple issues that allow remote attackers to obtain sensitive information, carry out directory traversal and cross-site scripting attacks, and gain administrative access to an affected server. MediaPartner versions 5.1 and 5.0 are affected by these issues.
  • Ref: http://www.securityfocus.com/bid/12236

  • 05.3.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Guestserver HTML Injection
  • Description: Guestserver is a guestbook application. It is vulnerable to an HTML injection issue due to insufficient sanitization in the "message" parameter of the "guestserver.cgi" script. Guestserver version 5 is known to be vulnerable.
  • Ref: http://www.systemsecure.org/public/ss10012005.txt

  • 05.3.47 - CVE: Not Available
  • Platform: Web Application
  • Title: WebSeries Design Errors
  • Description: Bottomline Technologies WebSeries is affected by four security issues, all of which appear to be due to design oversights. The issues include unauthorized password change, bad password length checks, information leaks and absolute path disclosures. WebSeries version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/12231/info/

  • 05.3.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Apache mod_auth_radius Integer Overflow
  • Description: Apache mod_auth_radius is the RADIUS authentication module. It is vulnerable to an integer overflow error in handling certain "RADIUS_ACCESS_CHALLENGE" RADIUS packets. All versions of mod_auth_radius are reported to be vulnerable.
  • Ref: http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02

  • 05.3.49 - CVE: Not Available
  • Platform: Web Application
  • Title: WoltLab Burning Board Lite SQL Injection
  • Description: WoltLab Burning Board Lite is a web-based bulletin board system. Insufficient sanitization of user-supplied parameters in the "addentry.php" script exposes an SQL injection issue. WoltLab Burning Board Lite versions 1.0 Gold and 1.1.1e are affected.
  • Ref: http://www.securityfocus.com/archive/1/386776

  • 05.3.50 - CVE: Not Available
  • Platform: Web Application
  • Title: PRADO Page Parameter Remote File Include
  • Description: PRADO is an event driven web programming framework for PHP5. It is possible to execute arbitrary code due to improper sanitization of the "page" parameter in the "phonebook.php" script. PRADO Framework versions 1.5 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12209/info/

  • 05.3.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Webseries Payment Application Access Control Bypass
  • Description: BottomLine Webseries Payment Application is a lifecycle application. The application allows any authenticated user to access all administrative scripts by requesting them directly using a URI. WebSeries Payment Application version 4.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/386765

  • 05.3.52 - CVE: Not Available
  • Platform: Network Device
  • Title: NetGear FVS318 ProSafe VPN Firewall Switch Multiple Vulnerabilities
  • Description: NetGear FVS318 ProSafe VPN Firewall switch is a Firewall/VPN/Router hardware device. Insufficient sanitization of user-supplied input exposes the switch to various URI filter bypass and cross-site scripting issues. NetGear FVS318 devices with firmware 2.4 are affected.
  • Ref: http://www.securinews.com/vuln.htm?vulnid=103

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.