
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 30
July 29, 2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Third Party Windows Apps    8 (#2, #6)
    Linux                       2
    BSD                         1
    Unix                        6 (#4)
    Cross Platform              11 (#1, #3, #5)
    Web Application             29
    Network Device              3 (#7)

************************ Sponsored by Q1 Labs ***************************

In the fight against worms, hacking, spyware and data theft, you need a situational threat awareness that covers your network completely and continuously. You must also demonstrate compliance with audit and regulatory requirements. Managing these functions across large networks grows more difficult - unless you have a single, integrated solution that tells you exactly what you need to know:

Attend a FREE online demo. Register today! http://www.q1labs.com/news/monthly.html
*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
BSD
Unix
Cross Platform
Web Application
Network Device

********************* SECURITY TRAINING NEWS ****************************

1) Finally, an online security training program that works and that is interesting and alive. SANS Security Essentials is available now; Hacking Exploits and Incident Handling will be ready soon. You get to hear the instructor teaching SANS' exclusive classroom materials, see the visuals, read the course books and text, work through the hands-on cookbook and CD, and use the built-in assessment and practice exams, so you know you are preparing well for the certification exam. For SANS On-Demand details, email: ondemand@sans.org

2) On-site training is the security training option available if you have 25 or more people who can participate. The classes are customized, the discussions are uniquely valuable for solving the problems your organization faces, and the instructors are still the best in the world. SANS@WORK details: http://www.sans.org/atwork

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: ClamAV Multiple Buffer Overflows
  • Affected: ClamAV version 0.86.1 and prior
  • Description: ClamAV is an open-source antivirus software designed mainly for scanning emails on UNIX mail gateways. The software includes a virus scanning library - libClamAV. This library is used by many third party email, web, FTP scanners as well as mail clients. The library contains three integer overflows that can be triggered by specially crafted TNEF (Microsoft Rich Text), CHM (Microsoft Help) and FSG (Packed Executable Format) files. The attacker can send the malicious files via email, web, FTP or a file share, and exploit the heap-based overflows to execute arbitrary code on the system running the ClamAV library. The technical details can be obtained by comparing the fixed and the affected versions of the software. Note that for compromising the mail/web/FTP gateways no user interaction is required.

  • Status: The vendor has released ClamAV 0.86.2 to address these issues. Please look for third party updates for the software linked to libClamAV.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (3) UPDATE: Oracle Critical Update July 2005
  • Affected: Oracle Database Server 9iR2
  • Description: The discoverer of a DoS vulnerability in Oracle Database server has reported that the flaw has not been fixed for version 9iR2 in the July 2005 Critical Update. The update fixes the flaw only in version 10g. Oracle is working on back porting the update. Note that database user privileges are required to leverage the DoS flaw.

  • Council Site Actions: Only one of the reporting council sites is using the affected software. They are relying on their existing network perimeter controls until the vendor releases a patch.

  • References:
Other Software
  • (4) MODERATE: fetchmail Multiple Buffer Overflows
  • Affected: fetchmail version 6.2.5 and prior
  • Description: fetchmail is a mail retrieval and forwarding utility for UNIX systems that supports all versions of the POP and IMAP protocols. fetchmail's POP3 protocol handling contains a stack-based buffer overflow that can be triggered by an overlong "UIDL" command response. A malicious POP3 server can exploit the flaw to execute arbitrary code with the privileges of the fetchmail process, potentially root. Note that in configurations downloading the mailboxes of multiple users, fetchmail typically runs with root privileges. An attacker would need to either entice a user to download mail from his malicious POP server, or compromise a POP server, to launch a successful attack.

  • Status: Upgrade to version 6.2.5.2. Do not upgrade to 6.2.5.1, the version originally released to fix this overflow, as it introduces a DoS flaw.

  • Council Site Actions: Only one of the reporting council sites is using the affected software. They have a very small population of fetchmail users and will ask them to apply the appropriate patches.

  • References:
  • (5) MODERATE: Ethereal Multiple Protocol Decoder Vulnerabilities
  • Affected: Ethereal versions prior to 0.10.12
  • Description: Ethereal is a popular open source network sniffer and protocol analyzer for Unix and Windows platforms. The software contains format string or buffer overflow vulnerabilities in parsing multiple network protocols. These flaws can be exploited to execute arbitrary code with the privileges of the ethereal process (typically "root" when ethereal is being used as a sniffer). To exploit these flaws, an attacker has to either inject the malicious packets into the network traffic being sniffed by ethereal, or entice a client to open a specially crafted packet capture file. The technical details can be obtained by examining the fixed code. Note that any network applications based on ethereal protocol decoder modules may also be affected.

  • Status: Vendor confirmed. Upgrade to version 0.10.12. In addition, this update fixes the zlib buffer overflow vulnerability discussed in a previous @RISK newsletter.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4442 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.30.1 - CVE: CAN-2002-1741
  • Platform: Third Party Windows Apps
  • Title: MDaemon Content Filter Directory Traversal
  • Description: MDaemon server is prone to a directory traversal vulnerability. A specially crafted email sent to the server with a virus-infected attachment whose filename contains "../../../../" directory traversal sequences exposes the issue. Alt-N MDaemon version 8.1 is released to fix this issue.
  • Ref: http://www.securityfocus.com/bid/14400
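The MDaemon entry describes the general hazard of using an attachment's own filename to decide where a quarantined file lands. The check below is an added example of how a mail gateway can refuse such names before touching the filesystem; it is not MDaemon's code, the quarantine directory `/var/quarantine` is a hypothetical path, and the sample attachment names are constructed (the traversal sequence matches the one the advisory quotes).

```python
from __future__ import annotations

import posixpath

# Hypothetical quarantine directory; the advisory names no path.
QUARANTINE_ROOT = "/var/quarantine"


def has_traversal(name: str) -> bool:
    """True if an attachment name is absolute or carries a '..' component.

    Both separator styles are normalized first: a Windows server may see '\\'
    where the sender used '/', or a mix of both.
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return True                           # absolute POSIX path
    if len(normalized) >= 2 and normalized[1] == ":":
        return True                           # Windows drive-letter path, e.g. C:...
    return any(part == ".." for part in normalized.split("/"))


def quarantine_path(name: str, root: str = QUARANTINE_ROOT) -> str:
    """Map an untrusted attachment name to a file path inside root, or raise ValueError.

    Policy choice: names with traversal sequences are rejected outright rather
    than silently stripped, so the event can be logged and the message flagged.
    """
    if "\x00" in name:
        raise ValueError("NUL byte in attachment name")
    if has_traversal(name):
        raise ValueError(f"traversal sequence in attachment name: {name!r}")
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", "."):
        raise ValueError(f"no usable file name in {name!r}")
    candidate = posixpath.normpath(posixpath.join(root, base))
    # Defence in depth: the final path must still sit under root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"resolved outside quarantine: {candidate}")
    return candidate


def triage(names: list[str]) -> tuple[dict[str, str], list[str]]:
    """Split a batch of attachment names into accepted {name: path} and rejected names."""
    accepted: dict[str, str] = {}
    rejected: list[str] = []
    for n in names:
        try:
            accepted[n] = quarantine_path(n)
        except ValueError:
            rejected.append(n)
    return accepted, rejected


# Constructed sample names, including the traversal pattern from the advisory.
SAMPLE_NAMES = [
    "invoice.pdf",
    "../../../../app/evil.exe",
    "..\\..\\..\\..\\app\\evil.exe",
    "reports/q3.xls",
    "/etc/passwd",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
```

Note that `reports/q3.xls` is accepted but flattened to its base name: a subdirectory in an attachment name is never honoured, while anything that tries to climb out of the root is refused and reported.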

  • 05.30.2 - CVE: CAN-2005-2219
  • Platform: Third Party Windows Apps
  • Title: Hosting Controller Unauthorized Access
  • Description: Hosting Controller is an application that consolidates all hosting tasks into one interface. It is prone to an unauthorized access issue due to insufficient access control in the "comgetfile.asp" script. Hosting Controller versions 6.1 Hotfix 2.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14393/info

  • 05.30.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTPShell Server Denial of Service
  • Description: FTPshell server is a Microsoft Windows FTP service. FTPshell is affected by a remote denial of service vulnerability. FTPshell version 3.38 is known to be vulnerable.
  • Ref: http://reedarvin.thearvins.com/20050725-01.html

  • 05.30.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ares Fileshare Remote Buffer Overflow
  • Description: Ares Fileshare is a P2P application for Microsoft Windows. Ares Fileshare is affected by a remote buffer overflow vulnerability. This issue arises because the application fails to sanitize user-supplied data prior to copying it into sensitive process buffers. Specifically, this vulnerability arises when the application handles search strings that are longer than 1065 bytes. A successful attack can result in memory corruption leading to arbitrary code execution in the context of the user running the application. Ares FileShare 1.1 is affected by this vulnerability.
  • Ref: www.securityfocus.com/bid/14377

  • 05.30.5 - CVE: CAN-2005-2387
  • Platform: Third Party Windows Apps
  • Title: GoodTech SMTP Server Multiple Buffer Overflow Vulnerabilities
  • Description: GoodTech Systems SMTP server is affected by a remote buffer overflow issue due to a failure of the application to properly perform bounds checking of the "RCPT TO" data prior to copying it to fixed size memory buffers. GoodTech version 5.17 is released to fix the issue.
  • Ref: http://www.securityfocus.com/archive/1/406321

  • 05.30.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Veritas NetBackup Access Violation
  • Description: Veritas NetBackup is a network enabled backup solution from Veritas. Veritas NetBackup is affected by an access violation error. Veritas NetBackup versions 5.1 and earlier are known to be vulnerable.
  • Ref: http://class101.org/viewtopic.php?p=519&sid=aacf1d12222126b9b9a1df6236e529bf#519

  • 05.30.7 - CVE: CAN-2005-2384,CAN-2005-1770
  • Platform: Third Party Windows Apps
  • Title: Avast! Multiple Vulnerabilities
  • Description: Avast! is affected by multiple remote vulnerabilities. These issues can allow an attacker to write files to arbitrary directories and exploit a remote buffer overflow to execute arbitrary code. Please refer to the link below for a list of affected versions.
  • Ref: http://secunia.com/secunia_research/2005-20/advisory/

  • 05.30.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WhitSoft Development SlimFTPd Remote Buffer Overflow
  • Description: WhitSoft Development SlimFTPd is an FTP server. WhitSoft Development SlimFTPd is affected by a remote buffer overflow vulnerability. WhitSoft Development SlimFTPd versions 3.16 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405916

  • 05.30.9 - CVE: CAN-2005-2390
  • Platform: Linux
  • Title: ProFTPD Shutdown Message Format String
  • Description: ProFTPD is an FTP server implementation that is available for UNIX and Linux platforms. A format string vulnerability exists in ProFTPD. This issue is related to how shutdown messages are output when the "ftpshut" command is run. This issue would most likely be exploited by an authenticated FTP user with access to create directories on the host. Successful exploitation will result in arbitrary code execution in the context of the server.
  • Ref: http://www.securityfocus.com/bid/14381

  • 05.30.10 - CVE: Not Available
  • Platform: Linux
  • Title: ProFTPD SQLShowInfo Output Format String
  • Description: ProFTPD is an FTP server. It is vulnerable to a format string issue when the SQLShowInfo directive is enabled. ProFTPD Project ProFTPD versions 1.3.0rc1 and earlier are vulnerable.
  • Ref: http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc2

  • 05.30.11 - CVE: CAN-2005-2359
  • Platform: BSD
  • Title: FreeBSD IPsec Session AES-XCBC-MAC Authentication Constant Key Usage
  • Description: IP Security (IPsec) is a set of protocols used to encrypt packets at the IP layer. FreeBSD is affected by a vulnerability that may allow remote unauthorized attackers to establish an IPsec session. Specifically, the vulnerability presents itself when the "AES-XCBC-MAC" algorithm is used for authentication without any other method of Ipsec encryption. FreeBSD versions 5.4 and 5.3 are affected.
  • Ref: http://www.securityfocus.com/advisories/8963

  • 05.30.12 - CVE: Not Available
  • Platform: Unix
  • Title: FtpLocate Remote Command Execution
  • Description: FtpLocate is a Perl script that utilizes the Glimpse search utility to create a web accessible FTP search service. It is prone to a remote arbitrary command execution vulnerability. The issue arises when user-specified values are passed to the "fsite" argument of the "flsearch.pl" script. The supplied value is then supplied to the Perl "open()" routine without prior sanitization. FtpLocate version 2.0.2 and earlier is affected.
  • Ref: http://www.securityfocus.com/archive/1/406373

  • 05.30.13 - CVE: Not Available
  • Platform: Unix
  • Title: Hobbit Monitor Remote Denial of Service
  • Description: Hobbit Monitor is a system for monitoring hosts and networks, providing real-time monitoring, an easy web interface, historical data, availability reports and performance graphs. Hobbit Monitor is affected by a remote denial of service vulnerability. This issue is due to a failure in the application to handle exception conditions. Hobbit Monitor versions 4.0.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14365

  • 05.30.14 - CVE: CAN-2005-2132
  • Platform: Unix
  • Title: SCO UnixWare RPC Portmapper Denial of Service
  • Description: SCO UnixWare is reported prone to a denial of service vulnerability. The cause of this issue is currently unknown. Reportedly, this issue arises when the application handles multiple invalid portmap requests. UnixWare 7.x versions are reported to be affected.
  • Ref: http://www.securityfocus.com/bid/14360

  • 05.30.15 - CVE: CAN-2005-2070
  • Platform: Unix
  • Title: ClamAV Multiple Integer Overflow Vulnerabilities
  • Description: ClamAV is susceptible to multiple integer overflow vulnerabilities. These issues are due to a failure of the application to properly ensure that user-supplied input does not result in the overflowing of integer values. This may result in data being copied past the end of a memory buffer. ClamAV version 0.86.1 and earlier are affected.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200507-25.xml

  • 05.30.16 - CVE: CAN-2005-2355
  • Platform: Unix
  • Title: Fetchmail POP3 Client Buffer Overflow
  • Description: Fetchmail is a mail retrieval utility. Its POP3 client is prone to a buffer overflow issue due to a failure of the application to perform boundary checks prior to copying server-supplied data into process buffers. Fetchmail version 1.02 is affected.
  • Ref: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt

  • 05.30.17 - CVE: CAN-2005-1852
  • Platform: Unix
  • Title: EKG LibGadu Multiple Remote Integer Overflow Vulnerabilities
  • Description: EKG is a console Gadu Gadu client. EKG comes with the libgadu library that implements the Gadu-Gadu protocol. It is susceptible to multiple remote integer overflow vulnerabilities due to a failure of the application to properly sanitize user-supplied input data prior to using it in memory allocation and copy operations. For a list of affected versions please refer to the link below.
  • Ref: http://www.securityfocus.com/bid/14345/references
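The ClamAV (05.30.15, and Part I item 1) and libgadu (05.30.17) entries share one root cause: a count or length taken from the input is multiplied into an allocation size in 32-bit arithmetic, the product wraps, and a small buffer is then filled with far more data than it holds. The parser below is an added example, not code from either project; it reads a constructed record format (a little-endian u32 count followed by fixed-size entries) and shows the overflow-aware size check that has to precede the allocation, alongside what the unchecked 32-bit product would have produced.

```python
from __future__ import annotations

import struct

WORD_MAX = 0xFFFFFFFF   # 32-bit size arithmetic, as in the C parsers these advisories concern


class MalformedRecord(ValueError):
    """Raised for any header that cannot describe a valid, bounded record set."""


def wraps_32(count: int, elem_size: int) -> int:
    """The product as an unchecked 32-bit C multiplication computes it: it wraps silently."""
    return (count * elem_size) & WORD_MAX


def checked_alloc_size(count: int, elem_size: int) -> int:
    """Return count * elem_size only if it fits in 32 bits; raise instead of wrapping."""
    if count < 0 or elem_size <= 0:
        raise MalformedRecord("negative count or non-positive element size")
    if count > WORD_MAX // elem_size:
        raise MalformedRecord(f"size {count}*{elem_size} overflows 32-bit arithmetic")
    return count * elem_size


def parse_records(blob: bytes, elem_size: int = 4, max_total: int = 1 << 20) -> list[bytes]:
    """Parse the constructed format: u32 count, then `count` entries of elem_size bytes.

    Three independent checks guard the copy: the product must not overflow, it
    must not exceed a policy ceiling, and it must not exceed the bytes present.
    """
    if len(blob) < 4:
        raise MalformedRecord("truncated header")
    (count,) = struct.unpack_from("<I", blob, 0)
    total = checked_alloc_size(count, elem_size)
    if total > max_total:
        raise MalformedRecord(f"declared size {total} exceeds policy limit {max_total}")
    if len(blob) - 4 < total:
        raise MalformedRecord(f"declared count {count} exceeds data present")
    return [blob[4 + i * elem_size: 4 + (i + 1) * elem_size] for i in range(count)]


def check(blob: bytes, elem_size: int = 4) -> str:
    """'ok' if the blob parses, otherwise the reason it was rejected."""
    try:
        parse_records(blob, elem_size)
        return "ok"
    except MalformedRecord as exc:
        return str(exc)


# Constructed inputs. SAMPLE_OVERFLOW declares 0x40000001 four-byte entries: the
# 32-bit product is 4, so an unchecked parser would allocate 4 bytes and then
# copy far beyond them.
SAMPLE_GOOD = struct.pack("<I", 2) + b"AAAABBBB"
SAMPLE_OVERFLOW = struct.pack("<I", 0x40000001) + b"AAAA"
SAMPLE_SHORT = struct.pack("<I", 3) + b"AAAABBBB"

if __name__ == "__main__":
    print("unchecked 32-bit product for the overflow sample:", wraps_32(0x40000001, 4))
    for sample in (SAMPLE_GOOD, SAMPLE_OVERFLOW, SAMPLE_SHORT):
        print(check(sample))
```

The overflow test uses division rather than multiplication (`count > WORD_MAX // elem_size`) so that the check itself can never wrap, which is the same idiom a C implementation needs.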

  • 05.30.18 - CVE: CAN-2005-2346
  • Platform: Cross Platform
  • Title: Novell GroupWise Client Remote Buffer Overflow
  • Description: Novell GroupWise Client is a client application used to access the GroupWise groupware application. Novell GroupWise Client is affected by a remote buffer overflow vulnerability. It should be noted that an attacker can compromise all clients of GroupWise by exploiting this issue. This issue affects all versions of Novell GroupWise 6.5 client dated prior to July 15, 2005.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098314.htm

  • 05.30.19 - CVE: CAN-2005-1460
  • Platform: Cross Platform
  • Title: Ethereal Multiple Protocol Dissector Vulnerabilities
  • Description: Ethereal is a multi-platform network protocol sniffer and analyzer. Vulnerabilities in the various protocol dissectors have been disclosed by the vendor. The SMB dissector is susceptible to an unspecified buffer overflow due to improper bounds checking of user-supplied data.
  • Ref: http://www.ethereal.com/appnotes/enpa-sa-00020.html

  • 05.30.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Password Encryption Weakness
  • Description: IBM Lotus Domino is affected by a password encryption weakness. Reportedly, the algorithm used by Lotus Domino to encrypt user passwords does not use a salt value. This can cause the hash for a password value to be static; always hashing to the same value. The values of hashed strings of two identical passwords will be identical as well. This can aid in brute force attacks by significantly reducing the time needed to crack a password. All versions of Lotus Domino are considered to be affected by this weakness.
  • Ref: http://www.securityfocus.com/bid/14392
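The Lotus Domino entry describes the property, not the fix. The example below is an added illustration, unrelated to Domino's own algorithm: it shows why an unsalted digest lets an auditor (or an attacker with the password file) spot users who share a password without guessing anything, and how a per-user random salt with an iterated derivation (PBKDF2-HMAC-SHA256 from the standard library here) removes that equality while verification still works. The user directory and passwords are constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed value for the example; tune per deployment


def unsalted_hash(password: str) -> str:
    """The weak scheme: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, iterated hash. Returns (salt, derived_key); the salt is random per user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify(password: str, salt: bytes, dk: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, dk)


def duplicate_password_groups(records: dict[str, str]) -> list[set[str]]:
    """Given {user: unsalted_digest}, group users whose digests collide.

    With no salt, equal digests mean equal passwords, which is exactly the
    information leak the advisory describes.
    """
    by_digest: dict[str, set[str]] = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, set()).add(user)
    return [users for users in by_digest.values() if len(users) > 1]


# Constructed sample directory: two users happen to share a password.
USERS = {"alice": "Summer2005!", "bob": "Summer2005!", "carol": "correct horse"}


def unsalted_directory() -> dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}


def salted_directory() -> dict[str, tuple[bytes, bytes]]:
    return {user: make_record(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    print("users sharing a password (visible from unsalted digests):",
          duplicate_password_groups(unsalted_directory()))
    salted = salted_directory()
    print("alice and bob records equal with salt?", salted["alice"][1] == salted["bob"][1])
    print("alice verifies:", verify("Summer2005!", *salted["alice"]))
```

The salt need not be secret; it only has to be unique per record so that equal passwords no longer produce equal stored values and a single precomputed table cannot be reused across all accounts.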


  • 05.30.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SPI Dynamics WebInspect Cross Application Script Injection
  • Description: SPI Dynamics WebInspect is a commercial security scanner designed to find vulnerabilities in web applications. WebInspect is vulnerable to a cross-application script injection vulnerability due to a failure of the application to properly sanitize user-supplied data prior to including it in content rendered in an Internet Explorer COM object.
  • Ref: http://www.securityfocus.com/bid/14385

  • 05.30.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Netquery Multiple Remote Vulnerabilities
  • Description: Netquery is a PHP/SQL open-source toolkit of network information utilities. Netquery is affected by multiple remote vulnerabilities. Netquery version 3.1 is known to be vulnerable.
  • Ref: http://www.rgod.altervista.org/netquery.html

  • 05.30.24 - CVE: CAN-2005-2368
  • Platform: Cross Platform
  • Title: Vim ModeLines Further Variant Arbitrary Command Execution
  • Description: Vim is a text editor. It is susceptible to an arbitrary command execution vulnerability which can be caused by modifying a text file to include "ModeLines" containing the "glob()" or "expand()" functions with shell metacharacters. Vim version 6.3.082 is released to fix this issue.
  • Ref: http://www.securityfocus.com/advisories/8955

  • 05.30.25 - CVE: CAN-2005-1268
  • Platform: Cross Platform
  • Title: Apache mod_ssl CRL Handling Off-By-One Buffer Overflow
  • Description: mod_ssl is the implementation of SSL (Secure Socket Layer) for the Apache Web server. It is prone to an off-by-one buffer overflow condition when an instance of the server has been configured to use certificate revocation lists. This issue affects Apache versions 2.0.46 and 2.0.52.
  • Ref: http://www.securityfocus.com/bid/14366

  • 05.30.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sophos Anti-Virus Library Remote Heap Overflow
  • Description: Sophos Anti-Virus is virus scanning software. The library is vulnerable to an unspecified remote heap overflow issue due to insufficient boundary checks of user-supplied input. Sophos Anti-Virus versions 5.0.4 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14362

  • 05.30.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Greasemonkey Multiple Remote Information Disclosure Vulnerabilities
  • Description: Greasemonkey is a Firefox extension that allows users to create scripts to arbitrarily alter the functionality or rendered look of web sites. It is susceptible to multiple remote information disclosure issues due to a design error allowing insecure JavaScript functions to be executed by remote Web sites. Greasemonkey version 0.3.5 has been released to fix the issue.
  • Ref: http://www.securityfocus.com/bid/14336/references

  • 05.30.28 - CVE: CAN-2005-1849
  • Platform: Cross Platform
  • Title: Zlib Compression Library Decompression Denial of Service
  • Description: The Zlib compression library is an open source library designed for fast compression and decompression of data. It is susceptible to a denial of service vulnerability. This issue is due to a failure of the library to properly handle unexpected input to its decompression routines. Various operating systems using the Zlib library are reported to be affected.
  • Ref: http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=112208705631203&w=2

  • 05.30.29 - CVE: Not Available
  • Platform: Web Application
  • Title: BMForum Multiple Cross-Site Scripting Vulnerabilities
  • Description: BMForum is a web-based forum application written in PHP. BMForum is affected by multiple cross-site scripting vulnerabilities. BMForum versions 3.0 RC4 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14396

  • 05.30.30 - CVE: Not Available
  • Platform: Web Application
  • Title: PNG Counter Demo.PHP Cross-Site Scripting
  • Description: PNG Counter is a hit counter written in PHP. PNG Counter is affected by a cross-site scripting vulnerability. PNG Counter version 1.0 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14392

  • 05.30.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Advanced Guestbook User-Agent HTML Injection
  • Description: Advanced Guestbook is a guest book script written in PHP. It is prone to an HTML injection vulnerability caused by improper sanitization of user-supplied input. Advanced Guestbook version 2.3.3 is susceptible.
  • Ref: http://www.securityfocus.com/bid/14391

  • 05.30.32 - CVE: CAN-2005-2397
  • Platform: Web Application
  • Title: NETonE PHPBook Guestbook.PHP Cross Site Scripting
  • Description: NETonE PHPBook is a web-based guestbook application. It is prone to a cross-site scripting vulnerability caused due to improper sanitization of user-supplied input to the "admin" parameter of the "guestbook.php" script. NETonE GuestBook version 1.4.6 is vulnerable.
  • Ref: http://securitytracker.com/alerts/2005/Jul/1014573.html

  • 05.30.33 - CVE: CAN-2005-2326, CAN-2005-2324, CAN-2005-2322
  • Platform: Web Application
  • Title: Clever Copy Multiple Cross-Site Scripting Vulnerabilities
  • Description: Clever Copy is a web site portal and news posting system. Clever Copy is prone to multiple cross-site scripting vulnerabilities due to a failure in the application to properly sanitize user-supplied input to the "searchtype" and "searchterm" variables of the "results.php" and "categorysearch.php" scripts. Clever Copy versions 2.0a and 2.0 are susceptible.
  • Ref: http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.html

  • 05.30.34 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: VBZoom Forum Show.PHP SQL Injection
  • Description: VBZooM Forum is web forum software implemented in PHP. VBZooM Forum is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "SubjectID" parameter of the "show.php" script. VBZoom version 1.11 is reported to be affected.
  • Ref: http://www.securityfocus.com/bid/14383

  • 05.30.35 - CVE: CAN-2005-2386
  • Platform: Web Application
  • Title: CartWIZ ViewCart.ASP Cross Site Scripting
  • Description: CartWIZ is a shopping cart application prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "message" parameter of the "storeviewCart.asp" script. Elemental Software CartWIZ versions 1.20 and 1.10 are reported to be affected.
  • Ref: http://www.securityfocus.com/bid/14386

  • 05.30.36 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPFirstpost Block.PHP Remote File Include
  • Description: Phpfirstpost is a PHP web-log system. It is susceptible to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "Include" parameter of the "block.php" script.
  • Ref: http://www.securityfocus.com/archive/1/406371

  • 05.30.37 - CVE: CAN-2005-1691
  • Platform: Web Application
  • Title: SAP Internet Graphics Server Directory Traversal
  • Description: The Internet Graphics Server (IGS) is a subcomponent of the SAP R/3 enterprise environment. It is affected by a directory traversal vulnerability caused by improper sanitization of user-supplied input in the document path before retrieving documents. SAP Internet Graphics Server version 6.40 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/406375

  • 05.30.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Atomic Photo Album Remote File Include
  • Description: Atomic Photo Album is vulnerable to a remote file include issue due to insufficient sanitization of the "apa_module_basedir" parameter of the "apa_phpinclude.inc.php" script. Atomic Photo Album versions 1.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/406364

  • 05.30.39 - CVE: CAN-2005-2403
  • Platform: Web Application
  • Title: RealChat User Impersonation
  • Description: RealChat is a commercial chat server written in Java. It is susceptible to a user impersonation vulnerability. This issue is due to a design error in the application. RealChat Server version 3.5.1 b is reportedly affected.
  • Ref: http://seclists.org/lists/bugtraq/2005/Jul/0403.html

  • 05.30.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Beehive Forum Webtag Multiple SQL Injection Vulnerabilities
  • Description: Beehive Forum is web-based forum software. It is prone to multiple SQL injection vulnerabilities caused by improper sanitization of user-supplied input to the "webtag" parameter used in many scripts. Beehive Forum versions 0.6 RC2 and 0.6 RC1 are susceptible.
  • Ref: http://www.securityfocus.com/archive/1/406365

  • 05.30.41 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: Beehive Forum Webtag Multiple Cross-Site Scripting Vulnerabilities
  • Description: Beehive Forum is web-based forum software. It is prone to multiple cross-site scripting vulnerabilities due to improper sanitization of user-supplied input to the "webtag" parameter used in many scripts. Beehive Forum versions 0.6 RC2 and 0.6 RC1 are susceptible.
  • Ref: http://www.securityfocus.com/archive/1/406365

  • 05.30.42 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: Contrexx Multiple Input Validation Vulnerabilities
  • Description: Contrexx is a content management system. It is affected by multiple input validation vulnerabilities caused by failure of the application to properly sanitize user-supplied input to the search form and the blog aggregation, poll and gallery modules. An information disclosure issue also affects the application by which an attacker can obtain the application's version by accessing the "/config/version.xml" file. Contrexx versions prior to 1.0.5 are affected.
  • Ref: http://www.securityfocus.com/bid/14352

  • 05.30.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Sendcard SQL Injection
  • Description: Sendcard is an application for the creation of e-cards. It is vulnerable to an SQL injection issue due to insufficient sanitization of user supplied input to the "id" parameter of the "sendcard.php" script. Sendcard version 3.2.3 is vulnerable.
  • Ref: http://secunia.com/advisories/16165/

  • 05.30.44 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: PHP TopSites Setup.PHP Authentication Bypass
  • Description: PHP TopSites is a Web site ranking application written in PHP. It is prone to an authentication bypass vulnerability. An error in the authentication mechanism can permit attackers to bypass authentication and gain access to the vulnerable application. PRO PHP TopSites version 2.2 (both PRO and FREE) is reported to be vulnerable.
  • Ref: http://exploitlabs.com/files/advisories/EXPL-A-2005-012-PHPTopSites.txt

  • 05.30.45 - CVE: Not Available
  • Platform: Web Application
  • Title: ASN Guestbook Multiple Cross-Site Scripting Vulnerabilities
  • Description: ASN Guestbook, a web guestbook implemented in PHP is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "version" parameter of "header.php" and "footer.php" scripts. ASN Guestbook version 1.5 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14356

  • 05.30.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Ultimate PHP Remote HTML Injection Vulnerabilities
  • Description: Ultimate PHP is a site search engine. It is prone to multiple HTML injection issues due to a failure in the application to properly sanitize user-supplied input to the "User-Agent" HTTP Header field of the "index.php" and "register.php" scripts. Ultimate PHP Board versions 1.9.6 and earlier are affected.
  • Ref: http://www.rgod.altervista.org/upbgold196poc.php.txt

  • 05.30.47 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPSiteSearch Search.PHP Query Cross-Site Scripting
  • Description: PHPSiteSearch is a site search engine. Insufficient sanitization of the "query" parameter in the "search.php" script exposes the application to a cross-site scripting issue. PHPSiteSearch version 1.7.7d is affected.
  • Ref: http://www.rgod.altervista.org/PHPSiteSearch177dpoc.txt

  • 05.30.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Pyrox Search Newsearch.PHP Whatdoreplace Cross-Site Scripting
  • Description: Pyrox Search is a web-based search engine written in PHP. Pyrox Search is affected by a cross-site scripting vulnerability caused by insufficient sanitization of the "whatdoreplace" parameter of the "NEWSEARCH.php" script. Pyrox Search version 1.0.5 is known to be vulnerable.
  • Ref: http://www.rgod.altervista.org/pyroxsearchpoc.txt

  • 05.30.49 - CVE: CAN-2005-2392
  • Platform: Web Application
  • Title: CMSimple Index.PHP Search Cross-Site Scripting
  • Description: A cross-site scripting vulnerability affects CMSimple. This issue is due to a failure of the application to properly sanitize user-supplied input to the "search" variable of the "index.php" script. CMSimple Content Management System versions 2.4 and earlier are affected.
  • Ref: http://lostmon.blogspot.com/2005/07/cmsimple-search-variable-xss.html

  • 05.30.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Ultimate PHP Board Multiple Cross-Site Scripting Vulnerabilities
  • Description: Ultimate PHP Board is a site search engine. It is vulnerable to multiple cross-site scripting issues due to failure of the application to properly sanitize user-supplied input to the "css" parameter of the "top.php", "main.php", "send.php", and "users.php" scripts, as well as the "title" parameter in the "header.php" script. Ultimate PHP Board versions 1.9.6 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14348

  • 05.30.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Website Generator Remote Code Execution
  • Description: Website Generator is a web-based site generation tool. It is affected by a remote script code execution issue due to a failure of the application to properly sanitize ".jpeg" file extensions in the "img_library.php" script. Website Generator version 3.3 is affected.
  • Ref: http://www.rgod.altervista.org/pyroxsearchpoc.txt

  • 05.30.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Website Generator Multiple Cross Site Scripting Vulnerabilities
  • Description: Website Generator is a web-based site generation application. It is vulnerable to multiple cross-site scripting vulnerabilities due to insufficient sanitization of the "img_url" variable of the "img_popup.php" script, as well as the "theme" variable of the "colorpicker.php", "table.php", "td.php", "confirm.php", "a.php", and "banner_library.php" scripts. Website Generator versions 3.3 and earlier are reported to be vulnerable.
  • Ref: http://www.rgod.altervista.org/pyroxsearchpoc.txt

  • 05.30.53 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: dxxo Count Web Statistics Multiple SQL Injection Vulnerabilities
  • Description: dxxo Count Web Statistics is a web-based statistical gathering tool. It is affected by multiple SQL injection vulnerabilities that are caused by improper sanitization of user-supplied input to the "QDay", "QMonth" and "QYear" parameters of the "StatDay.asp", "StatMonth.asp" and "StatYear.asp" scripts.
  • Ref: http://www.securityfocus.com/bid/14341

  • 05.30.54 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Surveyor Multiple SQL Injection Vulnerabilities
  • Description: PHP Surveyor is a set of PHP scripts that interact with MySQL to develop surveys, publish surveys and collect responses to surveys. It is affected by multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input. PHP Surveyor version 0.98 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/405735

  • 05.30.55 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion BBcode Color Tag Code Injection
  • Description: PHP-Fusion is a lightweight open-source content management system written in PHP. PHP-Fusion fails to properly sanitize BBCode "[color]" tags in message posts. This issue can be exploited to inject certain CSS (Cascading Style Sheet) code into the browser of an unsuspecting user in the context of the affected site. PHP-Fusion versions 6.0 106 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14332

  • 05.30.56 - CVE: CAN-2005-2383
  • Platform: Web Application
  • Title: PHPNews Auth.PHP SQL Injection
  • Description: PHPNews is a web-based news reader application. It is prone to an SQL injection vulnerability due to a failure in the application to properly sanitize user-supplied input to the "user" parameter of the "auth.php" script. PHPNews versions 1.2.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/405768

  • 05.30.57 - CVE: Not Available
  • Platform: Web Application
  • Title: ReviewPost Showproduct.PHP Sort SQL Injection
  • Description: ReviewPost is a web-based application which allows users to post product reviews. Insufficient sanitization of the "sort" parameter in the "showproduct.php" script exposes the application to an SQL injection issue. ReviewPost version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/14335/info

  • 05.30.58 - CVE: Not Available
  • Platform: Network Device
  • Title: Siemens Santis 50 Wireless Router Web Interface Denial Of Service
  • Description: The Siemens Santis 50 Wireless router is a Wi-Fi (802.11b) ADSL router. Its web interface is affected by a remote denial of service vulnerability. This bug provides access to the management CLI, without authentication, after a DoS attack on a specific service port. The Siemens Santis 50 Wireless router with firmware version 4.2.8.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/406379

  • 05.30.59 - CVE: CAN-2005-2391
  • Platform: Network Device
  • Title: 3Com OfficeConnect Wireless 11g Access Point Remote Information Disclosure
  • Description: 3Com OfficeConnect Wireless 11g Access Point is reported to be prone to an information disclosure vulnerability. It is likely that this issue arises from an access validation error. 3Com OfficeConnect Wireless 11g Access Point 3CRWE454G72 firmware versions prior to 1.03.12 are reported to be prone to this vulnerability.
  • Ref: http://secunia.com/advisories/16207

  • 05.30.60 - CVE: Not Available
  • Platform: Network Device
  • Title: ECI Telecom B-FOCuS Router 312+ Unauthorized Access
  • Description: ECI Telecom B-FOCuS Router 312+ is an Ethernet Port 10/100 ADSL2+ router-firewall device. B-FOCuS Router 312+ is affected by an unauthorized access vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/406372

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.