
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 31
August 5, 2005

Another critical problem with Computer Associates software. An earlier (2005) CA BrightStor backup software flaw is being actively exploited in substantial attacks.

A great quote from this week's SANS Washington security training week. One of the folks in the Securing Wireless class said "This is the first course I have ever been to that, at the end of *every* day, I want to rush back to the office to implement what I learned." That's also the SANS promise - you'll be able to put what you learn to work - in every SANS course - immediately when you return to work. You have two big training week opportunities coming up: New Orleans, San Jose, and smaller ones in New York, Ottawa, Long Beach, Virginia Beach, Tokyo, and Barcelona - all in the next 3 months. See http://www.sans.org for details. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category: # of Updates & Vulnerabilities
    • Other Microsoft Products: 1
    • Third Party Windows Apps: 5 (#1)
    • Mac Os: 1
    • Linux: 3
    • Unix: 1 (#3, #4)
    • Cross Platform: 14
    • Web Application: 27
    • Network Device: 2 (#2)


Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Unix
Cross Platform
Web Application
Network Device


PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) MODERATE: Cisco IOS IPv6 Processing Flaw
  • Affected:
    • Cisco IOS versions 12.x and Cisco IOS XR configured for IPv6 support
  • Description: This vulnerability in the Cisco IOS can be exploited to cause a denial-of-service or potentially execute arbitrary code on a device running a vulnerable version of the IOS. The flaw can be triggered by a malformed IP version 6 packet that must originate from the same subnet as the vulnerable device. In addition, the device must be specifically configured to allow IPv6 traffic. ISS X-Force has claimed that it has verified exploitation using link-local addresses. This implies that the vulnerability is potentially triggered by malformed ICMPv6 packets. No further technical details have been posted.

  • Status: Cisco has released IOS updates for all the affected versions.

  • Council Site Actions: Only three of the reporting sites are using IPv6 at this point. One site is still in pre-development evaluation and plans to update patches during the next standard update process. The second site is using IPv6 in lab environments. They are running a scan of their lab space to determine whether any of the lab devices are configured for IPv6. Any IPv6 devices discovered will be updated to the latest version of IOS. The third site updated all their affected devices on August 1st.

Other Software
  • (3) HIGH: jabberd Multiple Buffer Overflows
  • Affected:
    • Jabberd versions prior to 2.0s9
  • Description: Jabber is an open-source protocol mainly used for instant messaging. jabberd, the Jabber server for Unix systems, reportedly contains multiple buffer overflows in processing JID (jabber ID). An attacker can provide an overlong username, hostname or resource to trigger the overflows, and exploit the flaws to possibly execute arbitrary code on the jabber server. An example of a malicious message has been posted by the discoverer.

  • Status: Vendor confirmed, upgrade to version 2.0s9. If Jabber is used only internally in an organization, block port 5222/tcp at the network perimeter.

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 31, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4453 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.31.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft ActiveSync Network Synchronization Multiple Vulnerabilities
  • Description: Microsoft ActiveSync is software designed to synchronize with various mobile devices. Several specific issues have been identified with the network synchronization protocol used by Microsoft ActiveSync. Please refer to the advisory for specifics about these issues. These issues combine to allow remote attackers to gain access to potentially sensitive information. Attackers may also alter or destroy data by simulating the synchronization protocol, or crash the ActiveSync service.
  • Ref: http://www.securityfocus.com/bid/14457

  • 05.31.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ProRat Server Remote Buffer Overflow
  • Description: ProRat Server is a remote administration application for Microsoft Windows platforms. It is affected by a remote buffer overflow vulnerability that presents itself when an excessively long null ping command is sent to the server process. An attacker can supply a command of approximately 640 bytes to corrupt process memory. ProRat Server version 1.9 Fix2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/14458

  • 05.31.3 - CVE: CVE-MAP-NOMATCH
  • Platform: Third Party Windows Apps
  • Title: Quick 'n Easy FTP Server User Command Buffer Overflow
  • Description: Pablo Software Solutions Quick'n Easy FTP Server is a Microsoft Windows based FTP Server. It is prone to a remotely exploitable buffer overflow that may be triggered by a client through an overly long argument for the USER command. Quick 'n Easy FTP Server version 3.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/407083

  • 05.31.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Shiny Entertainment Sacrifice Remote Arbitrary Code Execution Vulnerabilities
  • Description: Shiny Entertainment Sacrifice is a network enabled strategy game. Sacrifice is affected by multiple remote arbitrary code execution vulnerabilities. These issues include a remote buffer overflow and a remote format string vulnerability. These vulnerabilities allow remote attackers to modify arbitrary memory locations, resulting in the control of program execution, leading to the ability to execute arbitrary machine code in the context of the affected server.
  • Ref: http://aluigi.altervista.org/adv/sacrifice-adv.txt

  • 05.31.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: NetCPlus BusinessMail Multiple Remote Buffer Overflow Vulnerabilities
  • Description: NetCPlus BusinessMail is an email server. Insufficient sanitization of the SMTP "HELO" and "MAIL FROM" commands exposes the application to a buffer overflow issue. BusinessMail version 4.60 is affected.
  • Ref: http://www.securityfocus.com/bid/14434

  • 05.31.6 - CVE: CVE-2002-1552
  • Platform: Third Party Windows Apps
  • Title: Novell eDirectory NMAS Authentication Bypass Vulnerability
  • Description: eDirectory is a directory server software package distributed by Novell for the Microsoft Windows platform. It is vulnerable to an issue that could result in unauthorized access to a user's account. An unauthorized attacker could exploit this issue to gain access to a user's account. eDirectory NMAS versions earlier than 2.3.8 are affected.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971485.htm

  • 05.31.7 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X Font Book Font Collection Buffer Overflow
  • Description: Apple Mac OS X contains support for handling font collections with the Font Book application. It is reported to be vulnerable to a buffer overflow issue due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/14445

  • 05.31.8 - CVE: CAN-2005-1854
  • Platform: Linux
  • Title: Debian Apt-Cacher Remote Command Execution
  • Description: Debian apt-cacher is a caching system. It is affected by a remote command execution issue due to insufficient sanitization of user-supplied data. Debian apt-cacher version 0.9.4 sarge1 is released to fix this issue.
  • Ref: http://www.securityfocus.com/bid/14459

  • 05.31.9 - CVE: CVE-MAP-NOMATCH
  • Platform: Linux
  • Title: Kismet Multiple Unspecified Remote Vulnerabilities
  • Description: Kismet is a wireless sniffer and network detection tool. It is prone to three unspecified remote vulnerabilities. It is believed that these issues are memory corruption vulnerabilities related to parsing of wireless network traffic, though this has not been confirmed. Kismet versions 3.1.0 and earlier are susceptible.
  • Ref: http://www.securityfocus.com/bid/14430

  • 05.31.10 - CVE: CAN-2005-2370
  • Platform: Linux
  • Title: EKG Libgadu Multiple Memory Alignment Remote Denial of Service Vulnerabilities
  • Description: EKG is a console Gadu Gadu client. EKG comes with the libgadu library that implements the Gadu-Gadu protocol. EKG libgadu is susceptible to multiple remote denial of service vulnerabilities. These issues are likely due to a failure of the application to properly handle exception conditions. A malformed incoming message can trigger a bus error and lead to a crash.
  • Ref: http://www.securityfocus.com/bid/14415

  • 05.31.11 - CVE: Not Available
  • Platform: Unix
  • Title: No-Brainer SMTP Client Log_Msg() Remote Format String
  • Description: nbSMTP (no-brainer SMTP) is an SMTP client. Improper sanitization of user-supplied data in the "msg_log()" function exposes the application to a remote format string issue. nbSMTP version 1.0 has been released to fix this issue.
  • Ref: http://www.securityfocus.com/bid/14441

  • 05.31.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GXT Editor Buffer Overflow
  • Description: GXT Editor is a text editor designed to view GXT files generated by Grand Theft Auto: San Andreas. It is reported to be vulnerable to a buffer overflow issue due to improper sanitization of boundary checks. GXT Editor version 1.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14462

  • 05.31.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Metasploit Framework MSFWeb Defanged Mode Restriction Bypass
  • Description: Metasploit Framework is a tool for penetration testing and exploit development. It is reported to be vulnerable to a restriction bypass issue in msfweb due to improper implementation of access control restrictions. Metasploit Framework versions 2.4 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14455

  • 05.31.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: nCipher CHIL Random Cache Leakage
  • Description: CHIL is the cryptographic Hardware Interface Library offered by nCipher. It is affected by a random cache leakage vulnerability. This issue is due to a design error. All current versions are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14452

  • 05.31.15 - CVE: CAN-2005-1018
  • Platform: Cross Platform
  • Title: Computer Associates BrightStor ARCserve Backup Remote Buffer Overflow
  • Description: Computer Associates BrightStor ARCserve Backup and BrightStor Enterprise Backup Agents for Windows are vulnerable to a remote stack-based buffer overflow issue due to a failure of the application to perform proper bounds checking on data sent to port 6070. A remote attacker may exploit this issue to execute arbitrary code on a vulnerable computer.
  • Ref: http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities

  • 05.31.16 - CVE: CVE-MAP-NOMATCH
  • Platform: Cross Platform
  • Title: Immunity CANVAS Unspecified Remote Vulnerability
  • Description: Immunity CANVAS is a commercial tool for penetration testing and exploit development. It is prone to an unspecified vulnerability likely exploited by returning malicious data to the application in unknown network connections, causing arbitrary code to be executed in the context of the scanning application.
  • Ref: http://www.securityfocus.com/bid/14446

  • 05.31.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Metasploit Framework Unspecified Vulnerability
  • Description: Metasploit Framework is a tool for penetration testing and exploit development. It is affected by a remote unspecified vulnerability. Metasploit Framework versions 2.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14431

  • 05.31.18 - CVE: CVE-MAP-NOMATCH
  • Platform: Cross Platform
  • Title: BusinessObjects Enterprise/Crystal Reports Server Unspecified Denial of Service
  • Description: BusinessObjects Enterprise and Crystal Reports Server are prone to an unspecified remote denial of service vulnerability. This issue affects those who are using the software to permit reports to be viewed over the Web. BusinessObjects Enterprise/Crystal Reports Server version XI is affected.
  • Ref: http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june05.asp

  • 05.31.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Jabber Studio JabberD Multiple Remote Buffer Overflow Vulnerabilities
  • Description: Jabber Studio jabberd is an open-source project implementing the Jabber instant messaging protocol. It is affected by multiple remote buffer overflow issues because the application fails to perform boundary checks prior to copying user-supplied data into process buffers. An attacker may leverage these issues to execute arbitrary code on a computer with the privileges of the server process. Jabberd versions 2.0s8 and earlier are vulnerable.
  • Ref: http://j2.openaether.org/bugzilla/show_bug.cgi?id=99

  • 05.31.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL Eventum Multiple SQL Injection Vulnerabilities
  • Description: MySQL Eventum is a software bug-tracking application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user supplied input to the "report", "release" and "auth" classes. MySQL AB Eventum versions 1.5.5 are reported to be vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00093-07312005

  • 05.31.21 - CVE: CVE-MAP-NOMATCH
  • Platform: Cross Platform
  • Title: HP NonStop Server DCE Core Services Remote Denial of Service
  • Description: HP NonStop Server is an application server providing DCE Core Services. The DCE Core Services are affected by a remote denial of service vulnerability caused when a NonStop Server running T8403 DCE Core Services handles remote malformed client requests that originate from non-DCE clients. HP NonStop Servers running T8403 DCE Core Services revision ABH or prior on G06.14 through G06.26 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14418

  • 05.31.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LibTiff Tiff Image Header Divide By Zero Denial of Service
  • Description: LibTIFF is a library designed to facilitate the reading and manipulation of Tag Image File Format (TIFF) files. It is reported to be vulnerable to a denial of service issue due to improper sanitization of "YCBCr subsampling" value in TIFF image header. LibTIFF version 3.6.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14417

  • 05.31.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Thomson Web Skill Vantage Manager SQL Injection
  • Description: Thomson Web Skill Vantage Manager is online training software. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the login page. Thomson NETg Web Skill Vantage Manager version 2.5 is susceptible.
  • Ref: http://www.securityfocus.com/bid/14409

  • 05.31.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Image Dragging Cross-Domain Scripting and File Retrieval
  • Description: Opera is a web browser available for a number of platforms. It is affected by an issue which may allow an attacker to carry out cross-domain scripting attacks and retrieve files from the local computer. Opera Web Browser versions 8.02 and earlier are affected.
  • Ref: http://www.opera.com/windows/changelogs/802/

  • 05.31.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Browser Content-Disposition Header Download Dialog File Extension Spoofing
  • Description: Opera Web Browser is vulnerable to an issue that could allow remote attackers to spoof file extensions through the download dialog. A remote attacker could exploit this issue to execute arbitrary files on a vulnerable system. Opera Web Browser versions earlier than 8.02 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14402

  • 05.31.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Naxtor Shopping Cart Cross-Site Scripting
  • Description: Naxtor Shopping Cart is an online shopping application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user supplied input to the "email" parameter of the "lost_password.php" script. Naxtor Cart Standard Edition and Professional Edition version 1.0 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/407104

  • 05.31.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Naxtor Shopping Cart Shop_Display_Products.PHP SQL Injection
  • Description: Naxtor Shopping Cart is a Web based shopping cart application. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "cat_id" parameter of the "shop_display_products.php" script. A remote attacker could exploit this issue to compromise the application. Naxtor Shopping Cart version 1.0 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/407104

  • 05.31.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Fusebox Index.CFM Cross-Site Scripting
  • Description: Fusebox is a standard framework for building ColdFusion and PHP Web applications. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "fuseaction" parameter of "index.cfm". An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. Fusebox versions 4.1.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14460/info

  • 05.31.29 - CVE: Not Available
  • Platform: Web Application
  • Title: AderSoftware CFBB Index.CFM Cross-Site Scripting
  • Description: CFBB is a web forum software implemented in Cold Fusion. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "page" parameter of "index.cfm" script. AderSoftware CFBB version 1.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14440

  • 05.31.30 - CVE: Not Available
  • Platform: Web Application
  • Title: ChurchInfo Multiple SQL Injection Vulnerabilities
  • Description: ChurchInfo is Web software to help churches track members, families, groups, pledges and payments; it is implemented in PHP. ChurchInfo is prone to multiple SQL injection vulnerabilities. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
  • Ref: http://www.securityfocus.com/archive/1/406959

  • 05.31.31 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: PHPFreeNews Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHPFreeNews is a web-based news application. It is affected by multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the following script and parameter pairs: "Footer.php" - "ScriptVersion", "ScriptFunctions.php" - "NewsDir", "ScriptFunctions.php" - "PopupWidth" and "ScriptFunctions.php" - "PopupHeight". PHPFreeNews versions 1.32 and earlier are susceptible.
  • Ref: http://www.securityfocus.com/bid/14439

  • 05.31.32 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPFreeNews Admin Login SQL Injection
  • Description: PHPFreeNews is a web-based news application. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "password" parameter of the "Admin" login. A remote attacker could exploit this issue to compromise the application. PHPFreeNews versions 1.32 and earlier are vulnerable.
  • Ref: http://rgod.altervista.org/flex.html

  • 05.31.33 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenBook Admin.PHP SQL Injection
  • Description: OpenBook is a guestbook application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user supplied input to the "password" and "userid" variables of the "admin.php" script. OpenBook version 1.2.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/406954

  • 05.31.34 - CVE: Not Available
  • Platform: Web Application
  • Title: MySQL Eventum Multiple Cross-Site Scripting Vulnerabilities
  • Description: MySQL Eventum is designed to be a software bug-tracking application. It is reported to be vulnerable to multiple cross-site scripting issues due to improper sanitization of user-supplied input to the "id" parameter of "view.php" script. MySQL AB Eventum versions 1.5.5 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14436

  • 05.31.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Simplicity oF Upload Download.PHP Remote File Include
  • Description: Simplicity oF Upload is susceptible to a remote file include vulnerability. Insufficient sanitization of the "language" parameter in the "download.php" script exposes the application to a remote file include vulnerability. Simplicity oF Upload version 1.3 is affected.
  • Ref: http://rgod.altervista.org/simply.html

  • 05.31.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Kayako LiveResponse Multiple Input Validation Vulnerabilities
  • Description: Kayako LiveResponse is a Web-based live help desk support application. It is vulnerable to multiple cross-site scripting, SQL injection, and HTML injection issues due to input validation errors. A remote attacker could exploit these issues to compromise the software or attack the underlying database. Kayako LiveResponse version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/406914

  • 05.31.37 - CVE: Not Available
  • Platform: Web Application
  • Title: PluggedOut CMS Multiple Input Validation Vulnerabilities
  • Description: PluggedOut CMS is a web-based content management system. It is reported to be vulnerable to multiple cross-site scripting and SQL injection issues due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/14426

  • 05.31.38 - CVE: Not Available
  • Platform: Web Application
  • Title: PC-Experience/Toppe PM.PHP Cross-Site Scripting
  • Description: PC-Experience is a content management system and Toppe is a derivative of PC-Experience. Both are vulnerable to cross-site scripting attacks due to insufficient sanitization of URI input with the "$msg" parameter of the "pm.php" script. Toppe CMS and PC-Experience versions 2.0 and 1.15 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/406915

  • 05.31.39 - CVE: Not Available
  • Platform: Web Application
  • Title: PC-Experience/Toppe Unauthorized User Access Vulnerability
  • Description: PC-Experience is a content management system that is implemented in PHP. It is reported to be vulnerable to unauthorized user access to arbitrary user accounts due to an access validation error related to cookie authentication. PC-Experience versions 2.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14427

  • 05.31.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Ragnarok Online Control Panel Authentication Bypass
  • Description: Ragnarok Online Control Panel (ROCP) is prone to a vulnerability that may let remote attackers bypass user authentication. This issue is related to how PHP variables are handled, letting an attacker influence a variable that is used to check user authentication. Exploitation could yield administrative access to the ROCP site.
  • Ref: http://www.securityfocus.com/archive/1/406921

  • 05.31.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Easypx41 Multiple Cross-Site Scripting Vulnerabilities
  • Description: Easypx41 is a web-based portal creation application. It is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "members" parameter of the "viewprofil.php" script, and the "forum" parameter of the "viewtopic.php" script. Easypx41 version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/14416

  • 05.31.42 - CVE: Not Available
  • Platform: Web Application
  • Title: @Mail Multiple Cross-Site Scripting Vulnerabilities
  • Description: @Mail is a web-based application to access email. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user supplied input. @Mail versions 4.11 and 4.03 are reported to be vulnerable.
  • Ref: http://lostmon.blogspot.com/2005/07/mail-multiple-variable-cross-site.html

  • 05.31.43 - CVE: Not Available
  • Platform: Web Application
  • Title: VBZooM Forum Multiple Cross-Site Scripting Vulnerabilities
  • Description: VBZooM is web forum software. Insufficient sanitization of the "UserName" parameter of the "profile.php" script and the "UserID" parameter of the "login.php" script exposes the application to multiple cross-site scripting issues. VBZoom versions 1.11 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14423

  • 05.31.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Easypx41 Multiple Variable Injection Vulnerabilities
  • Description: Easypx41 is a web-based Web site creation application written in PHP. Easypx41 is prone to multiple variable injection vulnerabilities. An attacker can manipulate multiple script input variables and bypass access controls to retrieve sensitive and privileged information.
  • Ref: http://www.securityfocus.com/bid/14416

  • 05.31.45 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: Ung Arbitrary Email Header Injection
  • Description: UNG is a directory browser which creates a hierarchy of categories and pictures. It is prone to a vulnerability regarding the injection of arbitrary email headers, and subsequently allows uncontrolled delivery of Web based email submissions. UNG Not Gallery version 20050502 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14422

  • 05.31.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Gforge Multiple Cross-Site Scripting Vulnerabilities
  • Description: Gforge is a source code management application written in PHP. Gforge is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize input variables. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
  • Ref: http://www.securityfocus.com/bid/14405

  • 05.31.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Website Baker Browse.PHP Cross-Site Scripting Vulnerability
  • Description: Website Baker is an open source content management system. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "dir" parameter of "admin/media/browse.php". An attacker may leverage this issue to steal cookie-based authentication credentials or perform other attacks. Website Baker version 2.5.2 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/14404

  • 05.31.48 - CVE: Not Available
  • Platform: Web Application
  • Title: UseBB BBcode Color Tag Code Injection
  • Description: UseBB BBcode is a bulletin board system. It is reported to be vulnerable to a code injection issue due to improper sanitization of "[color]" tags in message posts.
  • Ref: http://www.securityfocus.com/bid/14412

  • 05.31.49 - CVE: Not Available
  • Platform: Web Application
  • Title: UseBB Search SQL Injection
  • Description: UseBB is a web bulletin board application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user supplied input when using the search function. UseBB versions 0.5.1a and later resolve this issue.
  • Ref: http://www.securityfocus.com/bid/14413

  • 05.31.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Clever Copy Private Message Unauthorized Access
  • Description: Clever Copy is a web and news portal application. It is vulnerable to an unauthorized access issue due to insufficient authentication before granting access to private message functions. Clever Copy versions 2.0a and 2.0 are vulnerable.
  • Ref: http://lostmon.blogspot.com/2005/07/clever-copy-unauthorized-read-delete.html

  • 05.31.51 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPList Admin Page SQL Injection
  • Description: PHPList is a web-based utility to manage personalized mailing and customer lists. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "id" parameter of "public_html/lists/admin/?page=admin".
  • Ref: http://www.securityfocus.com/bid/14403

  • 05.31.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Website Baker Arbitrary File Upload
  • Description: Website Baker is a content management application. It is vulnerable to an arbitrary file upload issue due to improper verification of the extension of the uploaded media files. Website Baker version 2.5.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/14406

  • 05.31.53 - CVE: CAN-2005-0195
  • Platform: Network Device
  • Title: Cisco IOS IPv6 Processing Arbitrary Code Execution
  • Description: A remote arbitrary code execution vulnerability affects the IPv6 processing functionality of Cisco IOS. The problem presents itself when an affected device running a vulnerable version of IOS attempts to process a specially crafted IPv6 packet from the local segment received on logical and physical interfaces. Please refer to the Cisco advisory below for details.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

  • 05.31.54 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys WRT54G Wireless Router Default SSL Certificate
  • Description: The Linksys WRT54G is a wireless router appliance, developed to meet 54Mbps wireless networking standards. Linksys WRT54G wireless routers contain a default SSL certificate and private key. This issue can allow an attacker to carry out man in the middle attacks and ultimately compromise the device.
  • Ref: http://www.securityfocus.com/bid/14407

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.


Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.