@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 32
August 12, 2005

Although Symantec's Veritas shows up again on the high risk list (#4) with no patch, this week was dominated by Microsoft telling us more ways that their products put us at immediate risk. (#1, #2, #3) Some analysts expect a worm to exploit one of the Microsoft vulnerabilities (#1), but the attackers have moved past worms to use widespread new vulnerabilities in stealth mode to take over hundreds of thousands of systems without announcing their presence the way a worm would. Also if you were an early downloader of one of the Microsoft patches (#2, Special Note), you'll need to do it again because the first one had problems.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     8 (#1, #2, #3, #4, #6)
    Third Party Windows Apps    1 (#5, #8)
    Mac OS                      1
    Linux                       2
    Solaris                     1
    Unix                        1
    Cross Platform              6
    Web Application             39 (#7)
    Network Device              2

************************************************************************* Announcing the SANS Advisor

A newsletter that gets straight to the point with tips and breaking news on IT Security, Audit, and Privacy. Volume 1, Number 2 is complimentary and available for downloading from: http://www.sans.org/newsletters/advisor/1.2.pdf. If you enjoy SANS Advisor and want to make sure you are notified when the next edition comes out, sign up at http://www.sans.org/newsletters

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
Solaris
Unix
Cross Platform
Web Application
Network Device

************************* Sponsored Link *******************************

1) Solve remote connectivity and security problems. FREE Top 10 Malware Protection Techniques for Remote Access Connections. http://www.sans.org/info.php?id=843

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Windows Plug and Play Service Buffer Overflow (MS05-039)
  • Affected:
    • Windows 2000/XP/2003
  • Description: The Windows Plug and Play service is designed to detect new hardware devices connected to a computer. The service is started by default on all Windows 2000/XP/2003 systems and is reachable remotely via the "ntsvcs" named pipe on ports 139/tcp or 445/tcp. This service contains a stack-based buffer overflow that can be triggered by an RPC message invoking function #54 and exploited to execute arbitrary code with "SYSTEM" privileges. Windows 2000 systems are critically affected, as any anonymous user can connect remotely to this service and trigger the overflow. Windows XP and 2003 systems require user authentication before the overflow can be leveraged. Multiple exploits have been posted and seen in the wild. The exploit seen in the wild also attempts certain RPC "evasions" to bypass IDS/IPS systems. A worm targeting Windows 2000 systems can be expected soon.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-039. A workaround is to block ports 139/tcp and 445/tcp at the network perimeter. Note that last year's Sasser worm exploited a similar vulnerability in the LSASS service.

  • Council Site Actions: All council sites are responding to all Microsoft items. For this item, most plan to deploy the patch during their next regularly scheduled system update process (for some sites that is next week). Several sites are expediting the patch on this item and have already deployed it or will do so as soon as they are done with their QA process.

  • References:
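Items (1) and (3) both describe services reached over a named pipe on 139/445, and item (1) notes that the in-the-wild exploit uses RPC "evasions" against IDS/IPS. The following is an added defender-side example, not code from the bulletin or from Microsoft: it decodes DCE/RPC connection-oriented request headers as laid out in the DCE 1.1 RPC specification, reassembles fragmented calls per call_id, and flags calls that reach function #54 together with the evasion indicators an inspection engine has to cope with (fragmentation and non-standard byte order). The sample PDUs and their stub filler are constructed for the demonstration, and the binding of the session to the "ntsvcs" interface is assumed rather than decoded.

```python
"""Decode DCE/RPC connection-oriented request PDUs and report calls that
reach the opnum the bulletin names (function #54 of the Plug and Play
interface). Constructed sample PDUs only; stub bytes are filler."""
import struct

PTYPE_REQUEST = 0x00
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_OBJECT_UUID = 0x80
PNP_OVERFLOW_OPNUM = 54  # function #54 from the MS05-039 write-up above


def parse_rpc_request(pdu: bytes) -> dict:
    """Parse the 16-byte common header and, for request PDUs, the 8-byte
    request header (alloc_hint, context id, opnum). Byte order is taken
    from packed_drep rather than assumed, so a big-endian PDU still decodes."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the common header")
    vers, ptype, flags, drep0 = pdu[0], pdu[2], pdu[3], pdu[4]
    if vers != 5:
        raise ValueError("not a DCE/RPC connection-oriented PDU (rpc_vers != 5)")
    endian = "<" if (drep0 & 0xF0) == 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    hdr = {"ptype": ptype, "flags": flags, "little_endian": endian == "<",
           "frag_length": frag_length, "call_id": call_id,
           "opnum": None, "context_id": None, "stub": b""}
    if ptype != PTYPE_REQUEST:
        return hdr
    if len(pdu) < 24:
        raise ValueError("request PDU shorter than the request header")
    _alloc_hint, context_id, opnum = struct.unpack(endian + "IHH", pdu[16:24])
    body = 24 + (16 if flags & PFC_OBJECT_UUID else 0)  # optional object UUID
    end = min(frag_length, len(pdu))
    if auth_length:
        end -= auth_length + 8  # auth verifier plus its 8-byte sec_trailer
    hdr.update(opnum=opnum, context_id=context_id, stub=pdu[body:max(body, end)])
    return hdr


class RpcCallTracker:
    """Reassemble request fragments per call_id (an engine that inspects
    only the first fragment misses the rest) and report each complete call.
    Assumes all PDUs come from one named-pipe session, e.g. "ntsvcs"."""

    def __init__(self, opnum_of_interest: int = PNP_OVERFLOW_OPNUM):
        self.opnum_of_interest = opnum_of_interest
        self._calls = {}  # call_id -> partial reassembly state

    def feed(self, pdu: bytes):
        h = parse_rpc_request(pdu)
        if h["ptype"] != PTYPE_REQUEST:
            return None
        rec = self._calls.setdefault(h["call_id"], {
            "opnum": h["opnum"], "stub": bytearray(), "fragments": 0, "evasions": set()})
        rec["fragments"] += 1
        rec["stub"] += h["stub"]
        if not h["little_endian"]:
            rec["evasions"].add("big-endian-drep")
        if h["opnum"] != rec["opnum"]:
            rec["evasions"].add("opnum-changed-mid-call")
        if not (h["flags"] & PFC_LAST_FRAG):
            return None  # wait for the remaining fragments
        if rec["fragments"] > 1:
            rec["evasions"].add("fragmented")
        del self._calls[h["call_id"]]
        return {"call_id": h["call_id"], "opnum": rec["opnum"],
                "stub_len": len(rec["stub"]), "fragments": rec["fragments"],
                "evasions": sorted(rec["evasions"]),
                "hit": rec["opnum"] == self.opnum_of_interest}


def build_request(call_id, opnum, stub, flags, little_endian=True):
    """Build a request PDU for the sample run (constructed data, no auth trailer)."""
    e = "<" if little_endian else ">"
    drep = b"\x10\x00\x00\x00" if little_endian else b"\x00\x00\x00\x00"
    common = struct.pack("BBBB", 5, 0, PTYPE_REQUEST, flags) + drep
    common += struct.pack(e + "HHI", 24 + len(stub), 0, call_id)
    return common + struct.pack(e + "IHH", len(stub), 0, opnum) + stub


def sample_events():
    """Feed three constructed PDUs: a benign single-fragment call to opnum 2,
    then one call to opnum 54 split into two big-endian fragments."""
    tracker = RpcCallTracker()
    pdus = [
        build_request(1, 2, b"\x00" * 8, PFC_FIRST_FRAG | PFC_LAST_FRAG),
        build_request(2, PNP_OVERFLOW_OPNUM, b"A" * 32, PFC_FIRST_FRAG, little_endian=False),
        build_request(2, PNP_OVERFLOW_OPNUM, b"A" * 32, PFC_LAST_FRAG, little_endian=False),
    ]
    return [ev for ev in map(tracker.feed, pdus) if ev is not None]


if __name__ == "__main__":
    for event in sample_events():
        print(event)
```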
  • (3) CRITICAL: Windows Spooler Service Buffer Overflow (MS05-043)
  • Affected:
    • Windows 2000/XP/2003
  • Description: The Windows print spooler service (spoolsv.exe) is responsible for tasks related to printing, such as scheduling print jobs and sending data to the printer. This service is started by default and is reachable remotely via the "spoolss" named pipe on ports 139/tcp and 445/tcp. This service contains a buffer overflow that can be exploited to execute arbitrary code with "SYSTEM" privileges. Windows 2000 and Windows XP SP1 are critically affected, as any anonymous user can remotely connect to this service and trigger the overflow. Windows XP and 2003 systems require user authentication before the overflow can be leveraged and are therefore affected to a lesser degree. No technical details have been posted yet.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-043. A workaround is to block the ports 139/tcp and 445/tcp at the network perimeter. Additional ports associated with the printing service that can be blocked from the Internet are listed here: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/d58ce7b9-49cf-4f5e-95e9-1ade005c13e0.mspx

  • Council Site Actions: All council sites are responding to all Microsoft items. For this item, most plan to deploy the patch during their next regularly scheduled system update process (for some sites that is next week). Several sites are expediting the patch on this item and have already deployed it or will do so as soon as they are done with their QA process.

  • References:
  • (6) LOW: Microsoft RDP DoS Vulnerability (MS05-041)
  • Affected:
    • Windows 2000 Server/XP/2003
  • Description: Remote Desktop Protocol (RDP) creates a virtual session with a Windows desktop that can be used to access all the data and applications residing on that desktop. Microsoft's RDP implementation contains a denial-of-service vulnerability that can be triggered by a malformed RDP packet. Both Microsoft and eEye researchers have confirmed that the flaw cannot be exploited to execute arbitrary code. Exploit code has been publicly posted. Note that the RDP service is not enabled by default on Windows systems, except on the XP Media Center edition.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-041. Block port 3389/tcp at the network perimeter to prevent any attacks from the Internet. Disable RDP service if not required.

  • Council Site Actions: All council sites are responding to all Microsoft items. For this item, most plan to deploy the patch during their next regularly scheduled system update process (for some sites that is next week).

  • References:
Other Software
Patches
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 32, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4467 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.32.1 - CVE: CAN-2005-1982
  • Platform: Windows
  • Title: Microsoft Windows Kerberos PKINIT Man In The Middle
  • Description: Microsoft Windows contains support for authentication using the Kerberos protocol. The PKINIT implementation of Kerberos in Microsoft Windows is vulnerable to a man in the middle issue due to a failure of the software to properly validate network data. An attacker could exploit this issue to sniff sensitive information from wire traffic.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx

  • 05.32.2 - CVE: CAN-2005-1981
  • Platform: Windows
  • Title: Microsoft Windows Kerberos Denial of Service
  • Description: Microsoft Windows contains support for authentication using the Kerberos protocol. It is reported to be vulnerable to a denial of service issue. The issue presents itself when an attacker sends specially crafted packets to the service on TCP or UDP port 88. An attacker requires valid logon credentials to exploit this vulnerability.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-042.mspx

  • 05.32.3 - CVE: CAN-2005-0058
  • Platform: Windows
  • Title: Microsoft Windows Telephony Service Buffer Overflow
  • Description: Microsoft Windows Telephony Service supports the Telephony Application Programming Interface. It is vulnerable to a buffer overflow issue due to insufficient boundary checking with user supplied data passed to "tapisrv.dll".
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-040.mspx

  • 05.32.4 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Internet Explorer Unspecified ActiveX Vulnerability
  • Description: Microsoft Internet Explorer is affected by an unspecified vulnerability in the SharePoint Portal Service Log Sink ActiveX control. Microsoft Internet Explorer versions 6.0 SP2 and earlier are known to be vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx

  • 05.32.5 - CVE: CAN-2005-1984
  • Platform: Windows
  • Title: Microsoft Windows Print Spooler Buffer Overflow
  • Description: The Microsoft Windows Print Spooler service manages printing processes. This service is prone to a buffer overflow vulnerability. This vulnerability facilitates local privilege escalation and unauthorized remote access depending on the underlying operating system.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-043.mspx

  • 05.32.6 - CVE: CAN-2005-1989
  • Platform: Windows
  • Title: Microsoft Internet Explorer Web Folder Behaviors Cross-Domain Scripting
  • Description: Microsoft Internet Explorer is prone to a cross-domain security vulnerability when handling URIs while rendering a web folder view. As a result, a web page may execute malicious script code in the context of an arbitrary domain or browser security zone. Microsoft Internet Explorer versions 6.0 SP2 and earlier are susceptible.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx

  • 05.32.7 - CVE: CAN-2005-1983
  • Platform: Windows
  • Title: Microsoft Windows Plug and Play Buffer Overflow
  • Description: The Microsoft Windows Plug and Play (PnP) service is affected by a buffer overflow issue because the application does not perform boundary checks prior to copying user-supplied data into sensitive process buffers. Microsoft has reported that other protocols such as Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) may be vulnerable to this issue as well.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

  • 05.32.8 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Unspecified Remote Arbitrary Code Execution
  • Description: Microsoft Windows is affected by an unspecified remote arbitrary code execution vulnerability. Reports indicate that this issue may lend itself to the development of self-propagating malicious code due to the lack of user interaction required for exploitation.
  • Ref: http://www.eeye.com/html/research/upcoming/20050801.html

  • 05.32.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Acunetix Web Vulnerability Scanner Remote Denial of Service
  • Description: Acunetix is a web vulnerability scanner. It is reported to be vulnerable to an unspecified remote denial of service issue. Acunetix Web Vulnerability Scanner version 2.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14488

  • 05.32.10 - CVE: Not Available
  • Platform: Mac Os
  • Title: Safari Web Browser JavaScript Invalid Address Denial of Service
  • Description: Apple Safari Web Browser is prone to a vulnerability that may result in a browser crash. This issue occurs when a malicious Web page is viewed in the affected browser. Safari version 1.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/407702

  • 05.32.11 - CVE: Not Available
  • Platform: Linux
  • Title: GNOME Evolution Multiple Format String Vulnerabilities
  • Description: GNOME Evolution is an email client for the GNOME desktop. Evolution is affected by multiple format string vulnerabilities. Evolution versions 2.3.6.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14532

  • 05.32.12 - CVE: CAN-2005-1761
  • Platform: Linux
  • Title: Linux Kernel NFSACL Protocol XDR Data Remote Denial of Service
  • Description: The Linux kernel is affected by a remote denial of service vulnerability when handling XDR data for the nfsacl protocol. An attacker could leverage this issue to deny service to legitimate users and possibly gain unauthorized access to the machine. Please refer to the link below for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/advisories/9010

  • 05.32.13 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Printd Arbitrary File Deletion
  • Description: Sun Solaris printd is affected by an arbitrary file deletion vulnerability. A remote or local attacker can delete arbitrary files on a computer with the privileges of printd. Solaris versions 10.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14510

  • 05.32.14 - CVE: CAN-2005-2097
  • Platform: Unix
  • Title: Easy Software Products CUPS Denial of Service
  • Description: CUPS is a set of printing utilities for UNIX-based systems. It is vulnerable to a denial of service issue due to improper bounds checking done by the application when handling malformed PDF files. Easy Software Products CUPS versions 1.1.23 rc1 and earlier are vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2005-706.html

  • 05.32.15 - CVE: CAN-2005-2097
  • Platform: Cross Platform
  • Title: XPDF Loca Table Verification Remote Denial of Service
  • Description: xpdf is an open source implementation of a PDF viewer for the X Window System. It is reported to be vulnerable to a remote denial of service issue due to improper handling of exceptional conditions. Xpdf version 3.0 pl3 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14529


  • 05.32.17 - CVE: CAN-2005-1527
  • Platform: Cross Platform
  • Title: AWStats Referrer Arbitrary Command Execution
  • Description: AWStats is a CGI log analyzer that generates statistic reports based on HTTP, SMTP or FTP logs. AWStats is affected by an arbitrary command execution vulnerability. The application stores the referrer of users visiting the Web site, however, the application fails to sanitize the "url" parameter of the "ShowInfoURL" script. AWStats versions 6.3 and earlier are susceptible.
  • Ref: http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities

  • 05.32.18 - CVE: CVE-MAP-NOMATCH
  • Platform: Cross Platform
  • Title: MySQL User-Defined Function Buffer Overflow
  • Description: MySQL is vulnerable to a buffer overflow issue due to insufficient bounds checking of user data in the "init_syms()" function. MySQL versions 5.0.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/407648/30/0/threaded

  • 05.32.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SysCP Multiple Script Execution Vulnerabilities
  • Description: System Control Panel (SysCP) is a web-based server administration application. It is affected by multiple script execution vulnerabilities. One issue involves insufficient sanitization of user-supplied data to the "language" parameter and in another issue, an attacker can call arbitrary functions and scripts by using curly braces to bypass input sanitization implemented in the application's template engine. SysCP 1.2.10 and prior versions are prone to these vulnerabilities.
  • Ref: http://www.securityfocus.com/bid/14490

  • 05.32.20 - CVE: CAN-2005-2484
  • Platform: Cross Platform
  • Title: Denora IRC Stats Buffer Overflow
  • Description: Denora IRC Stats is a set of statistics services for IRC networks. It is vulnerable to a remote buffer overflow issue in the "rdb_query" function when an attacker supplies malformed string values. Denora IRC Stats version 1.0 is vulnerable.
  • Ref: http://denora.nomadirc.net/viewsvn/viewsvn.php?project=denora&path=/trunk/Changes

  • 05.32.21 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: PHPTB Topic Board Multiple SQL Injection
  • Description: PHPTB is a web portal application. It is vulnerable to multiple SQL injection issues due to a failure in the application to properly sanitize user-supplied input to the "profile.php", "newpn.php" and "post.php" scripts. PHPTB Topic Board version 2.0 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/14535

  • 05.32.22 - CVE: Not Available
  • Platform: Web Application
  • Title: PHlyMail Unspecified Authentication Bypass
  • Description: PHlyMail is a web based email system. It is reported to be vulnerable to an unspecified authentication bypass issue. PHlyMail version 3.0.2.00 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14537

  • 05.32.23 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: WordPress Cookie Data PHP Code Injection
  • Description: WordPress allows users to generate news pages and Web logs dynamically. WordPress is affected by a remote PHP code injection vulnerability. The issue presents itself when user-supplied input via cookie data is passed to the "cache_lastpostdate" parameter. WordPress versions 1.5.x are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14533

  • 05.32.24 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: ezUpload Multiple Remote File Include Vulnerabilities
  • Description: ezUpload is a PHP script that lets users or visitors upload files to the server. It is prone to multiple remote file include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input passed to the "path" parameter of the "customize.php", "form.php", "index.php" and "initialize.php" scripts. ezUpload version 2.2 is susceptible.
  • Ref: http://www.securityfocus.com/bid/14534

  • 05.32.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Mozilla Firefox and Thunderbird Long URI Obfuscation
  • Description: A vulnerability is reported in Mozilla Firefox and Thunderbird that may allow an attacker to obfuscate the URI of a link. If an overly long URI is passed on, the address bar goes completely white, making the URI invisible to the user. This could facilitate the impersonation of legitimate Web sites in order to steal sensitive information from unsuspecting users. Mozilla Firefox 1.0.6, and Thunderbird 1.0 are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/14526

  • 05.32.26 - CVE: CAN-2005-0885
  • Platform: Web Application
  • Title: XMB Forum U2U.Inc.PHP SQL Injection
  • Description: XMB Forum is a web-based message board application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user supplied input to the "in" parameter of the "u2u.inc.php" script. XMB Forum version 1.9.1 is vulnerable.
  • Ref: http://forums.xmbforum.com/viewthread.php?tid=754523

  • 05.32.27 - CVE: Not Available
  • Platform: Web Application
  • Title: TriggerTG TClanPortal Multiple SQL Injection Vulnerabilities
  • Description: TClanPortal is a web portal application implemented in PHP utilizing a MySQL backend. TClanPortal is affected by multiple SQL injection vulnerabilities. TClanPortal versions 3.0 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14532

  • 05.32.28 - CVE: CAN-2005-2318
  • Platform: Web Application
  • Title: DVBBS Multiple Cross-Site Scripting Vulnerabilities
  • Description: DVBBS is a bulletin board application. It is vulnerable to multiple cross site scripting issues due to insufficient sanitization of user supplied input. Dvbbs versions 7.1 Sp2 and earlier are reported to be vulnerable.
  • Ref: http://lostmon.blogspot.com/2005/08/dvbbs-multiple-variable-cross-site.html

  • 05.32.29 - CVE: Not Available
  • Platform: Web Application
  • Title: myFAQ Multiple SQL Injection Vulnerabilities
  • Description: myFAQ is a "frequently asked questions" application written in PHP and mySQL. It is affected by multiple SQL injection vulnerabilities. myFAQ version 1.0 is known to be vulnerable.
  • Ref: http://svt.nukleon.us/lab/svadvisory13.txt

  • 05.32.30 - CVE: Not Available
  • Platform: Web Application
  • Title: FunkBoard Multiple Cross-Site Scripting Vulnerabilities
  • Description: FunkBoard is a bulletin board and message system. It is prone to multiple cross-site scripting vulnerabilities in the "ditpost.php", "prefs.php", "newtopic.php", "reply.php", "profile.php" and "register.php" scripts. FunkBoard version 0.66 CF is vulnerable.
  • Ref: http://www.securityfocus.com/bid/14507/

  • 05.32.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Chipmunk CMS Fontcolor Cross-Site Scripting
  • Description: Chipmunk CMS is a content management application prone to a cross-site scripting vulnerability. This issue occurs due to improper sanitization of the user supplied input to the "fontcolor" parameter. Chipmunk PHP Scripts CMS version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/14506

  • 05.32.32 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Website System Submitted Link HTML Injection
  • Description: e107 Website System is a web-based content management system. Insufficient sanitization of the "name" parameter exposes the application to an HTML injection issue. e107 Website System versions 0.617 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14508/info

  • 05.32.33 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Website System Attached File Cross-Site Scripting
  • Description: e107 Website System is a web-based content management system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input. e107 Website System versions 0.6.17 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14495

  • 05.32.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Gravity Board X Login SQL Injection
  • Description: Gravity Board X (GBX) is a message board application. It is vulnerable to an SQL injection issue. This issue is due to insufficient sanitization of user-supplied input to the "login" parameter of the login form. Gravity Board X version 1.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/407577

  • 05.32.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Gravity Board X DeleteThread.PHP Cross-Site Scripting
  • Description: Gravity Board X (GBX) is a message board system implemented in PHP utilizing a MySQL backend. GBX is affected by a cross-site scripting vulnerability. GBX versions 1.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/407577

  • 05.32.36 - CVE: CAN-2005-2411
  • Platform: Web Application
  • Title: tDiary Cross-Site Request Forgery
  • Description: tDiary is a web-based diary, implemented in Ruby. tDiary is prone to a cross-site request forgery vulnerability. This issue may allow a remote attacker to delete data and configuration settings and potentially execute commands on an affected computer. The vulnerability presents itself when an attacker crafts a malicious web site and entices a user to visit the site while their tDiary session is still valid. tDiary 2.0.1 and prior and tDiary 2.1.1 are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/14500

  • 05.32.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Gravity Board X CSS Template Unauthorized Access
  • Description: Gravity Board X (GBX) is a message board system that is affected by an unauthorized access vulnerability. This issue is due to a failure in the application to perform proper access validation before granting access to the "editcss.php" script. An attacker can exploit this vulnerability and modify an existing CSS template to include arbitrary PHP code. GBX version 1.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/407577

  • 05.32.38 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenBB Multiple SQL Injection Vulnerabilities
  • Description: OpenBB is a bulletin board application. Insufficient sanitization of the "FID" parameter in the "board.php" script, the "TID" parameter in the "read.php" script, and the "action" parameter in the "member.php" script exposes the application to an SQL injection issue. OpenBB version 1.1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/407580

  • 05.32.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Calendar Express Multiple SQL Injection Vulnerabilities
  • Description: Calendar Express is a web-based calendar. It is vulnerable to multiple SQL injection issues due to a failure in the application to properly sanitize user-supplied input to the "cid" parameter of the following scripts: login.php, month.php, auth.php, year.php, week.php, day.php and subscribe.php. Calendar Express version 2.0 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/14504

  • 05.32.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Calendar Express Search.PHP Cross-Site Scripting
  • Description: Calendar Express is a web-based calendar system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "allwords" parameter of the "search.php" script. Calendar Express version 2.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14505

  • 05.32.41 - CVE: CAN-2005-2357
  • Platform: Web Application
  • Title: EMC Navisphere Manager Directory Traversal and Information Disclosure
  • Description: EMC Navisphere Manager allows you to manage EMC CLARiiON storage systems from a web browser. It is vulnerable to directory traversal and information disclosure issues due to a failure in the application to properly sanitize user-supplied input. Exploitation of these vulnerabilities could lead to a loss of confidentiality and information disclosure. EMC Navisphere Manager versions 6.6 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14487

  • 05.32.42 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Fusion Messages.PHP SQL Injection
  • Description: PHP-Fusion is a Web content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "msg_view" parameter of the "messages.php" script. PHP-Fusion versions 6.0.105 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14489

  • 05.32.43 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPSiteStats Unspecified Authentication Bypass
  • Description: PHPSiteStats is web-based management and monitoring software. It is prone to an unspecified authentication bypass issue. A successful attack can allow unauthorized attackers to bypass the authentication routines and gain access to the application. PHPSiteStats version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/14493/info

  • 05.32.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Attached File Cross-Site Scripting
  • Description: Invision Power Board is web-based forum software. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to steal cookie-based authentication credentials as well as other attacks. Invision Power Board versions earlier than 2.0 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/407471

  • 05.32.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Jax PHP Scripts Multiple Cross-Site Scripting Vulnerabilities
  • Description: Jax PHP Scripts is a collection of PHP scripts to enhance an existing web site. It is reported to be vulnerable to multiple cross-site scripting issues due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/14481

  • 05.32.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Jax PHP Scripts Multiple Information Disclosure Vulnerabilities
  • Description: Jax PHP Scripts is a collection of web enhancement PHP scripts. It is vulnerable to multiple remote information disclosure issues due to improper access validation. Jax Scripts Petitionbook 3.31, Newsletter 2.14, LinkLists 1.0, Guestbook 3.31, DWT Editor 1.0 and Calendar 1.34 are reported to be vulnerable.
  • Ref: http://lostmon.blogspot.com/2005/08/jax-php-scripts-multiple.html

  • 05.32.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Comdev eCommerce WCE.Download.PHP Directory Traversal
  • Description: Comdev eCommerce is a sales ordering system written in PHP. Comdev eCommerce is affected by a directory traversal vulnerability. Comdev eCommerce version 3.0 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14479

  • 05.32.48 - CVE: CAN-2005-0862
  • Platform: Web Application
  • Title: PHPOpenChat Multiple HTML Injection Vulnerabilities
  • Description: PHPOpenChat is a PHP based chat server. It is prone to multiple HTML injection vulnerabilities in the "profile.php", "profile_misc.php", "userpage.php", "mail.php" and "invite.php" scripts. PHPOpenChat version 3.0.2 is reportedly affected.
  • Ref: http://www.securityfocus.com/bid/14484

  • 05.32.49 - CVE: CAN-2005-2539
  • Platform: Web Application
  • Title: FlatNuke Multiple Cross Site Scripting Vulnerabilities
  • Description: FlatNuke is a web-based content management system that is prone to multiple cross-site scripting vulnerabilities. These issues are caused by improper sanitization of user-supplied input to various parameters of the "structure.php" and the "footer.php" scripts. FlatNuke version 2.5.5 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14483

  • 05.32.50 - CVE: Not Available
  • Platform: Web Application
  • Title: FlatNuke User Data Arbitrary PHP Code Execution
  • Description: FlatNuke is a content management system. It is affected by an arbitrary PHP code execution issue due to a failure in the application to properly sanitize user-supplied input before storing it in a file in the "forum/users" directory.
  • Ref: http://www.rgod.altervista.org/flatnuke.html

  • 05.32.51 - CVE: Not Available
  • Platform: Web Application
  • Title: LogiCampus Helpdesk Unspecified Cross Site Scripting
  • Description: LogiCampus is a web-based, enterprise-wide classroom and campus management system written in PHP. LogiCampus is affected by a cross-site scripting vulnerability. LogiCampus version 1.1.0 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14472

  • 05.32.52 - CVE: Not Available
  • Platform: Web Application
  • Title: PortailPHP Index.PHP SQL Injection
  • Description: PortailPHP is a content management system written in PHP. It is prone to an SQL injection vulnerability. User supplied input to the "id" parameter of the "index.php" script is not properly sanitized. An attacker may compromise this application by using SQL injection techniques. PortailPHP version 2.4 is affected.
  • Ref: http://www.securityfocus.com/archive/1/407579

  • 05.32.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Comdev ECommerce Config.PHP Remote File Include
  • Description: Comdev eCommerce is a web-based ordering system. It is vulnerable to a remote file include issue due to a failure in the application to properly sanitize user-supplied input to the "path[docroot]" parameter in the "config.php" script. An attacker may leverage this issue to gain unauthorized access to the vulnerable application. Comdev eCommerce versions 3.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14478/info

  • 05.32.54 - CVE: CAN-2005-2478
  • Platform: Web Application
  • Title: Silvernews Admin.PHP SQL Injection
  • Description: Silvernews is a free news script. It is vulnerable to an SQL injection issue due to insufficient sanitization of the "user" input field in the "admin.php" script when the "magic_quotes" environment variable is set. SilverNews version 2.0.3 is vulnerable.
  • Ref: http://www.rgod.altervista.org/silvernews.html

  • 05.32.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Web Content Management Multiple Cross-Site Scripting Vulnerabilities
  • Description: Web content management is a simple-to-use, basic content management system for news-type content. Web content management is affected by multiple cross-site scripting vulnerabilities. All versions of Web content management are known to be vulnerable.
  • Ref: http://www.rgod.altervista.org/webc.html

  • 05.32.56 - CVE: CAN-2005-2489
  • Platform: Web Application
  • Title: Web Content Management Administrator Account Unauthorized Access
  • Description: Web content management is a simple-to-use, basic content management system for news-type content. Web content management is prone to an unauthorized access vulnerability. This issue is due to a failure in the application to ensure proper access control on administrative functions. A remote user can directly access the "AddModifyInput.php" script and create an administrator account.
  • Ref: http://www.rgod.altervista.org/webc.html

  • 05.32.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Naxtor E-directory Message.ASP Cross Site Scripting
  • Description: Naxtor E-directory is a membership directory application affected by a cross-site scripting issue. This vulnerability occurs due to insufficient sanitization of user-supplied input to the "message" parameter of the "message.asp" script. Naxtor E-Directory version 1.0 is vulnerable.
  • Ref: http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=80


  • 05.32.59 - CVE: Not Available
  • Platform: Web Application
  • Title: NetworkActiv Web Server Cross-Site Scripting Vulnerability
  • Description: NetworkActiv Web Server is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input. NetworkActiv Web Server versions 3.5.13 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14473

  • 05.32.60 - CVE: Not Available
  • Platform: Network Device
  • Title: Winterm 1125SE Remote Denial of Service
  • Description: Wyse Winterm 1125SE is a thin client. It is affected by a remote denial of service issue because the application fails to handle an IP header with a "len" field of 0. Winterm 1125SE versions 4.4.061f and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14536/info

  • 05.32.61 - CVE: CAN-2005-2487
  • Platform: Network Device
  • Title: McDATA E/OS Remote Denial Of Service
  • Description: McDATA Director and Fabric switches are SAN (Storage Area Network) connectivity devices running the E/OS operating system. McDATA Sphereon 4300, and 4500 Fabric Switches, Intrepid 6064, and 6140 Director Switches are susceptible to a remote denial of service vulnerability when running E/OS versions prior to 6.0.0. This issue is due to the affected devices failing to properly handle network broadcast storms.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101833-1

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.