
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 34
August 26, 2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    Other Microsoft Products      1
    Third Party Windows Apps      3
    Linux                         2
    Unix                          6 (#4)
    Cross Platform               13 (#1, #2, #3)
    Web Application              33
    Network Device                3

*************************** Sponsored by NetIQ **************************

Discover how NetIQ Security Manager can aid your organization in complying with the log collection and analysis requirements within recent regulations and standards. Download this whitepaper now. http://www.netiq.com/products/sm/whitepapers.asp?origin=SANSNS082405

*************************************************************************

Security Training Update

"SANS is the ultimate security training program. It is the most intensive and informative security training available -- a must have for infosec professionals." (Aaron Despain, TriWest Healthcare)

Scheduled SANS training programs over the next three months in: Boston, New York, Whippany NJ, Baltimore, Virginia Beach, Herndon VA, Orlando, New Orleans, Chicago, Dallas, Los Angeles, San Jose CA, Portland OR; Ottawa, Barcelona, Vancouver, Amsterdam.

Details: http://www.sans.org

*************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint
Widely Deployed Software
Other Software
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application
Network Device

********************* Sponsored Link ************************************

1) Dicar Networks provides a cost effective vulnerability assessment tool designed by Barbedwire Technologies to prevent and manage network vulnerabilities. Request a Vulnerability Assessment Datasheet at http://www.sans.org/info.php?id=854

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Computer Associates Message Queuing Vulnerabilities
  • Affected:
    • CA Message Queuing Software prior to v1.07 Build 220_13 and v1.11 Build 29_13
    • Unicenter Performance Management for OpenVMS r2.4 SP3
    • AdviseIT 2.4
    • Advantage Data Transport 3.0
    • BrightStor SAN Manager 1.1, 1.1 SP1, 1.1 SP2, 11.1
    • BrightStor Portal 11.1
    • CleverPath OLAP 5.1
    • CleverPath ECM 3.5
    • CleverPath Predictive Analysis Server 2.0, 3.0
    • CleverPath Aion 10.0
    • eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1
    • Unicenter Application Performance Monitor 3.0, 3.5
    • Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1
    • Unicenter Data Transport Option 2.0
    • Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2
    • Unicenter Jasmine 3.0
    • Unicenter Management for WebSphere MQ 3.5
    • Unicenter Management for Microsoft Exchange 4.0, 4.1
    • Unicenter Management for Lotus Notes/Domino 4.0
    • Unicenter Management for Web Servers 5, 5.0.1
    • Unicenter NSM 3.0, 3.1
    • Unicenter NSM Wireless Network Management Option 3.0
    • Unicenter Remote Control 6.0, 6.0 SP1
    • Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5
    • Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1
    • Unicenter TNG 2.1, 2.2, 2.4, 2.4.2
    • Unicenter TNG JPN 2.2
  • Description: CA Message Queuing (CAM) software provides applications with a "store and forward" messaging framework and is a component of many CA products. CAM contains a buffer overflow that can be exploited to execute arbitrary code on the host running the affected CA product, and a spoofing flaw that can also lead to execution of arbitrary commands. Because the affected products include management and backup systems that control high-value resources, these flaws should be patched immediately. Further technical details about how to trigger the vulnerabilities are not available at this time.

  • Status: CA has released patches.

  • Council Site Actions: Sites running this software report that they plan to address the flaw during their next regularly scheduled system update process.

  • References:
Other Software
  • (2) HIGH: HP Openview Network Node Manager Remote Command Execution
  • Affected:
    • OpenView Network Node Manager versions 6.41 and 7.5 running on Solaris 8 and Windows
    • Potentially all Network Node Manager versions on all platforms
  • Description: HP OpenView Network Node Manager (NNM) provides fault management for large networks. When its web interface is enabled, NNM listens for HTTP on port 3443/tcp by default. Four of the scripts served by this web server, "ConnectedNodes.ovpl", "cdpView.ovpl", "freeIPaddrs.ovpl" and "ecscmg.ovpl", do not filter the "|" character from their parameters; passing a "|" in a parameter to any of these scripts is enough to execute arbitrary commands on the NNM server.

  • Status: HP has been contacted; no patches are available yet. As a workaround, block port 3443/tcp at the network perimeter so that the NNM web interface is not reachable from untrusted networks.

  • References:
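Until a patch is available, the web server's own request log is the only record of attempts against these scripts. The Python below is an added example written for this bulletin entry; it is not HP code and is not part of the original advisory. It flags requests to the four scripts named above whose query parameters contain a "|", whether raw, percent-encoded (%7C) or double-encoded (%257C). The Apache-style log format, the /OvCgi/ path prefix and the sample log lines are assumptions constructed for the example; detection keys on the script filename only.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The four NNM CGI scripts named in the advisory text above.
NNM_SCRIPTS = {"ConnectedNodes.ovpl", "cdpView.ovpl", "freeIPaddrs.ovpl", "ecscmg.ovpl"}

# Apache "combined"-style access log line (assumed format for this example):
# client - - [timestamp] "METHOD /path?query HTTP/x.y" status bytes
_REQ = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def suspicious_params(target):
    """Return (script, [(param, decoded_value), ...]) when TARGET requests one of
    the NNM scripts with a "|" in any query parameter, otherwise None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in NNM_SCRIPTS:
        return None
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl removes one layer of percent-encoding (%7C -> "|");
        # decode once more so a double-encoded %257C does not slip past.
        decoded = unquote(value)
        if "|" in decoded:
            hits.append((name, decoded))
    return (script, hits) if hits else None


def scan_log(lines):
    """Run suspicious_params over access-log lines; return one finding per hit."""
    findings = []
    for line in lines:
        m = _REQ.match(line)
        if not m:
            continue
        hit = suspicious_params(m.group("target"))
        if hit:
            script, params = hit
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "script": script,
                "params": params,
            })
    return findings


# Constructed sample log: one benign NNM request, two injection attempts
# (one percent-encoded "|", one raw), and one unrelated request that also
# carries a "|" but does not touch an NNM script.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Aug/2005:10:15:02 -0500] "GET /OvCgi/ConnectedNodes.ovpl?node=10.0.0.1 HTTP/1.1" 200 512',
    '192.0.2.7 - - [24/Aug/2005:10:16:44 -0500] "GET /OvCgi/ConnectedNodes.ovpl?node=10.0.0.1%7Cid HTTP/1.1" 200 731',
    '192.0.2.7 - - [24/Aug/2005:10:17:01 -0500] "GET /OvCgi/freeIPaddrs.ovpl?netmask=255.255.255.0|cat%20/etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [24/Aug/2005:10:18:30 -0500] "GET /index.html?q=a|b HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} -> {f['script']} {f['params']}")
```

Run it over the NNM web server's access log (or feed the lines from a SIEM export); a hit from any host that is not an authorised management station warrants an immediate look at the NNM server, since the request itself is the exploit.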
  • (3) HIGH: HAURI Anti-Virus Products Multiple Vulnerabilities
  • Affected:
    • ViRobot Expert 4.0
    • ViRobot Advanced Server
    • ViRobot Linux Server 2.0
    • HAURI LiveCall
  • Description: The HAURI ViRobot family of products protects desktops, mail gateways and file servers from viruses. (a) The anti-virus engine contains a stack-based buffer overflow that is triggered by a specially crafted ACE archive containing a compressed file whose filename is longer than 272 characters. If compressed-file scanning is enabled, the overflow can be exploited to execute arbitrary code on the system running ViRobot. On a mail gateway, delivering a malicious e-mail message is sufficient; no user interaction is required. (b) The software also contains a directory traversal vulnerability that can be exploited to write arbitrary files (for example into the "Startup" folder on Windows) on the system running ViRobot. While a compressed archive is scanned, its members are copied to a temporary directory, but their filenames are not checked for "../" sequences. This flaw, too, can be exploited only if scanning of compressed archives is enabled.

  • Status: HAURI has released patches. Scanning of compressed archives is typically enabled on mail gateways, so patch those systems first.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 34, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4484 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.34.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Visual Studio .NET msdds.dll Remote Code Execution
  • Description: Microsoft Visual Studio .NET is a development tool for building applications on Microsoft platforms and web technology. It is reported to be vulnerable to a remote code execution issue. Malicious web page content may trigger this issue.
  • Ref: http://www.securityfocus.com/bid/14594

  • 05.34.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Home Ftp Server Multiple Vulnerabilities
  • Description: Home Ftp Server is reported to be vulnerable to directory traversal and insecure password disclosure issues. Home Ftp Server 1.0.7 b45 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14653

  • 05.34.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: LeapFTP LSQ File Buffer Overflow
  • Description: LeapFTP is an FTP client. It is vulnerable to a remote buffer overflow issue due to insufficient boundary checks when the client handles a malformed LeapFTP Site Queue (.lsq) file. LeapWare LeapFTP versions 2.7.6.611 and below are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/409052

  • 05.34.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sysinternals Process Explorer CompanyName Value Buffer Overflow
  • Description: Process Explorer is a utility for viewing running processes and the handles and DLLs each has opened or loaded. It is reported to be vulnerable to a buffer overflow issue because the application fails to perform proper bounds checking on user-supplied data.
  • Ref: http://www.securityfocus.com/bid/14616

  • 05.34.5 - CVE: CAN-2005-2457
  • Platform: Linux
  • Title: Linux Kernel ISO File System Denial of Service
  • Description: The Linux kernel driver for compressed ISO file systems is prone to a denial of service vulnerability. A malicious user can create a compressed ISO image containing data that crashes the kernel when the image is mounted. Various versions of the kernel are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14614

  • 05.34.6 - CVE: CAN-2005-2548
  • Platform: Linux
  • Title: Linux Kernel SNMP Handler Denial of Service
  • Description: The Linux kernel is prone to an SNMP handler denial of service vulnerability. Linux kernel versions 2.6.8 rc2 and earlier are known to be vulnerable.
  • Ref: http://lists.debian.org/debian-kernel/2005/08/msg00418.html

  • 05.34.7 - CVE: CAN-2005-2641
  • Platform: Unix
  • Title: PADL Software PAM_LDAP Authentication Bypass
  • Description: PAM_LDAP is the PAM module package designed to allow authentication with LDAP servers via PAM-compliant authentication mechanisms. PAM_LDAP is prone to an authentication bypass vulnerability. When handling new password policy control, if the LDAP server returns a passwordPolicyResponse control in a BindResponse without the optional "error" field, PAM_LDAP will not fall through to the account management module. Successful exploitation could allow an unauthorized user to bypass authentication.
  • Ref: http://www.securityfocus.com/bid/14649

  • 05.34.8 - CVE: CAN-2005-2491
  • Platform: Unix
  • Title: PCRE Regular Expression Heap Overflow
  • Description: PCRE is a set of functions that implement regular expression pattern matching using the same syntax and semantics as Perl 5. PCRE is prone to a heap overflow vulnerability. This issue is due to a failure of the library to properly bounds check user-supplied data contained in a regular expression, resulting in the possibility of overflowing the destination heap buffer. PCRE versions 6.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14620

  • 05.34.9 - CVE: CAN-2005-2665
  • Platform: Unix
  • Title: Elm Expires Header Remote Buffer Overflow
  • Description: Elm is a mail user agent for Unix. It is vulnerable to a buffer overflow caused by improper processing of the Expires header, which could allow an attacker to execute malicious code. Please refer to the link below for the list of vulnerable versions.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0688.html

  • 05.34.10 - CVE: CAN-2005-2670
  • Platform: Unix
  • Title: HAURI Anti-Virus Compressed Files Directory Traversal
  • Description: HAURI Anti-Virus for Unix and Linux is prone to a directory traversal vulnerability due to improper sanitization of user-supplied input. The application extracts compressed files into a temporary directory before scanning. An unauthorized user can exploit this vulnerability to write files to arbitrary locations by supplying directory traversal strings "../" in archived file names. Hauri ViRobot Linux Server version 2.0, Hauri ViRobot Expert version 4.0, Hauri ViRobot Advanced Server and Hauri LiveCall are affected.
  • Ref: http://secunia.com/secunia_research/2005-24/advisory/

  • 05.34.11 - CVE: CAN-2005-2631
  • Platform: Unix
  • Title: Cisco Clean Access Agent Installation Bypass
  • Description: Cisco Clean Access (CCA) is a software solution that scans devices attempting to connect to a network. The software can check for installed patches and malicious code infections then quarantine devices as necessary until issues have been addressed. Cisco Clean Access is affected by a vulnerability that can bypass the mandatory installation of the agent.
  • Ref: http://www.securityfocus.com/archive/1/408603

  • 05.34.12 - CVE: CAN-2005-2642
  • Platform: Unix
  • Title: Mutt Handler.c Buffer Overflow
  • Description: Mutt is a text-based mail user agent for Unix that is prone to a buffer overflow vulnerability. The problem lies in Mutt's "handler.c" source file, specifically in the "mutt_decode_xbit()" subroutine and the allocation size of the "bufi" buffer. Mutt version 1.5.10 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/14596

  • 05.34.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MPlayer Audio Header Buffer Overflow
  • Description: MPlayer is a multimedia video and audio application. It is affected by a buffer overflow issue which is caused by a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers. MPlayer versions 1.0 pre7, pre6-r4 and pre6-3.3.5 are affected.
  • Ref: http://www.sven-tantau.de/public_files/mplayer/mplayer_20050824.txt

  • 05.34.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ventrilo Status Requests Denial of Service
  • Description: Flagship Industries Ventrilo is a voice over IP application. It is vulnerable to a denial of service issue due to insufficient handling of malformed UDP packets. Flagship Industries Ventrilo versions 2.3 and earlier are vulnerable.
  • Ref: http://aluigi.altervista.org/adv/ventboom-adv.txt

  • 05.34.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HAURI Anti-Virus ACE Archive Handling Remote Buffer Overflow
  • Description: HAURI Anti-Virus protects desktops, mail gateways and file servers. It is affected by a remote buffer overflow vulnerability when handling ACE archives. HAURI Anti-Virus versions ViRobot Expert 4.0, ViRobot Advanced Server, ViRobot Linux Server 2.0 and HAURI LiveCall are known to be vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-33/advisory/
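Both HAURI issues come down to trusting the member names inside an archive. The Python below is an added example, not HAURI's code and not part of the bulletin; it pre-screens member names before a scanner copies them into its temporary directory, rejecting names that would escape that directory (the "../" traversal of entry (3)(b) and 05.34.10) and names over a length limit (the over-long ACE filename of entry (3)(a) and this entry). ZIP stands in for ACE because the standard library can build one in memory; the checks concern only member names, not the container format. The 255-character limit is an assumed policy value, and the sample archive is constructed for the example.

```python
import io
import os
import posixpath
import zipfile

# Assumed policy limit for a member name; the reported ACE trigger is a name
# longer than 272 characters, so anything past this is refused before the
# archive parser ever sees it.
MAX_NAME = 255


def is_safe_member_name(name, max_len=MAX_NAME):
    """True if NAME can be created under a temp directory without escaping it
    and is not suspiciously long."""
    if not name or len(name) > max_len or "\x00" in name:
        return False
    norm = name.replace("\\", "/")          # a Windows scanner treats "\" as a separator too
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False                        # absolute path or drive letter
    # Collapse "a/./b" and "a/x/../b" first; only a ".." that survives
    # normalisation actually leaves the directory.
    return ".." not in posixpath.normpath(norm).split("/")


def safe_target_path(tmpdir, name):
    """Second line of defence at extraction time: resolve NAME under TMPDIR and
    refuse the result if it lies outside TMPDIR (symlinks included)."""
    base = os.path.realpath(tmpdir)
    target = os.path.realpath(os.path.join(base, name.replace("\\", "/")))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("member escapes extraction directory: %r" % name)
    return target


def screen_archive(data, max_len=MAX_NAME):
    """Split the member names of an in-memory ZIP into (accepted, rejected)."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = accepted if is_safe_member_name(info.filename, max_len) else rejected
            bucket.append(info.filename)
    return accepted, rejected


def build_sample_archive():
    """Constructed test archive: a benign member, a "../" traversal aimed at the
    Windows Startup folder, and a 304-character name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "hello")
        zf.writestr("../../Start Menu/Programs/Startup/evil.exe", "MZ")
        zf.writestr("A" * 300 + ".txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = screen_archive(build_sample_archive())
    print("accepted:", ok)
    print("rejected:", bad)
```

The name screen is cheap enough to run on a mail gateway in front of the scanner; the realpath check in safe_target_path is the one to keep at the point where files are actually written, since it also catches a symlink planted earlier in the temporary directory.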

  • 05.34.16 - CVE: CAN-2005-2667
  • Platform: Cross Platform
  • Title: Computer Associates Message Queuing Denial of Service
  • Description: Computer Associates Message Queuing software (CAM) is a messaging sub-component that provides a "store and forward" messaging framework for applications. A number of CA applications use CAM for their messaging requirements. CAM is prone to a remote denial of service vulnerability. The problem is most likely due to a failure in the application to handle excessive connection attempts to the TCP port and as a result no further connections to the TCP port can take place. CAM versions 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 are vulnerable.
  • Ref: http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp

  • 05.34.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Computer Associates Message Queuing Buffer Overflow
  • Description: Computer Associates Message Queuing software (CAM) is a messaging sub-component that provides a "store and forward" messaging framework for applications. CAM is affected by a buffer overflow issue when a remote or local attacker sends specifically formatted data to the listening ports of the CAM server. Please refer to the link for details on affected products.
  • Ref: http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp

  • 05.34.18 - CVE: CAN-2005-2669
  • Platform: Cross Platform
  • Title: Computer Associates Message Queuing CAFT Spoofing
  • Description: Computer Associates Message Queuing software (CAM) is a messaging sub-component used by a number of CA applications. It is vulnerable to an issue that could permit spoofing of an application using the CAM instance and ultimately allow execution of arbitrary commands. Please refer to the link below for a list of vulnerable applications.
  • Ref: http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp

  • 05.34.19 - CVE: CAN-2005-2531
  • Platform: Cross Platform
  • Title: OpenVPN Failed Authentication Denial of Service
  • Description: OpenVPN is an OpenSSL based tunneling application to securely tunnel IP networks. Improper management of the OpenSSL error queues exposes the application to a denial of service condition. All current versions are affected.
  • Ref: http://www.securityfocus.com/advisories/9102

  • 05.34.20 - CVE: CAN-2005-2532
  • Platform: Cross Platform
  • Title: OpenVPN Packet Decryption Failure Denial of Service
  • Description: OpenVPN is an OpenSSL based tunneling application to securely tunnel IP networks over the TCP and UDP protocols. It is vulnerable to a denial of service issue due to a cross session error propagation. An authenticated attacker could exploit this issue to deny service to legitimate users. Versions of OpenVPN earlier than 2.0.1 are vulnerable.
  • Ref: http://openvpn.net/changelog.html

  • 05.34.21 - CVE: CAN-2005-2534
  • Platform: Cross Platform
  • Title: OpenVPN Same Client Certificate Denial of Service
  • Description: OpenVPN is an OpenSSL based tunneling application. It is reported to be vulnerable to a denial of service issue. The issue presents itself when two or more clients use the same client certificate to connect to the OpenVPN server. OpenVPN version 2.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14610

  • 05.34.22 - CVE: CAN-2005-2533
  • Platform: Cross Platform
  • Title: OpenVPN MAC Address Spoofing Denial of Service
  • Description: OpenVPN is an OpenSSL based tunneling application. It is vulnerable to a denial of service issue if the server receives many packets containing spoofed MAC addresses when an authenticated client is in "dev tap" ethernet bridging mode. OpenVPN versions 2.0 and earlier are vulnerable.
  • Ref: http://openvpn.net/changelog.html

  • 05.34.23 - CVE: CAN-2005-2470
  • Platform: Cross Platform
  • Title: Adobe Acrobat and Adobe Reader Remote Buffer Overflow
  • Description: Adobe Acrobat and Adobe Reader are applications for reading, navigating, and printing PDF (Portable Document Format) files. Adobe Acrobat and Adobe Reader are affected by a remote buffer overflow vulnerability. Adobe Acrobat and Adobe Reader versions 7.0.2 and earlier are known to be vulnerable.
  • Ref: http://www.adobe.com/support/techdocs/321644.html

  • 05.34.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: phpPgAds Local File Include
  • Description: phpPgAds is a banner ad management application written in PHP. phpPgAds is affected by a local file include vulnerability. phpPgAds versions 2.0.5 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14584

  • 05.34.25 - CVE: CAN-2005-0357, CAN-2005-0358, CAN-2005-0359
  • Platform: Cross Platform
  • Title: EMC Legato Networker Multiple Vulnerabilities
  • Description: EMC Legato Networker is affected by multiple denial of service, privilege escalation, unauthorized access and arbitrary command execution vulnerabilities. Please refer to the advisory for further details.
  • Ref: http://www.legato.com/support/websupport/product_alerts/081605_NW-7x.htm

  • 05.34.26 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: WebCalendar Send_Reminders.PHP Remote File Include
  • Description: WebCalendar is a web-based calendar application that is prone to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input passed to the "includedir" parameter of "send_reminders.php" script. WebCalendar versions 1.0 RC3 and earlier are reportedly affected.
  • Ref: http://www.securityfocus.com/bid/14651

  • 05.34.27 - CVE: Not Available
  • Platform: Web Application
  • Title: SqWebMail File Attachment Script Injection
  • Description: SqWebMail is a web-based mail application. It is vulnerable to an e-mail script injection issue that permits an attacker to attach malicious script code to e-mails sent to users of the affected application. This can be exploited to read or send e-mail from a user's account. SqWebMail 5.04 and earlier are vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-35/advisory/

  • 05.34.28 - CVE: Not Available
  • Platform: Web Application
  • Title: paFileDB Auth.PHP SQL Injection
  • Description: paFileDB is a web-based file management utility implemented in PHP with an SQL database back end. paFileDB is affected by an SQL injection vulnerability. paFileDB versions 3.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/409047

  • 05.34.29 - CVE: Not Available
  • Platform: Web Application
  • Title: SaveWebPortal Multiple Cross-Site Scripting Vulnerabilities
  • Description: SaveWebPortal is affected by multiple cross-site scripting issues. Insufficient sanitization of user-supplied input exposes these issues. SaveWebPortal version 3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/14642/info

  • 05.34.30 - CVE: Not Available
  • Platform: Web Application
  • Title: SaveWebPortal Multiple Remote File Include Vulnerabilities
  • Description: SaveWebPortal is a web portal application. It is vulnerable to multiple remote file include issues due to a failure of the application to properly sanitize user-supplied input. A remote attacker could exploit this issue to get unauthorized access. SaveWebPortal version 3.4 is vulnerable.
  • Ref: http://rgod.altervista.org/save_yourself_from_savewebportal34.html

  • 05.34.31 - CVE: Not Available
  • Platform: Web Application
  • Title: SaveWebPortal Multiple Directory Traversal Vulnerabilities
  • Description: SaveWebPortal is a web portal application. It is reported to be vulnerable to a directory traversal issue due to improper sanitization of user-supplied data. SaveWebPortal version 3.4 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14643

  • 05.34.32 - CVE: CAN-2005-2684
  • Platform: Web Application
  • Title: Netquery Host Parameter Arbitrary Command Execution
  • Description: Netquery is a PHP/SQL open-source toolkit of network information utilities. Netquery is affected by a remote command execution vulnerability. This issue can allow an attacker to execute commands in the context of an affected server and potentially gain unauthorized access. Netquery version 3.11 is affected by this vulnerability.
  • Ref: http://www.securityfocus.com/bid/14637

  • 05.34.33 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: SaveWebPortal Unauthorized Access
  • Description: SaveWebPortal is a web portal application and it is prone to an unauthorized access vulnerability. This issue is due to a failure in the application to limit access to administrative scripts. The "editerfichier.php" script is not configured solely for administrative access, allowing a remote user to modify the contents of PHP header scripts namely the "header.php" script. SaveWebPortal version 3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/14639

  • 05.34.34 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPKit Multiple SQL Injection Vulnerabilities
  • Description: PHPKit is a content management application. Insufficient sanitization of the "letters" and "usernick" parameters of the "member.php" script and the "im_receiver" parameter of the "imcenter.php" script exposes the application to various SQL injection issues.
  • Ref: http://www.securityfocus.com/bid/14629/info

  • 05.34.35 - CVE: CAN-2005-2680
  • Platform: Web Application
  • Title: BEA WebLogic Portal Access Validation
  • Description: BEA WebLogic Portal is vulnerable to an access validation issue because the application fails to implement proper access controls under certain circumstances. An attacker could gain unauthorized access by exploiting this issue. WebLogic Portal versions 8.1 Service Pack 4 and prior are affected by this vulnerability.
  • Ref: http://dev2dev.bea.com/pub/advisory/137

  • 05.34.36 - CVE: Not Available
  • Platform: Web Application
  • Title: RunCMS Arbitrary Variable Overwrite Vulnerability
  • Description: RunCMS is a web-based content management system. It is reported to be vulnerable to an arbitrary variable overwrite issue due to a design error in the "/includes/common.php" script, which overwrites global variables with user-supplied POST data when "register_globals" is off. RunCMS versions 1.2 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14634

  • 05.34.37 - CVE: CAN-2005-1778
  • Platform: Web Application
  • Title: PostNuke Multiple Vulnerabilities
  • Description: PostNuke is a content management application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user supplied input. PostNuke version 0.76 RC4b is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408818

  • 05.34.38 - CVE: CAN-2005-2682
  • Platform: Web Application
  • Title: DTLink Software AreaEdit SpellChecker Plugin Arbitrary Command Execution
  • Description: DTLink Software AreaEdit is a web-based editor implemented in PHP. AreaEdit is affected by a remote arbitrary command execution vulnerability. Successful exploitation of this issue results in command execution with the privileges of the web server process. This can lead to various attacks including unauthorized access to an affected computer.
  • Ref: http://www.securityfocus.com/bid/14627

  • 05.34.39 - CVE: CVE-MAP-NOMATCH
  • Platform: Web Application
  • Title: RunCMS NewBB_Plus and Messages Modules Multiple SQL Injection Vulnerabilities
  • Description: RunCMS is a web-based content management system that is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "forum" parameter of the scripts "newbb_plus/newtopic.php", "newbb_plus/edit.php" and "newbb_plus/reply.php". RunCMS versions 1.2 and earlier are vulnerable.
  • Ref: http://www.gulftech.org/?node=research&article_id=00094-08192005

  • 05.34.40 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke DL-viewdownload.PHP SQL Injection
  • Description: PostNuke is a content management system written in PHP. PostNuke is affected by an SQL injection vulnerability. PostNuke versions 0.76 RC4b and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408818

  • 05.34.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Coppermine Displayimage.PHP Script Injection
  • Description: Coppermine is an image gallery application. It is reported to be vulnerable to a script injection issue due to improper sanitization of user-supplied input. Coppermine Photo Gallery versions 1.3.3 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14625

  • 05.34.42 - CVE: Not Available
  • Platform: Web Application
  • Title: NEPHP Browse.PHP Cross-Site Scripting
  • Description: NEPHP is a web-based content management application. It is vulnerable to a cross site scripting issue due to insufficient sanitization of user supplied input when data is passed to the "keywords" parameter of the "browse.php" script. NEPHP version 3.0.4 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408757

  • 05.34.43 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard Search.PHP SQL Injection
  • Description: MyBulletinBoard is web forum software. Insufficient sanitization of the "uid" parameter of the "search.php" script exposes it to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/408624

  • 05.34.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Woltlab Burning Board SQL Injection
  • Description: WoltLab Burning Board is a web bulletin board application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user supplied input to the "x" and "y" parameters of "modcp.php" script. Woltlab Burning Board versions 2.3.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408660

  • 05.34.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Land Down Under Multiple SQL Injection Vulnerabilities
  • Description: Land Down Under is a content management system designed to facilitate easy creation of a personal web site, it is implemented in PHP and utilizes a MySQL backend. Land Down Under is affected by multiple SQL injection vulnerabilities. Land Down Under versions 800 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408664

  • 05.34.46 - CVE: CAN-2005-2674
  • Platform: Web Application
  • Title: Land Down Under Multiple Cross-Site Scripting Vulnerabilities
  • Description: Land Down Under is a content management system designed to facilitate easy creation of a personal web site; it is implemented in PHP and utilizes a MySQL backend. Land Down Under is prone to multiple cross-site scripting vulnerabilities. Please note that the vendor has disputed this issue. Check with the vendor if your system is affected.
  • Ref: http://www.securityfocus.com/archive/1/408664

  • 05.34.47 - CVE: CAN-2005-2556, CAN-2005-2557
  • Platform: Web Application
  • Title: Mantis Multiple Input Validation Vulnerabilities
  • Description: Mantis is a web-based bug tracking system implemented in PHP utilizing a MySQL database as the back end. Mantis is prone to multiple input validation vulnerabilities. These issues range from SQL injection to cross-site scripting.
  • Ref: http://www.securityfocus.com/advisories/9092

  • 05.34.48 - CVE: CAN-2005-2648
  • Platform: Web Application
  • Title: W-Agora Site Parameter Directory Traversal
  • Description: W-Agora is web publishing and forum software, written in PHP. It is prone to a directory traversal vulnerability. An unauthorized user can retrieve arbitrary files by supplying directory traversal strings "../". Exploitation of this vulnerability could lead to a loss of confidentiality.
  • Ref: http://www.securityfocus.com/bid/14597

  • 05.34.49 - CVE: Not Available
  • Platform: Web Application
  • Title: ATutor Login.PHP Cross-Site Scripting
  • Description: ATutor is a web-based Learning Content Management System (LCMS). Insufficient sanitization of the "course" parameter in the "login.php" script exposes the application to a cross-site scripting issue. ATutor version 1.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/14598/info

  • 05.34.50 - CVE: CAN-2005-2650
  • Platform: Web Application
  • Title: Emefa Guestbook Multiple HTML Injection Vulnerabilities
  • Description: Emefa Guestbook is a web-based guestbook application. It is vulnerable to multiple HTML injection issues due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. A remote attacker could exploit these issues to steal cookie-based authentication credentials or to perform other attacks. Emefa Guestbook version 1.2 is vulnerable.
  • Ref: http://systemsecure.org/ssforum/viewtopic.php?t=91

  • 05.34.51 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPOutsourcing Zorum Prod.PHP Arbitrary Command Execution
  • Description: Zorum is a web-based forum application. It is reported to be vulnerable to an arbitrary command execution issue due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/14601

  • 05.34.52 - CVE: CAN-2005-2653
  • Platform: Web Application
  • Title: BBCaffe Cross Site Scripting
  • Description: BBCaffe is a web bulletin board and messaging application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "e-mail" parameter. BBCaffe version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408503

  • 05.34.53 - CVE: Not Available
  • Platform: Web Application
  • Title: phpAdsNew Local File Include
  • Description: phpAdsNew is a banner ad management application written in PHP. phpAdsNew is prone to a local file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker could retrieve the contents of arbitrary local files.
  • Ref: http://www.securityfocus.com/bid/14591

  • 05.34.54 - CVE: CAN-2005-2637
  • Platform: Web Application
  • Title: PHPFreeNews SearchResults.PHP Multiple SQL Injection Vulnerabilities
  • Description: PHPFreeNews is a web-based news application and it is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "match" and "CatID" parameters of the "SearchResults.php" script. PHPFreeNews version 1.40 is susceptible.
  • Ref: http://www.securityfocus.com/bid/14589

  • 05.34.55 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPFreeNews Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHPFreeNews is a web-based news application. Insufficient sanitization of user-supplied input to the "NewsMode" parameter of the "NewsCategoryForm.php" script and to the "match" and "CatID" parameters of the "SearchResults.php" script exposes the application to multiple cross-site scripting issues. PHPFreeNews version 1.40 is affected.
  • Ref: http://www.securityfocus.com/bid/14590/info

  • 05.34.56 - CVE: CAN-2005-2633
  • Platform: Web Application
  • Title: PHPTB Topic Board Multiple Remote File Include Vulnerabilities
  • Description: PHPTB is a web portal application. It is vulnerable to multiple remote file include issues due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage these issues to gain unauthorized access. PHPTB versions 2.0 and earlier are vulnerable.
  • Ref: http://marc.theaimsgroup.com/?l=bugtraq&m=112431407619802&w=2

  • 05.34.57 - CVE: CAN-2005-2632
  • Platform: Web Application
  • Title: Mediabox404 SQL Injection
  • Description: Mediabox404 is a web radio playlist management application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "User" variable of the "admin/login_admin_mediabox404.php" script. Mediabox404 versions 1.2 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408418

  • 05.34.58 - CVE: CAN-2005-2636
  • Platform: Web Application
  • Title: phpAdsNew SQL Injection
  • Description: phpAdsNew is a banner ad management application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "clientid" parameter of the "lib-view-direct.inc.php" script. phpAdsNew version 2.0.5 is affected.
  • Ref: http://secunia.com/advisories/16468/

  • 05.34.59 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IDS Management Software SSL Certificate Validation
  • Description: CiscoWorks Management Center for IDS Sensors (IDSMC) is management software for Cisco Intrusion Detection and Intrusion Prevention systems. CiscoWorks Management Center for IDS Sensors and Cisco Monitoring Center for Security are both affected by an SSL certificate validation vulnerability. Cisco CiscoWorks Monitoring Center for Security and Cisco CiscoWorks Management Center for IDS Sensors versions 2.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408780

  • 05.34.60 - CVE: Not Available
  • Platform: Network Device
  • Title: Juniper Netscreen VPN Username Enumeration
  • Description: Juniper Netscreen VPN is affected by a username enumeration vulnerability. Juniper Netscreen VPN versions 5.1.0r3a and earlier, using support for IKE aggressive mode with pre-shared key authentication, are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/408478

  • 05.34.61 - CVE: Not Available
  • Platform: Network Device
  • Title: Xerox Web Server Multiple Authentication Bypass and Input Validation Vulnerabilities
  • Description: Xerox MicroServer is a server utility that includes a web server. It is reported to be vulnerable to multiple authentication bypass and input validation issues due to improper sanitization of user-supplied input. Xerox Document Centre versions 555 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14586/info

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.