@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

• (1) MODERATE: Cisco IOS Firewall FTP and Telnet Authentication Proxy Overflow

Other Software

• (2) HIGH: Barracuda Networks Spam Firewall Remote Command Execution

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 05.36.1 - Microsoft Internet Explorer Unspecified Remote Code Execution

Third Party Windows Apps

• 05.36.2 - ALZip ACE Archive File Name Buffer Overflow
• 05.36.3 - CSystems WebArchiveX ActiveX Component Arbitrary File Vulnerabilities
• 05.36.4 - Rediff Bol Instant Messenger ActiveX Control Information Disclosure Vulnerability
• 05.36.5 - AttachmateWRQ Reflection for Secure IT Windows Server Renamed Account Remote Login
• 05.36.6 - AttachmateWRQ Reflection for Secure IT Windows Server Access Restriction Bypass
• 05.36.7 - 3Com Network Supervisor Directory Traversal Vulnerability
• 05.36.8 - WhitSoft Development SlimFTPd Remote Denial of Service

Unix

• 05.36.9 - OpenTTD Multiple Unspecified Format String Vulnerabilities

Cross Platform

• 05.36.10 - Symantec Brightmail AntiSpam Deeply Nested Zip File Denial Of Service
• 05.36.11 - Symantec Brightmail AntiSpam Winmail.DAT Decomposer Denial of Service
• 05.36.12 - HP OpenView Event Correlation Services Unspecified Remote Privilege Escalation
• 05.36.13 - Squid Proxy SSLConnectTimeout Remote Denial Of Service
• 05.36.14 - Multiple Vendor Web Vulnerability Scanners HTML Injection
• 05.36.15 - NetMail Remote IMAP Heap Buffer Overflow
• 05.36.16 - OpenSSH DynamicForward Inadvertent GatewayPorts Activation
• 05.36.17 - OpenSSH GSSAPI Credential Disclosure Vulnerability

Web Application

• 05.36.18 - man2web Multiple Scripts Command Execution
• 05.36.19 - Land Down Under Events.PHP HTML Injection
• 05.36.20 - Feedback Form Perl Script CHFeedBack.PL Unauthorized Mail Relay
• 05.36.21 - Unclassified NewsBoard Description Field HTML Injection
• 05.36.22 - MAXdev MD-Pro Arbitrary Remote File Upload
• 05.36.23 - MAXdev MD-Pro Multiple Cross-Site Scripting Vulnerabilities
• 05.36.24 - GuppY PrintFAQ.PHP Cross-Site Scripting
• 05.36.25 - GuppY Error.PHP HTML Injection
• 05.36.26 - MyBulletinBoard Forumdisplay.PHP Cross-Site Scripting
• 05.36.27 - myBloggie login.php SQL Injection
• 05.36.28 - MAXdev MD-Pro Cross-Site Scripting
• 05.36.29 - SqWebMail HTML Email Script Tag Script Injection
• 05.36.30 - PBLang Bulletin Board System Multiple Remote Vulnerabilities
• 05.36.31 - Plain Black Software WebGUI Remote Perl Command Execution Vulnerabilities
• 05.36.32 - DownFile Multiple Cross-Site Scripting Vulnerabilities
• 05.36.33 - DownFile Administrator Unauthorized Access
• 05.36.34 - Greymatter Gm.CGI HTML Injection
• 05.36.35 - CMS Made Simple Cross-Site Scripting
• 05.36.36 - PHPGroupWare Main Screen Message Script Injection
• 05.36.37 - gBook Multiple Unspecified Cross-Site Scripting Vulnerabilities
• 05.36.38 - Phorum Register.PHP Cross-Site Scripting

Network Device

• 05.36.39 - Cisco IOS Firewall Authentication Proxy Buffer Overflow
• 05.36.40 - Barracuda Spam Firewall IMG.PL Remote Command Execution
• 05.36.41 - Barracuda Spam Firewall IMG.PL Remote Directory Traversal

PART I Critical Vulnerabilities

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 36, 2005

• 05.36.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Internet Explorer Unspecified Remote Code Execution
• Description: Microsoft Internet Explorer is affected by an unspecified remote vulnerability. Reportedly, this vulnerability allows a remote attacker to execute arbitrary code and potentially gain unauthorized access in the context of the user running the browser. This issue affects Internet Explorer versions 6.0 SP1 and earlier, Microsoft Outlook versions 2003 and earlier, and Microsoft Outlook Express versions 6.0 SP1 and earlier.
• Ref: http://www.securityfocus.com/bid/14755

• 05.36.2 - CVE: CAN-2005-0160
• Platform: Third Party Windows Apps
• Title: ALZip ACE Archive File Name Buffer Overflow
• Description: ALTools ALZip is an archiving utility. It is vulnerable to a buffer overflow when handling ACE archives that contain files with overly long names. ALTools ALZip versions 6.11 and earlier are reported to be vulnerable.
• Ref: http://secunia.com/secunia_research/2005-41/advisory/

• 05.36.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: CSystems WebArchiveX ActiveX Component Arbitrary File Vulnerabilities
• Description: WebArchiveX is an ActiveX component that is used to create MHTML (MHT) Web archives. WebArchiveX is affected by two read and write vulnerabilities. WebArchiveX versions 5.5.0.76 and earlier are known to be vulnerable. Ref: http://www.security-assessment.com/Advisories/WebArchiveX_-_Unsafe_Methods_Vulnerability.pdf

• 05.36.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Rediff Bol Instant Messenger ActiveX Control Information Disclosure Vulnerability
• Description: Rediff Bol Instant Messenger is reported to be vulnerable to an information disclosure issue through the "Fetch.FetchContact.1" ActiveX control. Rediff Bol version 7.0 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/14740

• 05.36.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: AttachmateWRQ Reflection for Secure IT Windows Server Renamed Account Remote Login
• Description: AttachmateWRQ Reflection for Secure IT Windows Server is a commercial SSH server for Microsoft Windows platforms. It is vulnerable to a renamed account remote login vulnerability. This issue presents itself when the Administrator or Guest accounts are renamed after SSH services have been enabled for them. In this scenario, the application still allows connections associated with the previously configured SSH keys to succeed. AttachmateWRQ Reflection for Secure IT version 6.0 is vulnerable.
• Ref: http://support.wrq.com/techdocs/1867.html

• 05.36.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: AttachmateWRQ Reflection for Secure IT Windows Server Access Restriction Bypass
• Description: AttachmateWRQ Reflection for Secure IT Windows Server is a commercial SSH server for Microsoft Windows platforms. It is susceptible to an access restriction bypass vulnerability. This issue is due to a change in the processing of access control list regular expressions. This vulnerability allows previously blocked users to gain access to computers running the affected software.
• Ref: http://support.wrq.com/techdocs/1867.html

• 05.36.7 - CVE: CAN-2005-2020
• Platform: Third Party Windows Apps
• Title: 3Com Network Supervisor Directory Traversal Vulnerability
• Description: 3Com Network Supervisor is used to monitor services on multiple hosts. It is reported to be vulnerable to a directory traversal issue due to improper sanitization of user-supplied input. 3Com Network Supervisor versions 5.1 and earlier are reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/14715

• 05.36.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: WhitSoft Development SlimFTPd Remote Denial of Service
• Description: WhitSoft Development SlimFTPd is an FTP server designed for low storage requirements and a small memory footprint. SlimFTPd is affected by a remote denial of service vulnerability. SlimFTPd versions 3.17 and earlier are known to be vulnerable.
• Ref: http://www.critical.lt/?vulnerabilities/8

• 05.36.9 - CVE: CAN-2005-2763
• Platform: Unix
• Title: OpenTTD Multiple Unspecified Format String Vulnerabilities
• Description: OpenTTD is an open source clone of the game Transport Tycoon Deluxe. OpenTTD is prone to multiple remote format string vulnerabilities. Successful exploitation could result in a failure of the application or arbitrary code execution. Specific details of this vulnerability are not currently known.
• Ref: http://www.securityfocus.com/advisories/9195

• 05.36.10 - CVE: Not Available
• Platform: Cross Platform
• Title: Symantec Brightmail AntiSpam Deeply Nested Zip File Denial Of Service
• Description: Symantec Brightmail AntiSpam is an anti-spam product. It is vulnerable to a denial of service issue due to improper processing of deeply nested zip files. An attacker could exploit this issue by sending a malicious email to be processed by the application to cause a denial of service.
• Ref: http://secunia.com/advisories/16733/

• 05.36.11 - CVE: Not Available
• Platform: Cross Platform
• Title: Symantec Brightmail AntiSpam Winmail.DAT Decomposer Denial of Service
• Description: Symantec Brightmail AntiSpam is an anti-spam product that runs at the gateway. It is reported to be vulnerable to a denial of service issue. The issue presents itself when the application processes a message that includes a MIME attachment that contains an embedded "winmail.dat" object.
• Ref: http://secunia.com/advisories/16733/

• 05.36.12 - CVE: CAN-2005-1433
• Platform: Cross Platform
• Title: HP OpenView Event Correlation Services Unspecified Remote Privilege Escalation
• Description: The HP OpenView Event Correlation Service is prone to an unspecified privilege escalation vulnerability. This vulnerability may be exploited by a remote attacker. HP OpenView Event Correlation Services versions 3.33, 3.32 and 3.31 are reportedly affected by this issue. HP has released security bulletin HPSBMA01225 dealing with this issue.
• Ref: http://www.securityfocus.com/bid/14737

• 05.36.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Squid Proxy SSLConnectTimeout Remote Denial Of Service
• Description: Squid Proxy is a freely available, open source web proxy software package. Squid Proxy is affected by a remote denial of service vulnerability. Squid Proxy versions 2.5 .STABLE9 and earlier are known to be vulnerable.
• Ref: http://www.squid-cache.org/bugs/show_bug.cgi?id=1355

• 05.36.14 - CVE: Not Available
• Platform: Cross Platform
• Title: Multiple Vendor Web Vulnerability Scanners HTML Injection
• Description: N-Stealth and Nikto are web vulnerability scanners. They are reported to be vulnerable to an HTML injection issue due to improper sanitization of user-supplied input. Nikto version 1.35 and N-Stealth version 5.8 are reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/14717/info

• 05.36.15 - CVE: CAN-2005-1758
• Platform: Cross Platform
• Title: NetMail Remote IMAP Heap Buffer Overflow
• Description: Novell NetMail is an e-mail and calendaring application. It is vulnerable to a buffer overflow issue in the IMAP command continuation function in the IMAP agent. Novell NetMail versions 3.52B and ealier are vulnerable.
• Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971588.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971590.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971591.htm

• 05.36.16 - CVE: Not Available
• Platform: Cross Platform
• Title: OpenSSH DynamicForward Inadvertent GatewayPorts Activation
• Description: OpenSSH is a freely available, open source implementation of the Secure Shell protocol. OpenSSH is susceptible to a vulnerability that causes improper activation of the "GatewayPorts" option, allowing unintended hosts to utilize the SSH SOCKS proxy. This vulnerability allows remote attackers to utilize the SOCKS proxy to make arbitrary TCP connections through the configured SSH session. This issue affects OpenSSH 4.0 and 4.1.
• Ref: http://www.mindrot.org/pipermail/openssh-unix-announce/2005-September/000083.htm
  l

• 05.36.17 - CVE: Not Available
• Platform: Cross Platform
• Title: OpenSSH GSSAPI Credential Disclosure Vulnerability
• Description: OpenSSH is reported to be vulnerable to a GSSAPI credential delegation issue. When a user has GSSAPI authentication configured and "GSSAPIDelegateCredentials" enabled, their kerberos credentials will be forwarded to remote hosts. OpenSSH versions prior to 4.2 are reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/14729

• 05.36.18 - CVE: CAN-2005-2812
• Platform: Web Application
• Title: man2web Multiple Scripts Command Execution
• Description: man2web is a web based application that converts man pages to HTML. man2web is affected by a command execution vulnerability caused by improper sanitization of user-supplied input to the "man-cgi", "man2web", and "man2html" scripts. man2web versions 0.88 and 0.87 are vulnerable.
• Ref: http://www.securityfocus.com/bid/14747

• 05.36.19 - CVE: Not Available
• Platform: Web Application
• Title: Land Down Under Events.PHP HTML Injection
• Description: Land Down Under is a content management system that is prone to an HTML Injection vulnerability. This issue is caused by improper sanitization of user-supplied input through the "Description" field of the "events.php?m=add" page. Land Down Under versions 801 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/14746

• 05.36.20 - CVE: Not Available
• Platform: Web Application
• Title: Feedback Form Perl Script CHFeedBack.PL Unauthorized Mail Relay
• Description: chfeedback.pl is a feedback form perl script available from thesitewizard.com. It is prone to a vulnerability that allows the application to be abused as a mail relay. This issue is due to a failure in the script to properly sanitize user-supplied input. chfeedback.pl version 2.0.1 is affected.
• Ref: http://www.securityfocus.com/bid/14749

• 05.36.21 - CVE: Not Available
• Platform: Web Application
• Title: Unclassified NewsBoard Description Field HTML Injection
• Description: Unclassified NewsBoard is a Web-based message board system. It is vulnerable to an HTML injection issue due to a failure in the application to properly sanitize user-supplied input to the "Description" field of the "forum.php" script. An attacker could exploit this issue to steal cookie-based authentication credentials and perform other attacks. Unclassified NewsBoard version 1.5.3 is vulnerable.
• Ref: http://www.securityfocus.com/bid/14748/info

• 05.36.22 - CVE: Not Available
• Platform: Web Application
• Title: MAXdev MD-Pro Arbitrary Remote File Upload
• Description: MAXdev MD-Pro is a content management system implemented in PHP. It is reported to be vulnerable to an arbitrary file upload issue due to improper sanitization of user-supplied input. MD-Pro version 1.0.73 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/14750

• 05.36.23 - CVE: Not Available
• Platform: Web Application
• Title: MAXdev MD-Pro Multiple Cross-Site Scripting Vulnerabilities
• Description: MAXdev MD-Pro is a content management application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user supplied input to the "print", "subjects", and "Messages" modules. MAXdev MD-Pro versions 1.0.73 and earlier are reported to be vulnerable.
• Ref: http://www.securityfocus.com/archive/1/409689

• 05.36.24 - CVE: Not Available
• Platform: Web Application
• Title: GuppY PrintFAQ.PHP Cross-Site Scripting
• Description: GuppY is web portal software implemented in PHP. GuppY is affected by a cross-site scripting vulnerability. GuppY versions 4.5.3a and earlier are known to be vulnerable.
• Ref: http://www.securityfocus.com/bid/14752

• 05.36.25 - CVE: Not Available
• Platform: Web Application
• Title: GuppY Error.PHP HTML Injection
• Description: GuppY is web portal software implemented in PHP. GuppY is prone to an HTML injection vulnerability caused by improper sanitization of user-supplied input to the "Referer" and "User-Agent" HTTP headers submitted to the "error.php" script. GuppY versions 4.5.3a and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/14753

• 05.36.26 - CVE: Not Available
• Platform: Web Application
• Title: MyBulletinBoard Forumdisplay.PHP Cross-Site Scripting
• Description: MyBulletinBoard is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "datecut" parameter of the "forumdisplay.php" script. MyBulletinBoard versions RC4 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/14754

• 05.36.27 - CVE: Not Available
• Platform: Web Application
• Title: myBloggie login.php SQL Injection
• Description: myBloggie is a weblog application. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "login.php" script before using it in an SQL query. An attacker could exploit this issue to pass malicious input to database queries, resulting in compromise of the application. MyBloggie versions 2.1.1 to 2.1.3 are vulnerable.
• Ref: http://mywebland.com/forums/showtopic.php?t=399

• 05.36.28 - CVE: Not Available
• Platform: Web Application
• Title: MAXdev MD-Pro Cross-Site Scripting
• Description: MAXdev MD-Pro is a content management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of the "wl-search.php" and "dl-search.php" scripts. MAXdev MD-Pro version 1.0.72 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/14742/info

• 05.36.29 - CVE: Not Available
• Platform: Web Application
• Title: SqWebMail HTML Email Script Tag Script Injection
• Description: SqWebMail is a web-based mail application written in PHP. SqWebMail is affected by a script tag injection vulnerability. SqWebMail versions 5.0.4 and earlier are known to be vulnerable.
• Ref: http://secunia.com/secunia_research/2005-44/advisory/

• 05.36.30 - CVE: Not Available
• Platform: Web Application
• Title: PBLang Bulletin Board System Multiple Remote Vulnerabilities
• Description: PBLang is a bulletin board application. It is vulnerable to multiple remote issues such as an access validation error. PBLand Bulletin Board versions 4.66 and earlier are reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/14728

• 05.36.31 - CVE: CAN-2005-2837
• Platform: Web Application
• Title: Plain Black Software WebGUI Remote Perl Command Execution Vulnerabilities
• Description: WebGUI may be exploited to execute arbitrary Perl commands. This issue presents itself due to insufficient sanitization of user-supplied data to parameters of multiple scripts. Versions of WebGUI prior to 6.7.3 are vulnerable. Ref: http://www.plainblack.com/getwebgui/advisories/security-exploit-found-in-6.x-versions

• 05.36.32 - CVE: Not Available
• Platform: Web Application
• Title: DownFile Multiple Cross-Site Scripting Vulnerabilities
• Description: DownFile is a web-based file repository implemented in PHP. It is prone to multiple cross-site scripting vulnerabilities. These issues are due to insufficient sanitization of user-supplied input to the "id" parameter of the "email.php", "index.php", "del.php" and "add_form.php" scripts. DownFile version 1.3 is reported to be affected.
• Ref: http://www.securityfocus.com/bid/14713

• 05.36.33 - CVE: Not Available
• Platform: Web Application
• Title: DownFile Administrator Unauthorized Access
• Description: DownFile is a web-based file repository. It is vulnerable to an unauthorized access issue due to a failure in the application to perform proper authentication before granting access to administrative functions. An attacker could exploit this issue to gain administrative access to the application. DownFile version 1.3 is vulnerable.
• Ref: http://www.securityfocus.com/bid/14714/info

• 05.36.34 - CVE: Not Available
• Platform: Web Application
• Title: Greymatter Gm.CGI HTML Injection
• Description: GreyMatter is a web blog system. It is vulnerable to an HTML injection issue due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content. An attacker could run arbitrary code in the context of the web server and may be able to control how the site is rendered to the user. GreyMatter version 1.3.1 is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/409649

• 05.36.35 - CVE: Not Available
• Platform: Web Application
• Title: CMS Made Simple Cross-Site Scripting
• Description: CMS Made Simple is a content management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "nls" parameter of the "/admin/lang.php" script. CMS Made Simple versions 0.10 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/409654

• 05.36.36 - CVE: CAN-2005-2761
• Platform: Web Application
• Title: PHPGroupWare Main Screen Message Script Injection
• Description: PHPGroupWare is a multi-user groupware suite written in PHP. It is prone to a script injection vulnerability. A malicious admin user can inject any script code into the main screen message of the PHPGroupWare site through the admin pages. Various versions of PHPGroupWare 0.9.16 are vulnerable.
• Ref: http://savannah.gnu.org/bugs/?func=detailitem&item_id=13863

• 05.36.37 - CVE: Not Available
• Platform: Web Application
• Title: gBook Multiple Unspecified Cross-Site Scripting Vulnerabilities
• Description: gBook is a web-based guestbook implemented using CGI scripts. gBook is prone to multiple unspecified cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. gBook versions 1.0.1 and 1.0 are vulnerable.
• Ref: http://www.securityfocus.com/bid/14725

• 05.36.38 - CVE: Not Available
• Platform: Web Application
• Title: Phorum Register.PHP Cross-Site Scripting
• Description: Phorum is a web-based content management system. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "Username" parameter of the "register.php" script. An attacker may leverage this issue to steal cookie based authentication credentials or perform other attacks. Phorum versions earlier than 5.0.18 are vulnerable.
• Ref: http://www.securityfocus.com/bid/14726/info

• 05.36.39 - CVE: Not Available
• Platform: Network Device
• Title: Cisco IOS Firewall Authentication Proxy Buffer Overflow
• Description: Cisco IOS Firewall Authentication Proxy is a feature that allows administrators to assign specific security policies on a per-user basis. The IOS Firewall Authentication Proxy is affected by a buffer overflow vulnerability. Cisco IOS versions 12.4T and earlier are known to be vulnerable.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml

• 05.36.40 - CVE: Not Available
• Platform: Network Device
• Title: Barracuda Spam Firewall IMG.PL Remote Command Execution
• Description: Barracuda Spam Firewall is an appliance that provides spam and virus protection. It is prone to a remote arbitrary command execution vulnerability due to insufficient sanitization of user-supplied input to the "f" parameter of the "img.pl" script. Barracuda Spam Firewall firmware versions 3.1.17 and prior are affected by this issue.
• Ref: http://www.securityfocus.com/bid/14712

• 05.36.41 - CVE: Not Available
• Platform: Network Device
• Title: Barracuda Spam Firewall IMG.PL Remote Directory Traversal
• Description: Barracuda Spam Firewall is an appliance that provides spam and virus protection. It is affected by a directory traversal vulnerability. Barracuda Spam Firewall firmware versions 3.1.17 and earlier are known to be vulnerable.
• Ref: http://www.securityfocus.com/archive/1/409665

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.