@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 37
September 16, 2005

Firefox, Netscape and Mozilla browsers have a critical vulnerability this week. (#1)

A question about value: If @RISK is important to the security of your organization, please let us know how you are using it. (apaller@sans.org)

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Other Microsoft Products    2
    Third Party Windows Apps    4 (#4)
    Mac Os                      1
    Linux                       4 (#3)
    Unix                        6 (#1, #2)
    Cross Platform              7
    Web Application             25 (#5)
    Network Device              4 (#6)

********************* Sponsored by Permeo Technologies ******************

FREE SSL VPN Buyer's Guide

Need help selecting a SSL VPN solution ideal for your environment? Download security analyst Mark Bourchard's latest buyer's guide. You'll get expert advice on how to evaluate SSL VPN technology including a list of features to look for and implementation best practices. Download a copy today!

http://www.permeo.com/info/sans_bestpractices.asp

************************ Sponsored Links: *******************************

1) Don't be found non-compliant! Free white paper details compliance requirements for computer forensic capability. http://www.sans.org/info.php?id=876

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Unix
Cross Platform
Web Application
Network Device

Part I is compiled by Dinesh Sequeira (dinesh_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process Archives at http://www.sans.org/newsletters/risk

PART I Critical Vulnerabilities

Widely Deployed Software
  • (1) CRITICAL: Gecko-based browsers IDN URI Domain Name Buffer Overflow
  • Affected:
    • Firefox 1.0.6 and prior
    • Firefox 1.5 Beta 1 (Deer Park Alpha 2)
    • Netscape 7.x and 8.x
    • Mozilla Suite 1.7.11 and prior
  • Description: International Domain Names (IDN) are domain names, or web addresses, represented in local-language characters, i.e. using non-ASCII characters. Gecko-based browsers (Gecko is the web browser layout engine used by Firefox and Netscape) are vulnerable to a heap-based buffer overflow when parsing certain IDN-encoded URIs. An attacker could entice a user to view an HTML document with a malformed hyperlink containing a long string of ONLY Unicode "soft hyphens" (U+00AD, hex AD) as the domain name in the URI, and thus cause a DoS or execute arbitrary code on the affected system.

  • Status: Mozilla Foundation has issued a patch and also has a quick fix by manually configuring the browser to disable IDN.

  • Council Site Actions: The reporting council sites using the affected software plan to distribute the patch during their next regularly scheduled system update process or remove Netscape 7.x from their desktops since they recently implemented an ActiveX filtering solution and no longer need an alternate browser on their desktop.

  • References:
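As an added illustration of the condition in item (1), the following Python check (written for this bulletin, not code from the advisory or from Mozilla) pulls the hyperlinks out of an HTML document and flags any host whose label collapses to nothing under the Nameprep mapping step: RFC 3454 table B.1 maps U+00AD SOFT HYPHEN to nothing, so a domain name made only of soft hyphens, as described above, becomes an empty label. The sample HTML and host names are constructed; a gateway or mail filter could apply the same test before links reach a vulnerable browser.

```python
"""Audit hyperlinks for IDN host labels that vanish under Nameprep.

Added example for the Gecko IDN item; not code from the advisory or from
Mozilla. The HTML, host names and link text below are constructed.
"""
import stringprep
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

SOFT_HYPHEN = "\u00ad"  # U+00AD, the character the advisory describes


def nameprep_map(label: str) -> str:
    """Mapping step of Nameprep (RFC 3454): drop table B.1 code points,
    which are 'commonly mapped to nothing' and include U+00AD SOFT HYPHEN,
    then NFKC-normalise whatever is left."""
    kept = "".join(ch for ch in label if not stringprep.in_table_b1(ch))
    return unicodedata.normalize("NFKC", kept)


def classify_host(host: str) -> str:
    """Say how a host name's labels survive Nameprep.

    'ascii'     - plain ASCII host, nothing to map
    'idn'       - non-ASCII host whose labels all stay non-empty
    'collapsed' - some non-empty label maps to the empty string; a label
                  made only of soft hyphens, as in the advisory, does this
    """
    if host.isascii():
        return "ascii"
    for label in host.split("."):
        if label and not nameprep_map(label):
            return "collapsed"
    return "idn"


class _HrefCollector(HTMLParser):
    """Collect href values from <a> tags. HTMLParser decodes entity
    references, so &#xAD; and a literal U+00AD look the same here."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def audit_links(html: str) -> list:
    """Return (href, host, verdict, soft_hyphen_count) for each link."""
    collector = _HrefCollector()
    collector.feed(html)
    results = []
    for href in collector.hrefs:
        host = urlsplit(href).hostname or ""
        results.append((href, host, classify_host(host), host.count(SOFT_HYPHEN)))
    return results


# Constructed sample page: an ordinary link, a well-formed IDN link, and a
# link whose entire host is a long run of soft hyphens.
SAMPLE_HTML = (
    "<html><body>"
    '<a href="http://www.example.com/index.html">plain</a>'
    '<a href="http://b\u00fccher.example/">idn</a>'
    '<a href="http://' + SOFT_HYPHEN * 300 + '/">collapsed</a>'
    "</body></html>"
)


if __name__ == "__main__":
    for href, host, verdict, count in audit_links(SAMPLE_HTML):
        print(verdict, "soft_hyphens=%d" % count, "host=%r" % host[:24])
```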
  • (2) MODERATE: Generated Oracle Reports SQL Injection Vulnerability
  • Affected: All generated Oracle Reports using lexical references since Oracle Reports 2.0
  • Description: Oracle Reports, a component of Oracle Application Server and Oracle E-Business Suite, is an enterprise-class reporting tool with a feature called "lexical references". A lexical reference is a placeholder for text that is embedded in a SELECT statement. Generated Oracle Reports are vulnerable to SQL injection if lexical references are used without input validation. An attacker can add a parameter to the URL used to execute an Oracle Report, which causes an HTML window to appear. It is then possible to replace clauses appearing after SELECT, FROM, WHERE, GROUP BY, ORDER BY, HAVING, CONNECT BY and START WITH. PoC code is available. NOTE: This issue is not a bug in Oracle Reports itself. It is a problem of missing input validation in all generated Oracle Reports.

  • Status: No patch is available. It is necessary to validate all parameter values in every report, in an After-Parameter-Form trigger, before the SQL statement is executed.

  • Council Site Actions: This item came in too late to ask for feedback from Council sites.

  • References:
Other Software
  • (3) HIGH: RaXnet Cacti Graph_Image.Php Remote Command Execution Vulnerability
  • Affected: RaXnet Cacti 0.8.6d and prior
  • Description: Cacti is a Linux network graphing solution that creates graphs from database information. Due to improper sanitization of the user-supplied 'graph_start' parameter in the 'graph_image.php' script, a remote attacker could execute arbitrary commands on the web server hosting the vulnerable software. The postings include PoC code, and exploits are available.

  • Status: Download the latest version, available at the vendor's website.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) MODERATE: NOD32 Anti-Virus ARJ Archive Handling Buffer Overflow
  • Affected: NOD32 for Windows NT/2000/2003/XP Trial Version 2.5 (with nod32.002 version 1.033 build 1127)
  • Description: NOD32 AntiVirus System is an anti-virus program for Windows, Unix/Linux, Novell and mail servers such as MS Exchange and Lotus Domino. A vulnerability exists due to an error in handling ARJ archives containing compressed files with an overly long filename. Scanning a specially crafted ARJ archive causes a heap-based buffer overflow that could allow arbitrary code execution.

  • Status: Update to the latest version, available at the vendor's website.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) MODERATE: PHP-Nuke Multiple SQL Injection Vulnerabilities
  • Affected: PHP-Nuke 7.8 and prior.
  • Description: PHP-Nuke is an automated news system designed for use on intranets and the Internet. Multiple SQL injection vulnerabilities are present because input to the "name", "sid", and "pid" parameters of "modules.php", sent via a POST request, is not properly sanitised before being used in an SQL query. Successful exploitation could lead to compromise of the application. PoC code is available.

  • Status: No patch is available

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (6) MODERATE: Cisco Content Services Switches (CSS) SSL Authentication Bypass
  • Affected:
    • Cisco CSS 11500 Content Services Switches with the CSS5-SSL-K9 SSL module.
    • Cisco CSS 11501 Content Services Switch with SSL (CSS11501S-K9).
  • Description: The Cisco CSS 11500 Series Content Services Switch is a modular high-end switch for Web infrastructure. A vulnerability exists when client authentication using SSL certificates is enabled AND SSL encryption is performed. The device may fail to properly renegotiate the SSL session, allowing an attacker to bypass client certificate authentication and thus access protected content without authorization.

  • Status: A patch and a workaround are available at the vendor's website.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 37, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4499 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.37.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft IIS WebDAV HTTP Request Source Code Disclosure
  • Description: Microsoft IIS is a web server implementation. It is affected by a remote script source disclosure vulnerability due to a failure of the application to properly handle WebDAV HTTP requests with a "Translate: f" HTTP header containing Unicode characters in the file name. Microsoft IIS 5.1 is vulnerable.
  • Ref: http://ingehenriksen.blogspot.com/2005/09/iis-51-allows-for-remote-viewing-of.html

  • 05.37.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Exchange Server 2003 Exchange Information Store Denial of Service
  • Description: Microsoft Exchange Server 2003 is prone to a denial of service vulnerability. This condition may occur in some circumstances when a user tries to list public folders via IMAP4rev1. All current versions of Microsoft Exchange 2003 are vulnerable.
  • Ref: http://support.microsoft.com/kb/840123

  • 05.37.3 - CVE: CAN-2005-1250
  • Platform: Third Party Windows Apps
  • Title: Ipswitch Whatsup Small Business 2004 File Disclosure
  • Description: Ipswitch Whatsup Small Business 2004 is a traffic monitoring application written for Microsoft Windows. Ipswitch Whatsup Gold is prone to a file disclosure vulnerability. This is due to a lack of proper sanitization of user-supplied input. A remote attacker may exploit this vulnerability to reveal files that contain potentially sensitive information.
  • Ref: http://www.securityfocus.com/bid/14792/

  • 05.37.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ipswitch Whatsup Gold Map.ASP Cross-Site Scripting
  • Description: Ipswitch Whatsup Gold is a traffic monitoring application written for Microsoft Windows. Ipswitch Whatsup Gold is prone to a cross-site scripting vulnerability. This issue is due to a lack of proper sanitization of user-supplied input to the "Map.ASP" script.
  • Ref: http://www.cirt.dk/advisories/cirt-35-advisory.pdf

  • 05.37.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: COOL! Remote Control Remote Denial of Service
  • Description: COOL! Remote Control is a remote control application for Microsoft Windows. It is vulnerable to a remote denial of service vulnerability. The vulnerability presents itself when an attacker sends malformed TCP packets containing specially crafted data in the form of remote commands to the client or server component of the application. COOL! Remote Control version 1.12 is affected by this issue. Other versions may be vulnerable as well.
  • Ref: http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=90

  • 05.37.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AVIRA Desktop for Windows ACE Archive Handling Remote Buffer Overflow
  • Description: AVIRA Desktop for Windows is antivirus software for Windows. It is affected by a remote buffer overflow vulnerability when handling ACE archives. This issue arises because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers. An attacker may exploit this vulnerability to gain unauthorized remote access in the context of SYSTEM. Desktop for Windows version 1.00.00.68 running AVPACK32.DLL version 6.31.0.3 is reportedly vulnerable.
  • Ref: http://www.avira.com/en/news/avira_desktop_for_windows_patched_against_vulnerability.html

  • 05.37.7 - CVE: CAN-2005-2530
  • Platform: Mac Os
  • Title: Apple Mac OS X Untrusted Java Applet Privilege Escalation
  • Description: Apple Mac OS X is prone to a vulnerability that can allow an untrusted Java applet to gain elevated privileges. This issue likely results from a design error, however, this has not been confirmed. This issue is only specific to Java running on Mac OS X versions 10.3.9 and earlier.
  • Ref: http://www.securityfocus.com/advisories/9260

  • 05.37.8 - CVE: CAN-2005-2802
  • Platform: Linux
  • Title: Linux Kernel Netfilter ipt_recent Remote Denial of Service
  • Description: The Netfilter project maintains the packet filter component of the Linux kernel. The "ipt_recent" module can be used with Netfilter to verify if a source address has been recently seen. The "ipt_recent" module in the Linux Kernel is reported prone to a local denial of service vulnerability which can be exploited by sending specially crafted packets such as packets used to carry out an SSH brute force attack. Linux Kernel versions 2.6.8 and 2.6.10 are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/9223

  • 05.37.9 - CVE: Not Available
  • Platform: Linux
  • Title: Mailutils Imap4D Search Format String
  • Description: GNU Mailutils "imap4d" is an email daemon. It is vulnerable to a remote search format string issue due to insufficient sanitization of user input to the search commands. GNU Mailutils version 0.6 is reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=303&type=vulnerabilities

  • 05.37.10 - CVE: Not Available
  • Platform: Linux
  • Title: KAudioCreator CDDB Arbitrary File Overwrite
  • Description: KAudioCreator is an audio file creation solution for KDE. It is reported to be vulnerable to an arbitrary file overwrite vulnerability due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/14805

  • 05.37.11 - CVE: Not Available
  • Platform: Linux
  • Title: Mark D. Roth PAM_Per_User Authentication Bypass
  • Description: Mark D. Roth pam_per_user is a PAM module package designed to allow for flexible configuration by allowing administrators to setup different per-user authentication methods. Pam_per_user is affected by an authentication bypass vulnerability. Pam_per_user versions 0.3 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/410283

  • 05.37.12 - CVE: Not Available
  • Platform: Unix
  • Title: IBM OS/400 Malformed SNMP Requests Remote Denial of Service
  • Description: IBM OS/400 contains support for SNMP via the QSYS/QTMSNMP job. It is susceptible to a remote denial of service vulnerability affecting its SNMP services. This issue presents itself due to the "*NOWRAP" specification in the error logging configuration of the SNMP process. IBM OS/400 V5R1M0 is vulnerable.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=nas3798333f3a95c6c3886256c0e0047b28e

  • 05.37.13 - CVE: Not Available
  • Platform: Unix
  • Title: rdiff-backup Directory Access Restriction Bypass
  • Description: rdiff-backup is used to back up one directory to another over a network. rdiff-backup is affected by a directory access restriction bypass vulnerability. This issue results from an access validation error and it allows attackers to bypass directory access restrictions enforced by the "--restrict", "--restrict-read-only", and "--restrict-update-only" options. rdiff-backup versions 1.0 and earlier are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/14804

  • 05.37.14 - CVE: Not Available
  • Platform: Unix
  • Title: TMSNC Unspecified Format String
  • Description: TMSNC is a text based MSN client. TMSNC is prone to an unspecified format string vulnerability. Successful exploitation could cause the application to fail or may allow remote arbitrary code execution. TMSNC version 0.2.4 is affected.
  • Ref: http://www.securityfocus.com/bid/14810

  • 05.37.15 - CVE: Not Available
  • Platform: Unix
  • Title: Squid Proxy Aborted Requests Remote Denial of Service
  • Description: Squid Proxy is a freely available, open source Web proxy software package. A remote denial of service vulnerability affects the Squid Proxy. This issue is due to a failure of the application to properly handle exceptional network requests. A remote attacker may leverage this issue to crash the affected Squid Proxy, denying service to legitimate users.
  • Ref: http://www.securityfocus.com/bid/14761

  • 05.37.16 - CVE: Not Available
  • Platform: Unix
  • Title: FreeRADIUS Multiple Remote Vulnerabilities
  • Description: FreeRADIUS is an open source implementation of the RADIUS protocol. It is vulnerable to multiple remote vulnerabilities which can be used by remote attackers to crash the service and possibly run arbitrary code. FreeRADIUS version 1.0.4 is vulnerable to this issue.
  • Ref: http://www.freeradius.org/security.html

  • 05.37.17 - CVE: Not Available
  • Platform: Unix
  • Title: Distributed Checksum ClearingHouse Denial of Service
  • Description: Distributed Checksum ClearingHouse is an anti-spam content filter. It is vulnerable to a denial of service due to insufficient handling of malformed messages. Distributed Checksum ClearingHouse DCC versions 1.3.15 and earlier are reported to be vulnerable.
  • Ref: http://www.rhyolite.com/anti-spam/dcc/CHANGES

  • 05.37.18 - CVE: CAN-2005-2871
  • Platform: Cross Platform
  • Title: Mozilla/Netscape/Firefox Browsers Domain Name Remote Buffer Overflow
  • Description: Mozilla, Netscape and Firefox are Web browsers that are based on the Gecko engine. They are reported prone to a remote buffer overflow vulnerability caused when an affected browser handles a malformed URI containing a domain name consisting of "-" characters. Firefox versions 1.0.6 and 1.5 Beta 1 are vulnerable to this issue. Mozilla version 1.7.11, Netscape versions 8.0.3.3 and 7.2 are affected as well.
  • Ref: http://www.securityfocus.com/bid/14784

  • 05.37.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Web Proxy Server Unspecified Denial of Service
  • Description: Sun Java System Web Proxy Server (formerly Sun ONE Proxy Server) is a proxy server. It is reported to be vulnerable to an unspecified remote denial of service issue. Sun Java Web Proxy Server versions 3.6 SP7 and earlier are reported to be vulnerable.
  • Ref: https://vuln.intranet.qualys.com:8443/sans/edit.php?id=36.45

  • 05.37.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zebedee Remote Denial of Service
  • Description: Zebedee is a freely available, open source, secure IP tunnel application. Zebedee is affected by a remote denial of service vulnerability. Zebedee versions 2.4.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/410157

  • 05.37.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Snort PrintTcpOptions Remote Denial of Service
  • Description: Snort is an intrusion detection system. It is reported prone to a remote denial of service vulnerability. The vulnerability exists in the "PrintTcpOptions()" function of "log.c", and is a result of a failure to sufficiently handle packets that contain the TCP SACK option. It should be noted that the vulnerable code path is only executed when Snort is run with the "-v" (verbose) flag. This vulnerability is reported to affect Snort versions 2.0.0 to 2.4.0.
  • Ref: http://www.securityfocus.com/archive/1/410291

  • 05.37.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Application Server Disclosure
  • Description: Sun Java System Application Server is affected by an information disclosure vulnerability. Sun Java System Application Server Platform Editions 8.1 2005 Q1 UR1 and earlier are known to be vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101905-1&searchclause=

  • 05.37.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NOD32 Antivirus ARJ Archive Handling Remote Buffer Overflow
  • Description: Eset Software's NOD32 Antivirus System is a cross-platform antivirus application. It is reported to be vulnerable to a remote buffer overflow issue when handling ARJ archives. NOD32 for Windows version 2.5 running nod32.002 version 1.033 build 1127 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14773

  • 05.37.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SecurePlatform NGX Firewall Rules Bypass
  • Description: Check Point SecurePlatform NGX is a platform of network security applications. It is vulnerable to a firewall rules bypass issue due to insufficient implementation of expected firewall rules. Check Point Software SecurePlatform NGX version R60 Build 244 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/409877

  • 05.37.25 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard RateThread.PHP SQL Injection
  • Description: MyBulletinBoard is a web-based bulletin board system written in PHP. MyBulletinBoard is prone to an SQL injection vulnerability as a result of improper sanitization of user-supplied input to the "rating" field of the "ratethread.php" script. MyBulletinBoard version 1.0 PR2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14786

  • 05.37.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Sawmill Unspecified Cross-Site Scripting
  • Description: Sawmill is a log file analysis application with a web enabled interface that utilizes a MySQL database backend. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input. Sawmill version 7.1.13 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14789

  • 05.37.27 - CVE: Not Available
  • Platform: Web Application
  • Title: phpTagCool HTTP Header SQL Injection Vulnerability
  • Description: phpTagCool is a web-based comment system. It is reported to be prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "X-Forwarded-For" HTTP header. phpTagCool version 1.0.3 is reported to be vulnerable to the issue.
  • Ref: http://www.securityfocus.com/bid/14814

  • 05.37.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Mall23 Infopage.ASP SQL Injection
  • Description: Mall23 is an ecommerce application written in ASP. It is vulnerable to an SQL injection issue due to lack of proper sanitization of user-supplied input to the "idPage" variable of the "infopage.asp" script.
  • Ref: http://systemsecure.org/ssforum/viewtopic.php?t=219

  • 05.37.29 - CVE: CAN-2005-2193
  • Platform: Web Application
  • Title: PunBB Multiple SQL Injection Vulnerabilities
  • Description: PunBB is a bulletin board application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user supplied input before using it in SQL queries. PunBB versions 1.2.6 and earlier are vulnerable.
  • Ref: http://www.punbb.org/changelogs/1.2.6_to_1.2.7.txt

  • 05.37.30 - CVE: Not Available
  • Platform: Web Application
  • Title: PunBB BBCode URL Tag HTML Injection
  • Description: PunBB is a bulletin board application written in PHP. PunBB is prone to an HTML injection vulnerability caused by improper sanitization of user-supplied input to the BBCode "url" tag. PunBB versions 1.2.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/14808

  • 05.37.31 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNuke Multiple SQL Injection Vulnerabilities
  • Description: PHPNuke is a web-based content management application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of the "name", "pid" and "sid" parameters of the "modules.php" script. PHPNuke version 7.8 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/410314

  • 05.37.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Azerbaijan Development Group AzDGDatingLite Directory Traversal
  • Description: AzDGDatingLite is web-based forum software that is prone to a directory traversal vulnerability. The "/include/security.inc.php" script does not properly sanitize user-supplied input of directory traversal strings. To exploit this vulnerability, an attacker supplies directory traversal strings followed by a filename and a NULL byte character and includes an arbitrary local file. AzDGDatingLite version 2.1.3 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/410394

  • 05.37.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Subscribe Me Pro S.PL Remote Directory Traversal
  • Description: Subscribe Me Pro is an application designed to build, maintain, and track mailing lists. It is prone to a directory traversal vulnerability caused by improper sanitization of user-supplied input to the "l" parameter of the "s.pl" script. Subscribe Me Pro versions 2.044.09P and earlier are affected by this vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/410402

  • 05.37.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Handy Address Book Server Cross-Site Scripting
  • Description: Handy Address Book Server is a web-based contact manager and address book application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "SEARCHTEXT" parameter of the search function in the application. Handy Address Book Server version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/14818

  • 05.37.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Mail-it Now! Upload2Server Arbitrary File Upload
  • Description: Mail-it Now! Upload2Server is a PHP script for checking various attributes of an email message and uploading them to the server. It is vulnerable to an arbitrary file upload issue due to a failure in the application to properly sanitize user-supplied input before uploading files. Mail-it Now! Upload2Server versions 1.5 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14821/info

  • 05.37.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Land Down Under Multiple SQL Injection Vulnerabilities
  • Description: Land Down Under is a content management system. It is reported to be vulnerable to multiple SQL injection issues due to improper sanitization of user-supplied input to the "m" parameter of the "auth.php" script, the "f" parameter of the "events.php" script, and the "e" parameter of the "plug.php" script. Land Down Under version 801 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14820

  • 05.37.37 - CVE: Not Available
  • Platform: Web Application
  • Title: ATutor Password_Reminder.PHP SQL Injection
  • Description: ATutor is a web-based Learning Content Management System. It is prone to an SQL injection vulnerability that is caused by improper sanitization of user-supplied input to the "email" field of the "password_reminder.php" script. ATutor version 1.5.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/410582

  • 05.37.38 - CVE: CAN-2005-2865
  • Platform: Web Application
  • Title: aMember Remote File Include
  • Description: aMember is a PHP application that manages membership and subscription for a Web site. aMember is prone to a remote file include vulnerability. Input passed to various scripts is not sufficiently sanitized. aMember Pro version 2.3.4 is reportedly affected.
  • Ref: http://www.packetstormsecurity.org/0509-exploits/aMemberPro234.txt

  • 05.37.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Mimicboard2 Mimic2.Dat Unauthorized Access
  • Description: Mimicboard2 is Web blog software affected by an unauthorized access vulnerability. This issue is due to a failure in the application to perform any user authentication before granting access to privileged information stored in the "mimic2.dat" file. Mimicboard2 version 086 is vulnerable.
  • Ref: http://exploitlabs.com/files/advisories/EXPL-A-2005-013-mimic2.txt

  • 05.37.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Mimicboard2 Multiple HTML Injection Vulnerabilities
  • Description: Mimicboard2 is web blog software implemented in Perl. It is prone to multiple HTML injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "name", "comment" and "title" fields of a blog entry before using it in dynamically generated content. Mimicboard2 version 086 is reported to be vulnerable.
  • Ref: http://exploitlabs.com/files/advisories/EXPL-A-2005-013-mimic2.txt

  • 05.37.41 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard Multiple SQL Injection Vulnerabilities
  • Description: MyBulletinBoard is a bulletin board application and it is prone to multiple SQL injection vulnerabilities. These issues are due to improper sanitization of user-supplied input to the "fid" parameter of the "misc.php" script and the "icon" input field of the "newreply.php" script. MyBulletinBoard version PR2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/409743

  • 05.37.42 - CVE: Not Available
  • Platform: Web Application
  • Title: PBLang Bulletin Board System SetCookie.PHP Directory Traversal
  • Description: PBLang is a bulletin board system implemented in PHP. It is affected by a directory traversal vulnerability due to a failure in the application to properly sanitize user-supplied input to the "u" parameter of "setcookie.php" script. PBLang version 4.65 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/409808

  • 05.37.43 - CVE: Not Available
  • Platform: Web Application
  • Title: PBLang Bulletin Board System HTML Injection Vulnerability
  • Description: PBLang is a bulletin board system. It is reported to be vulnerable to an HTML injection issue due to improper sanitization of user-supplied input to the "location" field. PBLang version 4.65 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14766

  • 05.37.44 - CVE: CAN-2005-2323
  • Platform: Web Application
  • Title: Class-1 Forum SQL Injection
  • Description: Class-1 Forum is a web-based forum application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user supplied input to database queries. Class-1 Forum version 0.24.4 is vulnerable.
  • Ref: http://www.packetstormsecurity.org/0509-exploits/class1.html

  • 05.37.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Stylemotion WEB//NEWS Multiple SQL Injection
  • Description: WEB//NEWS is a news script with features of a content messaging system; it is implemented in PHP. WEB//NEWS is affected by multiple SQL injection vulnerabilities. WEB//NEWS versions 1.4 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/409876

  • 05.37.46 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard Forumdisplay.PHP Fid Parameter Cross-Site Scripting Vulnerability
  • Description: MyBulletinBoard is a web-based bulletin board system. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "fid" parameter of the "forumdisplay.php" script. MyBulletinBoard version 1.0 PR2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/14782

  • 05.37.47 - CVE: Not Available
  • Platform: Web Application
  • Title: phpCommunityCalendar Multiple SQL Injection Vulnerabilities
  • Description: phpCommunityCalendar is a calendar application written in PHP. It is prone to multiple SQL injection vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input to the "username" parameter of the "webadmin/login.php" script and the "LocationID" parameter of the "week.php" script. phpCommunityCalendar versions 4.0.3, 4.0.1 and 4.0 are vulnerable.
  • Ref: http://www.rgod.altervista.org/phpccal.html

  • 05.37.48 - CVE: Not Available
  • Platform: Web Application
  • Title: phpCommunityCalendar Multiple Remote Cross-Site Scripting Vulnerabilities
  • Description: phpCommunityCalendar is a calendar application written in PHP. It is affected by multiple remote cross-site scripting vulnerabilities that are caused by insufficient sanitization of user-supplied input to different parameters of various scripts. phpCommunityCalendar versions 4.0.3 and earlier are reported to be vulnerable.
  • Ref: http://www.rgod.altervista.org/phpccal.html

  • 05.37.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Open WebMail openwebmail-main.pl Cross-Site Scripting
  • Description: Open WebMail is a web-based mail application written in Perl/CGI. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input. The "sessionid" parameter of the "openwebmail-main.pl" script is vulnerable to injection of HTML and script code. Open WebMail version 2.41 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/14771

  • 05.37.50 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco CSS 11500 Series SSL Authentication Bypass
  • Description: Cisco CSS (Content Services Switches) 11500 Series devices are prone to an authentication bypass vulnerability. Cisco CSS 11500/11501 devices with the CSS5-SSL-K9/CSS11501S-K9 modules installed are known to be vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sn-20050908-css.shtml

  • 05.37.51 - CVE: Not Available
  • Platform: Network Device
  • Title: Ingate Administrative Interface Cross-Site Scripting
  • Description: Ingate Firewall and SIParator are hardware devices that use the IETF signaling protocol. They are vulnerable to a cross-site scripting issue due to a failure in sanitizing user-supplied input. Ingate SIParator versions 4.2.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/14812/info

  • 05.37.52 - CVE: Not Available
  • Platform: Network Device
  • Title: SMC SMC7904WBRA Wireless Router Remote Denial of Service
  • Description: The SMC SMC7904WBRA Wireless Router is a combined modem, router and switch that provides wireless network connectivity. It is affected by a remote denial of service vulnerability.
  • Ref: http://www.securityfocus.com/bid/14809

  • 05.37.53 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys WRT54G Multiple Remote Vulnerabilities
  • Description: Linksys WRT54G is a wireless router. It is vulnerable to multiple issues, including authentication weaknesses and denial of service attacks. Linksys WRT54G versions 4.0-4.20.6 and earlier are vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=306&type=vulnerabilities&flashstatus=true
    www.idefense.com/application/poi/display?id=307&type=vulnerabilities
    www.idefense.com/application/poi/display?id=308&type=vulnerabilities
    www.idefense.com/application/poi/display?id=305&type=vulnerabilities
    www.idefense.com/application/poi/display?id=304&type=vulnerabilities

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.