
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 4
January 27, 2005

We found three new sets of vulnerabilities at the last moment, in very widely used systems, and included them in this issue: (1) BIND vulnerabilities, (2) Cisco Multiple DoS Vulnerabilities (including VOIP), and (3) Juniper JunOS DoS.

Some interesting new data on training: the six most popular courses in information security over the past six months:

  • SANS Security Essentials
  • Hacker Techniques, Exploits and Incident Handling
  • Auditing Networks, Perimeters & Systems
  • Securing Windows
  • Firewalls, Perimeter Protection & VPNs
  • Preparation Courses for the ISC2 CISSP Exam
You can find them all being taught in the next 90 days in Orlando, Sydney (Australia), Houston and San Diego. See http://www.sans.org for dates.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week (numbers in parentheses refer to the Part I items covering that category):

    Category                    # of Updates & Vulnerabilities
    Other Microsoft Products    1 (#5)
    Third Party Windows Apps    2 (#1)
    Linux                       2
    Unix                        3
    Novell                      3
    Cross Platform              15 (#4, #6, #7)
    Web Application             13 (#8)
    Network Device              5 (#2, #3)

*************** Sponsored by SANS First Wednesday Webcasts **************

What is the future of spam prevention? And how has it changed over the years? Please join us on Wednesday, February 02 at 1:00 PM EST (1800 UTC) as SANS presents: Spam Prevention: Past, Present and Future Featuring: Hal Pomeranz. Hal is one of the nation's most respected security professionals and teachers, and founder and CEO of Deer Run Associates, a systems management and security consulting firm. You may register for this webcast at https://www.sans.org/webcasts/show.php?webcastid=90550

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Novell
Cross Platform
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: Sun Java Plug-in Security Bypass
  • Affected:
    • SDK and JRE versions 1.4.0, 1.4.2, 1.4.1_06 and prior, 1.3.1_12 and prior for Windows
  • Description: The Sun Java Plug-in, part of the Java Runtime Environment (JRE), lets applets on web sites run in a user's browser. The plug-in contains a flaw in its handling of JavaScript that can be exploited to bypass an applet's access restrictions: a malicious applet loaded in Internet Explorer can read and write files and execute applications on the user's system. Applets are downloaded and executed automatically in a typical Internet Explorer configuration (Medium security setting for the Internet zone), so the flaw can be exploited simply by viewing a malicious web page or an HTML email. The technical details required to construct a malicious applet have not yet been posted.

  • Status: Sun confirmed. Upgrade to SDK/JRE 1.4.2_01 or 1.3.1_13. Although the flaw is fixed in 1.4.2_01, it is better to upgrade to 1.4.2_06, which also fixes another, non-critical vulnerability in the Sun Java SDK/JRE.

  • Council Site Actions: Most of the reporting council sites are not running the affected software. Of the sites that are running affected versions, several sites have notified their support staff and plan no further action. The remaining few sites are in the process of patching their systems.

  • (2) MODERATE: Cisco IOS Multiple DoS Vulnerabilities
  • Affected:
    • Cisco IOS release trains 12.1YD, 12.2T, 12.3 and 12.3T configured for telephony services, Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST)
    • Cisco IOS configured to process IPv6 traffic
    • Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T (with MPLS support)
  • Description: Three separate denial-of-service flaws are covered here.
    (a) Cisco CME and SRST are embedded in Cisco IOS and provide call processing for IP phones, which the IOS device controls using the Skinny Call Control Protocol (SCCP). IOS contains a flaw in processing SCCP packets: specially crafted SCCP packets cause the device to reload, so the flaw can be used to disrupt a VoIP network. If the running configuration contains "telephony-service" or "call-manager-fallback" (the SRST configuration command), the device is vulnerable. A workaround is to filter 2000/tcp (the SCCP port) so that only the IP phones controlled by the IOS device can reach it.
    (b) Cisco IOS devices configured to process IPv6 packets contain a flaw that can be triggered by specially crafted IPv6 packets and exploited to make the router reload. If the output of "show ipv6 interface" is non-empty, the device is vulnerable.
    (c) Multiprotocol Label Switching (MPLS) lets routers forward packets faster by switching on short labels derived from the IP header instead of performing a full routing lookup. Cisco IOS devices that support MPLS are vulnerable to a denial of service on interfaces that are not configured for MPLS: a specially crafted packet can disable the affected interface for minutes. The attack can only originate on the router's local network segment, which reduces the attack avenues. A workaround is to enable MPLS globally on the IOS device.
    Technical details showing how to construct packets that exploit these flaws have not been publicly posted.

  • Status: Cisco confirmed; patches are available for all three denial-of-service flaws.

  • Council Site Actions: Most of the reporting council sites have at least a few affected systems. One site has already patched their systems and one site does not plan to patch specifically for the Call Processing vulnerability. The remaining sites plan to patch in the near future during a regularly scheduled system update process. One site also commented they implemented a workaround but did not provide details.

  • (3) MODERATE: Juniper JunOS DoS Vulnerability
  • Affected:
    • All versions of JunOS built prior to January 7, 2005
  • Description: Juniper routers running JunOS contain a vulnerability that can be triggered by specially crafted packets. The flaw can be exploited by an unauthenticated remote attacker to severely disrupt a Juniper router's normal functioning. No technical details about the nature of packets that can trigger this flaw are publicly available. Note that according to Juniper, firewall rules cannot be employed to protect against this vulnerability; hence, patching is necessary.

  • Status: Juniper has released updates. Refer to Juniper Advisory PSN-2005-01-010 (available to registered users only).

  • Council Site Actions: Due to late breaking nature of this vulnerability, we were unable to solicit council site input for this item.

  • (4) MODERATE: ISC BIND DoS Vulnerabilities
  • Affected:
    • BIND version 9.3.0 with DNSSEC validation enabled
    • BIND versions 8.4.4 and 8.4.5
  • Description: ISC BIND, a very widely deployed DNS server, contains the following vulnerabilities. (a) Versions 8.4.4 and 8.4.5 contain a buffer overflow in the array used to track the nameservers and addresses already queried; an attacker can overflow the array with crafted DNS packet(s) and crash the nameserver (CAN-2005-0033, see 05.4.13 in Part II). (b) DNS Security Extensions (DNSSEC) provide origin authentication and integrity for DNS data. Version 9.3.0 with DNSSEC validation enabled (not the default; in 9.3 this typically means "dnssec-enable yes" together with trusted-keys in named.conf) contains a flaw in the "authvalidated" validator function that lets crafted DNS packets make the named daemon exit (CAN-2005-0034, see 05.4.12 in Part II). Although no proof-of-concept exploits have been posted, the technical details needed to write one are easy to recover by diffing the fixed source against the vulnerable source, so administrators running vulnerable BIND servers should patch these flaws on a priority basis.

  • Status: ISC has released patches for both the vulnerabilities.

  • Council Site Actions: Most of the council sites are not running BIND 8 or the vulnerable configuration of BIND 9 (DNSSEC validation enabled). Several sites are still investigating whether they are vulnerable.

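Item (4) above (and 05.4.12 and 05.4.13 in Part II) lists the affected BIND versions but not how to find them across an estate. The C program below is an added example, not code from this bulletin or from ISC: it builds the conventional version.bind CHAOS-class TXT query (RFC 1035 wire format), parses the TXT answer out of a reply while bounds-checking every offset (the reply is untrusted input), and triages the reported version against the versions named in item (4). The reply bytes are constructed for offline use; in practice the query is sent over UDP port 53 and the returned datagram is fed to the parser. Function, type and sample names are this example's own.

```c
/* Added example for item (4): fingerprint a BIND server's version.bind
 * string and triage it against the affected versions in this bulletin.
 * Not from the bulletin or ISC; names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bind_status { BIND_NOT_LISTED, BIND_AFFECTED, BIND_AFFECTED_IF_DNSSEC };

/* Build a DNS query for version.bind, class CH (3), type TXT (16).
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_version_query(uint8_t *out, size_t cap, uint16_t id)
{
    static const char *labels[] = { "version", "bind" };
    size_t n = 0;
    if (cap < 30) return 0;                 /* 12 header + 14 name + 4 */
    out[n++] = (uint8_t)(id >> 8); out[n++] = (uint8_t)id;
    out[n++] = 0x00; out[n++] = 0x00;       /* flags: standard query */
    out[n++] = 0x00; out[n++] = 0x01;       /* QDCOUNT = 1 */
    memset(out + n, 0, 6); n += 6;          /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    for (int i = 0; i < 2; i++) {
        size_t len = strlen(labels[i]);
        out[n++] = (uint8_t)len;
        memcpy(out + n, labels[i], len);
        n += len;
    }
    out[n++] = 0;                           /* root label ends the name */
    out[n++] = 0x00; out[n++] = 0x10;       /* QTYPE  = TXT */
    out[n++] = 0x00; out[n++] = 0x03;       /* QCLASS = CH  */
    return n;
}

/* Advance past a possibly compressed name; returns 0 on malformed input. */
static size_t skip_name(const uint8_t *p, size_t len, size_t pos)
{
    while (pos < len) {
        uint8_t l = p[pos];
        if (l == 0) return pos + 1;
        if ((l & 0xc0) == 0xc0) return (pos + 2 <= len) ? pos + 2 : 0;
        if (l > 63) return 0;
        pos += 1 + l;
    }
    return 0;
}

/* Copy the first TXT string of the first answer into out (NUL-terminated).
 * Every offset is checked against len because the reply is untrusted. */
int parse_version_reply(const uint8_t *p, size_t len, char *out, size_t outcap)
{
    if (len < 12 || !(p[2] & 0x80) || (p[3] & 0x0f) != 0) return 0; /* QR set, RCODE 0 */
    uint16_t qd = (uint16_t)((p[4] << 8) | p[5]);
    uint16_t an = (uint16_t)((p[6] << 8) | p[7]);
    if (an == 0) return 0;
    size_t pos = 12;
    for (uint16_t i = 0; i < qd; i++) {       /* skip the echoed question */
        pos = skip_name(p, len, pos);
        if (pos == 0 || pos + 4 > len) return 0;
        pos += 4;
    }
    pos = skip_name(p, len, pos);             /* answer owner name */
    if (pos == 0 || pos + 10 > len) return 0;
    uint16_t type  = (uint16_t)((p[pos] << 8) | p[pos + 1]);
    uint16_t cls   = (uint16_t)((p[pos + 2] << 8) | p[pos + 3]);
    uint16_t rdlen = (uint16_t)((p[pos + 8] << 8) | p[pos + 9]);
    pos += 10;
    if (type != 16 || cls != 3 || rdlen < 1 || pos + rdlen > len) return 0;
    uint8_t slen = p[pos];                    /* TXT rdata: <length><chars> */
    if ((size_t)slen + 1 > rdlen || (size_t)slen + 1 > outcap) return 0;
    memcpy(out, p + pos + 1, slen);
    out[slen] = '\0';
    return 1;
}

/* Triage against the versions named in item (4). */
enum bind_status classify_bind(const char *v)
{
    if (strcmp(v, "8.4.4") == 0 || strcmp(v, "8.4.5") == 0) return BIND_AFFECTED;
    if (strcmp(v, "9.3.0") == 0) return BIND_AFFECTED_IF_DNSSEC;
    return BIND_NOT_LISTED;
}

/* Constructed reply (not a real capture): answers "9.3.0", with the
 * answer's owner name given as a compression pointer (0xc00c) back to
 * the question name at offset 12. */
const uint8_t sample_reply[] = {
    0x12, 0x34, 0x84, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'v', 'e', 'r', 's', 'i', 'o', 'n', 4, 'b', 'i', 'n', 'd', 0,
    0x00, 0x10, 0x00, 0x03,
    0xc0, 0x0c, 0x00, 0x10, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06,
    5, '9', '.', '3', '.', '0'
};
const size_t sample_reply_len = sizeof sample_reply;

int main(void)
{
    uint8_t q[64];
    char v[64];
    size_t qlen = build_version_query(q, sizeof q, 0x1234);
    printf("query: %zu bytes; send to UDP/53 of the server under review\n", qlen);
    if (parse_version_reply(sample_reply, sample_reply_len, v, sizeof v))
        printf("version.bind = %s -> status %d\n", v, (int)classify_bind(v));
    return 0;
}
```

A 9.3.0 answer is only "affected" when validation is enabled, which the query cannot tell you; check named.conf for that. Many operators override the reported string with the version option in named.conf, so BIND_NOT_LISTED means only that the string did not match, not that the server is safe.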
  • (5) UPDATE: Microsoft Windows HTML Help Cross Domain Vulnerability
  • Description: It is reported that the MS05-001 patch for the HTML Help Cross Domain vulnerability (rated "HIGH" when first covered) does not offer complete protection for Windows XP SP1 and Windows 2000 SP4; the flaw can still be exploited on these systems even with MS05-001 applied. The researchers have not publicly posted technical details or proof-of-concept code yet. A workaround is to set the kill bit for the HTML Help ActiveX control, CLSID {41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}, i.e. create the DWORD value "Compatibility Flags" = 0x00000400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}; note that this also blocks legitimate HTML Help content that loads the control from Internet Explorer. Another option is upgrading XP systems to XP SP2.

  • Council Site Actions: All council sites are still waiting for a patch from Microsoft. Several sites commented they do not plan to implement the workaround. One site is investigating the impact if they do implement the workaround.

Other Software
  • (6) HIGH: GNU OpenH323 Gatekeeper Buffer Overflow
  • Affected: OpenH323 gatekeeper version 2.2.0 and prior
  • Description: A gatekeeper in an H.323 VoIP (voice-over-IP) network controls the clients and performs functions such as symbolic-name-to-IP translation, call authorization and call control signalling. OpenH323 Gatekeeper, built on the OpenH323 code, is used worldwide (e.g. in Singapore, Germany and Indonesia) by commercial organizations. It contains a buffer overflow in socket handling (a descriptor passed to FD_SET() without a bounds check; see 05.4.16 in Part II) that may be exploited to cause a denial of service and possibly to execute arbitrary code in certain configurations. The technical details of the flaw have been publicly posted. Taking control of the gatekeeper, or simply crashing it, can disrupt an entire VoIP network.

  • Status: Vendor confirmed, upgrade to version 2.2.1. An alternative is to block port 1720/tcp at the network perimeter.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • (7) MODERATE: Ethereal X11 Parsing Buffer Overflow
  • Affected: Ethereal versions 0.8.10 through 0.10.8
  • Description: Ethereal is a very popular open source network sniffer and protocol analyzer for UNIX and Windows. It contains a buffer overflow in its X11 (X Window System) protocol dissector that can be exploited to execute arbitrary code with the privileges of the ethereal process, typically root when Ethereal is used for live capture. To exploit the flaw, an attacker has to either inject malicious packets into traffic being sniffed by Ethereal or entice a user to open a specially crafted packet capture file. The technical details can be obtained by comparing the fixed and vulnerable versions of the Ethereal code. Any network application that reuses Ethereal's protocol decoder modules may also be affected. Where patching is delayed, capture with a minimal privileged tool (for example tcpdump writing to a file) and open the capture in Ethereal as an unprivileged user, so that a dissector bug does not yield root.

  • Status: Vendor confirmed, upgrade to version 0.10.9. This version also fixes other denial-of-service or memory corruption vulnerabilities in parsing COPS, DLSw, Gnutella, DNP and MMSE protocols.

  • Council Site Actions: Only five of the reporting council sites are responding to this issue. All of these sites said they have either a very limited install base or the software is unsupported. Several sites plan to notify the affected users and recommend a timeframe for them to update. One site has already patched their affected systems. The final site does plan to patch in the future but has not established a concrete time scale.

  • (8) MODERATE: Tikiwiki Remote Command Execution
  • Affected:
    • Tikiwiki all versions
  • Description: Tikiwiki, a content management system, contains a remote PHP code execution vulnerability. An authenticated attacker can upload arbitrary PHP files into the "$tikiroot/temp" folder and then request them through the web server, executing arbitrary code on the PHP server. The flaw has been exploited to take control of at least one web server.

  • Status: Vendor confirmed, patches available. A workaround is to configure the web server so that PHP files in the "temp" folder are never executed.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 4, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4036 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.4.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Golden FTP Server Remote Buffer Overflow
  • Description: Golden FTP Server is vulnerable to a remote buffer overflow issue due to a boundary error condition when handling the "RNTO" FTP command. Golden FTP Server versions 2.05b and earlier are vulnerable.
  • Ref: http://lists.netsys.com/pipermail/full-disclosure/2005-January/031098.html

  • 05.4.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DivX Player Skin File Directory Traversal
  • Description: DivX Player is a multimedia player for DivX-encoded video. It is reported to be vulnerable to a directory traversal issue that presents itself when ".dps" skin archive files are processed. An attacker may be able to have a file from the archive written to an arbitrary directory.
  • Ref: http://aluigi.altervista.org/adv/divxplayer-adv.txt

  • 05.4.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: KaZaA Multiple Remote Input Validation Vulnerabilities
  • Description: The KaZaA file sharing application is reported to be vulnerable to multiple remote input validation issues. These can lead to a denial of service condition and the creation of files in arbitrary locations on the vulnerable system. All current versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/387560

  • 05.4.4 - CVE: CAN-2005-0071
  • Platform: Linux
  • Title: vdr Daemon Unspecified Remote File Access Vulnerability
  • Description: The vdr daemon is a utility that facilitates video disk recording and digital video broadcasting. It is vulnerable to a remote file access issue which may be leveraged by an attacker to overwrite arbitrary files on an affected computer. Debian has released version 1.0.0-1woody2 which resolves this issue.
  • Ref: http://www.debian.org/security/2005/dsa-656

  • 05.4.5 - CVE: Not Available
  • Platform: Linux
  • Title: Konversation IRC Client Multiple Remote Vulnerabilities
  • Description: Konversation is an IRC client. Insufficient sanitization of user-supplied input and design flaws expose the application to command execution, escape character injection and information disclosure issues. Konversation IRC Client version 0.15.1 was released to fix these issues.
  • Ref: http://www.securityfocus.com/advisories/7889

  • 05.4.6 - CVE: CAN-2005-0104, CAN-2005-0103, CAN-2005-0075
  • Platform: Unix
  • Title: SquirrelMail Multiple Remote Input Validation Vulnerabilities
  • Description: SquirrelMail is a web mail application. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting and file include attacks. SquirrelMail version 1.4.4 has been released to address these issues.
  • Ref: http://secunia.com/advisories/13962/

  • 05.4.7 - CVE: CAN-2005-0096
  • Platform: Unix
  • Title: Squid Proxy Remote Denial of Service
  • Description: Squid proxy is reported to be vulnerable to an unspecified denial of service condition in its NTLM authentication module. Failure of NTLM authentications could result in the Squid application denying access to legitimate users of the proxy. Squid proxy version 2.5 is reported to be vulnerable.
  • Ref: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth

  • 05.4.8 - CVE: Not Available
  • Platform: Unix
  • Title: fkey Remote Arbitrary File Disclosure
  • Description: fkey is a daemon that allows remote access to text files. It is vulnerable to a remote arbitrary file disclosure issue that can allow an attacker to disclose local files on a computer. fkey versions 0.0.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/387792

  • 05.4.9 - CVE: Not Available
  • Platform: Novell
  • Title: Multiple Applications fd_set Structure Bitmap Array Buffer Overflow
  • Description: Multiple applications are vulnerable to a buffer overflow because neither the FD_SET()/FD_ISSET() macros nor select() check that a descriptor number is below FD_SETSIZE, and the applications do not check it either; fd_set is a fixed-size bitmap, so a larger descriptor indexes past the end of the array.
  • Ref: http://www.security.nnov.ru/advisories/sockets.asp

  • 05.4.10 - CVE: Not Available
  • Platform: Novell
  • Title: Novell GroupWise WebAccess Cross-Site Scripting
  • Description: Novell GroupWise WebAccess is reported to be vulnerable to multiple cross-site scripting issues due to insufficient user-input sanitization. This can be leveraged towards theft of cookie-based authentication credentials from legitimate clients. All current versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12310/

  • 05.4.11 - CVE: Not Available
  • Platform: Novell
  • Title: Novell GroupWise WebAccess Remote Authentication Bypass
  • Description: A remote authentication bypass vulnerability affects Novell GroupWise WebAccess. This issue is due to a failure of the application to properly handle access validation functionality. All current versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7881

  • 05.4.12 - CVE: CAN-2005-0034
  • Platform: Cross Platform
  • Title: BIND Validator Self Checking Remote Denial of Service
  • Description: ISC BIND is a domain name server. Due to a logic error in the "authvalidated()" function, the daemon terminates under certain conditions when DNSSEC validation is enabled. BIND version 9.3.0 is affected.
  • Ref: http://www.isc.org/index.pl?/sw/bind/bind-security.php

  • 05.4.13 - CVE: CAN-2005-0033
  • Platform: Cross Platform
  • Title: BIND DNS Remote Buffer Overflow
  • Description: ISC BIND is a domain name server. It is vulnerable to a remote buffer overflow issue due to failure of the application to validate the length of user-supplied input prior to copying it into static process buffers. ISC BIND versions 8.4.4 and 8.4.5 are vulnerable.
  • Ref: http://www.isc.org/index.pl?/sw/bind/

  • 05.4.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Bribble Remote Authentication Bypass
  • Description: Bribble is an Internet chat application. It is vulnerable to an authentication bypass issue in the authentication script. Bribble version 1.5.35 has been released to fix this issue.
  • Ref: http://secunia.com/advisories/13976/


  • 05.4.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenH323 Gatekeeper Multiple Sockets Buffer Overflow
  • Description: OpenH323 Gatekeeper is an open-source project that implements an H.323 Gatekeeper. The application is vulnerable due to a missing boundary check when doing "FD_SET()" operations. OpenH323 Gatekeeper versions 2.2.0 and prior are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/13936/
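Item (6) in Part I, 05.4.9 and this entry describe one bug class: fd_set is a fixed bitmap of FD_SETSIZE bits (1024 on glibc), and FD_SET() on a descriptor number at or above that limit writes outside it, which is how a daemon that accepts many connections corrupts its own memory. The C example below is added here and is not code from OpenH323 Gatekeeper or the cited advisories: it shows the unchecked pattern beside a bounds-checked one, and a belt-and-braces mitigation that lowers the soft RLIMIT_NOFILE so the kernel never hands the process a descriptor that select() cannot track. The descriptor numbers are constructed inputs (nothing is actually opened), and all names are this example's own.

```c
/* Added example for items (6), 05.4.9 and 05.4.16: the fd_set bitmap
 * overflow class, with the unchecked pattern, a bounds-checked one and a
 * descriptor-limit mitigation. Not from OpenH323 Gatekeeper or the cited
 * advisories; names are this example's own. */
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>

struct watch_set {
    fd_set readfds;      /* FD_SETSIZE bits, fixed at compile time */
    int maxfd;           /* select()'s first argument is maxfd + 1 */
    unsigned rejected;   /* descriptors the hardened path refused */
};

void watch_init(struct watch_set *w)
{
    FD_ZERO(&w->readfds);
    w->maxfd = -1;
    w->rejected = 0;
}

/* The vulnerable pattern: FD_SET() on fd >= FD_SETSIZE sets a bit past the
 * end of readfds, corrupting maxfd and whatever follows it in memory. Kept
 * only as the "before" for comparison; never call it with an unchecked fd. */
void watch_add_unchecked(struct watch_set *w, int fd)
{
    FD_SET(fd, &w->readfds);
    if (fd > w->maxfd) w->maxfd = fd;
}

/* The hardened pattern: refuse anything the bitmap cannot represent.
 * Returns 1 if the descriptor was added, 0 if it was rejected. */
int watch_add(struct watch_set *w, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        w->rejected++;               /* a real daemon would close(fd) and log */
        return 0;
    }
    FD_SET(fd, &w->readfds);
    if (fd > w->maxfd) w->maxfd = fd;
    return 1;
}

/* Register a batch of descriptors (constructed numbers here; accept()
 * results in a daemon). Returns how many were accepted. */
int watch_add_all(struct watch_set *w, const int *fds, size_t n)
{
    int added = 0;
    for (size_t i = 0; i < n; i++)
        added += watch_add(w, fds[i]);
    return added;
}

/* Defence in depth for any select()-based daemon: cap the soft open-file
 * limit at FD_SETSIZE (or at the hard limit, if that is lower) so the kernel
 * never returns a descriptor number the bitmap cannot hold. 0 on success. */
int cap_descriptors_to_fdsetsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rlim_t cap = FD_SETSIZE;
    if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < cap) cap = rl.rlim_max;
    if (rl.rlim_cur > cap) rl.rlim_cur = cap;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

int main(void)
{
    struct watch_set w;
    int fds[] = { 3, 4, FD_SETSIZE - 1, FD_SETSIZE, 5000, -1 };
    watch_init(&w);
    int ok = watch_add_all(&w, fds, sizeof fds / sizeof fds[0]);
    printf("added %d, rejected %u, maxfd %d (FD_SETSIZE %d)\n",
           ok, w.rejected, w.maxfd, (int)FD_SETSIZE);
    printf("rlimit cap: %s\n", cap_descriptors_to_fdsetsize() == 0 ? "ok" : "failed");
    return 0;
}
```

The rejected descriptors still have to be closed by the caller, or the daemon leaks them and eventually exhausts its table. For new code, poll(2) (or a platform event interface such as epoll or kqueue) avoids the fixed bitmap altogether; the descriptor-limit cap is for code that must keep using select().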

  • 05.4.17 - CVE: CAN-2004-1186, CAN-2004-1185, CAN-2004-1184
  • Platform: Cross Platform
  • Title: GNU Enscript Multiple Vulnerabilities
  • Description: GNU Enscript is a program for transforming ASCII files into PostScript documents. Insufficient sanitization and boundary condition checks expose the application to arbitrary command execution and buffer overflow conditions. GNU Enscript versions 1.6.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/12329/info/

  • 05.4.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Netscape Navigator Infinite Array Sort Denial of Service
  • Description: Netscape Navigator is vulnerable to an issue that may result in a browser crash. This issue is exposed when the browser performs an infinite JavaScript array sort operation and may be exploited to cause a denial of service. Netscape Navigator version 7.2 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/12331/credit/

  • 05.4.19 - CVE: CAN-2005-0006, CAN-2005-0007, CAN-2005-0008,CAN-2005-0009, CAN-2005-0010, CAN-2005-0084
  • Platform: Cross Platform
  • Title: Multiple Ethereal Dissector Vulnerabilities
  • Description: Ethereal is vulnerable to multiple security issues, in some of its dissectors, such as denial of service, remote code execution or memory corruption. Ethereal version 0.10.9 has been released to fix these issues.
  • Ref: http://www.ethereal.com/news/item_20050120_01.html

  • 05.4.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AntiGen Antivirus Multiple Vulnerabilities
  • Description: Sybari AntiGen is antivirus software for Lotus Domino. Errors in the handling of attachments with a MIME body, in processing a corrupted MIME message, and in scanning password-protected RAR files can be exploited to cause multiple denial of service conditions or to bypass virus detection. Sybari AntiGen versions 7.5 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12323

  • 05.4.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SUN Java Plug-in Multiple Applet Vulnerabilities
  • Description: SUN Java Plug-in is affected by two vulnerabilities that could allow an untrusted Java applet to escalate its privileges or interfere with another applet. SUN has released a new version to fix these issues.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1

  • 05.4.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealOne Player and RealPlayer Multiple Vulnerabilities
  • Description: RealNetworks RealPlayer and RealOne Player are media players. Multiple vulnerabilities are caused by boundary errors when parsing ".RP", ".RT", ".RAM" and ".SMIL" files, and by an input validation error in the handling of ".SMIL" and ".RMP" files. RealNetworks RealOne Enterprise Desktop, RealOne Player versions v1 and v2, and RealPlayer versions 8 and 10.x are reported to be vulnerable.
  • Ref: http://www.service.real.com/help/faq/security/040928_player/EN/

  • 05.4.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealOne Player and RealPlayer ShowPreferences Buffer Overflow
  • Description: RealNetworks RealPlayer and RealOne Player are media player applications. They are vulnerable to a buffer overflow issue which may be exploited by a remote attacker to execute arbitrary code. Most RealPlayer versions before 10.5 (build 6.0.12.1053) are vulnerable.
  • Ref: http://www.service.real.com/help/faq/security/040928_player/EN/

  • 05.4.24 - CVE: CAN-2005-0081
  • Platform: Cross Platform
  • Title: MySQL MaxDB WebAgent Remote Denial of Service
  • Description: MaxDB is a re-branded version of SAP DB. MaxDB WebAgent is reported to be vulnerable to multiple denial of service issues due to a failure in handling malformed data. MaxDB versions earlier than 7.5.0.21 are reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=187&type=vulnerabilities

  • 05.4.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Database Multiple Vulnerabilities
  • Description: Oracle Database 10g, Oracle9i Database Server, Oracle8i Database Server, Oracle8 Database, Oracle Collaboration Suite, Oracle Application Server, and Oracle E-Business Suite are reported prone to multiple vulnerabilities. Oracle has released a Critical Patch Update to address these issues.
  • Ref: http://www.integrigy.com/alerts/OraCPU0105.htm

  • 05.4.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Minis Remote Directory Traversal
  • Description: Minis is a web-based blogging application. Minis is affected by a remote directory traversal vulnerability. Minis versions 0.2.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12279

  • 05.4.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Comersus Cart Multiple Vulnerabilities
  • Description: Comersus Cart is a web-based shopping cart application. Comersus Cart is vulnerable to multiple security issues such as unauthorized administrator access, SQL injection and cross-site scripting. Comersus Cart versions 6.0.2 and earlier are known to be vulnerable.
  • Ref: http://www.comersus.org/forum/displayMessage.asp?mid=32753

  • 05.4.28 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPEventCalendar Remote HTML Injection
  • Description: phpEventCalendar is a web-based calendar application. It is reported to be vulnerable to a remote HTML injection issue due to insufficient sanitization of user-supplied input. phpEventCalendar versions earlier than 0.2.1 are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14000/

  • 05.4.29 - CVE: Not Available
  • Platform: Web Application
  • Title: Exponent CMS Multiple Cross-Site Scripting Vulnerabilities
  • Description: Exponent is a web-based content management system. It is reported to be vulnerable to multiple cross-site scripting issues due to improper sanitization of user-supplied input to the "module" parameter of the "index.php" and "mod.php" scripts. Exponent version 0.95 is known to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2005-01/0261.html

  • 05.4.30 - CVE: Not Available
  • Platform: Web Application
  • Title: TikiWiki Multiple Remote Code Execution Vulnerabilities
  • Description: The TikiWiki content management system is reported to be vulnerable to remote PHP script code execution issues. Due to insufficient sanitization of user-supplied input, attackers can upload arbitrary PHP scripts on the target, which can then be executed via web requests. All current versions are reported to be vulnerable.
  • Ref: http://tikiwiki.org/art102

  • 05.4.31 - CVE: CAN-2005-0015
  • Platform: Web Application
  • Title: Diatheke Script Arbitrary Command Execution
  • Description: Diatheke is a CGI application used as a front-end to SWORD's Bible software library. Insufficient sanitization of user-supplied input exposes the script to arbitrary command execution issues. Diatheke SWORD version 1.5.3 is affected.
  • Ref: http://www.securityfocus.com/bid/12320

  • 05.4.32 - CVE: Not Available
  • Platform: Web Application
  • Title: GForge Multiple Information Disclosure Vulnerabilities
  • Description: GForge is an application that among other things allows users to browse CVS repositories via the web. It is reported to be vulnerable to multiple web related security issues that allow disclosure of sensitive information. These issues are due to insufficiently sanitized user-supplied input to its web scripts. GForge versions 3.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/387850

  • 05.4.33 - CVE: Not Available
  • Platform: Web Application
  • Title: JSBoard Local File Include File Disclosure
  • Description: JSBoard is a web-based bulletin board system. Due to insufficient sanitization of user-supplied input, the application allows remote attackers to view the contents of arbitrary files readable by the web server. JSBoard versions 2.0.9 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/387852

  • 05.4.34 - CVE: Not Available
  • Platform: Web Application
  • Title: ExBB Remote Script Injection
  • Description: ExBB is a web-based bulletin board application. ExBB is vulnerable to a script injection issue due to insufficient sanitization of user-supplied data. ExBB version 1.9.1 is known to be vulnerable.
  • Ref: http://secunia.com/advisories/13877/

  • 05.4.35 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki Multiple PHP Code Execution Vulnerabilities
  • Description: MediaWiki is the wiki software that runs Wikipedia. The application is reported to be vulnerable to multiple remote PHP code execution issues because user-supplied data passed in the "wgLanguageCode" or "mUserLanguage" parameter is not sanitized by the "setup.php" or "SpecialPreferences.php" script. MediaWiki versions 1.4 beta 4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/12305/info/

  • 05.4.36 - CVE: Not Available
  • Platform: Web Application
  • Title: CMSimple Multiple Remote Input Validation Vulnerabilities
  • Description: CMSimple is a web-based content management system. It is vulnerable to multiple input validation issues due to a failure of the application to sanitize user-supplied input. CMSimple versions 2.4 Beta 5 and earlier are vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2005/Jan/1012926.html

  • 05.4.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Siteman User Database Privilege Escalation Vulnerability
  • Description: Siteman is a web-based content management system implemented in PHP. It is reported to be vulnerable to a privilege escalation issue, due to improper sanitization of user-supplied data. Siteman versions 1.1.9 and 1.1.10 are known to be vulnerable.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2005-01/0239.html

  • 05.4.38 - CVE: Not Available
  • Platform: Web Application
  • Title: ITA Forum Multiple SQL Injection Vulnerabilities
  • Description: ITA Forum is a web forum application. Insufficient sanitization of user-supplied input exposes the application to various SQL injection issues. ITA Forum version 1.49 is affected.
  • Ref: http://www.rst.void.ru/papers/advisory21.txt

  • 05.4.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Multiple Remote Vulnerabilities
  • Description: Gallery is a web application designed to allow users to manage images on their web site. Insufficient sanitization of user-supplied input exposes the application to various cross-site scripting and information disclosure issues. Gallery versions 2.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/12279



  • 05.4.42 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS Multi Protocol Label Switching Remote Denial of Service
  • Description: Cisco Routers running the Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a denial of service on MPLS disabled interfaces. A system that supports MPLS is vulnerable even if that system is not configured for MPLS.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a00803be77c.shtml

  • 05.4.43 - CVE: Not Available
  • Platform: Network Device
  • Title: Xerox WorkCenter Pro ESS/ Network Controller Directory Traversal
  • Description: Xerox WorkCenter Pro is reported to be vulnerable to a directory traversal condition. Malicious PostScript files can gain access to sensitive files on the affected system. WorkCenter Pro 32/40 Color versions 01.00.060 through 01.02.083 are reported to be vulnerable.
  • Ref: http://www.xerox.com/downloads/usa/en/c/CERT_Xerox_Security_XRX05_001.pdf

  • 05.4.44 - CVE: Not Available
  • Platform: Network Device
  • Title: 3Com OfficeConnect 11g Access Point Information Disclosure
  • Description: 3Com OfficeConnect Wireless 11g Access Point 3CRWE454G72 is reported to be vulnerable to an information disclosure issue. The issue presents itself when hidden web pages are accessed through the web management interface. 3CRWE454G72 firmware versions earlier than 1.03.07A are reported to be vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=188&type=vulnerabilities

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.