
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 41
October 14, 2005

This was such a huge week for critical new vulnerabilities (thanks mainly to Microsoft) that it took an extra day to gather all the data on what to do about the vulnerabilities.

And these are not new types of vulnerabilities. Here's an example from number 6 (MS05-048): "This issue is due to a failure of the library to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer."

The security community has an enormous responsibility to help persuade the application development community to learn to write safer code. Most of them really want to know how to write secure code but have never had the opportunity to learn how to do that. If you haven't let your application developers know about the Writing Secure Web Applications course for Developers, please do. The course outline is posted at http://www.sans.org/webapp_baltimore

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                   # of Updates & Vulnerabilities
    Windows                    11 (#1 to #8)
    Other Microsoft Products   1
    Third Party Windows Apps   4
    Linux                      4 (#9, #10, #14)
    Unix                       2
    Novell                     1
    Cross Platform             19 (#12)
    Web Application            16 (#11, #13)


Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Novell
Cross Platform
Web Application

PART I Critical Vulnerabilities

Part I is compiled by Dinesh Sequeira at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: DirectShow Buffer Overflow (MS05-050)
  • Affected: Microsoft DirectX 7.0, 8.1 and 9.0 on various Windows Operating Systems
  • Description: Microsoft DirectShow is an architecture for streaming media on the Microsoft Windows platform and provides for capture and playback of multimedia streams. It supports a wide variety of formats, including MPEG, AVI, MP3 and WAV. DirectShow is integrated with DirectX technologies. A buffer overflow vulnerability exists in the Microsoft Windows DirectX component when processing AVI (Audio Video Interleave) media files. An AVI file contains multiple streams of different types of data, such as audio and video streams. Due to a lack of validation, a malformed stream name chunk ('strn') with a specifically chosen length field causes memory corruption. This could be exposed through any application that employs DirectShow to process AVI files. Successful exploitation will permit execution of arbitrary code in the context of the user who opens the malicious AVI file.

  • Status: Vendor has released patches.

  • Council Site Actions: All reporting council sites are responding to this item; however, their patch deployment schedules vary. Some sites have already started to update their systems or will in the next 24 hours. Other sites are still in the Q&A phase and will deploy on an expedited schedule as soon as testing is complete.

  • References:
  • (2) CRITICAL: Vulnerabilities in MSDTC and COM+ (MS05-051)
  • Affected: Windows 2000 SP4, XP SP1 and SP2, XP Professional x64 and Server 2003
  • Description: The Microsoft Distributed Transaction Coordinator (MSDTC) provides a method for disparate processes to complete atomic transactions. The Transaction Internet Protocol (TIP) is a two-phase commit protocol that enables heterogeneous Transaction Managers to agree on the outcome of a distributed transaction. TIP is one of the ways the MSDTC service can be accessed. The MSDTC service is part of a standard installation on all Windows platforms. This Microsoft bulletin covers four vulnerabilities: (a) MSDTC Vulnerability: The MSDTC service exposes an RPC interface. It suffers from a buffer overflow vulnerability that can be exploited to cause remote code execution. The MIDL_user_allocate function always allocates a page of memory, but an input string larger than that size causes a buffer overflow. MSDTC listens on port tcp/3372 and a high dynamic port and is enabled by default on Windows 2000. This issue has the potential to turn into a worm on Windows 2000 systems. It has been reported that a proof of concept is available for this issue. (b) COM+ Vulnerability: COM+ is the next step after COM and MTS (Microsoft Transaction Server) and handles resource management tasks such as thread allocation and security. A vulnerability exists in the process used to create and use memory structures. On Windows 2000 an anonymous attacker could try to exploit this vulnerability. (c) MSDTC TIP DoS Vulnerability: A DoS exists because of a flaw in processing responses from foreign servers. A certain command sequence can be sent to the DTC service that causes the DTC service to throw an exception and crash, resulting in a DoS. (d) MSDTC Packet Relay DoS Vulnerability: A DDoS vulnerability exists because the TIP protocol accepts a remote IP address and port number for a connection. The attack can be performed by connecting to the MSDTC server and providing an identifier that contains the IP address and port number to flood. The attacker can force an error after a specific sequence of commands and cause the MSDTC service to connect to the target IP and port. The MSDTC service will continue to make connections to that host and port and stall, resulting in a DDoS.

  • Status: Patches are available. As a workaround, you can block port tcp/3372 at the perimeter.

  • Council Site Actions: All reporting council sites are responding to this item; however, their patch deployment schedules vary. Some sites have already started to update their systems or will begin in the next 24 hours. Other sites are still in the Q&A phase and will deploy on an expedited schedule as soon as testing is complete. One council site said they were contacted by their MS sales account manager to be sure they knew about the problem.

  • References: Microsoft Security Advisory
  • (3) CRITICAL: COM Object Instantiation in Internet Explorer (MS05-052)
  • Affected: Windows 2000 SP4, XP SP1 and SP2, XP Professional x64 and Server 2003.
  • Description: Internet Explorer contains a heap-based overflow when certain DLLs are instantiated as ActiveX controls. This update sets the "kill bit" for 40 similar ActiveX controls associated with DLLs. This update also includes a kill bit for the ADODB.Stream object. Multiple exploits targeting the "ADODBStream" and msdds.dll have been publicly posted.

  • Status: Vendor has released patches. As a workaround, "kill bit" can be set in the registry.

  • Council Site Actions: All reporting council sites are responding to this item; however, their patch deployment schedules vary. Some sites have already started to update their systems or will in the next 24 hours. Other sites are still in the Q&A phase and will deploy on an expedited schedule as soon as testing is complete. One site commented that much Q&A is needed before the development teams will accept a new version of IE. This site plans to implement filters for ActiveX controls.

  • References:
  • (4) HIGH: Windows Plug and Play Buffer Overflow (MS05-047)
  • Affected: Windows 2000 SP4 and XP SP1 and SP2
  • Description: Windows Plug and Play service is designed to provide device management and notification. This service is started by default on all Windows 2000/XP/2003 systems, and is reachable remotely via "ntsvcs" named pipe on ports 139/tcp or 445/tcp. This service contains a stack-based buffer overflow that can be triggered by malformed RPC messages to certain functions, resulting in arbitrary code execution with "SYSTEM" privileges. Windows 2000 systems are critically affected as any anonymous user can connect remotely to this service and trigger the overflow. Windows XP and 2003 systems require user authentication before the overflow can be leveraged.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-047. A workaround is to block ports 139/tcp and 445/tcp at the network perimeter. Note that the Zotob worm exploited a similar vulnerability in the PnP service in August 2005. Systems that are patched with MS05-039 cannot be exploited remotely by anonymous users.

  • Council Site Actions: All council sites are responding to this item and plan to deploy the patch during their next regularly scheduled system update process. A few sites have already pushed this patch. A few sites have already installed the Zotob patch on their systems as protection against the exploit.

  • References:
  • (5) HIGH: Windows Shell Vulnerability (MS05-049)
  • Affected: Windows 2000 SP4, XP SP1 and SP2, XP Professional x64 and Server 2003
  • Description: This bulletin covers three vulnerabilities. Two of them are in .lnk files and the third in Web View. (a & b) Windows Shell is prone to a remote code execution vulnerability when handling a malicious shortcut (.lnk) file. An .lnk file points to another file providing a "shortcut" to that program. These files contain properties that are passed on to the target program. The vulnerability is due to the way Windows handles certain properties associated with .lnk files. An attacker can exploit this issue by crafting a malicious .lnk file and placing it on a Web site or sending it to a user through email followed by enticing them to open or preview the file. (c) The third vulnerability is an "Web View script injection vulnerability". WebView gives the user the look-and-feel of a web-browser when viewing file and folder information. A vulnerability exists in the process used by Windows Explorer to validate HTML characters in certain document fields when in WebView.

  • Status: Vendor Patches are available

  • Council Site Actions: All council sites are responding to this item and plan to deploy the patch during their next regularly scheduled system update process. A few sites have already pushed this patch.

  • References:
  • (6) MODERATE: Windows Collaboration Data Objects Buffer Overflow (MS05-048)
  • Affected: Windows 2000 SP4, XP SP1 and SP2, XP Professional x64 and Server 2003
  • Description: Microsoft CDO is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the library to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer. This issue presents itself when an attacker sends a specifically crafted email message to an email server utilizing the affected library. This issue allows remote attackers to execute arbitrary machine code in the context of the application utilizing the library.

  • Status: Vendor patches are available.

  • Council Site Actions: All council sites are responding to this item and plan to deploy the patch during their next regularly scheduled system update process. A few sites have already pushed this patch.

  • References:
  • (7) MODERATE: Client Service for Netware Buffer Overflow (MS05-046)
  • Affected: Windows 2000 SP4, XP SP1 and SP2 and Server 2003 and Server 2003 SP1.
  • Description: Client Services for Netware (CSNW) or Gateway Service for Netware provides a Windows workstation with basic file, printer and directory services to Netware. There is a buffer overflow on the RPC interface of certain functions. A remote attacker can exploit this vulnerability to execute arbitrary code and completely compromise the computer.

  • Status: Vendor patches are available; CSNW is not enabled by default. Apply the patch referenced in the Microsoft Security Bulletin MS05-039. A workaround is to block ports 139/tcp and 445/tcp at the network perimeter. Note that last year's Sasser worm exploited a similar vulnerability in the LSASS service.

  • Council Site Actions: All reporting council sites are responding to this item. Some are deploying the patches at the same time as the other MS update. Other sites will deploy this patch during their next regularly scheduled system update process. One site said they would be uninstalling from whatever systems this might still be hanging around on.

  • References:
  • (8) MODERATE: Windows FTP Client Directory Traversal Vulnerability (MS05-044)
  • Affected: Windows 2000 SP4, XP SP2, XP Professional x64 and Server 2003.
  • Description: Microsoft Windows FTP client is reportedly prone to a directory traversal vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input. A remote attacker may place files in an arbitrary location on a vulnerable computer.

  • Status: Vendor has released patches.

  • Council Site Actions: All reporting council sites are responding to this item; however, their patch deployment schedules vary. Some sites have already started to update their systems. Other sites are still in the Q&A phase and will deploy during their next regularly scheduled system update process.

  • References:
  • (9) MODERATE: Kaspersky Anti-Virus CHM File Parser Buffer Overflow
  • Affected: All products using the Kaspersky Anti-Virus Engine including
    • Kaspersky Anti-Virus On-Demand Scanner for Linux 5.0.5
    • Kaspersky Personal 5.0.227
    • F-Secure Anti-Virus for Linux 4.50
  • Description: Kaspersky Anti-Virus Engine is a virus scanning engine for Windows and Linux that is incorporated into vendors' mail gateways and host-based anti-virus products. Scanning a malformed CHM file causes a heap overflow due to a vulnerability in the CHM file parser within the KAV engine. On Linux platforms this disables anti-virus functionality and could lead to infected hosts and remote code execution. On Microsoft platforms, the anti-virus will fail to scan any files, allowing infected files to get through, but remote code execution is not possible.

  • Status: Vendor has released a patch.

  • Council Site Actions: Only one of the reporting council sites is using the affected software and only then on a small number of systems. They are not attempting to identify the affected systems, but will assist the system users in converting to their supported anti-virus software if they wish. Their users are also able to obtain the Kaspersky update and install it on their own.

  • References:
Other Software
  • (10) HIGH: SUN Directory Server Vulnerability
  • Affected: Sun Directory Server 5.2 (patch 3 and below)
  • Description: Peter Winter-Smith of NGSSoftware has discovered a high-risk vulnerability in Sun Directory Server. This flaw can permit an unauthenticated attacker to remotely compromise the Directory Server. Details will only be released by NGSSoftware after 3 months.

  • Status: Vendor has a patched version available.

  • Council Site Actions: Only one of the reporting council sites is responding to this item. They will address in an extended schedule due to the need for extensive Q&A.

  • References:
  • (11) HIGH: phpWebSite Search Module SQL Injection Vulnerability
  • Affected:
  • Description: phpWebSite is a web site content management system. It is prone to a SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. Proof of concept code and an exploit have been posted.

  • Status: Vendor patch is available. Port 13722/TCP can be blocked as a workaround.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (12) HIGH: Veritas NetBackup Java User-Interface Remote Format String Vulnerability
  • Affected: NetBackup 4.5, 5.0, 5.1 and 6.0, all versions and platforms.
  • Description: VERITAS NetBackup software allows organizations to rapidly recover data via a broad range of backup and snapshot technologies and to centrally manage all aspects of backup and recovery operations, providing consistent data protection policies across the enterprise. A remote format string vulnerability exists in the Java user-interface authentication service, bpjava-msvc, running on Veritas NetBackup servers and agents. The format string flaw is within the bpjava-msvc daemon's 'COMMAND_LOGON_TO_MSERVER' command. Remote attackers could compromise the server and execute arbitrary code by crafting a malformed request that contains format specifiers. No exploit or proof of concept is available.

  • Status: Patch is available from the vendor.

  • Council Site Actions: Two of the reporting council sites are using the affected software. One site plans to deploy the patch during their next regularly scheduled system update process. The second site is currently assessing whether they have the bpjava-msvc service enabled and accessible from un-trusted locations.

  • References:
  • (13) MODERATE: PHP-Fusion Multiple SQL Injection Vulnerabilities
  • Affected: PHP-Fusion version 6.00.105, 6.00.106, 6.00.107 and 6.00.109
  • Description: PHP-Fusion is a lightweight Content Management System (CMS) written in PHP. It is easily extensible via plug-ins (fusions) which makes it a flexible and versatile Web Application. Vulnerabilities exist due to improper sanitization of user supplied input to the "activate" and "cat_id" parameters in "register.php" and "faq.php" respectively. The software is vulnerable to a SQL Injection attack that may allow attackers to create, delete, insert and modify database records or execute system commands on behalf of the database user. Successful exploitation requires that "magic_quotes_gpc" is disabled.

  • Status: Patched in version 6.00.110

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (14) LOW: UW-IMAP Netmailbox Name Parsing Buffer Overflow
  • Affected: UW-IMAP version 2004f and below.
  • Description: The University of Washington's IMAP Server (UW-IMAP) is a popular free IMAP/POP service for Linux and UNIX systems and is distributed with various Linux distributions. A buffer overflow vulnerability exists due to improper bounds checking on user-supplied data while parsing IMAP mailbox names. Mailbox names are copied to memory when a '"' character is encountered, and copying continues until another '"' character is found. If only one '"' character is supplied, the function continues to copy bytes, overflowing the stack buffer. Networks that restrict IMAP access to authenticated users are at low risk, but IMAP servers used for free webmail systems could be compromised, resulting in remote code execution.

  • Status: Vendor patch is available.

  • Council Site Actions: Only one of the reporting council sites is using the affected software and then only on a limited number of Linux systems. Their systems will receive updates as packaged by the Linux vendor.

  • References:
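The quoted-name copy described in item 14, as an added example that is not UW-IMAP's code: the unbounded pattern the bulletin describes beside a bounded parser that rejects a line with no closing quote or a name larger than its buffer. The 64-byte buffer, the function names and the sample command arguments are assumptions made for this illustration.

```c
/* Added example (not UW-IMAP code): the unbounded quoted-name copy the
 * bulletin describes, beside a bounded parser.  Buffer size, names and
 * sample lines are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>

#define MAILBOX_MAX 64   /* assumed size of the destination buffer */

enum mbox_status {
    MBOX_OK = 0,
    MBOX_NO_QUOTE = -1,     /* input does not start with '"' */
    MBOX_UNTERMINATED = -2, /* opening quote but no closing quote */
    MBOX_TOO_LONG = -3      /* name would not fit in dst */
};

/* The pattern the bulletin describes, paraphrased (not UW-IMAP's source):
 * copy from after the opening '"' until the next '"'.  Nothing bounds the
 * writes to dst and nothing stops at end of input, so a line with a single
 * '"' keeps copying past the end of dst.  Kept for contrast; never called. */
void copy_quoted_unbounded(const char *in, char *dst)
{
    in++;                        /* skip the opening '"' */
    while (*in != '"')
        *dst++ = *in++;          /* no length check, no end-of-input check */
    *dst = '\0';
}

/* Hardened version: every write is checked against dst_size, the loop
 * cannot run past in_len, and a missing closing quote is reported rather
 * than searched for in whatever memory follows the input.  On success the
 * name is NUL-terminated in dst and *consumed (if non-NULL) holds the bytes
 * used, both quotes included.  On failure dst is an empty string. */
int parse_quoted_mailbox(const char *in, size_t in_len,
                         char *dst, size_t dst_size, size_t *consumed)
{
    size_t n = 0;

    if (dst_size == 0)
        return MBOX_TOO_LONG;
    dst[0] = '\0';
    if (in_len == 0 || in[0] != '"')
        return MBOX_NO_QUOTE;

    for (size_t i = 1; i < in_len; i++) {
        if (in[i] == '"') {
            dst[n] = '\0';
            if (consumed)
                *consumed = i + 1;
            return MBOX_OK;
        }
        if (n + 1 >= dst_size) {     /* keep one byte for the NUL */
            dst[0] = '\0';
            return MBOX_TOO_LONG;
        }
        dst[n++] = in[i];
    }
    dst[0] = '\0';
    return MBOX_UNTERMINATED;        /* ran out of input first */
}

/* Constructed sample command arguments, including the unterminated-quote
 * case the bulletin describes and an over-long name.  Parses each into a
 * MAILBOX_MAX-byte stack buffer and returns how many were accepted. */
int run_samples(void)
{
    static char longname[2 * MAILBOX_MAX + 2];
    const char *samples[4];
    char out[MAILBOX_MAX];
    int accepted = 0;

    memset(longname, 'A', sizeof longname - 1);
    longname[0] = '"';
    longname[sizeof longname - 2] = '"';
    longname[sizeof longname - 1] = '\0';
    samples[0] = "\"INBOX\" (MESSAGES UNSEEN)";  /* well-formed */
    samples[1] = "\"Sent Items\"";               /* name containing a space */
    samples[2] = "\"INBOX";                      /* one '"' only: the bug trigger */
    samples[3] = longname;                       /* name twice the buffer size */

    for (size_t i = 0; i < 4; i++) {
        int rc = parse_quoted_mailbox(samples[i], strlen(samples[i]),
                                      out, sizeof out, NULL);
        printf("%-28.28s -> %s\n", samples[i],
               rc == MBOX_OK ? out
               : rc == MBOX_UNTERMINATED ? "rejected: unterminated"
               : rc == MBOX_TOO_LONG ? "rejected: too long" : "rejected: no quote");
        if (rc == MBOX_OK)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    return run_samples() == 2 ? 0 : 1;
}
```

Only the first two sample lines are accepted; the single-quote line and the over-long name are refused before any byte is written beyond the buffer.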
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 41, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4517 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.41.1 - CVE: CAN-2005-1978
  • Platform: Windows
  • Title: Windows MSDTC COM+ Remote Code Execution
  • Description: Microsoft Windows is prone to a vulnerability in the COM+ functionality of the MSDTC service. It may permit remote and local attackers to execute arbitrary code in the context of the service by creating and accessing memory structures.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

  • 05.41.2 - CVE: CAN-2005-1979
  • Platform: Windows
  • Title: Windows MSDTC TIP Denial of Service
  • Description: The Microsoft Windows MSDTC (Microsoft Distributed Transaction Coordinator) service is prone to a denial of service vulnerability. The vulnerability exists in the TIP (Transaction Internet Protocol) functionality that is provided by MSDTC. This vulnerability is remotely exploitable on default configurations on Windows 2000. Please check the reference link for a list of affected systems.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

  • 05.41.3 - CVE: CAN-2005-1980
  • Platform: Windows
  • Title: Windows MSDTC TIP Distributed Denial Of Service
  • Description: The Microsoft MSDTC (Microsoft Distributed Transaction Coordinator) service is prone to a vulnerability that may permit denial of service attacks against the service or facilitate distributed denial of service attacks against other computers. The vulnerability exists in the TIP (Transaction Internet Protocol) functionality that is provided by MSDTC. This vulnerability is remotely exploitable on default configurations on Windows 2000. TIP is not enabled by default on Windows XP and Windows Server 2003 even if the MSDTC service is running. Please visit the reference link provided to get information on vulnerable versions.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

  • 05.41.4 - CVE: CAN-2005-1987
  • Platform: Windows
  • Title: Windows Collaboration Data Objects Remote Buffer Overflow
  • Description: Microsoft Collaboration Data Objects (CDO) is a library designed to send email through SMTP or Exchange servers. It is susceptible to a remote buffer overflow vulnerability due to a failure of the library to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer. This issue allows remote attackers to execute arbitrary machine code in the context of the application utilizing the library. Please refer to the advisory below for the list of vulnerable software.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-048.mspx

  • 05.41.5 - CVE: CAN-2005-2120
  • Platform: Windows
  • Title: Windows Plug and Play Unspecified Buffer Overflow
  • Description: Microsoft Windows Plug and Play (PnP) service is used by the operating system to detect new hardware. It is reported to be vulnerable to a buffer overflow due to improper sanitization of user-supplied input.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS05-047.mspx

  • 05.41.6 - CVE: CAN-2005-2117
  • Platform: Windows
  • Title: Windows Explorer Web View Script Injection
  • Description: Microsoft Windows Web View is a format provided by Windows Explorer for previewing file and folder information in a thumbnail view before opening them. It is affected by an arbitrary script injection vulnerability due to insufficient sanitization of user-supplied data as Windows Explorer renders HTML characters in certain document fields. Microsoft Windows 2000 Server SP4 and earlier, Microsoft Windows 2000 Professional SP4 and earlier, Microsoft Windows 2000 Datacenter Server SP4 and earlier are affected by this issue.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

  • 05.41.7 - CVE: CAN-2005-2122
  • Platform: Windows
  • Title: Windows Malicious Shortcut Handling Remote Code Execution
  • Description: Microsoft Windows is prone to a remote code execution vulnerability when handling a malicious shortcut (.lnk) file. This issue may allow an attacker to completely compromise a vulnerable computer. This vulnerability can facilitate arbitrary code execution with SYSTEM privileges. Please check the reference link for a list of affected systems.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

  • 05.41.8 - CVE: CAN-2005-2118
  • Platform: Windows
  • Title: Windows Malicious Shortcut Handling Remote Code Execution Variant
  • Description: Microsoft Windows is prone to a remote code execution vulnerability when handling a malicious shortcut (.lnk) file. The vulnerability arises because Windows does not handle certain properties of an .lnk file in a secure manner. It should be noted that remote exploitation of this issue requires user interaction as a vulnerable user must follow certain steps after visiting an attacker's site before this vulnerability is triggered. If email is employed as an attack vector, the user must open the .lnk file sent as an email attachment before this issue presents itself. This vulnerability can facilitate arbitrary code execution with SYSTEM privileges. Please visit the reference link provided to get information on vulnerable versions.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

  • 05.41.9 - CVE: CAN-2005-1985
  • Platform: Windows
  • Title: Windows Client Service for Netware Buffer Overflow
  • Description: Microsoft Client Service for Netware allows Windows client machines to access NetWare file, print, and directory services. It is affected by a buffer overflow vulnerability that could permit the execution of arbitrary code. Please check the reference link for a list of affected systems.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-046.mspx

  • 05.41.10 - CVE: CAN-2005-2128
  • Platform: Windows
  • Title: Windows DirectX DirectShow AVI Processing Buffer Overflow
  • Description: Microsoft DirectShow is used for streaming media on Windows operating systems. It is vulnerable to a buffer overflow due to the quartz.dll component which does not properly check the boundary of data within .AVI files. See the Microsoft advisory for list of vulnerable software.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx

  • 05.41.11 - CVE: CAN-2005-2119
  • Platform: Windows
  • Title: Windows MSDTC Buffer Overflow
  • Description: Microsoft Windows MSDTC (Microsoft Distributed Transaction Coordinator) service is vulnerable to a buffer overflow issue due to insufficient boundary checking of external data that is supplied to the service. See the Microsoft security bulletin for a listing of all affected software.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

  • 05.41.12 - CVE: CAN-2005-2127
  • Platform: Other Microsoft Products
  • Title: Internet Explorer COM Object Buffer Overflow
  • Description: Microsoft Internet Explorer is vulnerable to a buffer overflow issue that is related to instantiation of COM objects due to insufficient bounds checking when certain COM objects are instantiated from Internet Explorer. Microsoft Internet Explorer versions 6.0 SP2 and earlier are vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx

  • 05.41.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: GFI MailSecurity for Exchange/SMTP Web Interface Remote Buffer Overflow
  • Description: GFI MailSecurity for Exchange/SMTP acts as an email firewall and protects networks from email viruses, exploits and threats. It is affected by a remote buffer overflow issue due to a failure of the application to perform boundary checks prior to copying user-supplied data into finite sized process buffers. An attacker can successfully exploit this issue to completely compromise the vulnerable computer. GFI MailSecurity for Exchange/SMTP version 8.1 is vulnerable.
  • Ref: http://kbase.gfi.com/showarticle.asp?id=KBID002451

  • 05.41.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RARLAB WinRAR Multiple Remote Vulnerabilities
  • Description: RARLAB WinRAR is a compression utility capable of reading and writing files using several different archival formats. It is prone to multiple remote vulnerabilities including a format string and a buffer overflow vulnerability. Successful exploitation may allow an attacker to execute arbitrary code on a vulnerable computer. WinRAR versions 3.50 and earlier are vulnerable to these issues.
  • Ref: http://www.rarlab.com/rarnew.htm

  • 05.41.15 - CVE: CAN-2005-2937
  • Platform: Third Party Windows Apps
  • Title: Kaspersky Anti-Virus Engine CHM File Parser Remote Buffer Overflow
  • Description: Kaspersky Anti-Virus Engine is prone to a remote buffer overflow vulnerability due to a failure in the application to perform boundary checks prior to copying user-supplied data into sensitive process buffers. Kaspersky Labs Anti-Virus for Linux Servers and Workstations version 5.0.5, Kaspersky Labs Anti-Virus Personal version 5.0.227 are affected.
  • Ref: http://www.rem0te.com/public/images/kaspersky.pdf

  • 05.41.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Oracle iSQL*Plus TLS Listener Remote Denial of Service
  • Description: Oracle iSQL*Plus is a web interface to SQL*Plus. The TNS Listener is a service that is responsible for connecting the Oracle database server and client applications. It is susceptible to a vulnerability that allows remote attackers to stop the TNS Listener service by issuing a specific HTTP request, denying further database service to legitimate users. Oracle9i Standard/Personal/Enterprise Edition version 9.0.2.4 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/412753

  • 05.41.17 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Orinoco Driver Remote Information Disclosure
  • Description: The Orinoco driver for Linux kernels is susceptible to a remote information disclosure vulnerability due to the driver sending uninitialized kernel memory in small network packets. When the "orinoco_xmit()" function in the "drivers/net/wireless/orinoco.c" source file is called to transmit small network packets, it will attempt to pad the length to a minimum packet size of 60 bytes. Linux ORiNOCO Driver version 0.15-rc3, Linux kernel versions 2.6.13.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15085/

  • 05.41.18 - CVE: CAN-2005-3053, CAN-2005-3106, CAN-2005-3107, CAN-2005-3108, CAN-2005-3109, CAN-2005-3110
  • Platform: Linux
  • Title: Linux Kernel Multiple Security Vulnerabilities
  • Description: Linux kernel is prone to multiple vulnerabilities. These issues may allow local and remote attackers to trigger denial of service conditions and disclose sensitive kernel memory. Linux kernel version 2.6.x is affected.
  • Ref: http://www.securityfocus.com/bid/15049

  • 05.41.19 - CVE: CAN-2005-2971
  • Platform: Linux
  • Title: KDE KOffice KWord RTF Import Remote Buffer Overflow
  • Description: KWord is a frame-based word-processing and desktop publishing application shipped with the KOffice project of KDE. It is prone to a remote buffer overflow vulnerability. The issue arises when the application handles a malformed Rich Text Format (RTF) file. KOffice versions 1.2.0 to 1.4.1 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/413009

  • 05.41.20 - CVE: CAN-2005-3118
  • Platform: Linux
  • Title: Debian Linux Mason Init.d Firewall Loading Failure
  • Description: Mason is a Linux-based firewall. The Debian Linux Mason package is vulnerable to an issue that may cause the firewall not to load at system startup: the startup script that performs the required startup function is missing from the installation package. A remote attacker may exploit this configuration error by connecting to ports that would otherwise be remotely unavailable. Debian Mason version 0.13.92 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15019/info

  • 05.41.21 - CVE: Not Available
  • Platform: Unix
  • Title: HAURI Anti-Virus ALZ Archive Handling Buffer Overflow
  • Description: HAURI Anti-Virus is anti-virus software. It is vulnerable to a buffer overflow issue when handling ALZ archives due to improper sanitization of input data. An attacker may exploit this vulnerability to gain unauthorized remote access in the context of the superuser. This issue is reported to affect products containing "vrAZMain.dll" version 5.8.22.137.
  • Ref: http://secunia.com/secunia_research/2005-47/advisory/

  • 05.41.22 - CVE: CAN-2005-2661
  • Platform: Unix
  • Title: Up-IMAPProxy Multiple Unspecified Remote Format String Vulnerabilities
  • Description: up-IMAPProxy is an IMAP proxy service available for Linux and Unix platforms. It is reportedly prone to multiple unspecified remote format string vulnerabilities. These issues result from insufficient sanitization of user-supplied data. Successful exploitation could result in a failure of the application or arbitrary code execution in the context of the application. up-imapproxy versions 1.2.4 and 1.2.3 are affected.
  • Ref: http://www.securityfocus.com/advisories/9459

  • 05.41.23 - CVE: Not Available
  • Platform: Novell
  • Title: Novell NetMail NMAP Agent Remote Buffer Overflow
  • Description: The Novell NetMail Network Messaging Application Protocol (NMAP) agent is affected by a remote buffer overflow issue due to a lack of proper boundary checks when copying user-supplied data to insufficiently sized memory buffers. Novell NetMail versions 3.52 C1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15080

  • 05.41.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Application Server Java Server Page Source Disclosure
  • Description: Sun Java System Application Server is an enterprise application server. It is reported to be vulnerable to a JSP source code disclosure issue. Sun Java System Application Server versions 7.0 UR6 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15084

  • 05.41.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zope RestructuredText Unspecified Security Issue
  • Description: Zope is a Web application server. It is vulnerable to an unspecified issue in the docutils module that is related to the "RestructuredText" functionality. Zope versions 2.8.1 and earlier are reported to be vulnerable.
  • Ref: http://www.zope.org/Products/Zope/Hotfix_2005-10-09/security_alert

  • 05.41.26 - CVE: CAN-2005-2715
  • Platform: Cross Platform
  • Title: VERITAS NetBackup Java User-Interface Remote Format String
  • Description: VERITAS NetBackup is a network-enabled backup solution from VERITAS. The NetBackup Java user-interface is affected by a remote format string vulnerability due to improper sanitization of user-supplied input used by the authentication service "bpjava-msvc", which listens on port 13722 and runs on VERITAS NetBackup servers and agents. This vulnerability exists in the "COMMAND_LOGON_TO_MSERVER" command. A successful attack may crash the server or lead to arbitrary code execution. Veritas Software NetBackup Server versions 6.0 and earlier are vulnerable.
  • Ref: http://seer.support.veritas.com/docs/279085.htm

  • 05.41.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenVMPS Logging Function Format String
  • Description: VMPS (VLAN Management Policy Server) is a way of assigning switch ports to specific VLANs based on the MAC address of the connecting device. It is affected by a remote format string issue due to insufficient sanitization of user-supplied data in the "vmps_log()" function. OpenVMPS version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/15072

  • 05.41.28 - CVE: CAN-2005-2969
  • Platform: Cross Platform
  • Title: OpenSSL Insecure Protocol Negotiation Weakness
  • Description: OpenSSL is an open source implementation of the SSL protocol. It is vulnerable to a remote protocol negotiation weakness due to the implementation of the "SSL_OP_MSIE_SSLV2_RSA_PADDING" option, which is used to maintain compatibility with third-party software. An attacker may then exploit various insecurities in SSL version 2 to gain access to or tamper with the cleartext communications between the targeted client and server. OpenSSL versions earlier than 0.9.7h are vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2005-800.html

  • 05.41.29 - CVE: CAN-2005-3178
  • Platform: Cross Platform
  • Title: xLoadImage Multiple Remote Buffer Overflow Vulnerabilities
  • Description: xloadimage is an image viewing utility for X11 windowing systems. It is vulnerable to multiple remote buffer overflow issues due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers. An attacker may exploit these issues to execute arbitrary code with the privileges of the user that activated the vulnerable application. xLoadImage version 4.1 is vulnerable.
  • Ref: http://www.securityfocus.com/advisories/9471

  • 05.41.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BEA WebLogic Server and WebLogic Express Multiple Vulnerabilities
  • Description: WebLogic Server and WebLogic Express are enterprise application servers that are reported to be vulnerable to multiple issues. BEA WebLogic Server version 8.1 SP5, BEA WebLogic Express for Win32 8.1 SP 5 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15052

  • 05.41.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: phpMyAdmin Local File Include
  • Description: phpMyAdmin is a MySQL administrative tool. It is vulnerable to a local file include issue due to insufficient sanitization of user-supplied input. phpMyAdmin version 2.6.4-pl1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15053/info

  • 05.41.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CA Products HTTP Request Buffer Overflow
  • Description: Multiple Computer Associates products are vulnerable to a remote HTTP/1.0 request buffer overflow issue due to insufficient boundary checks. See the advisory for a listing of all Computer Associates products that are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15025/info

  • 05.41.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Antivirus Products Malformed Archives Scan Evasion Vulnerability
  • Description: Multiple antivirus products from various vendors are reported to be vulnerable to a scan evasion vulnerability. The issue arises when an affected application processes a specially altered archive file that contains a fake, misleading header.
  • Ref: http://www.securityfocus.com/bid/15046

  • 05.41.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cyphor Multiple Input Validation Vulnerabilities
  • Description: Cyphor is a Web-based forum application. It is vulnerable to multiple cross-site scripting and SQL injection issues due to insufficient sanitization of data supplied through the URI parameters. Cyphor version 0.19 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/412813

  • 05.41.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Forms Servlet TNS Listener Remote Denial of Service
  • Description: Oracle Forms is a framework for creating database applications. The TNS Listener is a service that is responsible for connecting the Oracle database server with client applications. Oracle Forms is susceptible to a vulnerability that allows remote attackers to stop the TNS Listener service, denying further database service to legitimate users. Please check the reference link for a list of affected systems.
  • Ref: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

  • 05.41.36 - CVE: CAN-2005-2967
  • Platform: Cross Platform
  • Title: Xine-Lib Remote CDDB Information Format String
  • Description: Xine-lib is a C library that is used to develop third party multimedia applications. It is susceptible to a remote format string vulnerability due to a failure of the application to securely implement a formatted printing function "fprintf()". Xine-lib versions 0.9.13, 1.0, 1.0.1, 1.0.2, and 1.1.0 are affected.
  • Ref: http://www.securityfocus.com/bid/15044

  • 05.41.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: W3C Libwww Multiple Unspecified Vulnerabilities
  • Description: W3C Libwww is a general-purpose client-side web API written in C. It is affected by a buffer overflow vulnerability and by several issues related to the handling of multipart/byteranges content. Libwww version 5.4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/15022

  • 05.41.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle iSQL*Plus Cross-Site Scripting
  • Description: Oracle iSQL*Plus is a Web interface to SQL*Plus. It is vulnerable to a cross-site scripting issue due to a failure of the application to properly sanitize user-supplied input when handling the HTML TABLE markup setting. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. Please refer to the advisory below for the list of vulnerable software.
  • Ref: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

  • 05.41.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: aeNovo Multiple Cross-Site Scripting Vulnerabilities
  • Description: aeNovo software is a collection of web site management applications. It is vulnerable to multiple unspecified cross-site scripting issues due to insufficient sanitization of user-supplied input. All versions of aeNovo, aeNovoShop and aeNovoWYSI are reported to be vulnerable.
  • Ref: http://www.kapda.ir/advisory-78.html

  • 05.41.40 - CVE: CAN-2005-3161,CAN-2005-3162
  • Platform: Cross Platform
  • Title: PHP-Fusion Multiple SQL Injection Vulnerabilities
  • Description: PHP-Fusion is an open source content management application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "activate" parameter of "register.php" and the "cat_id" parameter of "faq.php". PHP-Fusion versions 6.0.109 and earlier are vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-52/advisory/

  • 05.41.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun ONE Directory Server Unspecified Remote Vulnerability
  • Description: Sun ONE Directory Server is an LDAP directory server. It is vulnerable to an unspecified issue that can allow attackers to remotely compromise a vulnerable computer. Sun ONE Directory Server versions 5.2 patch 3 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/412650

  • 05.41.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox IFRAME Handling Remote Buffer Overflow
  • Description: Mozilla Firefox is reported to be vulnerable to a remote buffer overflow issue due to improper boundary checks prior to copying user-supplied data into sensitive process buffers. Mozilla Firefox versions 1.0.7 and 1.0.6 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15015

  • 05.41.43 - CVE: Not Available
  • Platform: Web Application
  • Title: versatileBulletinBoard Multiple Cross-Site Scripting Vulnerabilities
  • Description: versatileBulletinBoard is a bulletin board application. Insufficient sanitization of user-supplied input to the "url", "file" and "list" parameters of "dereferrer.php", "imagewin.php" and "userlistpre.php" scripts exposes the application to multiple cross-site scripting issues. versatileBulletinBoard version 1.0.0.RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/15073

  • 05.41.44 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Advanced Transfer Manager Arbitrary File Upload
  • Description: PHP Advanced Transfer Manager is an upload and download manager. It is prone to a remote arbitrary file upload vulnerability because no sanitization is performed on uploaded files. This may allow remote attackers to upload arbitrary files, including malicious scripts, and possibly execute the script on the affected server. PHP Advanced Transfer Manager 1.30 is vulnerable.
  • Ref: http://phpatm.free.fr/

  • 05.41.45 - CVE: Not Available
  • Platform: Web Application
  • Title: versatileBulletinBoard Information Disclosure
  • Description: versatileBulletinBoard is a bulletin board application. It is reported to be vulnerable to an information disclosure issue. The issue exists because any remote user can use the "getversions.php" script to list all files and versions related to the application. versatileBulletinBoard version 1.0.0.RC2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15075

  • 05.41.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Accelerated E Solutions SQL Injection
  • Description: Accelerated E Solutions is content management software. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the password parameter of the administrator login screen before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/15077/exploit

  • 05.41.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Zeroblog Thread.PHP Cross-Site Scripting Vulnerability
  • Description: Zeroblog is a Web blog application written in PHP. It is prone to a cross-site scripting vulnerability. The "threadID" parameter of the "thread.php" script is not properly sanitized before being rendered in the web browser of the affected user. Zeroblog versions 1.2a and 1.1f are affected.
  • Ref: http://www.securityfocus.com/bid/15078

  • 05.41.48 - CVE: Not Available
  • Platform: Web Application
  • Title: versatileBulletinBoard Multiple SQL Injection Vulnerabilities
  • Description: versatileBulletinBoard is a bulletin board application. It is reported to be vulnerable to multiple SQL injection issues due to improper sanitization of user-supplied input to the "ph" parameter of the "index.php" script on the "lost password" page.
  • Ref: http://www.securityfocus.com/bid/15068

  • 05.41.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Utopia News Pro Multiple Cross-Site Scripting Vulnerabilities
  • Description: Utopia News Pro is a web-based newsreader application written in PHP. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "sitetitle" parameter of the "header.php" script and the "version" and "query_count" parameters of the "footer.php" script. Utopia News Pro version 1.1.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15027/exploit

  • 05.41.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Utopia News Pro SQL Injection
  • Description: Utopia News Pro is a web-based newsreader application written in PHP. Utopia News Pro is prone to an SQL injection vulnerability caused by improper sanitization of user-supplied input to the "newsid" parameter of the "news.php" script. Utopia News Pro versions 1.1.1, 1.1.2 and 1.1.3 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15028

  • 05.41.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Oracle HTML DB Cross-Site Scripting Vulnerabilities
  • Description: Oracle HTML DB is a web application development tool for the Oracle database. It is prone to cross-site scripting vulnerabilities caused by insufficient sanitization of user-supplied data. An attacker may be able to execute arbitrary script code or SQL statements in the context of an affected user. Please visit the reference link provided to get information on vulnerable versions.
  • Ref: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf

  • 05.41.52 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki History Database Corruption
  • Description: MediaWiki is a collaborative editing application written in PHP. It is prone to a vulnerability that could result in corruption of the database. The problem exists in the submission handling routine and presents itself when an attacker uses a malformed URL. A typical attack vector to exploit this vulnerability would occur in the use of spam bots. MediaWiki version 1.4.10 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15041

  • 05.41.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Oracle XML DB Cross-Site Scripting
  • Description: Oracle XML DB is a feature of the Oracle Database. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/15034

  • 05.41.54 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBloggie Search.PHP SQL Injection
  • Description: MyBloggie is a weblog system written in PHP. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "search.php" script before using it in an SQL query. MyBloggie version 2.1.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15017/exploit

  • 05.41.55 - CVE: CAN-2005-2336, CAN-2005-2803
  • Platform: Web Application
  • Title: Hiki Multiple Cross-Site Scripting Vulnerabilities
  • Description: Hiki is a Wiki clone written in Ruby. Hiki is prone to multiple cross-site scripting vulnerabilities. These issues affect the page name in a "Login" link and when a user accesses missing pages. Hiki versions 0.8, 0.8.1 and 0.8.2 are vulnerable.
  • Ref: http://hikiwiki.org/en/advisory20050804.html

  • 05.41.56 - CVE: Not Available
  • Platform: Web Application
  • Title: osCommerce Additional_Images.PHP SQL Injection
  • Description: osCommerce is a web-based e-commerce application. It is prone to an SQL injection vulnerability caused by improper sanitization of user-supplied input to the "products_id" parameter of the "additional_images.php" script.
  • Ref: http://www.securityfocus.com/bid/15023

  • 05.41.57 - CVE: Not Available
  • Platform: Web Application
  • Title: aspReady FAQ Manager SQL Injection
  • Description: aspReady FAQ Manager is a web-based FAQ management system. Insufficient sanitization of user-supplied input exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/15022

  • 05.41.58 - CVE: CAN-2005-3167
  • Platform: Web Application
  • Title: MediaWiki HTML Inline Style Attributes Unspecified Cross-Site Scripting
  • Description: MediaWiki is a web-based encyclopedia application. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input. MediaWiki versions 1.5 beta3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15024

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.