@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 42
October 20, 2005

The critical, exploited vulnerability in the widely-used Snort intrusion detection software deserves rapid patching (#1). SANS Internet Storm Center (isc.sans.org) has deep analysis and previews of useful defensive tools. Oracle users also have an important patch to install (#2). Several important new exploits are circulating attacking widely used software (#8, #9, #10).

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     1
    Third Party Windows Apps    5 (#3, #6, #8, #9, #11)
    Linux                       1
    HP-UX                       2
    Aix                         1
    Unix                        3
    Cross Platform              8 (#1, #2, #5, #7, #10)
    Web Application             19 (#4)

*********************** Security Training Update ************************

Baltimore, Amsterdam, and San Diego are all hosting large SANS security training conferences, plus smaller programs in a dozen other cities. http://www.sans.org

And if you know anyone who is developing web applications, please give them a heads-up about the extraordinary new program on "Developing Secure Web Applications" in Baltimore. SANS vulnerability data show that the hackers have increased their targeting of web applications to compensate for security improvements in the underlying operating system. Developers who can write secure applications are in heavy demand.

http://www.sans.org/webapp_baltimore

Secure Web Development is also available for onsite training if you have 20 or more developers. Email info@sans.org with subject Secure Web development Onsite to explore that option.

*************************************************************************

Table Of Contents
PART I -- Critical Vulnerabilities
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Linux
HP-UX
Aix
Unix
Cross Platform
Web Application

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Snort Back Orifice Preprocessor Buffer Overflow
  • Affected:
    • Snort versions 2.4.x prior to 2.4.3
  • Description: Snort is a popular open-source intrusion detection and prevention system. Snort uses "preprocessors" to perform protocol decoding before the Snort detection engine is invoked. The preprocessor "bo" is used to detect traffic related to the Back Orifice backdoor. This preprocessor contains a stack-based buffer overflow that can be triggered by a specially crafted UDP packet (Back Orifice ping). The overflow can be exploited to execute arbitrary code on the Snort system with the same privileges used to run Snort, usually "root/SYSTEM". Injecting the malicious UDP packet in a network being protected by Snort is sufficient to exploit this overflow. Further, the UDP packet can be spoofed and have any source/destination ports, which may lead to bypassing firewalls. Exploit code has been posted.

  • Status: Vendor confirmed; version 2.4.3 has been released to address this issue. A workaround is to comment out the line "preprocessor bo" in snort.conf and restart snort. The workaround, however, will leave the network open to Back Orifice attacks, and should be used only if the fixed version cannot be installed. Please also check for updates for any third party products that use snort. The CERT Vulnerability Note can be used to track third party products that are vulnerable because they rely on Snort. At this time, Nortel Threat Protection System is reported to be vulnerable.

  • Council Site Actions: Most of the reporting council sites are running the affected software and have already patched their systems.

  • References:
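As an added example (not from the bulletin or the Snort project), the following Python check encodes the two facts stated above: 2.4.x builds before 2.4.3 are affected, and the interim workaround is a commented-out "preprocessor bo" line in snort.conf. The version banner and snort.conf contents are constructed samples, and the function names are the example's own.

```python
"""Exposure check for the Snort 2.4.x Back Orifice preprocessor overflow.

Added example, not code from the @RISK bulletin or from Snort itself.
Facts used: Snort 2.4.0-2.4.2 are affected, 2.4.3 is the fix, and the
workaround is to comment out "preprocessor bo" in snort.conf.
"""
import re
from typing import Tuple

FIXED = (2, 4, 3)          # first fixed release per the bulletin
AFFECTED_LINE = (2, 4)     # only the 2.4.x line is in scope here


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull a dotted version out of `snort -V` style output,
    e.g. 'Version 2.4.2 (Build 25)' -> (2, 4, 2)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no version number found in: %r" % text)
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_is_affected(version: Tuple[int, int, int]) -> bool:
    """True for 2.4.x releases earlier than 2.4.3 (the bulletin's range).
    Other release lines are outside this advisory and return False."""
    return version[:2] == AFFECTED_LINE and version < FIXED


_BO_LINE = re.compile(r"^\s*preprocessor\s+bo\b")


def bo_preprocessor_enabled(conf_text: str) -> bool:
    """True if snort.conf has an active (uncommented) 'preprocessor bo' line.
    Lines whose first non-blank character is '#' are comments and skipped."""
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if _BO_LINE.match(line):
            return True
    return False


def assess(version_output: str, conf_text: str) -> str:
    """Combine both checks into one verdict:
    'patched'    - 2.4.3 or later (or a release line not in scope)
    'workaround' - affected build, bo preprocessor commented out; per the
                   bulletin this still leaves Back Orifice traffic undetected
    'exposed'    - affected build with the bo preprocessor active
    """
    if not version_is_affected(parse_version(version_output)):
        return "patched"
    return "exposed" if bo_preprocessor_enabled(conf_text) else "workaround"


# Constructed sample inputs (not real captures).
SAMPLE_VERSION = "   ,,_     -*> Snort! <*-\n  o\"  )~   Version 2.4.2 (Build 25)\n"
SAMPLE_CONF_ACTIVE = (
    "# snort.conf (constructed sample)\n"
    "preprocessor frag3_global\n"
    "preprocessor bo\n"
    "preprocessor telnet_decode\n"
)
SAMPLE_CONF_WORKAROUND = SAMPLE_CONF_ACTIVE.replace(
    "preprocessor bo\n", "#preprocessor bo\n")

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF_ACTIVE))                # exposed
    print(assess(SAMPLE_VERSION, SAMPLE_CONF_WORKAROUND))            # workaround
    print(assess("Version 2.4.3 (Build 26)", SAMPLE_CONF_ACTIVE))    # patched
```

Feed it the real `snort -V` banner and the sensor's snort.conf; a "workaround" verdict is a reminder that the preprocessor is off and the fixed build still needs to be installed.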
Other Software
  • (3) HIGH: GFi MailSecurity Web Module Overflow
  • Affected:
    • GFi MailSecurity version 8.1
  • Description: GFi MailSecurity uses multiple virus scanning engines to scan emails for viruses, Trojans, spyware and malicious attachments. The product can be used as an SMTP gateway or integrates with Exchange 2000/2003 server. The product offers a web interface for configuration and managing quarantine emails. This web interface contains a buffer overflow that can be triggered by overlong HTTP headers. An unauthenticated attacker can exploit the overflow to execute arbitrary code on the mail server with SYSTEM privileges. Note that this product is likely to be deployed in an enterprise DMZ. Hence, successful exploitation grants an attacker a foothold in the DMZ for launching further attacks.

  • Status: Vendor confirmed; updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (6) MODERATE: AhnLab Antivirus Archive Processing Overflow
  • Affected:
    • AhnLab V3Pro 2004 (V3 VirusBlock 2005 international) (Build 6.0.0.457)
    • AhnLab V3Net for Windows Server 6.0 (Build 6.0.0.457)
    • AhnLab MyV3 with AzMain.dll 1.3.11.15
  • Description: The AhnLab family of products is designed to protect desktops and servers from various viruses. These products contain buffer overflows in processing ALZ, XXE and UUE archives. The overflows are triggered by archives in the affected formats containing large filenames. If compressed file scanning is enabled, this overflow can be exploited to execute arbitrary code on the systems running AhnLab products.

  • Status: Vendor confirmed; updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (7) MODERATE: OpenWBEM Multiple Buffer Overflows
  • Affected:
    • OpenWBEM versions 3.x
  • Description: OpenWBEM is an open source implementation of the Web-Based Enterprise Management (WBEM) standard, which aims to unify management of networks, user applications and systems across various vendors. During a security audit of this software several overflows were discovered. These flaws can be exploited to execute arbitrary code with "root" privileges. Limited technical details about the vulnerabilities have been posted. Note that SuSE and Apple Remote Desktop use OpenWBEM.

  • Status: SuSE Linux has provided fixed packages.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 42, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4587 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.42.1 - CVE: Not Available
  • Platform: Windows
  • Title: Windows Unspecified Remote Code Execution
  • Description: Microsoft Windows is vulnerable to an unspecified remote code execution in a default installation of Media Player and Internet Explorer. Windows NT, 2000, XP SP1, SP2 and Windows 2003 SP0 and SP1 are reported to be vulnerable.
  • Ref: http://www.eeye.com/html/research/upcoming/20051017.html

  • 05.42.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WinRAR Command Line Buffer Overflow
  • Description: RARLAB WinRAR is a compression application. It is vulnerable to a buffer overflow issue in the command line processing functionality when processing a long archive name parameter. RARLAB WinRAR versions 3.50 and earlier are vulnerable.
  • Ref: http://www.rarlabs.com/rarnew.htm

  • 05.42.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Accelerated Mortgage Manager Password Field SQL Injection
  • Description: Accelerated Mortgage Manager is a lead management application. Insufficient sanitization of the "Password" input field exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/15097

  • 05.42.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: TYPSoft FTP Server Denial of Service
  • Description: TYPSoft FTP Server is a file transfer application. It is vulnerable to a denial of service issue when a valid user issues two consecutive "RETR" commands. TYPSoft FTP Server versions 1.11 and earlier are affected.
  • Ref: http://www.exploitlabs.com/files/advisories/EXPL-A-2005-016-typsoft-ftpd.txt

  • 05.42.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Brightmail AntiSpam Malformed MIME Message Denial Of Service
  • Description: Symantec Brightmail AntiSpam runs at the gateway. It is vulnerable to a denial of service issue due to a failure of the application to properly handle certain malformed MIME content. A remote attacker could crash the application by exploiting this issue. Symantec Brightmail AntiSpam version 6.0 builds 1 and 2 are vulnerable to this issue.
  • Ref: http://www.symantec.com/avcenter/security/Content/2005.10.12d.html

  • 05.42.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ahnlab V3 Antivirus Multiple Archive Format Handling Remote Buffer Overflow
  • Description: AhnLab V3 Antivirus products provide antivirus protection. They are reported to be vulnerable to a remote buffer overflow issue due to a failure to perform proper boundary checks.
  • Ref: http://www.securityfocus.com/bid/15091

  • 05.42.7 - CVE: Not Available
  • Platform: Linux
  • Title: Xerver Multiple Input Validation Vulnerabilities
  • Description: Xerver is a web and FTP server. It is reported to be vulnerable to multiple input validation issues due to improper sanitization of user-supplied input. Xerver version 4.17 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15135

  • 05.42.8 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX LPD Arbitrary Command Execution
  • Description: The HP-UX line printer daemon (lpd) allows clients to share printers over a network. It is affected by an arbitrary command execution issue that can allow remote attackers to gain unauthorized access to a vulnerable computer with superuser privileges. HP-UX versions 10.20, B.11.11 and B.11.00 are affected.
  • Ref: http://www.securityfocus.com/bid/15136

  • 05.42.9 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX FTP Server Directory Listing Vulnerability
  • Description: The FTP server included with HP-UX is prone to a vulnerability that may be leveraged by unauthenticated attackers to obtain directory listings. An attacker can issue the 'LIST' command prior to authentication to carry out this attack. A successful attack can disclose sensitive information, which may aid in the exploitation of other vulnerabilities. HP-UX versions 10.20, B.11.11 and B.11.00 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15138/info

  • 05.42.10 - CVE: Not Available
  • Platform: Aix
  • Title: Hitachi OpenTP1 Denial of Service
  • Description: OpenTP1 is an online transaction processing system. It is vulnerable to a denial of service issue because the "TP1/Server Base" and "TP1/NET/Library 2" components are unable to handle malformed data. See Hitachi's security advisory for a list of all affected versions.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS05-020_e/01-e.html
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS05-020_e/index-e.html

  • 05.42.11 - CVE: Not Available
  • Platform: Unix
  • Title: NetPBM PNMToPNG Buffer Overflow
  • Description: Netpbm is a collection of utilities for the manipulation of graphic images. One of the utilities is PNMToPNG, which converts PNM images to PNG images. It is reported to be vulnerable to a buffer overflow issue due to improper boundary checks. PNMToPNG version 10.0 of NetPBM is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15128

  • 05.42.12 - CVE: CAN-2005-3120
  • Platform: Unix
  • Title: Lynx NNTP Article Header Buffer Overflow
  • Description: Lynx is affected by a buffer overflow issue when handling NNTP article headers. The issue exists in the "HTrjis()" function where data from NNTP article headers are copied into a finite stack-based buffer without sufficient bounds checking on the size of the source data.
  • Ref: http://www.securityfocus.com/archive/1/413590

  • 05.42.13 - CVE: CAN-2005-3185
  • Platform: Unix
  • Title: Multiple Vendor WGet/Curl NTLM Username Buffer Overflow Vulnerability
  • Description: GNU wget is a software package for retrieving files using HTTP, HTTPS and FTP. CURL is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. They are reported to be vulnerable to a buffer overflow issue due to improper boundary checking on user supplied data.
  • Ref: http://www.securityfocus.com/bid/15102

  • 05.42.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Workflow Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: Oracle Workflow is a business process management solution embedded in the Oracle database. It is prone to multiple unspecified cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input. Oracle Workflow versions 11.5.9.5 and 11.5.1 are reported to be affected.
  • Ref: http://www.securityfocus.com/bid/15139

  • 05.42.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Snort Back Orifice Preprocessor Remote Stack Buffer Overflow
  • Description: Snort is an open source intrusion detection system. It is susceptible to a remote buffer overflow vulnerability due to a failure of the application to securely copy network-derived data into sensitive process buffers. This issue presents itself when the Back Orifice preprocessor attempts to determine the direction of network packets in relation to a server. A stack-based buffer overflow may be triggered. Snort versions 2.4.0 through 2.4.2 are affected by this issue.
  • Ref: http://www.kb.cert.org/vuls/id/175500

  • 05.42.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Multiple Denial of Service Vulnerabilities
  • Description: Opera Web browser is vulnerable to multiple denial of service issues when the browser attempts to process malformed HTML content such as a "U" HTML tag with an overly long argument. Opera Web Browser versions 8.02 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15124/info

  • 05.42.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 Universal Database Multiple Vulnerabilities
  • Description: IBM DB2 Universal Database is prone to multiple vulnerabilities. These issues may allow attackers to carry out denial of service attacks and other unauthorized actions. These issues affect DB2 versions prior to 8 FixPak 10 also known as version 8.2 FixPak 3.
  • Ref: http://www.securityfocus.com/bid/15126

  • 05.42.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Thunderbird Insecure SMTP Authentication
  • Description: Thunderbird is a cross-platform mail client. It is prone to an insecure SMTP authentication protocol negotiation weakness. When the client is configured for PLAIN or CRAM-MD5 authentication together with secure SMTP over TLS for encryption, it falls back to PLAIN authentication if CRAM-MD5 or STARTTLS cannot be established between the client and the server. Thunderbird does not warn users about the failure and sends authentication credentials to the server in an insecure manner. Mozilla Thunderbird versions 1.0.7 and 1.5 Beta 2 are reported to be vulnerable.
  • Ref: http://www.henlich.de/moz-smtp/


  • 05.42.20 - CVE: CAN-2005-2972
  • Platform: Cross Platform
  • Title: AbiWord Stack-Based Buffer Overflow Vulnerabilities
  • Description: AbiWord is a word processor available for multiple operating systems. It is susceptible to multiple stack-based buffer overflow vulnerabilities caused by a failure of the application to properly bounds-check user-supplied data when RTF (Rich Text Format) files are imported into AbiWord. For a list of vulnerable versions, please visit the reference link provided.
  • Ref: http://www.securityfocus.com/bid/15096

  • 05.42.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Clam Anti-Virus File Handling Denial Of Service
  • Description: ClamAV is an anti-virus application. It is vulnerable to a denial of service issue due to a failure in the application to handle malformed OLE2 files. The problem presents itself when malformed OLE2 files (DOC files) are being scanned. Clam Anti-Virus ClamAV 0.87-1 is vulnerable.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333566

  • 05.42.22 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNuke Modules.PHP Directory Traversal
  • Description: PHPNuke is a web portal application. It is vulnerable to a directory traversal issue due to insufficient sanitization of "../" in the "file" parameter of the "modules.php" script. PHPNuke versions 7.9 and 7.8 are vulnerable.
  • Ref: http://securityreason.com/achievement_exploitalert/3

  • 05.42.23 - CVE: Not Available
  • Platform: Web Application
  • Title: MySource Multiple Cross-Site Scripting Vulnerabilities
  • Description: MySource is a content management system. It is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. MySource version 2.14.0 is affected.
  • Ref: http://www.securityfocus.com/bid/15132

  • 05.42.24 - CVE: Not Available
  • Platform: Web Application
  • Title: MySource Multiple Remote File Include Vulnerabilities
  • Description: MySource is a content management application written in PHP. It is prone to multiple remote and local file include vulnerabilities that are caused by insufficient sanitization of user-supplied input to various scripts. MySource version 2.14.0 is vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-51/advisory/

  • 05.42.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Rockliffe MailSite Express Arbitrary File Upload
  • Description: MailSite Express is a Web based email application. It is vulnerable to an arbitrary file upload issue due to the way the application stores uploaded attachments. An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the Web server process to gain unauthorized access. MailSite Express 6.1.20 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/15129/info

  • 05.42.26 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 Resetcore.PHP SQL Injection
  • Description: e107 is a Web based content management system written in PHP. It is prone to a SQL injection vulnerability due to a failure in the application to properly sanitize user-supplied input to the "resetcore.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/15125

  • 05.42.27 - CVE: Not Available
  • Platform: Web Application
  • Title: NetFlow Analyzer Cross-Site Scripting
  • Description: NetFlow Analyzer is a bandwidth monitoring tool. Insufficient sanitization of the "grDisp" parameter in the "index.jsp" script exposes the application to a cross site scripting issue. NetFlow Analyzer version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/15127/info

  • 05.42.28 - CVE: Not Available
  • Platform: Web Application
  • Title: RTasarim WebAdmin Login SQL Injection
  • Description: RTasarim WebAdmin is a Web site administration application. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "username" and "password" input fields on the main login page before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/15107/discuss

  • 05.42.29 - CVE: Not Available
  • Platform: Web Application
  • Title: W-Agora Multiple Arbitrary PHP Code Injection Vulnerabilities
  • Description: W-Agora is web publishing and forum software written in PHP. It is prone to multiple PHP code injection vulnerabilities due to improper sanitization of user-supplied input to the "extras/quicklist.php" script. W-Agora version 4.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15110

  • 05.42.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Complete PHP Counter SQL Injection
  • Description: Complete PHP Counter is a web page counter application. Insufficient sanitization of the "c" parameter of the "list.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/15111

  • 05.42.31 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Safedir Restriction Bypass
  • Description: PHP is prone to multiple vulnerabilities that permit an attacker to bypass the "safedir" directory restriction. The "imagegif()", "imagepng()" and "imagejpeg()" functions, as part of the GD extension, permit an attacker to specify a full directory path to a local file. An attacker can exploit this vulnerability to execute arbitrary files located on the vulnerable system, or retrieve the contents of arbitrary files, in the security context of the Web server process. PHP version 5.0.5 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/15119/info

  • 05.42.32 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenWBEM Multiple Unspecified Remote Buffer Overflow Vulnerabilities
  • Description: OpenWBEM is an implementation of the Web-Based Enterprise Management (WBEM) standards. It is reported to be vulnerable to multiple unspecified remote buffer overflow issues due to improper sanitization of user-supplied input. OpenWBEM versions 3.1.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15121

  • 05.42.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Complete PHP Counter Cross-Site Scripting
  • Description: Complete PHP Counter is a Web page counter application. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "c" parameter of "list.php". An attacker may leverage this issue to steal cookie based authentication credentials as well as perform other attacks. All current versions of Complete PHP Counter are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15112/info

  • 05.42.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Main.PHP Directory Traversal
  • Description: Gallery is a photo gallery application. It is reported to be vulnerable to a directory traversal issue due to improper sanitization of user-supplied input. Gallery versions 2.0 Beta3 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15108

  • 05.42.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Comersus BackOffice Plus Multiple Cross-Site Scripting Vulnerabilities
  • Description: BackOffice Plus is a management and reporting tool for Web based shopping cart software. It is prone to multiple cross-site scripting vulnerabilities due to improper sanitization of user-supplied input to the "forwardTo1", "forwardTo2", "nameFT1" and "nameFT2" parameters of the "comersus_backoffice_searchItemForm.asp" script.
  • Ref: http://lostmon.blogspot.com/2005/10/comersus-backoffice-plus-cross-site.html

  • 05.42.36 - CVE: CVE-2005-2837
  • Platform: Web Application
  • Title: WebGUI Unspecified Arbitrary Code Execution
  • Description: WebGUI is a web application framework and web content management system. It is prone to an unspecified arbitrary code execution vulnerability. An unspecified error in the application may allow a malicious user to execute arbitrary code and compromise a vulnerable computer. WebGUI versions 6.3.0 through 6.7.2 are vulnerable.
  • Ref: http://www.plainblack.com/getwebgui/advisories/security-exploit-patch-for-6.3-and-above

  • 05.42.37 - CVE: Not Available
  • Platform: Web Application
  • Title: phpWebSite Search Module SQL Injection
  • Description: phpWebSite is a content management system implemented in PHP. It is prone to an SQL injection vulnerability caused by improper sanitization of user-supplied input to the search module. The vendor has released the patch phpwebsite_security_patch_20051202.tgz addressing this issue. For a list of vulnerable versions, please visit the reference link provided.
  • Ref: http://www.securityfocus.com/bid/15088

  • 05.42.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Xeobook Multiple HTML Injection Vulnerabilities
  • Description: Xeobook is a guestbook script. Insufficient sanitization of user supplied input exposes the application to multiple HTML injection issues. Xeobook version 0.93 is affected.
  • Ref: http://www.securityfocus.com/bid/15086/info

  • 05.42.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Yapig View.PHP Cross-Site Scripting
  • Description: Yapig is an image gallery. It is prone to a cross-site scripting vulnerability: insufficient sanitization of the "img_size" parameter in the "view.php" script exposes the application to a cross-site scripting issue. YaPig versions 0.95b and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/413255

  • 05.42.40 - CVE: CVE-2005-2736
  • Platform: Web Application
  • Title: YaPig Homepage Form Field HTML Injection
  • Description: Yapig is an image gallery written in PHP. YaPig is prone to an HTML injection vulnerability. Malicious HTML and script code can be injected into the "Homepage" form field of the application. Attacker-supplied HTML and script code would be executed in the context of the affected web site, potentially allowing for theft of cookie-based authentication credentials. YaPig versions 0.95b and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/413255

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.