
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 44
November 3, 2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    Other Microsoft Products         2
    Third Party Windows Apps         4
    Solaris                          1
    Cross Platform                  15 (#1)
    Web Application                 32 (#2)
    Network Device                   3 (#3)

**************** SPONSORED BY SANS SECURITY TRAINING ********************

A few words from SANS students:

"An awesome class! Loaded with practical, in-depth knowledge and focused. Useful and downright scary tools that are pure oxygen. Should be a required baseline for any network or security professional." Brian Viglione, DirecTV

"I've attended SANS on and off since 1998 and it keeps on getting better... Classes stay current and evolve with the industry needs." Joe Dietz, Qwest

"Can't say enough good things about the instructor. Best teacher I have ever had from any teaching facility yet! Great information, great presentation!" Daniel Shafer, Bonfils Blood Center

Schedule of upcoming classes: www.sans.org

************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Other Microsoft Products
    Third Party Windows Apps
    Solaris
    Cross Platform
    Web Application
    Network Device

PART I -- Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: phpBB Remote Code Execution
  • Affected:
    • phpBB version 2.0.17 and prior
  • Description: phpBB is a widely-used bulletin board package. Reports indicate that the checks phpBB performs to emulate register_globals=off, by unsetting request variables that PHP registered as globals, can be bypassed in several ways. In addition, several variables in the software are used before being initialized. Combined, these flaws could allow a remote attacker to execute arbitrary PHP code on the server. Note that the Santy worm targeted similar flaws in this software last year (December 2004). The posted advisory includes complete technical details.

  • Status: phpBB 2.0.18 has been released.

  • References:
  • (3) MODERATE: Cisco IOS System Timers Heap Overflow
  • Affected:
    • Cisco devices running IOS
  • Description: A researcher recently described a heap-based overflow in IOS IPv6 processing that could be exploited to execute arbitrary code on a vulnerable Cisco device. In that technique, execution of the attacker's code became plausible when the system timers processed entries in the overwritten heap memory. The Cisco fix is a general hardening of IOS: it reduces the probability that a heap corruption from any bug can be turned into arbitrary code execution through the OS timers, so the patch should be applied to all IOS devices.

  • Status: Cisco has made fixed software available for the 12.0 and 12.2 IOS trains. Note that no new vulnerability in Cisco IOS has been announced; Cisco had already issued fixes for the IPv6 processing flaw itself.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 44, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4622 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.44.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Java Applet Denial of Service
  • Description: Microsoft Internet Explorer is affected by a denial of service vulnerability. This issue arises because the application fails to handle exceptional conditions in a proper manner. This issue only presents itself when the J2SE Java runtime environment is installed. An attacker may exploit this issue by enticing a user to visit a malicious site, resulting in a denial of service condition in the application.
  • Ref: http://security-protocols.com/modules.php?name=News&file=article&sid=3027

  • 05.44.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Malformed HTML Parsing Denial of Service
  • Description: Microsoft Internet Explorer is vulnerable to a denial of service issue when it fails to properly handle malformed HTML content.
  • Ref: http://www.securityfocus.com/bid/15268

  • 05.44.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Hyper Estraier Remote Information Disclosure
  • Description: Hyper Estraier is a full-text search system that can be used as a search utility for web sites, mail boxes and file servers. It allows remote attackers to read restricted files. Information gathered this way may aid in other attacks. Hyper Estraier versions 1.0.1 and earlier running on Windows are vulnerable.
  • Ref: http://www.securitytracker.com/alerts/2005/Oct/1015119.html

  • 05.44.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ioFTPD Username Enumeration
  • Description: ioFTPD is an FTP server. It is vulnerable to a username enumeration issue: failed logins produce different error messages depending on whether the supplied username exists, so an attacker can confirm valid accounts before attempting password guessing.
  • Ref: http://www.critical.lt/?vulnerabilities/119

  • 05.44.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RhinoSoft Serv-U FTP Server Unspecified Denial of Service
  • Description: Serv-U FTP Server is designed for use with Microsoft Windows operating systems. It is reported to be vulnerable to an unspecified denial of service issue due to improper handling of exceptional conditions. RhinoSoft Serv-U versions 6.1.0.1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15273

  • 05.44.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: GraphOn GO-Global For Windows Remote Buffer Overflow
  • Description: GraphOn GO-Global For Windows is a multi-platform, remote desktop and application thin-client product. It is prone to a remote buffer overflow issue due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently-sized memory buffer. GraphOn GO-Global versions 3.1.0.3270 and prior are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/15285/exploit

  • 05.44.7 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris Management Console HTTP TRACE Information Disclosure
  • Description: The Solaris Management Console (SMC) facilitates administration of Solaris systems. It is prone to an information disclosure vulnerability because its web component answers HTTP TRACE requests; TRACE echoes the request back to the client, including any Cookie or Authorization headers it carried, which is the basis of cross-site tracing attacks. Sun Solaris versions 8 through 10 are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102016-1

  • 05.44.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP PHPInfo Cross-Site Scripting
  • Description: PHP is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to scripts containing the phpinfo() function. PHP versions 4.4.0 and earlier are vulnerable.
  • Ref: http://www.php.net/release_4_4_1.php

  • 05.44.9 - CVE: CVE-2005-3393
  • Platform: Cross Platform
  • Title: OpenVPN Client Remote Format String
  • Description: OpenVPN is an OpenSSL based tunneling application to securely tunnel IP networks over the TCP and UDP protocols. It is reportedly prone to a remote format string vulnerability as a result of insufficient sanitization of user-supplied data. Specifically, a malicious server can send command options such as "dhcp-option" including format specifiers to a client to trigger this vulnerability. This issue affects OpenVPN versions 2.0.x. OpenVPN running on Windows is not vulnerable to this issue.
  • Ref: http://www.securityfocus.com/advisories/9630
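The entry above describes the bug class, not the code. The following is an added example, not OpenVPN's own source: it shows how a server-pushed option line becomes a printf-style format string when it is passed as the format argument of a logging call, and the two usual remedies. The function names, the LOG_MAX buffer size and the sample "dhcp-option" line are invented for illustration.

```c
/* Added example, not OpenVPN's code: an untrusted option string pushed by
 * the server reaching a printf-style logger. Names and the sample line are
 * invented; the real client passed such strings to its own logging routine. */
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* The first function deliberately passes a non-literal format to show the
 * bug; compilers rightly warn about that, so the warning is silenced here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable pattern: the untrusted string IS the format string. snprintf
 * interprets every %-directive in it: %x reads (and leaks) stack words that
 * were never passed as arguments, %n writes through them. */
static int log_option_vulnerable(const char *pushed, char *out, size_t outlen)
{
    return snprintf(out, outlen, pushed);
}
#pragma GCC diagnostic pop

/* Fixed pattern: the format is a literal and the untrusted data is an
 * argument, so its bytes are copied verbatim, never interpreted. */
static int log_option_fixed(const char *pushed, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", pushed);
}

/* Belt and braces for a protocol whose option grammar never needs '%':
 * refuse the pushed option before it reaches any formatter at all. */
static int pushed_option_is_suspicious(const char *pushed)
{
    return strchr(pushed, '%') != NULL;
}

/* Render the log line each way so the behaviours can be compared. A "%%" in
 * the input is the smallest well-defined probe: the vulnerable path collapses
 * it to a single '%', the fixed path preserves both characters. (A real
 * attacker uses %x/%n, whose effect here is undefined behaviour.) */
static const char *render_vulnerable(const char *pushed)
{
    static char buf[LOG_MAX];
    log_option_vulnerable(pushed, buf, sizeof buf);
    return buf;
}

static const char *render_fixed(const char *pushed)
{
    static char buf[LOG_MAX];
    log_option_fixed(pushed, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed sample: a DHCP option line as a malicious server might push it. */
    const char *pushed = "dhcp-option DOMAIN corp.example 100%%";
    printf("vulnerable: %s\n", render_vulnerable(pushed));
    printf("fixed:      %s\n", render_fixed(pushed));
    printf("suspicious: %d\n", pushed_option_is_suspicious(pushed));
    return 0;
}
```

The "%s" fix is sufficient on its own; the extra rejection check is worth adding where, as here, the peer is untrusted by design and the legitimate option syntax never contains a '%'. Building with -Wformat-security (and treating it as an error in CI) catches the vulnerable form before it ships.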

  • 05.44.10 - CVE: CAN-2005-2930
  • Platform: Cross Platform
  • Title: Jed Wing CHM Lib _chm_find_in_PMGL Stack Buffer Overflow
  • Description: Jed Wing CHM Lib is susceptible to a buffer overflow vulnerability. This issue is due to a failure of the library to properly bounds check input data prior to copying it into an insufficiently sized memory buffer. CHM Lib versions 0.35 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15234

  • 05.44.11 - CVE: CVE-2005-3315
  • Platform: Cross Platform
  • Title: Novell ZENworks Patch Management Multiple SQL Injection Vulnerabilities
  • Description: Novell ZENworks Patch Management lets you manage the software update and patch process across NetWare and Windows operating systems, including the ability to apply all required updates and patches to new installations to match corporate standards. It is prone to multiple SQL injection vulnerabilities. These vulnerabilities could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
  • Ref: http://www.cirt.dk/advisories/cirt-39-advisory.pdf

  • 05.44.12 - CVE: CAN-2005-2963
  • Platform: Cross Platform
  • Title: Apache mod_auth_shadow Authentication Bypass
  • Description: mod_auth_shadow is a module for the Apache HTTP Server that authenticates against the /etc/shadow file. When .htaccess files use "AuthShadow" and the "require group" directive, mod_auth_shadow is the only authentication mechanism used to authenticate valid users, bypassing other authentication modules. This may circumvent security restrictions from other modules granting an attacker access when normally denied. mod_auth_shadow versions 2.1 and 1.5 are not affected.
  • Ref: http://www.securityfocus.com/advisories/9603

  • 05.44.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hasbani Web Server Malformed HTTP GET Request Remote Denial of Service
  • Description: Hasbani Web Server is used to manage Ethernet routers and ADSL modems. It is vulnerable to a remote denial of service issue due to a failure in the application to handle exception conditions in a proper manner. A successful attack can allow an attacker to terminate the server and deny service to legitimate users. Hasbani Web Server version 2.0 is vulnerable.
  • Ref: http://www.x0n3-h4ck.org/index.php?name=news&article=92

  • 05.44.14 - CVE: CVE-2005-3122
  • Platform: Cross Platform
  • Title: GNU gnump3d Error Page Cross-Site Scripting
  • Description: GNU gnump3d is a streaming server. It is vulnerable to cross-site scripting due to insufficient sanitization of user-supplied input to 404 error pages. GNU gnump3d versions 2.9.5 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/9607

  • 05.44.15 - CVE: CVE-2005-3123
  • Platform: Cross Platform
  • Title: GNU gnump3d Directory Traversal
  • Description: GNU gnump3d is a streaming server for MP3 and OGG vorbis files. It is prone to a directory traversal vulnerability due to insufficient sanitization of user-supplied input. GNU gnump3d versions 2.9.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/advisories/9607

  • 05.44.16 - CVE: CVE-2005-3335
  • Platform: Cross Platform
  • Title: Mantis Remote and Local File Inclusion
  • Description: Mantis is a bug tracking system. It is vulnerable to a remote and local file inclusion issue due to insufficient sanitization of the "t_core_path" parameter of the "bug_sponsorship_list_view_inc.php" script. Mantis versions 0.19.2 and 1.0.0rc2 are vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-46/advisory/

  • 05.44.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ethereal IRC Protocol Dissector Denial of Service
  • Description: The Ethereal IRC protocol dissector is prone to a remotely exploitable denial of service vulnerability. When reading a malformed packet the IRC protocol dissector may enter into an infinite loop. Ethereal versions 0.10.13 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15219

  • 05.44.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Jed Wing CHM Lib Stack Buffer Overflow
  • Description: CHM Lib is a library for handling Microsoft CHM files. The "_chm_decompress_block()" function in the "chm_lib.c" file fails to verify the contents of the "cmpLen" variable leading to a buffer overflow issue. CHM Lib versions 0.36 and earlier are affected.
  • Ref: http://www.sven-tantau.de/public_files/chmlib/chmlib_20051126.txt
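Both CHM Lib entries this week (05.44.10 and 05.44.18) are the same bug class: a length field read from the file and trusted when copying into a fixed-size buffer. The following is an added example, not chmlib's code: the block layout (a 4-byte little-endian length followed by that many payload bytes), the BLOCK_MAX capacity and all names are invented stand-ins for chmlib's real structures, and the sample blocks are constructed, not real CHM data.

```c
/* Added example, not CHM Lib's code: a length field from an untrusted file
 * driving a memcpy. Block layout, names and sample data are invented. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_MAX 64  /* capacity of the caller's decompression buffer */

uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: cmp_len comes straight from the file and drives the
 * copy. A crafted file makes it larger than `out`, or larger than the input
 * itself, and memcpy walks past both. Shown for contrast; never call it on
 * untrusted data. */
size_t read_block_vulnerable(const unsigned char *in, size_t in_len,
                             unsigned char *out)
{
    (void)in_len;
    uint32_t cmp_len = read_le32(in);
    memcpy(out, in + 4, cmp_len);
    return cmp_len;
}

/* Fixed pattern: bound cmp_len by what the input actually holds and by what
 * the output buffer can take before any byte moves. Returns the number of
 * bytes copied, or 0 for a malformed block (a zero-length block is also
 * reported as malformed so the error signal stays unambiguous). */
size_t read_block_checked(const unsigned char *in, size_t in_len,
                          unsigned char *out, size_t out_cap)
{
    if (in_len < 4)
        return 0;                               /* no room for the header */
    uint32_t cmp_len = read_le32(in);
    if (cmp_len == 0 || cmp_len > in_len - 4 || cmp_len > out_cap)
        return 0;                               /* lies about its size: reject */
    memcpy(out, in + 4, cmp_len);
    return cmp_len;
}

/* Constructed inputs (not real CHM data). */
const unsigned char good_block[]  = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
const unsigned char lying_block[] = { 0xff, 0xff, 0xff, 0xff, 'x' }; /* claims 4 GiB */
const unsigned char short_block[] = { 9, 0, 0, 0, 'a', 'b' };        /* claims 9, has 2 */

/* Runs the checked reader over a block and reports how many bytes it accepted. */
size_t accepted_bytes(const unsigned char *blk, size_t len)
{
    unsigned char out[BLOCK_MAX];
    return read_block_checked(blk, len, out, sizeof out);
}

int main(void)
{
    unsigned char out[BLOCK_MAX];
    size_t n = read_block_checked(good_block, sizeof good_block, out, sizeof out);
    return (n == 5 && memcmp(out, "hello", 5) == 0) ? 0 : 1;
}
```

The two comparisons in the fixed reader are the whole defence: one against the input (the file cannot promise more bytes than it carries) and one against the output (the caller's buffer, not the file, decides how much may be written). Checking only one of them is the usual half-fix.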

  • 05.44.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP parse_str register_globals Activation Weakness
  • Description: PHP is a general-purpose scripting language for web development that can be embedded into HTML. A weakness in the "parse_str" function, which when called with a single argument registers the parsed variables in the current scope, allows attackers to re-enable the "register_globals" directive. PHP 4.4.1 fixes this issue.
  • Ref: http://www.php.net/release_4_4_1.php

  • 05.44.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP File Upload GLOBAL Variable Overwrite
  • Description: PHP is susceptible to a vulnerability that allows remote attackers to overwrite entries of the $GLOBALS array through the file upload handling path. Because $GLOBALS aliases every global variable, this lets an attacker set variables a script assumes it controls, turning otherwise latent weaknesses in PHP scripts into exploitable ones. PHP versions earlier than 4.4.1 are vulnerable.
  • Ref: http://www.php.net/release_4_4_1.php

  • 05.44.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenVPN Server Remote Denial of Service
  • Description: OpenVPN is an OpenSSL based tunneling application. Its server is prone to a remote denial of service vulnerability due to a design error in which the server, running in TCP mode, may be unable to handle exceptional conditions. If the OpenVPN server is running in TCP mode, and the "accept()" function call returns an error status, it will attempt to dereference a NULL pointer, causing the server to crash. OpenVPN versions 2.0.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/advisories/9630
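The entry above names the failure precisely: accept() returns an error, the server continues as if it had a connection, and dereferences a NULL pointer. The following is an added example, not OpenVPN's code, of the accept() handling a TCP-mode server needs. The client structure, status values and function names are invented, and the loopback listener exists only so that the error path can be driven offline: a non-blocking listening socket with nothing queued makes accept() fail with EAGAIN on demand.

```c
/* Added example, not OpenVPN's code: handling an accept() failure without
 * building (and later dereferencing) client state for a connection that
 * never existed. Names are invented; the loopback listener is test scaffolding. */
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct client { int fd; struct sockaddr_in peer; };
enum accept_status { ACCEPT_OK, ACCEPT_RETRY, ACCEPT_FATAL };

/* TCP listener on 127.0.0.1, kernel-chosen port, non-blocking so that an
 * accept() with nothing queued fails with EAGAIN instead of blocking. */
int listen_loopback(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 4) < 0 ||
        fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fixed pattern: inspect accept()'s result before any client state exists.
 * Transient conditions (nothing queued, peer aborted mid-handshake, signal,
 * descriptor table full) come back as RETRY so the loop keeps serving;
 * anything else is FATAL for the caller to act on. On every failure *out
 * stays NULL, so a caller that checks the status never dereferences junk. */
enum accept_status accept_client(int listen_fd, struct client **out)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    *out = NULL;
    int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (fd < 0) {
        switch (errno) {
        case EAGAIN:
#if EWOULDBLOCK != EAGAIN
        case EWOULDBLOCK:
#endif
        case EINTR: case ECONNABORTED: case EMFILE: case ENFILE:
            return ACCEPT_RETRY;
        default:
            return ACCEPT_FATAL;
        }
    }
    struct client *c = calloc(1, sizeof *c);
    if (c == NULL) {
        close(fd);
        return ACCEPT_RETRY;
    }
    c->fd = fd;
    c->peer = peer;
    *out = c;
    return ACCEPT_OK;
}

/* Error path: nobody connects, accept() fails. Returns 1 if the server got
 * RETRY and a NULL client, i.e. survived exactly the condition described. */
int demo_accept_failure_survives(void)
{
    int lfd = listen_loopback();
    if (lfd < 0)
        return 0;
    struct client *c = (struct client *)(uintptr_t)0xdeadbeef; /* poisoned on purpose */
    enum accept_status st = accept_client(lfd, &c);
    close(lfd);
    return st == ACCEPT_RETRY && c == NULL;
}

/* Success path: connect a peer first, then accept it. Returns 1 if a client
 * object with an open descriptor came back. */
int demo_accept_success(void)
{
    int ok = 0, cfd = -1, lfd = listen_loopback();
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    struct client *c = NULL;
    if (lfd < 0 || getsockname(lfd, (struct sockaddr *)&a, &alen) < 0)
        goto done;
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&a, sizeof a) < 0)
        goto done;
    ok = accept_client(lfd, &c) == ACCEPT_OK && c != NULL && c->fd >= 0;
done:
    if (c) { close(c->fd); free(c); }
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return ok;
}

int main(void)
{
    return (demo_accept_failure_survives() && demo_accept_success()) ? 0 : 1;
}
```

In a production loop, RETRY on EMFILE/ENFILE should be paired with a short back-off, otherwise a client that exhausts descriptors turns the bug into a busy-loop denial of service; the point the entry makes is only that a failed accept() must never produce a client object.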

  • 05.44.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Communications Express Information Disclosure
  • Description: Sun Java System Communications Express is a Web client for the Sun Java Communications Suite. It is prone to an information disclosure vulnerability. The cause of this issue is currently unknown. The vendor has released an advisory including fixes for Solaris 8, 9, 10 and Linux platforms.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101948-1

  • 05.44.23 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPBB Multiple Unspecified Vulnerabilities
  • Description: phpBB is a bulletin board system. It is prone to multiple unspecified vulnerabilities resulting from insufficient sanitization of user-supplied data; the causes and impacts of the individual issues were not specified. phpBB versions 2.0.17 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15246/discuss

  • 05.44.24 - CVE: CVE-2005-3394
  • Platform: Web Application
  • Title: OaBoard Forum.PHP Multiple SQL Injection Vulnerabilities
  • Description: OaBoard is a web-based bulletin board application written in PHP. OaBoard is prone to SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "channel" and "topic" parameters of the "forum.php" script before using it in an SQL query. These vulnerabilities could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.
  • Ref: http://online.securityfocus.com/bid/15245

  • 05.44.25 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Global Variable Deregistration Bypass Vulnerabilities
  • Description: phpBB is a bulletin board system written in PHP. It is reported to be vulnerable to SQL injection, HTML injection and cross-site scripting issues due to improper deregistration of global variables. phpBB version 2.0.17 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15243

  • 05.44.26 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPcafe Tutorial Manager SQL Injection
  • Description: PHPcafe Tutorial Manager is a teaching tool application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "index.php" script. All versions of PHPcafe Tutorial Manager are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15244

  • 05.44.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Gallery Index.PHP SQL Injection
  • Description: Invision Gallery is a gallery system that can be used as a plug-in for Invision Power Board. Insufficient sanitization of the "st" parameter in the "index.php" script exposes the application to an SQL injection issue. Invision Gallery version 2.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/15240/info

  • 05.44.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Snitz Forum Post.ASP Cross-Site Scripting
  • Description: Snitz Forums 2000 is a web-based community portal written in ASP. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "type" parameter of the "post.asp" script. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. Snitz Forums 2000 version 3.2.05 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15241/info

  • 05.44.29 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Advanced Transfer Manager Remote Unauthorized Access
  • Description: PHP Advanced Transfer Manager is an upload and download manager. It can allow remote attackers to gain unauthorized access. User passwords are stored as MD5 hashes in flat files at /[PHPATM Location]/users/<Username Here>, and access to these files is not restricted, so anyone who knows or guesses a username can fetch the hash and crack it offline. PHP Advanced Transfer Manager version 1.30 is reported to be vulnerable. Other versions may be affected as well.
  • Ref: http://www.securityfocus.com/bid/15237

  • 05.44.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Subdreamer Multiple Remote SQL Injection Vulnerabilities
  • Description: Subdreamer is a content management system. The application is affected by various SQL injection vulnerabilities affecting the "subdreamer.php", "ipb2.php", "phpbb2.php", "vbulletin2.php" and "vbulletin3.php" scripts. Subdreamer version 2.2.1 is vulnerable.
  • Ref: http://rst.void.ru/papers/advisory35.txt

  • 05.44.31 - CVE: Not Available
  • Platform: Web Application
  • Title: ASP Fast Forum Error.ASP Cross-Site Scripting
  • Description: ASP Fast Forum is a web-based forum application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "error" parameter of the "error.asp" script. All versions of 10-4 ASP Fast Forum are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/17387/

  • 05.44.32 - CVE: Not Available
  • Platform: Web Application
  • Title: MG2 Authentication Bypass
  • Description: MG2 is a web-based image gallery. It is affected by an authentication bypass vulnerability due to an access validation error. An attacker can gain access to all albums and pictures by supplying a "*" character through the "list" parameter and an "all" value through the "page" parameter of the "index.php" script. MG2 version 0.5.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15235/discuss

  • 05.44.33 - CVE: Not Available
  • Platform: Web Application
  • Title: PBLang Multiple Cross-Site Scripting Vulnerabilities
  • Description: PBLang is a bulletin board system implemented in PHP. It is prone to multiple cross-site scripting vulnerabilities caused by insufficient sanitization of user-supplied input to various scripts. These issues are reported to affect PBLang version 4.65; other versions may also be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15223

  • 05.44.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Mantis Multiple Remote Vulnerabilities
  • Description: Mantis is a bug tracking application written in PHP. It is reported to be vulnerable to multiple cross-site scripting and SQL injection attacks due to improper sanitization of user-supplied input. Mantis versions 0.19.2 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15227

  • 05.44.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Rockliffe MailSite Express Message Body HTML Injection
  • Description: MailSite Express is a web-based email application. It is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input in message bodies before using it in dynamically generated content. An attacker could exploit this issue to steal cookie-based authentication credentials as well as perform other attacks.
  • Ref: http://online.securityfocus.com/archive/1/415008

  • 05.44.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Rockliffe MailSite Express Arbitrary Script File Upload
  • Description: MailSite Express is a web-based email application. It is prone to an arbitrary file upload vulnerability because uploaded files are not adequately validated, allowing an attacker to upload a script file. Rockliffe MailSite Express version 6.1.20 is affected.
  • Ref: http://www.securityfocus.com/archive/1/415008

  • 05.44.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Rockliffe MailSite Express Information Disclosure
  • Description: MailSite Express is prone to an information disclosure vulnerability. When storing attachments, the application uses a hidden field within the HTML of an email to store the physical file path location of attachments. All files at that physical location are considered attachments to the current email. An attacker can modify that hidden field and have the attachment point to any location normally accessible to the web server. Rockliffe MailSite Express version 6.1.22 is released to fix the issue.
  • Ref: http://www.security-assessment.com/Advisories/Rockliffe_Express_Webmail_Vulnerabilities.pdf

  • 05.44.38 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPESP Multiple Unspecified Input Validation Vulnerabilities
  • Description: PHPESP is a set of PHP scripts to let non-technical users create surveys, administer surveys, gather results and view statistics. It is vulnerable to multiple input validation issues due to a failure in the application to properly sanitize user-supplied data. An attacker could exploit these issues to compromise the application and perform other attacks. PHPESP versions earlier than 1.8 RC1 are vulnerable.
  • Ref: http://cvs.sourceforge.net/viewcvs.py/phpesp/phpESP/docs/CHANGES?rev=.&content-type=text/plain

  • 05.44.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Snoopy Arbitrary Command Execution Vulnerability
  • Description: Snoopy is a freely available, PHP class that implements a Web client for use in automating HTTP requests in PHP applications. It is reported to be vulnerable to an arbitrary command execution issue due to improper sanitization of user-supplied input. Snoopy version 1.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15213

  • 05.44.40 - CVE: Not Available
  • Platform: Web Application
  • Title: gCards News.PHP SQL Injection
  • Description: gCards is a free postcard creation application written in PHP. It is prone to an SQL injection vulnerability. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. gCards version 1.43 is vulnerable.
  • Ref: http://online.securityfocus.com/bid/15216

  • 05.44.41 - CVE: Not Available
  • Platform: Web Application
  • Title: saphp Lesson Multiple Input Validation Vulnerabilities
  • Description: saphp Lesson is a forum application written in PHP. It is prone to multiple SQL injection vulnerabilities due to improper sanitization of user-supplied input to the "forumid" parameter of the "showcat.php" and "add.php" scripts.
  • Ref: http://www.securityfocus.com/archive/1/414398

  • 05.44.42 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Modules.PHP HTML Injection
  • Description: PHP-Nuke is a web portal application. Insufficient sanitization of user-supplied input to the search field handled by the "modules.php" script exposes the application to an HTML injection issue.
  • Ref: http://www.securityfocus.com/archive/1/414704

  • 05.44.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Woltlab Info-DB Info_db.PHP Multiple SQL Injection Vulnerabilities
  • Description: Info-DB is a third party file download module for Woltlab Burning Board. It is vulnerable to multiple SQL injection issues due to a failure in the application to properly sanitize user-supplied input to the "fileid" and "subkatid" parameters of the "info_db.php" script before using it in an SQL query. Successful exploitation could result in a compromise of the application. Woltlab Burning Board versions 2.7 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/414664

  • 05.44.44 - CVE: Not Available
  • Platform: Web Application
  • Title: ATutor Multiple Input Validation Vulnerabilities
  • Description: ATutor is a web-based Learning Content Management System. It is vulnerable to multiple input validation issues due to insufficient sanitization of user supplied data. ATutor versions 1.5.1-pl1 and earlier are vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-55/advisory/

  • 05.44.45 - CVE: Not Available
  • Platform: Web Application
  • Title: FlatNuke Index.PHP Cross-Site Scripting
  • Description: FlatNuke is a content management system. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "nome" input field of the "index.php" script. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. FlatNuke versions earlier than 2.5.7 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/414409

  • 05.44.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Comersus BackOffice Multiple Input Validation And Information Disclosure Vulnerabilities
  • Description: Comersus BackOfficePlus and BackOfficeLite are back-end management suites for Comersus Shopping Cart software. This software is reported to be vulnerable to multiple input validation and information disclosure issues due to improper sanitization of user-supplied input. Comersus Open Technologies BackOffice Plus versions 6.0.1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15251

  • 05.44.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Belchior Foundry vCard Pro Addrbook.PHP SQL Injection
  • Description: Belchior Foundry vCard PRO is a web-based greeting card application. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "addr_id" parameter of the "addrbook.php" script before using it in an SQL query. Belchior Foundry vCard PRO version 3.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15254/exploit

  • 05.44.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Elite Forum HTML Injection Vulnerability
  • Description: Elite Forum is a Web forum application written in PHP. It is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "Post Reply" field in an existing forum before using it in dynamically generated content.
  • Ref: http://www.h4cky0u.org/advisories/HYSA-2005-009-elite-forum.txt

  • 05.44.49 - CVE: Not Available
  • Platform: Web Application
  • Title: eyeOS Desktop.PHP HTML Injection
  • Description: eyeOS is a content management system styled after a desktop operating system. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the "motd" parameter of the "desktop.php" script. eyeOS versions 0.8.4 and 0.8.3 are affected.
  • Ref: http://www.thebillygoatcurse.com/advisories/eyeOS_0.8.4_Multiple.pdf

  • 05.44.50 - CVE: Not Available
  • Platform: Web Application
  • Title: eyeOS User And Password Information Disclosure
  • Description: eyeOS is a content management system. The application stores usernames and encrypted passwords in the file "usrinfo.xml" which is web accessible without requiring any authentication. eyeOS version 0.8.5 is released to fix this issue.
  • Ref: http://www.thebillygoatcurse.com/advisories/eyeOS_0.8.4_Multiple.pdf

  • 05.44.51 - CVE: Not Available
  • Platform: Web Application
  • Title: VUBB Index.PHP Cross-Site Scripting
  • Description: VUBB is a free bulletin board application. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "t" parameter of the "index.php" script. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. All current versions of VUBB are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/415399

  • 05.44.52 - CVE: Not Available
  • Platform: Web Application
  • Title: XMB Forum Post.PHP SQL Injection Vulnerability
  • Description: XMB Nexus Forum is a bulletin board application written in PHP. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/15267

  • 05.44.53 - CVE: Not Available
  • Platform: Web Application
  • Title: News2Net Index.PHP SQL Injection
  • Description: News2Net is a Web content management system for publishing newspapers, magazines and newsletters. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "category" parameter of the "index.php" script. News2Net version 3.0.0.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15274

  • 05.44.54 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPWebThing Forum.PHP SQL Injection
  • Description: phpWebThings is prone to an SQL injection vulnerability. This issue is due to insufficient sanitization of user-supplied input to the "forum" parameter of the "forum.php" script before using it in an SQL query. phpWebThings version 0.4.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15277/exploit

  • 05.44.55 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Management Center for IPS Sensors Configuration Download Weakness
  • Description: Cisco CiscoWorks VPN/Security Management (VMS) is a network management solution that includes Cisco Management Center for IPS Sensors (IPS MC). A weakness exists in the IPS Sensors component during the generation of Cisco configuration files. This issue may result in some signatures belonging to certain classes not being enabled during the configuration deployment process. Cisco IOS IPS devices configured by IPS MC 2.1 are prone to this issue.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml

  • 05.44.56 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Airespace WLAN Controller Unauthorized Network Access
  • Description: Cisco Airespace WLAN Controllers are affected by an issue that may permit unauthorized access to a secure network when the controller is configured to run in Lightweight Access Point Protocol (LWAPP) mode. WLAN Controllers running software version 3.1.59.24 are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20051102-lwapp.shtml

  • 05.44.57 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS System Timers Heap Buffer Overflow
  • Description: Cisco IOS is prone to heap-based buffer overflow exploitation. Cisco has released an advisory stating that IOS upgrades are available to address the possibility of exploitation of heap-based buffer overflow vulnerabilities. Successful exploitation of heap-based buffer overflow vulnerabilities could completely compromise devices running affected versions of Cisco IOS. Please refer to the advisory for details about affected versions.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.