@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 45
November 11, 2005

It was a very bad week for vulnerabilities relating to graphics and video. Programmers' errors reported by Microsoft, Apple and Macromedia have put millions of systems at risk. Many of those vulnerable systems will not be patched because the vendors have deployed a strategy that makes it the users' responsibility to find and install patches. Many users (children, for example) do not know where to look. It's a brilliant marketing strategy - but it will soon be seen as the primary cause of much of the damage created by broad-based attacks.

Also, Symantec (Veritas) has reported another programming error in its backup products. Our backup and security vendors should be the leaders in delivering safe code (and automatically patching it). We have seen no demonstration of leadership.

For open source fans, the PHP vulnerability we announced on July 1 now has a new worm exploiting it in the wild.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     2 (#1)
    Third Party Windows Apps    6
    Linux                       1
    HP-UX                       1
    Unix                        1
    Cross Platform              23 (#2, #3, #4, #5)
    Web Application             40 (#6)
    Network Device              1

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Linux
HP-UX
Unix
Cross Platform
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Graphics Rendering Engine Overflow
  • Affected:
    • Windows 2000, XP SP1 and SP2, 2003 and 2003 SP1
  • Description: Windows Metafile (WMF) and Enhanced Metafile (EMF) are file formats that store images as a sequence of drawing commands and settings. These image formats are processed by the Gdi32.dll library. This library contains multiple integer overflows in handling WMF or EMF files with specially crafted "record" sizes. These overflows can be used to overwrite the heap memory with content from the metafiles resulting in arbitrary code execution. Multiple attack vectors are possible such as including the malicious metafiles in a webpage, shared folder, e-mail, Office documents or Instant Messenger communication. Hence, the flaws should be patched on a priority basis. The technical details required to exploit the flaws have been publicly posted.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-053. The patch also fixes a DoS vulnerability in EMF processing.

  • Council Site Actions: All council sites are responding to this item. Some sites have already patched their systems. A few sites have QA'd the patch and will deploy it during their next regularly scheduled system update process. One site is relying on the public Microsoft Update site or will allow their users to obtain the patch through a local update server. One site commented that they expect this might pop up in an email worm.

  • References:
  • (3) HIGH: Macromedia Flash Player Buffer Overflow
  • Affected:
    • Macromedia Flash Player version 6 and 7 on Windows Platforms
  • Description: Macromedia Flash Player is used for viewing webpages with enhanced graphics and animation. This player is reportedly installed on 500 million systems including handhelds. The player contains a vulnerability in handling SWF files that can be exploited to execute arbitrary code. The problem arises because the media player fails to check bounds for a value used as an array index, which can then be used to point into heap memory. eEye researchers report that it is possible to reliably execute code when a malicious SWF file is opened in Internet Explorer using the Macromedia Flash plug-in. A proof-of-concept SWF file has been posted by Sec Consulting.

  • Status: Vendor confirmed, upgrade to version 8. Microsoft has also published extensive workarounds for this vulnerability.

  • Council Site Actions: Most of the council sites are responding to this item as well. Several sites are in the analysis phase and have not decided on their final plan. One site had already upgraded to Flash 8. Two sites plan to distribute the patch during their next regularly scheduled system update process. One site does not have a method for site-wide deployment of the update, so they are recommending that their users get the update from the vendor site. The final site does not plan to patch since their Cisco Security Agent install will prevent the buffer overflow from executing code on their desktops.

  • References:
  • (4) HIGH: Veritas Netbackup Shared Library Overflow
  • Affected:
    • Veritas Netbackup Enterprise server and client versions 5.x
  • Description: Veritas NetBackup software offers a backup and recovery solution for mid- to large-size enterprises. This software contains a stack-based buffer overflow in a shared library that is used by many daemons. The buffer overflow can be exploited by an unauthenticated user to execute arbitrary code on the backup server or client. A known possible attack vector involves the volume manager daemon (vmd). The technical details about the flaw have not been posted yet.

  • Status: Vendor confirmed, updates available. Please refer to the Symantec advisory for a list of ports used by Veritas Netbackup daemons. It is advisable to block these ports at the network perimeter.

  • Council Site Actions: Only three of the reporting council sites are using the affected software. One site plans to deploy the patch during their next maintenance cycle. The second site only has a few affected systems and will rely on the administrators to obtain the updates from the vendor. The final site has already deployed the patch.

  • References:
  • (5) HIGH: ClamAV FSG File Handling Overflow
  • Affected:
    • Clam AntiVirus versions 0.80 through 0.87
  • Description: ClamAV is an open-source antivirus software designed mainly for scanning emails on UNIX mail gateways. The software includes a virus scanning library - libClamAV. This library is used by many third party email, web, FTP scanners as well as mail clients. The library contains a buffer overflow that can be triggered by specially crafted FSG (Packed Executable Format) files. The attacker can send the malicious file via email, web, FTP or a file share, and exploit the buffer overflow to execute arbitrary code on the system running the ClamAV library. The technical details can be obtained by comparing the fixed and the affected versions of the software. Note that for compromising the mail/web/FTP gateways no user interaction is required.

  • Status: Version 0.87.1 fixes this overflow. The update also fixes other DoS vulnerabilities. Please look for third party updates for the software linked to libClamAV.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 45, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4644 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.45.1 - CVE: CAN-2005-2124
  • Platform: Windows
  • Title: Windows WMF Format Code Execution
  • Description: Microsoft Windows supports the Windows Metafile (WMF) image format. It is vulnerable to a remote code execution attack due to insufficient boundary checking when a user views a malicious WMF formatted file. See the vendor advisory for a list of affected Windows systems.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx

  • 05.45.2 - CVE: CAN-2005-2123
  • Platform: Windows
  • Title: Windows Graphics Rendering Engine WMF/EMF Format Code Execution
  • Description: Microsoft Windows supports Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats. Its rendering engine is affected by a remote code execution vulnerability due to insufficient bounds checking performed by the application. The problem presents itself when a user views a malicious WMF or EMF formatted file, causing the affected engine to attempt to parse it. Microsoft Windows versions XP, 2003 and 2000 are affected.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx

  • 05.45.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Glider Collect'N Kill Remote Buffer Overflow
  • Description: Glider Collect'n Kill is a multi-player combat game. Insufficient sanitization of data passed to the "gl_playerEnter" command exposes the application to a buffer overflow issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/15280

  • 05.45.4 - CVE: CVE-2005-3468
  • Platform: Third Party Windows Apps
  • Title: F-Secure Web Console Directory Traversal
  • Description: F-Secure provides computer and network security solutions. F-Secure Anti-Virus and Internet Gatekeeper Web Console is vulnerable to a directory traversal issue due to insufficient sanitization of "../". F-Secure Internet Gatekeeper versions 6.42 and earlier and Anti-Virus for MS Exchange version 6.40 are vulnerable.
  • Ref: http://www.f-secure.com/security/fsc-2005-2.shtml

  • 05.45.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Battle Carry Remote Denial of Service
  • Description: Battle Carry is a multi-player tank game written for the Microsoft Windows platform. Battle Carry is prone to a remote denial of service vulnerability. An attacker can exploit this vulnerability by sending a packet larger than 8192 bytes to the listening UDP port to cause a socket error.
  • Ref: http://www.securityfocus.com/bid/15282

  • 05.45.6 - CVE: CVE-2005-1939
  • Platform: Third Party Windows Apps
  • Title: IPSwitch WhatsUp Small Business 2004 Directory Traversal
  • Description: IPSwitch WhatsUp Small Business 2004 is a network monitoring application. It is vulnerable to a directory traversal issue on TCP port 8022 due to insufficient sanitization of user-supplied data. IPSwitch WhatsUp Small Business 2004 is vulnerable.
  • Ref: http://cirt.dk/advisories/cirt-40-advisory.pdf

  • 05.45.7 - CVE: CVE-2005-3374
  • Platform: Third Party Windows Apps
  • Title: F-Prot Antivirus ZIP Attachment Version Scan Evasion
  • Description: F-Prot Antivirus is prone to a scan evasion vulnerability when dealing with ZIP archive attachments. This issue is due to a design error in the application that flags certain ZIP files as harmless when it is unable to decompress them. An attacker can exploit this vulnerability by crafting a specially designed ZIP file containing malicious code and bypass the antivirus software. Visit the reference link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/15293

  • 05.45.8 - CVE: CVE-2005-2659
  • Platform: Third Party Windows Apps
  • Title: Jed Wing CHM Lib LZX Decompression Method Buffer Overflow
  • Description: CHM lib is an open source library for handling Microsoft CHM files. CHM lib is susceptible to a buffer overflow vulnerability due to a failure of the library to properly bounds check input data prior to copying it into an insufficiently sized memory buffer. Jed Wing CHM lib versions 0.37 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15338/discuss

  • 05.45.9 - CVE: Not Available
  • Platform: Linux
  • Title: Linux-FTPD-SSL FTP Server Remote Buffer Overflow
  • Description: Linux-FTPD-SSL FTP Server is a fork of the OpenBSD FTP server that includes SSL encryption functionality. The "lreply()" function in the "src/ftpd.c" source file improperly utilizes the "vsprintf()" function causing a remote buffer overflow issue.
  • Ref: http://freshmeat.net/projects/linux-ftpd-ssl/

  • 05.45.10 - CVE: CVE-2005-1771
  • Platform: HP-UX
  • Title: HP-UX remshd Unspecified Unauthorized Access
  • Description: remshd is the server for the rcp and remsh commands and the rcmd() function. The server provides remote execution facilities with authentication based on privileged port numbers. HP-UX remshd is prone to an unspecified unauthorized access vulnerability. When in "Trusted Mode" an error in remshd can be exploited by a remote attacker to gain unauthorized access to a system.
  • Ref: http://www.securityfocus.com/advisories/9680

  • 05.45.11 - CVE: CVE-2005-3350
  • Platform: Unix
  • Title: libungif Null Pointer Dereference Denial of Service
  • Description: libungif is a shared library of functions for loading and saving GIF format images. It is prone to a denial of service vulnerability. The library is susceptible to a null pointer dereference when handling malformed GIF images. libungif versions 4.1.3 and earlier are vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2005-828.html

  • 05.45.12 - CVE: CAN-2005-2974
  • Platform: Cross Platform
  • Title: Libungif Colormap Handling Memory Corruption
  • Description: Libungif is a library used for reading and writing GIF images. It is prone to a memory corruption vulnerability. This issue results from a boundary condition error and may allow an attacker to trigger a denial of service condition or potentially execute arbitrary code. Libungif versions 4.1.3 and 4.1 are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/9660

  • 05.45.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FlatFrag Multiple Remote Buffer Overflow and Denial of Service Vulnerabilities
  • Description: FlatFrag is an open source deathmatch game. It is exposed to a buffer overflow issue due to insufficient sanitization of user-supplied data. It is also affected by a denial of service issue due to an attempt to dereference a NULL pointer. FlatFrag versions 0.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15287/info

  • 05.45.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Scorched 3D Multiple Vulnerabilities
  • Description: Scorched 3D is a multiplayer game. It is prone to multiple vulnerabilities. These issues include numerous buffer overflow, format string, denial of service and arbitrary code execution issues. Scorched 3D versions 39.1 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15292/exploit

  • 05.45.15 - CVE: CVE-2005-2753
  • Platform: Cross Platform
  • Title: Apple QuickTime Embedded Pascal Style Remote Integer Overflow
  • Description: QuickTime Player is affected by a remote integer overflow due to improper sign handling in an embedded "Pascal" style string that results in an overly large memory copy when negative values are processed. QuickTime Player version 7.0.3 has been released to fix this issue.
  • Ref: http://lists.apple.com/archives/security-announce/2005/Nov/msg00000.html

  • 05.45.16 - CVE: CVE-2005-2754
  • Platform: Cross Platform
  • Title: Apple QuickTime Movie Attributes Remote Integer Overflow
  • Description: QuickTime Player is the media player distributed by Apple for QuickTime as well as other media files. It is vulnerable to a remote integer overflow issue due to a failure of the application to properly validate integer signed-ness prior to using it to carry out critical operations. An attacker may leverage this issue to execute arbitrary code. Apple QuickTime version 7.0.3 fixes this issue.
  • Ref: http://www.securityfocus.com/advisories/9644

  • 05.45.17 - CVE: CVE-2005-2756
  • Platform: Cross Platform
  • Title: Apple QuickTime Compressed PICT Data Remote Buffer Overflow
  • Description: Apple QuickTime Player is the media player distributed by Apple for QuickTime as well as other media files. It is reported to be vulnerable to a remote buffer overflow issue due to improper boundary checks. Apple QuickTime Player version 7.0.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15309

  • 05.45.18 - CVE: CVE-2005-2755
  • Platform: Cross Platform
  • Title: Apple QuickTime Denial of Service
  • Description: Apple QuickTime Player is the media player distributed by Apple for QuickTime as well as other media files. It is vulnerable to a denial of service issue when handling malformed movie files with missing attributes and extensions, which results in a dereference of a null pointer. Apple QuickTime Player versions 7.0.2 and earlier are vulnerable.
  • Ref: http://docs.info.apple.com/article.html?artnum=302772

  • 05.45.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java Development Kit Font Serialization Remote Denial of Service
  • Description: The Sun Java Development Kit (JDK) is prone to a remote denial of service vulnerability. This issue exists due to a font deserialization error when using an API within the JDK. The vulnerability presents itself when the Java serialization API is used to invoke a malformed serialization file through a class such as "InvokerUpload". Visit the reference link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/15312

  • 05.45.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Clam Anti-Virus ClamAV TNEF File Handling Denial of Service
  • Description: ClamAV is an anti-virus application for Windows and Unix like operating systems. It is prone to a denial of service vulnerability. This is due to a failure in the application to handle malformed TNEF formatted files. ClamAV versions 0.87 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15316

  • 05.45.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Clam Anti-Virus ClamAV CAB File Handling Denial of Service
  • Description: ClamAV is an anti-virus application. ClamAV is affected by a denial of service issue. The problem presents itself when malformed CAB formatted files are being scanned. The "libclamav/mspack/cabd.c" source file contains code that may result in an infinite loop condition being triggered by attacker-supplied data. ClamAV version 0.87.1 has been released to fix this issue.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200511-04.xml

  • 05.45.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Clam Anti-Virus ClamAV FSG File Handling Buffer Overflow
  • Description: ClamAV is an anti-virus application. It is prone to a buffer overflow issue due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer. An attacker could exploit this issue to execute arbitrary code on a vulnerable system. ClamAV versions earlier than 0.87.1 are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/9661

  • 05.45.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GpsDrive Friendsd Remote Format String
  • Description: GpsDrive is a Global Positioning System (GPS) navigation application available for Linux and BSD distributions. It also contains a web server called "Friendsd" to allow users to locate other users of the system on a map. It is reported to be vulnerable to a remotely exploitable format string issue.
  • Ref: http://www.securityfocus.com/bid/15319

  • 05.45.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Multiple Vulnerabilities
  • Description: IBM Lotus Domino Server is an application framework for web-based collaborative software. It is prone to multiple vulnerabilities. Some of these issues can be exploited to trigger a crash, however some unspecified issues with unknown impacts have also been identified. Lotus Domino versions prior to 6.5.4 Fix Pack 2 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15321/references

  • 05.45.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache Tomcat Simultaneous Directory Listing Denial of Service
  • Description: Apache Tomcat is a web-based servlet container for Java Servlet and JavaServer Pages. It is affected by a denial of service issue. The problem presents itself when an attacker submits approximately 100 simultaneous HTTP requests to an affected server. If these requests result in a large directory listing being generated, excessive CPU and memory resources may be consumed. Apache Tomcat versions 5.5.12 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15325/info

  • 05.45.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PunBB/BLOG:CMS Unspecified Information Disclosure
  • Description: PunBB is a bulletin board application. Blog:CMS utilizes PunBB. Both are vulnerable to an unspecified information disclosure issue when the "unregister_globals()" function is called after the "config.php" script. PunBB version 1.2.9 and BLOG:CMS versions 4.0.0d and earlier are vulnerable.
  • Ref: http://www.punbb.org/changelogs/1.2.9_to_1.2.10.txt

  • 05.45.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Web Browser Cookie Hostname Handling Weakness
  • Description: Multiple web browsers are susceptible to a cookie hostname handling weakness that potentially discloses sensitive information. This issue is due to a failure of the web browsers to properly ensure that cookies are associated with the correct domain names. This issue presents itself when the computer running the affected web browser has the DNS resolver library configured with a search path. Multiple web browsers are affected. Please see the reference link for details.
  • Ref: http://www.securityfocus.com/bid/15331/info

  • 05.45.28 - CVE: CAN-2005-2628
  • Platform: Cross Platform
  • Title: Macromedia Flash Array Index Memory Access
  • Description: The Macromedia Flash plug-in is vulnerable to an input validation error that an attacker can reliably exploit to execute arbitrary code. Macromedia Flash versions 6 and 7 are reportedly affected.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

  • 05.45.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Macromedia Flash ActionDefineFunction Memory Access
  • Description: Macromedia Flash is a dynamic content platform commonly used in Web based applications. The Flash plug-in is vulnerable to an input validation error that may be exploited to execute arbitrary code or carry out a denial of service attack. Macromedia Flash versions 6 and 7 are reported affected.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

  • 05.45.30 - CVE: CVE-2005-3425
  • Platform: Cross Platform
  • Title: GNU gnump3d Unspecified Cross-Site Scripting
  • Description: GNU gnump3d is a streaming server for MP3 and Ogg Vorbis files. It is vulnerable to an unspecified cross-site scripting issue due to insufficient sanitization of user-supplied input. GNUMP3D versions 2.9.5 and earlier are vulnerable.
  • Ref: http://www.gnu.org/software/gnump3d/ChangeLog http://www.debian.org/security/2005/dsa-877

  • 05.45.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FileZilla Server Terminal Remote Client-Side Buffer Overflow
  • Description: FileZilla FTP Server contains a GUI to configure the Server Terminal. A remote, client-side buffer overflow vulnerability reportedly affects FileZilla Server Terminal. An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. FileZilla version 0.9.4d is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/415961

  • 05.45.32 - CVE: CVE-2005-3116
  • Platform: Cross Platform
  • Title: VERITAS NetBackup Volume Manager Daemon Buffer Overflow
  • Description: VERITAS NetBackup is a network enabled backup solution. The NetBackup Volume Manager Daemon (vmd) is prone to a buffer overflow in a shared library used by the daemon. Other daemons that utilize the affected shared library may also expose this vulnerability. This issue affects NetBackup versions 5.0 and 5.1.
  • Ref: http://seer.support.veritas.com/docs/279553.htm

  • 05.45.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sylpheed LDIF Import Remote Buffer Overflow
  • Description: Sylpheed is a GTK+ based email client. It is prone to a buffer overflow vulnerability. An attacker can trigger this issue by supplying a malicious LDIF file containing a string of 2048 or more bytes. A buffer overflow condition can occur when this file is imported into an address book by a user. A successful attack may cause memory corruption facilitating arbitrary code execution.
  • Ref: http://sylpheed.good-day.net/en/#changes

  • 05.45.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP Web Application Server URI Redirection
  • Description: SAP Web Application Server (SAP WAS) is a platform for developing and implementing Web applications. It is vulnerable to a remote URI redirection issue due to insufficient validation of user-supplied data. A successful attack may result in various attacks including theft of cookie-based authentication credentials. SAP WAS versions 7.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15362/info

  • 05.45.35 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Handicapper Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP Handicapper is an automated sports picks and information prediction application. It is prone to multiple cross-site scripting issues due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage these issues to steal cookie-based authentication credentials as well as perform other attacks.
  • Ref: http://www.securityfocus.com/bid/15294

  • 05.45.36 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Handicapper SQL Injection
  • Description: PHP Handicapper is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "serviceid" parameter of the "process_signup.php" script.
  • Ref: http://www.securityfocus.com/bid/15298

  • 05.45.37 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Handicapper HTTP Response Splitting
  • Description: PHP Handicapper is a sports betting application. It is vulnerable to an HTTP response splitting issue due to insufficient sanitization of user-supplied input to the "login" parameter of the "process_signup.php" script.
  • Ref: http://www.securityfocus.com/bid/15301/info

  • 05.45.38 - CVE: Not Available
  • Platform: Web Application
  • Title: phpWebThings Forum.PHP Cross-Site Scripting
  • Description: phpWebThings is a Web portal management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "forum" parameter of the "forum.php" script. phpWebThings version 1.4.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15276/info

  • 05.45.39 - CVE: Not Available
  • Platform: Web Application
  • Title: MailWatch for MailScanner Authenticate Function SQL Injection
  • Description: MailWatch for MailScanner is a web front end for MailScanner. MailScanner is an email monitoring and transaction logging application. MailWatch for MailScanner is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input passed to the "authenticate()" function. MailWatch for MailScanner version 1.0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15278

  • 05.45.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Asus VideoSecurity Online Web Server Authentication Buffer Overflow
  • Description: Asus VideoSecurity Online is a video security monitoring application. It is prone to a buffer overflow issue in the authentication mechanism for the included web server. Successful exploitation of this vulnerability results in a denial of service or arbitrary code execution in the context of the application. Asus VideoSecurity Online versions 3.5.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15279/info

  • 05.45.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Asus VideoSecurity Online Web Server Directory Traversal
  • Description: Asus VideoSecurity Online is a video security monitoring application. The software also includes a web server to allow video to be streamed to a web browser. It is reported to be vulnerable to a directory traversal issue due to improper sanitization of user-supplied input. Asus VideoSecurity Online 3.5.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15281

  • 05.45.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Gallery Image Upload HTML Injection
  • Description: Invision Gallery is a gallery system that can be used as a plug-in for Invision Power Board. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input when allowing images to be uploaded from remote locations. This issue is only present when using the Microsoft Internet Explorer Web browser. Invision Gallery version 2.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/15286

  • 05.45.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple PHP Blog Multiple Input Validation Vulnerabilities
  • Description: Simple PHP Blog is a web log application. It is prone to multiple input validation issues including HTML injection and cross-site scripting. An attacker may leverage these issues to steal cookie-based authentication credentials as well as perform other attacks.
  • Ref: http://www.securityfocus.com/archive/1/415463

  • 05.45.44 - CVE: Not Available
  • Platform: Web Application
  • Title: NeroNet Limited Directory Traversal
  • Description: NeroNet is a web-based portal which allows Nero users remote access to a DVD/CDROM burner. It is reported to be vulnerable to a directory traversal issue due to improper sanitization of user-supplied input. NeroNet versions 1.2.0.2 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15288

  • 05.45.45 - CVE: Not Available
  • Platform: Web Application
  • Title: vBulletin Image Upload HTML Injection
  • Description: vBulletin is a web-based bulletin board application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input when allowing images to be uploaded from remote locations. This issue is only present when using the Microsoft Internet Explorer web browser. Visit the reference link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/15296

  • 05.45.46 - CVE: Not Available
  • Platform: Web Application
  • Title: CutePHP CuteNews Directory Traversal
  • Description: CuteNews is a news management system. Insufficient sanitization of the "../" string in the "template" parameter of the "show_archives.php" script exposes the application to a directory traversal issue. CuteNews version 1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/15295/info

  • 05.45.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Movable Type Arbitrary Blog Creation Path
  • Description: Movable Type is a weblog publishing platform. It is prone to an arbitrary blog creation path vulnerability due to insufficient sanitization of user-supplied input to unspecified parameters and scripts. It should be noted that this vulnerability applies only when a validated user has sufficient permissions to create blog entries. Visit the reference link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/15302

  • 05.45.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Movable Type Blog Entry Posting HTML Injection
  • Description: Movable Type is a Web log application. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to unspecified parameters and scripts before using it in dynamically generated content. Movable Type versions 3.17 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15305/discuss

  • 05.45.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Galerie ShowGallery.PHP SQL Injection
  • Description: Galerie is a web-based photo gallery. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "galid" parameter of the "showgallery.php" script. Galerie version 2.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15313/info

  • 05.45.50 - CVE: CVE-2005-1963
  • Platform: Web Application
  • Title: Cerberus Helpdesk Information Disclosure
  • Description: Cerberus Helpdesk is an email management application written in PHP. It is prone to an information disclosure vulnerability. An attacker can exploit this vulnerability to retrieve arbitrary email attachments of other users in the security context of the Web server process. Cerberus Helpdesk versions 2.0 through 2.6 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15315

  • 05.45.51 - CVE: Not Available
  • Platform: Web Application
  • Title: JPortal Multiple SQL Injection Vulnerabilities
  • Description: JPortal is a portal application written in PHP. It is prone to multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to various scripts. JPortal Web Portal version 2.3.1 and 2.21 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15324

  • 05.45.52 - CVE: Not Available
  • Platform: Web Application
  • Title: PunBB/Blog:CMS Image Upload HTML Injection
  • Description: PunBB is a bulletin board application and Blog:CMS is a content management system. PunBB and Blog:CMS are vulnerable to an HTML injection issue due to a failure in the application to properly sanitize user-supplied input when allowing images to be uploaded from remote locations using Microsoft Internet Explorer. PunBB versions earlier than 1.2.10 and Blog:CMS versions earlier than 4.0.0e are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15322/info

  • 05.45.53 - CVE: Not Available
  • Platform: Web Application
  • Title: PunBB/BLOG:CMS Origin Spoofing Vulnerability
  • Description: PunBB is a bulletin board application written in PHP. Blog:CMS is a content management system implemented in PHP. Blog:CMS utilizes PunBB as part of the forum section. It is reported to be vulnerable to an origin spoofing issue.
  • Ref: http://www.securityfocus.com/bid/15326

  • 05.45.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Ocean12 ASP Calendar Manager Authentication Bypass
  • Description: Ocean12 ASP Calendar Manager is a web-based calendar application. It is prone to an authentication bypass vulnerability due to an access validation error in the application. Ocean12 ASP Calendar Manager versions 1.01 and 1.0 are affected.
  • Ref: http://www.securityfocus.com/bid/15329/info

  • 05.45.55 - CVE: CVE-2005-1223
  • Platform: Web Application
  • Title: Ocean12 ASP Calendar Manager SQL Injection
  • Description: Ocean12 ASP Calendar Manager is a web-based calendar application written in ASP. Ocean12 ASP Calendar Manager is prone to an SQL injection vulnerability. Versions 1.0 and 1.0.1 of the software are considered vulnerable.
  • Ref: http://www.securityfocus.com/bid/15330

  • 05.45.56 - CVE: Not Available
  • Platform: Web Application
  • Title: cPanel Chat Message Field HTML Injection
  • Description: cPanel is prone to an HTML injection vulnerability. This issue is caused by improper sanitization of user-supplied input to the chat message field of the pre-installed Entropy Chat script. It should be noted that the attacker will most likely need a cPanel account to exploit this vulnerability. cPanel versions 10.6.0 and 10.2.0 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15327

  • 05.45.57 - CVE: Not Available
  • Platform: Web Application
  • Title: ibProArcade User ID SQL Injection
  • Description: ibProArcade is a module for Invision PowerBoard/vBulletin that supports playable Flash games as a feature within a web forum. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "UserID" parameter in the "index.php" script. ibProArcade version 2.5.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15333

  • 05.45.58 - CVE: CVE-2005-3344
  • Platform: Web Application
  • Title: Debian Horde Default Administrator Password
  • Description: The Horde Application Framework is a series of Web applications. The default Horde3 installation for Debian has a blank administrator password. A local or remote attacker can exploit this vulnerability to gain administrative access to the affected application. Debian Horde 3.0.4 is vulnerable.
  • Ref: http://www.securityfocus.com/advisories/9658

  • 05.45.59 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPFM Arbitrary File Upload
  • Description: PHPFM is a file manager application written in PHP. It is reported to be vulnerable to an arbitrary file upload issue due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/15335

  • 05.45.60 - CVE: Not Available
  • Platform: Web Application
  • Title: XMB U2U.PHP Cross-Site Scripting
  • Description: XMB is a free message board application written in PHP. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "username" parameter of the "u2u.php" script. XMB Forum version 1.9.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15342

  • 05.45.61 - CVE: Not Available
  • Platform: Web Application
  • Title: OSTE Remote File Include
  • Description: OSTE is a Web site ranking application written in PHP. It is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "page" parameter of the "index.php" script. OSTE version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15340

  • 05.45.62 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPList Multiple Input Validation Vulnerabilities
  • Description: PHPList is a web-based utility to manage personalized mailing and customer lists. It is reported to be vulnerable to multiple input validation issues. PHPList Mailing List Manager 2.10.1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15350

  • 05.45.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Multiple Cross-Site Scripting Vulnerabilities
  • Description: Invision Power Board is a bulletin board application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "adress", "name", and "description" parameters of the "admin.php" script. Invision Power Board versions 2.1 and earlier are reported to be vulnerable.
  • Ref: http://benji.redkod.org/audits/ipb.2.1.pdf http://www.securityfocus.com/archive/1/415987

  • 05.45.64 - CVE: Not Available
  • Platform: Web Application
  • Title: toendaCMS Admin.PHP Directory Traversal
  • Description: toendaCMS is a content management system. It is prone to a directory traversal vulnerability due to insufficient sanitization of user input. Traversal strings ("../") disclose the contents of arbitrary files readable by the Web server. The vulnerability exists in the "id_user" parameter of the "admin.php" script. toendaCMS version 0.6.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/415975

  • 05.45.65 - CVE: Not Available
  • Platform: Web Application
  • Title: toendaCMS Remote File Upload
  • Description: toendaCMS is a content management application written in PHP. It is prone to an arbitrary file upload vulnerability. Input to the file upload portion of the application in "/data/images/albums" is not properly sanitized, allowing arbitrarily named files to be uploaded to the vulnerable systems. toendaCMS version 0.6.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/415975

  • 05.45.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Multiple HTML Injection Vulnerabilities
  • Description: Invision Power Board is a bulletin board application written in PHP. It is prone to multiple HTML injection vulnerabilities caused by improper sanitization of user-supplied input to various scripts. Invision Board version 2.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/415987

  • 05.45.67 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPKit Multiple Input Validation Vulnerabilities
  • Description: PHPKIT is a web content management system. It is affected by multiple SQL injection, cross-site scripting, HTML injection, local file inclusion and arbitrary code execution issues. PHPKIT versions 1.6.1 R2 and earlier are vulnerable.
  • Ref: http://www.hardened-php.net/advisory_212005.80.html

  • 05.45.68 - CVE: Not Available
  • Platform: Web Application
  • Title: ATutor Registration.PHP SQL Injection
  • Description: ATutor is a web-based tutorial application. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "email" parameter of the "registration.php" script. A remote attacker could exploit this issue to compromise the application. ATutor version 1.5.1 Pl2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15355

  • 05.45.69 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPBB Forum Usercp_sendpasswd.PHP Cross-Site Scripting
  • Description: PHPBB Forum is a web forum application written in PHP. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of user-supplied input to the "user" parameter of the "usercp_sendpasswd.php" script.
  • Ref: http://www.securityfocus.com/bid/15357

  • 05.45.70 - CVE: CVE-2005-3353
  • Platform: Web Application
  • Title: PHP Group Exif Module Infinite Recursion Denial of Service
  • Description: PHP is prone to a denial of service vulnerability. This issue occurs when parsing EXIF image data in corrupt JPEG files. Due to an error in the parsing routines, an infinite recursion occurs, ultimately crashing the system. PHP versions 5.0.4 and 4.3.9 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15358

  • 05.45.71 - CVE: Not Available
  • Platform: Web Application
  • Title: SAP Web Application Server HTTP Response Splitting
  • Description: SAP Web Application Server (SAP WAS) is a platform for developing and implementing web applications. It is reported to be vulnerable to an HTTP response splitting issue due to improper sanitization of user-supplied input to the "sap-exiturl" parameter.
  • Ref: http://www.securityfocus.com/bid/15360

  • 05.45.72 - CVE: Not Available
  • Platform: Web Application
  • Title: SAP Web Application Server Multiple Cross-Site Scripting Vulnerabilities
  • Description: SAP Web Application Server is a platform to develop Web applications. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various parameters. SAP Web Application Server versions 7.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15361

  • 05.45.73 - CVE: Not Available
  • Platform: Web Application
  • Title: ASPKnowledgebase Adminlogin.ASP SQL Injection
  • Description: ASPKnowledgebase is a web-based tool for publishing FAQs, knowledge bases, and content dynamically to a website. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "login" field of the "adminlogin.asp" script.
  • Ref: http://www.securityfocus.com/bid/15364/discuss

  • 05.45.74 - CVE: Not Available
  • Platform: Web Application
  • Title: YaBB Image Upload HTML Injection
  • Description: YaBB is web forum software. It is affected by an HTML injection issue due to a failure in the application to properly sanitize user-supplied input when allowing images to be uploaded from remote locations. YaBB version 2.1 has been released to address this issue.
  • Ref: http://www.securityfocus.com/bid/15368/info

  • 05.45.75 - CVE: Not Available
  • Platform: Network Device
  • Title: Asterisk Voicemail Unauthorized Access
  • Description: Asterisk is a software-based PBX system. An attacker can access the voicemail .wav files of any user due to improper sanitization of the "mailbox" parameter in the "vmail.cgi" script. Asterisk version 1.2.0-beta2 has been released to fix this issue.
  • Ref: http://www.securityfocus.com/bid/15336/info

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.