@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 46
November 18, 2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Third Party Windows Apps    8
    Linux                       1
    Solaris                     2
    Unix                        2
    Cross Platform              18 (#1, #2, #3)
    Web Application             33
    Network Device              7

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Solaris
Unix
Cross Platform
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: RealNetworks RealPlayer Buffer Overflows
  • Affected:
    • Windows: RealPlayer versions 8, 10, 10.5 (6.0.12.1040-1235) and Enterprise; RealOne Player v2, v1
    • Mac: RealPlayer 10
    • Linux: RealPlayer 10 (10.0.0 - 5); Helix Player (10.0.0 - 5)
  • Description: Details for two buffer overflow vulnerabilities in RealPlayer were disclosed last week. A stack-based overflow can be triggered by setting a certain length field to a value greater than 127 in a Real movie (".rm") file. A heap-based overflow can be triggered by a specially crafted skin file (a file with an ".rjs" extension). The skin file has the same format as a zip file and is processed by the unzip utility included in RealPlayer. The overflow occurs when the length field in the skin file does not match its actual length. It is also possible to trigger a third overflow by including malformed images in the skin file. The technical details about this attack vector will be posted in another three months. Note that both skin and movie files are automatically downloaded and opened if RealPlayer is set as the default media player. Hence, with minimal user interaction such as browsing a malicious web page, an attacker can execute arbitrary code on a client's system.

  • Status: Vendor confirmed, updates available.

  • Council Site Actions: Most of the reporting council sites do not officially support RealNetworks products at their site. However, they do allow users to download and use them. For the most part, they presume the users will use the 'Check for Update' functionality of the software or will receive an email from RealNetworks suggesting they apply the fix. Two of the reporting council sites do plan to distribute the patch to their users during the next regularly scheduled system update cycle.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 46, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4662 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.46.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Google Talk Email Notification Denial of Service
  • Description: Google Talk is a voice and text messaging application for Microsoft Windows. It is vulnerable to a denial of service issue allowing an attacker to deny service to the client application user. Google Talk version 1.0.0.76 fixes this issue.
  • Ref: http://www.securityfocus.com/archive/1/416154

  • 05.46.2 - CVE: CAN-2005-2630
  • Platform: Third Party Windows Apps
  • Title: RealPlayer DUNZIP32.DLL Heap Overflow
  • Description: RealNetworks RealPlayer is a media player. It is vulnerable to a heap overflow issue. A buffer of fixed size can be overwritten when a malformed zipped skin file is processed by "DUNZIP32.DLL". RealNetworks RealPlayer Windows versions 10.5 v6.0.12.1235 and earlier are vulnerable.
  • Ref: http://www.eeye.com/html/research/advisories/AD20051110b.html

  • 05.46.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Kerio WinRoute Firewall RTSP Stream Denial of Service
  • Description: Kerio WinRoute Firewall is an enterprise-level firewall that is also capable of proxying networks. Kerio WinRoute Firewall is prone to a remote denial of service vulnerability. The problem presents itself when the application improperly handles RTSP streams from RTSP servers (real-time streaming media servers). A remote attacker can exploit this vulnerability to crash the affected service. Versions of the software prior to 6.1.3 are vulnerable.
  • Ref: http://www.kerio.com/kwf_history.html

  • 05.46.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Kerio WinRoute Firewall Disabled Account Bypass
  • Description: Kerio WinRoute Firewall is an enterprise-level firewall that is also capable of proxying networks. It is prone to a vulnerability that could permit access to disabled accounts. Due to an unspecified error, disabled accounts can still authenticate to a vulnerable system. This may lead to a false sense of security. For a list of vulnerable versions please visit the reference link.
  • Ref: http://www.securityfocus.com/bid/15388

  • 05.46.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Oracle Database Windows XP Simple File Sharing Authentication Bypass
  • Description: Oracle Database is affected by an authentication bypass vulnerability when run on Microsoft Windows XP computers that have Simple File Sharing enabled. With Simple File Sharing enabled, Windows authenticates remote users who do not supply valid username and password credentials as the Guest account, but Oracle then authorizes the session based on the username supplied rather than on the Guest account. If the username provided is a member of the ORA_DBA group, the user is granted SYSDBA access to the database. For a list of vulnerable versions please visit the reference link.
  • Ref: http://www.securityfocus.com/bid/15450

  • 05.46.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Informix Dynamic Server Windows XP Simple File Sharing Authentication Bypass
  • Description: IBM Informix Dynamic Server (IBM Informix IDS) is affected by an authentication bypass vulnerability when run on Microsoft Windows XP computers that have Simple File Sharing enabled. The issue occurs during database authentication. If the user attempts to authenticate with the username of the "Guest" account or an invalid username, they will be successfully authenticated to the database as the Guest account.
  • Ref: http://www.securityfocus.com/bid/15451

  • 05.46.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IBM DB2 Windows XP Simple File Sharing Authentication Bypass Vulnerability
  • Description: IBM DB2 is affected by an authentication bypass vulnerability when run on Microsoft Windows XP computers that have Simple File Sharing enabled. An attacker could exploit this issue to gain unauthorized access to the database. All current versions of IBM DB2 for Windows are vulnerable.
  • Ref: http://www.ngssoftware.com/papers/database-on-xp.pdf

  • 05.46.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FreeFTPD User Command Buffer Overflow
  • Description: FreeFTPd is a free FTP/SFTP server for various Microsoft Windows platforms. It is prone to a buffer overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data to the "user" command before storing it in a fixed-size buffer. An attacker may be able to exploit this vulnerability to execute arbitrary code in the context of the service. FreeFTPd versions 1.0 through 1.0.8 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15457


  • 05.46.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris LibIKE IKE Exchange Denial of Service
  • Description: Solaris is prone to a denial of service issue in the "libike" IKE implementation and may impact the availability of the "in.iked" daemon. This issue was discovered with the PROTOS ISAKMP Test Suite and is related to handling of malformed IKEv1 traffic. All current versions are affected.
  • Ref: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102040-1

  • 05.46.11 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris In.Named Remote Denial of Service
  • Description: Sun Solaris in.named is the DNS server. It is vulnerable to a denial of service issue when it receives multiple requests for domains that the server is not authoritative for. Sun Solaris versions 9.0, 9.0 x86 Update 2 and 9.0 x86 are vulnerable.
  • Ref: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102030-1

  • 05.46.12 - CVE: CVE-2005-2978
  • Platform: Unix
  • Title: pnmtopng Alphas_Of_Color Buffer Overflow
  • Description: pnmtopng is an open source application that converts PNM images to PNG images. pnmtopng is susceptible to a buffer overflow vulnerability. This issue allows attackers to create malicious PNM files that, when parsed by the affected utility, allow arbitrary machine code to be executed.
  • Ref: http://www.securityfocus.com/bid/15427/

  • 05.46.13 - CVE: CAN-2003-1232
  • Platform: Unix
  • Title: Emacs Local Variable Arbitrary Command Execution
  • Description: Emacs is susceptible to an arbitrary command execution vulnerability with local variables. By modifying a text file to include local variables containing an "eval" statement, attackers may cause arbitrary commands to be executed with the privileges of the Emacs user. GNU Emacs version 21.2 is vulnerable.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286183

  • 05.46.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: First 4 Internet CodeSupport Uninstallation ActiveX Software Remote Code Execution
  • Description: Some Sony CD-ROM media contains DRM software by First 4 Internet. The uninstallation software is an ActiveX control called CodeSupport. It is susceptible to a remote code execution vulnerability due to a failure of the application to properly verify the source and validity of executable code prior to executing it.
  • Ref: http://www.securityfocus.com/bid/15430


  • 05.46.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: phpMyAdmin HTTP Response Splitting
  • Description: phpMyAdmin is a Web application for handling MySQL administrative tasks. It is vulnerable to an HTTP response splitting issue due to insufficient sanitization of user-supplied input to the "libraries/header_http.inc.php" script. phpMyAdmin version 2.7.0-beta1 is vulnerable.
  • Ref: http://www.fitsec.com/advisories/FS-05-02.txt

  • 05.46.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Help Center Live Module.PHP Local File Include
  • Description: Help Center Live is a call center application. It is vulnerable to a local file include issue due to insufficient sanitization of user supplied input to the "file" parameter of the "module.php" script. Help Center Live versions 2.0 and earlier are vulnerable.
  • Ref: http://secunia.com/advisories/17580/

  • 05.46.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Openswan IKE Traffic Multiple Denial of Service Vulnerabilities
  • Description: Openswan is an IPSec implementation. It is vulnerable to multiple denial of service vulnerabilities such as insufficient handling of a specially crafted 3DES IKEv1 packet with an invalid key length. Openswan 2.x releases earlier than 2.4.2 are reported to be vulnerable.
  • Ref: http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en


  • 05.46.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealNetworks RealPlayer Malformed Image Skin File Buffer Overflow
  • Description: RealNetworks RealPlayer is prone to an unspecified vulnerability that may let remote attackers execute arbitrary code. This issue may be triggered by a malformed image in a skin file. Please refer to the vendor advisory link below for a list of vulnerable versions.
  • Ref: http://service.real.com/help/faq/security/051110_player/EN/

  • 05.46.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: phpWebThings File Parameter SQL Injection
  • Description: phpWebThings is a Web application. It is vulnerable to an SQL injection issue due to insufficient sanitization of the "file" URI parameter of the "download.php" script. phpWebThings version 1.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15399

  • 05.46.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco IPSec Unspecified IKE Traffic Denial of Service Vulnerabilities
  • Description: Various Cisco IOS, PIX Firewall, Firewall Services Module (FWSM), VPN 3000 Series Concentrator, and MDS Series SanOS releases are prone to denial of service attacks. These issues are due to security flaws in Cisco's IPSec implementation and the vulnerabilities may be triggered by malformed IKE traffic. For a list of vulnerable products and their versions please visit the reference link provided.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20051114-ipsec.shtml

  • 05.46.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Tivoli Directory Server Unspecified Unauthorized Access
  • Description: IBM Tivoli Directory Server is a commercial, multi-platform, Lightweight Directory Access Protocol (LDAP) server. It contains a web application used to query and modify the contents of the server. It is susceptible to an unspecified flaw that allows remote unauthorized access to the directory server allowing attackers to access, alter, and delete data contained in the directory server database. For a list of affected products and versions please visit the reference link provided.
  • Ref: http://www.securityfocus.com/bid/15367

  • 05.46.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 Content Manager Multiple Denial of Service
  • Description: IBM DB2 Content Manager provides imaging, digital asset management, web content management and content integration. It is prone to multiple denial of service vulnerabilities. These issues affect versions prior to Content Manager version 8.2 Fix Pack 10.
  • Ref: http://www.securityfocus.com/bid/15376

  • 05.46.25 - CVE: CAN-2005-2629
  • Platform: Cross Platform
  • Title: RealNetworks RealOne/RealPlayer RM File Remote Stack Overflow
  • Description: RealNetworks RealPlayer and RealOne Players are vulnerable to a remote stack based buffer overflow issue due to a lack of boundary checks performed by the application when parsing RM (Real Media) files. A remote attacker may execute arbitrary code on a vulnerable computer to gain unauthorized access.
  • Ref: http://service.real.com/help/faq/security/051110_player/EN/

  • 05.46.26 - CVE: CVE-2005-2976
  • Platform: Cross Platform
  • Title: gdk-pixbuf XPM Images Integer Overflow
  • Description: gdk-pixbuf is a GNOME library that provides functions to load and display images of multiple formats. A remote integer overflow vulnerability affects gdk-pixbuf due to an error in the library when processing the width, height and colors of a malicious XPM file. An attacker could exploit this issue to execute arbitrary code with the privileges of the application utilizing the vulnerable library.
  • Ref: http://rhn.redhat.com/errata/RHSA-2005-810.html

  • 05.46.27 - CVE: CVE-2005-2975
  • Platform: Cross Platform
  • Title: gdk-pixbuf/GTK XPM Images Infinite Loop Denial of Service
  • Description: gdk-pixbuf and gtk2 are graphics libraries. They are vulnerable to a denial of service which could allow an attacker to put the application in an infinite loop. Please refer to the link below for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/15429/info

  • 05.46.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Macromedia Breeze Communication Server and Live Server RTMP Data Validation
  • Description: Macromedia Breeze Communication Server and Live Server are commercial online training and communications systems. Macromedia Breeze does not sufficiently validate RTMP data, potentially leading to a denial of service condition. This issue can be triggered by an alpha build of Macromedia Flash Player 8.5 (build 127). Versions 4.0 through 5.1 of the software are vulnerable.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb05-10.html

  • 05.46.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Macromedia Flash Communication Server MX RTMP Data Validation
  • Description: Macromedia Flash Communication Server MX is a server platform that hosts streaming and interactive media. Macromedia Flash Communication Server MX does not sufficiently validate RTMP data, potentially leading to a denial of service condition. Reportedly, this issue can be triggered by an alpha build of Macromedia Flash Player version 8.5 (build 127). Macromedia Flash Communication Server MX versions 1.5 and 1.0 are affected.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb05-09.html

  • 05.46.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Antivirus Products Obscured File Name Scan Evasion
  • Description: Multiple antivirus products do not properly identify potentially malicious files when their names contain certain non-printing characters. Specifically, files with names containing characters with ASCII values 0xC0, 0xD7, 0xBA, 0xDC may evade detection.
  • Ref: http://www.securityfocus.com/bid/15423

  • 05.46.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Macromedia Contribute Publishing Server Insecure Key Encryption Weakness
  • Description: Macromedia Contribute Publishing Server is a proprietary central administration server for Macromedia Contribute users. It is vulnerable to an insecure shared connection key encryption weakness, which may allow remote attackers to decrypt the contents of network packets, gaining access to the cleartext contents of authentication credentials. Macromedia Contribute Publishing Server versions earlier than 1.11 are vulnerable to this issue.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb05-08.html

  • 05.46.32 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard Multiple HTML Injection Vulnerabilities
  • Description: MyBulletinBoard is a web-based bulletin board application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input. MyBulletinBoard versions 1.0 PR2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15424/info

  • 05.46.33 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard Unspecified Denial of Service
  • Description: MyBulletinBoard is a Web-based bulletin board system. MyBulletinBoard is prone to an unspecified denial of service vulnerability. This issue is most likely due to improper sanitization of user-supplied input. MyBulletinBoard versions 1.0 PR2, RC4 and prior are affected.
  • Ref: http://community.mybboard.net/showthread.php?tid=4507

  • 05.46.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Walla TeleSite Multiple Input Validation Vulnerabilities
  • Description: Walla Telesite is an object-oriented environment for dynamic site development and management written in Perl. It is prone to multiple input validation vulnerabilities. Cross-site scripting and SQL injection attacks are possible through the "sug" parameter of the "ts.exe" application. Information disclosure, unspecified path disclosure and local file enumeration vulnerabilities also exist. Walla Telesite version 3.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15419

  • 05.46.35 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNuke Search Module SQL Injection Vulnerability
  • Description: PHPNuke is a web-based content management system. It is vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "query" parameter of the "index.php" script. PHPNuke versions 7.0 to 7.8 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15421/info

  • 05.46.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Peel rubid Parameter SQL Injection
  • Description: Peel is a shopping cart system. It is vulnerable to an SQL injection issue due to a lack of proper sanitization of the "rubid" parameter in the "index.php" script. Peel versions 2.6 and 2.7 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15415/info

  • 05.46.37 - CVE: CVE-2005-3347, CVE-2005-3348, CVE-2003-0536
  • Platform: Web Application
  • Title: PHPsysInfo Multiple Input Validation Vulnerabilities
  • Description: PHPSysinfo is a PHP script that displays information about the host being accessed. It is prone to multiple input validation vulnerabilities due to improper sanitization of user-supplied input. PHPSysInfo versions 2.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/416543

  • 05.46.38 - CVE: CVE-2005-3236
  • Platform: Web Application
  • Title: Cyphor Show.PHP SQL Injection
  • Description: Cyphor is a Web forum application written in PHP. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "id" parameter of the "show.php" script before using it in an SQL query. Cyphor version 0.19 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/416562

  • 05.46.39 - CVE: CVE-2005-1322
  • Platform: Web Application
  • Title: Horde Unspecified Error Message Cross-Site Scripting
  • Description: The Horde Application Framework is a series of Web applications. It is prone to an unspecified cross-site scripting vulnerability. This could allow for theft of cookie-based authentication credentials or other attacks. Versions 2.2.1 through 2.2.9 are vulnerable.
  • Ref: http://lists.horde.org/archives/announce/2005/000231.html

  • 05.46.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Wizz Forum Multiple SQL Injection Vulnerabilities
  • Description: Wizz Forum is a web-based forum application written in PHP. It is prone to multiple SQL injection vulnerabilities as a result of insufficient sanitization of user-supplied input to various scripts.
  • Ref: http://www.securityfocus.com/archive/1/416582

  • 05.46.41 - CVE: Not Available
  • Platform: Web Application
  • Title: XOOPS Multiple Input Validation Vulnerabilities
  • Description: XOOPS is a web content management system. It is affected by multiple directory traversal and SQL injection issues due to insufficient sanitization of user-supplied input. Xoops versions 2.2.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15406/info

  • 05.46.42 - CVE: Not Available
  • Platform: Web Application
  • Title: ActiveCampaign 1-2-All Broadcast SQL Injection
  • Description: ActiveCampaign 1-2-All Broadcast Email is a web-based email marketing application. It is vulnerable to an SQL injection issue due to insufficient sanitization of the "Username" parameter of the "admin/index.php" script. ActiveCampaign 1-2-All Broadcast Email version 4.0 7 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15400


  • 05.46.44 - CVE: CVE-2005-3530
  • Platform: Web Application
  • Title: Antville Cross-Site Scripting
  • Description: Antville is a web application server. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to an unspecified parameter. Antville versions 1.1 and earlier are reported to be vulnerable.
  • Ref: http://moritz-naumann.com/adv/0004/antvxss/0004.txt

  • 05.46.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Moodle Multiple SQL Injection Vulnerabilities
  • Description: Moodle is a web-based course management system. Insufficient sanitization of user supplied input exposes the application to multiple SQL injection issues. Moodle version 1.6 dev and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/416306

  • 05.46.46 - CVE: Not Available
  • Platform: Web Application
  • Title: phpAdsNew Lib-sessions.inc.PHP SQL Injection
  • Description: phpAdsNew is an ad server with an integrated banner management interface and tracking system. phpAdsNew is prone to an SQL injection vulnerability due to insufficient sanitization of the "sessionID" parameter in the "lib-sessions.inc.php" script before using it in an SQL query. phpAdsNew versions 2.0.7 rc1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15385/exploit

  • 05.46.47 - CVE: Not Available
  • Platform: Web Application
  • Title: OcoMon Multiple SQL Injection Vulnerabilities
  • Description: OcoMon is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to script parameters before using it in an SQL query. Ocomon versions 1.x are affected.
  • Ref: http://www.securityfocus.com/bid/15386/info

  • 05.46.48 - CVE: CVE-2005-1925
  • Platform: Web Application
  • Title: TikiWiki Tiki-Editpage.PHP Directory Traversal
  • Description: TikiWiki is a web wiki application. Insufficient sanitization of the "../" directory traversal string exposes the application to a directory traversal issue. TikiWiki version 1.9.1 has been released to fix this issue.
  • Ref: http://www.securityfocus.com/bid/15390

  • 05.46.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Exponent CMS Multiple SQL Injection Vulnerabilities
  • Description: Exponent CMS is a content management application. It is vulnerable to multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "parent" parameter in the navigation module and the "id" parameter in the resource module. Exponent version 0.96.1 is vulnerable.
  • Ref: http://secunia.com/advisories/17505/

  • 05.46.50 - CVE: CVE-2005-1925
  • Platform: Web Application
  • Title: TikiWiki Tiki-User_Preferences.PHP Directory Traversal
  • Description: TikiWiki is a web wiki application. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input to the "prefs" parameter of the "tiki-user_preferences.php" script. TikiWiki version 1.8.5 and 1.8.4 are vulnerable.
  • Ref: http://www.idefense.com/application/poi/display?id=335&type=vulnerabilities

  • 05.46.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Exponent CMS Image Upload Arbitrary Script Execution
  • Description: Exponent CMS is a content management application. It is prone to an arbitrary script execution vulnerability due to improper sanitization of user-supplied input to the image upload portion of the application. An error in the image upload portion of the application will allow an attacker to upload arbitrary script code in image files. Version 0.96.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15391/discuss

  • 05.46.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Dev-Editor Virtual Directory Security Bypass
  • Description: Dev-Editor is a set of CGI Perl scripts for manipulating Web directory structures remotely. It is prone to a vulnerability regarding the unauthorized access to directories outside the root virtual directory. Successful exploitation will result in information disclosure. Versions of Dev-Editor prior to 3.0.1 are vulnerable.
  • Ref: http://devedit.sourceforge.net/changelog.shtml

  • 05.46.53 - CVE: Not Available
  • Platform: Web Application
  • Title: phpSysInfo Multiple Input Validation Vulnerabilities
  • Description: phpSysInfo is a PHP script that parses the Linux "/proc" filesystem and displays system information in a web browser. It is prone to multiple input validation vulnerabilities due to improper sanitization of user-supplied input. phpSysInfo versions 2.3 and earlier are vulnerable.
  • Ref: http://www.hardened-php.net/advisory_222005.81.html

  • 05.46.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Pearl Forums Index.PHP Multiple SQL Injection Vulnerabilities
  • Description: Pearl Forums is prone to multiple SQL injection issues due to a failure in the application to properly sanitize user-supplied input to the "forumID" and "topicID" parameters of the "index.php" script. Pearl Forums version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/15425/info

  • 05.46.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Pearl Forums Index.PHP Local File Include
  • Description: Pearl Forums is a web-based forums application. It is prone to a local file include vulnerability due to insufficient sanitization of user-supplied input. The "mode" parameter of the "index.php" script is not properly sanitized. Pearl Forums version 2.0 is reported to be vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/416675

  • 05.46.56 - CVE: Not Available
  • Platform: Web Application
  • Title: phpwcms Multiple Remote File Include Vulnerabilities
  • Description: phpwcms is a content management system. It is vulnerable to multiple remote file include issues due to a lack of proper sanitization of user supplied input. An attacker may leverage these issues to disclose sensitive information and perform other attacks. phpwcms version 1.2.5 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/416675

  • 05.46.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Pollvote File Include Issue
  • Description: Pollvote is a Web-based poll-taking application. It is vulnerable to a file include issue due to insufficient sanitization of user-supplied input to the "pollname" parameter of the "pollvote.php" script. All versions of Pollvote are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15439

  • 05.46.58 - CVE: Not Available
  • Platform: Web Application
  • Title: phpwcms Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpwcms is prone to multiple cross-site scripting vulnerabilities due to improper sanitization of user-supplied input to the "i" and "text" parameters of the "act_newsletter.php" script. phpwcms version 1.2.5-DEV is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/416675

  • 05.46.59 - CVE: CVE-2005-3062
  • Platform: Web Application
  • Title: AlstraSoft Template Seller Pro Remote File Include
  • Description: AlstraSoft Template Seller Pro is a Web site for selling Web page templates. It is prone to a remote file include vulnerability. The "basepath" parameter of the "payment_paypal.php" script is not properly sanitized, allowing attackers to specify remotely-hosted script files to be executed in the context of the Web server hosting the vulnerable software. AlstraSoft Template Seller Pro version 3.25 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/416725

  • 05.46.60 - CVE: Not Available
  • Platform: Web Application
  • Title: AlstraSoft Template Seller Pro SQL Injection
  • Description: AlstraSoft Template Seller Pro is a Web site for selling Web page templates. It is prone to an SQL injection vulnerability caused by improper sanitization of user-supplied input to the "user_name" parameter of the "admin/index.php" script. AlstraSoft Template Seller Pro version 3.25 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/416725

  • 05.46.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Ekinboard Title Post HTML Injection
  • Description: Ekinboard is a Web forum application written in PHP. It is vulnerable to an HTML injection issue due to a failure in the application to properly sanitize user-supplied input to the post titles before using it in dynamically generated content. An attacker could also exploit this issue to steal cookie-based authentication credentials and perform other attacks. Ekinboard version 1.0.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15443/info

  • 05.46.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Ekinboard Profile.PHP Cross-Site Scripting
  • Description: Ekinboard is a web-based forum application written in PHP. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "id" parameter of the "profile.php" script. Ekinboard version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/15447

  • 05.46.63 - CVE: Not Available
  • Platform: Web Application
  • Title: AudienceView Error.ASP Cross-Site Scripting
  • Description: AudienceView is an integrated ticketing and customer relationship management application, written in ASP. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "TSerrorMessage" parameter of the "error.asp" script.
  • Ref: http://www.securityfocus.com/bid/15459

  • 05.46.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Antharia OnContent CMS Index.PHP SQL Injection
  • Description: Antharia OnContent CMS is a content management application. Insufficient sanitization of the "pid" parameter of the "index.php" script exposes the application to an SQL injection issue.
  • Ref: http://www.securityfocus.com/bid/15464/info

  • 05.46.65 - CVE: Not Available
  • Platform: Network Device
  • Title: Juniper Networks Routers ISAKMP IKE Traffic Multiple Vulnerabilities
  • Description: Juniper Networks M, T, J, and E Series routers are affected by multiple vulnerabilities. The reported issues include buffer overflows, format strings, and denial of service vulnerabilities. These issues were discovered with the PROTOS ISAKMP Test Suite and are related to handling of malformed IKEv1 traffic.
  • Ref: http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en

  • 05.46.66 - CVE: Not Available
  • Platform: Network Device
  • Title: Secgo Software Crypto IP Gateway/Client IKEv1 Traffic Multiple Unspecified Vulnerabilities
  • Description: Secgo Software Crypto IP Gateway and Crypto IP Client provide VPN access infrastructure. They are vulnerable to multiple unspecified vulnerabilities in their IKEv1 implementation. The reported issues include buffer overflows and denial of service vulnerabilities. An attacker could exploit these issues to gain complete control of a vulnerable system. Please refer to the following link for a list of vulnerable versions.
  • Ref: http://www.secgo.com/newsletter/20051114/CIP517_description.txt
  • 05.46.68 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Adaptive Security Appliance Failover Testing Denial of Service
  • Description: Cisco Adaptive Security Appliance (ASA) is a device that provides firewall, IPS, antivirus, and VPN services. A denial of service condition may occur in Cisco ASA. This issue is triggered when the device is configured to provide failover service for a LAN. This issue affects Cisco ASA devices running versions 7.0(0), 7.0(2), and 7.0(4). Other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/15407/discuss

  • 05.46.69 - CVE: Not Available
  • Platform: Network Device
  • Title: Belkin Wireless Routers Remote Authentication Bypass
  • Description: Belkin wireless routers are affected by a remote authentication bypass issue due to a flaw in the web administration interface authentication process. Belkin F5D7232-4 and F5D7230-4 routers with firmware versions 4.05.03 and 4.03.03 are affected by this issue.
  • Ref: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102040-1

  • 05.46.70 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco 7920 Wireless IP Phone Fixed SNMP Community String
  • Description: Cisco 7920 Wireless IP Phones provide Voice over IP (VoIP) service. They are prone to a fixed default SNMP community string vulnerability: the device has a fixed read-only community string of "public" and a fixed read-write community string of "private". Cisco 7920 Wireless IP Phones running firmware versions 1.0(8) and earlier are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml

  • 05.46.71 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco 7920 Wireless IP Phone VxWorks Remote Debugger Access
  • Description: Cisco 7920 Wireless IP Phones provide Voice over IP (VoIP) service over 802.11b wireless networks. The phone listens for connections from a remote VxWorks debugger on UDP port 17185, which could allow a remote attacker to connect to the device and obtain debugging information. Cisco 7920 Wireless IP Phones running firmware version 2.0 and earlier are vulnerable to this issue.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20051116-7920.shtml

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.