@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

• (1) CRITICAL: Microsoft Internet Explorer Cumulative Security Update (MS05-054)

Other Software

• (2) HIGH: Lyris ListManager Multiple Vulnerabilities

Exploit Code

• (3) HP Openview Network Node Manager Remote Code Execution

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Other Microsoft Products

• 05.50.1 - Microsoft Internet Explorer Dialog Manipulation
• 05.50.2 - Microsoft Internet Explorer HTTPS Proxy Information Disclosure

Third Party Windows Apps

• 05.50.3 - Soti Pocket Controller-Professional Remote Command Execution
• 05.50.4 - Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow

Mac Os

• 05.50.5 - Apple Mac OS X Perl Insecure Privilege Dropping Weakness

Cross Platform

• 05.50.6 - Ethereal OSPF Protocol Dissection Stack Buffer Overflow
• 05.50.7 - APANI Networks EpiForce Agent Denial of Service
• 05.50.8 - Courier Mail Server Unauthorized Access
• 05.50.9 - ACME Perl-Cal Cal_make.PL Cross-Site Scripting
• 05.50.10 - Lyris ListManager Command Execution
• 05.50.11 - Contenido CMS Unspecified Remote Command Execution
• 05.50.12 - Horde Turba Multiple HTML Injection Vulnerabilities
• 05.50.13 - Horde Application Framework Multiple Input Vulnerabilities
• 05.50.14 - Horde Mnemo Remote HTML Injection Vulnerabilities
• 05.50.15 - LogiSphere Multiple Directory Traversal Vulnerabilities
• 05.50.16 - Horde Application Framework CSV File Upload Code Execution
• 05.50.17 - Horde Kronolith Multiple HTML Injection Vulnerabilities
• 05.50.18 - Opera Web Browser Long Title Element Bookmark Denial of Service
• 05.50.19 - UseBB PHP_SELF X-Site Scripting
• 05.50.20 - Alt-N MDaemon WorldClient Denial of Service
• 05.50.21 - Macromedia Flash Media Server 2 Administration Service Denial of Service
• 05.50.22 - EveryAuction Cross-Site Scripting
• 05.50.23 - PHPCoin Coin_CFG.PHP SQL Injection
• 05.50.24 - Opera Download Dialog File Execution
• 05.50.25 - Snipe Gallery Multiple Validation Vulnerabilities
• 05.50.26 - McGallery PRO Multiple Validation Vulnerabilities

Web Application

• 05.50.27 - MyBB Multiple Unspecified Vulnerabilities
• 05.50.28 - MilliScripts Register.PHP Cross-Site Scripting
• 05.50.29 - FlatNuke Index.PHP Directory Traversal
• 05.50.30 - ThWboard Multiple Input Validation Vulnerabilities
• 05.50.31 - DRZES HMS Login.PHP Cross-Site Scripting
• 05.50.32 - ASPMForum Multiple SQL Injection Vulnerabilities
• 05.50.33 - Website Baker SQL Injection
• 05.50.34 - CFMagic Multiple Products Input Validation Vulnerabilities
• 05.50.35 - CF_Nuke Index.CFM Local File Include
• 05.50.36 - CF_Nuke Index.CFM Cross-Site Scripting
• 05.50.37 - CleverPath Portal Login Page Cross-Site Scripting
• 05.50.38 - Lyris ListManager Multiple SQL Injection Vulnerabilities
• 05.50.39 - Lyris Listmanager TCLHTTPd Service Multiple Information Disclosure Vulnerabilities
• 05.50.40 - Lyris ListManager Hidden Variable Information Disclosure
• 05.50.41 - Positive Software Corporation CP+ Unspecified Perl Security
• 05.50.42 - My Album Online Unspecified Directory Traversal
• 05.50.43 - Magic Book Professional Book.CFM Cross-Site Scripting
• 05.50.44 - Netref Index.php SQL Injection Scripting
• 05.50.45 - Horde Nag Remote HTML Injection
• 05.50.46 - Blackboard Academic Suite Frameset.JSP Cross-Domain Frameset Loading
• 05.50.47 - LocazoList Classifieds SearchDB.ASP Input Validation
• 05.50.48 - Scout Portal Toolkit Multiple Input Validation Vulnerabilities
• 05.50.49 - BTGrup Admin WebController SQL Injection
• 05.50.50 - Guestserver GuestServer.CGI HTML Injection
• 05.50.51 - Arab Portal Link.PHP SQL Injection
• 05.50.52 - PHPCoin Config.PHP File Include
• 05.50.53 - Apache Mod_IMAP Referer Cross-Site Scripting
• 05.50.54 - PHPWebGallery Multiple SQL Injection Vulnerabilities
• 05.50.55 - EncapsGallery Gallery.PHP SQL Injection
• 05.50.56 - VCD-db Multiple Input Validation Vulnerabilities
• 05.50.57 - Link Up Gold Multiple Input Validation Vulnerabilities
• 05.50.58 - PHP JackKnife Cross-Site Scripting
• 05.50.59 - Plogger Index.PHP Multiple Input Validation Vulnerabilities
• 05.50.60 - Mantis View_filters_page.PHP Cross-Site Scripting
• 05.50.61 - PHP Web Scripts Ad Manager Pro Advertiser_statistic.PHP SQL Injection
• 05.50.62 - Jamit Job Board Index.PHP SQL Injection
• 05.50.63 - DreamLevels Dream Poll View_Results.PHP SQL Injection
• 05.50.64 - CourseForum Technologies ProjectForum Multiple Cross-Site Scripting Vulnerabilities
• 05.50.65 - PHPNuke Content Filtering Bypass
• 05.50.66 - MySQL Auction Search Module Cross-Site Scripting
• 05.50.67 - Netref Index.PHP SQL Injection

Network Device

• 05.50.68 - Motorola SB5100E Cable Modem LanD Packet Denial Of Service
• 05.50.69 - Dell TrueMobile 2300 Remote Credential Reset
• 05.50.70 - Nortel SSL VPN Web Interface Input Validation
• 05.50.71 - NetGear RP114 SYN Flood Denial Of Service

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 50, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4734 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 05.50.1 - CVE: CAN-2005-2829
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Dialog Manipulation
• Description: Microsoft Internet Explorer is prone to a remote code execution vulnerability through manipulation of custom dialog boxes. This issue arises when a user visits a malicious web site designed to exploit this flaw. A custom dialog box can be displayed that asks a user to enter certain keystrokes. The custom dialog is then able to pass the keystrokes to a download dialog, potentially allowing a remote file to be executed on the computer. The flaw exists because the download dialog accepts keystrokes passed to it from the custom dialog. Internet Explorer versions 6.0 SP1 and earlier are reported to be vulnerable.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

• 05.50.2 - CVE: CAN-2005-2830
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer HTTPS Proxy Information Disclosure
• Description: Microsoft Internet Explorer is prone to an information disclosure vulnerability when using an authenticating proxy server for HTTPS communications. If the authenticating proxy server uses Basic Authentication, an attacker on the same network could potentially access the user's authentication credentials. In order to exploit this vulnerability, the attacker would have to be able to capture traffic between the user and the authenticating proxy server during HTTPS communications.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

• 05.50.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Soti Pocket Controller-Professional Remote Command Execution
• Description: Soti Pocket Controller-Professional is a remote control application that allows a user to control their PDA from a computer. Pocket Controller-Professional is prone to a remote command execution vulnerability. This issue exists because the device accepts remote commands without requiring authentication credentials from the remote user.
• Ref: http://www.securityfocus.com/archive/1/418963

• 05.50.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow
• Description: Sights 'N Sounds Streaming Media Server is a streaming media application. It is prone to a buffer overflow vulnerability. The web server process of the application, "MediaServerListing.exe", does not properly sanitize user-supplied input. Successful exploitation of this issue will likely result in a crash of the "SWS.exe" application, denying service to legitimate users. Sights 'N Sounds Streaming Media Server version 2.0.3.b is affected.
• Ref: http://www.securityfocus.com/bid/15809/exploit

• 05.50.5 - CVE: Not Available
• Platform: Mac Os
• Title: Apple Mac OS X Perl Insecure Privilege Dropping Weakness
• Description: Apple Mac OS X's Perl is susceptible to an insecure privilege dropping weakness. The issue presents itself when Perl scripts utilize the "$<" global variable to alter the real user ID of the current process. Mac OS X version 10.3.9 is affected.
• Ref: http://www.securityfocus.com/bid/15820

• 05.50.6 - CVE: CVE-2005-3651
• Platform: Cross Platform
• Title: Ethereal OSPF Protocol Dissection Stack Buffer Overflow
• Description: Ethereal is a multi-platform network protocol sniffer and analyzer. A remote buffer overflow vulnerability reportedly affects Ethereal. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers. The specific issue exists in the OSPF (Open Shortest Path First) protocol dissector. Ethereal versions 0.10.13 and prior are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/419076

• 05.50.7 - CVE: Not Available
• Platform: Cross Platform
• Title: APANI Networks EpiForce Agent Denial of Service
• Description: EpiForce Agent is a network data encryption application. It is vulnerable to a denial of service issue due to a flaw in APANI Network Corporation's IPSec implementation for the Epiforce product. Apani Networks Corporation EpiForce Agent versions earlier than 2.0 are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/419104

• 05.50.8 - CVE: CVE-2005-3532
• Platform: Cross Platform
• Title: Courier Mail Server Unauthorized Access
• Description: Courier Mail Server is a mail transfer agent. It is vulnerable to an unauthorized access issue which allows accounts that have been deactivated to access the server. This could allow an unauthorized user to access email messages and send messages from a deactivated account. Please refer to the following link for a list of affected software.
• Ref: http://www.securityfocus.com/bid/15771/info

• 05.50.9 - CVE: Not Available
• Platform: Cross Platform
• Title: ACME Perl-Cal Cal_make.PL Cross-Site Scripting
• Description: Perl-Cal is a Web based calendar application. It is prone to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "p0" parameter of the "cal_make.pl" script. An attacker may exploit this issue to steal cookie-based authentication credentials as well as perform other attacks. ACME Software PerlCal versions 2.99.xx are reported vulnerable.
• Ref: http://www.perlcal.com/calendar/docs/bugs.txt

• 05.50.10 - CVE: Not Available
• Platform: Cross Platform
• Title: Lyris ListManager Command Execution
• Description: Lyris ListManager is a mailing list manager application. It is prone to a CRLF injection vulnerability when using the web interface to subscribe a new user to a mailing list. The "pw" parameter is not properly sanitized; arbitrary mailing list administration commands may be executed using CRLF sequences appended to this parameter. Lyris ListManager versions 5.0 through 8.8a are vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/15786/discuss

• 05.50.11 - CVE: CAN-2005-4132
• Platform: Cross Platform
• Title: Contenido CMS Unspecified Remote Command Execution
• Description: Contenido CMS is a content management application. It is prone to an unspecified remote command execution issue due to a lack of proper sanitization of user-supplied input. An attacker may exploit this vulnerability to execute arbitrary commands in the context of the Web server process. Contenido versions earlier than 4.6.4 are vulnerable.
• Ref: http://sourceforge.net/forum/forum.php?forum_id=518356

• 05.50.12 - CVE: CVE-2005-1315
• Platform: Cross Platform
• Title: Horde Turba Multiple HTML Injection Vulnerabilities
• Description: Turba is a web-based contact management application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input to the address book name and unspecified contact data fields.
• Ref: http://lists.horde.org/archives/announce/2005/000235.html

• 05.50.13 - CVE: CVE-2005-3759
• Platform: Cross Platform
• Title: Horde Application Framework Multiple Input Vulnerabilities
• Description: The Horde Application Framework is a series of web applications. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to the identity, category/labels, mobile phone, and file import fields. Horde Application Framework versions 3.0.7 and earlier are vulnerable.
• Ref: http://www.sec-consult.com/245.html

• 05.50.14 - CVE: Not Available
• Platform: Cross Platform
• Title: Horde Mnemo Remote HTML Injection Vulnerabilities
• Description: The Horde Application Framework is a series of web applications. Mnemo is the Horde notes and memos application. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of user-supplied input to a notepad's name when creating a notepad and a shared notepad's name fields. Mnemo version 2.0.2 and prior are affected by these issues.
• Ref: http://www.sec-consult.com/245.html

• 05.50.15 - CVE: Not Available
• Platform: Cross Platform
• Title: LogiSphere Multiple Directory Traversal Vulnerabilities
• Description: LogiSphere is a web server that permits remote control of any Microsoft Windows compatible video device and the ability to stream video content. It is prone to multiple directory traversal vulnerabilities due to insufficient sanitization of user-supplied input to the "source" parameter of "viewsource.jsp", the "NS-query-pat" parameter of the search function and the document path. Other scripts and parameters may also be vulnerable. LogiSphere version 0.9.9j is vulnerable.
• Ref: http://www.securityfocus.com/bid/15807/exploit

• 05.50.16 - CVE: CVE-2005-4190
• Platform: Cross Platform
• Title: Horde Application Framework CSV File Upload Code Execution
• Description: The Horde Application Framework is a series of web applications. It is vulnerable to an arbitrary script code execution issue due to insufficient sanitization of user-supplied input to the "Date" and "Time" fields of the CSV upload script. Horde Application Framework versions 3.0.7 and earlier are vulnerable.
• Ref: http://lists.horde.org/archives/announce/2005/000238.html

• 05.50.17 - CVE: CVE-2005-1314
• Platform: Cross Platform
• Title: Horde Kronolith Multiple HTML Injection Vulnerabilities
• Description: Kronolith is a Horde calendar application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user supplied input to such fields as "CalendarName", "title", "category", "location" and "attendee". Horde Kronolith versions 2.0.5 and earlier are vulnerable.
• Ref: http://secunia.com/advisories/15080

• 05.50.18 - CVE: Not Available
• Platform: Cross Platform
• Title: Opera Web Browser Long Title Element Bookmark Denial of Service
• Description: Opera is a web browser available for a number of platforms. It is prone to a denial of service vulnerability when a web page with a long title element is bookmarked. This issue occurs if the Input Method Editor (IME) is installed. Opera Web Browser versions 8.50 and earlier are reported to be vulnerable.
• Ref: http://www.opera.com/support/search/supsearch.dml?index=821

• 05.50.19 - CVE: CVE-2005-4193
• Platform: Cross Platform
• Title: UseBB PHP_SELF X-Site Scripting
• Description: UseBB is a web forum application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "$_SERVER" variable. UseBB versions 0.6a and earlier are vulnerable.
• Ref: http://sourceforge.net/project/shownotes.php?release_id=377496&group_id=9310
  3 http://www.frsirt.com/english/advisories/2005/2843

• 05.50.20 - CVE: Not Available
• Platform: Cross Platform
• Title: Alt-N MDaemon WorldClient Denial of Service
• Description: MDaemon is an email application. It is vulnerable to a denial of service issue due to insufficient sanitization of user-supplied input in the "Subject" header field. Alt-N MDaemon version 8.1.3 is vulnerable.
• Ref: http://www.ipomonis.com/advisories.htm

• 05.50.21 - CVE: Not Available
• Platform: Cross Platform
• Title: Macromedia Flash Media Server 2 Administration Service Denial of Service
• Description: Macromedia Flash Media Server 2 provides streaming media capabilities and a development environment for creating and delivering media applications. It includes an administration service which is prone to a remote denial of service vulnerability due to improper handling of exceptional conditions. Successful exploitation may trigger a crash or hang, denying service to legitimate users. Micromedia Flash Media Server version 2.0 is vulnerable.
• Ref: http://www.ipomonis.com/advisories/Flash_media_server_2.txt

• 05.50.22 - CVE: CVE-2005-4229
• Platform: Cross Platform
• Title: EveryAuction Cross-Site Scripting
• Description: EveryAuction is an online auction application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "searchstring" parameter of the "auction.pl" script. EveryAuction version 1.53 is vulnerable.
• Ref: http://www.frsirt.com/english/advisories/2005/2857

• 05.50.23 - CVE: CVE-2005-4213
• Platform: Cross Platform
• Title: PHPCoin Coin_CFG.PHP SQL Injection
• Description: PhpCOIN is a Web hosting reseller application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "coin_cfg.php" script. PhpCOIN version 1.2.2 is vulnerable.
• Ref: http://rgod.altervista.org/phpcoin_122_sql_xpl.html

• 05.50.24 - CVE: CAN-2005-2407
• Platform: Cross Platform
• Title: Opera Download Dialog File Execution
• Description: Opera Web Browser is vulnerable to remote code execution issue through manipulation of download dialog boxes. Opera Web Browser versions 8.01 and earlier are reported to be vulnerable.
• Ref: http://www.opera.com/docs/changelogs/linux/802/

• 05.50.25 - CVE: Not Available
• Platform: Cross Platform
• Title: Snipe Gallery Multiple Validation Vulnerabilities
• Description: Snipe Gallery is an image gallery application. It is vulnerable to multiple input validation issues due to insufficient sanitization to user-supplied input to "gallery_id" and "image_id" parameters of the "index.php" script. Snipe Gallery versions 3.1.4 and earlier are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/snipe-gallery-sqlxss-vuln.htm l

• 05.50.26 - CVE: Not Available
• Platform: Cross Platform
• Title: McGallery PRO Multiple Validation Vulnerabilities
• Description: McGallery PRO is an image gallery application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input such as the index.php script and the search module. McGallery versions 2.2 and earlier are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/mcgallery-pro-vuln.html

• 05.50.27 - CVE: CVE-2005-4200
• Platform: Web Application
• Title: MyBB Multiple Unspecified Vulnerabilities
• Description: MyBB is a web forum application. It is vulnerable to multiple unspecified issues due to insufficient sanitization of user-supplied input and unclean variables. MyBulletinBoard versions 1.0 PR2 and earlier are vulnerable.
• Ref: http://www.trapkit.de/advisories/TKPN2005-12-001.txt http://community.mybboard.net/showthread.php?tid=5184

• 05.50.28 - CVE: Not Available
• Platform: Web Application
• Title: MilliScripts Register.PHP Cross-Site Scripting
• Description: MilliScripts is a free site redirection script. It is prone to a cross-site scripting vulnerability due to a lack of proper input validation. This issue is due to a failure in the application to properly sanitize user-supplied input to the "domainname" parameter of the "register.php" script. MilliScripts version 1.4 is affected.
• Ref: http://www.securityfocus.com/bid/15792/exploit

• 05.50.29 - CVE: Not Available
• Platform: Web Application
• Title: FlatNuke Index.PHP Directory Traversal
• Description: FlatNuke is a content management system. Insufficient sanitization of the "../" strings can allow a remote attacker to read sensitive files containing MD5 password hashes and create malicious cookie data which may be used to log in as an administrative user. FlatNuke version 2.5.6 is affected.
• Ref: http://www.securityfocus.com/bid/15796

• 05.50.30 - CVE: Not Available
• Platform: Web Application
• Title: ThWboard Multiple Input Validation Vulnerabilities
• Description: ThWboard is a message board application. It is prone to multiple input validation vulnerabilities. The application is vulnerable to HTML injection, cross-site scripting, and SQL injection due to improper sanitization of user-supplied input. The "Wohnort" and "Beruf" input fields in the "editprofile.php" script are not properly sanitized. ThWboard version 3 beta 2.8 is affected.
• Ref: http://www.securityfocus.com/bid/15763/exploit

• 05.50.31 - CVE: CVE-2005-4136
• Platform: Web Application
• Title: DRZES HMS Login.PHP Cross-Site Scripting
• Description: DRZES HMS is a content management system written in PHP. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "customerEmailAddress" parameter of the "login.php" script. DRZES HMS version 3.2 is affected.
• Ref: http://www.securityfocus.com/archive/1/418851

• 05.50.32 - CVE: Not Available
• Platform: Web Application
• Title: ASPMForum Multiple SQL Injection Vulnerabilities
• Description: ASPMForum is a web-based forum application. It is prone to multiple SQL injection vulnerabilities due to improper sanitization of user-supplied input to the "Search" field of the "aramaya.asp" script, the "harf" parameter of the "kullanicilistesi.asp" script and the "baslik" parameter of the "forum.asp" script.
• Ref: http://www.securityfocus.com/bid/15767/exploit

• 05.50.33 - CVE: CVE-2005-4140
• Platform: Web Application
• Title: Website Baker SQL Injection
• Description: Website Baker is a content management application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "user" field of the administrator login script. Website Baker versions 2.6.0 and earlier are vulnerable.
• Ref: http://rgod.altervista.org/wbaker_260_xpl.html

• 05.50.34 - CVE: Not Available
• Platform: Web Application
• Title: CFMagic Multiple Products Input Validation Vulnerabilities
• Description: Magic Forum Personal is a forum application, Magic List Pro is a mailing list application and Magic Book Professional is a guestbook application. These CFMagic Products are prone to multiple input validation vulnerabilities. These are due to a lack of proper sanitization of user-supplied input. Magic Forum Personal versions 2.5 and prior, Magic List Professional version 2.5 and prior and Magic Book Professional version 2.0 and prior are vulnerable.
• Ref: http://www.securityfocus.com/bid/15774/exploit

• 05.50.35 - CVE: Not Available
• Platform: Web Application
• Title: CF_Nuke Index.CFM Local File Include
• Description: CF_Nuke is a web-portal application. It is prone to a local file include vulnerability due to insufficient sanitization of user-supplied input. The "sector" and "page" parameters of the "index.cfm" script are not properly sanitized, allowing an attacker to include and execute local files in the context of the affected Web server process. CF_Nuke versions 4.6 and prior are reported to be vulnerable; other versions may also be affected.
• Ref: http://pridels.blogspot.com/2005/12/cfnuke-v46-multiple-vuln.html

• 05.50.36 - CVE: Not Available
• Platform: Web Application
• Title: CF_Nuke Index.CFM Cross-Site Scripting
• Description: CF_Nuke is a content management application. Insufficient sanitization of the "cat", "topic" and "newsid" parameters of the "index.cfm" script exposes the application to a cross-site scripting issue.
• Ref: http://www.securityfocus.com/bid/15770/info

• 05.50.37 - CVE: CVE-2005-4150
• Platform: Web Application
• Title: CleverPath Portal Login Page Cross-Site Scripting
• Description: Computer Associates CleverPath Portal is a business portal. It is vulnerable to a cross-site scripting issue due to insufficient sanitization user-supplied input to a parameter of the login page. Computer Associates CleverPath Portal version 4.7 is vulnerable.
• Ref: http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QI70871

• 05.50.38 - CVE: CVE-2005-4149
• Platform: Web Application
• Title: Lyris ListManager Multiple SQL Injection Vulnerabilities
• Description: Lyris ListManager is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.
• Ref: http://metasploit.com/research/vulns/lyris_listmanager/

• 05.50.39 - CVE: Not Available
• Platform: Web Application
• Title: Lyris Listmanager TCLHTTPd Service Multiple Information Disclosure Vulnerabilities
• Description: Lyris Listmanager is a web-based mailing list management application. It is prone to multiple vulnerabilities due to unathorized access allowed to the "status" module of the TCLHTTPd service. This can be exploited to obtain sensitive information with regards to the configuration of the server. Lyris Listmanager versions 5.0 through 8.8a are affected; other versions may also be vulnerable.
• Ref: http://metasploit.com/research/vulns/lyris_listmanager/

• 05.50.40 - CVE: Not Available
• Platform: Web Application
• Title: Lyris ListManager Hidden Variable Information Disclosure
• Description: Lyris ListManager is a web-based mailing list manager application. A hidden HTML variable contains information regarding the CGI environment for the application. An attacker may retrieve this information by simply requesting a non-existent web page. ListManager versions 5.0 through 8.8a are affected.
• Ref: http://www.securityfocus.com/bid/15789

• 05.50.41 - CVE: Not Available
• Platform: Web Application
• Title: Positive Software Corporation CP+ Unspecified Perl Security
• Description: CP+ is a web-based server management application. It is prone to an unspecified security vulnerability caused by a vulnerability in Perl. The cause and impact of this issue was not reported. Due to a lack of information, further details cannot be provided at the moment. CP+ versions 2.5.4 and prior are reported to be vulnerable.
• Ref: http://www.securityfocus.com/advisories/9842

• 05.50.42 - CVE: Not Available
• Platform: Web Application
• Title: My Album Online Unspecified Directory Traversal
• Description: My Album Online is a web-based photo album application for the Microsoft Windows platform. It is vulnerable to an unspecified directory traversal issue due to a failure in the application to properly sanitize user-supplied input. An attacker could exploit this issue to retrieve arbitrary files from the vulnerable system in the context of the web server process. My Album Online version 1.0 is vulnerable.
• Ref: http://www.ipomonis.com/advisories/myAlbumOnline.txt

• 05.50.43 - CVE: CVE-2005-4177
• Platform: Web Application
• Title: Magic Book Professional Book.CFM Cross-Site Scripting
• Description: Magic Book Professional is a guestbook application written in ColdFusion. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "StartRow" parameter of the "book.cfm" script. Versions 2.0 and prior are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/magic-book-v20-professional-vuln.html

• 05.50.44 - CVE: Not Available
• Platform: Web Application
• Title: Netref Index.php SQL Injection Scripting
• Description: Netref is a link management application. Insufficient sanitization of the "cat" parameter in the "index.php" script exposes the application to an SQL injection issue. Netref version 3 is affetced.
• Ref: http://www.securityfocus.com/bid/15801

• 05.50.45 - CVE: Not Available
• Platform: Web Application
• Title: Horde Nag Remote HTML Injection
• Description: The Horde Application Framework is a series of Web applications and includes Nag which is a task list manager application. It is vulnerable to multiple HTML injection issues due to a failure in the application to properly sanitize user-supplied input. An authenticated attacker could exploit this issue to compromise the application. Nag versions 2.0.3 and earlier are affected.
• Ref: http://www.sec-consult.com/245.html

• 05.50.46 - CVE: CVE-2005-4206
• Platform: Web Application
• Title: Blackboard Academic Suite Frameset.JSP Cross-Domain Frameset Loading
• Description: Blackboard Academic Suite is composed of various Web based applications including the Blackboard Learning System, the Blackboard Community System and the Blackboard Content System. It is prone to a cross-domain frameset loading vulnerability. This issue results from a design error and may allow remote attackers to carry out phishing attacks. Blackboard Academic Suite version 6.0 is vulnerable.
• Ref: http://www.securityfocus.com/bid/15814/info

• 05.50.47 - CVE: Not Available
• Platform: Web Application
• Title: LocazoList Classifieds SearchDB.ASP Input Validation
• Description: LocazoList Classifieds is a fan appreciation website application. Insufficient sanitization of the "q" parameter in the "searchdb.asp" script exposes the application to an input validation issue. LocazoList Classifieds version 1.0 3c is affected.
• Ref: http://www.securityfocus.com/bid/15812

• 05.50.48 - CVE: Not Available
• Platform: Web Application
• Title: Scout Portal Toolkit Multiple Input Validation Vulnerabilities
• Description: Scout Portal Toolkit is prone to multiple input validation vulnerabilities due to improper validation of user-supplied input. It is prone to SQL injection attacks and cross-site scripting attacks. Scout Portal Toolkit version 1.3.1 is affected.
• Ref: http://www.securityfocus.com/bid/15818/exploit

• 05.50.49 - CVE: CVE-2005-4207
• Platform: Web Application
• Title: BTGrup Admin WebController SQL Injection
• Description: BTGrup Admin WebController is a web administration application. BTGrup Admin WebController is prone to an SQL injection vulnerability. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
• Ref: http://www.securityfocus.com/archive/1/419237

• 05.50.50 - CVE: Not Available
• Platform: Web Application
• Title: Guestserver GuestServer.CGI HTML Injection
• Description: Guestserver is a guestbook application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the "message" field of the "guestserver.cgi" script before using it in dynamically generated content. Guestserver version 5.0 is affected.
• Ref: http://www.securityfocus.com/archive/1/419241

• 05.50.51 - CVE: Not Available
• Platform: Web Application
• Title: Arab Portal Link.PHP SQL Injection
• Description: Arab Portal is a web portal application. Insufficient sanitization of the session id variable "PHPSESSID" and the "REQUEST_URI" PHP variable in the "link.php" script exposes the application to an SQL injection issue. Arab Portal System version 2.0 beta 2 is affected.
• Ref: http://www.securityfocus.com/bid/15820

• 05.50.52 - CVE: Not Available
• Platform: Web Application
• Title: PHPCoin Config.PHP File Include
• Description: PHPCoin is a web hosting reseller application. It is prone to a file include vulnerability due to improper sanitization of user-supplied input. The "_CCFG[_PKG_PATH_DBSE]" global parameter of the "config.php" script can facilitate remote and local file include attacks. PHPCoin version 1.2.2 is vulnerable.
• Ref: http://www.securityfocus.com/bid/15831/exploit

• 05.50.53 - CVE: CVE-2005-3352
• Platform: Web Application
• Title: Apache Mod_IMAP Referer Cross-Site Scripting
• Description: Mod_IMAP is an Apache module for server-side imagemap processing. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input. This issue occurs when using the "Referer" directive with image maps. Apache versions 2.0.55 and earlier are vulnerable.
• Ref: http://httpd.apache.org/security/vulnerabilities_20.html

• 05.50.54 - CVE: CVE-2005-4228
• Platform: Web Application
• Title: PHPWebGallery Multiple SQL Injection Vulnerabilities
• Description: PhpWebGallery is a web-based photo gallery application implemented in PHP. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "since", "sort_by", and "items_number" parameters to the "comments.php" script. PhpWebGallery versions 1.5.1 and earlier are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/phpwebgallery-multiple-sql-inj.html

• 05.50.55 - CVE: Not Available
• Platform: Web Application
• Title: EncapsGallery Gallery.PHP SQL Injection
• Description: EncapsGallery is a web-based photo gallery application. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "id" parameter of the "gallery.php" script before using it in an SQL query. EncapsGallery version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/15836/exploit

• 05.50.56 - CVE: Not Available
• Platform: Web Application
• Title: VCD-db Multiple Input Validation Vulnerabilities
• Description: VCD-db is a freely available, open source media content management web application. It is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
• Ref: http://pridels.blogspot.com/2005/12/vcd-db-vuln.html

• 05.50.57 - CVE: Not Available
• Platform: Web Application
• Title: Link Up Gold Multiple Input Validation Vulnerabilities
• Description: Link Up Gold is a commercial web search engine application. It is prone to multiple input validation vulnerabilities due to improper validation of user-supplied input. An SQL injection attack is possible through the "number" parameter of the "poll.php" script. Cross-site scripting attacks are possible through the "link" parameter of the "tell_friend.php" script, the "phrase" parameter of the "search.php" script, and the "direction" and "sort" parameters of the "articles.php" script. Link Up Gold version 2.5 is affected.
• Ref: http://pridels.blogspot.com/2005/12/link-up-gold-vuln.html

• 05.50.58 - CVE: Not Available
• Platform: Web Application
• Title: PHP JackKnife Cross-Site Scripting
• Description: PHP JackKnife is an image gallery. Insufficient sanitization of the "sKeywords" parameter in the "DisplayResults.php" script exposes the application to a cross-site scripting issue. PHP JackKnife versions 2.21 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/15841

• 05.50.59 - CVE: Not Available
• Platform: Web Application
• Title: Plogger Index.PHP Multiple Input Validation Vulnerabilities
• Description: Plogger is a photo gallery application. It is vulnerable to multiple input validation issues due to a failure in the application to properly sanitize user-supplied input. Successful exploitation of these issues could result in a compromise of the application. Plogger version Beta 2 is vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/plogger-sqlxss-vuln.html

• 05.50.60 - CVE: Not Available
• Platform: Web Application
• Title: Mantis View_filters_page.PHP Cross-Site Scripting
• Description: Mantis is a web-based bugtracking system. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "target_field" parameter of the "view_filters_page.php" script. Mantis versions 1.0.0-RC3 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/15842/exploit

• 05.50.61 - CVE: Not Available
• Platform: Web Application
• Title: PHP Web Scripts Ad Manager Pro Advertiser_statistic.PHP SQL Injection
• Description: Ad Manager Pro is a web-based software for managing graphical and textual ads. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "ad_number" parameter of the "advertiser_statistic.php" script before using it in an SQL query.
• Ref: http://pridels.blogspot.com/2005/12/ad-manager-pro-sql-vuln.html

• 05.50.62 - CVE: Not Available
• Platform: Web Application
• Title: Jamit Job Board Index.PHP SQL Injection
• Description: Job Board is a web application for running and managing a Job Board. It is prone to an SQL injection vulnerability. due to improper sanitization of user-supplied input to the "cat" parameter of the "index.php" script before using it in an SQL query. Job Board version 2.4.1 is affeced.
• Ref: http://www.securityfocus.com/bid/15848/exploit

• 05.50.63 - CVE: Not Available
• Platform: Web Application
• Title: DreamLevels Dream Poll View_Results.PHP SQL Injection
• Description: Dream Poll is web-based polling software. Insufficient sanitization of the "id" parameter in the "view_results.php" script exposes the application to an SQL injection issue. Dream Poll version 3.0 is affected.
• Ref: http://www.securityfocus.com/bid/15849

• 05.50.64 - CVE: Not Available
• Platform: Web Application
• Title: CourseForum Technologies ProjectForum Multiple Cross-Site Scripting Vulnerabilities
• Description: ProjectForum is web-based forum software. It is vulnerable to multiple cross-site scripting issues due to a failure in the application to properly sanitize user-supplied input to the "fwd" parameter of "adminsignin.html" and the "originalpageid" parameter of "newpage.html". An attacker may leverage these issues to steal cookie based authentication credentials as well as perform other attacks.
• Ref: http://pridels.blogspot.com/2005/12/projectforum-470-vuln.html

• 05.50.65 - CVE: Not Available
• Platform: Web Application
• Title: PHPNuke Content Filtering Bypass
• Description: PHPNuke is a web-based content management system. It is prone to a content filtering bypass vulnerability. This issue can allow an attacker to bypass content filters and potentially carry out cross-site scripting, HTML injection and other attacks. PHPNuke versions 7.9 and prior are reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/15855/exploit

• 05.50.66 - CVE: Not Available
• Platform: Web Application
• Title: MySQL Auction Search Module Cross-Site Scripting
• Description: MySQL Auction is an online auction application written in Perl. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "search" module of the application. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. Versions 3.0 and prior are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/mysql-auction-xss-vuln.html

• 05.50.67 - CVE: CVE-2005-4198
• Platform: Web Application
• Title: Netref Index.PHP SQL Injection
• Description: Netref is a link management application written in PHP. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "cat" parameter of the "index.php" script before using it in an SQL query.
• Ref: http://www.securityfocus.com/bid/15862

• 05.50.68 - CVE: CVE-2005-4215
• Platform: Network Device
• Title: Motorola SB5100E Cable Modem LanD Packet Denial Of Service
• Description: Motorola SB5100E Cable Modems are physical devices which provide internet connectivity over cable television connections. These devices are susceptible to a remote denial of service vulnerability when handling TCP "LanD" packets. Motorola Cable Modem model SB5100E is vulnerble.
• Ref: http://www.securityfocus.com/bid/15795

• 05.50.69 - CVE: CVE-2005-3661
• Platform: Network Device
• Title: Dell TrueMobile 2300 Remote Credential Reset
• Description: Dell TrueMobile 2300 is a wireless access point and Internet router. It is possible for remote attackers to gain control of a target TrueMobile 2300 running firmware versions 3.0.0.8 and 5.1.1.6. The issue is in an administrative component accessed through the web-based control interface. Unauthenticated attackers can force the device to reset the administrative credentials without authorization.
• Ref: http://www.securityfocus.com/bid/15770/info

• 05.50.70 - CVE: Not Available
• Platform: Network Device
• Title: Nortel SSL VPN Web Interface Input Validation
• Description: Nortel SSL VPN is affected by an input validation issue which could be exploited to cause arbitrary commands to be executed through the web browser of a user of the system. Nortel SSL VPN version 4.2.1.6 is affetced.
• Ref: http://www.securityfocus.com/bid/15798

• 05.50.71 - CVE: Not Available
• Platform: Network Device
• Title: NetGear RP114 SYN Flood Denial Of Service
• Description: The Netgear RP114 is a hub device with additional routing, packet and simple content filtering functionality. It is vulnerable to a denial of service issue which may allow attackers to block network traffic to arbitrary network services. NetGear RP114 version 3.26 is vulnerable.
• Ref: http://www.securityfocus.com/bid/15816/info

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.