@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 50
December 15, 2005

Another Internet Explorer (IE) patch from Microsoft that really needs to be installed on every Windows computer at work and at home. One of the flaws is being actively exploited. Even people who don't use IE most of the time are forced to fire it up to use Microsoft Update to patch Windows and Office.

Note for end of year planning. Courses at SANS 2006 in Orlando are filling faster than at any conference in the past 3 years, and SANS has limited the size of classes to enable more hands-on exercises. Try to register by the end of the year to ensure you get into the classes you want. http://www.sans.org/sans2006

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Other Microsoft Products    2 (#1)
    Third Party Windows Apps    2
    Mac Os                      1
    Cross Platform              21 (#3)
    Web Application             41 (#2)
    Network Device              4

*********** Sponsored by SANS Technology Institute ********************

Earn your Master's degree from a program that challenges you, but makes you proud to be one of the information security elite. http://www.sans.edu

************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Cross Platform
Web Application
Network Device

********************** WhatWorks Webcasts *****************************

SANS WhatWorks in Intrusion Prevention and Detection: Law Firm Lays Down the Law on VoIP Security Tuesday, December 20 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=966

No other vendor assessment system asks the users which products actually work and for proof. Visit www.sans.org/whatworks to find the security tools that have made it through the WhatWorks process. And don't miss Tuesday's webcast

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Internet Explorer Cumulative Security Update (MS05-054)
  • Affected:
    • Internet Explorer versions 5.01, 5.5 and 6.0
  • Description: Microsoft released a cumulative security update for Internet Explorer that fixes the following vulnerabilities. (a) Internet Explorer contains a remote code execution flaw in handling the JavaScript "window()" function invoked via the "onload" event. Exploit code for this flaw has been posted since November 21, 2005. The vulnerability has also been exploited in the wild by the Trojans Clunky-B and Delf.DH. (b) Internet Explorer contains a heap memory corruption issue in instantiating COM objects as ActiveX controls. Microsoft has been identifying and setting kill bits for many COM objects over the past few Internet Explorer updates. (c) Internet Explorer contains a vulnerability in the display of the "file download" dialogue box that can be exploited to execute arbitrary code on a client system. The problem arises because a malicious webpage can hide the "file download" dialogue box behind another browser window. When the user clicks on the other browser window, the clicks can be interpreted by the file download dialogue box as consent to download and run the malware on the user's system. Note that a fair amount of user interaction would be required to exploit the flaw. (d) The update also sets the kill bit for the Microsoft MciWndx and First4Internet XCP (Sony BMG) ActiveX controls.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS05-054 on an expedited basis, as one of the flaws is being actively exploited. A general workaround to prevent complete compromise of systems running Internet Explorer is to run Internet Explorer with limited privileges. Microsoft's "DropMyRights" tool can be used for this purpose.

  • Council Site Actions: All of the reporting council sites are responding to this issue. Some are treating this as a high priority update and pushing out as soon as the QA process is finished. Other sites plan to deploy during their next regularly scheduled maintenance window (after QA). One site has already completed their deployment of the update.

  • References:
Other Software
  • (2) HIGH: Lyris ListManager Multiple Vulnerabilities
  • Affected:
    • ListManager versions 5.0 through 8.8a
  • Description: Lyris ListManager software, which runs on Windows, Linux and Solaris, is designed for managing e-mail lists, newsletters and discussion groups. The software is used by a wide range of companies in the industrial, finance, IT and education sectors. It contains the following vulnerabilities: (a) The "/read/attachment" script contains a SQL injection flaw that can be used to execute arbitrary SQL commands against the back-end database. If the back-end database is MS-SQL, it may be possible to invoke the xp_cmdshell command and obtain complete control over the system running the database. (b) By appending an "ORDER BY" column to the SQL queries, with MS-SQL as the back-end database, it is possible to invoke xp_cmdshell and obtain complete control over the database host. (c) The "/subscribe/subscribe" script contains a SQL injection flaw that can be exploited to execute arbitrary list administration commands. (d) ListManager configures a weak password for the "sa" account when MS-SQL is used as the back-end database. Hence it is possible to brute-force this password and obtain complete control over the database. Exploit code has been included in the Metasploit tool.

  • Status: Some flaws have been fixed in the new version 8.9b. The discoverer reports that the weak "sa" password flaw and the SQL injection in the "subscribe" script are not yet fixed. Note that although the flaws require "user" privileges for exploitation, obtaining those is trivial in many cases.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 50, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4734 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.50.1 - CVE: CAN-2005-2829
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Dialog Manipulation
  • Description: Microsoft Internet Explorer is prone to a remote code execution vulnerability through manipulation of custom dialog boxes. This issue arises when a user visits a malicious web site designed to exploit this flaw. A custom dialog box can be displayed that asks a user to enter certain keystrokes. The custom dialog is then able to pass the keystrokes to a download dialog, potentially allowing a remote file to be executed on the computer. The flaw exists because the download dialog accepts keystrokes passed to it from the custom dialog. Internet Explorer versions 6.0 SP1 and earlier are reported to be vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

  • 05.50.2 - CVE: CAN-2005-2830
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer HTTPS Proxy Information Disclosure
  • Description: Microsoft Internet Explorer is prone to an information disclosure vulnerability when using an authenticating proxy server for HTTPS communications. If the authenticating proxy server uses Basic Authentication, an attacker on the same network could potentially access the user's authentication credentials. In order to exploit this vulnerability, the attacker would have to be able to capture traffic between the user and the authenticating proxy server during HTTPS communications.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

  • 05.50.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Soti Pocket Controller-Professional Remote Command Execution
  • Description: Soti Pocket Controller-Professional is a remote control application that allows a user to control their PDA from a computer. Pocket Controller-Professional is prone to a remote command execution vulnerability. This issue exists because the device accepts remote commands without requiring authentication credentials from the remote user.
  • Ref: http://www.securityfocus.com/archive/1/418963

  • 05.50.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sights 'N Sounds Streaming Media Server SWS.EXE Buffer Overflow
  • Description: Sights 'N Sounds Streaming Media Server is a streaming media application. It is prone to a buffer overflow vulnerability. The web server process of the application, "MediaServerListing.exe", does not properly sanitize user-supplied input. Successful exploitation of this issue will likely result in a crash of the "SWS.exe" application, denying service to legitimate users. Sights 'N Sounds Streaming Media Server version 2.0.3.b is affected.
  • Ref: http://www.securityfocus.com/bid/15809/exploit

  • 05.50.5 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X Perl Insecure Privilege Dropping Weakness
  • Description: Apple Mac OS X's Perl is susceptible to an insecure privilege dropping weakness. The issue presents itself when Perl scripts utilize the "$<" global variable to alter the real user ID of the current process. Mac OS X version 10.3.9 is affected.
  • Ref: http://www.securityfocus.com/bid/15820

  • 05.50.6 - CVE: CVE-2005-3651
  • Platform: Cross Platform
  • Title: Ethereal OSPF Protocol Dissection Stack Buffer Overflow
  • Description: Ethereal is a multi-platform network protocol sniffer and analyzer. A remote buffer overflow vulnerability reportedly affects Ethereal. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers. The specific issue exists in the OSPF (Open Shortest Path First) protocol dissector. Ethereal versions 0.10.13 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/419076

  • 05.50.7 - CVE: Not Available
  • Platform: Cross Platform
  • Title: APANI Networks EpiForce Agent Denial of Service
  • Description: EpiForce Agent is a network data encryption application. It is vulnerable to a denial of service issue due to a flaw in APANI Network Corporation's IPSec implementation for the Epiforce product. Apani Networks Corporation EpiForce Agent versions earlier than 2.0 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/419104

  • 05.50.8 - CVE: CVE-2005-3532
  • Platform: Cross Platform
  • Title: Courier Mail Server Unauthorized Access
  • Description: Courier Mail Server is a mail transfer agent. It is vulnerable to an unauthorized access issue which allows accounts that have been deactivated to access the server. This could allow an unauthorized user to access email messages and send messages from a deactivated account. Please refer to the following link for a list of affected software.
  • Ref: http://www.securityfocus.com/bid/15771/info

  • 05.50.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ACME Perl-Cal Cal_make.PL Cross-Site Scripting
  • Description: Perl-Cal is a Web based calendar application. It is prone to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "p0" parameter of the "cal_make.pl" script. An attacker may exploit this issue to steal cookie-based authentication credentials as well as perform other attacks. ACME Software PerlCal versions 2.99.xx are reported vulnerable.
  • Ref: http://www.perlcal.com/calendar/docs/bugs.txt

  • 05.50.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Lyris ListManager Command Execution
  • Description: Lyris ListManager is a mailing list manager application. It is prone to a CRLF injection vulnerability when using the web interface to subscribe a new user to a mailing list. The "pw" parameter is not properly sanitized; arbitrary mailing list administration commands may be executed using CRLF sequences appended to this parameter. Lyris ListManager versions 5.0 through 8.8a are vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/15786/discuss
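
Both this entry and item (2)(c) in Part I describe CRLF injection: a request parameter that ends up in a line-oriented command interface, so a CR/LF inside it starts a new command. The following added example (not code from the newsletter or from Lyris) uses a hypothetical one-command-per-line protocol, constructed for the example, to show the unsafe concatenation beside a validated version, plus a log check that flags percent-encoded CR/LF in query parameters. The log lines and the "setpassword" command are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit


def build_subscribe_request(list_name: str, email: str, password: str) -> str:
    """Unsafe: untrusted fields are concatenated straight into a line-oriented
    protocol (hypothetical), so a CR/LF inside 'password' starts a new command."""
    return f"subscribe {list_name} {email}\nsetpassword {password}\n"


def validate_field(name: str, value: str, max_len: int = 128) -> str:
    """Hardened input check: reject CR, LF and every other control character
    before the value can reach a line-oriented interface, and cap the length."""
    if len(value) > max_len:
        raise ValueError(f"{name}: longer than {max_len} characters")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError(f"{name}: control characters are not allowed")
    return value


def build_subscribe_request_safe(list_name: str, email: str, password: str) -> str:
    """Same request, but every field is validated first."""
    return build_subscribe_request(
        validate_field("list", list_name),
        validate_field("email", email),
        validate_field("pw", password),
    )


def subscribe_outcome(list_name: str, email: str, password: str) -> str:
    """'accepted' or 'rejected' for the hardened builder."""
    try:
        build_subscribe_request_safe(list_name, email, password)
        return "accepted"
    except ValueError:
        return "rejected"


def count_commands(request: str) -> int:
    """Number of command lines the backend would parse from the request."""
    return sum(1 for line in request.splitlines() if line.strip())


# Detection side: flag requests whose query parameters carry CR/LF once
# URL-decoded. Constructed common-log-format lines:
SAMPLE_LOGS = [
    '10.0.0.5 - - [15/Dec/2005:10:00:00 +0000] '
    '"POST /subscribe/subscribe?list=news&pw=hunter2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Dec/2005:10:00:07 +0000] '
    '"POST /subscribe/subscribe?list=news&pw=x%0d%0ainjected HTTP/1.1" 200 512',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def find_crlf_in_query(log_line: str) -> list:
    """Names of query parameters that contain CR or LF after decoding."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    flagged = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if any("\r" in v or "\n" in v for v in values):
            flagged.append(name)
    return flagged


def scan_logs(lines) -> list:
    """(line index, flagged parameter names) for every suspicious line."""
    hits = []
    for i, line in enumerate(lines):
        params = find_crlf_in_query(line)
        if params:
            hits.append((i, params))
    return hits


if __name__ == "__main__":
    print(count_commands(build_subscribe_request("news", "a@example.com", "x\r\ninjected")))
    print(subscribe_outcome("news", "a@example.com", "x\r\ninjected"))
    print(scan_logs(SAMPLE_LOGS))
```

Rejecting the whole control-character range, rather than just "\r" and "\n", is deliberate: line-oriented backends often also treat NUL or form feed specially, and a password field has no legitimate use for any of them.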

  • 05.50.11 - CVE: CAN-2005-4132
  • Platform: Cross Platform
  • Title: Contenido CMS Unspecified Remote Command Execution
  • Description: Contenido CMS is a content management application. It is prone to an unspecified remote command execution issue due to a lack of proper sanitization of user-supplied input. An attacker may exploit this vulnerability to execute arbitrary commands in the context of the Web server process. Contenido versions earlier than 4.6.4 are vulnerable.
  • Ref: http://sourceforge.net/forum/forum.php?forum_id=518356

  • 05.50.12 - CVE: CVE-2005-1315
  • Platform: Cross Platform
  • Title: Horde Turba Multiple HTML Injection Vulnerabilities
  • Description: Turba is a web-based contact management application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input to the address book name and unspecified contact data fields.
  • Ref: http://lists.horde.org/archives/announce/2005/000235.html

  • 05.50.13 - CVE: CVE-2005-3759
  • Platform: Cross Platform
  • Title: Horde Application Framework Multiple Input Vulnerabilities
  • Description: The Horde Application Framework is a series of web applications. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to the identity, category/labels, mobile phone, and file import fields. Horde Application Framework versions 3.0.7 and earlier are vulnerable.
  • Ref: http://www.sec-consult.com/245.html

  • 05.50.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Horde Mnemo Remote HTML Injection Vulnerabilities
  • Description: The Horde Application Framework is a series of web applications. Mnemo is the Horde notes and memos application. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of user-supplied input to a notepad's name when creating a notepad and a shared notepad's name fields. Mnemo version 2.0.2 and prior are affected by these issues.
  • Ref: http://www.sec-consult.com/245.html

  • 05.50.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LogiSphere Multiple Directory Traversal Vulnerabilities
  • Description: LogiSphere is a web server that permits remote control of any Microsoft Windows compatible video device and the ability to stream video content. It is prone to multiple directory traversal vulnerabilities due to insufficient sanitization of user-supplied input to the "source" parameter of "viewsource.jsp", the "NS-query-pat" parameter of the search function and the document path. Other scripts and parameters may also be vulnerable. LogiSphere version 0.9.9j is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15807/exploit

  • 05.50.16 - CVE: CVE-2005-4190
  • Platform: Cross Platform
  • Title: Horde Application Framework CSV File Upload Code Execution
  • Description: The Horde Application Framework is a series of web applications. It is vulnerable to an arbitrary script code execution issue due to insufficient sanitization of user-supplied input to the "Date" and "Time" fields of the CSV upload script. Horde Application Framework versions 3.0.7 and earlier are vulnerable.
  • Ref: http://lists.horde.org/archives/announce/2005/000238.html

  • 05.50.17 - CVE: CVE-2005-1314
  • Platform: Cross Platform
  • Title: Horde Kronolith Multiple HTML Injection Vulnerabilities
  • Description: Kronolith is a Horde calendar application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user supplied input to such fields as "CalendarName", "title", "category", "location" and "attendee". Horde Kronolith versions 2.0.5 and earlier are vulnerable.
  • Ref: http://secunia.com/advisories/15080

  • 05.50.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Long Title Element Bookmark Denial of Service
  • Description: Opera is a web browser available for a number of platforms. It is prone to a denial of service vulnerability when a web page with a long title element is bookmarked. This issue occurs if the Input Method Editor (IME) is installed. Opera Web Browser versions 8.50 and earlier are reported to be vulnerable.
  • Ref: http://www.opera.com/support/search/supsearch.dml?index=821


  • 05.50.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Alt-N MDaemon WorldClient Denial of Service
  • Description: MDaemon is an email application. It is vulnerable to a denial of service issue due to insufficient sanitization of user-supplied input in the "Subject" header field. Alt-N MDaemon version 8.1.3 is vulnerable.
  • Ref: http://www.ipomonis.com/advisories.htm

  • 05.50.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Macromedia Flash Media Server 2 Administration Service Denial of Service
  • Description: Macromedia Flash Media Server 2 provides streaming media capabilities and a development environment for creating and delivering media applications. It includes an administration service which is prone to a remote denial of service vulnerability due to improper handling of exceptional conditions. Successful exploitation may trigger a crash or hang, denying service to legitimate users. Macromedia Flash Media Server version 2.0 is vulnerable.
  • Ref: http://www.ipomonis.com/advisories/Flash_media_server_2.txt

  • 05.50.22 - CVE: CVE-2005-4229
  • Platform: Cross Platform
  • Title: EveryAuction Cross-Site Scripting
  • Description: EveryAuction is an online auction application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "searchstring" parameter of the "auction.pl" script. EveryAuction version 1.53 is vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2005/2857

  • 05.50.23 - CVE: CVE-2005-4213
  • Platform: Cross Platform
  • Title: PHPCoin Coin_CFG.PHP SQL Injection
  • Description: PhpCOIN is a Web hosting reseller application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "coin_cfg.php" script. PhpCOIN version 1.2.2 is vulnerable.
  • Ref: http://rgod.altervista.org/phpcoin_122_sql_xpl.html

  • 05.50.24 - CVE: CAN-2005-2407
  • Platform: Cross Platform
  • Title: Opera Download Dialog File Execution
  • Description: Opera Web Browser is vulnerable to remote code execution issue through manipulation of download dialog boxes. Opera Web Browser versions 8.01 and earlier are reported to be vulnerable.
  • Ref: http://www.opera.com/docs/changelogs/linux/802/

  • 05.50.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Snipe Gallery Multiple Validation Vulnerabilities
  • Description: Snipe Gallery is an image gallery application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to the "gallery_id" and "image_id" parameters of the "index.php" script. Snipe Gallery versions 3.1.4 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2005/12/snipe-gallery-sqlxss-vuln.html

  • 05.50.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: McGallery PRO Multiple Validation Vulnerabilities
  • Description: McGallery PRO is an image gallery application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input such as the index.php script and the search module. McGallery versions 2.2 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2005/12/mcgallery-pro-vuln.html


  • 05.50.28 - CVE: Not Available
  • Platform: Web Application
  • Title: MilliScripts Register.PHP Cross-Site Scripting
  • Description: MilliScripts is a free site redirection script. It is prone to a cross-site scripting vulnerability due to a lack of proper input validation. This issue is due to a failure in the application to properly sanitize user-supplied input to the "domainname" parameter of the "register.php" script. MilliScripts version 1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/15792/exploit

  • 05.50.29 - CVE: Not Available
  • Platform: Web Application
  • Title: FlatNuke Index.PHP Directory Traversal
  • Description: FlatNuke is a content management system. Insufficient sanitization of the "../" strings can allow a remote attacker to read sensitive files containing MD5 password hashes and create malicious cookie data which may be used to log in as an administrative user. FlatNuke version 2.5.6 is affected.
  • Ref: http://www.securityfocus.com/bid/15796

  • 05.50.30 - CVE: Not Available
  • Platform: Web Application
  • Title: ThWboard Multiple Input Validation Vulnerabilities
  • Description: ThWboard is a message board application. It is prone to multiple input validation vulnerabilities. The application is vulnerable to HTML injection, cross-site scripting, and SQL injection due to improper sanitization of user-supplied input. The "Wohnort" and "Beruf" input fields in the "editprofile.php" script are not properly sanitized. ThWboard version 3 beta 2.8 is affected.
  • Ref: http://www.securityfocus.com/bid/15763/exploit

  • 05.50.31 - CVE: CVE-2005-4136
  • Platform: Web Application
  • Title: DRZES HMS Login.PHP Cross-Site Scripting
  • Description: DRZES HMS is a content management system written in PHP. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "customerEmailAddress" parameter of the "login.php" script. DRZES HMS version 3.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/418851

  • 05.50.32 - CVE: Not Available
  • Platform: Web Application
  • Title: ASPMForum Multiple SQL Injection Vulnerabilities
  • Description: ASPMForum is a web-based forum application. It is prone to multiple SQL injection vulnerabilities due to improper sanitization of user-supplied input to the "Search" field of the "aramaya.asp" script, the "harf" parameter of the "kullanicilistesi.asp" script and the "baslik" parameter of the "forum.asp" script.
  • Ref: http://www.securityfocus.com/bid/15767/exploit

  • 05.50.33 - CVE: CVE-2005-4140
  • Platform: Web Application
  • Title: Website Baker SQL Injection
  • Description: Website Baker is a content management application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "user" field of the administrator login script. Website Baker versions 2.6.0 and earlier are vulnerable.
  • Ref: http://rgod.altervista.org/wbaker_260_xpl.html

  • 05.50.34 - CVE: Not Available
  • Platform: Web Application
  • Title: CFMagic Multiple Products Input Validation Vulnerabilities
  • Description: Magic Forum Personal is a forum application, Magic List Pro is a mailing list application and Magic Book Professional is a guestbook application. These CFMagic Products are prone to multiple input validation vulnerabilities. These are due to a lack of proper sanitization of user-supplied input. Magic Forum Personal versions 2.5 and prior, Magic List Professional version 2.5 and prior and Magic Book Professional version 2.0 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15774/exploit

  • 05.50.35 - CVE: Not Available
  • Platform: Web Application
  • Title: CF_Nuke Index.CFM Local File Include
  • Description: CF_Nuke is a web-portal application. It is prone to a local file include vulnerability due to insufficient sanitization of user-supplied input. The "sector" and "page" parameters of the "index.cfm" script are not properly sanitized, allowing an attacker to include and execute local files in the context of the affected Web server process. CF_Nuke versions 4.6 and prior are reported to be vulnerable; other versions may also be affected.
  • Ref: http://pridels.blogspot.com/2005/12/cfnuke-v46-multiple-vuln.html

  • 05.50.36 - CVE: Not Available
  • Platform: Web Application
  • Title: CF_Nuke Index.CFM Cross-Site Scripting
  • Description: CF_Nuke is a content management application. Insufficient sanitization of the "cat", "topic" and "newsid" parameters of the "index.cfm" script exposes the application to a cross-site scripting issue.
  • Ref: http://www.securityfocus.com/bid/15770/info

  • 05.50.37 - CVE: CVE-2005-4150
  • Platform: Web Application
  • Title: CleverPath Portal Login Page Cross-Site Scripting
  • Description: Computer Associates CleverPath Portal is a business portal. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to a parameter of the login page. Computer Associates CleverPath Portal version 4.7 is vulnerable.
  • Ref: http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QI70871

  • 05.50.38 - CVE: CVE-2005-4149
  • Platform: Web Application
  • Title: Lyris ListManager Multiple SQL Injection Vulnerabilities
  • Description: Lyris ListManager is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.
  • Ref: http://metasploit.com/research/vulns/lyris_listmanager/
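
This entry and item (2)(a)/(b) in Part I describe the same two defects: a request parameter spliced into a query, and an "ORDER BY" column taken from the request. The following added example (not code from the newsletter, from Lyris or from Metasploit) rebuilds both against an in-memory SQLite table with constructed rows, and puts the hardened form beside each: type enforcement plus a bound parameter for the lookup, and an allowlist for the sort column, which cannot be bound as a parameter. The table, columns and file names are invented for the example.

```python
import sqlite3

# Constructed sample rows: (id, list_name, filename, owner)
ATTACHMENTS = [
    (1, "announce", "agenda.pdf", "zoe"),
    (2, "announce", "minutes.doc", "alice"),
    (3, "private-list", "payroll.xls", "mike"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attachments "
        "(id INTEGER PRIMARY KEY, list_name TEXT, filename TEXT, owner TEXT)")
    conn.executemany("INSERT INTO attachments VALUES (?, ?, ?, ?)", ATTACHMENTS)
    return conn


def read_attachment_unsafe(conn, attachment_id: str) -> list:
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so anything the client appends is parsed as SQL."""
    rows = conn.execute(
        f"SELECT filename FROM attachments WHERE id = {attachment_id}")
    return [r[0] for r in rows]


def read_attachment_safe(conn, attachment_id: str) -> list:
    """Hardened: enforce the expected type, then bind the value as a parameter
    so the database never sees it as query text."""
    if not attachment_id.isdigit():
        raise ValueError("attachment id must be a positive integer")
    rows = conn.execute(
        "SELECT filename FROM attachments WHERE id = ?", (int(attachment_id),))
    return [r[0] for r in rows]


# ORDER BY targets are identifiers, not values, so they cannot be bound.
# Map the request value through an allowlist and never use the raw string.
SORTABLE = {"id": "id", "filename": "filename", "owner": "owner"}


def list_attachments_sorted(conn, sort_key: str) -> list:
    column = SORTABLE.get(sort_key)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    rows = conn.execute(f"SELECT filename FROM attachments ORDER BY {column}")
    return [r[0] for r in rows]


def attempt(fn, *args):
    """Run a lookup and report whether the input was accepted or rejected."""
    try:
        return ("ok", fn(*args))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal id:", read_attachment_unsafe(db, "1"))
    print("unsafe, appended condition:", read_attachment_unsafe(db, "1 OR 1=1"))
    print("safe, appended condition:", attempt(read_attachment_safe, db, "1 OR 1=1"))
    print("sorted by owner:", list_attachments_sorted(db, "owner"))
    print("unlisted sort key:", attempt(list_attachments_sorted, db, "owner DESC, id"))
```

The unsafe lookup returns every row, including the one from another list, as soon as a condition is appended to the id; the safe version refuses the input before the query is built. The allowlist is the only reliable fix for the sort column because prepared statements bind values, not identifiers.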

  • 05.50.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Lyris Listmanager TCLHTTPd Service Multiple Information Disclosure Vulnerabilities
  • Description: Lyris Listmanager is a web-based mailing list management application. It is prone to multiple vulnerabilities due to unauthorized access allowed to the "status" module of the TCLHTTPd service. This can be exploited to obtain sensitive information with regards to the configuration of the server. Lyris Listmanager versions 5.0 through 8.8a are affected; other versions may also be vulnerable.
  • Ref: http://metasploit.com/research/vulns/lyris_listmanager/

  • 05.50.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Lyris ListManager Hidden Variable Information Disclosure
  • Description: Lyris ListManager is a web-based mailing list manager application. A hidden HTML variable contains information regarding the CGI environment for the application. An attacker may retrieve this information by simply requesting a non-existent web page. ListManager versions 5.0 through 8.8a are affected.
  • Ref: http://www.securityfocus.com/bid/15789

  • 05.50.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Positive Software Corporation CP+ Unspecified Perl Security
  • Description: CP+ is a web-based server management application. It is prone to an unspecified security vulnerability caused by a vulnerability in Perl. The cause and impact of this issue was not reported. Due to a lack of information, further details cannot be provided at the moment. CP+ versions 2.5.4 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/9842

  • 05.50.42 - CVE: Not Available
  • Platform: Web Application
  • Title: My Album Online Unspecified Directory Traversal
  • Description: My Album Online is a web-based photo album application for the Microsoft Windows platform. It is vulnerable to an unspecified directory traversal issue due to a failure in the application to properly sanitize user-supplied input. An attacker could exploit this issue to retrieve arbitrary files from the vulnerable system in the context of the web server process. My Album Online version 1.0 is vulnerable.
  • Ref: http://www.ipomonis.com/advisories/myAlbumOnline.txt
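
The LogiSphere (05.50.15), FlatNuke (05.50.29) and My Album Online (05.50.42) entries are all directory traversal: a request path is mapped onto the file system without confirming that the result stays under the document root. The following added example (not code from the newsletter or from any of those vendors) shows a containment check that decodes the path once, rejects NUL bytes, and compares the fully resolved candidate against the resolved root, so "..", percent-encoded "..", absolute paths and symlinks that point outside are all refused. The document root, the file names and the request paths are constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path would escape the document root."""


def resolve_under_root(root: Path, request_path: str) -> Path:
    """Map a URL path onto a file under 'root', or raise TraversalError.

    The check is done on the resolved path (symlinks followed), not on the
    raw string, so stripping "../" substrings is never relied on.
    """
    decoded = unquote(request_path)          # decode exactly once
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    root = root.resolve()
    # Treat the URL path as relative to the root, whatever it starts with.
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise TraversalError(f"path escapes document root: {request_path!r}")
    return candidate


def make_sample_root() -> Path:
    """Constructed document root: one public file plus a symlink that points
    outside the root, the case a string-based '../' filter would miss."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text("<h1>hello</h1>")
    outside = Path(tempfile.mkdtemp(prefix="outside-")) / "secret.txt"
    outside.write_text("not for the web")
    try:
        os.symlink(outside, root / "public" / "escape")
    except OSError:
        pass   # no symlink support on this platform: that case is skipped
    return root


SAMPLE_REQUESTS = [
    "/public/index.html",          # legitimate file under the root
    "/public/../../etc/passwd",    # plain traversal
    "/..%2F..%2Fetc%2Fpasswd",     # percent-encoded traversal
    "/etc/passwd",                 # absolute path: contained, so just missing
    "/public/escape",              # symlink leaving the root
    "/public/%00.html",            # NUL byte
]


def classify(root: Path, request_paths) -> dict:
    """{request: 'served' | 'missing' | 'refused'} for each request path."""
    out = {}
    for p in request_paths:
        try:
            target = resolve_under_root(root, p)
            out[p] = "served" if target.is_file() else "missing"
        except TraversalError:
            out[p] = "refused"
    return out


def demo() -> dict:
    return classify(make_sample_root(), SAMPLE_REQUESTS)


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:8} {request}")
```

Resolving before comparing is what makes the symlink case work: the candidate ends up at the real target outside the root and fails the parent check, even though the request string contains no ".." at all.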

  • 05.50.43 - CVE: CVE-2005-4177
  • Platform: Web Application
  • Title: Magic Book Professional Book.CFM Cross-Site Scripting
  • Description: Magic Book Professional is a guestbook application written in ColdFusion. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "StartRow" parameter of the "book.cfm" script. Versions 2.0 and prior are vulnerable.
  • Ref: http://pridels.blogspot.com/2005/12/magic-book-v20-professional-vuln.html

  • 05.50.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Netref Index.php SQL Injection Scripting
  • Description: Netref is a link management application. Insufficient sanitization of the "cat" parameter in the "index.php" script exposes the application to an SQL injection issue. Netref version 3 is affected.
  • Ref: http://www.securityfocus.com/bid/15801

  • 05.50.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Horde Nag Remote HTML Injection
  • Description: The Horde Application Framework is a series of Web applications and includes Nag which is a task list manager application. It is vulnerable to multiple HTML injection issues due to a failure in the application to properly sanitize user-supplied input. An authenticated attacker could exploit this issue to compromise the application. Nag versions 2.0.3 and earlier are affected.
  • Ref: http://www.sec-consult.com/245.html

  • 05.50.46 - CVE: CVE-2005-4206
  • Platform: Web Application
  • Title: Blackboard Academic Suite Frameset.JSP Cross-Domain Frameset Loading
  • Description: Blackboard Academic Suite is composed of various Web based applications including the Blackboard Learning System, the Blackboard Community System and the Blackboard Content System. It is prone to a cross-domain frameset loading vulnerability. This issue results from a design error and may allow remote attackers to carry out phishing attacks. Blackboard Academic Suite version 6.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15814/info

  • 05.50.47 - CVE: Not Available
  • Platform: Web Application
  • Title: LocazoList Classifieds SearchDB.ASP Input Validation
  • Description: LocazoList Classifieds is a fan appreciation website application. Insufficient sanitization of the "q" parameter in the "searchdb.asp" script exposes the application to an input validation issue. LocazoList Classifieds version 1.0 3c is affected.
  • Ref: http://www.securityfocus.com/bid/15812

  • 05.50.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Scout Portal Toolkit Multiple Input Validation Vulnerabilities
  • Description: Scout Portal Toolkit is prone to multiple input validation vulnerabilities due to improper validation of user-supplied input. It is prone to SQL injection attacks and cross-site scripting attacks. Scout Portal Toolkit version 1.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/15818/exploit

  • 05.50.49 - CVE: CVE-2005-4207
  • Platform: Web Application
  • Title: BTGrup Admin WebController SQL Injection
  • Description: BTGrup Admin WebController is a web administration application. BTGrup Admin WebController is prone to an SQL injection vulnerability. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
  • Ref: http://www.securityfocus.com/archive/1/419237

  • 05.50.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Guestserver GuestServer.CGI HTML Injection
  • Description: Guestserver is a guestbook application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the "message" field of the "guestserver.cgi" script before using it in dynamically generated content. Guestserver version 5.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/419241

  • 05.50.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Arab Portal Link.PHP SQL Injection
  • Description: Arab Portal is a web portal application. Insufficient sanitization of the session id variable "PHPSESSID" and the "REQUEST_URI" PHP variable in the "link.php" script exposes the application to an SQL injection issue. Arab Portal System version 2.0 beta 2 is affected.
  • Ref: http://www.securityfocus.com/bid/15820

  • 05.50.52 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPCoin Config.PHP File Include
  • Description: PHPCoin is a web hosting reseller application. It is prone to a file include vulnerability due to improper sanitization of user-supplied input. The "_CCFG[_PKG_PATH_DBSE]" global parameter of the "config.php" script can facilitate remote and local file include attacks. PHPCoin version 1.2.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15831/exploit

  • 05.50.53 - CVE: CVE-2005-3352
  • Platform: Web Application
  • Title: Apache Mod_IMAP Referer Cross-Site Scripting
  • Description: Mod_IMAP is an Apache module for server-side imagemap processing. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input. This issue occurs when using the "Referer" directive with image maps. Apache versions 2.0.55 and earlier are vulnerable.
  • Ref: http://httpd.apache.org/security/vulnerabilities_20.html

  • 05.50.54 - CVE: CVE-2005-4228
  • Platform: Web Application
  • Title: PHPWebGallery Multiple SQL Injection Vulnerabilities
  • Description: PhpWebGallery is a web-based photo gallery application implemented in PHP. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "since", "sort_by", and "items_number" parameters to the "comments.php" script. PhpWebGallery versions 1.5.1 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2005/12/phpwebgallery-multiple-sql-inj.html

  • 05.50.55 - CVE: Not Available
  • Platform: Web Application
  • Title: EncapsGallery Gallery.PHP SQL Injection
  • Description: EncapsGallery is a web-based photo gallery application. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "id" parameter of the "gallery.php" script before using it in an SQL query. EncapsGallery version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/15836/exploit

  • 05.50.56 - CVE: Not Available
  • Platform: Web Application
  • Title: VCD-db Multiple Input Validation Vulnerabilities
  • Description: VCD-db is a freely available, open source media content management web application. It is prone to multiple input validation vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input.
  • Ref: http://pridels.blogspot.com/2005/12/vcd-db-vuln.html

  • 05.50.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Link Up Gold Multiple Input Validation Vulnerabilities
  • Description: Link Up Gold is a commercial web search engine application. It is prone to multiple input validation vulnerabilities due to improper validation of user-supplied input. An SQL injection attack is possible through the "number" parameter of the "poll.php" script. Cross-site scripting attacks are possible through the "link" parameter of the "tell_friend.php" script, the "phrase" parameter of the "search.php" script, and the "direction" and "sort" parameters of the "articles.php" script. Link Up Gold version 2.5 is affected.
  • Ref: http://pridels.blogspot.com/2005/12/link-up-gold-vuln.html

  • 05.50.58 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP JackKnife Cross-Site Scripting
  • Description: PHP JackKnife is an image gallery. Insufficient sanitization of the "sKeywords" parameter in the "DisplayResults.php" script exposes the application to a cross-site scripting issue. PHP JackKnife versions 2.21 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/15841

  • 05.50.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Plogger Index.PHP Multiple Input Validation Vulnerabilities
  • Description: Plogger is a photo gallery application. It is vulnerable to multiple input validation issues due to a failure in the application to properly sanitize user-supplied input. Successful exploitation of these issues could result in a compromise of the application. Plogger version Beta 2 is vulnerable.
  • Ref: http://pridels.blogspot.com/2005/12/plogger-sqlxss-vuln.html

  • 05.50.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Mantis View_filters_page.PHP Cross-Site Scripting
  • Description: Mantis is a web-based bugtracking system. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "target_field" parameter of the "view_filters_page.php" script. Mantis versions 1.0.0-RC3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/15842/exploit

  • 05.50.61 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Web Scripts Ad Manager Pro Advertiser_statistic.PHP SQL Injection
  • Description: Ad Manager Pro is a web-based software for managing graphical and textual ads. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "ad_number" parameter of the "advertiser_statistic.php" script before using it in an SQL query.
  • Ref: http://pridels.blogspot.com/2005/12/ad-manager-pro-sql-vuln.html

  • 05.50.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Jamit Job Board Index.PHP SQL Injection
  • Description: Job Board is a web application for running and managing a Job Board. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "cat" parameter of the "index.php" script before using it in an SQL query. Job Board version 2.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/15848/exploit

  • 05.50.63 - CVE: Not Available
  • Platform: Web Application
  • Title: DreamLevels Dream Poll View_Results.PHP SQL Injection
  • Description: Dream Poll is web-based polling software. Insufficient sanitization of the "id" parameter in the "view_results.php" script exposes the application to an SQL injection issue. Dream Poll version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/15849

  • 05.50.64 - CVE: Not Available
  • Platform: Web Application
  • Title: CourseForum Technologies ProjectForum Multiple Cross-Site Scripting Vulnerabilities
  • Description: ProjectForum is web-based forum software. It is vulnerable to multiple cross-site scripting issues due to a failure in the application to properly sanitize user-supplied input to the "fwd" parameter of "adminsignin.html" and the "originalpageid" parameter of "newpage.html". An attacker may leverage these issues to steal cookie based authentication credentials as well as perform other attacks.
  • Ref: http://pridels.blogspot.com/2005/12/projectforum-470-vuln.html

  • 05.50.65 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNuke Content Filtering Bypass
  • Description: PHPNuke is a web-based content management system. It is prone to a content filtering bypass vulnerability. This issue can allow an attacker to bypass content filters and potentially carry out cross-site scripting, HTML injection and other attacks. PHPNuke versions 7.9 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/15855/exploit

  • 05.50.66 - CVE: Not Available
  • Platform: Web Application
  • Title: MySQL Auction Search Module Cross-Site Scripting
  • Description: MySQL Auction is an online auction application written in Perl. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "search" module of the application. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. Versions 3.0 and prior are vulnerable.
  • Ref: http://pridels.blogspot.com/2005/12/mysql-auction-xss-vuln.html

  • 05.50.67 - CVE: CVE-2005-4198
  • Platform: Web Application
  • Title: Netref Index.PHP SQL Injection
  • Description: Netref is a link management application written in PHP. It is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "cat" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/15862

  • 05.50.68 - CVE: CVE-2005-4215
  • Platform: Network Device
  • Title: Motorola SB5100E Cable Modem LanD Packet Denial Of Service
  • Description: Motorola SB5100E Cable Modems are physical devices which provide internet connectivity over cable television connections. These devices are susceptible to a remote denial of service vulnerability when handling TCP "LanD" packets. Motorola Cable Modem model SB5100E is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15795

  • 05.50.69 - CVE: CVE-2005-3661
  • Platform: Network Device
  • Title: Dell TrueMobile 2300 Remote Credential Reset
  • Description: Dell TrueMobile 2300 is a wireless access point and Internet router. It is possible for remote attackers to gain control of a target TrueMobile 2300 running firmware versions 3.0.0.8 and 5.1.1.6. The issue is in an administrative component accessed through the web-based control interface. Unauthenticated attackers can force the device to reset the administrative credentials without authorization.
  • Ref: http://www.securityfocus.com/bid/15770/info

  • 05.50.70 - CVE: Not Available
  • Platform: Network Device
  • Title: Nortel SSL VPN Web Interface Input Validation
  • Description: Nortel SSL VPN is affected by an input validation issue which could be exploited to cause arbitrary commands to be executed through the web browser of a user of the system. Nortel SSL VPN version 4.2.1.6 is affected.
  • Ref: http://www.securityfocus.com/bid/15798

  • 05.50.71 - CVE: Not Available
  • Platform: Network Device
  • Title: NetGear RP114 SYN Flood Denial Of Service
  • Description: The Netgear RP114 is a hub device with additional routing, packet and simple content filtering functionality. It is vulnerable to a denial of service issue which may allow attackers to block network traffic to arbitrary network services. NetGear RP114 version 3.26 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/15816/info

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.