@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

• (1) CRITICAL: Microsoft Windows Metafile Processing Buffer Overflow

Exploit Code

• (2) phpBB Remote Command Execution Exploit code has been released for the widely deployed bulletin board phpBB targeting versions 2.0.17 and prior.

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 05.52.1 - Microsoft Internet Explorer HTML Parsing Denial of Service Vulnerabilities
• 05.52.2 - Windows Graphics Rendering Engine Unspecified Code Execution

Third Party Windows Apps

• 05.52.3 - RARLAB WinRAR File Name Potential Buffer Overflow
• 05.52.4 - Interaction SIP Proxy Denial Of Service
• 05.52.5 - Avaya Modular Messaging POP3 Remote Denial of Service
• 05.52.6 - Golden FTP Server APPE Command Buffer Overflow

Mac Os

• 05.52.7 - Mac OS X KHTMLParser Remote Denial of Service

Linux

• 05.52.8 - Linux Kernel IP6_Input_Finish Remote Denial Of Service
• 05.52.9 - Linux Kernel ICMP_Push_Reply Remote Denial of Service

Unix

• 05.52.10 - Network Block Device Server Buffer Overflow
• 05.52.11 - cpio Potential Buffer Overflow

Cross Platform

• 05.52.12 - WebWasher Malicious Script Filter Bypass
• 05.52.13 - Httprint HTTP Response Handling Multiple Vulnerabilities
• 05.52.14 - Macromedia JRun URL Parsing Remote Buffer Overflow
• 05.52.15 - BZFlag Unterminated Callsign Denial Of Service
• 05.52.16 - Hitachi Business Logic Multiple Input Validation Vulnerabilities
• 05.52.17 - Juniper NetScreen-Security Manager Remote Denial of Service
• 05.52.18 - Ethereal GTP Protocol Dissector Denial of Service

Web Application

• 05.52.19 - Lois Software WebDB Search Module SQL Injection
• 05.52.20 - WandSoft E-Search Cross-Site Scripting
• 05.52.21 - SpireMedia CMS Index.cfm SQL Injection
• 05.52.22 - WAXTRAPP Search Module Cross-Site Scripting
• 05.52.23 - Nexus Concepts Dev Hound Multiple Vulnerabilities
• 05.52.24 - Mantis Multiple Unspecified Remote Vulnerabilities
• 05.52.25 - MediaWiki Inline Style Attribute Security Check Bypass
• 05.52.26 - SyntaxCMS Search Query Cross-Site Scripting
• 05.52.27 - Tangora Portal CMS Action Parameter Cross-Site Scripting
• 05.52.28 - Text-e Search Module Cross-Site Scripting
• 05.52.29 - myEZshop Shopping Cart Multiple Input Validation Vulnerabilities
• 05.52.30 - OpenEdit Results.HTML Cross-Site Scripting
• 05.52.31 - Papaya CMS Cross-Site Scripting
• 05.52.32 - SpearTek Search Module Cross-Site Scripting
• 05.52.33 - PHPSlash Article.PHP SQL Injection
• 05.52.34 - Quantum Art QP7.Enterprise Multiple SQL Injection Vulnerabilities
• 05.52.35 - SiteEnable Login.ASP Cross-Site Scripting
• 05.52.36 - IntranetApp Multiple Cross-Site Scripting Vulnerabilities
• 05.52.37 - RAMSite R1CMS Multiple Cross-Site Scripting Vulnerabilities
• 05.52.38 - ComputerOil Redakto CMS Multiple Cross-Site Scripting Vulnerabilities
• 05.52.39 - Scoop Multiple Cross-Site Scripting Vulnerabilities
• 05.52.40 - Commercial Interactive Media SCOOP! Multiple Cross-Site Scripting Vulnerabilities
• 05.52.41 - Sitekit CMS Multiple Cross-Site Scripting Vulnerabilities
• 05.52.42 - SiteSage Cross-Site Scripting
• 05.52.43 - MusicBox Type Parameter SQL Injection
• 05.52.44 - Oracle Application Server Discussion Forum Portlet Multiple Remote Vulnerabilities
• 05.52.45 - SimpBook Messages HTML Injection
• 05.52.46 - Real Web Solution Statistics Counter Service SQL Injection
• 05.52.47 - ShopCentrik ShopEngine EXPS Parameter Cross-Site Scripting
• 05.52.48 - EPay Enterprise Multiple HTML Injection Vulnerabilities
• 05.52.49 - Epic Designs Eggblog Search.PHP Cross-Site Scripting
• 05.52.50 - SimpBook Guestbook HTML Injection
• 05.52.51 - Cerberus Helpdesk Multiple Input Validation Vulnerabilities
• 05.52.52 - Dev Web Management System Multiple Input Validation Vulnerabilities
• 05.52.53 - IceWarp Universal WebMail Multiple Input Validation Vulnerabilities
• 05.52.54 - PaperThin CommonSpot Content Server Cross-Site Scripting
• 05.52.55 - FatWire UpdateEngine Multiple Cross-Site Scripting Vulnerabilities
• 05.52.56 - Day Communique Search Cross-Site Scripting

Network Device

• 05.52.57 - Ingate Firewall and SIParator Denial Of Service
• 05.52.58 - Cisco Downloadable RADIUS Policies Information Disclosure
• 05.52.59 - NEC UNIVERGE IX1000/IX2000/IX3000 IKE Exchange Denial Of Service
• 05.52.60 - ADTRAN NetVanta Products IKE Traffic Multiple Unspecified Vulnerabilities

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 52, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4750 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 05.52.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Internet Explorer HTML Parsing Denial of Service Vulnerabilities
• Description: Microsoft Internet Explorer is affected by multiple denial of service vulnerabilities. These issues arise because the application fails to properly parse certain malformed HTML content. It is conjectured that these issues are triggered due to null pointer dereference errors. Microsoft Internet Explorer versions 6.0 SP2 and earlier are reported to be affected.
• Ref: http://www.securityfocus.com/bid/16070/exploit

• 05.52.2 - CVE: Not Available
• Platform: Windows
• Title: Windows Graphics Rendering Engine Unspecified Code Execution
• Description: Microsoft Windows WMF graphics rendering engine is vulnerable to a remote code execution issue when a user views a crafted WMF formatted file. Microsoft Windows XP and earlier versions are vulnerable.
• Ref: http://www.securityfocus.com/bid/16074/info

• 05.52.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: RARLAB WinRAR File Name Potential Buffer Overflow
• Description: RARLAB WinRAR is a compression utility capable of reading and writing files using several different archival formats. A client-side buffer overflow vulnerability has been reported in the file name processing functionality of WinRAR, due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers. WinRAR version 3.51 is reportedly vulnerable.
• Ref: http://www.securityfocus.com/archive/1/420006

• 05.52.4 - CVE: CVE-2005-4466
• Platform: Third Party Windows Apps
• Title: Interaction SIP Proxy Denial Of Service
• Description: Interaction SIP (Session Initiation Protocol) Proxy is vulnerable to a remote denial of service issue due to insufficient boundry check of the "SIPParser" function. Interaction SIP version 3.0.010 is vulnerable.
• Ref: http://www.hat-squad.com/en/000171.html

• 05.52.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Avaya Modular Messaging POP3 Remote Denial of Service
• Description: Avaya Modular Messaging is an application server. It includes the Avaya Message Storage Server (MSS) POP3 service as well. This is prone to a remote denial of service vulnerability. An attacker can send specially crafted packets to the service to trigger an infinite loop that eventually leads to a crash or hang. Avaya Modular Messaging 2.0 SP4 and earlier versions are vulnerable.
• Ref: http://support.avaya.com/elmodocs2/security/ASA-2005-235.pdf

• 05.52.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Golden FTP Server APPE Command Buffer Overflow
• Description: Golden FTP Server is affected by a buffer overflow issue due to improper handling of the "APPE" command. Golden FTP Server version 1.92 is affected.
• Ref: http://www.securityfocus.com/bid/16060/info

• 05.52.7 - CVE: Not Available
• Platform: Mac Os
• Title: Mac OS X KHTMLParser Remote Denial of Service
• Description: Apple Mac OS X KHTMLParser is vulnerable to a denial of service issue when the application fails to properly handle HTML files containing a large ROWSPAN value. Mac OS X versions 10.4.3 and earlier are vulnerable. TextEdit and Safari are also vulnerable.
• Ref: http://www.security-protocols.com/advisory/sp-x22-advisory.txt

• 05.52.8 - CVE: CVE-2005-3858
• Platform: Linux
• Title: Linux Kernel IP6_Input_Finish Remote Denial Of Service
• Description: Linux kernel is prone to a remote denial of service vulnerability. This issue presents itself when certain unspecified, malformed IPv6 packets are processed by the "ip6_input_finish()" function. In certain circumstances, SKB network buffers will not be freed, resulting in leaked kernel memory. Successful exploitation will result in a crash of the kernel, effectively denying service to legitimate users. Linux kernel versions 2.6.12.5 and prior in the 2.6 series are vulnerable to this issue.
• Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.6

• 05.52.9 - CVE: CVE-2005-3848
• Platform: Linux
• Title: Linux Kernel ICMP_Push_Reply Remote Denial of Service
• Description: Linux kernel is prone to a remote denial of service vulnerability. This issue presents itself when certain unspecified, malformed ICMP packets are processed by the "imcp_push_reply()" function. Linux kernel versions 2.6.12.5 and prior in the 2.6 series are vulnerable to this issue.
• Ref: http://www.securityfocus.com/advisories/9913

• 05.52.10 - CVE: Not Available
• Platform: Unix
• Title: Network Block Device Server Buffer Overflow
• Description: Network Block Device (NBD) is a client/server for using remote computers as block devices over TCP/IP. The server component is affected by a buffer overflow issue due to insufficient sanitization of user-supplied input. Please refer to attached advisories for a list of affected versions.
• Ref: http://www.securityfocus.com/advisories/9918 http://www.securityfocus.com/advisories/9905

• 05.52.11 - CVE: CVE-2005-4268
• Platform: Unix
• Title: cpio Potential Buffer Overflow
• Description: cpio is an open-source file compression/decompression utility. cpio is vulnerable to a potential buffer overflow issue. This issue exists in the file name processing functionality of the application and arises when the affected application processes a specially-crafted file name of a file to be compressed.
• Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172669

• 05.52.12 - CVE: Not Available
• Platform: Cross Platform
• Title: WebWasher Malicious Script Filter Bypass
• Description: WebWasher is free internet filtering software. It is prone to a filter bypass vulnerability due to a design error. Reports indicate that the application detects and filters malicious scripts by identifying specific tokens in the scripts such as the ".Run" method. Webwasher CSM Appliance and CSM Suite version 5.0 are vulnerable to this issue.
• Ref: http://www.securityfocus.com/archive/1/420158

• 05.52.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Httprint HTTP Response Handling Multiple Vulnerabilities
• Description: Httprint is a Web server fingerprinting tool. It is vulnerable to multiple remote issues. These issues can allow attackers to carry out HTML injection and denial of service attacks. Httprint version 202 is vulnerable.
• Ref: http://www.securityfocus.com/bid/16031

• 05.52.14 - CVE: Not Available
• Platform: Cross Platform
• Title: Macromedia JRun URL Parsing Remote Buffer Overflow
• Description: Macromedia JRun is a J2EE application server. It is prone to a remote buffer overflow vulnerability due to a failure in the application to perform proper bounds checks on user supplied data before using it in a finite sized buffer. Macromedia JRun versions 4.0 SP1a and earlier are vulnerable. Ref: http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=360

• 05.52.15 - CVE: Not Available
• Platform: Cross Platform
• Title: BZFlag Unterminated Callsign Denial Of Service
• Description: BZFlag is a multi-player action game. It is vulnerable to a denial of service issue triggered by a malformed callsign message. An attacker could exploit this issue to deny service to legitimate users.
• Ref: http://aluigi.altervista.org/adv/bzflagboom-adv.txt

• 05.52.16 - CVE: Not Available
• Platform: Cross Platform
• Title: Hitachi Business Logic Multiple Input Validation Vulnerabilities
• Description: Hitachi Business Logic is an application that performs business logic. The Business Logic Containers (BLC) are vulnerable to multiple input validation vulnerabilities such as SQL injection, cross-site scripting and HTTP response splitting attacks. Hitachi Business Logic versions 2.0.6 and earlier are vulnerable.
• Ref: http://www.hitachi-support.com/security_e/vuls_e/HS05-025_e/01-e.html

• 05.52.17 - CVE: Not Available
• Platform: Cross Platform
• Title: Juniper NetScreen-Security Manager Remote Denial of Service
• Description: Juniper NetScreen-Security Manager (NSM) is used to centrally manage a Juniper Networks NetScreen security environment. It is prone to a remote denial of service vulnerability. This issue arises because the application fails to handle exceptional conditions in a proper manner. Juniper NetScreen-Security Manager versions 2004 FP2 and FP3 are reportedly vulnerable.
• Ref: http://www.securityfocus.com/bid/16075/discuss

• 05.52.18 - CVE: Not Available
• Platform: Cross Platform
• Title: Ethereal GTP Protocol Dissector Denial of Service
• Description: The Ethereal GTP protocol dissector is prone to a remotely exploitable denial of service vulnerability. Due to an unspecified error, the GTP protocol dissector may enter into an infinite loop. The issue may be exploited by causing Ethereal to process a malformed packet. Successful exploitation will cause a denial of service condition in the Ethereal application.
• Ref: http://www.ethereal.com/appnotes/enpa-sa-00022.html

• 05.52.19 - CVE: Not Available
• Platform: Web Application
• Title: Lois Software WebDB Search Module SQL Injection
• Description: Lois Software WebDB is an online database application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the search parameter of the search module. WebDB versions 1.1 and earlier are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/webdb-sql-inj-vuln.html

• 05.52.20 - CVE: Not Available
• Platform: Web Application
• Title: WandSoft E-Search Cross-Site Scripting
• Description: WandSoft e-Search is a web-based content indexing and search module. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "search" parameter.
• Ref: http://pridels.blogspot.com/2005/12/wandsoft-e-search-xss-vuln.html

• 05.52.21 - CVE: Not Available
• Platform: Web Application
• Title: SpireMedia CMS Index.cfm SQL Injection
• Description: SpireMedia CMS is an enterprise content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "cid" parameter of the "index.cfm" script. SpireMedia CMS mx7 is vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/spiremedia-cms-sql-inj-vuln.html

• 05.52.22 - CVE: Not Available
• Platform: Web Application
• Title: WAXTRAPP Search Module Cross-Site Scripting
• Description: WAXTRAPP is a web-based content management system. WAXTRAPP is prone to a cross-site scripting vulnerability. WAXTRAPP version 3.0.1 is vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/waxtrapp-xss-vuln.html

• 05.52.23 - CVE: Not Available
• Platform: Web Application
• Title: Nexus Concepts Dev Hound Multiple Vulnerabilities
• Description: Dev Hound is a web-based project management system. It is affected by multiple HTML injection vulnerablities as well as path and information disclosure issues. Dev Hound versions 2.24 and earlier are affected.
• Ref: http://www.exploitlabs.com/files/advisories/EXPL-A-2005-017-devhound.txt

• 05.52.24 - CVE: Not Available
• Platform: Web Application
• Title: Mantis Multiple Unspecified Remote Vulnerabilities
• Description: Mantis is a bug tracking application. These issues can allow attackers to disclose sensitive information as well as carry out cross-site scripting, HTML injection and SQL injection attacks. These issues arise in Mantis versions prior to 0.19.4, and 1.0.0rc4.
• Ref: http://www.securityfocus.com/advisories/9914

• 05.52.25 - CVE: Not Available
• Platform: Web Application
• Title: MediaWiki Inline Style Attribute Security Check Bypass
• Description: MediaWiki is affected by an issue which may allow attackers to execute script code in a user's browser. The issues are exposed due the presence of a hard coded internal placeholder string that allows security checks related to inline style attributes to be bypassed. MediaWiki version 1.5.3 is vulnerable.
• Ref: http://www.securityfocus.com/bid/16032

• 05.52.26 - CVE: Not Available
• Platform: Web Application
• Title: SyntaxCMS Search Query Cross-Site Scripting
• Description: SyntaxCMS is a web-based content management system. Insufficient sanitization of the "search_query" parameter of the "search" feature exposes the application to a cross-site scripting issue. SyntaxCMS versions 1.2.1 and earlier are affected.
• Ref: http://pridels.blogspot.com/2005/12/syntaxcms-xss-vuln.html

• 05.52.27 - CVE: Not Available
• Platform: Web Application
• Title: Tangora Portal CMS Action Parameter Cross-Site Scripting
• Description: Tangora Portal CMS is a content management system. It is prone to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "action" parameter. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks.
• Ref: http://pridels.blogspot.com/2005/12/tangora-portal-cms-xss-vuln.html

• 05.52.28 - CVE: Not Available
• Platform: Web Application
• Title: Text-e Search Module Cross-Site Scripting
• Description: Text-e is a web-based content management system. Text-e is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the unspecified parameters in the search module.
• Ref: http://pridels.blogspot.com/2005/12/text-e-xss-vuln.html

• 05.52.29 - CVE: Not Available
• Platform: Web Application
• Title: myEZshop Shopping Cart Multiple Input Validation Vulnerabilities
• Description: myEZshop Shopping Cart is an online purchasing application. It is vulnerable to multiple input validation issues. SQL injection attacks are possible through the "GroupsId" and "ItemsId" parameters in "admin.php". Cross-site scripting attacks are possible through the "Keyword" parameter when performing a search.
• Ref: http://www.securityfocus.com/bid/15965

• 05.52.30 - CVE: Not Available
• Platform: Web Application
• Title: OpenEdit Results.HTML Cross-Site Scripting
• Description: OpenEdit is affected by a cross-site scripting issue due to insufficient sanitization of the "oe-action" and "page" parameters of the "/store/search/results.html" script. OpenEdit version 4.0 is affected.
• Ref: http://pridels.blogspot.com/2005/12/openedit-xss-vuln.html

• 05.52.31 - CVE: Not Available
• Platform: Web Application
• Title: Papaya CMS Cross-Site Scripting
• Description: Papaya CMS is a web-based content management system. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "bab[searchfor]" parameter of the "suche.153.html" script. Papaya CMS version 4.0.4 is affected.
• Ref: http://pridels.blogspot.com/2005/12/papaya-cms-xss-vuln.html

• 05.52.32 - CVE: Not Available
• Platform: Web Application
• Title: SpearTek Search Module Cross-Site Scripting
• Description: SpearTek is a web-based content management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "search" module. SpearTek version 6.0 is vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/speartek-xss-vuln.html

• 05.52.33 - CVE: Not Available
• Platform: Web Application
• Title: PHPSlash Article.PHP SQL Injection
• Description: PHPSlash is a web-based content management system. Insufficient sanitization of the "story_id" parameter in the "article.php" script exposes the application to an SQL injection issue. PHPSlash version 0.8.1 is affected.
• Ref: http://pridels.blogspot.com/2005/12/phpslash-sql-vuln.html

• 05.52.34 - CVE: Not Available
• Platform: Web Application
• Title: Quantum Art QP7.Enterprise Multiple SQL Injection Vulnerabilities
• Description: Quantum Art QP7.Enterprise is a web-based content management system. It is vulnerable to multiple SQL injection issues due to a failure in the application to properly sanitize user-supplied input to the "p_news_id" parameter of the "news_and_events_new.asp" and "news.asp" scripts.
• Ref: http://pridels.blogspot.com/2005/12/qp7enterprise-sql-vuln.html

• 05.52.35 - CVE: CVE-2005-1012
• Platform: Web Application
• Title: SiteEnable Login.ASP Cross-Site Scripting
• Description: SiteEnable is a content management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "ret_page" parameter of the "index.asp" script. SiteEnable versions 3.3 and earlier are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/siteenable-xss-vuln.html

• 05.52.36 - CVE: Not Available
• Platform: Web Application
• Title: IntranetApp Multiple Cross-Site Scripting Vulnerabilities
• Description: IntranetApp is a collaboration and communication application. Insufficeint sanitization of the "ret_page" parameter in the "login.asp", the "do_search" and "search" parameters of the "content.asp" script exposes the application to multiple cross-site scripting issues. IntranetApp version 3.3 is affected.
• Ref: http://pridels.blogspot.com/2005/12/intranetapp-xss-vuln.html

• 05.52.37 - CVE: Not Available
• Platform: Web Application
• Title: RAMSite R1CMS Multiple Cross-Site Scripting Vulnerabilities
• Description: RAMSite R1 CMS is a content management application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to unspecified parameters in the search module. RAMSite R1 CMS 1.0 is vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/ramsite-r1-cms-xss-vuln.html

• 05.52.38 - CVE: Not Available
• Platform: Web Application
• Title: ComputerOil Redakto CMS Multiple Cross-Site Scripting Vulnerabilities
• Description: ComputerOil Redakto CMS is a web content management application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "iid", "iid2", "lang", "r", "cart", "str", "nf", and "a" parameters of the "index.tpl" script. Redakto version 3.2 is reported to be vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/redakto-wcms-multiple-xss-vuln.html

• 05.52.39 - CVE: Not Available
• Platform: Web Application
• Title: Scoop Multiple Cross-Site Scripting Vulnerabilities
• Description: Scoop is affecetd by a cross-site scripting issue due to insufficient sanitization of the "type" and "count" parameters. Scoop version 1.1 RC1 is affected.
• Ref: http://pridels.blogspot.com/2005/12/scoop-xss-vuln.html

• 05.52.40 - CVE: Not Available
• Platform: Web Application
• Title: Commercial Interactive Media SCOOP! Multiple Cross-Site Scripting Vulnerabilities
• Description: Commercial Interactive Media SCOOP! is a web content management system. It is vulnerable to multiple cross-site scripting vulnerabilities due to a failure in the application to properly sanitize user-supplied input. Commercial Interactive Media SCOOP! version 2.3 is vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/scoop-multiple-xss-vuln.html

• 05.52.41 - CVE: Not Available
• Platform: Web Application
• Title: Sitekit CMS Multiple Cross-Site Scripting Vulnerabilities
• Description: Sitekit CMS is a commercial Web content management product by Sitekit Solutions. Sitekit CMS is prone to multiple cross-site scripting vulnerabilities. Version 6.6 of Sitekit is reportedly vulnerable to these issues.
• Ref: http://pridels.blogspot.com/2005/12/sitekit-cms-multiple-xss-vuln.html

• 05.52.42 - CVE: Not Available
• Platform: Web Application
• Title: SiteSage Cross-Site Scripting
• Description: Starphire Technologies SiteSage is a web content management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the parameters of the search module. Starphire Technologies versions SiteSage-SE, SiteSage-SB, SiteSage-LE, SiteSage-EE, SiteSage 5.0.18 and earlier are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/sitesage-xss-vuln.html

• 05.52.43 - CVE: Not Available
• Platform: Web Application
• Title: MusicBox Type Parameter SQL Injection
• Description: MusicBox is a web-based application used to create and maintain music websites. It is prone to an SQL injection vulnerability due to a failure in the application to properly sanitize user-supplied input to the "type" parameter before using it in an SQL query. This issue affects MusicBox version 2.3 Beta 2; other versions may also be vulnerable.
• Ref: http://www.securityfocus.com/bid/16030/exploit

• 05.52.44 - CVE: Not Available
• Platform: Web Application
• Title: Oracle Application Server Discussion Forum Portlet Multiple Remote Vulnerabilities
• Description: Oracle Application Server Discussion Forum Portlet is a web-based application. It is affected by multiple remote vulnerabilities due to insufficient sanitization of user-supplied data. All versions of Oracle Application Server Discussion Forum Portlet are considered to be vulnerable.
• Ref: http://www.securityfocus.com/bid/16048/exploit

• 05.52.45 - CVE: Not Available
• Platform: Web Application
• Title: SimpBook Messages HTML Injection
• Description: SimpBook is a web-based application. Insufficient sanitization of user-supplied input exposes the application to an HTML injection issue. All versions are affected.
• Ref: http://www.securityfocus.com/bid/16053/info

• 05.52.46 - CVE: Not Available
• Platform: Web Application
• Title: Real Web Solution Statistics Counter Service SQL Injection
• Description: Statistics Counter Service is a web-based application. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the user area before using it in an SQL query. Statistics Counter Service versions prior to 2.4.1 are affected.
• Ref: http://www.rws.com.ua/counter_service.php

• 05.52.47 - CVE: Not Available
• Platform: Web Application
• Title: ShopCentrik ShopEngine EXPS Parameter Cross-Site Scripting
• Description: ShopEngine is a web-based application. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "EXPS" parameter of the "search.asp" script. An attacker could exploit this issue to steal cookie based authentication credentials as well as perform other attacks.
• Ref: http://www.securityfocus.com/bid/16054/info

• 05.52.48 - CVE: CVE-2005-0981
• Platform: Web Application
• Title: EPay Enterprise Multiple HTML Injection Vulnerabilities
• Description: AlstraSoft EPay is an ecommerce application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input to such scripts as "profile.htm", "card.htm", "bank.htm", and "subscriptions.htm". AlstraSoft EPay Enterprise versions 3.0 and earlier are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/alstrasoft-epay-enterprise-v30-xss.html

• 05.52.49 - CVE: Not Available
• Platform: Web Application
• Title: Epic Designs Eggblog Search.PHP Cross-Site Scripting
• Description: Eggblog is a weblog application. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "q" parameter of the "search.php" script. eggblog version 2.0 is affected.
• Ref: http://pridels.blogspot.com/2005/12/eggblog-vuln.html

• 05.52.50 - CVE: Not Available
• Platform: Web Application
• Title: SimpBook Guestbook HTML Injection
• Description: SimpBook is a guest book application. It is prone to an HTML injection vulnerability due to a failure in the application to properly sanitize user-supplied input to the "message" field of the guestbook entry page before using it in dynamically generated content. SimpBook version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/16058/discuss

• 05.52.51 - CVE: Not Available
• Platform: Web Application
• Title: Cerberus Helpdesk Multiple Input Validation Vulnerabilities
• Description: Cerberus Helpdesk is an email management application. It is vulnerable to multiple cross-site scripting and SQL injection issues due to improper validation of user supplied input. Cerberus Helpdesk version 2.649 is vulnerable.
• Ref: http://www.securityfocus.com/bid/16062/info

• 05.52.52 - CVE: Not Available
• Platform: Web Application
• Title: Dev Web Management System Multiple Input Validation Vulnerabilities
• Description: Dev Web Management System is a content management system for web portals. It is prone to multiple input validation vulnerabilities due to insufficient sanitization of user-supplied input. There exists an SQL injection vulnerability to the "cat" parameter of the "index.php" script and the "target" parameter of the "download_now.php" script. There is also a cross-site scripting vulnerability to the "language" parameter of the "add.php" script. Dev Web Management System versions 1.5 and earlier are prone to these issues.
• Ref: http://www.securityfocus.com/bid/16063/exploit

• 05.52.53 - CVE: Not Available
• Platform: Web Application
• Title: IceWarp Universal WebMail Multiple Input Validation Vulnerabilities
• Description: IceWarp Universal WebMail is a web-based interface to allow users to send and receive email messages using a third-party mail server. IceWarp Universal WebMail is prone to multiple input validation vulnerabilities. Merak Mail Server 8.3.0.r and VisNetic Mail Server 8.3.0 build 1 are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/420255

• 05.52.54 - CVE: Not Available
• Platform: Web Application
• Title: PaperThin CommonSpot Content Server Cross-Site Scripting
• Description: PaperThin CommonSpot Content Server is a web-based content management system that runs on ColdFusion. Insufficient sanitization of the "bNewWindow" parameter of the "loader.cfm" page exposes the application to a cross-site scripting issue. CommonSpot Content Server version 4.5 is affetced.
• Ref: http://pridels.blogspot.com/2005/12/commonspot-content-server-vuln.html

• 05.52.55 - CVE: Not Available
• Platform: Web Application
• Title: FatWire UpdateEngine Multiple Cross-Site Scripting Vulnerabilities
• Description: FatWire UpdateEngine is a content management system. It is vulnerable to multiple cross-site scripting issues due to a failure in the application to properly sanitize user-supplied input to the "FUELAP_TEMPLATENAME", "EMAIL" and "COUNTRYNAME" parameters. An attacker may leverage these issues to steal cookie-based authentication credentials as well as perform other attacks. FatWire UpdateEngine versions 6.2 and prior are vulnerable.
• Ref: http://pridels.blogspot.com/2005/12/fatwire-updateengine-62-multiple-xss.html

• 05.52.56 - CVE: Not Available
• Platform: Web Application
• Title: Day Communique Search Cross-Site Scripting
• Description: Day Communique is a native JCR standard compliant enterprise content management solution. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "query" parameter of the search component. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. Day Communique versions 4.0 and earlier are affected.
• Ref: http://pridels.blogspot.com/2005/12/communiqu-4-xss-vuln.html

• 05.52.57 - CVE: CVE-2005-4464
• Platform: Network Device
• Title: Ingate Firewall and SIParator Denial Of Service
• Description: Ingate Firewall is a hardware based firewall and SIParator is a device that allows for SIP-based communications. Both are vulnerable to a remote kernel deadlock denial of service issue when handling unspecified TCP packets. Ingate Firewall and SIParator versions 4.3.4 and earlier are vulnerable.
• Ref: http://www.ingate.com/relnote-434.php

• 05.52.58 - CVE: Not Available
• Platform: Network Device
• Title: Cisco Downloadable RADIUS Policies Information Disclosure
• Description: Cisco PIX and VPN 3000 concentrators are commercial network security devices. These devices, when managed by Cisco Secure Access Control Servers, are vulnerable to an information disclosure vulnerability due to a design flaw that communicates sensitive information over an unencrypted communications channel.
• Ref: http://www.cisco.com/warp/public/707/advisory.html

• 05.52.59 - CVE: Not Available
• Platform: Network Device
• Title: NEC UNIVERGE IX1000/IX2000/IX3000 IKE Exchange Denial Of Service
• Description: NEC UNIVERGE IX1000/IX2000/IX3000 are commercially available router devices. They are vulnerable to a denial of service vulnerabily due to security flaws in NEC's IPSec implementation. An attacker could leverage this issue to deny service to other users.
• Ref: http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en

• 05.52.60 - CVE: Not Available
• Platform: Network Device
• Title: ADTRAN NetVanta Products IKE Traffic Multiple Unspecified Vulnerabilities
• Description: Certain ADTRAN NetVanta products are prone to multiple unspecified vulnerabilities in IKEv1. The reported issues include buffer overflows, format strings, and denial of service vulnerabilities. Some of the issues could potentially allow for remote code execution and complete compromise of affected devices. This has not been confirmed. ADTRAN OS 10.03.03.E is available to address these issues.
• Ref: http://www2.adtran.com/support/isakmp/

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.