
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 7
February 17, 2005

Trouble this week with multiple browsers, Apple Macs, and DB2, as well as Computer Associates BrightStor.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                     # of Updates & Vulnerabilities
    ---------------------------  ------------------------------
    Other Microsoft Products     1
    Third Party Windows Apps     3
    Linux                        2
    Mac OS X                     0 (#2)
    HP-UX                        1
    Solaris                      1
    Unix                         6 (#4)
    Cross Platform               14 (#1, #3, #5)
    Web Application              13
    Network Device               1
    Hardware                     1

***************** This Issue Sponsored by Radware **********************

Radware Intrusion Prevention Switch protects against worms, viruses, malicious intrusions, Denial of Service attacks and Trojans - securing networked applications at 3-Gbps. Learn more about Radware at the SANS Lone Star 2005 Tabletop Vendor Expo, Houston, TX, March 11, 2005. Download DefensePro whitepaper http://www.radware.com/content/products/dp/whtpaper/_download-20040204b/form.asp

******************* Featured Training Program *************************

Join more than 1,200 security technology professionals in San Diego in early April for one of eighteen tracks of wonderful hands-on, immersion security training. Here's an example of what hundreds of students have written, "SANS is hands-down the best IT Security training in the world. The knowledge and experience of the instructors is second to none." That's why serious security professionals come to SANS - because the instructors are active practitioners -- fully up to date -- and they are the best teachers of security in the United States. For security technologists, auditors, and security managers. Early registration deadline on the 25th of February. Details about SANS2005: http://www.sans.org/sans2005 Or for smaller classes, meet in Houston http://www.sans.org/lonestar05

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
HP-UX
Solaris
Unix
Cross Platform
Web Application
Network Device
Hardware

************************** SPONSORED LINKS ******************************

Privacy notice: Sponsored links redirect to non-SANS web pages. (1) Top Layer - 2005 NSS Group "Double Approval" for Rate & Content-based Intrusion Prevention. Report: http://www.sans.org/info.php?id=725

************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Dinesh Sequeira (dinesh_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: Multiple Browsers International Domain Name Spoofing
  • Affected:
    • Firefox version 1.0 and prior
    • Mozilla version 1.7.5 and prior
    • Safari version 1.2.5 and prior
    • Thunderbird version 1.0 and prior
    • Netscape version 7.x
  • Description: The Domain Name System (DNS) specification, as described in RFC 1034, does not permit any non-ASCII characters in a domain name. The International Domain Name (IDN) scheme was developed specifically to support domain names in various languages, and multiple browsers such as Mozilla, Firefox, and Safari have implemented it. This feature could be exploited by an attacker to conduct phishing attacks. The problem is that a URL whose domain name contains Unicode characters appears as an all-ASCII URL, because the Unicode characters are rendered as glyphs indistinguishable from the closest-resembling ASCII characters; yet when such a URL is clicked, the content is fetched from the actual international domain name, possibly under the attacker's control. For instance, the URL "pаypal.com" is displayed as "www.paypal.com" in the browser; upon clicking it, the content is rendered from the "www.xn--pypal-4ve.com" domain name. Note that this trick also works for sites that use secure HTTP: the attacker can obtain a valid certificate for the international domain name, so when a victim visits the spoofed secure site, the browser still displays the "lock" icon. Thus, a specially crafted web page or HTML email may exploit the IDN feature to conduct phishing attacks, i.e., to gather sensitive personal information from users.

  • Status: Vendors have been contacted. Mozilla has provided steps for disabling IDN support. An unofficial Safari plug-in has also been posted that alerts the Safari user when an IDN URL is clicked. A general countermeasure is to train users not to enter any personal information on a web page reached by clicking a link in an email or on another web page.

  • Council Site Actions: Only three of the reporting council sites are using the affected software. One site has notified its system support group and will let them decide on the action. The second site does not plan any immediate action. The third site only supports Mozilla on UNIX systems and will update the central version in late February.

  • References:
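The spoofing described above rests on the gap between the glyphs a user sees and the ACE ("xn--") name the resolver actually uses. The following is an added example (not code from the newsletter or any vendor) that makes that gap visible for a defender: it converts a hostname to its ACE form with Python's built-in IDNA codec, flags labels that mix scripts, and folds a small, constructed table of Cyrillic/Greek look-alikes to show which ASCII name the hostname imitates. The confusables table and the sample hostnames are assumptions for illustration.

```python
import unicodedata

# Constructed confusables table for this example (a handful of Cyrillic and
# Greek letters that render like Latin ones); it is an illustration, not the
# full Unicode confusables.txt data set.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_ace(hostname: str) -> str:
    """ACE (punycode) form: the name the resolver and the certificate really
    bind to. Non-ASCII labels get the xn-- prefix, ASCII labels pass through."""
    return hostname.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(hostname: str) -> str:
    """What the name looks like once known confusables are folded to Latin."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def analyze(hostname: str) -> dict:
    """Compare the glyphs a user sees with the name that is actually resolved."""
    name = hostname.strip().lower()
    report = {"input": name, "ace": None, "mixed_script_labels": [],
              "lookalike_of": None, "suspicious": False}
    try:
        report["ace"] = to_ace(name)
    except UnicodeError:
        # Nameprep/punycode rejected a label; treat as suspicious rather than ok.
        report["suspicious"] = True
        return report
    if report["ace"] == name:
        return report  # plain ASCII name: nothing to spoof
    for label in name.split("."):
        if len(scripts_in_label(label)) > 1:
            report["mixed_script_labels"].append(label)
    folded = skeleton(name)
    if folded != name and folded.isascii():
        # After folding look-alikes the name is a pure-ASCII brand name.
        report["lookalike_of"] = folded
    report["suspicious"] = bool(report["mixed_script_labels"] or report["lookalike_of"])
    return report


def verdict(hostname: str) -> str:
    """One-line summary suitable for a proxy log or a mail gateway note."""
    r = analyze(hostname)
    if not r["suspicious"]:
        return f"{r['input']} -> {r['ace']}: ok"
    return (f"{r['input']} -> {r['ace']}: SUSPICIOUS"
            f" (mixed scripts in {r['mixed_script_labels']},"
            f" looks like {r['lookalike_of']})")


if __name__ == "__main__":
    # Constructed inputs: the newsletter's PayPal look-alike (Cyrillic a),
    # a legitimate German IDN that must NOT be flagged, and a plain ASCII name.
    for host in ["www.p\u0430ypal.com", "m\u00fcnchen.de", "www.paypal.com"]:
        print(verdict(host))
```

A legitimate single-script IDN such as "münchen.de" passes, which is the distinction that blanket disabling of IDN (the Mozilla workaround) cannot make.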
  • (2) MODERATE: Apple Mac OS X AppleFileServer Remote Integer Overflow
  • Affected:
    • Apple Mac OS X and Apple Mac OS X Server versions 10.x
  • Description: The Apple Filing Protocol (AFP) enables file sharing across networked Mac OS computers; it serves a role similar to SMB, the file sharing protocol in Windows environments. AppleFileServer, which provides AFP services, contains an integer overflow. The overflow can be triggered by a specially crafted "FPLoginExt" (authentication) request that declares a negative length for the "User Authentication Method" string. An unauthenticated attacker can exploit this flaw to crash the AFP server. Code execution (with root privileges) may be possible but has not been confirmed at this time. Note that the AFP service is not enabled by default.

  • Status: Apple contacted, no patch available. A workaround is to block traffic destined to the AFP ports 548/tcp and 548/udp at the network perimeter.

  • Council Site Actions: Only two of the reporting council sites are responding to this item. Both sites plan to distribute the patch or make it available via Software Update once that patch has been released.

  • References:
Other Software
  • (4) CRITICAL: CA BrightStor ARCserve Backup UniversalAgent Backdoor
  • Affected:
    • BrightStor ARCserve Backup version 11.1 and earlier for Linux and UNIX (Sun Solaris, IBM AIX and HP-UX)
    • BrightStor Enterprise Backup version 10.5 and earlier for Linux and UNIX (Sun Solaris, IBM AIX and HP-UX)
  • Description: Computer Associates BrightStor ARCserve/Enterprise Backup products provide backup services for Windows, NetWare, Linux and UNIX systems. The backup operation on a system is performed by the "universal agent" on that system, which listens on ports 6051/tcp and 6051/udp by default. The "universal agent" for UNIX platforms contains a hard-coded username "\x20root\x03" and password "\x02<%j8U]'~+Ri\x03". Using these credentials, an attacker can execute arbitrary commands on the system with the privileges of the agent service, typically root.

  • Status: Vendor confirmed. Patches are available. A workaround to block attacks originating from the Internet is to block the ports 6051/tcp and 6051/udp at the network perimeter.

  • Council Site Actions: Two of the reporting sites responded to this item. The first site has a very limited use of the affected application and is in the process of decommissioning it. They are evaluating if action needs to be taken before the affected systems are decommissioned. The second site is not 100% sure they don't have any installations so they plan to scan their network to look for active applications running on the affected port (6051).

  • References:
  • (5) CRITICAL: CA BrightStor ARCserve Discovery Service Overflow
  • Affected:
    • Multiple versions of BrightStor ARCserve/Enterprise Backup.
  • Description: A buffer overflow vulnerability has been discovered in the BrightStor ARCserve/Enterprise Backup server's "discovery" service. The overflow can be triggered by sending a specially crafted packet longer than 2048 bytes. The flaw can be exploited to execute arbitrary code on the server with administrative privileges. Note that this issue is distinct from the buffer overflow (on port 41524/udp) discussed in the previous issue of the @RISK newsletter.

  • Status: Vendor confirmed, patches available. A workaround is to block port 41523/tcp at the network perimeter. SANS incidents.org reports that scanning for port 41523/tcp is on the rise.

  • Council Site Actions: Three of the reporting council sites are using the affected software. One site plans to address the issue once a patch is available. The second site has very limited use of the affected application and is in the process of decommissioning it; they are evaluating whether action needs to be taken before the affected systems are decommissioned. The third site is investigating whether the Discovery Service is enabled by default or was manually enabled on any system.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 7, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4068 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.7.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Malformed File URL Denial of Service
  • Description: Microsoft Internet Explorer is reported to be vulnerable to a remote denial of service issue, due to improper sanitization of a user-supplied URL. The issue presents itself when a "file://%0xA0%:" URL is opened with Internet Explorer. Internet Explorer version 6 Service Pack 1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12565

  • 05.7.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: HP HTTP Server Remote Unspecified Buffer Overflow
  • Description: HP HTTP Server is a component of HP web-enabled management software. HP HTTP Server is affected by a remote buffer overflow vulnerability. HP HTTP Server versions 5.94 and earlier are known to be vulnerable.
  • Ref: http://h18023.www1.hp.com/support/files/Server/us/download/22192.html

  • 05.7.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: KarjaSoft Sami HTTP Server Multiple Remote Vulnerabilities
  • Description: KarjaSoft Sami HTTP Server is a web server. There are multiple vulnerabilities, including a directory traversal vulnerability and a denial of service issue. This is due to poor user input validation and a failure to handle malformed network-based requests. KarjaSoft Sami HTTP Server version 1.0.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/12559/info/

  • 05.7.4 - CVE: CAN-2005-0425
  • Platform: Third Party Windows Apps
  • Title: IBM WebSphere Application Server JSP Engine Source Code Disclosure
  • Description: IBM WebSphere Application Server for Microsoft Windows is vulnerable to a source code disclosure issue in the JSP engine due to an input validation error. This could allow a remote attacker to gain access to sensitive information which can lead to further attacks. WebSphere Application Server versions 5.0 and 5.1 running on Microsoft Windows platforms are vulnerable to this issue.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg24008814

  • 05.7.5 - CVE: Not Available
  • Platform: Linux
  • Title: Gentoo Portage Webmin Root Password Disclosure Vulnerability
  • Description: Portage is the package management system used by Gentoo Linux. It is vulnerable to an information disclosure issue that gives remote users access to the build host's root password. Gentoo Portage packages prior to 1.170-r3 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/advisories/8064

  • 05.7.6 - CVE: CAN-2004-1180
  • Platform: Linux
  • Title: Netkit rwho Packet Size Denial of Service
  • Description: The Netkit rwho daemon and client are networking tools for Linux. The Netkit rwho daemon is affected by a denial of service vulnerability. Little-endian architectures are known to be vulnerable.
  • Ref: http://www.debian.org/security/2005/dsa-678

  • 05.7.7 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX BIND Unspecified Remote Denial of Service
  • Description: HP-UX BIND is reported to be vulnerable to an unspecified denial of service issue. The issue exists due to a failure of the application to handle malformed network data.
  • Ref: http://www.securityfocus.com/bid/12497

  • 05.7.8 - CVE: CAN-2005-0447
  • Platform: Solaris
  • Title: Sun Solaris ARP Handling Remote Denial of Service
  • Description: Sun Solaris is reported to be vulnerable to a remote denial of service issue. The issue exists due to a failure in properly handling a flood of ARP packets.
  • Ref: http://www.securityfocus.com/bid/12553

  • 05.7.9 - CVE: CAN-2005-0011
  • Platform: Unix
  • Title: KDE KStars FLICCD Utility Multiple Buffer Overflow Vulnerabilities
  • Description: KDE KStars is a desktop planetarium for KDE. It is vulnerable to buffer overflow issues due to a failure to bounds-check user-supplied data copied into process memory. An attacker may leverage these issues to gain escalated privileges locally and, if the affected utility is run as a daemon, may carry out remote code execution with superuser privileges. KDE versions 3.3.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8094

  • 05.7.10 - CVE: CAN-2005-0446
  • Platform: Unix
  • Title: Squid Proxy DNS Name Resolver Remote Denial of Service
  • Description: Squid Proxy is vulnerable to a remote denial of service issue. This issue occurs when Squid performs a Fully-Qualified Domain Name (FQDN) lookup and receives an unexpected response. Squid versions 2.5.STABLE5 to 2.5.STABLE8 are known to be vulnerable.
  • Ref: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE8-dns_assert

  • 05.7.11 - CVE: CAN-2005-0372
  • Platform: Unix
  • Title: gFTP Remote Directory Traversal
  • Description: gFTP is a freely available graphical file transfer client. It is reported to be vulnerable to a remote directory traversal issue, due to a failure of the application to sanitize input supplied by malicious FTP servers. gFTP versions 2.0.17 and earlier are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14147/

  • 05.7.12 - CVE: CAN-2005-0073
  • Platform: Unix
  • Title: Sympa Buffer Overflow
  • Description: Sympa is a mailing list manager. Sympa is vulnerable to a buffer overflow due to a boundary error in the queue utility when processing command line arguments. Sympa version 4.1.3 and later resolve this issue.
  • Ref: http://www.debian.org/security/2005/dsa-677

  • 05.7.13 - CVE: CAN-2005-0349
  • Platform: Unix
  • Title: BrightStor ARCserve/Enterprise Backup Backdoor Account
  • Description: Computer Associates BrightStor ARCserve/Enterprise Backup products provide backup and restore solutions. The product contains a hardcoded backdoor account and password. Computer Associates BrightStor ARCServe Backup for Unix versions 11.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/12522/info/

  • 05.7.14 - CVE: CAN-2005-0202
  • Platform: Unix
  • Title: GNU Mailman Remote Directory Traversal
  • Description: GNU Mailman is software to manage email discussion lists. It is vulnerable to a remote directory traversal issue due to insufficient sanitization performed on user-supplied data in the "Mailman/Cgi/private.py" source file, which can allow a remote attacker to disclose the contents of web server readable files. Mailman versions 2.1.5 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8034

  • 05.7.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: lighttpd Remote CGI Script Disclosure
  • Description: lighttpd is a web server. lighttpd is vulnerable to an information disclosure issue. lighttpd versions 1.3.7 and earlier are known to be vulnerable.
  • Ref: http://article.gmane.org/gmane.comp.web.lighttpd/1171

  • 05.7.16 - CVE: CAN-2005-0305
  • Platform: Cross Platform
  • Title: Siteman Security Restriction Bypass
  • Description: Siteman is a web-based content management system. It is reported that there is an unspecified security restriction bypass vulnerability in the "users.php" script. Siteman versions 1.1.0 to 1.1.10 are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=304281

  • 05.7.17 - CVE: CAN-2005-0434
  • Platform: Cross Platform
  • Title: PHP-Nuke Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP-Nuke is a freeware content management system. PHP-Nuke is affected by various cross-site scripting vulnerabilities. PHP-Nuke versions 7.6 and earlier are known to be vulnerable.
  • Ref: http://www.waraxe.us/advisory-40.html

  • 05.7.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Multiple Remote Vulnerabilities
  • Description: Opera Web Browser is vulnerable to multiple issues, such as failing to properly validate Content-Type, filename and "data" URIs. Opera Web Browser versions 7.54-r3 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8077

  • 05.7.19 - CVE: CAN-2005-0429
  • Platform: Cross Platform
  • Title: VBulletin Forumdisplay.php Remote Command Execution
  • Description: VBulletin is a web-based bulletin board application. VBulletin is affected by a remote arbitrary command execution vulnerability. VBulletin versions 3.0 to 3.0.4 are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390380

  • 05.7.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Quake III Engine Remote Denial of Service
  • Description: Id Software Quake III Engine is a 3D graphics server. It is reported that the server is vulnerable to a denial of service attack. The attack is carried out when a client issues a query with a parameter of excessive length. Call of Duty games with patch 1.5b and 1.51b are not vulnerable. Other games that use the engine are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390286

  • 05.7.21 - CVE: CAN-2005-0260
  • Platform: Cross Platform
  • Title: BrightStor ARCserve/Enterprise Discovery Service Remote Buffer Overflow
  • Description: The Computer Associates BrightStor ARCserve/Enterprise Backup products provide backup and restore protection across various platforms. The ServicePC functionality of their discovery service is reported vulnerable to a buffer overflow. Attackers could leverage this to execute arbitrary code on a vulnerable system by sending malicious network data to TCP port 41523 on which the service listens.
  • Ref: http://www3.ca.com/Solutions/Product.asp?ID=4536

  • 05.7.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Firefox Remote SMB Document Local File Disclosure
  • Description: Firefox is a browser. It is reported to be vulnerable to disclosure of attacker-specified files on the client user's filesystem. The issue exists because Firefox fails to differentiate between content from the local filesystem and content from a remote filesystem. Firefox versions 1.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12533/info/

  • 05.7.23 - CVE: CAN-2005-0366
  • Platform: Cross Platform
  • Title: OpenPGP Chosen-Ciphertext Attacks in Cipher Feedback Mode
  • Description: There is a vulnerability in OpenPGP that can be used by attackers to recover partial plaintext content from messages employing symmetric encryption.
  • Ref: http://www.kb.cert.org/vuls/id/303094

  • 05.7.24 - CVE: CAN-2005-0088
  • Platform: Cross Platform
  • Title: Apache mod_python Module Publisher Handler Information Disclosure
  • Description: Apache's mod_python module is reported to be vulnerable to an information disclosure issue. A remote attacker could visit a carefully crafted URL that would gain access to objects that should not be visible, leading to an information leak. All versions of mod_python are considered vulnerable at the moment.
  • Ref: http://www.securityfocus.com/advisories/8044

  • 05.7.25 - CVE: CAN-2005-0371
  • Platform: Cross Platform
  • Title: Armagetron Advanced Multiple Remote Denial of Service Vulnerabilities
  • Description: Armagetron Advanced is a multiplayer game emulating the popular Tron light cycle routine. It is vulnerable to multiple denial of service vulnerabilities due to a failure of the application to handle malformed network data. An attacker may leverage these issues to cause a remote denial of service condition in affected applications. Armagetron versions 0.2.7 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390113

  • 05.7.26 - CVE: CAN-2005-0350
  • Platform: Cross Platform
  • Title: F-Secure ARJ Handling Buffer Overflow
  • Description: F-Secure's ARJ file handling functionality is reported to be vulnerable to a buffer overflow condition. Maliciously crafted ARJ archives can be used to execute arbitrary code on a vulnerable F-Secure installation.
  • Ref: http://xforce.iss.net/xforce/alerts/id/188
  • 05.7.28 - CVE: CAN-2005-0415
  • Platform: Cross Platform
  • Title: Emdros Database Engine Denial of Service
  • Description: Ulrik Petersen Emdros is a text database engine. It is vulnerable to a denial of service due to failing to manage memory when parsing excessively long, malformed SQL queries. Ulrik Petersen Emdros Database Engine versions 1.1.21 and earlier are reported to be vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=303465

  • 05.7.29 - CVE: Not Available
  • Platform: Web Application
  • Title: osCommerce contact_us.php Cross-Site Scripting
  • Description: osCommerce is reported vulnerable to a cross-site scripting issue. Attackers could leverage this towards theft of cookie-based authentication credentials. osCommerce version 2.2-MS2 is reported vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390540

  • 05.7.30 - CVE: Not Available
  • Platform: Web Application
  • Title: DCP-Portal Multiple SQL Injection Vulnerabilities
  • Description: DCP-Portal is a content management system. It is reported to be vulnerable to multiple SQL injection issues due to improper sanitization of the "uid", "lcat" and "dcat" variables of the "index.php" script and the "bid" and "mid" variables of the "forums.php" script. DCP-Portal version 6.1.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12565

  • 05.7.31 - CVE: CAN-2005-0409, CAN-2005-0410
  • Platform: Web Application
  • Title: CitrusDB CSV File Upload Access Validation Vulnerability
  • Description: CitrusDB is an open source customer database application using PHP and MySQL. It is vulnerable to an access validation issue that could result in an SQL injection attack. CitrusDB versions 0.3.6 and earlier are vulnerable.
  • Ref: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-004

  • 05.7.32 - CVE: CAN-2005-0407
  • Platform: Web Application
  • Title: OpenConf Paper Submission HTML Injection Vulnerability
  • Description: OpenConf is a web-based conferencing system. It is vulnerable to an HTML injection issue due to insufficient validation of data supplied through paper submissions within the OpenConf system which may permit an attacker to inject hostile HTML and script code into the session of a user who is reviewing the submitted paper. OpenConf version 1.0 4 is vulnerable to this issue.
  • Ref: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-007

  • 05.7.33 - CVE: CAN-2005-0408
  • Platform: Web Application
  • Title: CitrusDB Remote Authentication Bypass Vulnerability
  • Description: CitrusDB is a database application. CitrusDB is vulnerable to an authentication bypass issue because it is using a static value to create the authentication cookie. CitrusDB version 0.3.6 is known to be vulnerable.
  • Ref: http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005-002

  • 05.7.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Brooky CubeCart Multiple Vulnerabilities
  • Description: Brooky CubeCart is a web-based storefront application. It is reported to be vulnerable to multiple security issues including cross-site scripting and directory traversal attacks. These can be used towards theft of cookie-based authentication credentials and sensitive information disclosure. CubeCart versions 2.0.4 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390415

  • 05.7.35 - CVE: CAN-2005-0432
  • Platform: Web Application
  • Title: WebLogic Server and Express Authentication Failure Information Disclosure
  • Description: BEA WebLogic Server and WebLogic Express are enterprise application server products. They are reported to be vulnerable to an information disclosure issue due to a failure of the application to present authentication failures securely.
  • Ref: http://secunia.com/advisories/14298/

  • 05.7.36 - CVE: Not Available
  • Platform: Web Application
  • Title: AWStats Plugin Multiple Remote Command Execution
  • Description: AWStats is a CGI log analyzer that generates statistic reports based on HTTP, SMTP or FTP logs. Multiple remote command execution issues were reported for AWStats. Attackers could leverage these issues to execute arbitrary commands on the vulnerable web application.
  • Ref: http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf

  • 05.7.37 - CVE: Not Available
  • Platform: Web Application
  • Title: ASPJar Guestbook Multiple Vulnerabilities
  • Description: ASPJar Guestbook is a web-based forum application. It is reported to be vulnerable to an SQL injection issue due to improper sanitization of user-supplied input to the "admin/login.asp" script. It is also reported to be vulnerable to unauthorized access to the "delete.asp" script. ASPJar version 1.0 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14225/

  • 05.7.38 - CVE: Not Available
  • Platform: Web Application
  • Title: MercuryBoard SQL Injection
  • Description: MercuryBoard is a web-based message board application. It is reported to be vulnerable to an SQL injection issue. This can be leveraged by attackers to compromise the remote backend database. MercuryBoard versions 1.1.1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/389881

  • 05.7.39 - CVE: CAN-2005-0412
  • Platform: Web Application
  • Title: PostWrap Module Cross-Site Scripting Vulnerability
  • Description: PostWrap is a module for PostNuke. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of the "page" parameter. PostWrap versions 2.1 and 2.5 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12505/info/

  • 05.7.40 - CVE: CAN-2005-0413
  • Platform: Web Application
  • Title: MyPHP Forum Multiple SQL Injection Vulnerabilities
  • Description: MyPHP Forum is a web-based forum. MyPHP Forum is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied data. MyPHP Forum 1.0 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/389864

  • 05.7.41 - CVE: Not Available
  • Platform: Web Application
  • Title: xGB Authentication Bypass Vulnerability
  • Description: xGB is guestbook software. It is vulnerable to unauthorized administrative access. xGB version 2.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12489/

  • 05.7.42 - CVE: Not Available
  • Platform: Network Device
  • Title: F5 BIG-IP HTTP Pipelining OneConnect Information Leakage
  • Description: F5 BIG-IP is an appliance that provides a high-availability load balancing service. It is reported to be vulnerable to information leakage. Under certain circumstances, if pipelined HTTP requests are being made by web clients, the appliance can serve session data to the wrong clients. This vulnerability is reported to affect BIG-IP versions 4.0 through 4.6.2 and BIG-IP Blade Controller versions 4.2.1 through 4.6.2 that have the "OneConnect/Web Aggregation" functionality enabled.
  • Ref: http://www.securityfocus.com/bid/12464/

  • 05.7.43 - CVE: Not Available
  • Platform: Hardware
  • Title: Conexant AccessRunner DSL Console Default Backdoor Account Vulnerability
  • Description: Conexant AccessRunner DSL Console is the interface for administering and configuring DSL devices. It is vulnerable to a weak authentication issue: anyone who connects to TCP port 254 and enters "conexant" as the password is granted administrative access, which may allow remote attackers to modify router settings. Conexant AccessRunner DSL Console version 3.27 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/389994

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.