
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 8
February 24, 2005

Good News 1: A very light week for vulnerabilities (that we can all use after the extreme volume of critical vulnerabilities over the past few weeks.)

Good news 2: The early registration deadline for SANS2005 has been extended to March 7. See details of the nation's largest security training program (San Diego, April 5-13) at http://www.sans.org/sans2005

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Third Party Windows Apps    8 (#3)
    Linux                       1
    Unix                        4 (#5)
    Mac OS                      0 (#6)
    Cross Platform              12 (#1, #2)
    Web Application             17 (#4)
    Network Device              2

***************** This Issue Sponsored by Sourcefire ********************

Sourcefire, the creators of Snort, offers a comprehensive training curriculum that provides the Open Source Snort community with vendor neutral training on Building and Operating Snort and Snort Rules. Learn to use Snort effectively - understand the powerful technology and the rules that make it work. Register before March 31st and receive a 10% discount. http://www.snort.org and http://www.sourcefire.com

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application
Network Device

************************* Sponsored Links *******************************

(1) ALERT: Google Hacking/Web Application Worms - Are You Vulnerable? - WebInspect Product Trial http://www.sans.org/info.php?id=727

(2) From SANS: Turbo charge your security technology expertise with a SANS immersion training program. Programs are scheduled locally in more than 40 cities: see http://www.sans.org for cities, schedule and course list.

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Arkeia Network Backup Software Multiple Vulnerabilities
  • Affected:
    • Arkeia Network Backup Software versions prior to 5.3.5
  • Description: Arkeia is a commercial network backup product that runs on a variety of platforms including AIX, FreeBSD, HP-UX, IRIX, Debian, Mandrake, RedHat, SuSE, SCO, MacOS, NetWare, OpenBSD, Solaris, Tru64 Unix, and Windows NT/2000. It is used by many enterprises around the world, in the US, Australia, Germany, France, the UK and elsewhere. The software contains the following vulnerabilities:
    • (a) The Arkeia backup client, which listens on port 617/tcp by default, contains a stack-based buffer overflow in its processing of request number 77. An unauthenticated attacker can exploit the overflow to execute arbitrary code with "root"/"SYSTEM" privileges. Exploit code has been posted for various platforms including RedHat Linux, Windows 2000/XP/2003 and Mac OS. Note that by exploiting this vulnerability an attacker can potentially compromise every machine in the network that is being backed up.
    • (b) In the client's default configuration, any user who can initiate a connection to the backup client can read and write arbitrary files. The problem occurs because the default username/password for connecting to the client is "root". Overwriting critical files (such as "/etc/shadow" or "/etc/passwd" on Unix hosts) can lead to a complete compromise of the system running the Arkeia software. Exploit code for this flaw has been included in the Metasploit project.

  • Status: Vendor confirmed, patches available. Note that Appendix B in the Arkeia network backup user manual describes the steps to configure restricted access to the client and the server. A workaround is to block access to port 617/tcp at the network perimeter to prevent attacks originating from the Internet. According to SANS incidents.org, scanning activity aimed at locating vulnerable Arkeia backup systems has been increasing.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (2) HIGH: Trend Micro Products ARJ Handling Overflow
  • Affected:
    • Trend Micro Client/Server/Messaging Suite for SMB for Windows
    • Trend Micro InterScan eManager
    • Trend Micro InterScan Messaging Security Suite Linux/Windows/Solaris
    • Trend Micro InterScan VirusWall for Linux/Windows/HP-UX/AIX/Solaris
    • Trend Micro InterScan VirusWall for SMB
    • Trend Micro InterScan Web Security Suite for Linux/Windows/Solaris
    • Trend Micro InterScan WebManager
    • Trend Micro InterScan WebProtect for ISA
    • Trend Micro OfficeScan Corporate Edition
    • Trend Micro PC-cillin Internet Security
    • Trend Micro PortalProtect for SharePoint
    • Trend Micro ScanMail eManager
    • Trend Micro ScanMail for Lotus Domino on Windows/AS400/S390/AIX/Solaris
    • Trend Micro ScanMail for Microsoft Exchange
    • Trend Micro ServerProtect for Linux
    • Trend Micro ServerProtect for Windows/Novell Netware
  • Description: A large number of Trend Micro anti-virus products contain a heap-based buffer overflow vulnerability. The overflow can be triggered by a malicious ARJ (a compression format) archive. An unauthenticated attacker can compromise any client or server running the vulnerable Trend Micro product by delivering a malicious ARJ archive via email or web. The technical details regarding how to craft a malicious archive file can be found in the vendor's advisory.

  • Status: Vendor confirmed, upgrade to scan engine VSAPI 7.510 or higher. As an interim measure prior to patching, ARJ scanning can be disabled.

  • Council Site Actions: Due to the late breaking nature of the problem, we were unable to solicit any council site input.

  • References:
  • (3) MODERATE: HP Web Enabled Management Software Buffer Overflow
  • Affected:
    • HP HTTP Server version 5.95 and prior
    • HP Insight Management Agents for Servers
    • HP Version Control Repository Agent
    • HP Version Control Agent
    • HP Insight Manager 7
    • HP Array Configuration Utility
    • HP Performance Management Pack
    • HP Performance Management Pack Tools
    • ProLiant Performance Analyzer
  • Description: HP HTTP Server, a component of HP's web-enabled management software for Windows NT/2000/2003, contains a buffer overflow. The flaw can be triggered by a specially crafted input parameter in an HTTP request, and potentially exploited to execute arbitrary code. The technical details regarding how to craft HTTP requests to exploit this overflow are not available yet.

  • Status: HP has provided a fixed version, 5.96. A workaround is to block traffic to the HP web server (default port 2301/tcp).

  • Council Site Actions: Only two of the reporting council sites are running the affected software. One is staging the new version on affected servers and still evaluating whether this update should go out sooner than the next scheduled system update process. The other believes it has 10 or fewer installations of this software, if it is enabled by default on some types of equipment (e.g., PC servers) purchased from HP. They are investigating whether this software was shipped to them and left enabled by any system administrator at their site.

  • References:
Other Software
  • (4) HIGH: pMachine Remote PHP File Include Vulnerability
  • Affected:
    • All versions of pMachine Free/Pro
  • Description: pMachine, a web hosting software package, reportedly contains a PHP remote file include vulnerability. The flaw can be triggered by passing arbitrary input to the "pm_path" parameter used by pMachine's "mail_autocheck.php" script. An attacker can exploit this flaw to execute arbitrary PHP code on the web server running pMachine. The posted advisory shows how to construct a malicious HTTP request.

  • Status: Patch not available yet. A workaround is to turn the PHP "register_globals" directive off.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
  • (5) CRITICAL: GNU Cfengine RSA Authentication Heap Corruption
  • Description: Exploit code has been released for the heap overflow flaw (discovered in August 2004) in Cfengine's RSA authentication module. Note that an unauthenticated attacker can exploit the flaw to obtain root privileges. A workaround is to block port 5308/tcp at the network perimeter.

  • Council Site Actions: The affected software is in use at one Council site. They believe the software was patched months ago.

  • References:
Patches
  • (6) HIGH: Sun Java Plug-in Security Bypass
  • Description: Apple has released a security update for the security bypass vulnerability reported in Sun J2SE/JRE version 1.4.2 in November 2004. A malicious applet may exploit the flaw to execute arbitrary code on the client system with the privileges of the logged-on user.

  • Council Site Actions: Five of the reporting council sites provided updates for this item. Three of them will be distributing the patch during their next regularly scheduled system update process. The fourth site does not plan to take action. The fifth believes the Software Update facility already patched the software.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 8, 2005

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4080 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.8.1 - CVE: CAN-2005-0510
  • Platform: Third Party Windows Apps
  • Title: fallback-reboot Remote Denial of Service
  • Description: fallback-reboot is a daemon that allows users to remotely restart a computer. It is reported to be vulnerable to a remote denial of service condition. fallback-reboot versions 0.96 and prior are reported to be vulnerable.
  • Ref: http://dcs.nac.uci.edu/~strombrg/fallback-reboot/

  • 05.8.2 - CVE: CAN-2004-0466, CAN-2004-0465
  • Platform: Third Party Windows Apps
  • Title: WebConnect Multiple Remote Vulnerabilities
  • Description: OpenConnect WebConnect is a client-server application that provides secure browser-based emulation to mainframe, mid-range and Unix systems. The application is reported to have multiple vulnerabilities such as remote denial of service and directory traversal. OpenConnect WebConnect versions 6.4.4 and 6.5 are reported to be vulnerable.
  • Ref: http://cirt.dk/advisories/cirt-29-advisory.pdf

  • 05.8.3 - CVE: CAN-2005-0507
  • Platform: Third Party Windows Apps
  • Title: SD Server Directory Traversal Vulnerability
  • Description: The SD Server web server is reported to be vulnerable to directory traversal issues. Attackers could gain access to sensitive files outside the server root directory. This vulnerability is reported to affect SD Server versions 4.0.70 and earlier.
  • Ref: http://www.securityfocus.com/bid/12609/

  • 05.8.4 - CVE: CAN-2005-0501
  • Platform: Third Party Windows Apps
  • Title: Bontago Game Server Remote Nickname Buffer Overrun
  • Description: Bontago is a network enabled computer game. It is reported to be vulnerable to a buffer overflow issue due to improper boundary checks of the "nickname" parameter. Bontago versions 1.1 and earlier are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14350/

  • 05.8.5 - CVE: CAN-2005-0502
  • Platform: Third Party Windows Apps
  • Title: Xinkaa WEB Station Directory Traversal
  • Description: Xinkaa is a web server. It is vulnerable to a directory traversal issue exploitable using URL requests containing "../.." or "...." sequences. Xinkaa WEB Station versions 1.0.3 and earlier are vulnerable.
  • Ref: http://aluigi.altervista.org/adv/xinkaa-adv.txt

  • 05.8.6 - CVE: CAN-2005-0491
  • Platform: Third Party Windows Apps
  • Title: Arkeia Network Backup Agent Remote Unauthorized Access
  • Description: Knox Arkeia Network Backup is an enterprise-based backup software solution distributed and maintained by Knox Software. It is reported to be vulnerable to a remote unauthorized access issue. A remote attacker may connect to the affected service to initiate backup and restore requests in order to read and write arbitrary files.
  • Ref: http://metasploit.com/research/arkeia_agent/

  • 05.8.7 - CVE: CAN-2005-0467
  • Platform: Third Party Windows Apps
  • Title: PuTTY, PSFTP and PSCP Multiple Remote Integer Overflow Vulnerabilities
  • Description: PuTTY, PSFTP and PSCP are clients built for secure remote access. They are affected by multiple integer overflow issues. PuTTY, PSFTP and PSCP versions 0.56 and earlier are affected.
  • Ref: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html

  • 05.8.8 - CVE: CAN-2005-0478, CAN-2005-0479, CAN-2005-0480, CAN-2005-0481, CAN-2005-0482
  • Platform: Third Party Windows Apps
  • Title: TrackerCam Multiple Remote Vulnerabilities
  • Description: TrackerCam is HTTP server software that comes with PHP scripts to allow a webcam user to publish webcam content. TrackerCam is affected by multiple vulnerabilities. TrackerCam version 5.12 is known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/tcambof-adv.txt

  • 05.8.9 - CVE: Not Available
  • Platform: Linux
  • Title: OpenLDAP SlapD Remote Denial of Service
  • Description: OpenLDAP is an open-source implementation of the LDAP protocol. OpenLDAP is affected by multiple unspecified remotely exploitable denial of service vulnerabilities. OpenLDAP versions 2.2.6 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8112

  • 05.8.10 - CVE: CAN-2005-0505
  • Platform: Unix
  • Title: Information Resource Manager Authentication Unspecified Vulnerability
  • Description: IRM (Information Resource Manager) is a web-based ticket system built for IT HelpDesks. IRM is affected by an unspecified vulnerability in the LDAP login code of the software. IRM versions 1.5.1.4 and earlier are known to be vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=306629

  • 05.8.11 - CVE: CAN-2005-0491
  • Platform: Unix
  • Title: Arkeia Type 77 Request Remote Buffer Overrun
  • Description: Knox Arkeia Server is a backup software solution. Arkeia Server Backup is vulnerable to a remote buffer overrun issue due to insufficient boundary checking when handling data contained within a type 77 request packet. Arkeia Server versions 5.3 and earlier are known to be vulnerable.
  • Ref: http://www.knox-software.com/securityfix/

  • 05.8.12 - CVE: CAN-2005-0484
  • Platform: Unix
  • Title: GProFTPD GProstats Remote Format String Vulnerability
  • Description: GProftpd is an administration tool for the Proftpd standalone server. The gprostats utility that ships with GProftpd is vulnerable to a remote format string issue, caused by improper format string usage, which an attacker can exploit to execute arbitrary code in the context of this utility. GProftpd versions 8.1.7 and earlier are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/advisories/8110

  • 05.8.13 - CVE: CAN-2005-0483
  • Platform: Unix
  • Title: glFTPD ZIP Plugins Directory Traversal
  • Description: glFTPD is reported to be vulnerable to directory traversal issues. Attackers can leverage these issues to enumerate files or gain unauthorized access to files present outside the server's root directory. glFTPD versions 1.26 to 2.00 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390924

  • 05.8.14 - CVE: CAN-2005-0161
  • Platform: Cross Platform
  • Title: UnAce Archive Directory Traversal
  • Description: Winace UnAce is an ACE file compression utility. It is vulnerable to a directory traversal issue due to insufficient sanitization of file and directory names contained within the ACE format archives. Winace UnAce versions 1.x are vulnerable.
  • Ref: http://www.securityfocus.com/bid/12628/info/

  • 05.8.15 - CVE: CAN-2005-0509
  • Platform: Cross Platform
  • Title: Mono Multiple Cross-Site Scripting Vulnerabilities
  • Description: Mono is a development platform based on the .NET framework. Insufficient sanitization of unicode characters exposes Mono to multiple cross-site scripting issues when the "responseEncoding" parameter is specified to "windows-1251" or "koi-8". Mono versions 1.0.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/12626/info/

  • 05.8.16 - CVE: CAN-2005-0259
  • Platform: Cross Platform
  • Title: PHPBB Arbitrary File Disclosure Vulnerability
  • Description: phpBB is a web forum application. It is affected by an arbitrary file disclosure vulnerability. phpBB versions 2.0.11 and earlier are affected by this issue.
  • Ref: http://www.phpbb.com/phpBB/viewtopic.php?t=265423

  • 05.8.17 - CVE: CAN-2005-0490
  • Platform: Cross Platform
  • Title: cURL/libcURL NTLM Authentication Buffer Overflow
  • Description: cURL is a utility for retrieving remote content from servers over a number of protocols. It is vulnerable to a remotely exploitable stack-based buffer overflow. curl versions 7.13 and earlier are known to be vulnerable.
  • Ref: http://curl.haxx.se/

  • 05.8.18 - CVE: CAN-2005-0490
  • Platform: Cross Platform
  • Title: cURL/libcURL Kerberos Authentication Buffer Overflow
  • Description: cURL is a utility for retrieving remote content from servers over a number of protocols. It has been reported that cURL and libcURL are vulnerable to a remotely exploitable stack-based buffer overflow issue. Attackers could leverage this to cause a denial of service condition or execute arbitrary code on the vulnerable system.
  • Ref: http://www.securityfocus.com/archive/1/391041

  • 05.8.19 - CVE: CAN-2005-0495
  • Platform: Cross Platform
  • Title: ZeroBoard Multiple Cross-Site Scripting Vulnerabilities
  • Description: ZeroBoard is affected by multiple cross-site scripting issues. Insufficient sanitization of user-supplied input in the "zboard.php" and "view_image.php" script exposes various cross-site scripting issues. Zeroboard versions 4.1 pl6 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/390933

  • 05.8.20 - CVE: CAN-2005-0486
  • Platform: Cross Platform
  • Title: Tarantella Enterprise/Secure Global Information Disclosure
  • Description: Tarantella Enterprise 3 and Secure Global Desktop are system administration packages. When the products are used in combination with RSA SecurID, multiple users with the same username can disclose sensitive data upon failed login attempts. Tarantella Enterprise 3 versions 3.30, 3.40 and Tarantella Secure Global Desktop Enterprise Edition versions 3.42 and 4.0 are vulnerable.
  • Ref: http://www.tarantella.com/security/bulletin-11.html

  • 05.8.21 - CVE: CAN-2005-0158
  • Platform: Cross Platform
  • Title: Bidwatcher Remote Format String Vulnerability
  • Description: Bidwatcher is a tool for monitoring eBay auctions. It is vulnerable to a remote format string issue. Bidwatcher versions 1.3.16 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12590

  • 05.8.22 - CVE: CAN-2005-0243
  • Platform: Cross Platform
  • Title: Yahoo! Messenger Download Dialogue Box File Name Spoofing
  • Description: Yahoo! Messenger is a jabber tool. It is vulnerable to a remote dialogue box spoofing issue due to a design error. Yahoo! Messenger version 6.0.0.1750 is known to be vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-2/advisory/

  • 05.8.23 - CVE: CAN-2005-0472, CAN-2005-0473
  • Platform: Cross Platform
  • Title: Gaim Multiple Remote Denial of Service Vulnerabilities
  • Description: Gaim is an instant messaging client. It is reported to be vulnerable to multiple remote denial of service issues. Remote AIM or ICQ users may trigger a crash in a client by sending malformed SNAC packets. The second issue arises during the parsing of malformed HTML data which results in a crash. Gaim versions 1.1.3 and earlier are affected.
  • Ref: http://gaim.sourceforge.net/security/index.php?id=11

  • 05.8.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: WebCalendar SQL Injection
  • Description: WebCalendar is a web-based calendar application. It is vulnerable to an SQL injection issue when decoded cookie data is inserted directly into an SQL query. WebCalendar versions 0.9.45 and earlier are reported to be vulnerable.
  • Ref: http://www.scovettalabs.com/advisory/SCL-2005.001.txt

  • 05.8.25 - CVE: CAN-2005-0485
  • Platform: Cross Platform
  • Title: PaNews Cross-Site Scripting
  • Description: PaNews is a PHP news management script. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of the "showpost" parameter in the "comment.php" script. PaNews version 2.0b4 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390700

  • 05.8.26 - CVE: Not Available
  • Platform: Web Application
  • Title: MediaWiki Multiple Unspecified Remote Vulnerabilities
  • Description: MediaWiki is an open source portal application. It is vulnerable to multiple unspecified cross-site scripting and directory traversal issues. MediaWiki versions prior to 1.3.11 are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=307067

  • 05.8.27 - CVE: Not Available
  • Platform: Web Application
  • Title: iGeneric iG Shop Multiple SQL Injection Vulnerabilities
  • Description: iGeneric iG Shop is a shopping cart application. It is reported to be vulnerable to multiple SQL injection issues due to improper sanitization of user-supplied input. iG Shop version 1.2 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14369/

  • 05.8.29 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPBB Multiple Vulnerabilities
  • Description: PhpBB is a web forum application. It is affected by multiple remote path disclosure vulnerabilities due to insufficient sanitization of the user-supplied input. PhpBB version 2.0.12 fixes these issues.
  • Ref: http://www.securityfocus.com/bid/12618/info/

  • 05.8.30 - CVE: CAN-2005-0493
  • Platform: Web Application
  • Title: Biz Mail Form Unauthorized Mail Relay Vulnerability
  • Description: Biz Mail Form is a CGI application that sends delimited form data to email addresses. It is vulnerable to an issue that allows the application to be abused as a mail relay due to an input validation error in the "email" parameter of the "bizmail.cgi" script. This can be exploited by an attacker to send emails to arbitrary computers through the affected machine. Biz Mail Form versions prior to 2.2 are vulnerable to this issue.
  • Ref: http://www.bizmailform.com/

  • 05.8.31 - CVE: Not Available
  • Platform: Web Application
  • Title: vBulletin Arbitrary PHP Script Code Execution
  • Description: vBulletin is a web-based bulletin board application. It is reported to be vulnerable to an arbitrary script code execution issue, due to improper sanitization of user-supplied input to the "template" URL parameter in the "misc.php" script. vBulletin versions 3.0.6 and earlier are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14326/

  • 05.8.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Verity Ultraseek Cross-Site Scripting
  • Description: Verity Ultraseek is a web-based search application. Insufficient sanitization of user-supplied input exposes a cross-site scripting issue in the application. Ultraseek versions 5.3.2 and earlier are affected.
  • Ref: http://www.kb.cert.org/vuls/id/716144

  • 05.8.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Open Source Remote File Include
  • Description: Mambo Open Source is a web-based content management application. Mambo is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied data to the "mosConfig_absolute_path" variable of the "tar.php" script. Mambo Open Source versions 4.5.2.0 and earlier are known to be vulnerable.
  • Ref: http://secunia.com/advisories/14337/

  • 05.8.34 - CVE: CAN-2005-0463
  • Platform: Web Application
  • Title: INL Ulog-php Multiple SQL Injection Vulnerabilities
  • Description: INL Ulog-php is a firewall log analysis web interface. Insufficient sanitization of user-supplied input in the "port.php", "host.php" and "index.php" scripts exposes the application to multiple SQL injection issues. INL Ulog-php versions 0.8.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/12610/info/

  • 05.8.35 - CVE: Not Available
  • Platform: Web Application
  • Title: paNews Remote PHP Script Code Execution
  • Description: paNews is a news management script. It is vulnerable to a remote PHP script code execution issue due to improper validation of the "shadowcopy" parameter in the "admin-setup.php" script. paNews version 2.0b4 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/391198

  • 05.8.36 - CVE: Not Available
  • Platform: Web Application
  • Title: PMachine Pro Remote File Include Vulnerability
  • Description: pMachine Pro is a web content management system implemented in PHP. It is vulnerable to a remote file include issue due to a failure of the application to properly sanitize user-supplied input before using the "include()" function which may be leveraged by an attacker to execute arbitrary server side script code in the context of the web server process. pMachine Pro 2.4 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/12597/discussion/

  • 05.8.37 - CVE: CAN-2005-0461
  • Platform: Web Application
  • Title: NewsBruiser Comment System Security Restrictions Bypass
  • Description: NewsBruiser is a weblog application. Reportedly, attackers can bypass security restrictions and delete or approve weblogs. NewsBruiser versions 2.6.0 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12579/

  • 05.8.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Skull-Splitter Guestbook HTML Injection
  • Description: Skull-Splitter Guestbook is affected by an HTML injection issue due to insufficient sanitization of user-supplied input. Skull-Splitter Guestbook version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/12580/info/

  • 05.8.39 - CVE: CAN-2005-0251, CAN-2005-0252, CAN-2005-0253, CAN-2005-0254
  • Platform: Web Application
  • Title: BibORB Multiple Input Validation Vulnerabilities
  • Description: BibORB is a web interface for BibTeX bibliographies. It is vulnerable to multiple cross-site scripting, SQL injection and directory traversal issues which may enable an attacker to execute script in the user's browser or arbitrary SQL commands on the server. BibORB versions 1.3.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390771

  • 05.8.40 - CVE: CAN-2005-0475
  • Platform: Web Application
  • Title: paFaq SQL Injection Vulnerability
  • Description: paFaq is a web-based FAQ management application. It is reported to be vulnerable to an SQL injection issue, due to improper sanitization of user-supplied input to multiple script files. paFaq beta4 is reported to be vulnerable.
  • Ref: http://www.security-focus.com/bid/12582/info/

  • 05.8.41 - CVE: CAN-2005-0462
  • Platform: Web Application
  • Title: MercuryBoard Forum Cross-Site Scripting
  • Description: MercuryBoard is a web-based message board application. MercuryBoard is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied data in the "f" parameter of the "forum.php" script. MercuryBoard versions 1.x are known to be vulnerable.
  • Ref: http://lostmon.blogspot.com/2005/02/mercuryboard-forumphp-f-variable-xss.html

  • 05.8.42 - CVE: CAN-2005-0439, CAN-2005-0440
  • Platform: Web Application
  • Title: ELOG Web Logbook Multiple Remote Vulnerabilities
  • Description: ELOG Web Logbook is a web-based logbook. It is reported to be vulnerable to buffer overflow and unauthorized access issues. These issues present themselves due to insufficient boundary checks and improper sanitization of user-supplied input. ELOG versions 2.5.6 and earlier are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14268/

  • 05.8.43 - CVE: CAN-2005-0498, CAN-2005-0499
  • Platform: Network Device
  • Title: Gigafast EE400-R Router Multiple Remote Vulnerabilities
  • Description: Gigafast EE400-R is a hardware router appliance. It is reported to be vulnerable to an unauthorized access issue, allowing the "backup.cfg" file to be accessed without any authorization. A denial of service issue is also reported with the "DNS proxy" functionality.
  • Ref: http://secunia.com/advisories/14366/

  • 05.8.44 - CVE: CAN-2005-0494
  • Platform: Network Device
  • Title: Thomson TCW690 Cable Modem Multiple Vulnerabilities
  • Description: Thomson TCW690 cable modem is reported to be vulnerable to multiple remote issues, which may allow an attacker to cause a denial of service condition and/or gain unauthorized access to the device. Thomson TCW690 with firmware version ST42.03.0a is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/390940
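Working through the Part II list by hand is tedious when you track it against your own inventory. The following added example (not part of the newsletter and not Qualys's tooling) parses entries in the format used above into structured records, copes with a Ref URL wrapped onto a second line, CVE lists without spaces and entries marked "CVE: Not Available", and indexes entries by CVE so that duplicates such as the two cURL items show up. The sample text is an excerpt copied from the list above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample input: five entries copied from the Part II list above, including the PuTTY entry
# whose Ref URL was wrapped onto a second line and the TrackerCam entry whose CVE list has no spaces.
SAMPLE = """\
  • 05.8.7 - CVE: CAN-2005-0467
  • Platform: Third Party Windows Apps
  • Title: PuTTY, PSFTP and PSCP Multiple Remote Integer Overflow Vulnerabilities
  • Description: PuTTY, PSFTP and PSCP are clients built for secure remote access. They are affected by multiple integer overflow issues. PuTTY, PSFTP and PSCP versions 0.56 and earlier are affected.
  • Ref: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.htm
    l

  • 05.8.8 - CVE:CAN-2005-0478,CAN-2005-0479,CAN-2005-0480,CAN-2005-0481,CAN-2005-0482
  • Platform: Third Party Windows Apps
  • Title: TrackerCam Multiple Remote Vulnerabilities
  • Description: TrackerCam is HTTP server software that comes with PHP scripts to allow a webcam user to publish webcam content. TrackerCam is affected by multiple vulnerabilities. TrackerCam version 5.12 is known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/tcambof-adv.txt

  • 05.8.9 - CVE: Not Available
  • Platform: Linux
  • Title: OpenLDAP SlapD Remote Denial of Service
  • Description: OpenLDAP is an open-source implementation of the LDAP protocol. OpenLDAP is affected by multiple unspecified remotely exploitable denial of service vulnerabilities. OpenLDAP versions 2.2.6 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8112

  • 05.8.17 - CVE: CAN-2005-0490
  • Platform: Cross Platform
  • Title: cURL/libcURL NTLM Authentication Buffer Overflow
  • Description: cURL is a utility for retrieving remote content from servers over a number of protocols. It is vulnerable to a remotely exploitable stack-based buffer overflow. curl versions 7.13 and earlier are known to be vulnerable.
  • Ref: http://curl.haxx.se/

  • 05.8.18 - CVE: CAN-2005-0490
  • Platform: Cross Platform
  • Title: cURL/libcURL Kerberos Authentication Buffer Overflow
  • Description: cURL is a utility for retrieving remote content from servers over a number of protocols. It has been reported that cURL and libcURL are vulnerable to a remotely exploitable stack-based buffer overflow issue. Attackers could leverage this to cause a denial of service condition or execute arbitrary code on the vulnerable system.
  • Ref: http://www.securityfocus.com/archive/1/391041
"""

CVE_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")          # old CAN- prefix and CVE- prefix
HEAD_RE = re.compile(r"^(\d+\.\d+\.\d+)\s*-\s*CVE:\s*(.*)$")  # "05.8.7 - CVE: ..." header line
FIELD_RE = re.compile(r"^(Platform|Title|Description|Ref):\s*(.*)$")
BULLET_RE = re.compile(r"^\s*•\s*")

@dataclass
class Entry:
    ident: str
    cves: list = field(default_factory=list)   # empty when the entry says "Not Available"
    platform: str = ""
    title: str = ""
    description: str = ""
    ref: str = ""

    def affected_versions(self):
        """First sentence of the description that names a version or firmware, or '' if none."""
        for sentence in re.split(r"(?<=[.!?])\s+", self.description):
            if re.search(r"\bversions?\b|\bfirmware\b", sentence):
                return sentence.strip()
        return ""

def parse_entries(text):
    """Split bulletin text into Entry records; a blank line ends an entry."""
    entries, current, last_field = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            current, last_field = None, None
            continue
        line = BULLET_RE.sub("", raw).rstrip()
        if BULLET_RE.match(raw):
            m = HEAD_RE.match(line)
            if m:
                current = Entry(ident=m.group(1), cves=CVE_RE.findall(m.group(2)))
                entries.append(current)
                last_field = None
                continue
            m = FIELD_RE.match(line)
            if m and current is not None:
                last_field = m.group(1).lower()
                setattr(current, last_field, m.group(2).strip())
                continue
        if current is not None and last_field:
            # Continuation of a wrapped field: a URL is re-joined without a space, prose with one.
            sep = "" if last_field == "ref" else " "
            setattr(current, last_field, getattr(current, last_field) + sep + line.strip())
    return entries

def group_by_cve(entries):
    """Map each CVE to the identifiers of the entries citing it; lists longer than 1 are duplicates."""
    groups = defaultdict(list)
    for e in entries:
        for cve in e.cves:
            groups[cve].append(e.ident)
    return dict(groups)
```

Feed the whole Part II text to parse_entries() to get every entry; the missing 05.8.28 simply yields no record.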

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.