
@RISK: The Consensus Security Vulnerability Alert

Volume: IV, Issue: 9
March 3, 2005

Everyone who uses Computer Associates software should evaluate the critical buffer overflows (Item 1 below).

We hope to see you at SANS 2005 in San Diego, or at the conferences in Denver or Atlanta.  Extraordinary courses for security professionals, auditors, and managers. See details at http://www.sans.org

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    Other Microsoft Products        1
    Third Party Windows Apps        7
    Linux                           5
    HP-UX                           1
    Unix                            3
    Cross Platform                  14 (#1, #2, #3)
    Web Application                 22 (#5)
    Network Device                  2 (#4)

**************** This Issue Sponsored By Sourcefire *********************

Sourcefire, the creators of Snort, offers a comprehensive training curriculum that provides the Open Source Snort community with vendor neutral training on Building and Operating Snort and Snort Rules. Learn to use Snort effectively - understand the powerful technology and the rules that make it work. Register before March 31st and receive a 10% discount. http://www.snort.org and http://www.sourcefire.com

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
HP-UX
Unix
Cross Platform
Web Application
Network Device

************************ Sponsored Link *********************************

Visit Radware at the SANS Lone Star 2005 Tabletop Vendor Expo, Houston, TX, March 11, 2005. Download DefensePro whitepaper http://www.sans.org/info.php?id=732

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: RealNetworks RealPlayer SMIL Processing Buffer Overflow
  • Affected:
    • Windows OS:
      • RealPlayer version 10.5 Builds 6.0.12.1040-1056
      • RealPlayer version 10
      • RealOne Player v2 Builds 6.0.11.853 - 872
      • RealOne Player v2 Builds 6.0.11.818 - 840
      • RealOne Player v1
      • RealPlayer 8
      • RealPlayer Enterprise
    • Mac OS:
      • Mac RealPlayer 10 Builds 10.0.0.305 - 325
      • Mac RealOne Player
    • Linux OS:
      • Linux RealPlayer 10
      • Helix Player
  • Description: RealPlayer, a media player installed on millions of systems, contains a stack-based buffer overflow vulnerability. The overflow can be triggered by a specially crafted Synchronized Multimedia Integration Language (SMIL) file; a SMIL file defines the layout of a video presentation. The problem arises because the length of the "system-screen-size" attribute in a SMIL file is not checked before it is copied into a fixed-size buffer. Hence, a "system-screen-size" value longer than 256 bytes can trigger the overflow, which can be exploited to execute arbitrary code. Note that browsers such as Internet Explorer open a SMIL file automatically, without user interaction, so browsing a webpage or opening an email is sufficient to exploit the vulnerability.

  • Status: Vendor confirmed, updates available. The RealNetworks advisory also mentions fixing another buffer overflow in WAV file processing reported by NGSSoftware. The details of that vulnerability have not yet been posted to the public mailing lists.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at most of the council sites. One site plans to patch during their next regularly scheduled system maintenance process. Another site commented that they were not worried about this item since the RealPlayer software auto-updates. A few other sites notified their system support staff of the issue, but do not plan any further action.

  • References:
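As an added illustration (not code from the advisory, from RealNetworks, or from the RealPlayer source), the C below shows the defect class described for item (2): a SMIL attribute value copied into a fixed 256-byte stack buffer with no length check, beside the hardened copy that rejects over-long values, plus a gateway-side counter that flags SMIL documents carrying such values. The buffer size, the minimal attribute scanner, and the sample documents are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer the value was copied into; the advisory
 * states only that values longer than 256 bytes trigger the overflow. */
#define SCREEN_SIZE_BUF 256
#define ATTR_NAME "system-screen-size"

/* Find the quoted value of attr in src. Returns a pointer to the value and
 * stores its length in *len, or NULL when absent or unterminated. A minimal
 * scanner for the example, not a general XML parser. */
static const char *find_attr(const char *src, const char *attr, size_t *len)
{
    const size_t alen = strlen(attr);
    const char *p = src;

    while ((p = strstr(p, attr)) != NULL) {
        const char *q = p + alen;
        p = q;                              /* resume here if this is not attr="..." */
        while (*q == ' ' || *q == '\t') q++;
        if (*q++ != '=') continue;
        while (*q == ' ' || *q == '\t') q++;
        if (*q++ != '"') continue;
        const char *end = strchr(q, '"');
        if (end == NULL) return NULL;
        *len = (size_t)(end - q);
        return q;
    }
    return NULL;
}

/* The bug class the advisory describes: the value is copied into a fixed
 * stack buffer with no length check, so a value of 256 bytes or more writes
 * past the end of buf. Kept only to show the defect beside the fix; never
 * feed it untrusted input. */
int screen_size_unsafe(const char *tag, char *out, size_t outsz)
{
    char buf[SCREEN_SIZE_BUF];
    size_t len;
    const char *v = find_attr(tag, ATTR_NAME, &len);

    if (v == NULL) return -1;
    memcpy(buf, v, len);                    /* no bound on len */
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* Hardened form: check the length before copying and reject what does not
 * fit. Returns 0 on success, -1 if absent, -2 if the value is too long. */
int screen_size_safe(const char *tag, char out[SCREEN_SIZE_BUF])
{
    size_t len;
    const char *v = find_attr(tag, ATTR_NAME, &len);

    if (v == NULL) return -1;
    if (len >= SCREEN_SIZE_BUF) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Gateway-side check: count attribute values in a whole SMIL document that
 * would have overflowed the player's buffer. Any non-zero count is a file
 * worth blocking or quarantining. */
int count_overlong_screen_size(const char *doc)
{
    int hits = 0;
    size_t len;
    const char *v;
    const char *p = doc;

    while ((v = find_attr(p, ATTR_NAME, &len)) != NULL) {
        if (len >= SCREEN_SIZE_BUF) hits++;
        p = v + len;
    }
    return hits;
}

/* Build a constructed SMIL document whose system-screen-size value is
 * value_len bytes of 'A' (not a real sample from the advisory). Returns the
 * document length, or -1 if out is too small. */
int build_sample_smil(char *out, size_t outsz, size_t value_len)
{
    static const char head[] = "<smil><body><video src=\"clip.rm\" " ATTR_NAME "=\"";
    static const char tail[] = "\"/></body></smil>";
    size_t need = sizeof(head) - 1 + value_len + sizeof(tail) - 1 + 1;

    if (need > outsz) return -1;
    memcpy(out, head, sizeof(head) - 1);
    memset(out + sizeof(head) - 1, 'A', value_len);
    memcpy(out + sizeof(head) - 1 + value_len, tail, sizeof(tail));
    return (int)(need - 1);
}

int main(void)
{
    char doc[1024], value[SCREEN_SIZE_BUF];

    build_sample_smil(doc, sizeof doc, 7);      /* benign, "640X480"-sized */
    printf("benign:  safe=%d overlong=%d\n", screen_size_safe(doc, value),
           count_overlong_screen_size(doc));

    build_sample_smil(doc, sizeof doc, 300);    /* crafted, over 256 bytes */
    printf("crafted: safe=%d overlong=%d\n", screen_size_safe(doc, value),
           count_overlong_screen_size(doc));
    return 0;
}
```

The only difference between the two parsers is the single `len >= SCREEN_SIZE_BUF` test; the detection helper applies the same threshold to every occurrence in a document rather than only the first, since a crafted file can carry the attribute on any element.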
Other Software
  • (3) HIGH: Mozilla Browsers Multiple Vulnerabilities
  • Affected:
    • Mozilla version 1.7.5 and prior
    • Firefox version 1.0 and prior
  • Description: Mozilla and Firefox browsers contain multiple vulnerabilities that may be exploited by a malicious webpage to execute arbitrary code on a client system. A proof-of-concept exploit was posted last week that combines Mozilla's insufficient validation of dragged "javascript:" URLs with access to restricted URLs such as "about:config" via plug-in flaws to execute arbitrary code. Successful exploitation requires user interaction: the user needs to drag the scrollbar twice while viewing the attacker's webpage. A heap corruption vulnerability in Mozilla and Firefox that can possibly be exploited to execute arbitrary code has also been reported. It occurs because the return value of certain string functions is not properly checked; however, to exploit this flaw a malicious web server would need to send a large amount of data to the client browser.

  • Status: Vendor confirmed. Upgrade to Firefox 1.0.1 and Mozilla 1.7.6. The updates fix a number of other issues.

  • Council Site Actions: Most of the council sites either do not use Firefox and Mozilla or do not support it in an official manner. Thus, they are not taking any action. One site does plan to distribute patches during their next regularly scheduled system update process. A few other sites have notified either their system support staff or the small number of users who use the applications. However, no further action is planned.

  • References:
  • (4) MODERATE: Cisco ACNS DoS and Default Administrator Password
  • Affected:
    • ACNS Software versions 4.x, 5.0, 5.1 and 5.2
  • Description: Cisco Application and Content Networking Software (ACNS) runs on Cisco devices such as Content Engines, Content Routers and the Content Distribution Manager, and provides web caching. This software contains multiple denial of service vulnerabilities that may be triggered by specially crafted packets. In addition, the software has a default administrative password if ACNS setup has not been run. A remote attacker can take complete control of a device running ACNS using the default password. Technical details of the DoS flaws are not available at this time.

  • Status: Cisco confirmed, fixes available. A workaround is to manually change the administrator password on devices running ACNS by issuing the "username admin password <password>" command.

  • Council Site Actions: Only two of the reporting council sites are using the affected software. One site has already implemented the fix for this issue, and the second site plans to address the issue in their next regularly schedule system update process.

  • References:
  • (5) MODERATE: TWiki Remote Command Execution Vulnerabilities
  • Affected:
    • Possibly all current versions
  • Description: TWiki is Perl-based CGI software that allows multiple users to manage a web site's content through a web browser; it is widely used by companies for intranet content management. The software's "ImageGalleryPlugin" contains a remote command injection vulnerability. The flaw can reportedly be exploited by any attacker who can create or edit topics containing image galleries to execute arbitrary commands on the TWiki server. In addition, an unofficial patch has been released that claims to fix all command injection vulnerabilities; according to the discoverer's posting, there may be as yet undisclosed vulnerabilities in TWiki that this patch fixes.

  • Status: TWiki has not confirmed.

  • Council Site Actions: The affected software is not in production or widespread use, or is not officially supported at any of the council sites. They reported that no action was necessary. One site did send notification to their system support group.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 9, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4086 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 05.9.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft SharePoint Portal Remote Arbitrary File Creation
  • Description: Microsoft SharePoint Portal Client is reported to be vulnerable to an arbitrary file creation issue. Certain functions of the ActiveX control installed with this application can be used to create arbitrary files on the vulnerable host. Attackers could leverage this to compromise the remote vulnerable system.
  • Ref: http://support.microsoft.com/default.aspx?scid=kb;en-us;321780

  • 05.9.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Golden FTP Server Username Remote Buffer Overflow
  • Description: Golden FTP Server is a commercial FTP server application. It is reported to be vulnerable to a buffer overflow issue due to insufficient bounds checking when processing the "USER" command. Golden FTP server version 1.92 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12704

  • 05.9.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Trillian PNG Image Buffer Overflow
  • Description: Cerulean Studios Trillian is an instant messaging client. There is a remote buffer overflow vulnerability due to the failure of the application to handle malformed PNG image files. Cerulean Studios Trillian versions 3.0 and PRO 3.0 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/12703

  • 05.9.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RaidenHTTPD Multiple Remote Vulnerabilities
  • Description: RaidenHTTPD is web server software. RaidenHTTPD is affected by multiple remote vulnerabilities. RaidenHTTPD versions 1.1.32 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/391800

  • 05.9.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MercurySteam Scrapland Game Server Remote Denial of Service
  • Description: Scrapland is a network enabled client server game. Scrapland game server is affected by various denial of service vulnerabilities. Scrapland versions 1.0 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12680

  • 05.9.7 - CVE: CAN-2005-0575
  • Platform: Third Party Windows Apps
  • Title: Stormy Studios KNet Remote Buffer Overflow
  • Description: Stormy Studios KNet is an HTTP server. It is reported to be vulnerable to a remote buffer overflow issue, due to improper boundary checks. Stormy Studios KNet versions 1.4b and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12657

  • 05.9.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BadBlue MFCISAPICommand Remote Buffer Overflow
  • Description: Working Resources BadBlue Web server is intended to facilitate the sharing of various resources over a network. Working Resources BadBlue is affected by a remote buffer overflow vulnerability. Working Resources BadBlue version 2.55 is known to be affected.
  • Ref: http://www.securityfocus.com/bid/12673

  • 05.9.9 - CVE: CAN-2005-0520
  • Platform: Third Party Windows Apps
  • Title: ArGoSoft FTP Server Site Copy Shortcut File Upload Vulnerability
  • Description: ArGoSoft FTP server is an FTP server. The FTP "SITE COPY" command may be used to upload a malicious shortcut file to the server. ArGoSoft FTP server versions 1.4.2.7 and earlier are known to be vulnerable.
  • Ref: http://www.argosoft.com/ftpserver/changelist.aspx

  • 05.9.10 - CVE: Not Available
  • Platform: Linux
  • Title: Debian Reportbug Multiple Information Disclosure Vulnerabilities
  • Description: Debian reportbug is a utility designed to facilitate bug reporting. It is reported to be affected by multiple information disclosure issues. Attackers could leverage this issue to fetch the email smarthost passwords for legitimate users, or other sensitive information.
  • Ref: http://www.securityfocus.com/advisories/8154

  • 05.9.11 - CVE: CAN-2005-0470
  • Platform: Linux
  • Title: WPA_Supplicant Remote Buffer Overflow Vulnerability
  • Description: wpa_supplicant is a daemon designed to support Wi-Fi Protected Access (WPA). It is reported to be vulnerable to a buffer overflow issue while handling malicious EAPOL-key frames. Attackers could leverage this to execute arbitrary code on the system or cause a denial of service condition.
  • Ref: http://www.securityfocus.com/advisories/8148

  • 05.9.12 - CVE: CAN-2005-0577
  • Platform: Linux
  • Title: DNA MKBold-MKItalic Remote Format String Vulnerability
  • Description: DNA mkbold-mkitalic is a utility designed to convert standard font X BDF format font files to bold or italic fonts. It is reported to be vulnerable to a format string issue. DNA mkbold-mkitalic versions 0.6 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12657

  • 05.9.13 - CVE: CAN-2005-0546
  • Platform: Linux
  • Title: Cyrus IMAPD Multiple Remote Buffer Overflow Vulnerabilities
  • Description: Cyrus IMAPD is an IMAP daemon. It is reported to be vulnerable to multiple buffer overflow issues, due to improper sanitization of network input. Cyrus IMAPD versions 2.0.11 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12636

  • 05.9.14 - CVE: CAN-2005-0160
  • Platform: Linux
  • Title: Winace UnAce ACE Archive Multiple Remote Buffer Overflow Vulnerabilities
  • Description: Winace UnAce is an ACE file format archiver and unarchiver for the Linux platform. UnAce is affected by multiple remotely exploitable client-side buffer overflow vulnerabilities. UnAce versions 1.x and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8161

  • 05.9.15 - CVE: CAN-2005-0547
  • Platform: HP-UX
  • Title: HP-UX FTP Server Unspecified Restricted File Access
  • Description: The FTP server included with HP-UX is reported to be vulnerable to an unspecified issue. An authenticated remote attacker may exploit the issue to access restricted files.
  • Ref: http://www.securityfocus.com/bid/12651

  • 05.9.16 - CVE: CAN-2005-0107
  • Platform: Unix
  • Title: bsmtpd Remote Command Execution
  • Description: bsmtpd is a batched SMTP mailer for sendmail and postfix. It is vulnerable to a remote command execution due to insufficient sanitization of email addresses during mail delivery. bsmtpd versions 2.3 and earlier are vulnerable.
  • Ref: http://www.debian.org/security/2005/dsa-690

  • 05.9.17 - CVE: CAN-2005-0439
  • Platform: Unix
  • Title: ELOG Web Logbook Attached Filename Remote Buffer Overflow
  • Description: ELOG Web Logbook is an open source package designed to provide a logbook capable of being used through a web interface. ELOG Web Logbook is affected by a remote buffer overflow vulnerability. ELOG versions 2.5.6 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12639

  • 05.9.18 - CVE: CAN-2004-1120
  • Platform: Unix
  • Title: ProZilla Client-Side Format String Vulnerability
  • Description: ProZilla is a download accelerator for Unix like operating systems. It is vulnerable to a remote client-side format string issue due to an improper format string function and may be leveraged to execute arbitrary code on the affected system. ProZilla versions 1.3.7.3 and before are vulnerable.
  • Ref: http://secunia.com/advisories/13294/

  • 05.9.1 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Computer Associates Unicenter Multiple Vulnerabilities
  • Description: Computer Associates Unicenter is an enterprise asset management solution. It is vulnerable to multiple issues that may allow attackers to disclose sensitive information and carry out HTML injection and SQL injection attacks. Unicenter Asset Management 4.0 for Windows is vulnerable.
  • Ref: http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo64323

  • 05.9.19 - CVE: CAN-2005-0581, CAN-2005-0582, CAN-2005-0583
  • Platform: Cross Platform
  • Title: Computer Associates License Application Multiple Vulnerabilities
  • Description: Computer Associates License application is a remote license registration program for Computer Associates products. Computer Associates License client and server are vulnerable to multiple buffer overflow issues. Computer Associates License application versions 1.53 to 1.61.8 are known to be vulnerable.
  • Ref: http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp

  • 05.9.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHPNews Auth.PHP Remote File Include Vulnerability
  • Description: PHPNews is an open source PHP news application. PHPNews is affected by a remote PHP file include vulnerability. PHPNews versions 1.2.4 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/391896

  • 05.9.21 - CVE: CAN-2005-0455
  • Platform: Cross Platform
  • Title: RealOne/RealPlayer SMIL File Remote Buffer Overflow
  • Description: RealNetworks RealPlayer and RealOne Player are reported vulnerable to a remote stack based buffer overflow issue. The issue exists due to a lack of boundary checks performed by the application when parsing Synchronized Multimedia Integration Language (SMIL) files. A remote attacker may execute arbitrary code on a vulnerable computer to gain unauthorized access.
  • Ref: http://service.real.com/help/faq/security/050224_player/EN/

  • 05.9.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: 427BB Multiple Cross-Site Scripting Vulnerabilities
  • Description: 427BB is a bulletin board system. It is vulnerable to multiple cross-site scripting vulnerabilities due to the application failing to properly sanitize user-supplied input before using it in dynamically generated content. All versions of 427BB are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/391848

  • 05.9.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PostNuke SHOW Parameter Remote SQL Injection
  • Description: PostNuke is a Content Management System (CMS) available on Windows and Unix. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input in the "dl-search.php" script and may allow a remote attacker to access unauthorized data. PostNuke versions 0.760-RC2 and earlier are vulnerable.
  • Ref: http://news.postnuke.com/Article2669.html

  • 05.9.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PaNews Multiple Input Validation Vulnerabilities
  • Description: PaNews is a news management script. There are multiple input validation vulnerabilities due to the failure of the application to properly sanitize user-supplied input. PaNews version 2.0b4 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12687

  • 05.9.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: WebMod Content-Length Remote Heap Overflow
  • Description: WebMod is a multi-threaded HTTP web server. It is reported to be vulnerable to a remote heap overflow issue, due to improper boundary checks in the "server.cpp" file. WebMod versions 0.47 and earlier are reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14302/

  • 05.9.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Suite Multiple Remote Vulnerabilities
  • Description: Mozilla Suite is vulnerable to multiple remote vulnerabilities including buffer overflow, temporary directory creation, information disclosure and arbitrary file overwrite. Mozilla Firefox versions earlier than 1.0.1 and Mozilla Thunderbird versions earlier than 1.0.1 are vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8160

  • 05.9.27 - CVE: CAN-2005-0208
  • Platform: Cross Platform
  • Title: Gaim Remote Denial of Service Vulnerability
  • Description: Gaim is an instant messaging client that supports numerous protocols. Gaim is affected by a remote denial of service vulnerability. Gaim versions 1.1.4 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/8167

  • 05.9.28 - CVE: CAN-2005-0540, CAN-2005-0541, CAN-2005-0542
  • Platform: Cross Platform
  • Title: AlterPath Manager Multiple Remote Vulnerabilities
  • Description: Cyclades AlterPath Manager is a web-based remote network administration tool. There are multiple remote vulnerabilities such as information disclosure and bypassing access validation through the "consolename" parameter of the "consoleConnect.jsp" script. Cyclades AlterPath Manager version 1.x is reported to be vulnerable.
  • Ref: http://www.cirt.net/advisories/alterpath_disclosure.shtml http://www.cirt.net/advisories/alterpath_console.shtml http://www.cirt.net/advisories/alterpath_privesc.shtml

  • 05.9.29 - CVE: CAN-2005-0544, CAN-2005-0567
  • Platform: Cross Platform
  • Title: phpMyAdmin Multiple File Include Vulnerabilities
  • Description: phpMyAdmin is a tool that provides a web interface for handling MySQL administrative tasks. It is vulnerable to multiple file include vulnerabilities due to failing to properly sanitize user-supplied input prior to using it in a PHP "include()" or similar function call. phpMyAdmin versions 2.6.1 -rc1 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/391590

  • 05.9.30 - CVE: CAN-2005-0543
  • Platform: Cross Platform
  • Title: phpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpMyAdmin is a tool that provides a web interface for handling MySQL administrative tasks. phpMyAdmin is affected by multiple remote cross-site scripting vulnerabilities. phpMyAdmin versions prior to 2.6.1 pl1 are known to be vulnerable.
  • Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1149383&group_id=23067&atid=377408


  • 05.9.32 - CVE: Not Available
  • Platform: Web Application
  • Title: MercuryBoard Index.PHP SQL Injection
  • Description: MercuryBoard is a web-based message board application. It is reported vulnerable to an SQL injection issue. Attackers could leverage this to compromise the remote backend database. MercuryBoard version 1.1.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12707/

  • 05.9.33 - CVE: Not Available
  • Platform: Web Application
  • Title: ProjectBB Multiple Cross-Site Scripting Vulnerabilities
  • Description: ProjectBB is a bulletin board system. Insufficient sanitization of the "pages" parameter of the "drivers.php" script exposes the application to a cross-site scripting issue. Similar attacks are also possible using the text areas of the forum name, site name, maximum avatar size, category and forum fields. ProjectBB version 0.4.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/12709/info/

  • 05.9.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Forumwa Multiple Remote Input Validation Vulnerabilities
  • Description: Forumwa is a web-based discussion forum. It is reported to be vulnerable to multiple cross-site scripting and HTML injection issues due to improper sanitization of user-supplied input. Forumwa version 1 is reported to be vulnerable.
  • Ref: http://secunia.com/advisories/14418/

  • 05.9.35 - CVE: Not Available
  • Platform: Web Application
  • Title: CutePHP CuteNews X-Forwarded-For Script Injection
  • Description: CutePHP CuteNews is a news and web log management system. It is reported to be vulnerable to a remote script injection issue in the "X-Forwarded-For" POST parameter. An attacker may leverage this issue to inject arbitrary server-side scripts locally and client-side scripts remotely. CutePHP version 1.3.6 is reported to be affected.
  • Ref: http://www.securityfocus.com/archive/1/391807

  • 05.9.36 - CVE: Not Available
  • Platform: Web Application
  • Title: SafeHTML Multiple HTML Bypass Vulnerabilities
  • Description: SafeHTML is an HTML parser designed to strip potentially malicious content in HTML files. Insufficient sanitization of malicious HTML content in conjunction with x00 symbols exposes the application to an HTML bypass issue. SafeHTML versions 1.2.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/12692/info/

  • 05.9.37 - CVE: Not Available
  • Platform: Web Application
  • Title: PBLang Bulletin Board Personal Message Deletion Vulnerability
  • Description: PBLang is a PHP based bulletin board system. It is vulnerable to a design issue that can allow a registered user to delete arbitrary personal messages. PBLang versions 4.63 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/391858

  • 05.9.38 - CVE: CAN-2005-0526
  • Platform: Web Application
  • Title: PBLang Directory Traversal
  • Description: PBLang is a web-based bulletin board application. PBLang is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied data in the "orig" parameter of the "sendpm.php" script.
  • Ref: http://www.securityfocus.com/archive/1/391867

  • 05.9.39 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke Phoenix SQL Injection
  • Description: PostNuke is a weblog and content management System. Insufficient sanitization of the "catid" parameter of the "index.php" script exposes the application to an SQL injection issue. PostNuke versions 0.760-RC2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/12676/info/

  • 05.9.40 - CVE: Not Available
  • Platform: Web Application
  • Title: phpCOIN Multiple Remote Input Validation Vulnerabilities
  • Description: phpCOIN is a web-based customer information and shopping application. It is reported to be vulnerable to multiple SQL injection and cross-site scripting issues. The issues exist due to improper sanitization of user-supplied input.
  • Ref: http://secunia.com/advisories/14439/

  • 05.9.41 - CVE: CAN-2004-0944
  • Platform: Web Application
  • Title: Mitel 3300 Web Interface Authentication Bypass
  • Description: Mitel 3300 Integrated Communications Platform is a LAN PBX. It is vulnerable to an authentication bypass issue in its web interface. Mitel 3300 Integrated Communication Platform is known to be vulnerable.
  • Ref: http://www.corsaire.com/advisories/c040817-002.txt

  • 05.9.42 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke Phoenix Download Module Cross-Site Scripting
  • Description: PostNuke is affected by multiple cross-site scripting vulnerabilities. PostNuke Phoenix versions prior to version 0.760 RC3 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/391700

  • 05.9.43 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Authentication Bypass Vulnerability
  • Description: phpBB is a web forum application. It is vulnerable to an authentication bypass issue due to improper sanitization of user input during login and may be exploited by an attacker to authenticate as administrator. phpBB versions prior to 2.0.13 are vulnerable.
  • Ref: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563

  • 05.9.44 - CVE: Not Available
  • Platform: Web Application
  • Title: FCKeditor For PHP-Nuke Arbitrary File Upload
  • Description: FCKeditor is an online text and DHTML editor. Insufficient sanitization of filename extensions allows remote attackers to upload arbitrary files to a computer when it is used with PHP-Nuke. FCKeditor version 2.0 RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/12676/info/

  • 05.9.45 - CVE: CAN-2005-0574
  • Platform: Web Application
  • Title: CIS WebServer Directory Traversal
  • Description: CIS WebServer is vulnerable to a directory traversal attack. CIS WebServer version 3.5.13 is known to be vulnerable.
  • Ref: http://secunia.com/advisories/14392/

  • 05.9.46 - CVE: Not Available
  • Platform: Web Application
  • Title: CubeCart Multiple Cross-Site Scripting Vulnerabilities
  • Description: CubeCart is an online storefront application. Insufficient sanitization of user-supplied input in various scripts exposes the application to multiple cross-site scripting issues. CubeCart versions 2.0.5 and earlier are affected.
  • Ref: http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html

  • 05.9.47 - CVE: CAN-2005-0565
  • Platform: Web Application
  • Title: phpWebSite Remote Arbitrary PHP File Upload
  • Description: phpWebSite is a portal content management system. It is vulnerable to a remote arbitrary PHP file upload issue due to insufficient sanitization of uploaded image files. phpWebSite versions 0.10.0 and earlier are known to be vulnerable.
  • Ref: http://phpwebsite.appstate.edu/index.php?module=announce&ANN_id=922&ANN_user_op=view

  • 05.9.48 - CVE: CAN-2005-0569, CAN-2005-0570, CAN-2005-0571
  • Platform: Web Application
  • Title: PunBB Multiple Remote Input Validation Vulnerabilities
  • Description: PunBB is a web-based bulletin board application implemented in PHP with an SQL database back-end. PunBB is affected by multiple remote input validation vulnerabilities. PunBB versions 1.2.1 and earlier are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/391463

  • 05.9.49 - CVE: Not Available
  • Platform: Web Application
  • Title: OOApp Guestbook Multiple HTML Injection Vulnerabilities
  • Description: OOApp Guestbook is affected by multiple HTML injection issues. Insufficient sanitization of the "id" and the "page" parameter of the "home.php" script exposes these issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/12647/info/

  • 05.9.50 - CVE: CAN-2005-0538
  • Platform: Web Application
  • Title: ginp File Disclosure Vulnerability
  • Description: ginp is a web-based photo gallery. It is reported to be vulnerable to a file disclosure issue, due to improper sanitization of user-supplied input. ginp versions 0.21 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/12642

  • 05.9.51 - CVE: CAN-2005-0516
  • Platform: Web Application
  • Title: TWiki ImageGalleryPlugin Shell Command Injection
  • Description: TWiki is a web-based application that allows for creation and maintenance of web sites. The ImageGalleryPlugin can be exploited to inject arbitrary shell commands due to some configuration options used in ImageMagick. TWiki ImageGalleryPlugin version 1.x is vulnerable.
  • Ref: http://www.enyo.de/fw/security/notes/twiki-robustness.html

  • 05.9.52 - CVE: CAN-2005-0526
  • Platform: Web Application
  • Title: PBLang Bulletin Board System Cross-Site Scripting
  • Description: PBLang Bulletin Board System is vulnerable to a cross-site scripting issue. Attackers could leverage this towards theft of authentication credentials from legitimate clients. Version 4.65 of the application is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/391270

  • 05.9.53 - CVE: CAN-2005-0526
  • Platform: Web Application
  • Title: PBLang Bulletin Board HTML Injection Vulnerability
  • Description: PBLang is a bulletin board system. Insufficient sanitization of special characters in the body of the message by the "pmpshow.php" script exposes the application to an HTML injection issue. PBLang versions 4.65 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/391271

  • 05.9.54 - CVE: Not Available
  • Platform: Network Device
  • Title: Symantec Gateway Security SMTP Data Leak
  • Description: Symantec Gateway Security is a firewall appliance. It has been reported that this appliance leaks sensitive SMTP data when configured to load-balance two WAN network connections. The following versions are vulnerable: Symantec Firewall/VPN Appliance 200/200R with firmware builds prior to build 1.68 and later than 1.5Z, Symantec Gateway Security 360/360R with firmware builds prior to build 858, Symantec Gateway Security 460/460R with firmware builds prior to build 858, and Nexland Pro800turbo with firmware builds earlier than build 1.6X and later than 1.5Z.
  • Ref: http://securityresponse.symantec.com/avcenter/security/Content/2005.02.28.html

  • 05.9.55 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Application and Content Networking Systems Multiple Remote Vulnerabilities
  • Description: Cisco Application and Content Networking Systems (ACNS) are vulnerable to multiple denial of service conditions due to improper handling of malformed network data.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20050224-acnsdos.shtml

(c) 2005. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2005. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.