@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 1
January 5, 2006

This issue was delayed because we were waiting for the Microsoft patch for the WMF vulnerability. It is now available directly from Microsoft.

A research project opportunity to give back to the community: for DoD and other government employees and consultants who know about C&A and DITSCAP. If you have knowledge of either good or bad practices, please email info@sans.org with subject C&A.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    Windows                         1 (#1)
    Other Microsoft Products        1
    Third Party Windows Apps        1
    Linux                           1
    Cross Platform                  2
    Web Application                 15
    Hardware                        3

************************ Sponsored Links: *****************************

1) Free SANS Webcasts! "Update on the Law of IT Security Policies: New Guidance under GLBA" Tuesday, January 10 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=975

2) Internet Storm Center: "Threat Update" webcast Wednesday, January 11 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=976

*************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Web Application
Other Microsoft Products
Third Party Windows Apps
Cross Platform
Linux
Hardware
PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) UPDATE: Microsoft WMF Handling Remote Code Execution
  • Description: Updated exploit code has been publicly posted that initially bypassed many AV products as well as IDS/IPS systems. The new exploit code pads the malicious WMF file with certain benign metafile function records, and further variants can be created by changing the function numbers used in the padding. Reports indicate that the malicious WMF files (which can be camouflaged with benign extensions such as jpg or gif) are being sent via links in IM chat. NIST has reported that Lotus Notes uses the vulnerable Windows DLL to open WMF images and hence is affected by the flaw as well. An unofficial patch has been published by Ilfak Guilfanov (creator of IDA Pro). The patch has been verified by SANS Incident Handlers and works as intended. Because this vulnerability has a large number of attack vectors (the malicious WMF file can be delivered via HTTP, file sharing, IM or e-mail), it is recommended to apply the unofficial patch to protect client systems. Meanwhile, Microsoft is preparing to release the official patch next Tuesday (Jan 10, 2006) along with other security updates.

  • Council Site Actions: All reporting council sites are responding to this issue. Most are keeping their AV signatures up to date and are waiting for the official MS patch. Most sites will deploy the MS patch on an expedited basis when it arrives and after they have completed QA. Some sites have also updated their IDS/IPS signatures, are black-holing URLs hosting malicious content as they become known, and are removing all WMF attachments. Several sites have tested unregistering the DLL, but this broke several of their applications. Several sites are also considering deploying the unofficial patch if the risk increases.

  • References:
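The padding technique described above defeats signatures that expect the trigger at a fixed offset or behind a known file extension; a detector that identifies the format by its header and walks the record stream is unaffected by either trick. The following Python parser is an added example (not code from the bulletin, TippingPoint or SANS) that does exactly that. It assumes the trigger for this flaw is the Escape record carrying the SETABORTPROC sub-code (9), a detail the bulletin does not state, and the sample files it builds are constructed for the test and carry no payload.

```python
import struct

# WMF constants (MS-WMF): record function numbers and the escape sub-code.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103          # a benign record, used here as padding
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009      # assumed trigger sub-code for this flaw
PLACEABLE_KEY = 0x9AC6CDD7        # magic of the optional "placeable" header

def is_wmf(data):
    """Identify a WMF by its header bytes, ignoring whatever extension it carries."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        ftype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return False

def wmf_records(data):
    """Yield (function, params) per record by following record sizes, not fixed offsets."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += 18  # skip the 18-byte META_HEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            break  # malformed record; stop rather than loop forever
        end = off + size_words * 2
        yield func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end

def find_setabortproc(data):
    """Indexes of ESCAPE/SETABORTPROC records, however many padding records precede them."""
    if not is_wmf(data):
        return []
    hits = []
    for idx, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC:
                hits.append(idx)
    return hits

def record(func, *words):
    """Encode one record: size in 16-bit words, function number, parameter words."""
    return struct.pack("<IH", 3 + len(words), func) + b"".join(struct.pack("<H", w) for w in words)

def build_sample(padding_records):
    """Constructed test input: header, N benign records, an empty escape record, EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    body = b"".join(record(META_SETMAPMODE, 8) for _ in range(padding_records))
    body += record(META_ESCAPE, ESCAPE_SETABORTPROC, 0) + record(META_EOF)
    return header + body
```

Calling `find_setabortproc(build_sample(n))` returns `[n]` for any amount of padding, which is the property a signature keyed to a byte offset lacks.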

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 1, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4750 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.01.1 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPSurveyor SID Parameter SQL Injection
  • Description: PHPSurveyor is a web-based application for performing online surveys. Insufficient sanitization of the "sid" parameter exposes the application to an SQL injection issue. PHPSurveyor version 0.99
  • Ref: http://www.securityfocus.com/bid/16077

  • 06.01.2 - CVE: Not Available
  • Platform: Web Application
  • Title: Koobi BBCode URL Tag Script Injection
  • Description: Koobi is prone to a script injection issue due to insufficient sanitization of user supplied input. Attacker-supplied HTML and script code would be able to access properties of the site, potentially allowing for theft of cookie-based authentication credentials. Koobi version 5 is affected.
  • Ref: http://www.securityfocus.com/bid/16078

  • 06.01.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer MSHTML.DLL HTML Parsing Denial of Service
  • Description: Microsoft Internet Explorer is affected by a denial of service vulnerability because the application fails to properly parse certain malformed HTML content. An attacker may exploit this issue by enticing a user to visit a malicious site, resulting in a denial of service condition in the application. Internet Explorer versions 6.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16079/info

  • 06.01.4 - CVE: CVE-2005-4593
  • Platform: Web Application
  • Title: phpDocumentor Remote and Local File Include Vulnerabilities
  • Description: phpDocumentor is a web-based application that is used to create professional documentation from php source code. It is vulnerable to multiple remote and local file include issues due to insufficient sanitization of user-supplied data. phpDocumentor versions 1.3.0 RC4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16080

  • 06.01.5 - CVE: Not Available
  • Platform: Web Application
  • Title: GMailSite Cross-Site Scripting
  • Description: GMailSite is a web-based application that archives messages from users' GMail accounts. GFHost is a similar script. Both are vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "lng" parameter of the "index.php" script. GMailSite versions 1.0.4 and earlier are vulnerable. GFHost version 0.4.2 is vulnerable.
  • Ref: http://lostmon.blogspot.com/2005/12/gmailsite-variable-cross-site.html

  • 06.01.6 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB Globa.PHP Cookie Data SQL Injection
  • Description: MyBB is web forum software. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input. The vulnerability presents itself when user-supplied input via cookie data is passed to the "logon" parameter of the "admin/globa.php" script. MyBB version 1.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/16082/exploit

  • 06.01.7 - CVE: CVE-2005-4599, CVE-2005-4600
  • Platform: Web Application
  • Title: TinyMCE Compressor Multiple Vulnerabilities
  • Description: TinyMCE is a platform-independent web-based JavaScript HTML WYSIWYG editor control. TinyMCE Compressor is a script that may optionally be used with the application to compress the generated JavaScript output. TinyMCE Compressor is prone to a file disclosure vulnerability and is also affected by multiple cross-site scripting and HTML injection vulnerabilities. TinyMCE Compressor versions 1.0.5 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16083

  • 06.01.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ARJ Archive Filename Handling Buffer Overflow
  • Description: TUGZip is prone to a buffer overflow issue which is exposed when the application extracts an ARJ archive that contains a file with a long name. The cause of the vulnerability is insufficient bounds checking on the length of the externally supplied file name before it is copied into a finite process buffer. TUGZip version 3.4.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/16084

  • 06.01.9 - CVE: Not Available
  • Platform: Web Application
  • Title: Web Wiz Multiple Products SQL Injection Vulnerabilities
  • Description: Web Wiz is affected by multiple SQL injection issues due to insufficient sanitization of the "txtUserName" parameter in the "check_user.asp" script. Web Wiz Site News 3.06 for Access 2000 and Access 97, Web Wiz Journal 1.0 for Access 2000 and Access 97, Web Wiz Polls 3.06 for Access 2000 and Access 97, and Web Wiz Database Login 1.71 for Access 2000 and Access 97 are affected.
  • Ref: http://www.securityfocus.com/bid/16085

  • 06.01.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VMWare ESX Server Management Interface Code Execution
  • Description: VMWare ESX Server is a virtual machine server that allows for multiple virtual servers to be deployed and managed. VMWare ESX Server is prone to an unspecified remote code execution vulnerability. Please refer to the following advisory for a list of vulnerable versions.
  • Ref: http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2001

  • 06.01.11 - CVE: CVE-2005-3417
  • Platform: Web Application
  • Title: PHPBB Multiple Unspecified Input Validation Vulnerabilities
  • Description: PHPBB is a bulletin board application. It is vulnerable to multiple unspecified vulnerabilities due to insufficient sanitization of user-supplied data. PHPBB versions 2.0.19 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/420537

  • 06.01.12 - CVE: Not Available
  • Platform: Linux
  • Title: PTnet IRCD Remote Denial of Service
  • Description: PTnet IRCD is an IRC server. It is vulnerable to a denial of service issue when a remote unprivileged user attempts to open a "#*.log" channel. PTnet IRCD versions 1.5 and 1.6 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16089/info

  • 06.01.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ImageMagick Image Filename Remote Command Execution
  • Description: ImageMagick is an image editing application that supports numerous image formats, including the PNM image format. It is prone to a remote shell command execution vulnerability due to insufficient sanitization of user-supplied data. ImageMagick 6.2.4.5 is reported to be vulnerable; other versions may be affected as well.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345238

  • 06.01.14 - CVE: CVE-2005-0842
  • Platform: Web Application
  • Title: Kayako SupportSuite Multiple Cross-Site Scripting Vulnerabilities
  • Description: Kayako SupportSuite is a web-based customer service application. It is prone to multiple cross-site scripting vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "nav" parameter of the "index.php" script and the "Full Name", "Email", "Subject", and "Registered Email" parameters of the "register", "submit" and "lostpassword" modules. These issues affect versions 3.00.26 and prior.
  • Ref: http://pridels.blogspot.com/2005/12/kayako-supportsuite-multiple-vuln.html

  • 06.01.15 - CVE: Not Available
  • Platform: Web Application
  • Title: OOApp Guestbook Home Script Cross-Site Scripting
  • Description: OOApp Guestbook is a web-based guestbook application. It is affected by a cross-site scripting issue due to insufficient sanitization of the "page" parameter of the "home.php" script. OOApp Guestbook version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/16091

  • 06.01.16 - CVE: Not Available
  • Platform: Web Application
  • Title: Ades Design AdesGuestbook Read Script Cross-Site Scripting.
  • Description: Ades Design AdesGuestbook is a web-based guestbook application. Insufficient sanitization of the "read" parameter of the "read.php" script exposes the application to a cross-site scripting issue. AdesGuestbook version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/16090

  • 06.01.17 - CVE: Not Available
  • Platform: Web Application
  • Title: iPei Guestbook Index.PHP Cross-Site Scripting
  • Description: iPei Guestbook is a web site guestbook application implemented in PHP. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the email field parameters of "index.php" script. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. iPei Guestbook versions 1.7 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2005/12/ipei-guestbook-xss-vuln.html

  • 06.01.18 - CVE: CVE-2005-4603
  • Platform: Web Application
  • Title: MyBB Print Thread Script HTML Injection
  • Description: MyBulletinBoard (MYBB) is a web forum application. It is vulnerable to an HTML injection vulnerability due to insufficient sanitization of user-supplied input containing HTML and script code that is viewed through the "print view of thread" feature in the "printthread.php" script. MyBulletinBoard versions 1.0.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/420569

  • 06.01.19 - CVE: CVE-2005-4602
  • Platform: Web Application
  • Title: MyBB File Upload SQL Injection
  • Description: MyBulletinBoard (MYBB) is a web forum application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "inc/function_upload.php" script. MyBulletinBoard versions 1.0 PR2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/420573

  • 06.01.20 - CVE: CVE-2005-2341
  • Platform: Hardware
  • Title: Blackberry Enterprise Server TIFF Attachment Denial of Service
  • Description: Blackberry Enterprise Server is communications middleware for Blackberry devices. It is prone to denial of service attacks. This issue affects the Attachment Service and may be triggered by a malformed TIFF attachment. Blackberry Enterprise Server for Exchange versions 4.0 SP1 and 4.0 are vulnerable.
  • Ref: http://blogs.washingtonpost.com/securityfix/2006/01/security_hole_e.html

  • 06.01.21 - CVE: CVE-2005-2343
  • Platform: Hardware
  • Title: Blackberry Handheld JAD File Browser Denial of Service
  • Description: Blackberry Handheld devices are prone to a denial of service attack. The embedded Web browser will stop responding due to a dialog box that has not been properly dismissed when handling a malformed JAD (Java Application Description) file. The vulnerability is caused when the user of the device downloads a malformed JAD file from a Web site. The JAD file will specify a long application name and vendor string of 256 bytes or more. This issue affects devices running Blackberry Device Software versions prior to 4.0.2.
  • Ref: http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/725/8142/?nodeid=1167791

  • 06.01.22 - CVE: CVE-2005-2342
  • Platform: Hardware
  • Title: Blackberry Enterprise Server Router SRP Packet Denial of Service
  • Description: The Blackberry Enterprise Server Router component is prone to a denial of service issue. This issue is triggered by sending malformed SRP (Server Routing Protocol) packets to the Router. The issue could only be exploited by an attacker who is in a position to impersonate the Blackberry Infrastructure or possibly has access to the internal network that the server is deployed on. The component accepts messages on TCP port 3101.
  • Ref: http://www.securityfocus.com/bid/16100

  • 06.01.23 - CVE: Not Available
  • Platform: Web Application
  • Title: phpDocumentor Forum Lib Variable Cross-Site Scripting
  • Description: phpDocumentor is a web documentation application. Insufficient sanitization of the "FORUM[LIB]" parameter in the "bug-559668.php" script exposes the application to a cross-site scripting issue. phpDocumentor versions 1.3 RC4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16101

  • 06.01.24 - CVE: Not Available
  • Title: Windows Graphics Rendering Engine WMF Format Code Execution
  • Description: Microsoft Windows supports the Windows Metafile (WMF) image format. A remote code execution issue presents itself when a user views a malicious WMF formatted file. The vulnerability is triggered when the engine attempts to parse the file. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Please see the referenced link for a list of affected systems.
  • Ref: http://www.microsoft.com/technet/security/advisory/912840.mspx

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.