@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 10
March 13, 2006

A very light week, but be prepared to update Windows and Office tomorrow (Tuesday).

If your security policy denies users access to Peercast and other multi-media software (that are being targeted more and more often by hackers), you'll get better compliance if you use an IPS to enforce your policy. Also LISTSERV users should update their software to 14.5 well before June. When vulnerability discoverers promise to delay publishing details, criminals work hard to find and exploit the vulnerability before the patch comes out.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    ----------------------------------------  ------------------------------
    Other Microsoft Products                   2 (#3)
    Third Party Windows Apps                   6
    Mac OS                                     1
    Linux                                      3
    HP-UX                                      1
    Solaris                                    1
    Unix                                       2 (#5)
    Cross Platform                            15 (#1, #4)
    Web Application - Cross Site Scripting    14
    Web Application - SQL Injection            7
    Web Application                           33 (#2)
    Network Device                             3


Table Of Contents

Part I -- Critical Vulnerabilities
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Other Microsoft Products
    Third Party Windows Apps
    Mac OS
    Linux
    HP-UX
    Solaris
    Unix
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Network Device

PART I -- Critical Vulnerabilities

Part I for this issue has been compiled by Rohit Dhamankar and Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Other Software
  • (1) HIGH: Peercast Streaming Server HTTP Processing Overflow
  • Affected:
    • Peercast server versions prior to 0.1217
  • Description: Peercast is a streaming media server that can run on Windows, Linux and Mac OS X platforms. The server reportedly contains a stack-based buffer overflow that can be triggered by an HTTP request containing overlong parameters. Specifically, passing a string longer than 800 characters after the "?" character in a URL causes the overflow, which can be exploited to execute arbitrary code. Exploit code has been publicly posted.

  • Status: The vendor has released version 0.1217, which fixes the problem. Use an IDS/IPS to block HTTP requests carrying overlong parameters to port 7441/tcp (the default port).

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. All but one reported that no action was necessary. One site has applied IPS blocking filters for users that are in violation of their policy on these types of servers.

  • References:
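As an added defensive illustration (not code from the bulletin, from TippingPoint or from the PeerCast project), the following Python sketch shows the kind of check an IPS filter for this issue would apply: it measures the part of the request target after the "?" and flags requests to the default port 7441/tcp whose query string exceeds the 800-character threshold the advisory cites. The port and threshold come from the advisory above; the sample requests are constructed for this example.

```python
"""Flag HTTP requests with overlong query strings bound for the PeerCast port.

Illustrative detection logic only; the constants mirror the advisory text and
the sample traffic below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PEERCAST_PORT = 7441   # default PeerCast port named in the advisory
QUERY_LIMIT = 800      # advisory: more than 800 chars after "?" triggers the overflow


@dataclass
class Verdict:
    alert: bool
    reason: str
    query_len: int = 0


def query_length(request: bytes) -> Optional[int]:
    """Return the length of the query string in the request line.

    Returns 0 when the target has no "?" and None when the request line is not
    a well-formed "<method> <target> HTTP/x.y" triple.
    """
    first_line, _, _ = request.partition(b"\r\n")
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    target = parts[1]
    if b"?" not in target:
        return 0
    # Raw length is what matters: the overflow is on the unparsed string.
    return len(target.split(b"?", 1)[1])


def inspect_request(request: bytes, dst_port: int) -> Verdict:
    """Decide whether a request to dst_port should be blocked by the filter."""
    if dst_port != PEERCAST_PORT:
        return Verdict(False, "not the PeerCast port")
    qlen = query_length(request)
    if qlen is None:
        # Policy choice for this example: a request that is not even a valid
        # request line has no business reaching the streaming server.
        return Verdict(True, "malformed request line")
    if qlen > QUERY_LIMIT:
        return Verdict(True, f"query string {qlen} chars > {QUERY_LIMIT}", qlen)
    return Verdict(False, "within limit", qlen)


# Constructed sample traffic: (label, destination port, raw request bytes).
SAMPLE_TRAFFIC: List[Tuple[str, int, bytes]] = [
    ("benign stream request", PEERCAST_PORT,
     b"GET /stream/abc.mp3?auth=x HTTP/1.0\r\nHost: relay\r\n\r\n"),
    ("exactly at limit", PEERCAST_PORT,
     b"GET /stream/x?" + b"A" * QUERY_LIMIT + b" HTTP/1.0\r\n\r\n"),
    ("overlong query", PEERCAST_PORT,
     b"GET /stream/x?" + b"A" * (QUERY_LIMIT + 1) + b" HTTP/1.0\r\n\r\n"),
    ("overlong query to web port", 80,
     b"GET /stream/x?" + b"A" * (QUERY_LIMIT + 1) + b" HTTP/1.0\r\n\r\n"),
]


def scan_samples() -> List[Tuple[str, bool]]:
    """Run the filter over the constructed traffic and return (label, alert) pairs."""
    return [(label, inspect_request(req, port).alert)
            for label, port, req in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for label, port, req in SAMPLE_TRAFFIC:
        v = inspect_request(req, port)
        print(f"{label:28s} port={port:<5d} alert={v.alert!s:5s} {v.reason}")
```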
  • (2) MODERATE: L-Soft Listserv Remote Code Execution
  • Affected:
    • LISTSERV version 14.4 and 14.3, including LISTSERV Lite and HPO
  • Description: LISTSERV is popular email list management software used to run email newsletters, discussion groups and announcement lists. Its web interface, which allows remote management of the mailing lists, contains flaws that may be exploited to execute arbitrary code on the server running LISTSERV. The discoverers will post the complete technical details on June 3, 2006.

  • Status: L-Soft has released version 14.5 to fix the flaws.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (3) MODERATE: Microsoft Visual Studio Overflow
  • Affected:
    • Microsoft Visual Studio version 6.0
    • Microsoft Development Environment version 6.0 (SP6)
  • Description: Microsoft Visual Studio, a development tool for Windows applications, reportedly contains a stack-based overflow. The overflow can be triggered by a ".dbp" (database project) or ".sln" (Visual Studio solution) file containing a long "DataProject" name. A malicious webpage, email or file share can exploit this flaw to execute arbitrary code on a developer's system. Exploit code has been publicly posted. Note that ".dbp" and ".sln" files are not opened automatically.

  • Status: Microsoft is aware of the issue; no patches are available yet. Developers should be cautioned not to open ".dbp" or ".sln" files delivered via the web or HTTP from untrusted sources.

  • References:
  • (4) MODERATE: Micromuse Netcool/Neusecure Remote Database Access
  • Affected:
    • Netcool/Neusecure Management Database
  • Description: Netcool/Neusecure is a security management platform that stores security events and data for an organization. The HTTP interface for the management server stores the back-end database credentials in clear text (can be accessed by viewing the page source). As a result, any unauthenticated attacker can access the back-end MySQL database and compromise the stored security information. The information in the database may also be used to obtain the network topology to launch further attacks.

  • Status: Vendor notified, no patches available. Restrict access to the back-end MySQL database through the database configuration.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 10, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4928 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.10.1 - CVE: CVE-2006-1043
  • Platform: Other Microsoft Products
  • Title: Microsoft Visual Studio Buffer Overflow
  • Description: Microsoft Visual Studio is a development tool. It is vulnerable to a buffer overflow when a malicious file contains a "DataProject" field of 384 bytes. Microsoft Visual Studio version 6 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426767

  • 06.10.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Java Applet Handling Denial of Service
  • Description: Microsoft Internet Explorer is affected by a denial of service with the "mshtml.dll" library when dereferencing a NULL pointer. This issue occurs when Sun's Java runtime environment is installed and configured to be the default handler for Java applets. Microsoft Internet Explorer versions 6.0 SP2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426817

  • 06.10.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AVG Anti-Virus Local Insecure Permissions
  • Description: AVG Anti-Virus is prone to a local insecure permissions issue because the application incorrectly resets the permissions on critical files during its periodic update process. AVG version 7 is affected.
  • Ref: http://www.securityfocus.com/bid/16952

  • 06.10.4 - CVE: CVE-2006-1124
  • Platform: Third Party Windows Apps
  • Title: RevilloC MailServer Remote Buffer Overflow
  • Description: RevilloC MailServer is vulnerable to a remote buffer overflow vulnerability due to insufficient boundary checks to the "USER" command. RevilloC MailServer version 1.21 is vulnerable.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0910.html

  • 06.10.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Magic Winmail Server Multiple Unspecified Vulnerabilities
  • Description: Magic Winmail Server is an email server designed for use on Microsoft Windows. It is reportedly prone to multiple unspecified security vulnerabilities affecting the "Webmail" component. Magic Winmail Server versions 4.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17009

  • 06.10.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Ghost SQLAnywhere Local Administrative Authentication Credentials Disclosure
  • Description: Symantec Ghost is an application used for enterprise wide remote PC deployment, recovery, cloning, and migration. It is prone to a vulnerability that may allow a local attacker to gain elevated privileges. The vulnerability presents itself in the Symantec SQLAnywhere database installed with Symantec Ghost and the Central Management Console in Symantec Ghost Solutions Suite (SGSS). The application stores the default administrator authentication credentials in the SQLAnywhere database on the local computer during installation. All builds of Symantec Ghost 8.0 (EOL / EOS 11/15/2005) and Ghost 8.2 (shipped as a part of SGSS 1.0) are vulnerable.
  • Ref: http://www.symantec.com/avcenter/security/Content/2006.03.07.html

  • 06.10.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Novell BorderManager Remote Denial Of Service
  • Description: Novell BorderManager is a network security tool providing firewall and VPN functionality. It is affected by a remote denial of service vulnerability due to improper handling of exceptional network input in the form of streaming media over HTTP 1.1. Novell BorderManager versions 3.8 and 3.8 SP4 are vulnerable.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?2972993.htm

  • 06.10.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ZoneAlarm Security Suite Local Privilege Escalation
  • Description: Zone Labs ZoneAlarm Internet Security Suite is a security software package. It is vulnerable to a local privilege escalation issue because it does not specify the full path of the DLL libraries it loads when it executes. Zone Labs ZoneAlarm Security Suite version 6.1.744.000 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/427122

  • 06.10.9 - CVE: Not Available
  • Platform: Mac OS
  • Title: Mac OS X Kernel MACH_MSG_SEND Local Heap Overflow
  • Description: Apple Mac OS X kernel is vulnerable to a local heap overflow due to insufficient boundary checking with the "mach_msg_send()" function. All versions of the Apple Mac OS X are vulnerable.
  • Ref: http://www.felinemenace.org/~nemo/

  • 06.10.10 - CVE: CVE-2006-1091
  • Platform: Linux
  • Title: Kaspersky Anti-Virus Unspecified Denial Of Service
  • Description: Kaspersky Anti-Virus is vulnerable to a denial of service issue when the application scans a file of 1.6 MB in size that does not contain suspicious or obviously malicious content. Kaspersky Anti-Virus versions 5.0.5 and 5.5.3 for Unix are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426699

  • 06.10.11 - CVE: Not Available
  • Platform: Linux
  • Title: Debian-Specific Amaya Arbitrary Local Code Execution
  • Description: Amaya is an HTML editor and viewer. It is vulnerable to an insecure RPATH due to a flaw in the build process. Amaya version 9.2.1-6 for Debian is vulnerable.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341424

  • 06.10.12 - CVE: CVE-2006-0742
  • Platform: Linux
  • Title: Linux Kernel die_if_kernel Local Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability. This issue is due to a design error in the "die_if_kernel()" function. This issue affects Linux kernel versions prior to 2.6.15.6 running on Itanium systems.
  • Ref: http://www.securityfocus.com/bid/16993

  • 06.10.13 - CVE: CVE-2005-3670
  • Platform: HP-UX
  • Title: HP Tru64 IKE Exchange Denial Of Service Vulnerabilities
  • Description: HP Tru64 is prone to denial of service vulnerabilities. These issues are due to security flaws in HP's IPSec implementation. These vulnerabilities may be triggered by malformed IKE traffic. HP Tru64 versions 5.1 B-2 PK4 and 5.1 B-3 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/427071

  • 06.10.14 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Proc Filesystem Pagedata Subsystem Local Denial Of Service
  • Description: Sun Solaris is prone to a local denial of service vulnerability. A local unauthorized user can cause a system panic or hang the system by exploiting an unspecified vulnerability in the pagedata subsystem of the Process File System. Sun Solaris versions 10.0 and earlier are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102159-1

  • 06.10.15 - CVE: CVE-2006-0912
  • Platform: Unix
  • Title: Oreka RTP Packet Handling Remote Denial of Service
  • Description: Oreka is a freely available, open-source audio recording application. Oreka is susceptible to a remote denial of service vulnerability. This issue is due to the application's failure to properly handle unspecified sequences of RTP packets. Oreka versions prior to 0.5 are affected by this issue.
  • Ref: http://oreka.sourceforge.net/about/news?id=2006-02-16/0.5-release

  • 06.10.16 - CVE: Not Available
  • Platform: Unix
  • Title: Acme Labs thttpd htpasswd Multiple Vulnerabilities
  • Description: thttpd is a web server. Its htpasswd utility is affected by a buffer overflow and a command-execution issue. Acme Labs thttpd htpasswd version 2.25b is affected.
  • Ref: http://www.securityfocus.com/bid/16972

  • 06.10.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Comvigo IM Lock 2006 Insecure Password Storage
  • Description: Comvigo IM Lock 2006 is a security application designed to allow administrators to enforce policy on computers such as disallowing instant messages, peer to peer applications, streaming media, and other network services. A local insecure password storage vulnerability affects Comvigo IM Lock 2006 due to a failure of the application to store passwords with secure permissions by default. Comvigo IM Lock 2006 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426935

  • 06.10.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: L-Soft Listserv 14.3 and 14.4 Multiple Unspecified Vulnerabilities
  • Description: Listserv is a multi-platform application used to manage mailing lists. It is affected by multiple unspecified vulnerabilities. Listserv versions 14.3 and 14.4 are affected.
  • Ref: http://www.securityfocus.com/bid/16951

  • 06.10.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Freeciv Remote Denial of Service
  • Description: Freeciv is a free turn-based multiplayer strategy game. It is affected by a remote denial of service issue due to a design error in "common/packets.c" when handling the packet length. Freeciv versions 2.0.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16975

  • 06.10.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Monopd Remote Denial Of Service
  • Description: The Monopd game server is prone to a remote denial of service vulnerability. This issue is due to a design error in the application when doing string replacements to avoid manipulation of XML data. The problem occurs in "server.cpp" when an overly long string of 15000 chars or more is processed, causing the application to consume all available CPU and memory resources. monopd version 0.9.3 is affected.
  • Ref: http://www.securityfocus.com/bid/16981

  • 06.10.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ravenous Unauthorized Access
  • Description: Ravenous is a web server implemented in Java. It is prone to an unauthorized access vulnerability due to a failure in the application to properly secure sensitive information. The problem is due to the application failing to properly secure access to ".rvplg" files. Ravenous version 0.7 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17013

  • 06.10.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: nCipher Insecure CBC-MAC API Vulnerability
  • Description: nCipher products utilize cryptography to protect data and communications. nCipher products are vulnerable to an insecure CBC-MAC (Cipher Block Chaining-Message Authentication Code) API issue because of a flaw in the API that allows users to utilize insecure CBC-MAC IVs (Initialization Vector). nCipher Software CD version 9.0 resolves the issue.
  • Ref: http://www.ncipher.com/resources/96/sa13_cbcmac_iv_misleading_programming_interface

  • 06.10.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: nCipher Testing Options Insecure Key Generation Vulnerabilities
  • Description: nCipher products utilize strong cryptography to protect sensitive data and communications. Certain nCipher products are susceptible to insecure key generation vulnerabilities due to the unintended inclusion of testing functionality in the affected software.
  • Ref: http://www.ncipher.com/support/advisories/keysigs/advis14.txt.asc

  • 06.10.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec Ghost SQLAnywhere Local Information Disclosure and Data Corruption
  • Description: Symantec Ghost is an application used for enterprise wide remote PC deployment, recovery, cloning, and migration. It is affected by an issue that may allow a local unauthorized attacker to disclose or modify stored data. This issue arises from an access validation error. All builds of Symantec Ghost version 8.0 (EOL / EOS 11/15/2005) and Ghost version 8.2 (shipped as a part of SGSS 1.0) are affected.
  • Ref: http://www.securityfocus.com/bid/17019

  • 06.10.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Dropbear Remote Denial Of Service
  • Description: Dropbear is an SSH client and server application. It is prone to a remote denial of service vulnerability due to a design error in "svr-main.c" when handling authorization pending connections to the server. Dropbear SSH Server versions 0.47 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17024

  • 06.10.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Micromuse Netcool/NeuSecure Website NS Account Password Disclosure
  • Description: Micromuse Netcool/NeuSecure is a security information management (SIM) platform that stores security data in a MySQL database. It is affected by a password-disclosure issue because the NS password is included in the source code of "body.phtml" on the NeuSecure Server website. Neusecure version 3.0.236-1 is affected.
  • Ref: http://www.securityfocus.com/bid/17032

  • 06.10.27 - CVE: CVE-2005-3629
  • Platform: Cross Platform
  • Title: Red Hat Initscripts Local Privilege Escalation
  • Description: The initscripts package contains the basic system scripts used to boot a system, change run levels, and shut down the system. It is prone to a local privilege escalation vulnerability due to insufficient sanitization of user-supplied data. The problem occurs when handling various environment variables when "/sbin/service" is run.
  • Ref: http://www.securityfocus.com/bid/17038

  • 06.10.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Peercast.org PeerCast Remote Buffer Overflow
  • Description: PeerCast is a streaming audio server. It is prone to a remote buffer overflow vulnerability because of improper boundary checks in the "procConnectArgs" function of "servmgr.cpp". PeerCast versions 0.1215 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17040

  • 06.10.29 - CVE: CVE-2006-0742
  • Platform: Cross Platform
  • Title: Kerio MailServer Remote Denial of Service
  • Description: Kerio MailServer is vulnerable to a denial of service issue when the server handles specially crafted IMAP LOGIN commands. Kerio MailServer versions 6.1.3 and earlier are vulnerable.
  • Ref: http://www.kerio.com/kms_history.html

  • 06.10.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: UnrealIRCd Remote Denial Of Service
  • Description: UnrealIRCd is an Internet Relay Chat (IRC) server. It is vulnerable to a remote denial of service issue due to a design error when handling malformed "TKL" commands from authenticated connections. UnrealIRCd versions 3.2.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/427213

  • 06.10.31 - CVE: CVE-2006-0049
  • Platform: Cross Platform
  • Title: GnuPG Incorrect Non-Detached Signature Verification
  • Description: GnuPG is prone to a vulnerability involving incorrect verification of non-detached signatures. This issue can allow attackers to inject arbitrary data into a signed message. It should be noted that this issue also affects verification of signatures embedded in encrypted messages. Scripts and applications using gpg are affected as well as applications using the GPGME library. GnuPG versions prior to 1.4.2.2 are vulnerable.
  • Ref: http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html

  • 06.10.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: VBZooM Forum Multiple Cross-Site Scripting Vulnerabilities
  • Description: VBZooM Forum is web forum software. It is prone to multiple cross site scripting vulnerabilities due to improper sanitization of user supplied input to the "UserID" parameter of the "comment.php" and "contact.php" scripts. VBZoom version 1.11 is affected.
  • Ref: http://www.securityfocus.com/bid/16956/exploit

  • 06.10.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpArcadeScript Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpArcadeScript is a web application. Insufficient sanitization of user supplied input exposes the application to multiple cross site scripting issues. phpArcadeScript version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/16950

  • 06.10.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Woltlab Burning Board Misc.PHP Cross-Site Scripting
  • Description: Woltlab Burning Board is a free web-based bulletin-board package. Insufficient sanitization of the "percent" parameter in the "acp/misc.php" script exposes the application to a cross site scripting issue. Woltlab Burning Board version 2.3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/16959

  • 06.10.35 - CVE: CVE-2006-1121
  • Platform: Web Application - Cross Site Scripting
  • Title: CutePHP CuteNews Index.PHP Cross-Site Scripting
  • Description: CuteNews is a news-management system. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "ucat" URI parameter of the "index.php" script. CuteNews version 1.4.1 is vulnerable.
  • Ref: http://www.kapda.ir/advisory-277.html

  • 06.10.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DVGuestbook Multiple Cross-Site Scripting
  • Description: DVGuestbook is a web-based guestbook application. It is prone to multiple cross site scripting vulnerabilities due to improper sanitization of user supplied input to the "page" parameter of "index.php" and the "f" parameter of "dv_gbook.php". DVGuestbook versions 1.2.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16968/exploit

  • 06.10.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: VBZoom Profile.PHP Cross-Site Scripting
  • Description: VBZoom is a forum application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "UserID" parameter of the "profile.php" script. VBZoom version 1.11 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16969

  • 06.10.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: RunCMS Bigshow.PHP Cross-Site Scripting
  • Description: RunCMS is a content management system. RunCMS is prone to a cross site scripting vulnerability due to improper sanitization of user supplied input. This issue affects the "id" URI parameter of the "bigshow.php" script.
  • Ref: http://www.securityfocus.com/bid/16970/exploit

  • 06.10.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Game-Panel Login.PHP Cross-Site Scripting
  • Description: Game-Panel is a game management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "message" URI parameter of the "login.php" script. Game-Panel versions 2.6.1 and earlier are vulnerable.
  • Ref: http://notlegal.ws/gamepanel.txt

  • 06.10.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Link Bank Iframe.PHP Cross-Site Scripting
  • Description: Link Bank is a web link management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "site" URI parameter of the "iframe.php" script. All versions of Link Bank are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426932

  • 06.10.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Daverave HitHost Multiple Cross-Site Scripting Vulnerabilities
  • Description: HitHost is a web-based hit counter. Insufficient sanitization of the "user" parameter in the "deleteuser.php" script and the "hits" parameter of the "viewuser.php" script exposes the application to multiple cross site scripting vulnerabilities.
  • Ref: http://www.securityfocus.com/bid/17025

  • 06.10.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: textfileBB Multiple Cross-Site Scripting Vulnerabilities
  • Description: textfileBB is a bulletin board application. It is prone to multiple cross site scripting vulnerabilities due to insufficient sanitization of user supplied input to the "mess" and "user" parameters of the "messanger.php" script. textfileBB version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17029/exploit

  • 06.10.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: myBloggie Multiple Cross-Site Scripting Vulnerabilities
  • Description: myBloggie is a web log application. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to various scripts. myBloggie versions 2.1.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17048

  • 06.10.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DCP Portal Multiple Cross-Site Scripting Vulnerabilities
  • Description: DCP Portal is a web portal application. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17050

  • 06.10.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: txtForum Multiple Cross-Site Scripting Vulnerabilities
  • Description: txtForum is web-based forum software implemented in PHP. txtForum is prone to multiple cross site scripting vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input. txtForum versions 1.0.4-dev and 1.0.3-dev are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/17054/exploit

  • 06.10.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: D2-Shoutbox SQL Injection
  • Description: D2-Shoutbox is a shoutbox module for Invision Power Board (IPB). Insufficient sanitization of the "load" parameter exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16984

  • 06.10.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CyBoards PHP Lite Process_post.PHP SQL Injection
  • Description: CyBoards PHP Lite is a forum application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "parent" parameter of the "process_post.php" script. CyBoards PHP Lite versions 1.25 and earlier are vulnerable.
  • Ref: http://evuln.com/vulns/91/summary.html

  • 06.10.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Akarru Social BookMarking Engine Users.PHP SQL Injection
  • Description: Akarru Social BookMarking Engine is a bookmark management application. Insufficient sanitization of the "User Name" parameter of the "users.php" script exposes the application to an SQL injection issue. Akarru Social BookMarking versions prior to 0.4.3.4 are affected.
  • Ref: http://www.securityfocus.com/bid/16989

  • 06.10.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WordPress User-Agent SQL Injection
  • Description: WordPress is a web-based publishing application. Insufficient sanitization of the "User-Agent" HTTP request header exposes the application to an SQL injection issue. WordPress versions 1.5.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16950

  • 06.10.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: VBZoom Forum Show.PHP MainID SQL Injection
  • Description: VBZooM Forum is a web forum application. The application is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "MainID" parameter of the "show.php" script. VBZoom version 1.11 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16955/info

  • 06.10.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TotalECommerce SQL Injection
  • Description: TotalECommerce is a web e-commerce application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "index.asp" script. TotalECommerce version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16960

  • 06.10.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Redblog RSS.PHP SQL Injection
  • Description: RedBLoG is affected by an SQL injection issue due to insufficient sanitization of the "cat_id" parameter in the "rss.php" script. RedBLoG version 0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/17041

  • 06.10.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Evo-Dev evoBlog Comment Post HTML Injection
  • Description: Evo-Dev evoBlog is a web log application. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to the "Name" and possibly other comment fields. All versions of Evo-Dev evoBlog are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16983

  • 06.10.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Fantastic News Archive.PHP Remote Code Execution
  • Description: Fantastic News is a news reader application. It is prone to a PHP code execution vulnerability. The input to the "archive.php" script through the "script_path" parameter is not properly sanitized before being passed to a PHP "require()" statement. Fantastic News versions 2.1.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16985

  • 06.10.55 - CVE: CVE-2006-0809, CVE-2006-0810, CVE-2006-0811
  • Platform: Web Application
  • Title: Skate Board Multiple Input Validation Vulnerabilities
  • Description: Skate Board is web-based forum software. It is prone to multiple input validation vulnerabilities due to improper sanitization of user supplied input. These vulnerabilities include SQL injection vulnerabilities and a cross site scripting vulnerability. Skate Board version 0.9 is affected.
  • Ref: http://www.securityfocus.com/archive/1/426658

  • 06.10.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Aztek Forum New Message HTML Injection
  • Description: Aztek Forum is a web based forum application. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input when posting a new forum message. Aztek Forum version 4.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16938

  • 06.10.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Gregarius Multiple Input Validation Vulnerabilities
  • Description: Gregarius is a web-based RSS feed aggregator. Insufficient sanitization of user-supplied input exposes the application to multiple cross site scripting and SQL injection issues. Gregarius version 0.5.2 is affected.
  • Ref: http://www.securityfocus.com/bid/16939

  • 06.10.58 - CVE: CVE-2006-1127
  • Platform: Web Application
  • Title: Gallery Album Comments HTML Injection
  • Description: Gallery Album is an image gallery application. It is vulnerable to an HTML injection issue due to insufficient sanitization of the X_FORWARDED_FOR HTTP header. Gallery Album versions 2.0.0 through 2.0.2 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16940

  • 06.10.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Arbitrary File Deletion
  • Description: Gallery is prone to an arbitrary file deletion vulnerability due to improper sanitization of user supplied session cookie data. Gallery versions 2.0.0 through 2.0.2 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/426655

  • 06.10.60 - CVE: CVE-2006-0877
  • Platform: Web Application
  • Title: Easy Forum New User Image File HTML Injection
  • Description: Easy Forum is a web discussion forum application. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to the "Image File" field when creating new users. Easy Forum version 2.5 is affected.
  • Ref: http://www.securityfocus.com/bid/16958

  • 06.10.61 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Stats Multiple Input Validation and Information Disclosure Vulnerabilities
  • Description: PHP-Stats is a statistics package. It is vulnerable to multiple input validation and information disclosure issues due to insufficient sanitization of user-supplied input. PHP-Stats version 0.1.9.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426762

  • 06.10.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Pixelpost Multiple Input Validation Vulnerabilities
  • Description: Pixelpost is a photoblog web application. It is prone to multiple input validation vulnerabilities due to improper sanitization of user supplied input. It is vulnerable to SQL injection vulnerabilities and HTML injection vulnerabilities. Pixelpost versions 1.4.3 and 1.5 beta 1 are vulnerable to these issues; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/16964

  • 06.10.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Simplog Information Disclosure
  • Description: Simplog is a web log application. Insufficient sanitization of the "act" and "blogid" parameters in the "index.php" script exposes the application to directory traversal and information disclosure issues. Simplog version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/16965

  • 06.10.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Bitweaver Title Field HTML Injection
  • Description: Bitweaver is a web application framework. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to the "title" field. Bitweaver version 1.2.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16973

  • 06.10.65 - CVE: Not Available
  • Platform: Web Application
  • Title: M-Phorum Remote File Include
  • Description: M-phorum is a web-based forum application. It is prone to a remote file include vulnerability due to improper sanitization of user supplied input to the "go" parameter of "index.php". M-phorum versions 0.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16977

  • 06.10.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Inter7 QmailAdmin PATH_INFO Buffer Overflow
  • Description: Inter7 QmailAdmin provides a web management interface for qmail systems with virtual domains. Insufficient sanitization of the "PATH_INFO" variable in the "qmailadmin.c" file exposes the application to a buffer overflow issue. QmailAdmin versions 1.2.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16994

  • 06.10.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Eschew.Net PHPBannerExchange ResetPW.PHP Directory Traversal
  • Description: phpBannerExchange is a web-based banner exchange application. It is prone to a directory traversal vulnerability due to improper sanitization of user supplied input to the email address field of the "resetpw.php" script. phpBannerExchange versions 2.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426940

  • 06.10.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Lurker Multiple Input Validation Vulnerabilities
  • Description: Lurker is a web-based email archive and search tool. It is prone to multiple input validation vulnerabilities due to improper sanitization of user-supplied input. The following specific issues have been discovered: Cross site scripting vulnerability, Information disclosure vulnerability, Arbitrary file overwrite vulnerability. Lurker versions 2.0 and 0.1a are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17003

  • 06.10.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Link Bank Remote PHP Script Code Injection
  • Description: Link Bank is a web link management application. It is prone to a remote PHP script code injection vulnerability due to insufficient sanitization of user-supplied input to message posts. All versions of Link Bank are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426932

  • 06.10.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Geeklog Lib-sessions.PHP Authorization Bypass
  • Description: Geeklog is affected by an authorization-bypass issue due to insufficient sanitization in the "system/lib-sessions.php" script. Please see the reference link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/17010

  • 06.10.71 - CVE: Not Available
  • Platform: Web Application
  • Title: NMDeluxe News.PHP Multiple Input Validation Vulnerabilities
  • Description: NMDeluxe is a shopping cart application. It is prone to multiple input validation vulnerabilities because it fails to properly sanitize user-supplied input. NMDeluxe version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17017

  • 06.10.72 - CVE: CAN-2005-3128
  • Platform: Web Application
  • Title: SquirrelMail Redirect.PHP Cookie Theft
  • Description: SquirrelMail is a web based mail application. It is prone to a cookie theft vulnerability. This issue affects the "src/redirect.php" script when "register_globals" is enabled and the malicious site resides in the same domain. SquirrelMail versions 1.4.6-rc1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17005

  • 06.10.73 - CVE: CAN-2006-0750
  • Platform: Web Application
  • Title: Invision Power Board Multiple Input Validation Vulnerabilities
  • Description: Invision Power Board (IPB) is a web-based bulletin board application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input. Invision Power Services Invision Board versions 2.1.5 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16971

  • 06.10.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Owl Intranet Engine Remote File Include
  • Description: Owl Intranet Engine is a web-based multiuser document repository. It is prone to a remote file include vulnerability due to insufficient sanitization of user supplied input to the "xrms_file_root" parameter of "lib/OWL_API.php". Owl Intranet Engine version 0.82 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17021/exploit

  • 06.10.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Loudblog Multiple Input Validation Vulnerabilities
  • Description: Loudblog is a content management application. It is prone to multiple input validation vulnerabilities due to insufficient sanitization of user-supplied input to various scripts. Loudblog version 0.41 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17023

  • 06.10.76 - CVE: Not Available
  • Platform: Web Application
  • Title: CAPI4HylaFAX Insecure Temporary File Creation
  • Description: CAPI4HylaFAX is an add-on module for the HylaFAX faxing and paging application. It creates temporary files in an insecure manner. This may allow a local attacker to perform symbolic link attacks. CAPI4HylaFAX version 1.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17034

  • 06.10.77 - CVE: CVE-2006-1122, CVE-2006-1123
  • Platform: Web Application
  • Title: D2KBlog Multiple Input Validation Vulnerabilities
  • Description: D2KBlog is a web blog application. It is vulnerable to multiple input validation issues such as SQL and HTML injection. This is due to insufficient sanitization of user-supplied input. D2KBlog versions 1.0.3 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/0896

  • 06.10.78 - CVE: Not Available
  • Platform: Web Application
  • Title: sBlog HTML Injection
  • Description: sBlog is a web log application. It is prone to HTML injection vulnerabilities due to improper sanitization of user supplied input before using it in dynamically generated content. Specifically, the "title" field of user post comment page and the "keyword" parameter of the "search.php" script are not properly sanitized. sBlog version 0.7.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17044/exploit

  • 06.10.79 - CVE: Not Available
  • Platform: Web Application
  • Title: Manas Tungare Site Membership Script Multiple Input Validation Vulnerabilities
  • Description: Manas Tungare Site Membership Script is a web-based script. It is vulnerable to multiple input validation issues such as SQL injection and cross-site scripting due to insufficient sanitization of user-supplied input. All versions of Manas Tungare Site Membership script are vulnerable.
  • Ref: http://secunia.com/advisories/19156/

  • 06.10.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Easy File Sharing Web Server Multiple Input Validation Vulnerabilities
  • Description: Easy File Sharing Web Server is a commercially available web server software package distributed by EFS Software. It is available for the Microsoft Windows platform. It is prone to the following vulnerabilities: HTML injection vulnerability, denial of service vulnerability, and an arbitrary file upload vulnerability. Easy File Sharing Web Server version 3.2 is affected.
  • Ref: http://www.securityfocus.com/bid/17046/exploit

  • 06.10.81 - CVE: Not Available
  • Platform: Web Application
  • Title: ADP Forum Subject Field HTML Injection
  • Description: ADP Forum is prone to an HTML injection vulnerability due to improper sanitization of user supplied input before using it in dynamically generated content. Specifically, input to the "Subject" field of a message post is not properly sanitized. ADP Forum versions 2.0.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17047/exploit

  • 06.10.82 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Multiple Local File Include Vulnerabilities
  • Description: Gallery is a web-based classified ads application. It is vulnerable to multiple local file include issues due to insufficient sanitization of user-supplied input to the "stepOrder[]" parameter in both the "upgrade/index.php" and "install/index.php" scripts. Gallery versions 2.0.3 and earlier are vulnerable.
  • Ref: http://milw0rm.com/exploits/1566

  • 06.10.83 - CVE: Not Available
  • Platform: Web Application
  • Title: Light Weight Calendar Index.PHP Remote Command Execution
  • Description: Light Weight Calendar is affected by a remote command execution issue. The problem presents itself when attacker-supplied data to the "date" parameter of the "index.php" script is not properly sanitized before being used in an "eval()" call.
  • Ref: http://www.securityfocus.com/bid/17059

  • 06.10.84 - CVE: Not Available
  • Platform: Web Application
  • Title: Jiros Banner Experience Pro Addadmin.ASP Authorization Bypass
  • Description: Jiros Banner Experience Pro is an advertising banner management application. It is prone to an authorization bypass vulnerability. The application fails to properly perform authentication before granting access. The "addadmin.asp" script doesn't properly validate session data when authenticating a user. Jiros Banner Experience Pro version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17060

  • 06.10.85 - CVE: Not Available
  • Platform: Web Application
  • Title: txtForum Remote PHP Script Code Injection
  • Description: txtForum is a forum application. It is vulnerable to a remote PHP code injection issue due to insufficient sanitization of the "application skins". txtForum versions 1.0.4-dev and earlier are vulnerable.
  • Ref: http://www.seclab.tuwien.ac.at/advisories/TUVSA-0603-004.txt

  • 06.10.86 - CVE: CVE-2006-1067, CVE-2006-1068
  • Platform: Network Device
  • Title: Multiple Router Vendor Remote IRC Denial Of Service
  • Description: Linksys and Netgear routers are vulnerable to a remote IRC denial of service issue due to insufficient handling of a malformed "DCC SEND" string command sent to an IRC channel. Routers such as the Linksys WRT54G and Netgear 614 and 624 running the vxWorks-based operating system are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/426756

  • 06.10.87 - CVE: CVE-2006-1115
  • Platform: Network Device
  • Title: nCipher Insecure Diffie-Hellman Key Generation
  • Description: nCipher products utilize cryptography to protect sensitive data and communications. Some are vulnerable to an insecure Diffie-Hellman (DH) key generation weakness when DH private/public key pairs are created without passing the "DiscreteLogGroup" parameter. nCipher Software CD version 9.0 resolves the issue.
  • Ref: http://www.ncipher.com/resources/95/sa12_insecure_generation_of_diffiehellman_keys

  • 06.10.88 - CVE: Not Available
  • Platform: Network Device
  • Title: Xerox WorkCentre / CopyCentre Multiple Vulnerabilities
  • Description: Xerox WorkCentre / CopyCentre are web enabled printers and copiers. They are vulnerable to multiple issues such as a denial of service. Xerox WorkCentre / CopyCentre software versions 1.001.02.074 and 1.001.02.716 resolve the issues.
  • Ref: http://www.xerox.com/downloads/usa/en/c/cert_XRX06_002.pdf

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.