Microsoft Office documents suddenly stopped being "safe to open" last week.(#1) Apple Mac users got another demonstration that they, too, are vulnerable to remote attacks.(#2) Adobe Macromedia Flash and Shockwave users can be infected just by visiting an infected web site or receiving an html email, with minimal user interaction.(#3)
Would you like to make a substantial difference in making the Web safer? If you know how to write Firefox toolbars, please email us. We are building a Firefox toolbar that people could install to monitor what web sites they go to, and to classify "bad websites" by various categories (e.g. "adults", "exploit", "phishing"). This would complement the Storm Center's "honey monkey farm", which is a set of automated systems that browse suspect websites. We will feed the user-supplied URLs to the "honey monkeys" in order to have the sites characterized by its systems. We are looking for a (paid) volunteer to write the Firefox (and maybe later Internet Explorer) toolbar to do the reporting. Email info@sans.org with subject Browser Toolbar if you can help.
Alan
@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:
- Other Microsoft Products - 2 (#4, #9)
- Third Party Windows Apps - 7 (#5, #6, #7)
- Cross Platform - 7 (#3, #8)
- Web Application - Cross Site Scripting - 10
- Web Application - SQL Injection - 7
****** Sponsored by SANS Training in San Diego, Munich, London and Washington DC ******
Turbo charge your security career, or the careers of any of your coworkers, this spring in San Diego in early May: a dozen of SANS' most popular courses and a vendor exposition right on the harbor. http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July, right after July 4, for the biggest SANSFIRE ever: all 17 SANS immersion tracks and more than a dozen special courses, a big exposition, and an inside look at how the Internet's Early Warning System (Internet Storm Center) actually works. Bring your family for the national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************
Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Aix
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
****************************** Sponsored Links: ********************************
1) Blue Coat (formerly Permeo Technologies)
Need help selecting an SSL VPN solution? Read security analyst Mark Bouchard's (CISSP) latest buyer's guide.
http://www.sans.org/info.php?id=1076
2) Audit 522: SANS® +S Training for the CISA® Certification Exam via SANS@Home starts March 23!
http://www.sans.org/athome/details.php?id=1419
See http://www.sans.org/athome/ for complete SANS@Home listings.
********************************************************************************
PART I Critical Vulnerabilities
Part I is compiled by Rohit Dhamankar at TippingPoint, a division of
3Com, as a by-product of that company's continuous effort to ensure that
its intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from
a council of security managers from twelve large organizations who
confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be
found at http://www.sans.org/newsletters/cva/#process
Widely Deployed Software
- (1) CRITICAL: Microsoft Office and Excel Multiple Vulnerabilities
- Affected:
- Office 2000 SP3
- Office XP SP3
- Office 2003 SP1/SP2
- Microsoft Works Suites 2000-2006
- Office X/2004 for Mac OS
Description: The Microsoft Office suite contains five memory corruption vulnerabilities in the Excel program and another buffer overflow in the processing of "routing slips". A malicious Excel file or an Office file can exploit these vulnerabilities to execute arbitrary code on a client system running a vulnerable Office version. The specially crafted Excel/Office documents can be posted on a web server, file server or P2P share, or attached to an email. Note that although browsers like IE and Firefox typically present a user prompt prior to opening an Office document, since these documents are generally considered "safe" as opposed to executable files, users are likely to open them even from untrusted sites. The technical details required to craft exploits for many of the buffer overflows have been publicly posted. Exploitation of some of the overflows is trivial, as they are stack-based overflows.
Status: Microsoft confirmed. Patches referenced in the Microsoft Security Bulletin MS05-012.
Council Site Actions: All reporting council sites are planning to address these vulnerabilities in their next regularly scheduled system maintenance cycle. A few reported they will increase the urgency if exploits are seen in the wild.
- References:
- (2) HIGH: Apple Mac OS X Security Update 2006-002
- Affected:
- Mac OS X and Mac OS X Server version 10.4.5
Description: Apple has released another security update for Mac OS X this month. Security Update 2006-002 addresses important vulnerabilities in Mail and the Safari browser. Mail, an e-mail client built into Mac OS X, contains a buffer overflow on Mac OS X systems that have been patched with Apple Security Update 2006-001. The overflow can be triggered by an e-mail attachment in the MIME-encapsulated AppleDouble format (documented in RFC 1740) with a long "Real Name" entry. When a Mail user double-clicks such an attachment, arbitrary code can be executed on the user's system. Exploit code has been publicly posted. The security update also provides additional checks to identify malicious files downloaded via the Safari browser before the files are automatically opened.
Status: Apple confirmed. Apply Apple Security Update 2006-002 on a priority basis.
Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.
- Reference:
- Apple Security Update 2006-002
- http://docs.info.apple.com/article.html?artnum=303453
- Digitalmunition Advisory and Exploit Code
- http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt
- http://www.milw0rm.com/exploits/1583
- Mail Homepage
- http://www.apple.com/macosx/features/mail/
- SecurityFocus BIDs
- http://www.securityfocus.com/bid/17081
- (3) HIGH: Adobe Macromedia Players SWF Remote Code Execution
- Affected:
- Flash Player versions 8.0.22.0 and prior
- Breeze Meeting Add-In version 5.1 and prior
- Shockwave Player version 10.1.0.11 and prior
- Flash Debug Player version 7.0.14.0 and prior
Description: Adobe has released a security advisory indicating that multiple Macromedia players contain a critical vulnerability in handling SWF files. According to Adobe, the flaw can be exploited to execute arbitrary code. A malicious webpage or an HTML email can leverage the flaw to compromise a user's system with minimal user interaction. No technical details have been released at this time. Note that several versions of Windows ship with a vulnerable version of Flash Player by default; these systems should be updated on a priority basis.
Status: Adobe confirmed. Upgrade to the latest version of the players as described in the Adobe advisory.
Council Site Actions: All reporting council sites are planning to address in their next regularly scheduled system maintenance cycle.
- References:
- (4) MODERATE: Internet Explorer Script Handler Memory Corruption
- Affected:
- Internet Explorer possibly all versions
Description: Internet Explorer contains a memory corruption vulnerability that can be triggered by an HTML page containing a hundred or more script action handlers such as "onclick", "onmouseover", etc. According to the discoverer, the flaw can possibly be exploited to execute arbitrary code (not confirmed). The technical details and a proof-of-concept exploit have been publicly posted.
Status: Microsoft has not confirmed the vulnerability yet, no updates available.
Council Site Actions: All reporting council sites are waiting on additional information from Microsoft.
- References:
Other Software
- (5) HIGH: Adobe Document and Graphics Server Remote Code Execution
- Affected:
- Adobe Document Server versions 5.x and 6.x
- Adobe Graphics Server version 2.x
Description: The Adobe Document and Graphics Server products are designed to enable enterprises to generate PDF and graphics documents on the fly. In the default configuration, the "saveContent" and "saveOptimized" commands can be used to store any file in an arbitrary directory on the servers. For instance, a graphics file containing malicious HTML code can be placed in the "Startup" folder for "All Users". This will result in the compromise of Windows-based Adobe servers. An attacker can access the file-saving commands via the AlterCast web service, which runs by default on port 8109/tcp.
Status: Adobe has acknowledged the flaw in the default configuration and published steps to harden the configuration of Document and Graphics servers.
- References:
- (7) MODERATE: Ipswitch IMail IMAP FETCH Command Buffer Overflow
- Affected:
- Ipswitch Collaboration Suite versions prior to 2006.03
- IMail Secure Server versions prior to 2006.03
Description: Ipswitch IMail is a Windows-based mail server used by many small and medium ISPs. Ipswitch Collaboration Suite includes the IMail server, and these products serve over 60 million users world-wide. The mail server's IMAP service contains a buffer overflow that can be triggered by specially crafted arguments to the "FETCH" command. An authenticated user can exploit the flaw to execute arbitrary code on the server with Local System privileges. Note that exploits are available for previously disclosed vulnerabilities in this application.
Status: Vendor confirmed, update available. Upgrade to version 2006.03 for IMail and Collaboration Suite.
- References:
Exploit Code
- (8) Skype Heap-based Buffer Overflow
- References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 11, 2006
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4938 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
- 06.11.1 - CVE: Not Available
- Platform: Microsoft Office
- Title: Microsoft Excel Malformed Formula Size Remote Code Execution
- Description: Microsoft Excel is prone to a remote code execution
vulnerability. This issue may be triggered when a malformed Excel
document is opened. This is due to an error in Excel that is related
to how the program parses data fields within the document.
Specifically, this vulnerability is a buffer overflow that occurs when
handling malformed formula size data in an Excel file.
- Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
- 06.11.2 - CVE: CVE-2006-0028
- Platform: Microsoft Office
- Title: Microsoft Excel Malformed Parsing Format File Remote Code
Execution
- Description: Microsoft Excel is prone to a remote code execution
vulnerability. This issue may be triggered when a malformed Excel
document is opened. This is due to an error in Excel that is related
to how the program parses data fields within the document. Successful
exploitation may result in execution of arbitrary code in the context
of the currently logged in user.
- Ref: http://www.microsoft.com/technet/security/bulletin/MS06-012.mspx
- 06.11.3 - CVE: CVE-2006-0029
- Platform: Microsoft Office
- Title: Microsoft Excel Malformed Description Remote Code Execution
- Description: Microsoft Excel is prone to a remote code execution
vulnerability that may be triggered when a malformed Excel document is
opened. This is due to an error in Excel that is related to how the
program parses data fields within the document.
- Ref: http://www.microsoft.com/technet/security/bulletin/MS06-012.mspx
- 06.11.4 - CVE: CVE-2006-0009
- Platform: Microsoft Office
- Title: Microsoft Office Routing Slip Processing Remote Buffer Overflow
- Description: Microsoft Office supports routing slips, which are
embedded in Word, Excel, or PowerPoint documents to aid in
collaborative working. Microsoft Office is prone to a remote buffer
overflow vulnerability. Specifically, the issue arises when the
application handles a specially crafted document containing a
malicious routing slip. A successful attack can result in a remote
compromise in the context of an affected user.
- Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
- 06.11.5 - CVE: CVE-2006-0031
- Platform: Microsoft Office
- Title: Excel Malformed Record Remote Code Execution Vulnerability
- Description: Microsoft Excel is prone to a remote code execution issue
which may be triggered when a malformed Excel document is opened. The
issue is due to an error in Excel that is related to how the program
parses data fields within the document.
- Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
- 06.11.6 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft Internet Explorer Script Action Handler Buffer
Overflow
- Description: Microsoft Internet Explorer is prone to a remote buffer
overflow vulnerability in "MSHTML.DLL" due to improper boundary
checking of user supplied input data prior to copying it into an
insufficiently sized memory buffer. This issue is triggered by having
several thousand script action handlers, such as "onLoad",
"onMouseOver", in a single HTML tag. Internet Explorer 6 is reported
to be vulnerable to this issue; other versions may also be affected.
- Ref: http://www.securityfocus.com/bid/17131/exploit
- 06.11.7 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft Commerce Server 2002 Authentication Bypass
- Description: Microsoft Commerce Server 2002 is a web server product
geared towards building e-commerce websites. It is prone to an
authentication bypass vulnerability because of improper authentication
of users due to the possible existence of sample files. Microsoft
Commerce Server 2002 versions prior to Service Pack 2 are affected by
this issue.
- Ref: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/csvr2002/htm/cs_se_securityconcepts_cbgw.asp
- 06.11.8 - CVE: CVE-2006-0950
- Platform: Third Party Windows Apps
- Title: Unalz Hostile Destination Path
- Description: Unalz is a file compression and decompression application
written for Microsoft Windows. It contains a vulnerability in the
handling of pathnames in archived files. By specifying a path for an
archived item that points outside the expected destination directory,
the creator of the archive can cause the file to be extracted to
arbitrary locations on the filesystem. Unalz version 0.53 is
vulnerable.
- Ref: http://secunia.com/advisories/19063/
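The Unalz entry above describes the hostile-destination-path pattern: an archive member whose stored name climbs out of the extraction directory. The following Python is an added illustration of the check an extractor should perform before writing any member; it is not Unalz code and does not reproduce the Unalz bug. It uses the standard zipfile module to build a constructed archive (one harmless member, one "../" member, one absolute-path member) and shows that only the harmless member reaches the destination. The function and constant names are assumptions made for this example.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile


def is_safe_member_path(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name resolves to a path inside dest_dir.

    Rejects absolute names, drive letters and any '..' components that
    would climb out of the destination. os.path.realpath normalises the
    candidate so that '..' and symlinks in the existing prefix are taken
    into account; os.path.commonpath avoids the prefix trick where
    '/tmp/out' would wrongly accept '/tmp/out-evil/x' with a plain
    startswith() test.
    """
    # Archives usually store '/', but an extractor on Windows also treats
    # '\\' as a separator, so normalise before checking.
    name = member_name.replace("\\", "/")
    if not name or name.startswith("/") or os.path.splitdrive(name)[0]:
        return False
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, name))
    try:
        return os.path.commonpath([dest_root, target]) == dest_root
    except ValueError:  # paths on different drives (Windows)
        return False


def safe_extract(archive_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only members that pass is_safe_member_path.

    Returns (extracted_names, rejected_names) so the caller can log the
    rejected entries; rejected members are never written anywhere.
    """
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member_path(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if info.is_dir():
                continue
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_hostile_archive() -> bytes:
    """Constructed sample archive (not a real-world file) with one benign
    member and two members whose names point outside the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content\n")
        zf.writestr("../../escaped.txt", "would land outside the destination\n")
        zf.writestr("/abs/path.txt", "absolute path\n")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the constructed archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_hostile_archive(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)   # ['docs/readme.txt']
    print("rejected: ", bad)  # ['../../escaped.txt', '/abs/path.txt']
```

The same check applies to any archive format (zip, tar, alz, zoo): validate the resolved path of every member against the destination root before opening the output file, and treat a rejected member as a reason to log the archive rather than silently skip it.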
- 06.11.9 - CVE: CVE-2006-1182
- Platform: Third Party Windows Apps
- Title: Adobe Graphics Server / Document Server Remote Command
Execution
- Description: Adobe Graphics Server is used to automate the creation of
graphics for print and web. Adobe Document Server is used to
automatically generate PDF documents. Adobe Graphics Server and
Document Server are prone to a vulnerability that may allow remote
attackers to disclose arbitrary graphics or PDF files, place arbitrary
graphics or PDF files on a server, and potentially execute arbitrary
code and gain unauthorized access to a computer. Adobe Graphics Server
versions 2.0 and 2.1 are affected. Adobe Document Server versions 5.0
and 6.0 running on Windows are affected.
- Ref: http://www.securityfocus.com/bid/17113
- 06.11.10 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Ipswitch IMail Server / Collaboration Suite IMAP FETCH Remote
Buffer Overflow
- Description: Ipswitch IMail is an email server that serves clients
their mail via a web interface. It runs on Microsoft Windows operating
systems. Ipswitch Collaboration Suite (ICS) is an application suite
that includes IMail Server and IMail Anti-Virus. Ipswitch IMail
Server/Collaboration Suite are prone to a remote buffer overflow
vulnerability. This issue arises because the application fails to
perform boundary checks prior to copying user-supplied data into
sensitive process buffers.
- Ref: http://www.securityfocus.com/bid/17063
- 06.11.11 - CVE: CVE-2006-1197
- Platform: Third Party Windows Apps
- Title: SafeDisc Secdrv.sys Local Privilege Escalation
- Description: Macrovision SafeDisc is a copy protection application.
It is vulnerable to a local privilege escalation issue due to
an incorrect setting of the "SERVICE_CHANGE_CONFIG" flag applied to
the Safedisc's version of the "secdrv.sys" driver. All versions of
Macrovision Safedisc are vulnerable.
- Ref: http://www.securityfocus.com/archive/1/427410
- 06.11.12 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Free-AV AntiVir Personal Edition Classic Local Privilege
Escalation
- Description: AntiVir Personal Edition Classic is a virus, worm and
malware detection application, written for the Microsoft Windows
operating system. It is prone to a local privilege escalation
vulnerability due to a failure in the application to drop privileges
before invoking other applications. AntiVir Personal Edition Classic
version 7 is vulnerable; other versions may also be affected.
- Ref: http://www.securityfocus.com/archive/1/427412
- 06.11.13 - CVE: CVE-2006-0743
- Platform: Third Party Windows Apps
- Title: Apache Log4Net Denial of Service
- Description: Apache Log4net is a port of log4j for the .NET runtime.
It is prone to a remote denial of service vulnerability due to a
design error in the application. The problem occurs due to an
unspecified error in "LocalSyslogAppender". Log4net version 1.2.9 is
vulnerable.
- Ref: http://www.securityfocus.com/bid/17095
- 06.11.14 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: MERCUR Messaging 2005 IMAP Remote Buffer Overflow
- Description: MERCUR Messaging 2005 is a mail server. It is vulnerable
to a remote buffer overflow issue when the server handles crafted IMAP
LOGIN and SELECT commands containing excessive data. MERCUR Messaging
2005 version 5.0 SP3 is vulnerable.
- Ref: http://www.securityfocus.com/bid/17138/info
- 06.11.15 - CVE: CVE-2006-0396
- Platform: Mac Os
- Title: Mac OS X Mail Message Attachment Remote Buffer Overflow
- Description: Mac OS X Mail is vulnerable to a remote buffer overflow
issue due to insufficient boundary checking when handling specially
malformed email with attachments. Apple released Security Update
2006-002 to resolve this issue.
- Ref: http://docs.info.apple.com/article.html?artnum=303453
- 06.11.16 - CVE: CVE-2006-0400
- Platform: Mac Os
- Title: Safari Archive JavaScript Same Origin Policy Violation
- Description: Apple Safari is susceptible to a same origin policy
violation vulnerability due to a failure of the application to
properly enforce same origin policy for JavaScript remote data access.
This issue is the result of the same origin policy not being enforced
for archives that originate from remote sources.
- Ref: http://www.securityfocus.com/bid/17082
- 06.11.17 - CVE: Not Available
- Platform: Linux
- Title: Zoo Parse.c Local Buffer Overflow
- Description: Zoo is an archiving tool for various Linux platforms. It
is prone to a local buffer overflow vulnerability in "parse.c" when an
archive is created using a long filename. An attacker would have to
entice a user to add a directory created by an attacker with a long
name to an archive. Zoo version 2.10 is vulnerable.
- Ref: http://www.securityfocus.com/bid/17126
- 06.11.19 - CVE: CVE-2006-1242
- Platform: Linux
- Title: Linux Kernel IP ID Information Disclosure
- Description: The Linux kernel is vulnerable to a remote information
disclosure weakness. The kernel increments the IP ID field after
receiving unsolicited TCP SYN-ACK packets, which allows attackers to
conduct idle scans or stealth scans. The Linux kernel 2.6 series as
well as some kernels in the 2.4 series are vulnerable.
- Ref: http://www.securityfocus.com/archive/1/427622
- 06.11.20 - CVE: Not Available
- Platform: Linux
- Title: sa-exim Unauthorized File Access
- Description: sa-exim is a SpamAssassin module for Exim. It is
vulnerable to an unauthorized file access vulnerability. This issue is
due to insufficient sanitization of the "greylistclean.cron" file.
sa-exim versions 4.2 and earlier are vulnerable.
- Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345071
- 06.11.21 - CVE: CVE-2005-3359
- Platform: Linux
- Title: Linux Kernel ATM Module Inconsistent Reference Counts Denial of
Service
- Description: The Linux kernel is prone to a local denial of service
issue which presents itself because the ATM module can allow attackers
to create inconsistent reference counts for loadable protocol modules
of netfilter. Linux kernel versions 2.6.14 and earlier are affected.
- Ref: http://www.securityfocus.com/bid/17078
- 06.11.22 - CVE: CVE-2006-0457
- Platform: Linux
- Title: Linux Kernel Security Key Functions Local Copy_To_User Race
Condition
- Description: The Linux kernel contains a keyring module that is
designed to allow for the storage and maintenance of local key data
for operations such as storing Kerberos credentials. The Linux kernel
is susceptible to a local race condition vulnerability in its security
key functionality. This allows local attackers to crash the kernel.
- Ref: http://www.ubuntu.com/usn/usn-263-1
- 06.11.23 - CVE: Not Available
- Platform: Aix
- Title: IBM AIX MKLVCopy Unspecified Security Vulnerability
- Description: The MKLVCopy command is an administrative command used to
modify Logical Volumes. IBM AIX is vulnerable to an unspecified
security issue in the mklvcopy command. IBM AIX version 5.3 is
vulnerable.
- Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY82739
- 06.11.24 - CVE: Not Available
- Platform: Unix
- Title: glFTPd IP Check Security Bypass
- Description: glFTPd is an FTP server for Unix based systems. It is
prone to a security bypass vulnerability due to a design error in the
application when validating the IP address of an incoming connection.
A specially crafted DNS hostname could trick the application and
bypass IP address restrictions. GlFtpd versions 2.0.1 RC4 and earlier
are vulnerable.
- Ref: http://www.securityfocus.com/bid/17118
- 06.11.25 - CVE: Not Available
- Platform: Novell
- Title: Novell Netware FTP Server Denial of Service
- Description: Netware FTP Server is vulnerable to a remote denial of
service issue. The cause is with the "NWFTPD.NLM" when setting the
time with the "MDTM" command. Novell Netware FTP Server version 5.07
and Novell Netware version 6.5 SP4 are vulnerable.
- Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973435.htm
- 06.11.26 - CVE: CVE-2006-0819, CVE-2006-0820
- Platform: Cross Platform
- Title: Dwarf HTTP Server Multiple Input Validation Vulnerabilities
- Description: Dwarf HTTP Server is vulnerable to multiple input
validation issues due to insufficient sanitization of user-supplied
input. Dwarf HTTP Server versions 1.3.2 and earlier are vulnerable.
- Ref: http://secunia.com/secunia_research/2006-13/advisory/
- 06.11.27 - CVE: CVE-2006-0024
- Platform: Cross Platform
- Title: Macromedia Flash Multiple Unspecified Security Vulnerabilities
- Description: Macromedia Flash is a dynamic content platform commonly
used in web based applications. Its plug-in is susceptible to multiple
unspecified vulnerabilities. Macromedia Flash versions prior to
7.0.63.0 and 8.0.24.0 are vulnerable.
- Ref: http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html
- 06.11.28 - CVE: Not Available
- Platform: Cross Platform
- Title: Apple QuickTime/iTunes Integer And Heap Overflow
Vulnerabilities
- Description: An integer overflow and heap-based buffer overflow
vulnerability have been reported in Apple QuickTime and iTunes. These
issues affect both Mac OS X and Microsoft Windows releases of the
software. Please visit the reference link provided for a list of
vulnerable versions.
- Ref: http://www.securityfocus.com/bid/17074
- 06.11.29 - CVE: CVE-2006-1240
- Platform: Cross Platform
- Title: Firebird Local Inet_Server Buffer Overflow
- Description: Firebird is a database. It is vulnerable to a local
buffer overflow issue due to insufficient boundary checks of
user-supplied data when the "-p" command line argument is used.
Firebird versions 1.5.2 and earlier are vulnerable.
- Ref: http://www.securityfocus.com/archive/1/427480
- 06.11.30 - CVE: Not Available
- Platform: Cross Platform
- Title: IBM Tivoli Lightweight Client Framework Information Disclosure
- Description: Tivoli Lightweight Client Framework (LCF) is prone to an
information disclosure vulnerability. The problem occurs in the HTTP
interface of LCF. An authenticated attacker can manipulate the
configuration of the log files and gain read access to files with
superuser privileges. IBM Tivoli Lightweight Client Framework version
3.7.1 is affected.
- Ref: http://www.securityfocus.com/bid/17085
- 06.11.31 - CVE: Not Available
- Platform: Cross Platform
- Title: ENet Multiple Denial of Service Vulnerabilities
- Description: ENet is an open source library for handling UDP
connections. It is affected by multiple denial of service issues. An
attacker may create a command packet containing one or more negative
32-bit numbers causing the application to point to invalid memory
buffers. The next command packet received by the application will
cause a denial of service condition. All current versions are
affected.
- Ref: http://www.securityfocus.com/bid/17087
- 06.11.32 - CVE: Not Available
- Platform: Cross Platform
- Title: CGI::Session Multiple Information Disclosure Vulnerabilities
- Description: CGI::Session is a Perl/CGI session library. It is prone
to multiple information disclosure vulnerabilities because the
application fails to properly set file permissions on files in the
"/tmp" directory which contain sensitive data. CGI::Session version
4.03 is affected.
- Ref: http://www.securityfocus.com/bid/17099
- 06.11.33 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: SPIP Research Module Cross-Site Scripting
- Description: SPIP is a web publishing application. It is vulnerable to
a cross-site scripting issue due to insufficient sanitization of
user-supplied input to some unspecified parameters of the "research"
module. SPIP version 1.8.2-e is vulnerable.
- Ref: http://www.securityfocus.com/bid/17130/info
- 06.11.34 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Contrexx CMS Index.PHP Cross-Site Scripting
- Description: Contrexx CMS is a web-based content management system
(CMS) implemented in PHP. It is prone to a cross-site scripting
vulnerability due to improper sanitization of user supplied input to
"index.php". Contrexx version 1.0.8 is vulnerable.
- Ref: http://www.securityfocus.com/bid/17128/exploit
- 06.11.35 - CVE: CVE-2006-1196, CVE-2006-0983
- Platform: Web Application - Cross Site Scripting
- Title: QwikiWiki Multiple Cross-Site Scripting Vulnerabilities
- Description: QwikiWiki is a web-based wiki application. It is
vulnerable to multiple cross-site scripting issues due to insufficient
sanitization of user-supplied input to such scripts as index.php,
login.php, pageindex.php and recentchanges.php. QwikiWiki 1.4 and 1.5
are vulnerable.
- Ref: http://www.osvdb.org/23700
- 06.11.36 - CVE: CVE-2006-1165
- Platform: Web Application - Cross Site Scripting
- Title: DokuWiki Mediamanager Cross-Site Scripting
- Description: DokuWiki is a web wiki application implemented in PHP.
DokuWiki is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input. DokuWiki versions
2005-9-22 and earlier are vulnerable.
- Ref: http://www.securityfocus.com/bid/17065
- 06.11.37 - CVE: CVE-2006-0985
- Platform: Web Application - Cross Site Scripting
- Title: WordPress Multiple Cross-Site Scripting Vulnerabilities
- Description: WordPress is a web-based publishing application. It is
vulnerable to multiple unspecified cross-site scripting issues due to
insufficient sanitization of user-supplied input. WordPress versions
2.0.1 and earlier are vulnerable.
- Ref: http://wordpress.org/development/2006/03/security-202/
- 06.11.38 - CVE: CVE-2006-1223
- Platform: Web Application - Cross Site Scripting
- Title: Jupiter CMS BBCode HTML Injection
- Description: Jupiter CMS is a content management application written
in PHP. It is prone to an HTML injection vulnerability due to
insufficient sanitization of user-supplied input to the BBCode system
in "img" tags. Jupiter CMS versions 1.1.5 and 1.1.4 are vulnerable.
- Ref: http://www.securityfocus.com/archive/1/427406
- 06.11.39 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: vCard Create.PHP Multiple Cross-Site Scripting Vulnerabilities
- Description: vCard is electronic greeting card software. It is prone
to multiple cross-site scripting vulnerabilities due to insufficient
sanitization of user-supplied input to various scripts. vCard versions
2.9 and 2.8 are affected.
- Ref: http://www.securityfocus.com/bid/17073
- 06.11.40 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: WMNews Multiple Cross-Site Scripting Vulnerabilities
- Description: WMNews is web-based news software implemented in PHP. It
is prone to multiple cross-site scripting vulnerabilities due to
insufficient sanitization of user-supplied input to various scripts.
- Ref: http://www.securityfocus.com/bid/17076
- 06.11.41 - CVE: CVE-2006-1239
- Platform: Web Application - Cross Site Scripting
- Title: Gemini Createissue.ASPX Cross-Site Scripting
- Description: CounterSoft Gemini is a web-based project management
application. It is vulnerable to a cross site scripting issue due to
insufficient sanitization of user-supplied input to the
"rtcDescription$RadEditor1" field of "issue/createissue.aspx" script.
CounterSoft Gemini version 2.0 is vulnerable.
- Ref: http://www.osvdb.org/23907
- 06.11.42 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Inprotect Zones.PHP Cross-Site Scripting
- Description: Inprotect is a web interface for the Nessus security
scanner. It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "Name" and
"Description" parameters of the "zones.php" script. Inprotect versions
0.21 and earlier are vulnerable.
- Ref: http://www.securityfocus.com/bid/17141
- 06.11.43 - CVE: CVE-2006-1217
- Platform: Web Application - SQL Injection
- Title: DSPoll PollID SQL Injection
- Description: DSPoll is a web-based polling application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "pollid" parameter of the "results.php",
"pollit.php" and "topoll.php" scripts. DSPoll version 1.1 is
vulnerable.
- Ref: http://evuln.com/vulns/96/summary.html
- 06.11.44 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Oxynews Index.PHP SQL Injection
- Description: Oxynews is a web-based news application implemented in
PHP. Oxynews is prone to an SQL injection vulnerability due to
insufficient sanitization of user-supplied input to the
"oxynews_comment_id" parameter of the "index.php" script.
- Ref: http://www.securityfocus.com/bid/17132
- 06.11.45 - CVE: CVE-2006-1134
- Platform: Web Application - SQL Injection
- Title: CyBoards PHP Lite Post.PHP SQL Injection
- Description: CyBoards PHP Lite is bulletin board software.
Insufficient sanitization of the "parent" parameter in the "post.php"
script exposes the application to an SQL injection issue. Cyboards PHP
Lite version 1.25 is affected.
- Ref: http://www.securityfocus.com/bid/17107
- 06.11.46 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: DSNewsletter Multiple SQL Injection Vulnerabilities
- Description: DSNewsletter is web-based newsletter software. It is
prone to multiple SQL injection vulnerabilities due to improper
sanitization of user supplied input before using it in an SQL query.
Specifically, input to the "email" parameter of the "include/sub.php",
"include/confirm.php" and "include/unconfirm.php" scripts is not
properly sanitized. DSNewsletter version 1.0 is affected.
- Ref: http://www.securityfocus.com/bid/17111
- 06.11.47 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: DSCounter Index.PHP SQL Injection
- Description: DSCounter is a web-based visitor counter application
implemented in PHP. Insufficient sanitization of the "X-Forwarded-For"
HTTP header in the "index.php" script exposes the application to an SQL
injection issue; the header is supplied by the client and is therefore
as untrusted as any request parameter. See the reference for the
affected DSCounter versions.
- Ref: http://www.securityfocus.com/bid/17112
- 06.11.48 - CVE: CVE-2006-1232
- Platform: Web Application - SQL Injection
- Title: DSDownload Multiple SQL-Injection Vulnerabilities
- Description: DSDownload is a file download tracking application,
written in PHP. It is prone to multiple SQL injection vulnerabilities
due to insufficient sanitization of user-supplied input to the
"category" parameter of the "downloads.php" script, and the "key"
parameter of the "search.php" script. DSDownload version 1.0 is
affected.
- Ref: http://evuln.com/vulns/99/summary.html
- 06.11.49 - CVE: CVE-2006-1020
- Platform: Web Application - SQL Injection
- Title: Vegas Forum Forumlib.PHP SQL Injection
- Description: Vegas Forum is forum software implemented in PHP. It is
prone to an SQL injection vulnerability. The application fails to
properly sanitize user supplied input before using it in an SQL query.
Specifically, input to the "postid" parameter of the "forumlib.php"
library is not properly sanitized. Vegas Forum version 1.0 is
vulnerable.
- Ref: http://www.securityfocus.com/bid/17079/exploit
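The SQL injection entries above (DSPoll, Oxynews, CyBoards, DSNewsletter,
DSCounter, DSDownload, Vegas Forum) all share one root cause: request data is
pasted into SQL text. The following is an added example in Python with
sqlite3, not code from any of the listed applications (which are PHP), using
the DSCounter case as the concrete input because it shows that an HTTP header
is attacker-controlled just like a GET parameter. The schema, the hit-logging
functions and the attack request are constructed for the example.

```python
import ipaddress
import sqlite3


# Constructed sample schema: a users table (the attacker's target) and the
# hits table a visitor counter writes to on every page view.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (login TEXT, pwhash TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE hits (ip TEXT, ua TEXT);
        """
    )
    return conn


def forwarded_ip(headers: dict, remote_addr: str) -> str:
    """First hop of X-Forwarded-For, as counters behind a proxy commonly use it.
    The value is sent by the client, so it is untrusted like a GET parameter."""
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return remote_addr
    return xff.split(",")[0].strip()


def log_hit_vulnerable(conn: sqlite3.Connection, headers: dict, remote_addr: str) -> None:
    # The header value is interpolated into the SQL text: the injection the
    # DSCounter entry describes.
    ip = forwarded_ip(headers, remote_addr)
    ua = headers.get("User-Agent", "")
    conn.execute("INSERT INTO hits (ip, ua) VALUES ('%s', '%s')" % (ip, ua))
    conn.commit()


def log_hit_fixed(conn: sqlite3.Connection, headers: dict, remote_addr: str) -> None:
    # Bound parameters keep data out of the SQL grammar (this alone stops the
    # injection); validating the value as an IP address additionally keeps
    # junk out of the statistics page.
    ip = forwarded_ip(headers, remote_addr)
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        ip = remote_addr
    ua = headers.get("User-Agent", "")
    conn.execute("INSERT INTO hits (ip, ua) VALUES (?, ?)", (ip, ua))
    conn.commit()


def logged_ips(conn: sqlite3.Connection) -> list:
    # What the counter's statistics page would display.
    return [row[0] for row in conn.execute("SELECT ip FROM hits ORDER BY rowid")]


# Constructed attack request: the header closes the string literal and splices
# in a subquery, so the stored "IP address" becomes the admin password hash.
ATTACK_HEADERS = {
    "X-Forwarded-For": "'||(SELECT pwhash FROM users WHERE login='admin')||'",
    "User-Agent": "Mozilla/5.0",
}

if __name__ == "__main__":
    db = make_db()
    log_hit_vulnerable(db, ATTACK_HEADERS, "198.51.100.7")
    print("vulnerable:", logged_ips(db))  # ['5f4dcc3b5aa765d61d8327deb882cf99']
    db = make_db()
    log_hit_fixed(db, ATTACK_HEADERS, "198.51.100.7")
    print("fixed:     ", logged_ips(db))  # ['198.51.100.7']
```

In the vulnerable path the statement that actually runs is
INSERT INTO hits (ip, ua) VALUES (''||(SELECT pwhash ...)||'', 'Mozilla/5.0'),
so the attacker reads the hash back from whatever page lists recent visitors.
Escaping quotes would be a weaker fix than binding; the parameter API never
lets the value reach the SQL parser.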
- 06.11.50 - CVE: Not Available
- Platform: Web Application
- Title: Simple PHP Blog Install05.PHP Local File Include
- Description: Simple PHP Blog is a web blog application implemented in
PHP. It is prone to a local file include vulnerability due to a lack
of sanitization of user supplied input. The "blog_language" parameter
of the "install05.php" script is not properly sanitized. Simple PHP
Blog version 0.4.7.1 and prior are vulnerable; other versions may be
affected as well.
- Ref: http://www.securityfocus.com/bid/17102/exploit
- 06.11.51 - CVE: Not Available
- Platform: Web Application
- Title: Drupal Multiple Input Validation Vulnerabilities
- Description: Drupal is an open-source content management system. It is
prone to multiple input validation vulnerabilities due to improper
sanitization of user supplied input. The following specific issues
have been disclosed: Mail header injection vulnerability, Session
hijacking vulnerability, Cross-site scripting vulnerability,
Information disclosure vulnerability.
- Ref: http://www.securityfocus.com/bid/17104/references
- 06.11.52 - CVE: Not Available
- Platform: Web Application
- Title: php iCalendar Arbitrary File Upload
- Description: php iCalendar is a web-based calendar application. It is
vulnerable to an arbitrary file upload issue due to insufficient
sanitization of user-supplied input to the "calendar/publish.ical.php"
script. php iCalendar versions 2.2.1 and earlier are vulnerable.
- Ref: http://www.securityfocus.com/bid/17129/info
- 06.11.53 - CVE: Not Available
- Platform: Web Application
- Title: Skull-Splitter PHP Guestbook HTML Injection
- Description: PHP Guestbook is a web-based guestbook application.
Insufficient sanitization of the "url" parameter of the
"guestbook.php" script exposes the application to an HTML injection
issue. Skull-Splitter Guestbook version 2.6 is affected.
- Ref: http://www.securityfocus.com/bid/17136
- 06.11.54 - CVE: CVE-2006-0648
- Platform: Web Application
- Title: php iCalendar Local File Include
- Description: php iCalendar is a web-based calendar application
implemented in PHP. It is prone to a local file-include vulnerability
due to insufficient sanitization of user-supplied input in cookie data.
An attacker may modify file paths in this cookie data using directory
traversal sequences ("../") to include and execute local files in the
context of the affected webserver process. php iCalendar versions 2.21
and prior are vulnerable.
- Ref: http://www.milw0rm.com/exploits/1585
- 06.11.55 - CVE: Not Available
- Platform: Web Application
- Title: Milkeyway Captive Portal Multiple Input Validation
Vulnerabilities
- Description: Milkeyway Captive Portal is a web-based portal
application. Insufficient sanitization of user-supplied data exposes
the application to various cross-site scripting and SQL injection
issues. Milkeyway Captive Portal versions 0.1.1 and earlier are
affected.
- Ref: http://www.securityfocus.com/bid/17127
- 06.11.56 - CVE: Not Available
- Platform: Web Application
- Title: Xhawk.net Discussion BBCode IMG Tag Script Injection
- Description: xhawk.net discussion is a web-based bulletin board.
Insufficient sanitization of BBCode IMG tags exposes the application
to a script injection issue. Discussion version 2.0 beta2 is affected.
- Ref: http://www.securityfocus.com/bid/17119
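The cross-site scripting entries earlier in this list and the two HTML
injection entries above (the Skull-Splitter "url" parameter and the xhawk.net
BBCode IMG tag) are the same bug seen from two angles: user text is written
into HTML, and user-supplied URLs become href/src attributes. The following is
an added example in Python, not code from any of the listed applications,
showing a guestbook-style renderer in its vulnerable and hardened forms. The
field names, the scheme allowlist and the sample inputs are constructed for the
example; the hardened form escapes by output context and only turns
allowlisted URLs into markup.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Only absolute http(s) URLs may become href/src attributes; anything else
# ("javascript:", "data:", "vbscript:", scheme-less junk) is shown as text.
SAFE_SCHEMES = {"http", "https"}
IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)


def safe_url(url: str) -> Optional[str]:
    """Return the URL if its scheme is on the allowlist and it has a host,
    else None."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return url


def attr(value: str) -> str:
    # Attribute context: quote=True also escapes " and ' so the value cannot
    # break out of the surrounding quotes.
    return html.escape(value, quote=True)


def render_vulnerable(name: str, url: str, message: str) -> str:
    """Raw interpolation plus a regex BBCode converter: the pattern behind the
    HTML-injection entries above."""
    body = IMG_TAG.sub(r'<img src="\1">', message)
    return f'<a href="{url}">{name}</a><p>{body}</p>'


def render_hardened(name: str, url: str, message: str) -> str:
    link_url = safe_url(url)
    if link_url:
        link = f'<a href="{attr(link_url)}">{html.escape(name)}</a>'
    else:
        link = html.escape(name)  # no usable link: show the name only

    # Walk the message so that all text is escaped and the only markup emitted
    # is the <img> element this code builds from an allowlisted URL. An [img]
    # tag with a rejected URL is rendered as escaped text, not dropped.
    out, pos = [], 0
    for m in IMG_TAG.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        src = safe_url(m.group(1))
        out.append(f'<img src="{attr(src)}">' if src else html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(message[pos:]))
    body = "".join(out)
    return f"{link}<p>{body}</p>"


if __name__ == "__main__":
    # Constructed hostile post: script in the name, javascript: in both URLs.
    hostile = ('"><script>alert(1)</script>',
               "javascript:alert(document.cookie)",
               "[img]javascript:alert(1)[/img]")
    print(render_vulnerable(*hostile))
    print(render_hardened(*hostile))
```

The point of the allowlist is that there is no reliable blocklist for URL
schemes: browsers tolerate mixed case and embedded whitespace in "javascript:",
so the check asks "is this http or https" rather than "does this look like
JavaScript". Escaping alone would not help with the "url" parameter, since a
javascript: URL contains no characters that HTML escaping touches.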
- 06.11.57 - CVE: Not Available
- Platform: Web Application
- Title: KnowledgebasePublisher PageController.PHP Remote File Include
- Description: KnowledgebasePublisher is an open-source web-based
knowledgebase/FAQ application implemented in PHP. It is prone to a
remote file include vulnerability due to improper sanitization of
user-supplied input to the "dir" parameter of "PageController.PHP".
KnowledgebasePublisher version 1.2 is reported to be vulnerable; other
versions may also be vulnerable.
- Ref: http://www.securityfocus.com/bid/17120/exploit
- 06.11.58 - CVE: Not Available
- Platform: Web Application
- Title: ASP Portal Multiple Input Validation Vulnerabilities
- Description: ASP Portal is a web-based portal application. It is
vulnerable to numerous input validation issues due to insufficient
sanitization of user-supplied input. ASP Portal version 3.0 is
vulnerable.
- Ref: http://www.securityfocus.com/archive/1/427701
- 06.11.59 - CVE: Not Available
- Platform: Web Application
- Title: Horde Application Framework Go.PHP Information Disclosure
- Description: The Horde Application Framework is a suite of
applications implemented in PHP. It is prone to an information
disclosure vulnerability due to improper sanitization of user-supplied
input. The problem presents itself in the "/services/go.php" script,
which does not properly sanitize the "url" parameter before passing it
to a "readfile()" function call. Because the underlying file functions
stop at a NULL character, an attacker can insert one to truncate the
path and so control which file is read.
- Ref: http://www.securityfocus.com/archive/1/427710
- 06.11.60 - CVE: Not Available
- Platform: Web Application
- Title: Nodez Multiple Input Validation Vulnerabilities
- Description: Nodez is a content management system implemented in PHP.
It is prone to multiple input validation vulnerabilities due to
insufficient sanitization of user-supplied input to various scripts.
Nodez version 4.6.1.1 is vulnerable.
- Ref: http://www.securityfocus.com/bid/17066
- 06.11.61 - CVE: Not Available
- Platform: Web Application
- Title: Core News Index.PHP Remote Code Execution
- Description: Core News is a news reader application. Insufficient
sanitization of the "page" parameter in the "index.php" script exposes
the application to a remote code execution issue. Core News version
2.0.1 is affected.
- Ref: http://www.securityfocus.com/bid/17067
- 06.11.62 - CVE: Not Available
- Platform: Web Application
- Title: GuppY Dwnld.PHP Remote Directory Traversal
- Description: GuppY is a web-based portal application implemented in
PHP. It is prone to a directory traversal vulnerability due to
improper sanitization of user-supplied input. The problem presents
itself in the "pg" parameter of the "dwnld.php" script. The current
directory traversal filter does not properly handle the URL-encoded
dot "%2E" in attacker-supplied data, so "%2E%2E/" passes a check that
looks only for a literal "../". GuppY versions 4.5.11 and earlier are
affected.
- Ref: http://www.securityfocus.com/bid/17068/exploit
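The GuppY entry (a "../" filter defeated by "%2E"), the Horde go.php entry (a
NULL byte truncating the path given to readfile()) and the two local file
include entries earlier in the list (Simple PHP Blog "blog_language", php
iCalendar cookie data) are all failures of the same check: deciding whether a
user-supplied path stays inside the directory it is supposed to. The following
is an added example in Python, not code from GuppY, Horde or the other
projects, contrasting a filter of the kind those entries describe with one that
canonicalises and checks containment. The document root and the sample
parameter values are constructed; the naive filter assumes, as is common in
this bug class, that the ".." check runs on the raw value and a later step
decodes it.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root; the check is purely lexical, so nothing needs to
# exist on disk for the example to run.
DOCROOT = "/var/www/guppy/file"


class RejectedPath(ValueError):
    pass


def resolve_naive(pg: str, docroot: str = DOCROOT) -> str:
    """Filter of the kind the GuppY entry describes: it looks for '..' in the
    raw parameter, then a later step decodes the value and the dots return."""
    if ".." in pg:
        raise RejectedPath("traversal sequence")
    decoded = unquote(pg)
    return posixpath.normpath(posixpath.join(docroot, decoded))


def resolve_hardened(pg: str, docroot: str = DOCROOT) -> str:
    # 1. Decode until the value stops changing, so neither %2E nor a
    #    double-encoded %252E can hide a dot from the check.
    decoded, prev = pg, None
    while decoded != prev:
        prev, decoded = decoded, unquote(decoded)
    # 2. Reject NUL outright: C-level file APIs (PHP's readfile()/include of
    #    the day) stop at the first NUL byte, which is how "x.png\0.php"-style
    #    suffix checks get bypassed (the Horde go.php entry).
    if "\x00" in decoded:
        raise RejectedPath("NUL byte")
    # 3. Canonicalise, then test containment instead of blocklisting "../".
    #    An absolute 'decoded' replaces docroot in join(); commonpath catches
    #    that case as well as any number of "../" steps.
    full = posixpath.normpath(posixpath.join(docroot, decoded))
    if posixpath.commonpath([docroot, full]) != docroot:
        raise RejectedPath("outside document root")
    return full


def rejected(resolver, pg: str) -> bool:
    """True if the resolver refuses the parameter."""
    try:
        resolver(pg)
    except RejectedPath:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: every dot URL-encoded.
    encoded = "%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd"
    print("naive    ->", resolve_naive(encoded))        # /etc/passwd
    print("hardened ->", rejected(resolve_hardened, encoded))  # True
```

On a real server, canonicalise with os.path.realpath instead of the lexical
normpath used here, so that symbolic links inside the document root are
resolved before the containment check; and when the parameter selects a file
to include, an allowlist of known names is stronger still than any path check.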
- 06.11.63 - CVE: Not Available
- Platform: Web Application
- Title: Zeroboard Multiple HTML Injection Vulnerabilities
- Description: Zeroboard is a web-based bulletin board application
implemented in PHP. It is prone to HTML injection vulnerabilities due
to improper sanitization of user-supplied input before using it in
dynamically generated content. Specifically, the "memo" box title and
"user email" input fields of the homepage information page are not
properly sanitized. An attacker may also take advantage of a flaw in
the IP-address anti-spoofing check in the "bbs/lib.php" script and
conduct HTML injection attacks against the administrative user.
Zeroboard version 4.1-pl7 is vulnerable.
- Ref: http://www.securityfocus.com/bid/17075
- 06.11.64 - CVE: Not Available
- Platform: Web Application
- Title: @1 File Store Multiple Input Validation Vulnerabilities
- Description: @1 File Store is a file archiving and member management
application. It is prone to multiple input validation vulnerabilities
due to improper sanitization of user-supplied input. SQL injection
attacks are possible through the "email" parameter of the
"password.php" script; the "id" parameter of other scripts (not listed
here; see the reference) is also reported vulnerable. Cross-site
scripting attacks are possible through the "real_name", "email" and
"login" parameters of the "signup.php" script.
- Ref: http://www.securityfocus.com/bid/17090
- 06.11.65 - CVE: Not Available
- Platform: Network Device
- Title: BorderWare MXtreme Web Administration Remote Vulnerability
- Description: BorderWare MXtreme is an email firewall. BorderWare
MXtreme web administration interface is prone to an unspecified
vulnerability. The cause and impact of this issue are currently
unknown. BorderWare MXtreme versions 5.0 and 6.0 are vulnerable.
- Ref: http://www.securityfocus.com/bid/17140
(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
==end==
Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.