@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

• (1) CRITICAL: Internet Explorer createTextRange Method Remote Code Execution
• (2) HIGH: Sendmail Signal Handling Memory Corruption
• (3) HIGH: RealNetworks RealPlayer Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Other Microsoft Products

• 06.12.1 - Microsoft Internet Explorer Unspecified Remote HTA Execution
• 06.12.2 - Microsoft Internet Explorer CreateTextRange Remote Code Execution

Third Party Windows Apps

• 06.12.3 - Veritas Backup Exec Media Server BEngine Service Format String Vulnerability
• 06.12.4 - WinHKI Remote Directory Traversal
• 06.12.5 - avast! Antivirus Local Insecure Permissions
• 06.12.6 - MailEnable Enterprise/Professional Editions Webmail Denial of Service
• 06.12.7 - MailEnable Unspecified POP Authentication Bypass
• 06.12.8 - Microsoft ASP.NET COM Components W3WP Remote Denial of Service
• 06.12.9 - Counterpane Password Safe Insecure Random Number Generation
• 06.12.10 - Baby FTP Server Information Disclosure Weakness

Linux

• 06.12.11 - X.Org X Window Server Local Privilege Escalation
• 06.12.12 - Libcgi-session-perl Multiple Insecure Temporary File Creation Vulnerabilities
• 06.12.13 - Linux Kernel Netfilter Do_Replace Remote Buffer Overflow
• 06.12.14 - util-vserver Unknown Linux Capabilities
• 06.12.15 - Linux Kernel sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities

HP-UX

• 06.12.16 - HP-UX Usermod Local Unauthorized Access
• 06.12.17 - HP-UX Swagentd Remote Denial Of Service

BSD

• 06.12.18 - FreeBSD IPsec Replay Vulnerability
• 06.12.19 - OPIE Arbitrary Account Password Change

Unix

• 06.12.20 - Jabber Studio JabberD Remote Denial of Service
• 06.12.21 - FreeRADIUS EAP-MSCHAPv2 Authentication Bypass
• 06.12.22 - runit CHPST Privilege Escalation

Novell

• 06.12.23 - Novell SSL Server Multiple Vulnerabilities

Cross Platform

• 06.12.24 - Monotone MT File Arbitrary Code Execution
• 06.12.25 - Veritas Backup Exec Multiple Remote Denial of Service Vulnerabilities
• 06.12.26 - phpMyAdmin Set_Theme Cross-Site Scripting
• 06.12.27 - BEA WebLogic Server and WebLogic Express HTTP Response Splitting
• 06.12.28 - BEA WebLogic Server Remote Filesystem Access
• 06.12.29 - BEA WebLogic Server Remote Denial of Service
• 06.12.30 - WebLogic Server and WebLogic Express Invalid Login Attempts Weakness
• 06.12.31 - snmptrapfmt Insecure Temporary File Creation
• 06.12.32 - Sendmail Asynchronous Signal Handling Remote Code Execution
• 06.12.33 - RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
• 06.12.34 - Orion Application Server JSP Source Disclosure
• 06.12.35 - Sendmail SM_SysLog Remote Memory Leak Denial Of Service
• 06.12.36 - IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting
• 06.12.37 - Internet Security Systems BlackICE and RealSecure Desktop Local Privilege Escalation

Web Application - Cross Site Scripting

• 06.12.38 - Invision Power Board Multiple Cross-Site Scripting Vulnerabilities
• 06.12.39 - ExtCalendar Cross-Site Scripting Vulnerabilities
• 06.12.40 - Woltlab Burning Board Class_DB_MySQL.PHP Cross-Site Scripting
• 06.12.41 - Noah's Classifieds Index.PHP Multiple Cross-Site Scripting
• 06.12.42 - Streber Unspecified HTML Injection
• 06.12.43 - Verisign MPKI 6.0 Haydn.EXE Cross-Site Scripting
• 06.12.44 - Virtual Communication Services VPMi Service_Requests.ASP Cross-Site Scripting
• 06.12.45 - PHP Live! Status_Image.PHP Cross-Site Scripting
• 06.12.46 - Invision Power Board PM Cross-Site Scripting
• 06.12.47 - EasyMoblog Img.PHP Cross-Site Scripting
• 06.12.48 - CoMoblog Img.PHP Cross-Site Scripting
• 06.12.49 - Webcheck Username HTML Injection
• 06.12.50 - Pubcookie Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

• 06.12.51 - xhawk.net Discussion Discussion.Class.PHP SQL Injection
• 06.12.52 - BetaParticle Blog Multiple SQL Injection Vulnerabilities
• 06.12.53 - phpWebsite Multiple SQL Injection Vulnerabilities
• 06.12.54 - Skull-Splitter Download Counter for Wallpapers Count.PHP SQL Injection
• 06.12.55 - Maian Weblog Multiple SQL Injection Vulnerabilities
• 06.12.56 - SoftBB Reg.PHP SQL Injection
• 06.12.57 - ASP Portal Download_click.ASP SQL Injection
• 06.12.58 - 1WebCalendar Multiple SQL Injection Vulnerabilities
• 06.12.59 - AdMan ViewStatement.PHP SQL Injection

Web Application

• 06.12.60 - MusicBox Multiple Input Validation Vulnerabilities
• 06.12.61 - CutePHP CuteNews Function.PHP Local File Include
• 06.12.62 - BEA WebLogic Portal JSR-168 Portlets Information Disclosure
• 06.12.63 - gCards Multiple Input Validation Vulnerabilities
• 06.12.64 - Free Articles Directory Remote File Include Vulnerability
• 06.12.65 - PHP SimpleNEWS Authentication Bypass
• 06.12.66 - OSWiki Username HTML Injection
• 06.12.67 - AnyPortal(PHP) Siteman.PHP3 Directory Traversal
• 06.12.68 - Beagle Insecure Application Path
• 06.12.69 - VBulletin ImpEx Remote File Include
• 06.12.70 - eXpandable Home Page CMS Multiple Access Validation Vulnerabilities
• 06.12.71 - Pablo Software Solutions Baby Web/Quick 'n Easy Web ASP Source Disclosure

Network Device

• 06.12.72 - F5 Firepass 4100 SSL VPN Cross-Site Scripting
• 06.12.73 - Motorola PEBL U6 OBEX Setpath Buffer Overflow

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 12, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4949 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 06.12.1 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Unspecified Remote HTA Execution
• Description: Microsoft Internet Explorer is affected by an unspecified remote issue. HTA files are HTML applications that are given higher levels of trust and access to the local system that remote web pages are normally given. Due to this higher level of trust, successful exploits may possibly facilitate arbitrary remote code execution and the compromise of affected computers. This vulnerability affects Internet Explorer 6.0 running on Microsoft Windows 98, Windows XP, and Windows Server 2003.
• Ref: http://www.securityfocus.com/bid/17181

• 06.12.2 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer CreateTextRange Remote Code Execution
• Description: Microsoft Internet Explorer is affected by a remote code execution issue due to a flaw in the application that results in an invalid table pointer dereference. Certain uses of the "createTextRange()" JavaScript method exposes this issue. Internet Explorer 6 and 7 beta 2 are affected.
• Ref: http://www.securityfocus.com/bid/17196

• 06.12.3 - CVE: CVE-2006-1298
• Platform: Third Party Windows Apps
• Title: Veritas Backup Exec Media Server BEngine Service Format String Vulnerability
• Description: Veritas Backup Exec Media Server provides backup solutions. The "bengine.exe" is vulnerable to a remote format string issue due to insufficient handling of malicious filenames during a backup run. Symantec Veritas Backup Exec for Windows Servers versions 10.1 and earlier are vulnerable.
• Ref: http://seer.support.veritas.com/docs/282254.htm

• 06.12.4 - CVE: CVE-2006-1323
• Platform: Third Party Windows Apps
• Title: WinHKI Remote Directory Traversal
• Description: WinHKI is a file compression and decompression application. It is vulnerable to a directory traversal issue when the application processes malformed RAR and TAR archives. WinHKI versions 1.6 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/17153/info

• 06.12.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: avast! Antivirus Local Insecure Permissions
• Description: The avast! antivirus application is prone to a local insecure permissions vulnerability because it incorrectly resets the permissions on critical files in the "Program FilesAlwil SoftwareAvast4" directory during its periodic update process. avast! 4.x versions are vulnerable.
• Ref: http://www.securityfocus.com/bid/17158

• 06.12.6 - CVE: CVE-2006-1338
• Platform: Third Party Windows Apps
• Title: MailEnable Enterprise/Professional Editions Webmail Denial of Service
• Description: MailEnable is an email server application. It is vulnerable to a remote denial of service issue due to insufficient handling of specially formatted "quoted-printable" emails. The following versions resolve this issue: MailEnable Professional version 1.73 and Enterprise Edition version 1.21.
• Ref: http://www.mailenable.com/enterprisehistory.asp

• 06.12.7 - CVE: CVE-2006-1337
• Platform: Third Party Windows Apps
• Title: MailEnable Unspecified POP Authentication Bypass
• Description: MailEnable is an email server application. It is vulnerable to an unspecified authentication bypass issue in the POP service. The following versions resolve this issue: MailEnable Professional version 1.73, Enterprise Edition version 1.21 and standard version 1.93.
• Ref: http://www.mailenable.com/standardhistory.asp

• 06.12.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Microsoft ASP.NET COM Components W3WP Remote Denial of Service
• Description: w3wp.exe is a worker process associated with the Microsoft IIS access pool. ASP.NET is a set of tools based on the .NET framework for building web applications. The application is affected by a remote denial of service issue due to the "ASPCompat" directive when accessing COM and COM+ components.
• Ref: http://www.securityfocus.com/bid/17188

• 06.12.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Counterpane Password Safe Insecure Random Number Generation
• Description: Counterpane Password Safe is a password storage application for Microsoft Windows operating systems. It is susceptible to an insecure random number generation vulnerability that allows easier brute force decryption attacks. This issue is due to a failure of the application to properly utilize a cryptographically secure random number generation algorithm. This issue is only present when Password Safe 3.0 is running on operating systems prior to Microsoft Windows XP. Version 3.0 of the software is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/428552

• 06.12.10 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Baby FTP Server Information Disclosure Weakness
• Description: Baby FTP Server is vulnerable to an information disclosure weakness due to insufficient sanitization of user-supplied input such as "../". Baby FTP Server version 1.24 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17205/info

• 06.12.11 - CVE: CVE-2006-0745
• Platform: Linux
• Title: X.Org X Window Server Local Privilege Escalation
• Description: The X.Org X server is a windows server for Unix variants. It is vulnerable to a privilege escalation issue due to insufficient verification of credentials before permitting access to the "modulepath" and "logfile" command line options. X.Org X server version X11R7 1.0.2 resolves the issue.
• Ref: http://www.securityfocus.com/archive/1/428230

• 06.12.12 - CVE: Not Available
• Platform: Linux
• Title: Libcgi-session-perl Multiple Insecure Temporary File Creation Vulnerabilities
• Description: Libcgi-session-perl is vulnerable to multiple insecure temporary file creation issues because session files are written in an insecure manner such as with world readable permissions. Libcgi-session-perl version 4.03-1 for Debian is vulnerable.
• Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555

• 06.12.13 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel Netfilter Do_Replace Remote Buffer Overflow
• Description: The Linux kernel is susceptible to a remote buffer overflow vulnerability due to improper boundary checking of user supplied input before using it in a memory copy operation. Linux kernel versions prior to 2.6.16 in the 2.6 series are affected by this issue.
• Ref: http://www.securityfocus.com/bid/17178

• 06.12.14 - CVE: CVE-2005-4418
• Platform: Linux
• Title: util-vserver Unknown Linux Capabilities
• Description: util-vserver is an administrative utility for the Linux-VServer package. It is susceptible to an unknown Linux capability vulnerability. This issue presents itself in the "vc_get_insecurebcaps()" function in the "lib/getinsecurebcaps.c" source file. This function operates on a list of hard coded capabilities, and fails to consider all others. This issue has been fixed in util-vserver version 0.30.210.
• Ref: http://www.securityfocus.com/bid/17180

• 06.12.15 - CVE: CVE-2006-1342, CVE-2006-1343
• Platform: Linux
• Title: Linux Kernel sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
• Description: The Linux kernel is affected by multiple local memory disclosure vulnerabilities. These issues are due to a failure of the kernel to properly clear previously used kernel memory prior to returning it to local users. These issues return 6 bytes of previously-used kernel memory in the "sockaddr_in.sin_zero" memory buffer when local users call the following functions: accept(), getpeername(), getsockname(), getsockopt() with the "SO_ORIGINAL_DST" flag. Linux kernel versions 2.6.16 -rc1 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/17203/exploit

• 06.12.16 - CVE: CVE-2006-1248
• Platform: HP-UX
• Title: HP-UX Usermod Local Unauthorized Access
• Description: HP-UX is vulnerable to a local unauthorized access issue because a certain combination of options relating to usermod results in recursively modifying ownership of all files and directories under a user's home directory. HP-UX versions B.11.00, B.11.11 and B.11.23 are vulnerable.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&
  amp;objectID=c00614838&jumpid=reg_R1002_USEN

• 06.12.17 - CVE: Not Available
• Platform: HP-UX
• Title: HP-UX Swagentd Remote Denial Of Service
• Description: Swagentd is a local and remote software distribution application for HP-UX. It is vulnerable to an unspecified remote denial of service issue. HP-UX versions B.11.11 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/17215/info

• 06.12.18 - CVE: CVE-2006-0905
• Platform: BSD
• Title: FreeBSD IPsec Replay Vulnerability
• Description: FreeBSD's IPsec implementation is vulnerable to remote replay attacks due to a flaw in the "fast_ipsec(4)" which allows all packets to pass the anti-replay sequence number validation check. FreeBSD versions 6.0 and earlier are vulnerable.
• Ref: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:11.ipsec.asc

• 06.12.19 - CVE: CVE-2006-1283
• Platform: BSD
• Title: OPIE Arbitrary Account Password Change
• Description: OPIE is a one-time password system designed to protect against replay attacks. It is prone to an arbitrary password change vulnerability. This issue exists because "opiepasswd" uses "getlogin" to identify the user that invoked "opiepasswd". Under certain circumstances "getlogin" may return root even when it is running as an unprivileged user, allowing the user to configure OPIE authentication for the root user. FreeBSD versions 6.0 -STABLE and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/17194

• 06.12.20 - CVE: CVE-2006-1329
• Platform: Unix
• Title: Jabber Studio JabberD Remote Denial of Service
• Description: Jabber Studio JabberD is an instant messaging protocol application. It is vulnerable to a remote denial of service issue due to insufficient handling of malformed network messages. Jabber Server versions 2.0 s10 and earlier are vulnerable.
• Ref: http://article.gmane.org/gmane.network.jabber.admin/27372

• 06.12.21 - CVE: Not Available
• Platform: Unix
• Title: FreeRADIUS EAP-MSCHAPv2 Authentication Bypass
• Description: FreeRADIUS is a freely available, open source implementation of the RADIUS protocol. It is available for the Unix and Linux platforms. FreeRADIUS is prone to an authentication bypass vulnerability. This issue exists because adequate input validation was not being performed in the EAP-MSCHAPv2 client state machine. This could allow a user to manipulate the EAP-MSCHAPv2 client state machine to convince the server to bypass authentication checks. FreeRADIUS versions 1.0.0 to 1.1.0 are vulnerable.
• Ref: http://www.freeradius.org/security.html

• 06.12.22 - CVE: CVE-2006-1319
• Platform: Unix
• Title: runit CHPST Privilege Escalation
• Description: runit is an "init" replacement package for Unix, Linux, and other Unix-like operating systems. It is susceptible to a local privilege escalation vulnerability. This issue is due to a flaw in the "chpst" utility that results in programs gaining unintended, elevated group privileges. runit versions prior to 1.4.1 are affected by this issue.
• Ref: http://www.securityfocus.com/bid/17179

• 06.12.23 - CVE: CVE-2006-0997, CVE-2006-0998, CVE-2006-0999
• Platform: Novell
• Title: Novell SSL Server Multiple Vulnerabilities
• Description: Novell SSL Server contains multiple vulnerabilities, such as incorrectly facilitating cleartext communications or employing weak encryption algorithms. Novell Open Enterprise Server and Netware versions 6.5 SP4 and earlier are vulnerable.
• Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm

• 06.12.24 - CVE: Not Available
• Platform: Cross Platform
• Title: Monotone MT File Arbitrary Code Execution
• Description: Monotone is a version control system released under the GNU GPL. Monotone is prone to an arbitrary code execution vulnerability due to a design error in the application. This issue only affects Monotone on case insensitive filesystems such as Microsoft Windows and Apple Mac OS X. Monotone version 0.25 is affected.
• Ref: http://lists.gnu.org/archive/html/monotone-devel/2006-03/msg00062.html

• 06.12.25 - CVE: Not Available
• Platform: Cross Platform
• Title: Veritas Backup Exec Multiple Remote Denial of Service Vulnerabilities
• Description: Veritas Backup Exec is a network enabled backup solution. It is affected by multiple remote denial of service issues. The vulnerabilities present themselves when the application handles specially crafted Network Data Management Protocol (NDMP) packets. Various versions of Backup Exec Windows, Linux and Netware are affected.
• Ref: http://www.securityfocus.com/bid/17098

• 06.12.26 - CVE: Not Available
• Platform: Cross Platform
• Title: phpMyAdmin Set_Theme Cross-Site Scripting
• Description: phpMyAdmin is a tool that provides a web interface for handling MySQL administrative tasks. phpMyAdmin is prone to a cross-site scripting vulnerability due to improper sanitization of user supplied input to the "set_theme" parameter of "index.php". phpMyAdmin version 2.8.1 is affected.
• Ref: http://www.securityfocus.com/bid/17142/exploit

• 06.12.27 - CVE: Not Available
• Platform: Cross Platform
• Title: BEA WebLogic Server and WebLogic Express HTTP Response Splitting
• Description: WebLogic Server and WebLogic Express are enterprise application server products distributed by BEA Systems. They are prone to an HTTP response splitting vulnerability. This issue is due to a failure in the application to properly sanitize user supplied input prior to using it to create dynamic content.
• Ref: http://www.securityfocus.com/bid/17163

• 06.12.28 - CVE: Not Available
• Platform: Cross Platform
• Title: BEA WebLogic Server Remote Filesystem Access
• Description: WebLogic Server is prone to a vulnerability that could allow a remote attacker with HTTP access to the server to read files on the local filesystem. This issue exists because an internal servlet installed by default allows access to the underlying Windows filesystem. WebLogic Server version 6.1 is vulnerable.
• Ref: http://dev2dev.bea.com/pub/advisory/180

• 06.12.29 - CVE: Not Available
• Platform: Cross Platform
• Title: BEA WebLogic Server Remote Denial of Service
• Description: BEA WebLogic Server and WebLogic Server Express are prone to a remote denial of service issue due to a design error in the application's XML parser. BEA Weblogic Server version 8.1 is affected.
• Ref: http://www.securityfocus.com/bid/17167

• 06.12.30 - CVE: Not Available
• Platform: Cross Platform
• Title: WebLogic Server and WebLogic Express Invalid Login Attempts Weakness
• Description: WebLogic Server and WebLogic Express are enterprise application server products distributed by BEA Systems. They are prone to a weakness facilitating excessive invalid login attempts a against an username. This issue can aid in brute force attacks. WebLogic Server versions 8.1 SP 4 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/17168

• 06.12.31 - CVE: CVE-2006-0050
• Platform: Cross Platform
• Title: snmptrapfmt Insecure Temporary File Creation
• Description: snmptrapfmt is a configurable SNMP trap handler daemon for snmpd. snmptrapfmt creates temporary files in an insecure manner. This may allow a local attacker to perform symbolic link attacks. Debian Linux version 3.1 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17182

• 06.12.32 - CVE: CVE-2006-0058
• Platform: Cross Platform
• Title: Sendmail Asynchronous Signal Handling Remote Code Execution
• Description: Sendmail is a widely used MTA for Unix and Microsoft Windows systems. It is prone to a remote code execution vulnerability due to an unspecified race condition error. Sendmail versions prior to 8.13.6 are vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/17192

• 06.12.33 - CVE: CVE-2006-0323, CAN-2005-2922
• Platform: Cross Platform
• Title: RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
• Description: Various RealNetworks products are prone to multiple buffer overflow vulnerabilities. These issues arise because the applications fail to perform boundary checks prior to copying user-supplied data into sensitive process buffers. Please see the advisory below for details.
• Ref: http://www.securityfocus.com/bid/17202

• 06.12.34 - CVE: CVE-2006-0816
• Platform: Cross Platform
• Title: Orion Application Server JSP Source Disclosure
• Description: Orion Application Server is an enterprise application server. It is vulnerable to Java Server Pages (JSP) source disclosure due to insufficient validation of the filename extension. Orion Application Server versions 2.0.5 and 2.0.6 are vulnerable.
• Ref: http://secunia.com/secunia_research/2006-11/advisory/

• 06.12.35 - CVE: CVE-2006-0058
• Platform: Cross Platform
• Title: Sendmail SM_SysLog Remote Memory Leak Denial Of Service
• Description: Sendmail is a widely used MTA for UNIX and Microsoft Windows systems. Sendmail is prone to a remote denial of service vulnerability. This issue is due to a failure of the application to properly free allocated memory regions when it is finished with them. Remote attackers may leverage this issue to consume excessive memory, eventually crashing the application. Sendmail versions prior to 8.13.6 are vulnerable to this issue.
• Ref: http://www.sendmail.com/company/advisory/index.shtml

• 06.12.36 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting
• Description: IBM Tivoli Business Systems Manager is a web application for the management of IT operations. It is prone to a cross-site scripting vulnerability due to improper sanitization of user supplied input to the "skin" parameter of the "TbsmWebConsole/help/en/jsp/apwc_win_main.jsp" page. IBM Tivoli Business Systems Manager version 3.1 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17210/exploit

• 06.12.37 - CVE: CAN-2005-2711
• Platform: Cross Platform
• Title: Internet Security Systems BlackICE and RealSecure Desktop Local Privilege Escalation
• Description: Multiple Internet Security Systems (ISS) products are susceptible to a local privilege escalation vulnerability. This issue is due to a failure of the application to properly lower the privileges of the running process when required. This vulnerability allows local attackers to access and execute arbitrary files with SYSTEM privileges, facilitating the compromise of the local computer.
• Ref: http://www.securityfocus.com/archive/1/428588

• 06.12.38 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Invision Power Board Multiple Cross-Site Scripting Vulnerabilities
• Description: Invision Power Board is a web-based bulletin board application implemented in PHP. It is prone to multiple cross-site scripting vulnerabilities due to improper sanitization of user supplied input. Invision Board version 2.0.4 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17144/exploit

• 06.12.39 - CVE: CVE-2006-1336
• Platform: Web Application - Cross Site Scripting
• Title: ExtCalendar Cross-Site Scripting Vulnerabilities
• Description: ExtCalendar is a web-based calendar application that is implemented in PHP. ExtCalendar is prone to multiple cross site scripting vulnerabilities. ExtCalendar version 1.0 of the software is vulnerable.
• Ref: http://www.securityfocus.com/bid/17146

• 06.12.40 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Woltlab Burning Board Class_DB_MySQL.PHP Cross-Site Scripting
• Description: Woltlab Burning Board is a web-based bulletin board package. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "errormsg" variable in the "wbb/acp/lib/class_db_mysql.php" script. Woltlab Burning Board version 2.3.4 is affected.
• Ref: http://www.securityfocus.com/bid/17147

• 06.12.41 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Noah's Classifieds Index.PHP Multiple Cross-Site Scripting
• Description: Noah's Classifieds is a general purpose web-based advertising application. Insufficient sanitization of the "list" and "method" parameters of the "index.php" script exposes the application to multiple cross-site scripting issues.
• Ref: http://www.securityfocus.com/bid/17151

• 06.12.42 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Streber Unspecified HTML Injection
• Description: Streber is a web-based project management application written in PHP. Streber is affected by an unspecified HTML injection vulnerability. Streber versions 0.054 and prior are vulnerable.
• Ref: http://www.securityfocus.com/bid/17157

• 06.12.43 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Verisign MPKI 6.0 Haydn.EXE Cross-Site Scripting
• Description: Verisign's MPKI 6.0 package contains CGI common components in various Verisign products, including those aimed at Digital ID certificate enrollment, revocation and validation of server certificates. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "VHTML_FILE" parameter of the "haydn.exe" script.
• Ref: http://www.securityfocus.com/bid/17170/exploit

• 06.12.44 - CVE: CVE-2006-1266
• Platform: Web Application - Cross Site Scripting
• Title: Virtual Communication Services VPMi Service_Requests.ASP Cross-Site Scripting
• Description: VPMi Enterprise is a project management system. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "Request_Name_Display" parameter of "Service_Requests.ASP" script. Virtual Communication Services VPMi version 3.3 is affected.
• Ref: http://www.securityfocus.com/bid/17172

• 06.12.45 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: PHP Live! Status_Image.PHP Cross-Site Scripting
• Description: PHP Live! is a live support system application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "base_url" variable in the "status_image.php" script. PHP Live! version 3.0 is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/428452

• 06.12.46 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Invision Power Board PM Cross-Site Scripting
• Description: Invision Power Board is a web-based bulletin board application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input through "PM". Invision Board versions 2.1.5 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/17187

• 06.12.47 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: EasyMoblog Img.PHP Cross-Site Scripting
• Description: EasyMoblog is a web log application implemented in PHP. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "i" parameter of the "img.php" script.
• Ref: http://www.securityfocus.com/bid/17199/exploit

• 06.12.48 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: CoMoblog Img.PHP Cross-Site Scripting
• Description: CoMoblog is a web log application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "i" parameter of the "img.php" script. CoMoblog version 1.1 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17201

• 06.12.49 - CVE: CVE-2006-1321
• Platform: Web Application - Cross Site Scripting
• Title: Webcheck Username HTML Injection
• Description: Webcheck is web site crawling application. It is vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input to the url, title, or author name in a crawled page. Webcheck versions 1.9.5 and earlier are vulnerable.
• Ref: http://ch.tudelft.nl/~arthur/webcheck/news.html#2006013

• 06.12.50 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Pubcookie Multiple Cross-Site Scripting Vulnerabilities
• Description: Pubcookie is a web application that provides single sign-on authentication for multiple websites. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "mod_pubcookie" Apache module and ISAPI filter as well as the "index.cgi" program. These issues were addressed in Pubcookie versions 3.3.0a and 3.2.1b.
• Ref: http://pubcookie.org/news/20060306-login-secadv.html http://pubcookie.org/news/20060306-apps-secadv.html

• 06.12.51 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: xhawk.net Discussion Discussion.Class.PHP SQL Injection
• Description: The "discussion" application from xhawk.net is bulletin board software implemented in PHP. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "view" parameter of the "discussion.class.php" script. xhawk.net version 2.0 beta2 is affected.
• Ref: http://www.securityfocus.com/bid/17121

• 06.12.52 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: BetaParticle Blog Multiple SQL Injection Vulnerabilities
• Description: BetaParticle Blog is a blogging application. Insufficient sanitization of the "id" variable in the "template_permalink.asp" script and the "fldGalleryID" variable in the "template_gallery_detail.asp" script exposes the application to an SQL injection issue. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/17148

• 06.12.53 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: phpWebsite Multiple SQL Injection Vulnerabilities
• Description: phpWebSite is a content management system. It is prone to multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "sid" parameter of "friend.php" and "article.php" scripts. phpWebsite versions 0.10.2 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/17150

• 06.12.54 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Skull-Splitter Download Counter for Wallpapers Count.PHP SQL Injection
• Description: Skull-Splitter Download Counter for wallpapers is a web application implemented in PHP. Download Counter for Wallpapers is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input. Specifically, input to the "count_fieldname", "url_fieldname", and "url" parameters of the "count.php" script is not properly sanitized. Skull-Splitter Download Counter for Wallpapers version 1.0 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17156

• 06.12.55 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Maian Weblog Multiple SQL Injection Vulnerabilities
• Description: Maian Weblog is a web blogging application. Insufficient sanitization of user-supplied input exposes the application to multiple SQL injection issues. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/17159

• 06.12.56 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: SoftBB Reg.PHP SQL Injection
• Description: SoftBB is a web-based forum application. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input. Specifically, input to the "mail" parameter of "reg.php" is not properly sanitized. SoftBB version 0.1 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17160/exploit

• 06.12.57 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: ASP Portal Download_click.ASP SQL Injection
• Description: ASP Portal is a website management application. Insufficient sanitization of the "downloadid" parameter of the "download_click.asp" script exposes the application to an SQL injection issue. ASP Portal version 3.1.1 is affected.
• Ref: http://www.securityfocus.com/bid/17174

• 06.12.58 - CVE: CVE-2006-1372
• Platform: Web Application - SQL Injection
• Title: 1WebCalendar Multiple SQL Injection Vulnerabilities
• Description: 1WebCalendar is a web-based calendar application implemented in Macromedia ColdFusion. 1WebCalendar is prone to multiple SQL injection vulnerabilities.
• Ref: http://pridels.blogspot.com/2006/03/1webcalendar-v-4x-vuln.html

• 06.12.59 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: AdMan ViewStatement.PHP SQL Injection
• Description: AdMan is an advertisement management application. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "transactions_offset" parameter of the "viewStatement.php" script. AdMan versions 1.0.20051221 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/17208

• 06.12.60 - CVE: Not Available
• Platform: Web Application
• Title: MusicBox Multiple Input Validation Vulnerabilities
• Description: MusicBox is a web-based application for hosting a music site. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. The issues include three cross-site scripting vulnerabilities and two SQL injection vulnerabilities. MusicBox 2.3-Beta 2 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/17149/exploit

• 06.12.61 - CVE: Not Available
• Platform: Web Application
• Title: CutePHP CuteNews Function.PHP Local File Include
• Description: CuteNews is a web-based news management application. CuteNews is prone to a local file include vulnerability. This issue is due to a failure in the application to properly sanitize user supplied input. The problem presents itself in how "functions.inc.php" sanitizes the "archive" parameter. CuteNews version 1.4.1 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17152/references

• 06.12.62 - CVE: CVE-2006-1358
• Platform: Web Application
• Title: BEA WebLogic Portal JSR-168 Portlets Information Disclosure
• Description: BEA WebLogic Portal is prone to an information disclosure vulnerability. The problem presents itself when the occasional JSR-168 Portlet is mistakenly rendered from cache. This may enable one user to view another user's JSR-168 Portlet. Versions of Weblogic prior to 8.1 SP6 are vulnerable.
• Ref: http://www.securityfocus.com/bid/17164

• 06.12.63 - CVE: CVE-2006-1348, CVE-2006-1347, CVE-2006-1346
• Platform: Web Application
• Title: gCards Multiple Input Validation Vulnerabilities
• Description: gCards is an electronic greeting card application. It is vulnerable to multiple input validation issues, such as cross-site scripting and SQL injection. These issues are due to insufficient sanitizaion of user-supplied input. gCards versions 1.45 and earlier are vulnerable.
• Ref: http://www.milw0rm.com/exploits/1595

• 06.12.64 - CVE: CVE-2006-1350
• Platform: Web Application
• Title: Free Articles Directory Remote File Include Vulnerability
• Description: Free Articles Directory is a web-based application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "page" paramter of the "Index.php" script. All versions of Free Articles Directories are vulnerable.
• Ref: http://www.securityfocus.com/bid/17183/info

• 06.12.65 - CVE: CVE-2006-1276
• Platform: Web Application
• Title: PHP SimpleNEWS Authentication Bypass
• Description: PHP SimpleNEWS is prone to an authentication bypass vulnerability. This is due to a lack of proper validation of cookie data by the affected scripts. User authentication may be bypassed simply by setting a value of "admin" to the "username" parameter of the "admin.php" script. Once this is done, the administrative interface of the application becomes available.
• Ref: http://www.securityfocus.com/archive/1/428427

• 06.12.66 - CVE: Not Available
• Platform: Web Application
• Title: OSWiki Username HTML Injection
• Description: OSWiki is a web-based wiki application. It is affected by an HTML injection vulnerability due to improper sanitization of user-supplied input to the "username" input field before including it in dynamically generated content. OSWiki versions prior to 0.3.1 are vulnerable.
• Ref: http://www.securityfocus.com/bid/17189

• 06.12.67 - CVE: Not Available
• Platform: Web Application
• Title: AnyPortal(PHP) Siteman.PHP3 Directory Traversal
• Description: AnyPortal(PHP) is a web-based portal application. It is prone to a directory traversal vulnerability due to insufficient sanitization of user-supplied input to the "siteman.php3" script. AnyPortal(PHP) release "12 MAY 00" is vulnerable.
• Ref: http://nger.org/anyportal/forum/read.php?f=1&i=152&t=152#reply_152

• 06.12.68 - CVE: CAN-2006-1296
• Platform: Web Application
• Title: Beagle Insecure Application Path
• Description: Beagle is a wiki application. It is vulnerable to an insecure application path issue due to a design error with the "beagle-status" script running the "beagle-info" script. Beagle version 0.2.2.1 is vulnerable.
• Ref: http://secunia.com/advisories/19278

• 06.12.69 - CVE: Not Available
• Platform: Web Application
• Title: VBulletin ImpEx Remote File Include
• Description: ImpEx is the importing and exporting system for VBulletin. It is prone to a remote file include vulnerability due to improper sanitization of user-supplied input to the "systempath" variable of "ImpExData.php".
• Ref: http://www.securityfocus.com/bid/17206/exploit

• 06.12.70 - CVE: Not Available
• Platform: Web Application
• Title: eXpandable Home Page CMS Multiple Access Validation Vulnerabilities
• Description: eXpandable Home Page CMS is a web content management application. Insufficient sanitization of user-supplied input exposes the application to multiple access validation issues. eXpandable version 0.5 is affected.
• Ref: http://www.securityfocus.com/bid/17209

• 06.12.71 - CVE: Not Available
• Platform: Web Application
• Title: Pablo Software Solutions Baby Web/Quick 'n Easy Web ASP Source Disclosure
• Description: A source disclosure issue is exposed in Pablo Software Solutions Baby Web/Quick 'n Easy web server due to a failure to properly validate filename extensions. Baby Web Server and versions prior to 3.1.1 of its successor Quick 'n Easy Web Server are affected.
• Ref: http://www.securityfocus.com/bid/17222

• 06.12.72 - CVE: Not Available
• Platform: Network Device
• Title: F5 Firepass 4100 SSL VPN Cross-Site Scripting
• Description: Firepass 4100 SSL VPN is a secure virtual private network device that utilizes SSL over HTTPS versus the standard IPSec VPN. It is prone to a cross-site scripting vulnerability. The application fails to properly sanitize user-supplied input to the "username" parameter of "my.support.php3". FirePass 4100 version 5.4.2 is vulnerable.
• Ref: http://www.securityfocus.com/bid/17175/exploit

• 06.12.73 - CVE: Not Available
• Platform: Network Device
• Title: Motorola PEBL U6 OBEX Setpath Buffer Overflow
• Description: Motorola PEBL U6 is a cellular telephone handset that supports the Bluetooth protocol. Motorola PEBL U6 devices are prone to a remote buffer overflow vulnerability. This issue occurs when the device processes a "setpath()" with an excessively long argument during an OBEX file transfer session. It is important to note that an attacker would have to convince a vulnerable user to accept an OBEX file transfer session in order to exploit this vulnerability. All Motorola PEBL handsets are vulnerable to this issue; other handsets may also be affected.
• Ref: http://www.securityfocus.com/archive/1/428431

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.