
@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 14
April 10, 2006

A light week for critical new vulnerabilities in operating systems and major applications offers us all an opportunity to focus on vulnerable web applications. Few targets are more inviting or more vulnerable than web applications written by people who are not well versed in avoiding SQL injection and "remote file include" vulnerabilities. If you don't have a systematic way of eliminating these common errors, your systems and your customers' private information are easy pickings. (SANS Track 4: Hacker Exploits, at SANS Security San Diego and SANSFIRE in Washington, in eleven other cities around the world, and live online, is a great way to make sure you know how the attacks work and what to do about them: http://www.sans.org )

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Other Microsoft Products                  1 (#2)
    Third Party Windows Apps                  5 (#4)
    Mac OS                                    1
    Linux                                     3
    HP-UX                                     1
    Unix                                      2
    Cross Platform                            8 (#1, #5)
    Web Application - Cross Site Scripting    19
    Web Application - SQL Injection           9
    Web Application                           26
    Network Device                            2 (#3)

********************** Sponsored by Sourcefire **************************

Sourcefire, the creator of Snort, is offering the Open Source Snort community two comprehensive courses: "Snort: Building and Operating" and "Snort Rules." Purchase both Snort courses either as an instructor-led or 60-day online training bundle and receive a FREE Snort Certified Professional exam (save $395).

For more information: http://www.sans.org/info.php?id=1095

Contact Sourcefire Training at 800.501.6008 or at: http://www.sans.org/info.php?id=1096

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
HP-UX
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

Note: The number of SQL injection and remote file include vulnerabilities continues to increase, and many of these vulnerabilities are being actively exploited. The vulnerabilities are listed in separate sub-sections in Part 2 of the newsletter, and we avoid repeating them in Part 1. For this week, users of Claroline, PHP-Nuke-Clan, and PHPMyChat should harden their installations as exploits for the flaws in these packages are publicly available. The SANS Top-20 is another good reference to harden against PHP-based attacks - http://www.sans.org/top20/#c3
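The SQL injection pattern behind the Part II entries (a login form's "pass" field, a numeric "postid" or "limite" parameter) is easiest to see beside its fix. The following is an added example, not code from this newsletter or from any package it lists: it runs the vulnerable string-built query and the parameterized query against an in-memory SQLite database. The table names, the admin account and the posts are constructed for the demonstration.

```python
"""Added example, not code from the @RISK newsletter or from any package it
lists: SQL injection against string-built queries, beside the parameterized
form that eliminates it. All tables, accounts and posts are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account, one public post, two drafts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse-battery')")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, draft INTEGER)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                     [(1, "public post", 0), (2, "unpublished draft", 1),
                      (3, "another draft", 1)])
    return conn


# --- the vulnerable pattern: user input is pasted into the SQL text ---

def login_vulnerable(conn, username: str, password: str) -> bool:
    sql = ("SELECT COUNT(*) FROM admins WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def visible_titles_vulnerable(conn, postid: str) -> list:
    # Numeric context: no quotes around the value, so the payload needs none either.
    sql = "SELECT title FROM posts WHERE draft = 0 AND id = %s" % postid
    return [row[0] for row in conn.execute(sql)]


# --- the hardened pattern: bound parameters never become SQL text ---

def login_parameterized(conn, username: str, password: str) -> bool:
    sql = "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def visible_titles_parameterized(conn, postid: str) -> list:
    # Type-check first: an id that is not an integer is rejected before any query runs.
    sql = "SELECT title FROM posts WHERE draft = 0 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(postid),))]


PASS_BYPASS = "' OR '1'='1"   # closes the quoted literal, appends a tautology
ID_BYPASS = "1 OR 1=1"        # same idea for the unquoted numeric context


def demo() -> dict:
    conn = make_db()
    try:
        visible_titles_parameterized(conn, ID_BYPASS)
        numeric_rejected = False
    except ValueError:
        numeric_rejected = True
    return {
        "vuln_login_bypass": login_vulnerable(conn, "admin", PASS_BYPASS),
        "safe_login_bypass": login_parameterized(conn, "admin", PASS_BYPASS),
        "safe_login_correct": login_parameterized(conn, "admin", "correct-horse-battery"),
        "vuln_numeric_rows": len(visible_titles_vulnerable(conn, ID_BYPASS)),
        "safe_numeric_rows": len(visible_titles_parameterized(conn, "2")),
        "safe_numeric_rejected": numeric_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The numeric case is the one most often missed: escaping quotes does nothing for `WHERE id = 1 OR 1=1`, so the draft rows leak, while the parameterized version both binds the value and refuses input that is not an integer.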

***************************** Sponsored Links: **************************

1) FREE Case Study/White Paper - SIEM Log Management Capability and Capacity at EDS: http://www.sans.org/info.php?id=1097

2) Internet Storm Center Threat Update: "What you need to know about 5 new Microsoft Patches" and "Advanced Web Application Hacking" Wednesday, April 12 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info.php?id=1098

3) Address HIPAA Security Awareness Specifications with Security 351 from SANS OnDemand - For a Limited Time Save 30%! http://www.sans.org/info.php?id=1099

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) MODERATE: ClamAV Multiple Buffer Overflows
  • Affected:
    • ClamAV versions prior to 0.88.1
  • Description: ClamAV is open-source antivirus software designed mainly for scanning email on UNIX mail gateways. The software includes a virus scanning library, libClamAV, which is used by many third-party email, web and FTP scanners as well as mail clients. The library contains an integer overflow that can be triggered by a specially crafted Windows executable (PE format) if the "ArchiveMaxFileSize" option is disabled (not the default configuration). An attacker can deliver the malicious file via email, web, FTP or a file share and exploit the overflow to execute arbitrary code on the system running the ClamAV library. A proof-of-concept Windows executable has been posted. The library also contains a format string vulnerability in its logging function, for which only limited technical details are available.

  • Status: Vendor confirmed, upgrade to ClamAV version 0.88.1.

  • Council Site Actions: Only one council site was affected by this issue. They have a few installations of this software, primarily on Debian GNU/Linux systems that are relied upon by relatively small numbers of users. Those systems will obtain the DSA-1024-1 update, or already have done so.

  • References:
Other Software
  • (3) HIGH: Barracuda Spam Firewall Multiple Buffer Overflows
  • Affected:
    • Barracuda Spam Firewall Appliance with firmware version prior to 3.3.03.022 and spamdef version prior to 3.0.9388
  • Description: Barracuda Spam Firewall appliance is designed to protect e-mail servers from viruses, spam, spyware etc. The mail filtering software contains stack-based buffer overflows that can be triggered by specially crafted e-mail attachments. Specifically ZOO and LHA archives with overlong filenames in the archive trigger these overflows that can be exploited to execute arbitrary code on the appliance. Pirana, a tool to test e-mail content filtering solutions, can be used to exploit these overflows. The posted advisory shows how to use the Pirana tool to get a remote shell access to the appliance.

  • Status: Barracuda released a critical spamdef patch version 3.0.9388 on March 3, 2006 to mitigate the issue. It is advised to upgrade to firmware version 3.3.03.022.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
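A gateway in front of the appliance can refuse the malformed input before the vulnerable parser sees it. The following is an added example, not code from this newsletter, from Barracuda or from the Pirana tool: it parses the level-0 or level-1 header of an LHA attachment (the public LHA header layout) and rejects archives whose stored filename exceeds a policy limit, the condition described above. The sample archives and the 128-byte limit are constructed for the demonstration; ZOO archives are not parsed.

```python
"""Added example, not code from the newsletter, Barracuda or Pirana: a
mail-gateway pre-filter for LHA attachments with overlong stored filenames.
The sample archives and the policy limit are constructed for this demo."""
import struct

LHA_METHODS = {b"-lh0-", b"-lh1-", b"-lh4-", b"-lh5-", b"-lh6-", b"-lh7-",
               b"-lzs-", b"-lz4-", b"-lz5-"}
MAX_NAME_LEN = 128   # hypothetical site policy; tune to what your extractor buffers


def build_lha_level0(filename: bytes, data: bytes = b"") -> bytes:
    """Construct a minimal stored ('-lh0-') level-0 archive as test input.
    Level-0 layout: [size][checksum] method(5) packed(4) orig(4) dostime(4)
    attr(1) level(1) namelen(1) name crc16(2), followed by the member data."""
    body = (b"-lh0-" + struct.pack("<II", len(data), len(data)) + b"\x00" * 4
            + b"\x20" + b"\x00" + bytes([len(filename) & 0xFF]) + filename + b"\x00\x00")
    # Size and name-length fields are single bytes: a writer can emit a name
    # far longer than a fixed-size name buffer on the reader side.
    return bytes([len(body) & 0xFF, sum(body) & 0xFF]) + body + data


def parse_lha_header(blob: bytes) -> dict:
    """Return the fields a filter needs, or raise ValueError for malformed input."""
    if len(blob) < 22 or blob[2:7] not in LHA_METHODS:
        raise ValueError("no LHA header")
    level = blob[20]
    if level not in (0, 1):
        # Level 2/3 headers carry the filename in extension headers; out of scope.
        raise ValueError("header level %d not handled" % level)
    name_len = blob[21]
    name = blob[22:22 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated filename field")
    return {"method": blob[2:7].decode("ascii"), "level": level,
            "packed_size": struct.unpack_from("<I", blob, 7)[0],
            "name_len": name_len, "name": name}


def attachment_verdict(blob: bytes, limit: int = MAX_NAME_LEN) -> str:
    """'not-lha' passes the blob on to other filters; anything else is a decision."""
    if len(blob) < 7 or blob[2:7] not in LHA_METHODS:
        return "not-lha"
    try:
        hdr = parse_lha_header(blob)
    except ValueError as exc:
        return "reject: " + str(exc)
    if hdr["name_len"] > limit:
        return "reject: filename length %d exceeds %d" % (hdr["name_len"], limit)
    return "accept"


def demo() -> dict:
    benign = build_lha_level0(b"report.txt", b"quarterly numbers")
    hostile = build_lha_level0(b"A" * 250)   # overlong name, the advisory's trigger
    return {"benign": attachment_verdict(benign),
            "hostile": attachment_verdict(hostile),
            "hostile_name_len": parse_lha_header(hostile)["name_len"],
            "other": attachment_verdict(b"PK\x03\x04" + b"\x00" * 26)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting on a header field rather than on the attachment's extension matters here, because the vulnerable code path is selected by the archive signature, not by the name the sender gave the file.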
  • (4) HIGH: McAfee WebShield Format String Vulnerability
  • Affected:
    • WebShield SMTP version 4.5 MR1a
  • Description: McAfee WebShield SMTP is Windows-based software that scans email for malicious attachments. The software contains a format string vulnerability that is triggered when it processes an email addressed to a non-existent domain. An unauthenticated attacker can exploit this flaw by sending an email to a non-existent domain with an address containing format specifiers (such as %s), and execute arbitrary code on the WebShield server with SYSTEM privileges.

  • Status: McAfee released patch P0803 for version 4.5 MR1a three years ago. Version 4.5 MR2 contains a fix for this issue.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) MODERATE: Ultr@VNC Client and Server Buffer Overflows
  • Affected:
    • Ultr@VNC version 1.0.1 and prior
  • Description: Ultr@VNC is an open-source VNC client and server suite that allows remote access to Windows-based systems. The VNC server contains a buffer overflow in its logging function that can be triggered by sending an overlong HTTP request (over 1024 bytes) to port 5800/tcp. If the "Log debug infos to the WinVNC.log file" option is enabled on the VNC server, the flaw can be exploited to execute arbitrary code. The client also contains a buffer overflow that can be triggered by a server response greater than 1024 bytes. The client overflow is harder to exploit, as the user must be tricked into connecting to a malicious VNC server. Proof-of-concept exploits for both flaws have been publicly posted.

  • Status: Vendor not confirmed, no patch available. Block HTTP requests over 1024 bytes to port 5800/tcp if running an UltraVNC server.

  • Council Site Actions: Only one of the reporting council sites is using the affected software. They have only a few installations. In addition, they feel that the conditions for exploitation would be difficult to achieve given the details of the deployment, and have classified this as a low risk.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 14, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4964 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.14.1 - CVE: CVE-2006-1626
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Address Bar Spoofing
  • Description: Internet Explorer is prone to an address bar spoofing vulnerability. The problem occurs during a race condition between the loading of web content and a Macromedia Flash application. Microsoft Internet Explorer versions 6.0, 7.0 beta1 and 7.0 beta 2 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17404

  • 06.14.2 - CVE: CVE-2006-0559
  • Platform: Third Party Windows Apps
  • Title: McAfee WebShield SMTP Remote Format String
  • Description: McAfee WebShield SMTP is an application designed to parse and scan incoming email for malicious content. It is vulnerable to a remote format string issue due to insufficient sanitization of user-supplied input before including it in a format specifier argument to a formatted printing function. McAfee WebShield versions 4.5 MR2 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/1219

  • 06.14.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: KGB Archiver Hostile Destination Path
  • Description: KGB Archiver is a file compression/decompression application. It contains a vulnerability in the handling of pathnames in archived files. By specifying a path for an archived item that points outside the expected destination directory, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem. KGB Archiver versions 1.1.5.21 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17363
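The "hostile destination path" class of bug is independent of the archive format: any extractor that joins a member name onto the destination directory without checking where the result lands will write wherever the archive author chose. The following is an added example, not code from this newsletter or from KGB Archiver: it builds a ZIP archive with "../" and absolute member names, then extracts it with a containment check that rejects those members. The archive and file names are constructed for the demonstration.

```python
"""Added example, not code from the newsletter or from KGB Archiver: a ZIP
archive carrying escaping member names, and an extractor that resolves every
member against the destination before writing. Archive contents are constructed."""
import io
import os
import tempfile
import zipfile


def build_hostile_zip() -> bytes:
    """Constructed archive: one honest member and two that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content")
        zf.writestr("../../escaped.txt", "would land two directories above dest")
        zf.writestr("/etc/evil", "absolute path, ignores dest entirely")
    return buf.getvalue()


def resolve_member(dest: str, name: str) -> str:
    """Map a member name to the real path it would be written to. Backslashes are
    treated as separators so a Windows-style '..\\' cannot slip past the check."""
    return os.path.realpath(os.path.join(dest, name.replace("\\", "/")))


def is_contained(dest: str, target: str) -> bool:
    dest = os.path.realpath(dest)
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(zip_bytes: bytes, dest: str) -> tuple:
    """Write only members that resolve inside dest; return (written, rejected)."""
    dest = os.path.realpath(dest)
    os.makedirs(dest, exist_ok=True)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_member(dest, info.filename)
            if not is_contained(dest, target):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo() -> dict:
    dest = tempfile.mkdtemp(prefix="unzip-demo-")
    written, rejected = safe_extract(build_hostile_zip(), dest)
    return {
        "written": written,
        "rejected": sorted(rejected),
        "readme_present": os.path.isfile(os.path.join(dest, "readme.txt")),
        "escape_present": os.path.isfile(os.path.join(dest, "..", "..", "escaped.txt")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Python's own `ZipFile.extract` has stripped such components for years; the check is written out explicitly here because the bug in KGB Archiver, like most of its kind, lives in an extractor that does its own path joining.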

  • 06.14.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AN HTTPD Source Disclosure
  • Description: AN HTTPD is a web server. A problem with AN HTTPD in validating the filename extension may result in the disclosure of the source code of script files. This may allow an attacker to gain unauthorized access to sensitive information, potentially aiding them in further attacks. AN HTTPD version 1.42n is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17350

  • 06.14.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SynchronEyes Multiple Remote Denial of Service Vulnerabilities
  • Description: SynchronEyes is a classroom management application. It is vulnerable to multiple remote denial of service vulnerabilities due to insufficient handling of oversized or malicious UDP traffic. SMART Technologies SynchronEyes version 6.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/429843

  • 06.14.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: GlobalSCAPE Secure FTP Server Remote Denial of Service
  • Description: GlobalSCAPE Secure FTP Server is an FTP server application for Microsoft Windows. It is susceptible to a remote denial of service vulnerability. Long parameter lines to a custom command will cause the server to crash. Versions of Secure FTP Server prior to 3.1.4 Build 01.10.2006 are affected by this issue.
  • Ref: http://www.globalscape.com/gsftps/history.asp

  • 06.14.7 - CVE: CVE-2006-0401
  • Platform: Mac Os
  • Title: Apple Mac OS X Intel-Based Local Authentication Bypass
  • Description: Mac OS X running on Intel-based Macintosh computers is prone to an authentication bypass vulnerability. This issue is due to a failure in the firmware to properly authenticate a user with physical access to a vulnerable Intel-based Macintosh computer. A local attacker can exploit this issue to bypass the firmware password and gain access to Single User Mode.
  • Ref: http://docs.info.apple.com/article.html?artnum=303567

  • 06.14.8 - CVE: Not Available
  • Platform: Linux
  • Title: Util-VServer SUEXEC Privilege Escalation Weakness
  • Description: The Util-VServer package is an administrative utility for the Linux-VServer package. It is vulnerable to a privilege escalation weakness due to a flaw in the "suexec" option in the "vcontext.c" source file. VServer util-vserver versions 0.30.210 and earlier are vulnerable.
  • Ref: https://savannah.nongnu.org/bugs/?func=detailitem&item_id=15996

  • 06.14.9 - CVE: CVE-2006-1055
  • Platform: Linux
  • Title: Linux Kernel SYSFS PAGE_SIZE Local Denial of Service
  • Description: The Linux kernel is vulnerable to a local denial of service issue due to crafted data written to a SYSFS file. Linux kernel versions 2.6.12 to 2.6.17-rc1 are vulnerable.
  • Ref: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6e0dd741a89be35defa05bd79f4211c5a2762825

  • 06.14.10 - CVE: CVE-2006-1060
  • Platform: Linux
  • Title: XZGV Image Viewer JPEG File Remote Heap Buffer Overflow
  • Description: XZGV is an X Window version of a command-line image viewer. It is vulnerable to a remote heap overflow issue due to failing to handle a crafted JPEG image in the CMYK/YCCK color space. XZGV versions 0.8 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17409

  • 06.14.11 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX SU Local Unauthorized Access
  • Description: HP-UX su(1) is prone to a local unauthorized-access issue which is only exploitable when the LDAP netgroup feature is enabled. HP-UX version B.11.11 is affected.
  • Ref: http://www.securityfocus.com/bid/17400

  • 06.14.12 - CVE: Not Available
  • Platform: Unix
  • Title: mpg123 Malformed MP3 File Memory Corruption
  • Description: mpg123 is a media player application. It is affected by a memory corruption issue related to the handling of MP3 streams when the player loads MP3 files with malformed header data. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17365

  • 06.14.13 - CVE: CVE-2006-1618
  • Platform: Unix
  • Title: Doomsday Multiple Remote Format String Vulnerabilities
  • Description: Doomsday is an open source port of the original Doom engine. It is prone to multiple remote format string vulnerabilities. An attacker can exploit these issues to execute arbitrary code in the context of the vulnerable application or crash the affected game server, effectively denying service to legitimate users.
  • Ref: http://aluigi.altervista.org/adv/doomsdayfs-adv.txt

  • 06.14.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xine-Lib Malformed MPEG Stream Buffer Overflow
  • Description: Xine-lib is a C library that may be used to develop third party multimedia applications. It is susceptible to a buffer overflow vulnerability that is triggered when malformed MPEG stream data is handled by the affected library. Xine-lib version 1.1.1 is reportedly affected.
  • Ref: http://www.securityfocus.com/bid/17370


  • 06.14.16 - CVE: CVE-2006-0051
  • Platform: Cross Platform
  • Title: Kaffeine Remote HTTP_Peek Buffer Overflow
  • Description: Kaffeine is a Linux-based media player. It is affected by a remote buffer overflow vulnerability due to insufficient boundary checks performed on user-supplied strings prior to copying them into finite stack-based buffers. Kaffeine Player versions 0.4.2 through 0.7.1 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17372

  • 06.14.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Eset Software NOD32 Antivirus Local Arbitrary File Creation
  • Description: Eset Software's NOD32 Antivirus System is vulnerable to a local arbitrary file creation issue due to failing to drop SYSTEM privileges when performing operations on behalf of a local user. Eset Software's NOD32 Antivirus System versions 2.5 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/429892

  • 06.14.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: UltraVNC Multiple Remote Error Logging Buffer Overflow Vulnerabilities
  • Description: UltraVNC is a client/server remote access suite that allows remote users to access desktops as though they were local users. It is affected by multiple error logging and remote buffer overflow issues due to its failure to properly bounds-check user-supplied input prior to copying it into insufficiently sized memory buffers. UltraVNC version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/17378

  • 06.14.19 - CVE: CVE-2006-1614, CVE-2006-1615, CVE-2006-1630
  • Platform: Cross Platform
  • Title: Clam Anti-Virus ClamAV Multiple Vulnerabilities
  • Description: ClamAV is an antivirus application. It is vulnerable to numerous buffer overflow and denial of service issues. See reference for further details. ClamAV versions 0.88 and earlier are vulnerable.
  • Ref: http://www.overflow.pl/adv/clamavupxinteger.txt

  • 06.14.20 - CVE: CVE-2006-1629
  • Platform: Cross Platform
  • Title: OpenVPN Client Remote Code Execution Vulnerability
  • Description: OpenVPN is an OpenSSL based tunneling application. It is vulnerable to a remote code execution issue due to a lack of proper sanitization of server supplied data. OpenVPN versions 2.0.0 through 2.0.5 are vulnerable.
  • Ref: http://openvpn.net/changelog.html

  • 06.14.21 - CVE: CVE-2006-1555
  • Platform: Cross Platform
  • Title: Tachyondecay VSNS Lemon Authentication Bypass
  • Description: Tachyondecay VSNS Lemon is a news management script. It is vulnerable to an authentication bypass issue because it fails to properly validate cookie data. Tachyondecay VSNS Lemon version 3.2 is vulnerable.
  • Ref: http://evuln.com/vulns/106/description.html
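An application that "fails to properly validate cookie data" is typically one that reads the user name or privilege level straight out of a cookie the client controls. The following is an added example, not code from this newsletter or from VSNS Lemon: it shows that trusting pattern beside an HMAC-signed, expiring cookie that the client can neither forge nor edit. The cookie layout, the secret key and the account names are constructed for the demonstration.

```python
"""Added example, not code from the newsletter or from VSNS Lemon: a cookie
whose own fields decide who you are, beside an HMAC-signed cookie. The cookie
layout, server secret and accounts are constructed for this demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-replace-with-random-bytes"


# --- the vulnerable pattern: the client tells the server who it is ---

def identity_from_trusting_cookie(cookie: str) -> dict:
    """Reads 'user=...; level=...' and believes it; anyone can write level=10."""
    fields = dict(part.strip().split("=", 1) for part in cookie.split(";") if "=" in part)
    return {"user": fields.get("user", ""), "is_admin": fields.get("level") == "10"}


# --- the hardened pattern: server-signed claims with an expiry ---

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_signed_cookie(user: str, level: int, ttl: int = 3600,
                        now: Optional[int] = None) -> str:
    exp = int(now if now is not None else time.time()) + ttl
    claims = json.dumps({"user": user, "level": level, "exp": exp}, separators=(",", ":"))
    body = _b64(claims.encode("utf-8"))
    tag = hmac.new(SERVER_SECRET, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + "." + tag


def identity_from_signed_cookie(cookie: str, now: Optional[int] = None) -> Optional[dict]:
    """None means 'treat as logged out': bad tag, edited body or expiry all end here."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):        # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("exp", 0) < int(now if now is not None else time.time()):
        return None
    return {"user": claims.get("user", ""), "is_admin": claims.get("level") == 10}


def demo() -> dict:
    now = 1_700_000_000                      # fixed clock so the demo is repeatable
    forged = "user=admin; level=10"          # what an attacker types into a cookie editor
    legit = issue_signed_cookie("alice", 1, now=now)
    # Edit the signed body to claim level 10 while keeping the original tag.
    _, tag = legit.split(".")
    edited_claims = json.dumps({"user": "alice", "level": 10, "exp": now + 3600},
                               separators=(",", ":"))
    edited = _b64(edited_claims.encode("utf-8")) + "." + tag
    return {
        "trusting_accepts_forgery": identity_from_trusting_cookie(forged)["is_admin"],
        "signed_rejects_forgery": identity_from_signed_cookie(forged, now=now) is None,
        "signed_rejects_edit": identity_from_signed_cookie(edited, now=now) is None,
        "signed_accepts_legit": identity_from_signed_cookie(legit, now=now)["user"],
        "signed_rejects_expired": identity_from_signed_cookie(legit, now=now + 7200) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Signing makes client-held claims tamper-evident, not secret; if the claims themselves are sensitive, or if you need to revoke a login before it expires, keep an opaque random session id in the cookie and the claims on the server.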

  • 06.14.22 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP PHPInfo Large Input Cross-Site Scripting
  • Description: PHP is a freely available, open-source web scripting language package. It is available for Microsoft Windows, Linux, and UNIX operating systems. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to scripts containing the "phpinfo()" function.
  • Ref: http://www.securityfocus.com/bid/17362/references

  • 06.14.23 - CVE: CVE-2006-1567
  • Platform: Web Application - Cross Site Scripting
  • Title: SiteSearch Indexer Searchresults.ASP Cross-Site Scripting
  • Description: SiteSearch Indexer is a website indexing application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "searchField" parameter of the "searchresults.asp" script. SiteSearch Indexer version 3.5 is vulnerable.
  • Ref: http://pridels.blogspot.com/2006/03/sitesearch-indexer-35-xss-vuln.html

  • 06.14.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Hitachi Groupmax Cross-Site Scripting
  • Description: Hitachi Groupmax World Wide Web is prone to a cross-site scripting issue which occurs due to a failure in the application to properly sanitize user-supplied input prior to utilizing it in dynamically generated HTML content. Hitachi Groupmax version 06-52-/F has been released to address this issue.
  • Ref: http://www.securityfocus.com/bid/17337

  • 06.14.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Claroline RQMKHTML.PHP Cross-Site Scripting
  • Description: Claroline is an online collaborative learning application. Insufficient sanitization of the "file" parameter in the "rqmkhtml.php" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17344

  • 06.14.26 - CVE: CVE-2006-1582
  • Platform: Web Application - Cross Site Scripting
  • Title: Blank'N'Berg Cross-Site Scripting
  • Description: Blank'N'Berg is a web application used to create web sites. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "_path" parameter of the "index.php" script. Blank'N'Berg version 0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17346/info

  • 06.14.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Bugzero Multiple Cross-Site Scripting Vulnerabilities
  • Description: Bugzero is bug-tracking software implemented in Java. Insufficient sanitization of the "msg" parameter of the "query.jsp" script and the "entryId" parameter of the "edit.jsp" script exposes the application to multiple cross-site scripting issues.
  • Ref: http://www.securityfocus.com/bid/17351

  • 06.14.28 - CVE: CVE-2006-1603
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPBB Profile.PHP Cross-Site Scripting
  • Description: PHPBB is a web-based bulletin board application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "cur_password" parameter of "profile.php" script. PHPBB version 2.0.19 is vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/1191

  • 06.14.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ReloadCMS User-Agent Cross-Site Scripting
  • Description: ReloadCMS is a web content management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input in the "User-Agent" HTTP header before storing it for use in site statistics. ReloadCMS version 1.2.5 is vulnerable.
  • Ref: http://sourceforge.net/tracker/?atid=679602&group_id=117921&func=browse

  • 06.14.30 - CVE: CVE-2006-1427
  • Platform: Web Application - Cross Site Scripting
  • Title: WebAPP Multiple Cross-Site Scripting Vulnerabilities
  • Description: WebAPP is a web portal application. It is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. WebAPP versions 0.9.9.3.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17359/exploit

  • 06.14.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: LucidCMS Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: LucidCMS is a content management application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "login" and "panel" parameters of the "index.php" script. LucidCMS version 2.0.0 RC4 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/429744

  • 06.14.32 - CVE: CVE-2006-1438
  • Platform: Web Application - Cross Site Scripting
  • Title: Andy's PHP Knowledgebase Multiple Cross-Site Scripting Vulnerabilities
  • Description: Andy's PHP Knowledgebase (aphpkb) is a web-based knowledgebase application. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to various scripts. Andy's PHP Knowledgebase version 0.57 is affected.
  • Ref: http://www.securityfocus.com/bid/17377

  • 06.14.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SKForum Multiple Cross-Site Scripting Vulnerabilities
  • Description: SKForum is a web-based J2EE forum application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "areaID", "time", and "userID" parameters. SKForum versions 1.4.1 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2006/04/skforum-xss-vuln.html

  • 06.14.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpMyAdmin is a freely available tool that provides a web interface for handling MySQL administrative tasks, such as creating databases and tables. It is prone to multiple cross-site scripting vulnerabilities due to improper sanitization of user-supplied input to multiple unspecified scripts in the "themes" directory.
  • Ref: http://www.securityfocus.com/bid/17390

  • 06.14.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: GNU Mailman Private Archive Script Cross-Site Scripting
  • Description: GNU Mailman is an application that manages electronic mail discussions and e-newsletter lists. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the private archive script. GNU Mailman versions 2.1.7 and earlier are vulnerable.
  • Ref: http://mail.python.org/pipermail/mailman-announce/2006-April/000084.html

  • 06.14.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Jupiter CMS Index.PHP Cross-Site Scripting
  • Description: Jupiter CMS is a web-based content management system implemented in PHP. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "layout" parameter of "index.php". Jupiter CMS version 1.1.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17405/exploit

  • 06.14.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: vBulletin Vbugs.PHP Cross-Site Scripting
  • Description: vBulletin is a bulletin board application written in PHP. It is prone to a cross-site scripting vulnerability. Version 3.5.1 is vulnerable.
  • Ref: http://pridels.blogspot.com/2006/04/vbug-tracker-for-vbulletin-35x-xss.html

  • 06.14.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Bitweaver CMS Login.PHP Cross-Site Scripting
  • Description: Bitweaver CMS is a web-based content management system. Insufficient sanitization of the "error" parameter in the "login.php" script exposes the application to a cross-site scripting issue.
  • Ref: http://www.securityfocus.com/bid/17406

  • 06.14.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Cherokee Webserver Cross-Site Scripting
  • Description: Cherokee Webserver is a web server application. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input. Cherokee Webserver versions 0.5.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17408/exploit

  • 06.14.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SaPHPLesson Search.PHP Cross-Site Scripting
  • Description: SaphpLesson is a web-based tutoring application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "search" parameter of the "search.php" script. SaphpLesson version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17414

  • 06.14.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DbbS Topics.PHP SQL Injection
  • Description: DbbS is a bulletin-board application. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input before using it in an SQL query. Specifically, the application fails to sanitize data passed through the "limite" parameter of the "topics.php" script. DbbS versions 2.0-alpha and prior are reported to be affected.
  • Ref: http://www.securityfocus.com/bid/17338/exploit

  • 06.14.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Softbiz Image Gallery Multiple SQL Injection Vulnerabilities
  • Description: Softbiz Image Gallery is an image gallery application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to scripts such as image_desc.php, template.php, suggest_image.php, insert_rating.php and images.php. All versions of Softbiz Image Gallery are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/429763

  • 06.14.43 - CVE: CVE-2006-1586
  • Platform: Web Application - SQL Injection
  • Title: ISP Site Man Admin_Login.ASP SQL Injection
  • Description: Site Man is a web-based content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "pass" field of the "admin_login.asp" script. All versions of Site Man are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/429607

  • 06.14.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TuxBank ManageAccount.PHP SQL Injection
  • Description: TuxBank is a web-based application for organizing personal bank accounts. TuxBank is prone to an SQL injection vulnerability. TuxBank versions 0.8 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17376

  • 06.14.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Crafty Syntax Image Gallery Slides.PHP SQL Injection
  • Description: Crafty Syntax Image Gallery is a web-based thumbnail image gallery. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "limitquery_s" parameter of the "slides.php" script. Crafty Syntax Image Gallery version 3.1g is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17379/exploit

  • 06.14.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: wpBlog Index.PHP SQL Injection
  • Description: wpBlog is a web log application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "postid" parameter of the "index.php" script. wpBlog version 0.4 is vulnerable.
  • Ref: http://evuln.com/vulns/119/summary.html

  • 06.14.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHPMyChat MessagesL.PHP3 SQL Injection
  • Description: PHPMyChat is a web chat application implemented in PHP. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "T" parameter of the "messagesL.php3" script. phpMyChat versions 0.14.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17382/exploit

  • 06.14.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MD News Admin.PHP SQL Injection
  • Description: MD News is a web-based news reader application. Insufficient sanitization of the "id" parameter in the "admin.php" script exposes the application to an SQL injection issue.
  • Ref: http://www.securityfocus.com/bid/17394

  • 06.14.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MAXDEV CMS PNuserapi.PHP SQL Injection
  • Description: MAXDEV CMS is a content management application. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "topicid" parameter of the "pnuserapi.php" script. MAXdev MD-Pro versions 1.0.72 and 1.0.73 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17399

  • 06.14.50 - CVE: CVE-2006-1479
  • Platform: Web Application
  • Title: gtd-php Multiple Input Validation Vulnerabilities
  • Description: gtd-php is a personal productivity application. It is prone to multiple input validation vulnerabilities; an attacker can exploit these issues to execute arbitrary HTML and script code in the browser of a victim user in the context of the affected website. gtd-php version 0.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17366

  • 06.14.51 - CVE: Not Available
  • Platform: Web Application
  • Title: HP Toolbox Directory Traversal
  • Description: The HP Toolbox is an administrator software application for printers. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input. HP Color LaserJet models 2500 and 4600 that ship with Toolbox are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/429984

  • 06.14.52 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard Email BBCode Tag HTML Injection
  • Description: MyBulletinBoard is a bulletin board application implemented in PHP. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input before using it in dynamically generated content. Specifically, user-supplied input to "email" BBCode tags is not properly sanitized. MyBulletinBoard version 1.10 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17368

  • 06.14.53 - CVE: Not Available
  • Platform: Web Application
  • Title: AngelineCMS Loadkernel.PHP Remote File Include
  • Description: AngelineCMS is a content management application written in PHP. It is affected by a remote file include issue due to improper sanitization of user-supplied input to the "installPath" variable of the "loadkernel.php" script. AngelineCMS version 0.8.1 is affected.
  • Ref: http://www.securityfocus.com/bid/17371

  • 06.14.54 - CVE: CVE-2006-1599
  • Platform: Web Application
  • Title: V-creator Remote Shell Code Execution
  • Description: V-creator is a web application framework. It is vulnerable to a remote shell code execution issue due to insufficient sanitization of user-supplied input to the "encrypt()" and "decrypt()" functions of the "VCEngine.php" script. V-creator versions 1.3-pre2 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/1189

  • 06.14.55 - CVE: Not Available
  • Platform: Web Application
  • Title: QLnews Multiple Input Validation Vulnerabilities
  • Description: QLnews is a web application implemented in PHP. It is prone to multiple input validation vulnerabilities due to improper sanitization of user-supplied input. QLnews version 1.2 is vulnerable to these issues.
  • Ref: http://www.securityfocus.com/bid/17335

  • 06.14.56 - CVE: CVE-2006-1584
  • Platform: Web Application
  • Title: Warcraft III Replay Parser for PHP Index.PHP Remote File Include
  • Description: Warcraft III Replay Parser for PHP is a web-based application that is used to parse Warcraft III Replay (.w3g) files. It is prone to a remote file include vulnerability due to improper sanitization of user-supplied input to the "page" variable of "index.php". Warcraft III Replay Parser for PHP 1.8c is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/429535

  • 06.14.57 - CVE: Not Available
  • Platform: Web Application
  • Title: RedCMS Multiple Input Validation Vulnerabilities
  • Description: RedCMS is a content management application. It is prone to multiple input validation vulnerabilities due to insufficient sanitization of user-supplied input to various scripts. RedCMS version 0.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17336

  • 06.14.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Claroline ScormExport.inc.PHP File Include
  • Description: Claroline is a collaborative learning application written in PHP. It is affected by a remote file include vulnerability due to insufficient sanitization of user input to the "includePath" parameter in the "claroline/learnPath/include/scormExport.inc.php" script. Claroline versions 1.7.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17341/exploit

  • 06.14.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Claroline Rqmkhtml.PHP Information Disclosure
  • Description: Claroline is an online collaborative learning application. It is prone to an information disclosure vulnerability due to insufficient sanitization of user-supplied input to the "file" parameter of the "rqmkhtml.php" script. Claroline versions 1.7.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17343

  • 06.14.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Blank'N'Berg Directory Traversal
  • Description: Blank'N'Berg is a web application used to create web sites. It is prone to a directory traversal vulnerability due to improper sanitization of user-supplied input to the "_path" parameter of the "index.php" script. Blank'N'Berg version 0.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/17345/exploit

  • 06.14.61 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPSelect Submit-A-Link HTML Injection
  • Description: Submit-A-Link is a web-based application used to add links to a site. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input before using it in dynamically generated content. Specifically, user-supplied input to the "description" field of "linklist.php" is not properly sanitized. All versions of Submit-A-Link are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/17348/exploit

  • 06.14.62 - CVE: Not Available
  • Platform: Web Application
  • Title: aWebBB Multiple Input Validation Vulnerabilities
  • Description: aWebBB is a web-based bulletin board application. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. The issues include multiple cross-site scripting vulnerabilities and multiple SQL injection vulnerabilities. aWebBB version 1.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17352/references

  • 06.14.63 - CVE: CVE-2006-1505
  • Platform: Web Application
  • Title: Basic Analysis and Security Engine Base_maintenance.PHP Authentication Bypass
  • Description: BASE is a web interface to perform analysis of intrusions from the SNORT intrusion detection system. It is prone to an unspecified authentication bypass vulnerability. This issue exists in the "base_maintenance.php" script when running in standalone mode. BASE versions 1.2.4 and earlier are prone to this issue.
  • Ref: http://www.securityfocus.com/bid/17354

  • 06.14.64 - CVE: CVE-2006-1602
  • Platform: Web Application
  • Title: PHPNuke-Clan Functions_Common.PHP Remote File Include
  • Description: PHPNuke-Clan is a web-based clan Content Management System (CMS) based on PHPNuke. PHPNuke-Clan is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "vwar_root" variable of "modules/vWar_Account/includes/functions_common.php". This issue affects version 3.0.1.
  • Ref: http://www.securityfocus.com/bid/17356

  • 06.14.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Exponent CMS Banner Module Arbitrary Script Execution
  • Description: Exponent CMS is a content management application written in PHP. It is prone to an arbitrary script execution vulnerability due to insufficient sanitization of user-supplied input to the banner and image upload portion. Exponent CMS versions prior to 0.96.5 RC 1 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/17357

  • 06.14.66 - CVE: Not Available
  • Platform: Web Application
  • Title: VWar Get_header.PHP Remote File Include
  • Description: VWar is a team organizer application written in PHP. Insufficient sanitization of the "vwar_root" variable of the "get_header.php" script exposes the application to a remote file include issue. VWar versions 1.5.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17358

  • 06.14.67 - CVE: Not Available
  • Platform: Web Application
  • Title: ArabPortal Multiple Input Validation Vulnerabilities
  • Description: ArabPortal is a web-portal application implemented in PHP. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. The issues include multiple cross-site scripting vulnerabilities and an SQL injection vulnerability. Arab Portal version 2.0.1-stable is affected.
  • Ref: http://www.securityfocus.com/bid/17375/exploit

  • 06.14.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Czaries Network CzarNews Multiple Input Validation Vulnerabilities
  • Description: CzarNews is web-based forum software. The application is vulnerable to multiple input validation issues such as SQL injection and cross-site scripting. These are due to insufficient sanitization of user-supplied input. CzarNews version 1.14 is vulnerable.
  • Ref: http://evuln.com/vulns/118/summary.html

  • 06.14.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Interact Multiple Remote Vulnerabilities
  • Description: Interact is a web application. It is affected by multiple SQL injection, cross-site scripting and user enumeration issues. Interact versions 2.1 and 2.1.1 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17385

  • 06.14.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Chucky A. Ivey's N.T. Index.PHP HTML Injection
  • Description: N.T. is a wiki application. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to the "username" parameter in the "index.php" script. Chucky A. Ivey's N.T. version 1.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17387/references

  • 06.14.71 - CVE: CVE-2006-1590
  • Platform: Web Application
  • Title: Basic Analysis and Security Engine PrintFreshPage Cross-Site Scripting
  • Description: BASE is a web interface to perform analysis of intrusions from the SNORT intrusion detection system. It is prone to a cross-site scripting vulnerability. This issue affects version 1.2.4.
  • Ref: http://sourceforge.net/mailarchive/forum.php?thread_id=10064470&forum_id=42223

  • 06.14.72 - CVE: CVE-2006-1434
  • Platform: Web Application
  • Title: Annuaire (Directory) HTML Injection
  • Description: Annuaire (Directory) is a web-based address book and directory application. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to the "COMMENTAIRE" parameter of the "inscription.php" script. Annuaire (Directory) version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17393

  • 06.14.73 - CVE: CVE-2006-1554
  • Platform: Web Application
  • Title: VSNS Lemon Add Comment HTML Injection Vulnerability
  • Description: VSNS Lemon is a wiki application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the "name" parameter on the "Add Comment" page of the application. Tachyondecay VSNS Lemon version 3.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17395

  • 06.14.74 - CVE: CVE-2006-1435
  • Platform: Web Application
  • Title: ARIA Multiple Cross-Site Scripting Vulnerabilities
  • Description: ARIA is an accounting application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to such parameters as the "message" parameter of the "genmessage.php" script. ARIA version 0.99-6 is vulnerable.
  • Ref: http://osvdb.org/ref/24/24255-aria.txt

  • 06.14.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Manic Web MWNewsletter Multiple Input Validation Vulnerabilities
  • Description: Manic Web MWNewsletter is a web-based newsletter application implemented in PHP. It is prone to multiple input validation vulnerabilities due to improper sanitization of user-supplied input. These vulnerabilities include SQL injection vulnerabilities and an HTML injection vulnerability.
  • Ref: http://www.securityfocus.com/bid/17412/references

  • 06.14.76 - CVE: CVE-2006-1631
  • Platform: Network Device
  • Title: Cisco 11500 Content Services Switch HTTP Compression Remote Denial of Service
  • Description: Cisco 11500 Content Services Switch is a load balancing device designed to provide scalable network services for datacenters. The device performs an analysis of protocol headers and directs requests to the appropriate resources based on policy configuration. A compression module enables the device to compress HTTP client traffic. Cisco 11500 Content Services Switch is prone to a remote denial of service vulnerability. This issue arises on devices that have been configured for HTTP compression when handling valid but obsolete or specially crafted HTTP requests.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060405-css.shtml

  • 06.14.77 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Optical Networking System and Transport Controller Multiple Vulnerabilities
  • Description: Cisco Optical Networking System (ONS) 15000 series is affected by multiple denial of service vulnerabilities. These issues affect Optical nodes that have the Common Control Cards connected to a Data Communications Network (DCN) and are enabled for IPv4. See reference for list of vulnerable systems.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060405-ons.shtml

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.