The most trusted source for computer security training, certification and research.

@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 15
April 17, 2006

SANS Newsletters Home

Windows vulnerabilities and patches dominate this week's report, but Novell and Firefox users also have work to do.

Before looking at this week's @RISK, please complete this brief survey and email it to top20@sans.org.

The SANS 2005 Top20 Internet Security Vulnerabilities was done differently than in previous years. (a) Cross platform and application product vulnerabilities and networking equipment vulnerabilities were added to the operating system vulnerabilities. (b) The vulnerabilities covered in the 2005 study spanned a year and half of vulnerability data instead of trying to cover all of history.

Q1. Do you think those changes added value or made the Top-20 less valuable?

Q2. We are discussing moving to semi-annual updates. What are the pros and cons, from your perspective of moving to semi-annual updates?

Q4. What other data in the Top-20 would make this list more helpful?

Please send the answers and any other comments or concerns you have to top20@sans.org.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Windows
    • 3 (#4)
    • Other Microsoft Products
    • 6 (#1, #3, #6)
    • Third Party Windows Apps
    • 1 (#11)
    • Linux
    • 3
    • BSD
    • 3
    • Solaris
    • 2
    • Unix
    • 1
    • Novell
    • 1 (#2)
    • Cross Platform
    • 10 (#5, #10)
    • Web Application - Cross Site Scripting
    • 19
    • Web Application - SQL Injection
    • 12 (#9)
    • Web Application
    • 22 (#7, #8)

******************* Sponsored By Blue Lane Technologies *****************

Instant patch protection for Oracle without touching the server!

The Blue Lane(tm) Technologies PatchPoint(tm) System provides the only patch alternative that can help you put an end to the patching cycle. Eliminate reactive server patching, preserve application availability, and reduce the risk in deploying patches to critical servers. End your patch headaches today. http://www.sans.org/info.php?id=1106

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
BSD
Solaris
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

************************ Sponsored Links ******************************** 1) "Expediting Patching with Nuclear Fuels" - Free Webcast tomorrow - a WhatWorks in Vulnerability Management webcast Tuesday, April 18 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info.php?id=1107

2) from the SANS WhatWorks Poster - Free Vendor White Papers on a wide range of security topics - http://www.sans.org/info.php?id=1108

3) SANS OnSite InfoSec Training Your Location! Your Schedule! Lower Cost! http://www.sans.org/info.php?id=1109 *************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Internet Explorer Cumulative Security Update (MS06-013)
  • Affected:
    • Internet Explorer versions 5.01 and 6.0

  • Description: Microsoft has released a cumulative security update for Internet Explorer that fixes multiple vulnerabilities as well as provides enhanced security checks for ActiveX controls. This update addresses the 0-day flaw in IE's "createTextRange" function that is being actively exploited. The update fixes the following 8 remote code execution vulnerabilities that can be exploited by a malicious webpage to execute arbitrary code on a user's system. (a) IE contains a memory corruption vulnerability when methods designed for certain HTML objects are applied to other HTML objects. (b) IE contains a memory corruption vulnerability that can be triggered by an HTML page containing a hundred or more of script action handlers such as "onclick", "onmouseover" etc. (c) IE's security checks and a user dialog box can be bypassed by a malicious HTML application. (d) IE contains a memory corruption vulnerability in handling specially crafted HTML code. (e) IE contains a memory corruption vulnerability in instantiating COM objects that were not originally designed to be used in that fashion. (f) IE contains a memory corruption vulnerability in handling a specially crafted tag in an HTML element. (g) IE contains a memory corruption vulnerability in handling specially crafted URLs with Double-Byte character sets. (h) IE contains a remote code execution vulnerability in handling dynamically created embedded objects. In addition to these remote code execution vulnerabilities, the patch also addresses an information disclosure and a spoofing vulnerability (reported last week). The patch sets the kill bit for the ActiveX controls included with Danim.dll and Dxtmsft.dll. The technical details for a number of these flaws have not been publicly posted yet.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS06-013 as soon as possible. Microsoft has already documented known issues after applying this update. Please refer to the following KB912812 http://support.microsoft.com/kb/912812 .

  • Council Site Actions: All reporting council sites are responding to this item. Some of the sites are updating their systems on an accelerated schedule, while others are using their normal update process. The desktop systems are on a longer update cycle due to the need for more extensive regression testing.

  • References:
  • (3) HIGH: Microsoft Data Access Components Remote Code Execution (MS06-014)
  • Affected:
    • Windows installations with:
    • Microsoft Data Access Components version 2.5 SP3, 2.7 SP1, 2.8 and 2.8 SP1
    • Windows XP/2003 (default configuration)

  • Description: Microsoft Data Access Components (MDAC) is a collection of functions that provide support for common database operations, such as connecting to remote databases and returning data to a client. The RDS.Dataspace ActiveX control, that ships as a part of MDAC, contains a remote code execution vulnerability. A malicious webpage or an HTML email invoking the ActiveX control with crafted parameters can compromise a user's system. The technical details required to leverage this flaw have not been publicly posted yet.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS06-014.

  • Council Site Actions: All reporting council sites are responding to this item. Some of the sites are updating their systems on an accelerated schedule, while others are using their normal update process. One site voiced some concerns that internal apps may be impacted since the patch addresses some ActiveX behavior. The desktop systems are on a longer update cycle due to the need for more extensive regression testing.

  • References:
  • (4) HIGH: Windows Explorer Remote Code Execution (MS06-015)
  • Affected:
    • Windows 2000/XP/2003

  • Description: The "desktop.ini", a hidden file when present in a Windows folder, instructs Windows Explorer how to display the folder's contents. A problem arises when the ".ShellClassInfo" section in a folder's desktop.ini file points to an executable program. This feature can be exploited to execute arbitrary code on a client system when an unsuspecting user opens such a specially crafted folder. There is also a second way to create a malicious folder that has not been publicly disclosed. To exploit the flaw, an attacker would have to create a malicious "shared" folder and entice a victim to open it via WebDAV or SMB. The attacker can include the folder's URI for e.g.\\attacker-ip\bad-folder(SMB) or http://attacker-ip/bad-folder(WebDAV), in a webpage or email it to a potential victim.

  • Status: Apply the patch contained in the Microsoft Security Bulletin MS06-015. Block the ports 139/tcp and 445/tcp as it will block some attack vectors.

  • Council Site Actions: All reporting council sites are responding to this item. Some of the sites are updating their systems on an accelerated schedule, while others are using their normal update process. The desktop systems are on a longer update cycle due to the need for more extensive regression testing.

  • References:
  • (6) MODERATE: Cumulative Security Update for Outlook Express (MS06-016)
  • Affected:
    • Windows 2000/XP/2003

  • Description: Microsoft has released a cumulative security update for Outlook Express that fixes a buffer overflow vulnerability. The flaw is triggered when Outlook Express tries to parse a specially crafted Windows Address Book (.wab) file. The overflow can be exploited to execute arbitrary code on a user's system. In order to exploit the overflow, an attacker has to host a webpage containing a malicious wab file or send it to the victims as an email attachment. Note that user interaction is required to open the wab file. The technical details required to craft a malicious wab file have not been posted yet.

  • Status: Apply the patch referenced in the Microsoft Security Bulletin MS06-016.

  • Council Site Actions: All reporting council sites are responding to this item. Some of the sites are updating their systems on an accelerated schedule, while others are using their normal update process. The desktop systems are on a longer update cycle due to the need for more extensive regression testing.

  • References:
Other Software
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 15, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4974 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 06.15.1 - CVE: CVE-2006-1186
  • Platform: Windows
  • Title: Microsoft Internet Explorer COM Object Instantiation Code Execution
  • Description: Microsoft Internet Explorer is prone to a memory corruption vulnerability that is related to the instantiation of COM objects. The vulnerability arises because of the way Internet Explorer attempts to instantiate certain COM objects as ActiveX controls. The COM objects may let remote attackers corrupt process memory and facilitate arbitrary code execution in the context of the currently logged in user on the affected computer.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
  • 06.15.2 - CVE: CVE-2006-0014
  • Platform: Windows
  • Title: Microsoft Outlook Express Windows Address Book File Parsing Buffer Overflow
  • Description: Microsoft Outlook Express is prone to a remote buffer overflow vulnerability. Specifically, this vulnerability presets itself when the application processes a specially crafted Windows Address Book (.wab) file.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS06-016.mspx
  • 06.15.3 - CVE: CVE-2006-0012
  • Platform: Windows
  • Title: Microsoft Windows Shell COM Object Remote Code Execution
  • Description: Microsoft Windows Shell is susceptible to a remote code execution vulnerability due to a flaw in its handling of remote COM objects. This issue is exploited by creating a website that forces Windows Explorer to initiate a connection to a remote file server. The remote file server then causes Windows Explorer to fail in an unspecified manner, and to then execute remotely-supplied executable machine code.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx
  • 06.15.4 - CVE: CVE-2006-1185
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Invalid HTML Parsing Code Execution
  • Description: Microsoft Internet Explorer is vulnerable to an unspecified invalid HTML parsing code execution which causes memory corruption. See Microsoft's advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms06-013.mspx
  • 06.15.5 - CVE: CVE-2006-1189
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Double Byte Character Memory Corruption
  • Description: Microsoft Internet Explorer is prone to a memory corruption vulnerability. This is related to an error in how double byte character set (DBCS) characters are handled in IP addresses from rendered HTML content. This could let an attacker corrupt sensitive variables in memory with attacker specified data. In this manner it may be possible to execute arbitrary code by overwriting variables related to program control.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
  • 06.15.6 - CVE: CVE-2006-1190
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Erroneous IOleClientSite Data Zone Bypass
  • Description: Microsoft Internet Explorer is prone to a zone bypass issue. which is due to the browser returning erroneous IOleClientSite when dynamically creating an embedded object. Microsoft has released a security update MS06-013 to address this issue.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
  • 06.15.7 - CVE: CVE-2006-0003
  • Platform: Other Microsoft Products
  • Title: Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution
  • Description: Microsoft Data Access Components (MDAC) provide components for database access. The MDAC RDS.Dataspace ActiveX control is vulnerable to an unspecified remote code execution. Microsoft Data Access Components (MDAC) versions 2.7 and 2.8 are vulnerable.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx
  • 06.15.8 - CVE: CVE-2006-1192
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Persistent Window Content Address Bar Spoofing
  • Description: Microsoft Internet Explorer is vulnerable to an address bar spoofing issues because it is possible for the content of a web page to persist while the browser window navigates to another site. Microsoft Internet Explorer versions 6.0 SP2 and earlier are vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
  • 06.15.9 - CVE: CVE-2006-1188
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer HTML Tag Memory Corruption
  • Description: Microsoft Internet Explorer is prone to a memory corruption vulnerability. This is related to the handling of certain HTML tags. This issue could let an attacker corrupt sensitive memory with attacker specified data. In this manner it may be possible to execute arbitrary code by overwriting variables related to program control.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
  • 06.15.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: TUGZip Remote Directory Traversal
  • Description: TUGZip is a file-archiving/compression application. It is affected by a directory traversal issue when the application processes malicious GZ, JAR, RAR and ZIP archives. TUGZip version 3.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17432
  • 06.15.11 - CVE: CVE-2006-1522
  • Platform: Linux
  • Title: Linux Kernel __keyring_search_one Local Denial of Service
  • Description: The Linux kernel is vulnerable to a local denial-of-service issue due to the "__keyring_search_one" function allowing a non-keyring key request. Linux kernel versions 2.6.16.3 and earlier are vulnerable.
  • Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188466
  • 06.15.12 - CVE: Not Available
  • Platform: Linux
  • Title: mnoGoSearch-Common Local Database Administrator Password Disclosure
  • Description: Debian has a "debconf" utility that is used to ask and store configuration-related questions when installing packages. The "debconf" package improperly stores password for the database created during the "mnogosearch-common" package installation process in insecure "config.dat" file. Please see attached advisory for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/17477
  • 06.15.13 - CVE: CVE-2006-0558
  • Platform: Linux
  • Title: Linux Kernel Perfmon.c Local Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability. This issue presents itself in "perfmon.c" on IA-64 platforms during exit processing when a task calls "pfm_context_create()" and "pfm_smpl_buffer_alloc()". An attacker must interrupt the task and another process must access its "mm_struct" for this condition to arise.
  • Ref: http://marc.theaimsgroup.com/?l=linux-ia64&m=113882384921688
  • 06.15.14 - CVE: Not Available
  • Platform: BSD
  • Title: NetBSD False Intel Hardware RNG Detection Predictable Random Number Generation Weakness
  • Description: NetBSD running on Intel chips provides a driver that employs the hardware random number generator (RNG) to gather entropy for the NetBSD kernel random number generator, rnd(4). It is prone to a predictable key generation weakness due to incorrect Intel hardware RNG detection. This issue arises on NetBSD systems with i8xx motherboard chipset for x86 CPUs.
  • Ref: http://www.securityfocus.com/bid/17496
  • 06.15.15 - CVE: Not Available
  • Platform: BSD
  • Title: NetBSD SIOCGIFALIAS IOCTL Local Denial of Service
  • Description: NetBSD is a Unix operating system. It is vulnerable to a denial of service issue because it does not handle exceptional conditions when the SIOCGIFALIAS IOCTL is used to get information about an alias that does not exist. NetBSD versions 3.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17497/info
  • 06.15.16 - CVE: Not Available
  • Platform: BSD
  • Title: NetBSD Sysctl Local Denial of Service
  • Description: NetBSD is a Unix operating system. It is vulnerable to a local denial of service issue arises when the sysctl function attempts to lock a user-supplied buffer that is used to store the results without checking the buffer's size. It may cause resource exhaustion. NetBSD versions 3.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17498
  • 06.15.17 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris SH Local Denial of Service
  • Description: Sun Solaris Bourne shell (sh) is prone to a local denial of service vulnerability. This vulnerability arises when a local unprivileged user creates temporary files in an unknown malicious manner.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102282-1
  • 06.15.18 - CVE: CVE-2006-1782
  • Platform: Solaris
  • Title: Sun Solaris LDAP2 RootDN Password Disclosure
  • Description: Sun Solaris LDAP2 is vulnerable to an information disclosure issue. Local unprivileged users may discover the Directory Server root Distinguished Name (rootDN) password if a privileged user uses the idsconfig command. Solaris versions 8 and 9 are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102113-1
  • 06.15.19 - CVE: Not Available
  • Platform: Unix
  • Title: Sybase EAServer Manager Connection Cache Password Disclosure
  • Description: Sybase EAServer is an application server for hosting business applications. It is vulnerable to a passwowrd disclosure issue through the connection cache. EAServer versions 5.2 and 5.3 are vulnerable.
  • Ref: http://www.sybase.com/detail?id=1040117
  • 06.15.20 - CVE: Not Available
  • Platform: Novell
  • Title: Novell GroupWise Messenger Accept Language Remote Buffer Overflow
  • Description: Novell GroupWise Messenger is an instant-messaging solution. It is affected by a buffer overflow issue that arises when the server handles an "Accept-Language" header containing more than 16 bytes of data that doesn't contain any commas or semicolons. Novell GroupWise Messenger version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17503
  • 06.15.21 - CVE: CVE-2006-1705
  • Platform: Cross Platform
  • Title: Oracle Database Access Restriction Bypass
  • Description: Oracle Database is vulnerable to an access restriction bypass issue due to the failure of the application to properly enforce read-only privileges for user roles with "SELECT" privileges. Oracle versions 9.2.0.0 through 10.2.0.3 are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/1297
  • 06.15.22 - CVE: CVE-2006-0053
  • Platform: Cross Platform
  • Title: Imager JPEG and TGA Images Denial of Service
  • Description: Imager is a Perl module to manipulate various image file formats. It is affected by a denial of service issue because it fails to properly handle JPEG images with 2 or 4 channels or TGA files with 2 channels. Imager version 0.50 has been released to address this issue.
  • Ref: http://www.securityfocus.com/bid/17415
  • 06.15.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: fbida FBGS Insecure Temporary File Creation
  • Description: fbida is a set of applications for viewing image files. The "fbgs" program creates temporary files in an insecure manner and with insecure file permissions in "/var/tmp" when the "TMPDIR" environment variable has not been defined. fbida versions 2.03 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17436
  • 06.15.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cyrus SASL Remote Digest-MD5 Denial of Service
  • Description: SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. Cyrus SASL is affected by a remote denial of service issue that occurs prior to successful authentication, allowing anonymous remote attackers to trigger it. Cyrus SASL version 2.1.21 has been released to fix this issue.
  • Ref: http://www.securityfocus.com/bid/17446
  • 06.15.25 - CVE: CVE-2004-2655
  • Platform: Cross Platform
  • Title: XScreenSaver Local Password Disclosure
  • Description: XScreenSaver is a screen saver application. It is vulnerable to a local password disclosure issue due to failing to properly grab the keyboard of the local user while it locks the display. XScreenSaver version 4.18 resolves this issue.
  • Ref: http://www.jwz.org/xscreensaver/changelog.html
  • 06.15.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Firefox HTML Parsing Null Pointer Dereference Denial of Service
  • Description: Mozilla Firefox is vulnerable to a remote denial of service issue when the browser parses certain malformed HTML content. Mozilla Firefox versions 1.5.0.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/430875
  • 06.15.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: W3C Amaya Multiple Remote Buffer Overflow Vulnerabilities
  • Description: W3C Amaya is a web browser and editor application that is available for many platforms. It is susceptible to multiple remote buffer overflow vulnerabilities due to improper bounds checking on user-supplied data to the "colgroup compact", "textarea rows" and "legend color" tag arguments. Amaya version 9.4 is affected by these issues.
  • Ref: http://www.securityfocus.com/bid/17507
  • 06.15.29 - CVE: CVE-2006-1628
  • Platform: Cross Platform
  • Title: Adobe LiveCycle OBSOLETE User Access Validation
  • Description: Adobe LiveCycle is a process management solution for document services. It is vulnerable to an access validation issue because a user who has been marked OBSOLETE can still gain access to LiveCycle Workflow or LiveCycle Form Manager. Adobe LiveCycle Workflow and LiveCycle Form Manager 7.01 are vulnerable.
  • Ref: http://www.adobe.com/support/techdocs/333036.html
  • 06.15.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Stylesheet Attribute Buffer Overflow
  • Description: Opera is susceptible to a buffer overflow vulnerability. This issue presents itself when Opera attempts to parse CSS stylesheets containing attributes with more than approximately 32768 bytes. An integer conversion operation during a string copy causes an integer overflow, resulting in unintended portions of memory prior to the destination buffer being overwritten. Opera version 8.52 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/430876
  • 06.15.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyForum Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpMyForum is a web-based forum application. Insufficient sanitization of the "type" and "page" parameters of "index.php" script exposes the application to multiple cross-site scripting issues. phpMyForum version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17420
  • 06.15.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPWebGallery Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHPWebGallery is a web-based photo gallery application. Insufficient sanitization of the "cat", "num" and "search" parameters of the "category.php" script and the "slideshow", "show_metadata" and "start" parameters of the "picture.php" script exposes the application to multiple cross-site scripting issues. PhpWebGallery version 1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/17421
  • 06.15.33 - CVE: CVE-2006-1717
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBulletinBoard Newthread.PHP Cross-Site Scripting
  • Description: MyBulletinBoard is web-based bulletin board application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "username" parameter of "newthread.php" script. MyBulletinBoard version 1.10 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/430464
  • 06.15.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Shadowed Portal Load.PHP Cross-Site Scripting
  • Description: Shadowed Portal is a web-based content management system. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "page" parameter of the "load.php" script. All versions of Shadowed Portal are considered to be vulnerable.
  • Ref: http://liz0zim.no-ip.org/shad0w.txt
  • 06.15.35 - CVE: CVE-2006-1716
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBulletinBoard Multiple HTML Injection Vulnerabilities
  • Description: MyBulletinBoard is a bulletin board application implemented in PHP. It is prone to multiple HTML-injection vulnerabilities due to insufficient sanitization of user-supplied input to the "Email" and "IMG" BBCode tags.
  • Ref: http://www.securityfocus.com/archive/1/430344
  • 06.15.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TalentSoft Web+ Shop Deptname Parameter Cross-Site Scripting
  • Description: TalentSoft Web+ Shop is a web-based ecommerce solution. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "deptname" parameter. TalentSoft Web+ Shop versions 5.0 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2006/04/web-shop-50-xss.html
  • 06.15.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: JBook Index.PHP Cross-Site Scripting
  • Description: JBook is a web-based guestbook application implemented in PHP. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "page" parameter of "index.php". JBook version 1.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/17419
  • 06.15.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Gallery Unspecified Cross-Site Scripting
  • Description: Gallery is a web-based photo gallery application. Insufficient sanitization of user supplied input exposes the application to a cross-site scripting issue. Gallery version 1.5.3 has been released to address this issue.
  • Ref: http://www.securityfocus.com/bid/17437
  • 06.15.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: XMB Forum Flash Video Cross-Site Scripting
  • Description: XMB Forum is a web-based message board application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to Flash videos. An attacker can execute javascript by using "ActionScript", a built-in language of Flash. XMB Forum version 1.9.5 is affected.
  • Ref: http://www.securityfocus.com/bid/17445
  • 06.15.40 - CVE: CVE-2006-1759
  • Platform: Web Application - Cross Site Scripting
  • Title: SWSoft Confixx Jahr Parameter Cross-Site Scripting
  • Description: Confixx is a control panel system for Web sites. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "jahr" parameter of the "allgemein_transfer.php" script. SWSoft Confixx 3.1.2 is vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/1331
  • 06.15.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: JetPhoto Multiple Cross-Site Scripting Vulnerabilities
  • Description: JetPhoto is a web-based photo gallery application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "page" parameter of the "thumbnail.php" script, the "gallery.php" and "detail.php" script, and the name parameter of the "slideshow.php" script. JetPhoto versions 2.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17449/info
  • 06.15.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Tritanium Bulletin Board Multiple Cross-Site Scripting Vulnerabilities
  • Description: Tritanium Bulletin Board is a bulletin board application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "newuser_name", "newuser_email", and "newuser_hp" parameters of the "index.php" script. Tritanium Bulletin Board version 1.2.3 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/430669
  • 06.15.43 - CVE: CVE-2006-1562
  • Platform: Web Application - Cross Site Scripting
  • Title: Manila Multiple Cross-Site Scripting Vulnerabilities
  • Description: Manila is a web-log application written for the MacOS and Microsoft Windows platforms. It is prone to multiple cross-site scripting vulnerabilities. Manila versions 9.5 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/430668
  • 06.15.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Autogallery Multiple Cross-Site Scripting Vulnerabilities
  • Description: Autogallery is a news reader application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "pic" and "show" parameters of the "index.php" script. AutoGallery version 0.41 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17480/info
  • 06.15.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: interaktiv.shop Multiple Cross-Site Scripting Vulnerabilities
  • Description: interaktiv.shop is a shopping cart application. Insufficeint sanitization of the "interaktiv.shop" script and the "pn" and "sbeg" parameters of the "shop_main.cgi" script exposes the application to a cross site scripting issue. interaktiv.shop versions 5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17485
  • 06.15.46 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyAdmin SQL.PHP Cross-Site Scripting
  • Description: phpMyAdmin is a web-based administration tool for mySQL databases. It is affected by a cross-site scripting issue due to insufficient sanitization of user supplied input to the "sql_query" parameter of the "sql.php" script. phpMyAdmin version 2.7 -pl1 is affected.
  • Ref: http://www.securityfocus.com/bid/17487
  • 06.15.47 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBB Member.PHP Cross-Site Scripting
  • Description: MyBB is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input. Since the "url" parameter is not properly sanitized when submitted to the "member.php" script, an attacker can submit malicious HTML and script code. MyBB version 1.10 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/17492/exploit
  • 06.15.48 - CVE: CVE-2006-1779
  • Platform: Web Application - Cross Site Scripting
  • Title: Simplog Login.PHP Cross-Site Scripting
  • Description: Simplog is a web log application, written in PHP. Simplog is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "btag" parameter of the "login.php" script.
  • Ref: http://milw0rm.com/exploits/1663
  • 06.15.49 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PatroNet CMS Index.PHP Cross-Site Scripting
  • Description: PatroNet CMS is a content management application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/17495
  • 06.15.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: XBrite Members.PHP SQL Injection
  • Description: XBrite is a web based application. Insufficient sanitization of the "id" parameter of the "members.php" script exposes the appliction to a SQL injection issue. XBrite version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/17421
  • 06.15.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: APT-webshop Modules.PHP Multiple SQL Injection Vulnerabilities
  • Description: APT-webshop is a shopping cart application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "id", "seite" and "group" parameters of the "modules.php" script. APT-webshop versions 3.0 light, 3.0 basic, and 4.0 pro are vulnerable.
  • Ref: http://pridels.blogspot.com/2006/04/apt-webshop-system-vuln.html
  • 06.15.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: dnGuestbook Admin.PHP SQL Injection Vulnerabilities
  • Description: dnGuestbook is a guestbook script for websites implemented in PHP. It is prone to SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "mail" and "id" parameters of the "admin.php" script. dnGuestbook version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17435
  • 06.15.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ShopWeezle Multiple SQL Injection Vulnerabilities
  • Description: ShopWeezle is an e-commerce application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "logon.php", "index.php" and "memo.php" scripts. ShopWeezle version 2.0 is vulnerable. Ref: http://pridels.blogspot.com/2006/04/shopweezle-20-multiple-vuln.html
  • 06.15.54 - CVE: CVE-2006-1708
  • Platform: Web Application - SQL Injection
  • Title: Clansys Index.PHP SQL Injection
  • Description: Clansys is a web based application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied to the "showid" parameter of the "index.php" script. Clansys version 1.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17456/discuss
  • 06.15.55 - CVE: CVE-2006-1743
  • Platform: Web Application - SQL Injection
  • Title: JBook Form.PHP SQL Injection Vulnerabilities
  • Description: JBook is a web-based guestbook application implemented in PHP. It is prone to SQL injection vulnerabilities due to improper sanitization of user-supplied input to the "mail" and "nom" parameters of the "form.php" script.
  • Ref: http://www.securityfocus.com/bid/17458
  • 06.15.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Dokeos Viewtopic.PHP SQL Injection
  • Description: Dokeos is a web-based e-learning and course management application. Insufficient sanitization of the "topic" parameter of the "viewtopic.php" script exposes the application to a SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17463
  • 06.15.57 - CVE: CVE-2006-1773
  • Platform: Web Application - SQL Injection
  • Title: PHPKIT Include.PHP SQL Injection
  • Description: PHPKIT is a web-based e-learning and course management application implemented in PHP. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "contentid" parameter of the "include.php" script.
  • Ref: http://www.securityfocus.com/bid/17467
  • 06.15.58 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SWSoft Confixx Index.PHP SQL Injection
  • Description: Confixx is a web-based control panel application implemented in PHP. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "SID" parameter of the "index.php" script. SWSoft Confixx versions 3.1.2, 3.0.8 and 3.0.6 are affected.
  • Ref: http://www.securityfocus.com/bid/17476
  • 06.15.59 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Chipmunk Guestbook Index.PHP SQL Injection
  • Description: Chipmunk Guestbook is a guest book application implemented in PHP. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "username" parameter of the "index.php" script. Chipmunk Guestbook version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/17483
  • 06.15.60 - CVE: CVE-2006-1778
  • Platform: Web Application - SQL Injection
  • Title: Simplog Multiple SQL Injection Vulnerabilities
  • Description: Simplog is a web-based news application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "index.php" script. Simplog version 0.9.2 is vulnerable.
  • Ref: http://milw0rm.com/exploits/1663
  • 06.15.61 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP121 PHP121LOGIN.PHP SQL Injection
  • Description: PHP121 is a web-based instant messaging application. It is vulnerable to an SQL injection issue due to insufficient sanitization to the "php121login.php" script. PHP121 version 1.4 is vulnerable. Ref: http://downloads.securityfocus.com/vulnerabilities/exploits/PHP121_poc
  • 06.15.62 - CVE: CVE-2006-1746
  • Platform: Web Application
  • Title: PHPList Index.PHP Local File Include
  • Description: PHPList is a web-based utility to manage personalized mailing and customer lists. It is prone to a local file include vulnerability. The problem presents itself in "lists/index.php" when the "GLOBALS[database_module]" is not properly sanitized of directory traversal sequences.
  • Ref: http://www.securityfocus.com/archive/1/430597
  • 06.15.63 - CVE: Not Available
  • Platform: Web Application
  • Title: SIRE Arbitrary File Upload
  • Description: SIRE is a content management web application implemented in PHP. It is prone to an arbitrary file upload vulnerability because input to the "upload.php" script is not properly sanitized allowing arbitrary files to be uploaded to the webroot. SIRE version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17431
  • 06.15.64 - CVE: CVE-2006-1702
  • Platform: Web Application
  • Title: SPIP Spip_login.PHP Remote File Include
  • Description: SPIP is a website publishing application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "url" variable of the "spip_login.php" script. SPIP version 1.8.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17423/info
  • 06.15.65 - CVE: Not Available
  • Platform: Web Application
  • Title: VegaDNS Multiple Input Validation Vulnerabilities
  • Description: VegaDNS is a tinyDNS administration application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to the "index.php" and "users.php" scripts. VegaDNS version 0.9.9 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/430474
  • 06.15.66 - CVE: CVE-2006-1610
  • Platform: Web Application
  • Title: SQuery LibPath Parameter Multiple Remote File Include Vulnerabilities
  • Description: SQuery is a game server and query module. SQuery is prone to multiple remote file include vulnerabilities due to insufficient sanitization of user-supplied input to the "libpath" parameter of various scripts.
  • Ref: http://liz0zim.no-ip.org/alp.txt
  • 06.15.67 - CVE: CVE-2006-1700
  • Platform: Web Application
  • Title: AWeb's Scripts Seller Buy.PHP Authorization Bypass
  • Description: AWeb's Scripts Seller is a web-based application for selling code. It is vulnerable to an authorization bypass issue due to predictable cookie data. Currently all versions of AWeb's Scripts Seller is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17417/info
  • 06.15.68 - CVE: CVE-2006-1697
  • Platform: Web Application
  • Title: Matt Wright Guestbook Guestbook.PL Multiple HTML Injection Vulnerabilities
  • Description: Matt Wright's Guestbook is a guest book application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input to the "guestbook.pl" script. Matt Wright's GuestBook version 2.3.1 is vulnerable.
  • Ref: http://liz0zim.no-ip.org/mattguestbook.html
  • 06.15.69 - CVE: CVE-2006-1608, CVE-2006-1494
  • Platform: Web Application
  • Title: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities
  • Description: PHP is a general purpose web scripting language. It is vulnerable to multiple "safe_mode" and "open_basedir" restriction bypass issues. PHP versions 4.4.2 and 5.1.2 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/430461
  • 06.15.70 - CVE: CVE-2006-1747
  • Platform: Web Application
  • Title: VWar Admin.PHP Remote File Include
  • Description: VWar is a team organizer application written in PHP. VWar is prone to a remote file include vulnerability. The application fails to properly sanitize user-supplied input to the "vwar_root" parameter of the "admin.php" script.
  • Ref: http://www.milw0rm.com/exploits/1658
  • 06.15.71 - CVE: CVE-2006-1770
  • Platform: Web Application
  • Title: AzDGVote Remote File Include
  • Description: AzDGVote is a web-based voting application. AzDGVote is prone to a remote file include vulnerability because the application fails to properly sanitize user-supplied input to the "int_path" parameter of the "view.php", "vote.php", "admin.php", and "/admin/index.php" scripts.
  • Ref: http://www.securityfocus.com/bid/17447
  • 06.15.72 - CVE: CVE-2006-1749
  • Platform: Web Application
  • Title: SmartISoft phpListPro Config.PHP Remote File Include
  • Description: SmartISoft phpListPro is a web based top site application. It is vulnerable to a remote file include issue insufficient sanitization of user-supplied input to the "returnpath" parameter of the "config.php" script. SmartISoft phpListPro versions 2.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/430614
  • 06.15.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Clever Copy Connect.INC Information Disclosure
  • Description: Clever Copy is a website portal and news posting system. It is prone to an information disclosure vulnerability because the contents of the "connect.inc" file can be viewed by remote, unprivileged users. Sensitive configuration information, such as the username and password for the back end database administrator account can be obtained from this file. Clever Copy version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17461
  • 06.15.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Blursoft Blur6ex Multiple Input Validation Vulnerabilities
  • Description: Blur6ex is a web-based blog and content management system implemented in PHP. It is prone to multiple input-validation vulnerabilities.
  • Ref: http://www.securityfocus.com/archive/1/430607
  • 06.15.75 - CVE: CVE-2006-0164
  • Platform: Web Application
  • Title: Phgstats Phgstats.Inc.PHP Remote File Include
  • Description: Phgstats is a gameserver status script. It is affected by a remote file include issue due to insufficient sanitization of the "phgdir" variable in the "phgstats.inc.php" script. Phgstats version 0.5.2 has been released to address this issue.
  • Ref: http://www.securityfocus.com/bid/17469
  • 06.15.76 - CVE: CVE-2006-1767
  • Platform: Web Application
  • Title: Indexu Multiple Remote File Include Vulnerabilities
  • Description: The "indexu" application is software for creating indexing websites through managing and organizing links. The "indexu" application is prone to multiple remote file include vulnerabilities. These issues are reported to affect versions 5.0.0 and 5.0.1.
  • Ref: http://www.securityfocus.com/archive/1/430599
  • 06.15.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Saxopress URL Parameter Directory Traversal
  • Description: SAXoPRESS is a web content management system. It is prone to a directory traversal vulnerability due to improper sanitization of user-supplied input. The problem occurs with specially crafted HTTP GET requests containing directory traversal strings supplied through the "url" parameter.
  • Ref: http://www.securityfocus.com/bid/17474/exploit
  • 06.15.78 - CVE: Not Available
  • Platform: Web Application
  • Title: MvBlog Multiple Input Validation Vulnerabilities
  • Description: MvBlog is a web log application implemented in PHP. It is prone to multiple input validation vulnerabilities due to improper sanitization of user-supplied input. MyBlog version 1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/17481
  • 06.15.79 - CVE: CVE-2006-1711
  • Platform: Web Application
  • Title: Plone MembershipTool Access Control Bypass
  • Description: Plone is a content management system developed for the Zope web application platform. It is susceptible to a remote access control bypass vulnerability due to improper enforcing of privileges to various MembershipTool methods. This issue allows remote, anonymous attackers to modify and delete portrait images of members. All versions of Plone 2 are vulnerable.
  • Ref: http://plone.org/products/plonehotfix20060410/
  • 06.15.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Simplog Remote File Include
  • Description: Simplog is a web log application. Insufficient sanitization of the "s" parameter of the "doc/index.php" script exposes the application to a remote file include issue. Simplog version 0.9.2 is affetced.
  • Ref: http://www.securityfocus.com/bid/17490
  • 06.15.81 - CVE: Not Available
  • Platform: Web Application
  • Title: SimpleBBS Remote Arbitrary Command Execution
  • Description: SimpleBBS is a web-based bulletin board application. It is prone to an arbitrary command execution vulnerability due to insufficient sanitization of user-supplied input to the "cmd" parameter of "posts.php". SimpleBBS versions 1.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17501
  • 06.15.82 - CVE: Not Available
  • Platform: Web Application
  • Title: Censtore Remote Arbitrary Command Execution
  • Description: Censtore is a web-based shopping cart system. It is prone to an arbitrary command execution vulnerability due to insufficient sanitization of user-supplied input to the "page" parameter of the "censtore.cgi" script.
  • Ref: http://www.securityfocus.com/bid/17515
  • 06.15.83 - CVE: Not Available
  • Platform: Web Application
  • Title: Sphider Configset.PHP Remote File Include
  • Description: Sphider is a web-based spider and search engine application. Insufficient sanitization of the "settings_dir" parameter of the "admin/configset.php" script exposes the application to a remote file include issue. Sphider version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/17514

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

Absolutely wonderful, both in presentation and content
-Don Seymour, TerpSys

SANSFIRE 2010

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT