@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 2
January 16, 2006

@RISK will be arriving on Monday instead of at the end of the week. We hope that will allow it to be even more useful to you.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     1 (#1)
    Microsoft Office            1
    Other Microsoft Products    2 (#2)
    Third Party Windows Apps    2 (#6)
    Mac Os                      2
    Linux                       1 (#4)
    BSD                         3
    Solaris                     3
    Unix                        2
    Cross Platform              7 (#3, #5, #7, #8)
    Web Application             32
    Network Device              4
    Hardware                    2

******************** Sponsored by SANS On Demand ************************

Can't get away for six days to take a SANS course? On Demand offers Security 401 Security Essentials and 504 Hacker Techniques online when it is convenient for you. Visit http://www.sans.org/info.php?id=983 or write us at ondemand@sans.org to set up a free demo. On Demand, SANS Training. Anytime, Anywhere!

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
BSD
Solaris
Unix
Cross Platform
Web Application
Network Device
Hardware

*********************** Sponsored Links: ********************************

1) Free SANS Webcast: WhatWorks in Intrusion Prevention Systems: "Defending Government Security with Unisys" Tuesday, January 17 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=984

2) Free SANS Webcast: WhatWorks in Secure Email - Anti-spam Makes for Home Sweet Home at The Villages Thursday, January 19 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=985

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (5) HIGH: ClamAV UPX Processing Buffer Overflow
  • Affected:
    • ClamAV versions prior to 0.88
  • Description: ClamAV is open-source antivirus software designed mainly for scanning email on UNIX mail gateways. The software includes a virus scanning library, libClamAV, which is used by many third-party email, web and FTP scanners as well as by mail clients. The library contains a buffer overflow that can be triggered by a specially crafted UPX-packed executable file. An attacker can deliver the malicious file via email, web, FTP or a file share and exploit the buffer overflow to execute arbitrary code on the system running the ClamAV library. The technical details can be obtained by comparing the fixed and the affected versions of the software. Note that no user interaction is required to compromise mail, web or FTP gateways.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Other Software
  • (7) MODERATE: Apache auth_ldap Module Format String Vulnerabilities
  • Affected:
    • auth_ldap version 1.6.0 and prior
  • Description: The auth_ldap module provides LDAP authentication for Apache servers on Windows and UNIX platforms. This module contains a format string vulnerability that can be triggered by supplying a specially crafted username during the LDAP authentication process. An attacker can exploit the flaw to execute arbitrary code on the Apache server with the privileges of the "apache" process. The technical details required to craft an exploit can be gathered by examining the fixed and the vulnerable code.

  • Status: Vendor has released version 1.6.1. Linux vendors such as Red Hat have also released their own updates.

  • Council Site Actions: Two of the reporting council sites are using the affected software. One site is awaiting the patch and will install it during its next regularly scheduled system update cycle. The second site is still assessing and will likely handle it at its next scheduled maintenance window.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 2, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4771 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 06.2.1 - CVE: CVE-2006-0010
  • Platform: Windows
  • Title: Windows Embedded Web Font Buffer Overflow
  • Description: Microsoft Windows is vulnerable to a remotely exploitable buffer overflow issue due to insufficient handling of embedded web fonts that have been maliciously malformed. See Microsoft security bulletin MS06-002 for further details.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx

  • 06.2.2 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Microsoft Excel Unspecified Code Execution
  • Description: Microsoft Excel is susceptible to an unspecified code execution vulnerability. The issue presents itself when Microsoft Excel attempts to process malformed or corrupted XLS files. Please visit the reference link provided for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/16181

  • 06.2.3 - CVE: CVE-2006-0002
  • Platform: Other Microsoft Products
  • Title: Microsoft Outlook / Microsoft Exchange TNEF Decoding Remote Code Execution
  • Description: Microsoft Exchange Server and Outlook email clients use the Transport Neutral Encapsulation (TNEF) format when sending Rich Text Format (RTF) messages. They are prone to a remote code execution vulnerability due to insufficient boundary checks performed by the applications. This issue affects Microsoft Outlook, Microsoft Exchange, and Microsoft Office Multilingual User Interface (MUI) Packs.
  • Ref: http://www.securityfocus.com/archive/1/421518

  • 06.2.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Visual Studio UserControl Remote Code Execution
  • Description: Microsoft Visual Studio is prone to a vulnerability that could allow remote arbitrary code execution. This is due to a design flaw that executes code contained in a project file without first notifying users. If a "UserControl" object is added to a Form in a Visual Studio project, the "UserControl_Load" function will execute it without notifying the user, without prior confirmation, and without compiling or executing the project. Microsoft Visual Studio 2005 is reportedly vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/16225

  • 06.2.5 - CVE: CVE-2006-0105
  • Platform: Third Party Windows Apps
  • Title: PostgreSQL Postmaster Denial of Service
  • Description: PostgreSQL is prone to a denial of service vulnerability. The problem occurs when the "postmaster" service receives multiple connection attempts at the same time. The application fails to handle multiple requests properly and crashes. The crash will not affect existing connections, but future connections will not be possible until the service is manually restarted. This issue only affects PostgreSQL for Microsoft Windows. PostgreSQL versions 8.0.0-8.0.5 and 8.1.0-8.1.1 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/421592

  • 06.2.6 - CVE: CVE-2006-0148
  • Platform: Third Party Windows Apps
  • Title: NetSarang XLPD Remote Denial of Service
  • Description: NetSarang Xlpd is a remotely accessible line printer daemon for the Microsoft Windows platform. It is vulnerable to a denial of service issue when it receives approximately 40 simultaneous connections from the same IP. NetSarang Xlpd version 2.1 is vulnerable.
  • Ref: http://www.ipomonis.com/advisories/xlpd.txt

  • 06.2.7 - CVE: CVE-2005-2340, CVE-2005-3707, CVE-2005-3708, CVE-2005-3709, CVE-2005-3710, CVE-2005-3711, CVE-2005-3713
  • Platform: Mac Os
  • Title: Apple QuickTime Multiple Code Execution Vulnerabilities
  • Description: QuickTime Player is the media player distributed by Apple for playing QuickTime and other media files. It is affected by multiple remote code execution issues because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers. QuickTime versions prior to 7.0.4 are affected.
  • Ref: http://www.securityfocus.com/bid/16202

  • 06.2.8 - CVE: CVE-2006-0141
  • Platform: Mac Os
  • Title: Eudora Internet Mail Server Multiple Denial of Service Vulnerabilities
  • Description: Qualcomm Eudora Internet Mail Server (EIMS) is vulnerable to multiple denial of service issues due to the application's inability to handle exceptional conditions such as a malformed NTLM authentication request. Qualcomm Eudora Internet Mail Server versions 3.2.8 and earlier are vulnerable.
  • Ref: http://www.eudora.co.nz/updates.html

  • 06.2.9 - CVE: CVE-2006-0150
  • Platform: Linux
  • Title: Dave Carrigan Auth_LDAP Remote Format String
  • Description: Dave Carrigan's Auth_ldap is an Apache authentication module that utilizes Lightweight Directory Access Protocol. It is vulnerable to a remote format string issue due to insufficient sanitization of user-supplied input to the "auth_ldap_log_reason()" function. Dave Carrigan's auth_ldap version 1.6.1 resolves this issue.
  • Ref: http://rhn.redhat.com/errata/RHSA-2006-0179.html http://www.rudedog.org/auth_ldap/Changes.html

  • 06.2.10 - CVE: CVE-2006-0054
  • Platform: BSD
  • Title: FreeBSD IPFW IP Fragment Remote Denial of Service
  • Description: FreeBSD IPFW is a packet filtering firewall that is integrated into the operating system's kernel. It is susceptible to a remote denial of service vulnerability. This issue is due to a flaw in affected kernels that results in an uninitialized kernel memory access when handling ICMP IP fragments. FreeBSD version 6.0 is affected.
  • Ref: http://www.securityfocus.com/advisories/10003

  • 06.2.11 - CVE: CVE-2006-0055
  • Platform: BSD
  • Title: FreeBSD ee Insecure Temporary File Creation
  • Description: FreeBSD ee is a screen oriented text editor. It creates temporary files in an insecure manner. An attacker with local access could exploit this to overwrite files in the context of the application. Please check the attached advisory for a list of affected versions.
  • Ref: http://www.securityfocus.com/bid/16207

  • 06.2.12 - CVE: CVE-2005-4352
  • Platform: BSD
  • Title: BSD Securelevel Time Setting Security Restriction Bypass
  • Description: Securelevels allow administrators to configure computers with various security restrictions. BSD Securelevels are vulnerable to a security restriction bypass issue that allows local users to set the system clock to any arbitrary value due to an integer overflow in the system clock. NetBSD versions 2.1 and earlier are vulnerable. Linux versions 2.6.15 and earlier are vulnerable.
  • Ref: http://www.redteam-pentesting.de/advisories/rt-sa-2005-16.txt

  • 06.2.13 - CVE: CAN-2004-0780
  • Platform: Solaris
  • Title: Sun Solaris uustat Local Buffer Overflow
  • Description: The Sun Solaris uustat utility is used to display status information about the Unix to Unix CoPy (UUCP) system. The utility is prone to a local buffer overflow vulnerability. The vulnerability arises when an attacker supplies excessive string data to the utility through the "-S" command line argument. A user-supplied string containing 1152 or more bytes can overflow a finite sized buffer leading to memory corruption. An attacker can exploit this issue to execute arbitrary code and gain "uucp" user privileges which correspond to user ID 5 by default.
  • Ref: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-101933-1

  • 06.2.14 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Find In Proc Filesystem Local Denial of Service Vulnerability
  • Description: Sun Solaris is prone to a local denial of service vulnerability. A local unauthorized user can cause a system panic, and thus a denial of service, by running "find" in the "/proc" filesystem. The issue is triggered by a "readdir" call in an unspecified location, so any recursive utility like "find" will likely trigger it.
  • Ref: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102108-1

  • 06.2.15 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Operating System Unspecified Privilege Escalation
  • Description: Sun Solaris on x86 platforms is prone to an unspecified privilege escalation issue. This vulnerability is due to an unspecified security issue which may allow a local unprivileged user to gain elevated privileges or panic the kernel. This issue affects Solaris 9 and 10.
  • Ref: http://www.securityfocus.com/bid/16224

  • 06.2.16 - CVE: Not Available
  • Platform: Unix
  • Title: XMame Multiple Local Command Line Argument Buffer Overflow
  • Description: XMame is a port of the MAME arcade emulator. It is prone to locally exploitable buffer overflow issues in the "xmame.x11" executable due to insufficient bounds checking of command line parameters. An attacker could exploit this issue to gain higher privileges. XMame version 0.102 is vulnerable to these issues.
  • Ref: http://www.securityfocus.com/bid/16203/info

  • 06.2.17 - CVE: Not Available
  • Platform: Unix
  • Title: NetBSD kernfs lseek Local Kernel Memory Disclosure
  • Description: The kernfs file system is a file system that allows users to access certain portions of kernel memory in user-space by accessing virtual files. It is vulnerable to a kernel memory disclosure issue due to insufficient sanitization of user-supplied arguments passed to the "lseek()" system call. An attacker could exploit this issue and could launch further attacks based on the information gathered. NetBSD version 3.0 is vulnerable.
  • Ref: http://www.securityfocus.com/advisories/9979

  • 06.2.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BEA WebLogic Server and WebLogic Express MBean Remote Information
  • Description: BEA WebLogic Server and WebLogic Express are susceptible to a remote information disclosure vulnerability. MBeanHome, and from there, further configuration MBeans may be retrieved via anonymous connections through remote RMI (Remote Method Invocation) access to the JNDI (Java Naming and Directory Interface). Anonymous administration lookup access to JNDI is enabled by default. WebLogic Server and Express versions 6.1, 7.0, and 8.1 on all platforms are vulnerable.
  • Ref: http://dev2dev.bea.com/pub/advisory/162

  • 06.2.19 - CVE: CAN-2005-2340
  • Platform: Cross Platform
  • Title: QuickTime PictureViewer JPEG/PICT File Buffer Overflow
  • Description: QuickTime Player is Apple's media player. It is vulnerable to a buffer overflow issue due to insufficient handling of malformed JPEG and PICT files. QuickTime versions 6.5.2 and 7.0.3 are vulnerable.
  • Ref: http://www.cirt.dk/advisories/cirt-41-advisory.pdf

  • 06.2.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sudo Python Environment Variable Handling Security Bypass
  • Description: Sudo is a widely used Linux/Unix utility that allows users to securely run commands as the superuser or other users. It is prone to a security bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling the "PYTHONINSPECT" environment variable.
  • Ref: http://www.securityfocus.com/bid/16184/exploit

  • 06.2.21 - CVE: CVE-2005-2344
  • Platform: Cross Platform
  • Title: Blackberry Enterprise Server PNG Attachment Denial of Service
  • Description: Research In Motion Blackberry Enterprise Server is communications middleware for Blackberry devices. It is vulnerable to a denial of service attack due to insufficient handling of a malformed Portable Network Graphics (PNG) file. Research in Motion BlackBerry Enterprise Server versions 4.0 Service Pack 2 and earlier are vulnerable.
  • Ref: http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167794

  • 06.2.22 - CVE: CVE-2006-0083
  • Platform: Cross Platform
  • Title: Stefan Frings SMS Server Tools Local Format String
  • Description: Stefan Frings SMS Server Tools is an application used to send and receive SMS (Short Message Service). A format string issue is exposed via the "syslog()" function in the "src/logging.c" source file. Version 1.14.8 of SMS Server Tools is affected.
  • Ref: http://www.securityfocus.com/bid/16188

  • 06.2.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Clam Anti-Virus ClamAV Unspecified UPX File Buffer Overflow
  • Description: ClamAV is an anti-virus application. It is prone to an unspecified heap buffer overflow vulnerability due to a failure of the application to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer. Exploitation of this issue could allow attacker-supplied machine code to be executed in the context of the affected application. Please refer to the following link for more details.
  • Ref: http://www.securityfocus.com/archive/1/421741

  • 06.2.24 - CVE: CVE-2005-4591, CVE-2005-4592
  • Platform: Cross Platform
  • Title: Bogofilter Multiple Remote Buffer Overflow Vulnerabilities
  • Description: Bogofilter is a Bayesian spam filtering application designed to be run on Linux and Unix platforms. Multiple remote buffer overflow vulnerabilities affect Bogofilter. These issues are due to a failure of the application to properly handle invalid input sequences and validate the length of user-supplied strings prior to copying them into static process buffers. Please visit the reference link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/16171

  • 06.2.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Interspire TrackPoint NX Index.PHP Cross-Site Scripting
  • Description: TrackPoint NX is an online advertising campaign and promotional activity management application. Insufficient sanitization of the "username" parameter of the "index.php" script exposes the application to a cross-site scripting issue. TrackPoint NX versions less than 0.1 are affected.
  • Ref: http://www.securityfocus.com/bid/16214

  • 06.2.26 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Toolkit for PayPal IPN_success.PHP Logfile Injection
  • Description: PHP Toolkit for PayPal is a set of application scripts to integrate PayPal into an ecommerce application. All input parameters to the "ipn_success.php" script are modifiable by way of an HTTP "POST" request, and may be overwritten to create false transaction data in the application's transaction log file. PHP Toolkit version 0.50 is affected.
  • Ref: http://www.securityfocus.com/archive/1/421739

  • 06.2.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Fog Creek Software FogBugz Default.ASP Cross-Site Scripting
  • Description: FogBugz is a project management application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "dest" parameter of the "default.asp" script. FogBugz versions 4.029 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16216/exploit

  • 06.2.28 - CVE: Not Available
  • Platform: Web Application
  • Title: MyPhPim Multiple Input Validation Vulnerabilities
  • Description: MyPhPim is a personal information manager written in PHP. It is vulnerable to multiple input validation issues due to a failure in the application to properly sanitize user-supplied input. SQL injection attacks are possible through the "cal_id" parameter of the "calendar.php3" script, and via the "login" input parameter on the login page of the application. Successful exploitation of these vulnerabilities could result in a compromise of the application or theft of cookie-based authentication credentials. MyPhPim version 1.05 is vulnerable.
  • Ref: http://evuln.com/vulns/22/summary.html

  • 06.2.29 - CVE: Not Available
  • Platform: Web Application
  • Title: CaLogic Calendars Add Event Multiple HTML Injection Vulnerabilities
  • Description: CaLogic Calendars is a web-based calendar application. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of user-supplied input to multiple unspecified input variables when adding a new calendar event. CaLogic version 1.2.2 is reported to be vulnerable.
  • Ref: http://evuln.com/vulns/24/summary.html

  • 06.2.30 - CVE: CVE-2006-0169
  • Platform: Web Application
  • Title: MyPhPim Addresses.PHP3 Arbitrary File Upload
  • Description: MyPhPim is a personal information manager written in PHP. MyPhPim is prone to an arbitrary file upload vulnerability. Input to the "pdbfile" parameter of the "addresses.php3" script is not properly sanitized, allowing arbitrarily named files to be uploaded to the user's computer.
  • Ref: http://evuln.com/vulns/23/summary.html

  • 06.2.31 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP MySQLI Error Logging Remote Format String
  • Description: PHP is a free and widely used web page development language. It is susceptible to a remote format string vulnerability in the "mysqli" extension. This issue is due to insufficient sanitization of user-supplied input prior to using it in the format-specifier argument to a formatted printing function. PHP versions 5.1.0 and 5.1.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/421705

  • 06.2.32 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP 5 User-Supplied Session ID Input Validation
  • Description: PHP 5 is prone to an input validation vulnerability due to improper sanitization of user-supplied PHP session IDs transmitted by way of HTTP headers. PHP 5 versions 5.1.1 and prior are affected.
  • Ref: http://www.hardened-php.net/advisory_012006.112.html

  • 06.2.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Orjinweb Index.PHP Remote File Include
  • Description: Orjinweb E-commerce is a shopping cart application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "page" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/16199/info

  • 06.2.34 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNuke Multiple Modules IMG Tag HTML Injection
  • Description: The PHPNuke Pool and News Modules are prone to an HTML injection vulnerability. This issue is due to improper sanitization of user-supplied input to "IMG" tags of posted comments to the application modules.
  • Ref: http://www.securityfocus.com/bid/16192/exploit

  • 06.2.35 - CVE: Not Available
  • Platform: Web Application
  • Title: WebWiz Forums Search_form.ASP Cross-Site Scripting
  • Description: WebWiz Forums is a forum application written in ASP. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "search" parameter of the "search_form.asp" script. WebWiz Forum version 6.34 is affected.
  • Ref: http://www.securityfocus.com/bid/16196

  • 06.2.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Hummingbird Enterprise Collaboration Multiple Vulnerabilities
  • Description: Hummingbird Enterprise Collaboration is a web-based collaborative groupware application. It is affected by multiple issues, including arbitrary HTML/script upload and information disclosure. Hummingbird Enterprise Collaboration versions 5.2.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16195

  • 06.2.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Xoops Pool Module HTML Injection
  • Description: The XOOPS Pool Module is a sports betting module for XOOPS. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to "IMG" tags of posted comments. The XOOPS Pool Module is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/421325

  • 06.2.38 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPNuke EV Search Module SQL Injection
  • Description: PHPNuke EV is an input validation and filtering system written in PHP. It is prone to an SQL injection vulnerability caused by insufficient sanitization of user-supplied input to the "query" parameter of the search script. PHPNuke EV version 7.7 is vulnerable.
  • Ref: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html

  • 06.2.39 - CVE: Not Available
  • Platform: Web Application
  • Title: AppServ Open Project Remote File Include
  • Description: AppServ Open Project is an installation utility that ships with an application suite made up of open source software. It is prone to a remote file include vulnerability due to improper sanitization of user-supplied input to the "appserv_root" parameter of the "main.php" script. AppServ Open Project version 2.4.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16166

  • 06.2.40 - CVE: CVE-2006-0146
  • Platform: Web Application
  • Title: ADOdb Server.PHP SQL Injection
  • Description: ADOdb is a database abstraction library for PHP. ADOdb is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "sql" parameter of the "server.php" script before using it in an SQL query.
  • Ref: http://secunia.com/secunia_research/2005-64/advisory/

  • 06.2.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Andromeda Andromeda.php Cross-Site Scripting
  • Description: Andromeda is a streaming MP3 server written in PHP and ASP. It is prone to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "s" parameter of the "andromeda.php" script. An attacker could exploit this issue to steal cookie-based authentication credentials as well as perform other attacks. Andromeda version 1.9.3.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16183/info

  • 06.2.42 - CVE: CVE-2006-0114
  • Platform: Web Application
  • Title: Joomla Vcard Access Information Disclosure
  • Description: Joomla is a web content management application. It is vulnerable to an information disclosure issue due to insufficient handling of the "hide" control setting when displaying the vcard data. Joomla versions 1.0.5 and earlier are vulnerable.
  • Ref: http://forge.joomla.org/sf/go/artf2950

  • 06.2.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Magic News Plus Administrator Password Change
  • Description: Magic News Plus is software to display news and events. It is affected by a password change issue in which an attacker can change the administrator password and gain access to the affected application. Magic News version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/16182

  • 06.2.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Venom Board Post.PHP3 Multiple SQL Injection Vulnerabilities
  • Description: Venom Board is a bulletin board application. It is prone to multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "parent", "root" and "topic_id" parameters of the "post.php3" script. Venom Board version 1.22 is affected.
  • Ref: http://www.securityfocus.com/bid/16176/exploit

  • 06.2.45 - CVE: CVE-2006-0152
  • Platform: Web Application
  • Title: phpChamber Search_result.PHP Cross-Site Scripting
  • Description: phpChamber is a member directory management application written in PHP. It is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "needle" parameter of the "search_result.php" script.
  • Ref: http://www.securityfocus.com/bid/16180

  • 06.2.46 - CVE: CVE-2006-0153
  • Platform: Web Application
  • Title: 427BB Authentication Bypass
  • Description: 427BB is a bulletin board application. It is vulnerable to an authentication bypass issue due to insufficient validation of user-supplied cookie data with the "login.php" and "getvar.php" scripts. 427BB versions 2.2 and 2.2.1 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/421326

  • 06.2.47 - CVE: CVE-2006-0154
  • Platform: Web Application
  • Title: 427BB Showthread.PHP SQL Injection
  • Description: 427BB is a bulletin board application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "ForumID" parameter of the "showthread.php" script. 427BB versions 2.2 and 2.2.1 are vulnerable.
  • Ref: http://evuln.com/vulns/18/summary.html

  • 06.2.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Foxrum Multiple BBCode Tag Script Injection Vulnerabilities
  • Description: Foxrum is web forum software. It is prone to multiple script injection vulnerabilities due to improper sanitization of user-supplied input to the "[url]" BBCode tag of "addpost1.php" and "addtopic1.php". Foxrum version 4.0.4f is reported to be vulnerable.
  • Ref: http://evuln.com/vulns/20/summary.html

  • 06.2.49 - CVE: CVE-2006-0132
  • Platform: Web Application
  • Title: SysCP WebFTP Module Local File Include
  • Description: System Control Panel (SysCP) is a web-based server administration application. SysCP WebFTP module is prone to a local file include vulnerability. The "webftp_language" parameter of the "webftp.php" script is not properly sanitized, allowing an attacker to include and execute local files in the context of the affected web server process. WebFTP 1.2.6 is reportedly vulnerable to this issue. Other versions may be affected as well.
  • Ref: http://www.securityfocus.com/bid/16175

  • 06.2.50 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP PEAR Go-Pear.PHP Arbitrary Remote Code Execution
  • Description: go-pear.php is a script to automatically download all the files needed to run the PEAR package installer. It is affected by an issue that could permit the execution of arbitrary code. An attacker can exploit this issue to supply a malicious proxy server and upload arbitrary files and execute them in the context of the web server process. go-pear.php version 0.2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/16174

  • 06.2.51 - CVE: Not Available
  • Platform: Web Application
  • Title: PD9 Software MegaBBS Private Message Information Disclosure
  • Description: MegaBBS is web forum software implemented in ASP. It is vulnerable to an information disclosure issue due to a failure in the application to properly sanitize user-supplied data. An attacker can exploit this issue to view private messages of other users. MegaBBS versions 2.0 and 2.1 are vulnerable.
  • Ref: http://www.pd9soft.com/megabbs/forums/thread-view.asp?tid=4924

  • 06.2.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Aquifer CMS Index.ASP Cross-Site Scripting
  • Description: Aquifer CMS is a web content management system. Insufficient sanitization of the "keyword" parameter in the "public/index.asp" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16162

  • 06.2.53 - CVE: Not Available
  • Platform: Web Application
  • Title: TinyPHPForum Multiple Directory Traversal Vulnerabilities
  • Description: TinyPHPForum is Web-based forum software. It is vulnerable to multiple directory traversal issues due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to retrieve arbitrary files from the vulnerable system in the context of the web server process. TinyPHPForum versions 3.6 and earlier are vulnerable.
  • Ref: http://evuln.com/vulns/14/summary.html

  • 06.2.54 - CVE: CVE-2006-0140
  • Platform: Web Application
  • Title: Navboard Multiple Cross-Site Scripting Vulnerabilities
  • Description: Navboard is a web forum application. It is vulnerable to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "[url]", "[b]" and "[textlarge]" BBCode tags of "post.php". Navboard versions V17beta2 and V16 are vulnerable.
  • Ref: http://evuln.com/vulns/19/summary.html

  • 06.2.55 - CVE: CVE-2005-3655
  • Platform: Web Application
  • Title: SuSE Open Enterprise Server Novell Remote Manager HTTP Request Header Heap Overflow
  • Description: Novell Remote Manager is a remote management interface that is accessible over the HTTP protocol. It is vulnerable to a remotely exploitable heap overflow issue triggered by a malicious HTTP request header. The issue is due to a boundary condition error in "httpstkd" when handling extremely large or negative size values in HTTP request header fields. Successful exploitation will allow for arbitrary code execution in the context of the application.
  • Ref: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=371

  • 06.2.56 - CVE: Not Available
  • Platform: Web Application
  • Title: TankLogger General Functions Script SQL Injection Vulnerabilities
  • Description: TankLogger is a web-based aquarium tracking application. It is prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "livestock_id" and "tank_id" parameters of the "general_functions.php" script before using it in an SQL query. TankLogger version 2.4 is affected.
  • Ref: http://www.securityfocus.com/bid/16228/exploit

  • 06.2.57 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Aironet Wireless Access Point ARP Memory Exhaustion Denial of Service
  • Description: Cisco Aironet Wireless Access Points are a series of wireless access point devices. They are vulnerable to a denial of service issue because the device does not properly limit the memory consumed by its ARP table. This issue allows attackers who can successfully associate with a vulnerable access point to exhaust the memory of the affected device. It affects various models running Cisco IOS, but not the models running the VxWorks-based operating system (version 12.05 and earlier).
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless.shtml

  • 06.2.58 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco CS-MARS Default Administrative Password
  • Description: Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a security management appliance. The appliance sets a default administrative password during installation. Cisco Security Monitoring, Analysis and Response System version 4.1.3 resolves this issue.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060111-mars.shtml

  • 06.2.59 - CVE: Not Available
  • Platform: Network Device
  • Title: eStara Softphone SIP SDP Data Packet Remote Buffer Overflow
  • Description: eStara Softphone is a commercial SIP (Session Initiation Protocol) VoIP (Voice Over IP) phone for the Microsoft Windows platform. A remote buffer overflow vulnerability affects eStara Softphone due to improper validation of the length of user-supplied strings. eStara Softphone versions 3.0.1.14 and 3.0.1.46 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/421596

  • 06.2.60 - CVE: Not Available
  • Platform: Network Device
  • Title: Trac HTML WikiProcessor Wiki Content HTML Injection
  • Description: Trac is a project tracking application written in the Python programming language. It is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to unspecified fields of the HTML WikiProcessor before using it in dynamically generated content.
  • Ref: http://projects.edgewall.com/trac/wiki/ChangeLog

  • 06.2.61 - CVE: Not Available
  • Platform: Hardware
  • Title: Cray UNICOS Multiple Buffer Overflow Vulnerabilities
  • Description: Cray UNICOS is the operating system of Cray supercomputers. It is vulnerable to locally exploitable buffer overflow issues due to insufficient boundary checking of command line parameters in various utilities with setuid-superuser privileges. Cray UNICOS version 9.0.2.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16205

  • 06.2.62 - CVE: Not Available
  • Platform: Hardware
  • Title: Cisco IP Phone 7940 Remote Denial of Service
  • Description: Cisco IP Phone 7940 is prone to a remote denial of service vulnerability which arises when the device handles malformed network data containing a packetcount of 1000 and a packetdelay of 0.002 over TCP port 80. Successful exploitation causes the phone to restart.
  • Ref: http://www.securityfocus.com/bid/16200/info

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.