@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 20
May 22, 2006

The Microsoft Word vulnerability is extremely critical, and there are three others of similar impact this week.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                   # of Updates & Vulnerabilities
    ---------------------------------------    ------------------------------
    Microsoft Office                           1 (#1)
    Third Party Windows Apps                   6
    Linux                                      1
    BSD                                        1
    Solaris                                    1
    Unix                                       1
    Novell                                     1 (#2)
    Cross Platform                             13 (#3, #4, #6, #7)
    Web Application - Cross Site Scripting     11
    Web Application - SQL Injection            9
    Web Application                            21 (#5)
    Network Device                             1
    Hardware                                   1
    Updates                                    1 (#8)

***************** Sponsored By Blue Coat Systems, Inc. *****************

New security ebook on Information Theft Prevention

In The Definitive Guide to Information Theft Prevention, security author Dan Sullivan provides advice on information protection and privacy regulations; how to tackle threats from unmanaged devices; how to secure managed devices; and how to leverage new security technologies. This guide also discusses risk management, incident responses and emerging best practices around information security. Download the eBook now.

http://www.sans.org/info.php?id=1170

*************************************************************************

SECURITY TRAINING UPDATE FOR JUNE and JULY, 2006

Washington DC: 18 tracks

Denver: 6 tracks

London: 5 tracks

Toronto: 4 tracks

Plus 10 other cities and live-online programs you can take from your home. See http://sans.org/ for the course schedule and registration.

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Microsoft Office
Third Party Windows Apps
Linux
BSD
Solaris
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************ Sponsored Links: *******************************

1) ComputraceComplete tracks & recovers stolen laptops - guaranteed. Download a free whitepaper on laptop & data security.

http://www.sans.org/info.php?id=1171

2) SANS OnSite InfoSec Training Your Location! Your Schedule! Lower Cost!

http://www.sans.org/info.php?id=1172

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/index.php#process

Widely Deployed Software
  • (1) CRITICAL: Microsoft Word Memory Corruption/Remote Code Execution
  • Affected: Microsoft Word 2000 and later
  • Description: A critical vulnerability exists in Microsoft Word 2000 and later versions. This vulnerability was not reported publicly. It was discovered when a virus exploiting this vulnerability was seen in the wild. Analysis of the virus has revealed that specially-crafted Microsoft Word documents can result in code execution when opened on a vulnerable system. The currently spreading virus installs a trojan on vulnerable systems. There is no patch available; users of the vulnerable software should not open Word documents from untrusted sources. Users are advised to keep their antivirus signatures updated, and be prepared to deploy a patch from Microsoft. Users should also keep watch for signs of a targeted attack on their systems. Some known behavior of the virus includes HTTP access to the hostname "localhosts.3322.org". Users should monitor DNS queries and investigate any attempts to resolve this address. Note that the owner of this domain has changed the IP address for which this resolves several times.

  • Status: Microsoft confirmed. Update expected to be released as part of the next update cycle.

  • References:
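The Word entry above asks administrators to monitor DNS queries for attempts to resolve "localhosts.3322.org" and notes that the address it resolves to keeps changing, so the useful match is on the hostname rather than the IP. The following is an added example, not code from the bulletin or from TippingPoint: a small Python script that scans BIND-style query-log lines (the log format and the sample lines are constructed for this example) for the hostname from the entry, including case variants, a trailing dot and subdomains, and reports which internal clients should be investigated.

```python
import re
from dataclasses import dataclass

# Indicator taken from the @RISK entry above: the Word-document malware
# resolves this hostname. We match on the name, not the IP, because the
# bulletin notes the resolved address has changed several times.
WATCHED_HOSTNAMES = {"localhosts.3322.org"}

# Constructed sample log lines in a BIND-style query-log format (not real data).
SAMPLE_DNS_LOG = """\
22-May-2006 09:14:02.118 client 10.1.4.22#51234: query: www.example.com IN A +
22-May-2006 09:14:05.402 client 10.1.4.57#40211: query: LocalHosts.3322.org IN A +
22-May-2006 09:14:09.990 client 10.1.4.22#51240: query: mail.example.com IN MX +
22-May-2006 09:15:31.007 client 10.1.7.118#33891: query: localhosts.3322.org. IN A +
22-May-2006 09:16:00.512 client 10.1.4.90#49102: query: update.3322.org IN A +
this line is not a query record
"""

# Assumed log layout: "<date> <time> client <ip>#<port>: query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qname: str
    qtype: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.rstrip(".").lower()


def is_watched(qname: str, watched=WATCHED_HOSTNAMES) -> bool:
    """True if qname equals a watched host or is a subdomain of one."""
    n = normalize(qname)
    return any(n == w or n.endswith("." + w) for w in watched)


def find_hits(log_text: str, watched=WATCHED_HOSTNAMES) -> list[Hit]:
    """Return every query record whose name matches a watched hostname."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # tolerate non-query lines instead of aborting the scan
        if is_watched(m["qname"], watched):
            hits.append(Hit(m["ts"], m["client"], normalize(m["qname"]), m["qtype"]))
    return hits


def clients_to_investigate(log_text: str, watched=WATCHED_HOSTNAMES) -> list[str]:
    """Sorted, de-duplicated source addresses that asked for a watched name."""
    return sorted({h.client for h in find_hits(log_text, watched)})


if __name__ == "__main__":
    for h in find_hits(SAMPLE_DNS_LOG):
        print(f"{h.timestamp} {h.client} -> {h.qname} ({h.qtype})")
    print("investigate:", clients_to_investigate(SAMPLE_DNS_LOG))
```

On the sample input the scan flags the two clients that queried the watched name (one with mixed case, one with a trailing dot) and ignores the unrelated "update.3322.org" lookup, which is not the name the bulletin identifies. In practice the same functions can be run over a resolver's real query log, and a hit is a trigger to pull the client for examination, not proof of infection on its own.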
  • (3) CRITICAL: AWStats Remote Code Execution
  • Affected: AWStats version 6.5 and prior
  • Description: AWStats is a popular log-analysis tool for web servers. AWStats can be configured to generate static reports at intervals, or can be called interactively via a CGI interface. When configured to run as a CGI script, AWStats suffers from a remote code execution vulnerability by failing to properly validate certain parameters. A simple workaround would be to block access to AWStats pages from the Internet. Vulnerabilities in AWStats have been used in the past to facilitate worms such as the Linux Lupper worm.

  • Status: AWStats confirmed, update available.

  • References:
  • (4) CRITICAL: Cyrus imapd Remote Buffer Overflow
  • Affected: Cyrus imapd version 2.3.2 and prior
  • Description: Cyrus imapd is a popular IMAP (Internet Message Access Protocol) mail server maintained by Project Cyrus at Carnegie Mellon University. Recent versions of the software suffer from a remote buffer overflow vulnerability. A specially-crafted IMAP request can trigger this buffer overflow and can result in malicious code injection. Note that the imapd "popsubfolders" option must be enabled for a server to be vulnerable. This option is not enabled by default, but is commonly enabled after installation to allow POP users subfolder access (normally only available via IMAP). Technical details and a proof-of-concept exploit are known to be in the wild. Note that the attacker need not be authenticated to exploit this vulnerability.

  • Status: Project Cyrus has not confirmed, no updates are available.

  • References:
  • (5) MODERATE: Sender Policy Framework Library Remote Format String Vulnerability
  • Affected: libspf version 1.0.0-p5
  • Description: The libspf library is an implementation of the Sender Policy Framework. The Sender Policy Framework is a DNS-based system to reduce unsolicited email ("spam") by verifying the servers authorized to send email for a given DNS domain. This library is widely deployed on many email servers. Multiple vulnerabilities have been discovered in this library, allowing an attacker to execute arbitrary code on a vulnerable server by specifying a specially-crafted email address or domain name. Note that only servers running with debugging enabled are vulnerable.

  • Status: libspf confirmed, patch released.

  • References:
  • (6) MODERATE: Nagios CGI Interface Remote Integer Overflow
  • Affected: Nagios version 1.4.1 and prior
    • Nagios version 2.3.1 and prior
  • Description: Nagios is a popular Open Source network and host monitoring system. Nagios uses CGI scripts to provide a web-based interface for monitoring information. These scripts are the primary way to access Nagios's reports and monitoring information. These scripts are commonly configured with a minimum of access control. Several scripts fail to properly validate HTTP "Content-Length" headers, allowing attackers to exploit an integer overflow vulnerability and execute code with the privileges of the webserver user. Please note that this is a different vulnerability from the one disclosed in @RISK Volume 5, Number 18.

  • Status: Nagios confirmed, updates available.

  • Council Site Actions: Only two of the reporting council sites are using the affected software, but on a very small number of systems. Both plan to update their systems during the next regularly scheduled system update process.

  • References:
Other Software
  • (7) MODERATE: Multiple libextractor Heap Overflows
  • Affected: libextractor version 0.5.13 and prior
  • Description: The libextractor library is used to extract file-specific metadata from a variety of file formats. It is used in several popular open source and free software systems, including the Doodle file-indexing system and the GNUnet file-sharing program. Buffer overflow vulnerabilities have been discovered in the "asfextractor" and "qtextractor" plugins, used to analyze Microsoft ASF and Apple QuickTime media files, respectively. By tricking a user into accessing a specially-crafted ASF or QuickTime file, an attacker could execute arbitrary code on the victim's system. Technical details of this vulnerability have been posted. Note that, depending on configuration, no user interaction beyond simply downloading the file may be necessary.

  • Status: Vendor confirmed, patch released.

  • Council Site Actions: Only one of the reporting council sites is using the affected software and only on a few dozen systems which are not supported by their central IT department. Most of these systems already have the appropriate update.

  • References:
PART II - Weekly Comprehensive List of Newly-Discovered Vulnerabilities
Week 20, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5016 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.20.1 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Microsoft Word Unspecified Remote Code Execution
  • Description: Microsoft Word is prone to an unspecified remote code execution vulnerability. The cause of this issue is currently unknown. This issue is being actively exploited in the wild to place a backdoor named Backdoor.Ginwui on targeted computers through a trojan named Trojan.Mdropper.H. Microsoft Word versions 2003 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18037

  • 06.20.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FileZilla Client Unspecified Remote Buffer Overflow
  • Description: FileZilla is an FTP client and server suite. It is affected by a buffer overflow issue due to the failure of the application to properly bounds check user-supplied input prior to copying it to memory buffers. FileZilla versions prior to 2.2.23 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/17972

  • 06.20.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RealVNC Remote Authentication Bypass
  • Description: RealVNC is susceptible to an authentication bypass vulnerability. This issue is due to a flaw in the authentication process of the affected package. It allows remote attackers to gain full control of the VNC server session. RealVNC version 4.1.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17978

  • 06.20.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Pragma FortressSSH SSH_MSG_KEXINIT Remote Buffer Overflow
  • Description: FortressSSH is an SSH server for Microsoft Windows. A remote buffer overflow vulnerability exists in FortressSSH. The source of the vulnerability is insufficient bounds checking of data supplied in "SSH_MSG_KEXINIT" messages by a client. Version 4.0.7.20 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/17991

  • 06.20.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Caucho Resin Remote Directory Traversal
  • Description: Caucho Resin is a servlet and JSP server. It is prone to a remote directory traversal vulnerability due to the application's failure to sanitize user-supplied input containing directory traversal sequences. Caucho Resin versions 3.0.17 and 3.0.18 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18005

  • 06.20.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ipswitch WhatsUp Professional 2006 Authentication Bypass
  • Description: Ipswitch WhatsUp Professional 2006 is a network monitoring and management application. It is affected by an authentication bypass issue in the "ApplicationContext.prototype.ValidateUser()" function of the "NmConsole/StandardIncludes/ApplicationContext.inc" source file. The function improperly uses HTTP request header data, which can be easily spoofed, to determine if a remote user is connecting via a trusted console. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18019

  • 06.20.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Novell eDirectory Server Unspecified iMonitor Buffer Overflow
  • Description: eDirectory is a directory server software package distributed by Novell. It is prone to a buffer overflow issue which could lead to arbitrary code execution. iMonitor version 2.4 is affected.
  • Ref: http://www.securityfocus.com/bid/18026

  • 06.20.8 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Multiple SCTP Remote Denial of Service Vulnerabilities
  • Description: The Linux kernel SCTP module is affected by multiple denial of service issues which are triggered when the kernel handles unexpected SCTP packets. Linux kernel version 2.6.16 is affected.
  • Ref: http://www.securityfocus.com/bid/17955

  • 06.20.9 - CVE: Not Available
  • Platform: BSD
  • Title: NetBSD Audiosetinfo IOCTL Local Denial of Service
  • Description: NetBSD is prone to a local denial of service vulnerability. The problem occurs if the filter list is modified by "audiosetinfo ioctl" while "audio_write()" is running. NetBSD version 3.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17999

  • 06.20.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun N1 System Manager Local Password Disclosure
  • Description: Sun N1 is a suite of applications that automates lifecycle management and grid services for servers and applications. It is vulnerable to password disclosure due to insecure permissions associated with unspecified scripts. Sun N1 System Manager version 1.1 for Solaris 10 is vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102024-1&searchclause

  • 06.20.11 - CVE: Not Available
  • Platform: Unix
  • Title: Quagga BGPD Local Denial of Service
  • Description: Quagga is a suite of routing applications written for multiple Unix platforms. The application is exposed to a denial of service condition when the "sh ip bgp" command is executed. Quagga BGPD version 0.98.3 is affected.
  • Ref: http://www.securityfocus.com/bid/17979

  • 06.20.12 - CVE: Not Available
  • Platform: Novell
  • Title: Novell NetWare Local Information Disclosure
  • Description: Novell NetWare is susceptible to a local information disclosure vulnerability. This issue is due to potentially sensitive information being written to a log file on affected computers. Specifically, when a bug with the "PORTAL.NLM|groupOperationsMethod" method is triggered, information regarding the error is logged into the "abend.log" file. The information included in the log file includes usernames and passwords in cleartext form. Novell NetWare version 6.5 Support Pack 5 is vulnerable to this issue.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?2973698.htm

  • 06.20.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GNU Strings Denial of Service Vulnerability
  • Description: The GNU strings utility is susceptible to a denial of service vulnerability. This issue is due to a failure of the utility to properly handle crafted input files while attempting to convert the textual representation of hexadecimal strings.
  • Ref: http://www.securityfocus.com/bid/17950

  • 06.20.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor SSH Server Remote Buffer Overflow Vulnerabilities
  • Description: wodSSHServer is an ActiveX component providing an SSH server implementation. Multiple SSH server implementations are prone to a remote buffer overflow issue because the application fails to perform boundary checks before copying user-supplied data into finite sized process buffers. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17958

  • 06.20.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GNUnet Empty UDP Datagram Remote Denial of Service
  • Description: GNUnet is a framework for secure peer to peer networking that does not use any centralized or otherwise trusted services. A denial of service vulnerability affects GNUnet. The problem occurs during the handling of empty (zero bytes) UDP datagrams. GNUnet versions 0.7.0d and SVN revision 2780 are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/17980

  • 06.20.16 - CVE: CVE-2006-2426
  • Platform: Cross Platform
  • Title: Sun Java Applet Font.createFont Remote Denial of Service
  • Description: Sun Java is vulnerable to a remote denial of service issue due to insufficient handling of Java applets calling the "Font.createFont" function. Sun Java JDK versions 1.4.2_11 and 1.5.0_06 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434001

  • 06.20.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Raydium Multiple Remote Buffer Overflow and Denial of Service Vulnerabilities
  • Description: Raydium is a game engine available for Linux and Microsoft Windows. It supports the creation of network based games. Raydium is susceptible to multiple remote vulnerabilities that allow remote attackers to execute arbitrary machine code in the context of affected client and server instances of games that utilize the affected game engine software. Attackers may also crash vulnerable instances.
  • Ref: http://www.securityfocus.com/archive/1/433930

  • 06.20.18 - CVE: CVE-2006-2438
  • Platform: Cross Platform
  • Title: Caucho Resin Viewfile Information Disclosure
  • Description: Caucho Technology Resin is a servlet and JSP server. It is vulnerable to an information disclosure issue due to a failure in the application to properly sanitize user-supplied input in the "contextpath" parameter. Caucho Technology Resin versions 3.0.18 and earlier are vulnerable.
  • Ref: http://www.caucho.com/products/resin/changes.xtp

  • 06.20.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LiveData ICCP Server Remote Heap Overflow
  • Description: LiveData ICCP Server is a real time middleware solution for electric power utilities and manufacturers. It is susceptible to a remote heap overflow vulnerability. The issue arises in the server's implementation of RFC 1006. LiveData ICCP Server versions prior to 5.00.035 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18010

  • 06.20.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MP3Info Unspecified Buffer Overflow
  • Description: MP3Info is a utility to modify the ID3 tags of MP3 files. It is affected by a buffer overflow issue due to insufficient sanitization of user-supplied data. MP3Info version 0.8.4 is affected.
  • Ref: http://www.securityfocus.com/bid/18016

  • 06.20.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Directory Server Authentication Bypass
  • Description: Sun Java System Directory Server is an LDAP server product. It is susceptible to an authentication bypass vulnerability. It is conjectured that incorrect authentication data for the administrative account is written during the installation process, allowing attackers to authenticate with a predictable, or possibly blank password. Sun Java System Directory Server version 5.2, and version 5.2 patchsets 2, 3 and 4 are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102345-1

  • 06.20.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: libextractor Multiple Heap Buffer Overflow Vulnerabilities
  • Description: libextractor is a library that extracts metadata from files of arbitrary type. It is affected by multiple buffer overflow vulnerabilities. An attacker exploits these issues by enticing a vulnerable user to open a malformed file using an application that employs libextractor. libextractor version 0.5.13 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18021

  • 06.20.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP sapdba Local Privilege Escalation
  • Description: SAP sapdba is an administrative utility to manage databases. It is vulnerable to a local privilege escalation issue due to an unspecified flaw in environment variable handling. SAP sapdba command for Informix versions prior to 700, and version 700 up to patch number 100 are vulnerable.
  • Ref: http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Local_Privilege_Escalation_in_SAP_sapdba_Command.pdf

  • 06.20.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FreeType LWFN Files Buffer Overflow
  • Description: FreeType is an open-source font handling library. It is prone to a buffer overflow vulnerability. This issue presents itself when FreeType tries to process malformed LWFN files. An integer overflow may occur in the "read_lwfn()" function in the "src/base/ftmac.c" source file. FreeType versions prior to 2.2.1 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/18034

  • 06.20.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun ONE and Sun Java System Error Page Cross-Site Scripting
  • Description: Sun Java System Application Server and Sun ONE Application Server are affected by a cross-site scripting issue due to a failure in the applications to properly sanitize URIs containing double quote characters. Please refer to the referenced link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/18035

  • 06.20.26 - CVE: CVE-2006-2351, CVE-2006-2352, CVE-2006-2353, CVE-2006-2354, CVE-2006-2355, CVE-2006-2356, CVE-2006-2357
  • Platform: Web Application - Cross Site Scripting
  • Title: Ipswitch WhatsUp Professional Multiple Input Validation Vulnerabilities
  • Description: WhatsUp Professional is a server monitoring application implemented in ASP. The application is prone to multiple input validation vulnerabilities because it fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/433808

  • 06.20.27 - CVE: CVE-2006-2358
  • Platform: Web Application - Cross Site Scripting
  • Title: Web-Labs CMS Multiple Cross-Site Scripting Vulnerabilities
  • Description: Web-Labs CMS is a web-based content management system implemented in ASP. It is prone to multiple cross-site scripting vulnerabilities.
  • Ref: http://www.securityfocus.com/bid/17956

  • 06.20.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyAdmin Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpMyAdmin is a web-based administration interface for MySQL databases. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "theme" and "db" parameters of the "index.php" script. phpMyAdmin versions prior to 2.8.0.4 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17973

  • 06.20.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpODP ODP.PHP Cross-Site Scripting
  • Description: phpODP is affected by a cross-site scripting issue due to insufficient sanitization of the "browse" parameter of the "odp.php" script. phpODP version 1.5h is affected.
  • Ref: http://www.securityfocus.com/bid/17976

  • 06.20.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Confixx Index.PHP Cross-Site Scripting
  • Description: Confixx is a web-based control panel application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "login" parameter of the "index.php" script. Confixx versions 3.1.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17984

  • 06.20.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPRemoteView PRV.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHPRemoteView is a web-based file transfer application. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "f", "d" and "ref" parameters of the "PRV.php" script. All versions of PHPRemoteView are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17994

  • 06.20.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Sphider Search.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: Sphider is a web spider and search engine. Insufficient sanitization of the "category" parameter in the "search.php" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17997

  • 06.20.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IceWarp Universal WebMail PHPSESSID Parameter Cross-Site Scripting
  • Description: IceWarp Universal WebMail is a web-based interface to allow users to send and receive email messages using a third party mail server. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the "PHPSESSID" parameter when submitted to the "index.html" script.
  • Ref: http://www.securityfocus.com/archive/1/434121

  • 06.20.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: BoastMachine Admin.PHP Cross-Site Scripting
  • Description: BoastMachine is a web-based forum application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "admin.php" script. BoastMachine version 3.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/18012

  • 06.20.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Open Wiki OW.ASP Cross-Site Scripting
  • Description: Open Wiki is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "p" parameter of the "ow.asp" script. Open Wiki version 0.78 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434295

  • 06.20.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ASPBB Multiple Cross-Site Scripting Vulnerabilities
  • Description: ASPBB is web-based bulletin board software. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "action" parameter of the "default.asp" script and the "get" parameter of the "profila.asp" script. ASPBB version 0.5.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/18025

  • 06.20.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: e107 SQL Injection
  • Description: e107 is a content management application. Insufficient sanitization of the "class2.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17966

  • 06.20.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Chirpy! Multiple Unspecified SQL Injection Vulnerabilities
  • Description: Chirpy! is an online quote management system. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query. Chirpy! version 0.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17957

  • 06.20.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: YapBB Find.PHP SQL Injection
  • Description: YapBB is a bulletin board application. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "userID" parameter of the "find.php" script. YapBB versions 1.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17988

  • 06.20.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DeluxeBB SQL Injection
  • Description: DeluxeBB is a web-based bulletin-board application. It is vulnerable to an SQL injection issue due to insufficient sanitization of the user-supplied cookie data to the "name" parameter of the "misc.php" script. DeluxeBB version 1.06 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434040

  • 06.20.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AZBoard List.ASP SQL Injection
  • Description: AZBoard is a web-based bulletin board application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied data to the "cate" and "searchstring" parameters of the "list.asp" script. AZBoard versions 1.0 and earlier are vulnerable.
  • Ref: http://user.chol.com/~jyj9782/sec/azboard_advisory.txt

  • 06.20.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Fusion Srch_Where Parameter SQL Injection
  • Description: PHP-Fusion is a website management application, implemented in PHP. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "srch_where" parameter of the "messages.php" script.
  • Ref: http://retrogod.altervista.org/phpfusion_600306_sql.html

  • 06.20.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Hitachi EUR Unspecified SQL Injection
  • Description: Hitachi EUR is a set of end user reporting applications. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to an unspecified parameter. Hitachi EUR versions 05-06 and earlier are vulnerable.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS06-010_e/index-e.html

  • 06.20.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Cosmoshop Lshop.CGI SQL Injection
  • Description: Cosmoshop is a commercial shopping cart system. Insufficient sanitization of the "artnum" parameter of the "lshop.cgi" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18024

  • 06.20.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CodeAvalanche News Default.ASP SQL Injection
  • Description: CodeAvalanche News is a web-based news publishing application. Insufficient sanitization of the "password" parameter of the "Admin/default.asp" script exposes the application to an SQL injection issue. CodeAvalanche News version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/18016

  • 06.20.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Pixaria PopPhoto CFG[popphoto_base_path] Parameter Remote File Include
  • Description: PopPhoto is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "cfg[popphoto_base_path]" parameter of the "resources/includes/popp.config.loader.inc.php" script. This issue affects PopPhoto version 3.5.4.
  • Ref: http://www.securityfocus.com/bid/17970

  • 06.20.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Foing Multiple Remote File Include Vulnerabilities
  • Description: Foing is an mp3 portal application. It is affected by multiple remote file include issues due to a failure to sanitize user-supplied input to the "phpbb_root_path" parameter. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/17963

  • 06.20.48 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Unauthorized HTTP Proxy
  • Description: phpBB is a web-based bulletin board application. It is prone to a vulnerability that could permit it to become an unauthorized HTTP proxy. This issue is due to insufficient sanitization of user-supplied input to the "avatarurl" parameter in "usercp_avatar.php". phpBB version 2.0.20 is affected.
  • Ref: http://www.securityfocus.com/bid/17965

  • 06.20.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Gphotos Multiple Input Validation Vulnerabilities
  • Description: Gphotos is a web-based image gallery application. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. Gphotos versions 1.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17967

  • 06.20.50 - CVE: Not Available
  • Platform: Web Application
  • Title: PSY Auction Multiple Input Validation Vulnerabilities
  • Description: PSY Auction is web-based auction software. It is vulnerable to multiple input validation issues because the application fails to properly sanitize user-supplied input to the "email_request.php" and "item.php" scripts. All versions of PSY Auction are vulnerable.
  • Ref: http://www.securityfocus.com/bid/17974/info

  • 06.20.51 - CVE: Not Available
  • Platform: Web Application
  • Title: RadLance popup.php Local File Include
  • Description: RadLance is a web-based auction script. It is vulnerable to a local file include issue due to insufficient sanitization of user-supplied input to the "read" parameter of the "popup.php" script. RadLance Gold version 7.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/17975/info

  • 06.20.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Php Blue Dragon CMS VSDragonRootPath Parameter Remote File Include
  • Description: Php Blue Dragon CMS is a web-based content management system implemented in PHP. Php Blue Dragon CMS is prone to a remote file include vulnerability. This issue affects Php Blue Dragon CMS version 2.8.0.
  • Ref: http://www.securityfocus.com/bid/17977

  • 06.20.53 - CVE: Not Available
  • Platform: Web Application
  • Title: BEA WebLogic Multiple Vulnerabilities
  • Description: BEA WebLogic Platform is an enterprise application server. BEA released several advisories identifying various vulnerabilities. See the referenced link for further details.
  • Ref: http://dev2dev.bea.com/pub/advisory/195

  • 06.20.54 - CVE: Not Available
  • Platform: Web Application
  • Title: MonoChat HTML Injection
  • Description: MonoChat is a web-based chat application. Insufficient sanitization of user-supplied input to the "monochat_form.php3" script exposes the application to an HTML injection issue. MonoChat version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17983

  • 06.20.55 - CVE: Not Available
  • Platform: Web Application
  • Title: DUware DUbanner Arbitrary File Upload
  • Description: DUbanner is a web-based banner management application. Insufficient sanitization of user-supplied input to the "add.asp" script exposes the application to an arbitrary file upload issue. DUbanner version 3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/17993

  • 06.20.56 - CVE: Not Available
  • Platform: Web Application
  • Title: EZUserManager EZusermanager_pwd_forgott.PHP Remote File Include
  • Description: EZUserManager is a webserver administration application. It is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "ezUserManager_Path" parameter of the "ezusermanager_pwd_forgott.php" script. EZUserManager versions 1.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/17998

  • 06.20.57 - CVE: Not Available
  • Platform: Web Application
  • Title: NewsPortal Remote PHP Script Code Injection
  • Description: NewsPortal is a web-based NNTP application. It is vulnerable to a remote PHP code injection issue due to an unspecified flaw in the "extras/poll/poll.php" script. NewsPortal version 0.36 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434122

  • 06.20.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Sugar Suite Open Source Multiple Remote and Local File Include Vulnerabilities
  • Description: Sugar Suite Open Source is a customer service and relations application. It is vulnerable to multiple remote and local file include issues in various scripts. Sugar Suite Open Source versions 4.2 and earlier are vulnerable. See the referenced link for details.
  • Ref: http://www.securityfocus.com/archive/1/434009

  • 06.20.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Lighthouse Development Squirrelcart Cart_Content.PHP Remote File Include
  • Description: Squirrelcart is a shopping cart application. Insufficient sanitization of the "cart_isp_root" parameter of the "cart_content.php" script exposes the application to a remote file include issue. Squirrelcart version 2.2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/17992

  • 06.20.60 - CVE: CVE-2006-1039
  • Platform: Web Application
  • Title: SAP Web Application Server Input Validation
  • Description: SAP Web Application Server is a platform for developing and implementing web applications. It is vulnerable to an input validation issue due to insufficient sanitization of user-supplied input in request URIs. SAP Web Application Server versions 7.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434148

  • 06.20.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Quezza BB Class_template.PHP Remote File Include
  • Description: Quezza BB is a web-based bulletin board application. It is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "quezza_root_path" parameter of "class_template.php". Quezza BB version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18011

  • 06.20.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Snitz Forums Avatar Mod Arbitrary File Upload
  • Description: Avatar MOD is a plugin module for Snitz Forums that enables portal administrators to upload avatar images. Avatar Mod is prone to an arbitrary file upload vulnerability. This issue is due to a failure in the application to properly enforce filename restrictions. Through use of NULL byte characters an attacker can bypass file restrictions to upload arbitrary ASP files. This issue affects version 1.3.
  • Ref: http://www.securityfocus.com/archive/1/434366

  • 06.20.63 - CVE: Not Available
  • Platform: Web Application
  • Title: ScozNet ScozNews Multiple Remote File Include Vulnerabilities
  • Description: ScozNews is a web-based news script. It is prone to multiple remote file include vulnerabilities because the application fails to properly sanitize user-supplied input to the "CONFIG[main_path]" parameter of multiple scripts. ScozNews version 1.2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/18027

  • 06.20.64 - CVE: Not Available
  • Platform: Web Application
  • Title: FCKeditor Arbitrary File Upload
  • Description: FCKeditor is an online text/DHTML editor. It is vulnerable to an arbitrary file upload issue when an invalid value is supplied for the "Type" parameter of the "editor/filemanager/upload/php/upload.php" script. FCKeditor version 2.2 is vulnerable.
  • Ref: http://www.fckeditor.net/whatsnew/default.html

  • 06.20.65 - CVE: Not Available
  • Platform: Web Application
  • Title: CodeAvalanche News Add_News.ASP HTML Injection
  • Description: CodeAvalanche News is a web-based news publishing application. It is prone to an HTML injection vulnerability because user-supplied input to the "Headline" field of "add_news.asp" is not properly sanitized.
  • Ref: http://www.securityfocus.com/bid/18032

  • 06.20.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Multiple Arbitrary PHP Code Execution Vulnerabilities
  • Description: Invision Power Board is web forum software. Insufficient sanitization of user-supplied input exposes the application to multiple code execution issues. Invision Power Board versions 2.1.6 and 2.0.4 are affected.
  • Ref: http://www.securityfocus.com/bid/18040

  • 06.20.67 - CVE: Not Available
  • Platform: Network Device
  • Title: Mobotix IP Camera Multiple Cross-Site Scripting Vulnerabilities
  • Description: The Mobotix IP Camera is a network CCTV and webcam device. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various scripts. Mobotix IP Camera M10 version 2.0.5.2 and Mobotix IP Camera M1 version 1.9.4.7 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434289

  • 06.20.68 - CVE: Not Available
  • Platform: Hardware
  • Title: AdderLink IP Vulnerability
  • Description: AdderLink IP is a KVM Switch hardware device. It is reportedly prone to an unspecified security vulnerability in the VNC functionality. Adder Technology AdderLink IP Firmware version 3.3 is affected.
  • Ref: http://www.securityfocus.com/bid/18001

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.