@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 23
June 12, 2006

A moderately quiet week - though the VOIP vulnerability (#1 below) reminds us of the dark side of moving telephony to the Internet. It's also another big week for cross-site scripting, SQL injection, and file include vulnerability discoveries - nearly forty this week alone. Alan

PS Save $150 on SANSFIRE (Washington DC, July 5-12) if you get your registration in this Wednesday (June 14)

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Other Microsoft Products                  2
    Third Party Windows Apps                  4 (#5)
    Linux                                     1
    Solaris                                   1
    Unix                                      4 (#1)
    Cross Platform                            7 (#2, #3, #4, #7)
    Web Application - Cross Site Scripting    19
    Web Application - SQL Injection           13
    Web Application                           33 (#6)
    Network Device                            2

**************** SPONSORED BY SANS SPECIAL COURSES **********************

Like gold hidden in rocks, a number of surprising security assets have been discovered hiding in log data - in logs you might not be keeping. More than a dozen users from banks, hospitals, manufacturers, and government will be sharing their discoveries at the Log Management Summit July 12-14 in Washington, DC. And in the same hotel, you can attend any of 16 SANS immersion training courses, taught by the world's best instructors. You'll also be allowed to attend insider briefings on new developments in malware and other security innovations. That's SANSFIRE 2006, July 5-12.

-- Log Management Summit information: http://www.sans.org/logmgtsummit06

-- SANSFIRE 2006 information: http://www.sans.org/sansfire06

-- Schedule for all SANS courses: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Solaris
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

************************* SPONSORED LINK ********************************

1) Do you know what your privileged users are doing? We do. Learn more at http://www.sans.org/info.php?id=1189

************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar and Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Asterisk PBX Video Frame Handling Vulnerability
  • Affected:
    • Asterisk PBX version 1.2.8 and prior
    • Asterisk PBX version 1.0.10 and prior
  • Description: Asterisk is an open-source PBX server for UNIX-based systems and is deployed for VoIP services in organizations ranging from small and medium businesses to large enterprises. Asterisk contains a vulnerability in its handling of the IAX2 protocol (Inter-Asterisk Exchange protocol) that can be triggered by specially crafted video frames. An attacker can exploit the flaw via specially crafted UDP packets sent to port 4569/udp to execute arbitrary code on the Asterisk server. The technical details required to craft an exploit have been publicly posted.

  • Status: Asterisk confirmed, upgrade to version 1.2.9 and 1.0.11.

  • References:
  • (2) MODERATE: Apache SpamAssassin Remote Code Execution
  • Affected:
    • SpamAssassin versions 2.5x, 2.6x, 3.0.x, 3.1.x
  • Description: SpamAssassin, a popular open-source spam detection engine, contains a remote code execution vulnerability. The flaw can be triggered by sending a specially-crafted e-mail message, and can be exploited to execute arbitrary commands with the privileges of the SpamAssassin daemon (spamd). However, the vulnerability exists only when the spamd daemon has been started with the "vpopmail (-v)" and "paranoid (-p)" options. The "vpopmail" option is typically used in virtual mail hosting environments to operate the SpamAssassin daemon with individual user preferences. The "paranoid" option is used to validate commands from the SpamAssassin clients; invalid commands cause operational faults in the daemon. Although in common installations neither option is enabled by default, "vpopmail" is generally enabled on large mail hosting sites with many virtual users. Note that when SpamAssassin is configured to run with both of these options, no user interaction is required to exploit the flaw.

  • Status: SpamAssassin has released fixed versions 3.1.3 and 3.0.6.

  • Council Site Actions: Only one of the reporting council sites is using the affected software. They rely heavily on SpamAssassin for their central and departmental mail systems; however, they believe it would be very unlikely for any of their installations to have the daemon options needed for exploitation.

  • References:
  • (3) LOW: MySQL Mysql_real_escape SQL Injection
  • Affected: MySQL packages prior to version 4.1.20
  • Description: The MySQL "Mysql_real_escape" function contains a SQL injection vulnerability. This function is used to ensure that strings are properly escaped in SQL requests. However, in certain multibyte encoding schemes (such as SJIS, BIG5, and GBK), it is still possible to inject SQL commands into requests to a MySQL server via this function. Note that encodings like BIG5 are commonly used in Asian languages.

  • Status: MySQL has released a fixed version 4.1.20. A possible workaround for vulnerable versions is to set the "NO_BACKSLASH_ESCAPES" server parameter. This will enable strict SQL compatibility mode, which will cause the server to treat backslashes as normal characters. Note that this workaround is acceptable only if backslashes are acceptable in the stored data.

  • Council Site Actions: Several of the reporting council sites are using the affected software. Two of them plan to distribute the patches during their next regularly scheduled system update cycle. The third site is still assessing whether their deployment is vulnerable to exploitation.

  • References:
  • (4) LOW: Multiple Browsers Arbitrary File Upload Vulnerability
  • Affected: All Mozilla-based web browsers and Microsoft Internet Explorer
  • Description: Multiple web browsers contain an implementation flaw in the handling of certain JavaScript constructs. By tricking a user into typing a file name in a form, a specially-crafted webpage can read any file that is accessible to the user. Hence, the vulnerability can be used to steal sensitive information from the user's system. The problem arises due to input-focus-management in the file upload dialog windows. Exploit code has been publicly posted.

  • Status: Vendors are aware of the flaw, no updates available.

  • Council Site Actions: All of the reporting council sites are waiting for IE patches from Microsoft. The council sites that are also using Firefox/Mozilla will be updated via the automatic update facility. One site commented that they rated this as a low risk because of the requirement for the end user to enter text.

  • References:
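Item (3) above turns on one point worth seeing in code: escaping a string literal byte by byte is only correct when every byte of the connection charset is a single character, and in multibyte charsets such as SJIS, BIG5 and GBK a trail byte can be 0x5C, the same value as ASCII backslash. The following Python is an added example written for this bulletin; it is not code from SANS, TippingPoint or MySQL. It assumes the application knows the charset of its database connection and passes it to the helpers, and it uses Shift_JIS, which the item names, for a constructed sample. It contrasts a charset-unaware escaper (which corrupts a valid two-byte character) with one that decodes strictly in the connection charset before escaping, rejecting malformed input. Parameterized queries remain the preferable fix; this shows why escaping must at least be charset-aware when it is used.

```python
"""Charset-aware escaping for MySQL-style string literals (added example).

Not code from the @RISK bulletin or from MySQL. Assumes the application knows
the connection character set and passes it as `charset`.
"""

# Characters mysql_real_escape_string() rewrites, with their escaped forms.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# The same table keyed by byte value, for the charset-unaware escaper below.
_NAIVE_ESCAPES = {ord(k): v.encode("ascii") for k, v in _ESCAPES.items()}


def naive_escape(raw: bytes) -> bytes:
    """Byte-oriented escaping that ignores the connection charset.

    This is the pattern the bulletin calls unsafe for multibyte charsets: a
    0x5C byte that is really the trail byte of a two-byte character is treated
    as a backslash and doubled, which changes the decoded content.
    """
    return b"".join(_NAIVE_ESCAPES.get(b, bytes([b])) for b in raw)


def escape_literal(raw: bytes, charset: str) -> bytes:
    """Escape `raw` after decoding it strictly in the connection charset.

    Working on decoded characters means an escape byte can never land inside
    a multibyte sequence, and malformed input raises UnicodeDecodeError
    instead of passing through.
    """
    text = raw.decode(charset, errors="strict")
    return "".join(_ESCAPES.get(ch, ch) for ch in text).encode(charset)


def quote_literal(raw: bytes, charset: str) -> bytes:
    """Return a single-quoted literal ready to splice into a query."""
    return b"'" + escape_literal(raw, charset) + b"'"


def is_well_formed(raw: bytes, charset: str) -> bool:
    """True if `raw` is a complete, valid byte sequence in `charset`."""
    try:
        raw.decode(charset, errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def demo() -> dict:
    """Run both escapers on constructed Shift_JIS input.

    Katakana 'ソ' is 0x83 0x5C in Shift_JIS: its trail byte equals ASCII '\\'.
    """
    so = "ソ".encode("shift_jis")           # b"\x83\x5c", constructed sample
    name = "O'Reilly".encode("shift_jis")   # ASCII-range text containing a quote
    return {
        # naive escaper doubles the trail byte: decodes as 'ソ' plus a stray backslash
        "naive_so": naive_escape(so).decode("shift_jis"),
        # charset-aware escaper leaves the character intact
        "aware_so": escape_literal(so, "shift_jis").decode("shift_jis"),
        "aware_quote": quote_literal(name, "shift_jis"),
        # a lone lead byte is rejected rather than escaped
        "truncated_ok": is_well_formed(so[:1], "shift_jis"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The stray backslash that `naive_escape` introduces is exactly the class of defect behind the item: the escaper's output no longer means what the caller thinks it means once the server interprets it in a multibyte charset. `escape_literal` closes that gap by tying escaping to the declared charset, and `is_well_formed` gives an input check that can be applied before any literal is built.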
Other Software
  • (5) CRITICAL: Qbik WinGate WWW Proxy Server Request Buffer Overflow
  • Affected: WinGate 6.1.2.1094 and prior
  • Description: Qbik WinGate, a popular HTTP proxy server, contains a buffer overflow vulnerability. The overflow can be triggered by specifying an overly-long URL in an HTTP request and exploited to execute arbitrary code. Exploit code for this vulnerability is publicly available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (7) MODERATE: TIBCO Administrative Interface Buffer Overflow
  • Affected:
    • Rendezvous versions prior to 7.5.1
    • Runtime Agent versions prior to 5.4
    • Hawk versions prior to 4.6.1
  • Description: A vulnerability has been discovered in multiple TIBCO products, including the Rendezvous, Runtime Agent, and Hawk products. These products are used for monitoring and reporting network status. A specially-crafted request can allow an attacker to execute arbitrary code with the privileges of the TIBCO administrative user.

  • Status: Vendor confirmed, updates available. Users are advised to limit access to the TIBCO administrative interface, which is often configured to run on port 80.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5026 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.23.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Frameset Denial of Service
  • Description: Microsoft Internet Explorer is vulnerable to a denial of service issue due to insufficient handling of pages containing "frameset" tags, along with "self.resizeTo" method calls with excessively large arguments. Microsoft Internet Explorer versions 6 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434742

  • 06.23.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: NetMeeting Memory Corruption Denial of Service
  • Description: Microsoft NetMeeting is a network collaboration application. It is vulnerable to a memory corruption denial of service issue due to insufficient handling of malformed network traffic. Microsoft NetMeeting version 3.01 is vulnerable.
  • Ref: http://www.hexview.com/docs/20060606-1.txt

  • 06.23.3 - CVE: CVE-2006-2856
  • Platform: Third Party Windows Apps
  • Title: ActiveState ActivePerl Local Privilege Escalation
  • Description: ActiveState ActivePerl is vulnerable to a local privilege escalation issue due to incorrectly creating permissions on a directory that allow all local users to create files in it. ActivePerl for Windows version 5.8.8.817 is vulnerable.
  • Ref: http://secunia.com/advisories/20328

  • 06.23.4 - CVE: CVE-2006-2869
  • Platform: Third Party Windows Apps
  • Title: Avast! Antivirus CHM Unpacker Unspecified Vulnerability
  • Description: The Avast! Antivirus product is an antivirus application for the Microsoft Windows platform. It is prone to an unspecified vulnerability. This issue affects the CHM unpacker in versions 4.7.827 and earlier.
  • Ref: http://www.securityfocus.com/bid/18238

  • 06.23.5 - CVE: CVE-2006-2926
  • Platform: Third Party Windows Apps
  • Title: Qbik WinGate Remote HTTP Request Buffer Overflow
  • Description: Qbik WinGate is a sharing proxy server. It is exposed to a remote buffer overflow issue due to insufficient boundary checking when receiving maliciously long packets. Qbik WinGate version 6.1.1.1077 is affected.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046646.html

  • 06.23.6 - CVE: CVE-2006-1091
  • Platform: Third Party Windows Apps
  • Title: Kaspersky Internet Security Suite Multiple Local Vulnerabilities
  • Description: Kaspersky Internet Security Suite is a personal security suite. It is vulnerable to multiple local issues including a denial of service issue. Kaspersky Internet Security Suite version 5.0 is vulnerable. See reference for further details.
  • Ref: http://www.securityfocus.com/archive/1/436440

  • 06.23.7 - CVE: CVE-2006-2193
  • Platform: Linux
  • Title: LibTIFF tiff2pdf Remote Buffer Overflow
  • Description: tiff2pdf is a conversion utility to convert TIFF files to PDF format. It is exposed to a buffer overflow issue because it fails to check the input file size. LibTIFF version 3.8.2 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=370355

  • 06.23.8 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun StorADE Local Privilege Escalation
  • Description: Sun Storage Automated Diagnostic Environment (StorADE) is a utility that enables centralized monitoring. It is affected by a privilege escalation issue when the optional "SUNWstadm" package is installed. Sun StorADE version 2.4 is affected.
  • Ref: http://www.securityfocus.com/bid/18266

  • 06.23.9 - CVE: CVE-2006-2447
  • Platform: Unix
  • Title: SpamAssassin Vpopmail and Paranoid Switches Remote Command Execution
  • Description: SpamAssassin is a mail filter designed to identify and process spam. It is vulnerable to an arbitrary command execution issue due to an error when processing a specially formatted input message when the "-v" and "-P" options are enabled. SpamAssassin versions 3.1.2 and earlier are vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2006-0543.html

  • 06.23.10 - CVE: CVE-2006-289
  • Platform: Unix
  • Title: Asterisk IAX2 Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. Asterisk is prone to a remote denial of service vulnerability. The problem occurs in the IAX2 channel driver (chan_iax2) and can be exploited to cause a denial of service in a server through use of compromised client applications.
  • Ref: http://www.securityfocus.com/archive/1/436127

  • 06.23.11 - CVE: Not Available
  • Platform: Unix
  • Title: Tor Multiple Vulnerabilities
  • Description: Tor is an implementation of second-generation Onion Routing, a connection-oriented anonymizing communication service. Tor uses the DH (Diffie-Hellman) key-exchange protocol to create ephemeral keys for encryption when communicating with servers in the Tor network. The Tor network uses random paths through the Tor routers to obscure the origin, destination, and contents of TCP-based network communication. Tor is affected by multiple vulnerabilities that can be exploited to access sensitive information, crash the affected application, and potentially gain remote access to the underlying computer.
  • Ref: http://archives.seul.org/or/announce/May-2006/msg00000.html

  • 06.23.12 - CVE: CVE-2006-2659
  • Platform: Unix
  • Title: Courier Mail Server Username Encoding Remote Denial of Service
  • Description: Courier Mail Server is an email server application. Courier Mail Server is prone to a remote denial of service vulnerability because it fails to properly handle certain usernames in email messages. This issue occurs when usernames contain the "=" character prior to an "@" character in email addresses. This triggers an infinite loop, and ultimately the consumption of CPU resources. Versions of the Courier MTA prior to 0.53.2 are vulnerable to this issue.
  • Ref: http://www.courier-mta.org/beta/patches/verp-fix/README.txt

  • 06.23.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GD Graphics Library Remote Denial of Service
  • Description: The GD Graphics Library (gdlib) is an open-source graphics library. It is affected by a denial of service issue due to the "gdImageCreateFromGifPtr()" function entering an infinite loop condition while trying to process specially crafted GIF images. GD version 2.0.33 is affected.
  • Ref: http://www.securityfocus.com/bid/18294

  • 06.23.14 - CVE: CVE-2006-2829
  • Platform: Cross Platform
  • Title: TIBCO Hawk Configuration Interface Local Buffer Overflow
  • Description: TIBCO Hawk is a network-based monitoring and management application. It is susceptible to a local buffer overflow vulnerability. Specifically, this issue is present in the "tibhawkhma" component. Attackers that can modify the configuration of this component may be able to trigger a buffer overflow, allowing them to execute arbitrary machine code with elevated privileges. TIBCO Hawk versions prior to 4.6.1 and TIBCO Runtime Agent versions prior to 5.4 are vulnerable to this issue.
  • Ref: http://www.tibco.com/resources/mk/hawk_security_advisory.txt

  • 06.23.15 - CVE: CVE-2006-2894
  • Platform: Cross Platform
  • Title: Multiple Vendor Web Browser JavaScript Key Filtering
  • Description: Multiple web browser products are vulnerable to a JavaScript key filtering issue because an attacker can trick a user into typing the characters of the target filename in a text box and use the OnKeyDown, OnKeyPress, and OnKeyUp JavaScript keystroke events to change the focus and cause those characters to be inserted into a file upload input control. Please see the reference below for further details.
  • Ref: http://www.mozilla.org/security/#Security_Alerts

  • 06.23.16 - CVE: CVE-2006-0800, CVE-2006-0801, CVE-2006-0802
  • Platform: Cross Platform
  • Title: PostNuke Multiple Input Validation Vulnerabilities
  • Description: PostNuke is a content management application, written in PHP. PostNuke is prone to multiple input validation vulnerabilities. The issues include cross-site scripting and SQL injection vulnerabilities. PostNuke version 0.76 RC2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18319

  • 06.23.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FreeType TTF File Remote Buffer Overflow
  • Description: FreeType is an open-source font-handling library. It is affected by an integer underflow issue in the "psh_blues_set_zones_0()" function of the "src/pshinter/pshglob.c" source file. FreeType versions 2.2.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18326

  • 06.23.18 - CVE: CVE-2006-2661
  • Platform: Cross Platform
  • Title: FreeType TTF File Remote Denial of Service
  • Description: FreeType is a font handling library. It is prone to a denial of service issue due to a flaw in the "base/ftutil.c" source file. FreeType versions 2.2.0 and earlier are vulnerable.
  • Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183676

  • 06.23.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GD Graphics Library Truncated GIF File Remote Denial of Service
  • Description: The GD Graphics Library is prone to a denial of service vulnerability. Attackers can trigger an infinite loop condition when the library tries to handle truncated GIF image files. This issue allows attackers to consume excessive CPU resources on computers that use the affected software. This may deny service to legitimate users. GD version 2.0.33 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18347

  • 06.23.20 - CVE: CVE-2006-2815
  • Platform: Web Application - Cross Site Scripting
  • Title: Two Shoes Mambo Factory SimpleBoard HTML Injection
  • Description: SimpleBoard is a bulletin board application to be used with Joomla CMS, implemented in PHP. The application is prone to an HTML injection vulnerability. This issue affects version 1.1.0.
  • Ref: http://www.securityfocus.com/archive/1/435615

  • 06.23.21 - CVE: CVE-2006-2851
  • Platform: Web Application - Cross Site Scripting
  • Title: dotProject Unspecified Cross-Site Scripting
  • Description: dotProject is a web-based project management application implemented in PHP. The application is prone to a cross-site scripting vulnerability.
  • Ref: http://www.securityfocus.com/bid/18275

  • 06.23.22 - CVE: CVE-2006-2850
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Labware LabWiki Recentchanges.PHP Cross-Site Scripting
  • Description: LabWiki is a web-based wiki application, implemented in PHP. The application is prone to a cross-site scripting vulnerability.
  • Ref: http://pridels.blogspot.com/2006/06/labwiki-xss-vuln.html

  • 06.23.23 - CVE: CVE-2006-2876
  • Platform: Web Application - Cross Site Scripting
  • Title: DeltaScripts PHP Pro Publish Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP Pro Publish is a web-based application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various parameters. DeltaScripts PHP Pro Publish version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/435787

  • 06.23.24 - CVE: CVE-2006-2882
  • Platform: Web Application - Cross Site Scripting
  • Title: ASPScriptz Guest Book Default.ASP Multiple Cross-Site Scripting Vulnerabilities
  • Description: ASPScriptz Guest Book is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "Name", "City", and "Country" parameters of the "default.asp" script. ASPScriptz Guest Book versions 2.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/436028

  • 06.23.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Dmx Forum Edit.PHP SQL Injection
  • Description: Dmx Forum is a web forum application. It is exposed to an SQL injection issue. This is due to insufficient sanitization of inputs to the "membre" parameter of the "edit.php" script. Dmx Forum version 2.1a is affected.
  • Ref: http://www.securityfocus.com/archive/1/435997

  • 06.23.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Labware LabWiki Search.PHP Cross-Site Scripting
  • Description: LabWiki is a web-based wiki application. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the search input field of the "search.php" script. LabWiki version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18288

  • 06.23.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PyBlosxom Contributed Packages Comments Plugin Multiple Cross-Site Scripting Vulnerabilities
  • Description: PyBlosxom is a lightweight weblog application. It is prone to multiple cross-site scripting vulnerabilities due to improper sanitization of user-supplied input to the "url" and "author" fields in the "Comments" plugin. Contributed Packages for Pyblosxom version 1.2.2 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18292

  • 06.23.28 - CVE: CVE-2006-2892
  • Platform: Web Application - Cross Site Scripting
  • Title: GANTTy Index.PHP Cross-Site Scripting
  • Description: GANTTy is a web-based project-management application, implemented in PHP. The application is prone to a cross-site scripting vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/436125

  • 06.23.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBulletinBoard Private.PHP Cross-Site Scripting
  • Description: MyBulletinBoard is a bulletin board application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "subject" parameter of the "private.php" script. MyBulletinBoard version 1.1.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/436286

  • 06.23.30 - CVE: CVE-2006-2680
  • Platform: Web Application - Cross Site Scripting
  • Title: AZ Photo Album Script Pro Cross-Site Scripting
  • Description: AZ Photo Album Script Pro is a web-based photo album application that is implemented in PHP. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/18306

  • 06.23.31 - CVE: CVE-2006-2572
  • Platform: Web Application - Cross Site Scripting
  • Title: DGbook Multiple Cross-Site Scripting Vulnerabilities
  • Description: DGbook is a web-based guest book application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "Name", "Homepage", and "Address" parameters. DGbook version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/434869

  • 06.23.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: KnowledgeTree Open Source Cross-site Scripting
  • Description: KnowledgeTree Open Source is a web-based document management system. It is prone to multiple cross-site scripting vulnerabilities due to improper sanitization of the "fSearchableText" parameter of the "/search/simpleSearch.php" script and the "fDocumentId" parameter of the "view.php" script. KnowledgeTree Open Source version 3.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/18324

  • 06.23.33 - CVE: CVE-2006-2678
  • Platform: Web Application - Cross Site Scripting
  • Title: Pre News Manager Multiple Cross-Site Scripting Vulnerabilities
  • Description: Pre News Manager is a web-based news-publishing application written in PHP. It is prone to multiple cross-site scripting vulnerabilities. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site.
  • Ref: http://www.securityfocus.com/archive/1/435020

  • 06.23.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ScriptsEZ Chemical Dictionary.PHP Cross-Site Scripting
  • Description: Chemical Dictionary is a web-based application. Insufficient sanitization of the "keyword" parameter of the "dictionary.php" script exposes the application to a cross-site scripting issue.
  • Ref: http://www.securityfocus.com/bid/18337

  • 06.23.35 - CVE: CVE-2006-2232
  • Platform: Web Application - Cross Site Scripting
  • Title: ScriptsEZ Easy Ad-Manager Details.PHP Cross-Site Scripting
  • Description: Easy Ad-Manager is a web-based application. The application is prone to a cross-site scripting vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/436413

  • 06.23.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ScriptsEZ Ez Ringtone Manager Player.PHP Cross-Site Scripting
  • Description: Ez Ringtone Manager is a web-based application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "player.php" script. All versions of Ez Ringtone Manager are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/436424

  • 06.23.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Baby Katie Media vsREAL and vSCAL Multiple Cross-Site Scripting
  • Description: vsREAL (Very Simple Realty Lister) is a web-based realty listing application. vSCAL (Very Simple CAr Lister) is a web-based application for listing cars for sale. vsREAL and vSCAL are prone to multiple cross-site scripting vulnerabilities.
  • Ref: http://www.securityfocus.com/archive/1/436411

  • 06.23.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Lucid Calendar Cal.PHP3 Cross-Site Scripting
  • Description: Lucid Calendar is a web-based calendar application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "y" parameter of the "cal.php3" script. Lucid Calendar version 0.22 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18351/info

  • 06.23.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: XUEBook Index.PHP SQL Injection
  • Description: XUEBook Guestbook is a web-based guest book. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "start" parameter of the "index.php" script. XUEBook version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18262/info

  • 06.23.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: LocazoList Classifieds Viewmsg.ASP SQL Injection
  • Description: LocazoList Classifieds is a web-based classifieds system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "msgid" parameter of the "viewmsg.asp" script. LocazoList Classifieds versions 1.05e and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/435867

  • 06.23.41 - CVE: CVE-2006-2854
  • Platform: Web Application - SQL Injection
  • Title: iBWd Guestbook Index.PHP SQL Injection
  • Description: iBWd Guestbook is a web-based guest book. iBWd Guestbook is prone to an SQL injection vulnerability. iBWd Guestbook version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18256

  • 06.23.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Particle Wiki Index.PHP SQL Injection
  • Description: Particle Wiki is a web-based wiki application. Insufficient sanitization of the "version" parameter of the "index.php" script exposes the application to an SQL injection issue. Particle Wiki version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/18273

  • 06.23.43 - CVE: CVE-2006-2889
  • Platform: Web Application - SQL Injection
  • Title: Pixelpost Multiple SQL Injection Vulnerabilities
  • Description: Pixelpost is a photoblog web application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "category" and "archivedate" parameters of the "index.php" script. Pixelpost version 1.5rc1-2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18276

  • 06.23.44 - CVE: CVE-2006-2867
  • Platform: Web Application - SQL Injection
  • Title: CoolForum Editpost.PHP SQL Injection
  • Description: CoolForum is a web forum application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "post" parameter of the "editpost.php" script. CoolForum versions 0.8.3 and earlier are vulnerable.
  • Ref: http://mgsdl.free.fr/advisories/coolforum083ba.txt

  • 06.23.45 - CVE: CVE-2006-2862
  • Platform: Web Application - SQL Injection
  • Title: Particle Gallery Viewimage.PHP SQL Injection
  • Description: Particle Gallery is a web-based gallery application. It is exposed to an SQL injection issue. This is due to insufficient sanitization of inputs to the "imageid" parameter of the "viewimage.php" script. Particle Gallery versions 1.0.0 and earlier are affected.
  • Ref: http://pridels.blogspot.com/2006/06/particle-gallery-sql-inj.html

  • 06.23.46 - CVE: CVE-2006-2875
  • Platform: Web Application - SQL Injection
  • Title: LifeType Index.PHP SQL Injection
  • Description: LifeType is a web blog application written in PHP. It is prone to an SQL injection vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/435874

  • 06.23.47 - CVE: CVE-2006-2887
  • Platform: Web Application - SQL Injection
  • Title: myNewsletter UserName SQL Injection
  • Description: myNewsletter is an email newsletter script implemented in ASP. myNewsletter is prone to an SQL-injection issue due to insufficient sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/436018

  • 06.23.48 - CVE: CVE-2006-2879
  • Platform: Web Application - SQL Injection
  • Title: Alex NewsEngine Newscomments.PHP SQL Injection
  • Description: NewsEngine is a news reader application written in PHP. NewsEngine is prone to an SQL injection vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/435988

  • 06.23.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Alex DownloadEngine Comments.PHP SQL Injection
  • Description: DownloadEngine is a web-based application. It is exposed to an SQL injection issue. This is due to insufficient sanitization of inputs to the "dlid" parameter of the "comments.php" script. Alex DownloadEngine version 1.4.1 is affected.
  • Ref: http://www.alexscriptengine.de/v2/index.php

  • 06.23.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Calendar Express Month.PHP SQL Injection
  • Description: Calendar Express is a web-based application for creating calendars. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "catid" and "cid" parameters of the "month.php" script. Calendar Express version 2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/18314

  • 06.23.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Vice Stats VS_Resource.PHP SQL Injection
  • Description: Vice Stats is a web traffic and statistics tracker. Insufficient sanitization of the "ID" parameter in the "vs_resource.php" script exposes the application to an SQL injection issue. Vice Stats version 0.5b is affected.
  • Ref: http://www.securityfocus.com/bid/18317

  • 06.23.52 - CVE: Not Available
  • Platform: Web Application
  • Title: DotClear Prepend.PHP Remote File Include
  • Description: DotClear is a web log application. Insufficient sanitization of the "blog_dc_path" variable in the "prepend.php" script exposes the application to a remote file include issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18259

  • 06.23.53 - CVE: CVE-2006-2860
  • Platform: Web Application
  • Title: WebspotBlogging Multiple Remote File Include Vulnerabilities
  • Description: WebspotBlogging is a web log application written in PHP. WebspotBlogging is prone to multiple remote file include vulnerabilities.
  • Ref: http://www.milw0rm.com/exploits/1871

  • 06.23.54 - CVE: CVE-2006-2864
  • Platform: Web Application
  • Title: BlueShoes Framework Multiple Remote File Include Vulnerabilities
  • Description: BlueShoes Framework is a content management application. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to various scripts. BlueShoes Framework version 4.6 is vulnerable.
  • Ref: http://www.milw0rm.com/exploits/1870

  • 06.23.55 - CVE: CVE-2006-2801, CVE-2006-2800
  • Platform: Web Application
  • Title: Unak CMS Multiple Input Validation Vulnerabilities
  • Description: Unak CMS is a web-based content management system. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to the "u_a" and "u_s" parameters. Unak CMS versions 1.5 RC2 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2006/06/unak-cms-vuln.html

  • 06.23.56 - CVE: CVE-2006-2865
  • Platform: Web Application
  • Title: phpBB Template.PHP Remote File Include
  • Description: phpBB is a web-based bulletin board application. It is exposed to a remote file include vulnerability due to insufficient sanitization of inputs to the "page" variable of the "template.php" script. phpBB versions 2.0.20 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/435869

  • 06.23.57 - CVE: Not Available
  • Platform: Web Application
  • Title: dotWidget CMS Multiple Remote File Include Vulnerabilities
  • Description: dotWidget CMS is a content management application. It is prone to multiple remote file include vulnerabilities due to improper sanitization of user-supplied input to the "file_path" parameter of multiple scripts. dotWidget CMS version 1.0.6 is affected.
  • Ref: http://www.securityfocus.com/bid/18258

  • 06.23.58 - CVE: CVE-2006-2831
  • Platform: Web Application
  • Title: Drupal Multiple Input Validation Vulnerabilities
  • Description: Drupal is a content management system (CMS). It is exposed to cross-site scripting, SQL injection and arbitrary file execution issues. This is due to insufficient handling of user-supplied input to various scripts. Drupal versions 4.7.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18245/references

  • 06.23.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Ashwebstudio Ashnews Multiple Remote File Include Vulnerabilities
  • Description: Ashnews is a web-based news application implemented in PHP. It is prone to multiple remote file include vulnerabilities. All current versions are affected.
  • Ref: http://www.milw0rm.com/exploits/1864

  • 06.23.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Informium Remote File Include
  • Description: Informium is a web-based news application. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "CONF[local_path]" variable of the "admin/common-menu.php" script.
  • Ref: http://www.securityfocus.com/bid/18249

  • 06.23.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Igloo Remote File Include
  • Description: Igloo is a web-based social networking application. Insufficient sanitization of the "c_node[class_path]" variable in the "Wiki.php" script exposes the application to a remote file include issue.
  • Ref: http://www.securityfocus.com/bid/18250

  • 06.23.62 - CVE: Not Available
  • Platform: Web Application
  • Title: CyBoards PHP Lite Common.PHP Remote File Include
  • Description: CyBoards PHP Lite is a web-based social-networking application. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "script_path" parameter of the "common.php" script. CyBoards PHP Lite version 1.25 is affected.
  • Ref: http://www.securityfocus.com/bid/18272

  • 06.23.63 - CVE: CVE-2006-2812
  • Platform: Web Application
  • Title: TAL RateMyPic Multiple Input Validation Vulnerabilities
  • Description: TAL RateMyPic is a photo album application, implemented in PHP. It is affected by multiple input validation vulnerabilities.
  • Ref: http://www.securityfocus.com/archive/1/435599

  • 06.23.64 - CVE: CVE-2006-2849
  • Platform: Web Application
  • Title: ByteHoard Server.PHP Remote File Include
  • Description: ByteHoard is a web-based file-upload/download application implemented in PHP. ByteHoard is prone to a remote file include vulnerability.
  • Ref: http://milw0rm.com/exploits/1860

  • 06.23.65 - CVE: CVE-2006-2899
  • Platform: Web Application
  • Title: ESTsoft InternetDisk Arbitrary File Upload and Script Execution
  • Description: ESTsoft InternetDisk is a web-based file storage application. It is exposed to arbitrary file upload and script execution issues due to improper handling of uploaded data files. ESTsoft InternetDisk versions prior to 04/20/2006 are affected.
  • Ref: http://www.securityfocus.com/archive/1/436001

  • 06.23.66 - CVE: Not Available
  • Platform: Web Application
  • Title: OSADS Alliance Database Board Comment HTML Injection
  • Description: OSADS Alliance Database is a web application for the German MMOG Space-Pioneers. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input. OSADS Alliance Database versions 1.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18288

  • 06.23.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Bookmark4U Multiple Remote File Include Vulnerabilities
  • Description: Bookmark4U is a web-based bookmark application. It is prone to multiple remote file include vulnerabilities due to improper sanitization of user-supplied input to the "env[include_prefix]" parameter of multiple scripts.
  • Ref: http://www.securityfocus.com/bid/18281

  • 06.23.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Kmita FAQ Multiple Input Validation Vulnerabilities
  • Description: Kmita FAQ is a web-based knowledge base and FAQ application. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting and SQL injection issues.
  • Ref: http://www.securityfocus.com/bid/18282

  • 06.23.69 - CVE: CVE-2006-2881
  • Platform: Web Application
  • Title: DreamAccount Auth.cookie.inc.PHP Remote File Include
  • Description: DreamAccount is a web log application written in PHP. DreamAccount is prone to a remote file include vulnerability. DreamAccount versions 3.1 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/435991

  • 06.23.70 - CVE: CVE-2006-2863
  • Platform: Web Application
  • Title: CS-Cart Class.cs_phpmailer.PHP Remote File Include
  • Description: CS-Cart is a shopping cart application. It is exposed to a remote file include vulnerability due to insufficient sanitization of inputs to the "classes_dir" variable of the "class.cs_phpmailer.php" script. CS-Cart version 1.3.3 is affected.
  • Ref: http://www.milw0rm.com/exploits/1872

  • 06.23.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Claroline Multiple Remote File Include Vulnerabilities
  • Description: Claroline is an online teaching application. It is prone to multiple remote file include vulnerabilities due to improper sanitization of user-supplied input to multiple scripts. Claroline versions 1.7.6 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18265

  • 06.23.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Weblog Oggi Index.PHP HTML Injection
  • Description: Weblog Oggi is a web log application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the "comment" field on the "index.php" page.
  • Ref: http://www.securityfocus.com/bid/18240

  • 06.23.73 - CVE: Not Available
  • Platform: Web Application
  • Title: CodeAvalanche Forum Post.ASP HTML Injection
  • Description: CodeAvalanche Forum is a web-based forum application. It is implemented in ASP. CodeAvalanche is prone to an HTML injection vulnerability.
  • Ref: http://www.securityfocus.com/bid/18239

  • 06.23.74 - CVE: CVE-2006-2803
  • Platform: Web Application
  • Title: PHP ManualMaker Multiple Input Validation Vulnerabilities
  • Description: PHP ManualMaker is a documentation generation application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. PHP ManualMaker version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/435717

  • 06.23.75 - CVE: CVE-2006-0791
  • Platform: Web Application
  • Title: DreamCost HostAdmin Multiple Remote File Include Vulnerabilities
  • Description: DreamCost HostAdmin is a web-based shopping cart and site administration tool. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to various parameters. DreamCost HostAdmin versions 3.1 and earlier are vulnerable.
  • Ref: http://www.majorsecurity.de/advisory/major_rls9.txt

  • 06.23.76 - CVE: Not Available
  • Platform: Web Application
  • Title: DokuWiki Remote PHP Script Code Injection
  • Description: DokuWiki is a web-based wiki application. Insufficient input validation in the AJAX spellchecking service script exposes the application to a remote script code injection issue.
  • Ref: http://www.securityfocus.com/bid/18289

  • 06.23.77 - CVE: CVE-2006-2888
  • Platform: Web Application
  • Title: Wikiwig WK_lang.PHP Remote File Include
  • Description: Wikiwig is a web log application. It is vulnerable to a remote file include issue because of insufficient sanitization of user-supplied input to the "WK[wkPath]" parameter of the "wk_lang.php" script. Wikiwig versions 4.1 and earlier are vulnerable.
  • Ref: http://www.milw0rm.com/exploits/1883

  • 06.23.78 - CVE: CVE-2006-2685
  • Platform: Web Application
  • Title: Basic Analysis and Security Engine Multiple Remote File Include Vulnerabilities
  • Description: Basic Analysis and Security Engine (BASE) performs analysis of intrusions reported by the Snort intrusion detection system. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "Base_path" parameter. BASE versions 1.2.4 and earlier are vulnerable.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=370576

  • 06.23.79 - CVE: Not Available
  • Platform: Web Application
  • Title: TinyPHPForum Profile.PHP Local File Include
  • Description: TinyPHPForum is a web-based forum application. It is prone to a local file include vulnerability because it fails to properly sanitize user-supplied input to the "uname" parameter of the "profile.php" script. TinyPHPForum version 3.6 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18304

  • 06.23.80 - CVE: CVE-2006-2922
  • Platform: Web Application
  • Title: MiraksGalerie Multiple Remote File Include Vulnerabilities
  • Description: MiraksGalerie is a web-based photo gallery application implemented in PHP. MiraksGalerie is prone to multiple remote file include issues due to insufficient sanitization of user-supplied input. MiraksGalerie version 2.62 is affected.
  • Ref: http://www.securityfocus.com/archive/1/436333

  • 06.23.81 - CVE: CVE-2006-2684
  • Platform: Web Application
  • Title: CMS Mundo Cross-Site Scripting
  • Description: CMS Mundo is a web-based content management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the search box parameter. CMS Mundo version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/435017

  • 06.23.82 - CVE: CVE-2006-2644
  • Platform: Web Application
  • Title: Awstats Configuration File Remote Arbitrary Command Execution
  • Description: AWstats is an application that provides statistics on server traffic. It is prone to an arbitrary command execution vulnerability. The problem occurs because the "LogFile" command does not properly sanitize user-supplied input and an attacker can control the "config_dir". An attacker with the ability to upload a configuration file can exploit this issue to inject arbitrary commands into the Perl "open()" function through use of the pipe "|" character, executing arbitrary shell commands in the context of the web server process.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=365910

  • 06.23.83 - CVE: Not Available
  • Platform: Web Application
  • Title: ScriptsEZ E-Dating System Multiple Input Validation Vulnerabilities
  • Description: E-Dating System is a web-based dating application. It is vulnerable to an HTML injection issue when sending a message and editing the profile, and a cross-site scripting vulnerability resides in the "id" parameter of the "cindex.php" script.
  • Ref: http://www.securityfocus.com/bid/18336

  • 06.23.84 - CVE: Not Available
  • Platform: Web Application
  • Title: SelectaPix Multiple Input Validation Vulnerabilities
  • Description: SelectaPix is a web-based image gallery. It is affected by multiple cross-site scripting and SQL injection issues due to insufficient sanitization of user-supplied input. SelectaPix version 1.4 has been released to fix these issues.
  • Ref: http://www.securityfocus.com/bid/18349

  • 06.23.85 - CVE: CVE-2006-2901
  • Platform: Network Device
  • Title: D-Link DWL-2100AP Information Disclosure
  • Description: D-Link DWL-2100AP devices are 802.11b/g wireless access points. They are exposed to a remote information disclosure issue. This is due to insufficient sanitization of HTTP GET requests to the "cgi-bin" directory. D-Link model DWL-2100AP is affected.
  • Ref: http://www.intruders.com.br/adv0206en.html

  • 06.23.86 - CVE: CVE-2006-2925
  • Platform: Network Device
  • Title: Ingate Firewall and SIParator Remote SSL/TLS Handshake Denial of Service
  • Description: Ingate Firewalls are hardware firewall devices that support Session Initiation Protocol (SIP). They are exposed to a remote denial of service attack. Ingate Firewall and SIParator versions 4.4.0 and earlier are vulnerable.
  • Ref: http://www.ingate.com/relnote-441.php

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.