@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 27
July 10, 2006

This week's biggest and most critical new vulnerability is one that affects VoIP and AOL Triton and other important internet services (#1 below). The software's largely unknown name, sipXtapi, belies the breadth of its use, and the vulnerability can be exploited very simply. Also at risk this week are users of Microsoft Internet Explorer, Excel and Windows Explorer (#2, #5, and #6 below).

You should now have received your program for Network Security 2006 in Las Vegas, October 1-9. It is by far the largest fall computer security conference. If you didn't get a copy, you can see it at http://www.sans.org/ns2006/

Invitations will be going out this week for the SCADA/Process Control Security Summit in Las Vegas September 28-30. This one will unveil the new security standards to be written into all SCADA and process control systems and provide in depth information about the changing threat and how the new standard procurement specs can help block attacks. To get an invitation, email scada@sans.org.

Alan

PS: At the end of this issue is a bonus section by SPI Dynamics describing the recent PayPal attack that coupled phishing with web vulnerabilities to cause a lot of pain.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                    # of Updates & Vulnerabilities
    Windows                                     2 (#2, #6)
    Microsoft Office                            1 (#5, #11)
    Other Microsoft Products                    5
    Third Party Windows Apps                    8 (#3, #4, #9)
    Mac Os                                      5
    Linux                                       4
    HP-UX                                       1
    Unix                                        3
    Cross Platform                              13 (#1, #10)
    Web Application - Cross Site Scripting      19
    Web Application - SQL Injection             13 (#8)
    Web Application                             35 (#7)
    Network Device                              1

*************** Summer Security Training Extravaganza *******************

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.

http://www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
HP-UX
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: SIPfoundry sipXtapi Buffer Overflow
  • Affected:
    • sipXtapi library versions compiled before 24-Mar-2006
    • PingTel products compiled against those versions of the library
    • AOL Triton products compiled against those versions of the library
  • Details: SIPfoundry is an international software community dedicated to accelerating the adoption of SIP (Session Initiation Protocol)-based VoIP solutions. One of SIPfoundry's products, the sipXtapi library, is used by multiple cross-platform VoIP applications. This library contains a buffer overflow that can be triggered by sending a "CSeq" SIP header field larger than 24 bytes. An attacker can exploit the flaw to execute arbitrary code with the privileges of the user running the affected application. Note that several common user applications, including AOL's Triton messaging application, are compiled using vulnerable versions of the library. Exploit code for this vulnerability has been publicly posted.
  • Status: SIPfoundry confirmed, updates available. Updates from PingTel and AOL are also available.

  • References:
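As an added example (not code from the advisory, SIPfoundry or TippingPoint), the following Python check parses the header section of a SIP message and flags any CSeq field value longer than the 24-byte limit described above, so that traffic from a proxy log or capture can be screened before it reaches an unpatched client. The sample messages are constructed for the example; the function and constant names are the example's own.

```python
import re

# Threshold from the advisory: sipXtapi builds from before 24-Mar-2006
# overflow a fixed buffer when the CSeq field value exceeds 24 bytes.
CSEQ_MAX_BYTES = 24


def parse_sip_headers(raw: bytes) -> list:
    """Return (name, value) pairs from a SIP message's header section.

    Header names are lower-cased (SIP header names are case-insensitive).
    Folded continuation lines (leading whitespace, RFC 3261 section 7.3.1)
    are joined onto the previous header. Bare LF line endings are tolerated,
    since hostile traffic rarely follows the specification.
    """
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = []
    for line in re.split(rb"\r?\n", head)[1:]:  # [0] is the request/status line
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line; ignore it
        headers.append((name.strip().lower().decode("ascii", "replace"), value.strip()))
    return headers


def check_cseq(raw: bytes) -> dict:
    """Inspect every CSeq field in one SIP message.

    'verdict' is 'oversized' when a value exceeds CSEQ_MAX_BYTES (the trigger
    condition from the advisory), 'malformed' when a value is not of the form
    "<digits> <METHOD>", 'missing' when no CSeq is present, else 'ok'. The
    longest value and its length are returned so a monitor can log them.
    """
    values = [v for n, v in parse_sip_headers(raw) if n == "cseq"]
    if not values:
        return {"verdict": "missing", "cseq": b"", "length": 0}
    longest = max(values, key=len)
    if len(longest) > CSEQ_MAX_BYTES:
        verdict = "oversized"
    elif not all(re.fullmatch(rb"\d{1,10}\s+[A-Za-z]+", v) for v in values):
        verdict = "malformed"
    else:
        verdict = "ok"
    return {"verdict": verdict, "cseq": longest, "length": len(longest)}


# Constructed sample traffic for the example (not captured data).
BENIGN_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Lower-case header name and a 37-byte value: exceeds the 24-byte limit.
OVERSIZED_CSEQ = BENIGN_INVITE.replace(
    b"CSeq: 314159 INVITE\r\n",
    b"cseq: 314159 " + b"A" * 30 + b"\r\n",
)

# Folded header: the method is on a continuation line and must be rejoined
# before measuring, or a benign message would be misreported.
FOLDED_CSEQ = BENIGN_INVITE.replace(
    b"CSeq: 314159 INVITE\r\n",
    b"CSeq: 314159\r\n INVITE\r\n",
)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_INVITE),
                       ("oversized", OVERSIZED_CSEQ),
                       ("folded", FOLDED_CSEQ)):
        print(label, check_cseq(msg))
```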
  • (2) HIGH: Internet Explorer "Internet.HHCtrl" ActiveX Heap Overflow
  • Affected:
    • Microsoft Windows XP Service Pack 2; other versions may be affected
  • Details: Internet Explorer contains a heap-based buffer overflow that can be triggered after instantiating the Windows Help and Support ActiveX control (hhctrl.ocx). The problem arises because setting the "Image" property of this ActiveX component results in a small heap overflow. A malicious web page or an HTML email may exploit the flaw to execute arbitrary code with the privileges of the logged-on user. The technical details along with a proof-of-concept have been publicly posted. This flaw was reported by a researcher who plans to release a new flaw every day for the month of July in various browsers. The researcher has also reported other DoS vulnerabilities in IE.
  • Status: Microsoft has not confirmed, no updates available. A workaround is to set the kill bit for the hhctrl.ocx ActiveX control with the following UUID: 41B23C28-488E-4E5C-ACE2-BB0BBABE99E8. Note that Windows Help and Support Center may not function properly if this kill bit is set.

  • Council Site Actions: All responding council sites are waiting on additional information from the vendor.

  • References:
  • (3) HIGH: Hosting Controller Multiple Vulnerabilities
  • Affected:
    • Hosting Controller versions prior to 6.1 Hotfix 3.1
  • Description: Hosting Controller is a popular set of hosting automation tools for Microsoft Windows-based servers. This package contains multiple remotely exploitable vulnerabilities: (a) A flaw in properly validating user-supplied input in the "Admin/Check_Password.asp" script allows any user with reseller privileges to become a site administrator. (b) Failure to properly validate user-supplied input in the "hosting/addreseller.asp" script allows authenticated users to give themselves reseller privileges, thus allowing further privilege escalation via flaw (a). (c) A failure to properly validate user-supplied input in the "Accounts/AccountActions.asp" script allows authenticated users to change the passwords of any reseller account, as well as increase the billing credit for any reseller account. All of these flaws arise because the software passes parameters from the HTTP forms without any further validation. Technical details for all of these flaws have been publicly posted.

  • Status: Hosting Controller confirmed, updates available.

  • References:
  • (4) MODERATE: WebEx Downloader Plug-In Remote Code Execution
  • Affected:
    • WebEx Downloader Plug-In version 2.0.0.7 and possibly others
  • Details: WebEx is a popular presentation, meeting, and video-conferencing solution. WebEx provides a "downloader" plug-in that is used to download the WebEx viewer application. This plug-in is installed automatically upon viewing a WebEx presentation. WebEx does not properly sanitize the values passed in the "GpcUrlRoot" and "GpcIniFileName" parameters of the downloader plug-in. An attacker can exploit this flaw to download malicious programs to a victim's computer and execute the downloaded programs with the privileges of the current user. Additionally, the Downloader Plug-In ActiveX control contains buffer overflows (more details unavailable at the moment).
  • Status: WebEx confirmed, updates available. Note that users are automatically upgraded to a non-vulnerable version upon watching a WebEx-hosted presentation.

  • Council Site Actions: Most of the council sites are using the affected software, but it is not supported by their central IT departments. Several sites plan to use SMS to remove the control from the desktops and then ask the users to reinstall if they are using WebEx. Other sites plan to take no action.

  • References:
  • (5) MODERATE: Microsoft Excel "Style" Processing Overflow (0-day)
  • Affected:
    • Microsoft Excel 2000/XP/2003 (Asian languages editions only)
  • Details: Another 0-day buffer overflow vulnerability has been reported in versions of Microsoft Excel localized into certain Asian languages (e.g. Chinese). The overflow is triggered by an Excel document with an overlong "style" string. By tricking a user into opening a specially-crafted file, an attacker could execute arbitrary code with the privileges of the logged-on user. However, user interaction is required to exploit this flaw. In the case of Excel XP and 2003, the user must repair the document using Excel's repair feature, whereas Excel 2000 requires that the user click on the "Style" option. A proof-of-concept has been publicly posted.
  • Status: Microsoft has not confirmed, no updates available.

  • Council Site Actions: Responding council sites are waiting on additional information from the vendor.

  • References:
  • (6) LOW: Microsoft Windows Explorer URL File Format Overflow
  • Affected:
    • Microsoft Windows XP/2003
  • Details: Microsoft Windows Explorer, the primary user interface shell for the Microsoft Windows operating system, is prone to a file format vulnerability during the parsing of "Internet Shortcut" (.url) files. By tricking a user into viewing a folder containing a specially-crafted shortcut file, an attacker can crash the Windows Explorer session. It is currently unknown whether code execution is possible. Note that only viewing the folder containing the shortcut file is necessary; therefore, simply placing the shortcut file on the desktop or clicking a link to a shared folder containing such a file is all that is necessary for exploitation.
  • Status: Microsoft has not confirmed, no updates available.

  • Council Site Actions: Responding council sites are waiting on additional information from the vendor.

  • References:
Other Software
  • (9) HIGH: iMBCContents ActiveX Control "Execute()" Vulnerable Method Call
  • Affected:
    • IMBC iMBCContents ActiveX Control 2.x
  • Details: The iMBCContents ActiveX control is installed with various IMBC products, including the "touch" video-on-demand service. This service is popular in Korea and southeast Asia. The ActiveX control's "Execute()" method fails to properly sanitize URLs in its arguments. By specifying a "file://" URL pointing to a path on the user's local machine, an attacker can execute arbitrary executables with the permissions of the current user. Note that no user interaction beyond viewing a malicious web page would be necessary. Only executable files already on the victim's system may be executed. Disabling access to this ActiveX control via the kill bit mechanism would also disable the associated viewing capability.
  • Status: IMBC confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary. One site commented that they have new ActiveX code installs controlled at the network perimeter.

  • References:
  • (10) MODERATE: AdPlug Multiple File-Format Parsing Vulnerabilities
  • Affected:
    • AdPlug version 2.0 and prior
  • Details: AdPlug is an open source library used for playing sounds designed to play on AdLib and Sound Blaster sound cards. It is cross-platform, and includes plugins for such popular media players as Winamp and XMMS. AdPlug fails to properly validate the sizes of various data structures in playable sound files, leading to numerous buffer-overflow conditions. By tricking a user into playing a specially-crafted sound file, an attacker could execute arbitrary code with the privileges of the current user. Technical details and a proof-of-concept exploit have been publicly posted.
  • Status: AdPlug has not confirmed, no updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 27, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5057 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.27.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Internet Explorer HHCtrl ActiveX Control Memory Corruption
  • Description: Internet Explorer is exposed to a memory corruption vulnerability. This is related to the handling of the Internet.HHCtrl image property, which results in heap memory corruption. Internet Explorer versions 6.0 SP1 and earlier are affected. Ref: http://browserfun.blogspot.com/2006/07/mobb-2-internethhctrl-image-property.html

  • 06.27.2 - CVE: Not Available
  • Platform: Windows
  • Title: Internet Explorer Structured Graphics Control Denial of Service
  • Description: Microsoft Internet Explorer is exposed to a denial of service issue. It fails to handle malicious ActiveX controls properly. This issue is triggered when an attacker convinces a victim user to activate a malicious ActiveX control. Microsoft Internet Explorer 6.0 versions SP2 and earlier are affected. Ref: http://browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html

  • 06.27.3 - CVE: CVE-2006-3059
  • Platform: Microsoft Office
  • Title: Excel Style Handling and Repair Remote Code Execution
  • Description: Microsoft Excel is vulnerable to a remote code execution issue due to insufficient handling of malformed XLS files that contain long styles. Visit the referenced link for further details.
  • Ref: http://www.securityfocus.com/bid/18872

  • 06.27.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer 7 Denial of Service
  • Description: Microsoft Internet Explorer 7 is vulnerable to a denial of service issue when parsing HTML content containing numerous nested "applet" tags. Microsoft Internet Explorer versions 7.0 beta3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438754

  • 06.27.5 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer OutlookExpress.AddressBook Denial of Service
  • Description: Internet Explorer is prone to a denial of service vulnerability. This issue occurs when the browser loads a non-ActiveX COM object. Reports indicate that the "OutlookExpress.AddressBook" COM object may be used to trigger this issue.
  • Ref: http://www.securityfocus.com/bid/18771

  • 06.27.6 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Href Title Denial of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service issue due to an error in processing an HTML "href" tag with a title that is larger than one thousand characters. Please see the attached advisory for details.
  • Ref: http://www.securityfocus.com/bid/18820/info

  • 06.27.7 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Explorer.exe Denial of Service
  • Description: Microsoft Internet Explorer is vulnerable to a denial of service issue because the application fails to handle malicious ".url" files properly while parsing the URI file. All versions of Microsoft Internet Explorer are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/439153

  • 06.27.8 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Table Frameset Denial of Service
  • Description: Internet Explorer is prone to a denial of service vulnerability. Attacker-supplied code at the attacker's site will cause Internet Explorer to create a Frameset inside a Table using the "appendChild" function. This can lead to dereferencing a NULL pointer. As a result, Internet Explorer will crash, effectively denying service to legitimate users.
  • Ref: http://www.securityfocus.com/bid/18873

  • 06.27.9 - CVE: CVE-2006-3326
  • Platform: Third Party Windows Apps
  • Title: QuickZip Multiple Directory Traversal Vulnerabilities
  • Description: QuickZip is an application for managing archives. It is vulnerable to multiple directory traversal issues due to insufficient sanitization of user-supplied input. QuickZip version 3.06.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18722

  • 06.27.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: PatchLink Update Server Arbitrary File Overwrite
  • Description: PatchLink Update Server is a patch and vulnerability management solution. It is vulnerable to a remote file overwrite issue due to insufficient sanitization of user-supplied input to the "nwupload.asp" script. PatchLink Update versions 6.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438710

  • 06.27.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Internet Explorer ADODB.Recordset Filter Property Denial of Service
  • Description: Microsoft Internet Explorer is vulnerable to a denial of service issue when the browser loads a non-ActiveX COM object. Microsoft Internet Explorer versions 6.0 SP1 and 6.0 are vulnerable. Ref: http://browserfun.blogspot.com/2006/07/mobb-1-adodbrecordset-filter-property.html

  • 06.27.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Zone Labs ZoneAlarm Registry Key Local Denial of Service
  • Description: Zone Labs ZoneAlarm Internet Security Suite is a security software package. It is exposed to a denial of service vulnerability due to a failure in the application to properly handle exceptional conditions. ZoneAlarm Security Suite versions 6.5.722 and 6.1.737 are affected. Ref: http://www.matousec.com/info/advisories/ZoneAlarm-Insufficient-protection-of-registry-key-VETFDDNT-Enum.php

  • 06.27.13 - CVE: CVE-2006-2910
  • Platform: Third Party Windows Apps
  • Title: COWON America JetAudio Audio File ID Tag Remote Buffer Overflow
  • Description: JetAudio is an audio/video player. It is vulnerable to a remote buffer overflow vulnerability when receiving excessive string values from a malicious audio file. JetAudio version 6.2.6.8330 Basic is vulnerable.
  • Ref: http://secunia.com/secunia_research/2006-45/advisory/

  • 06.27.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IMBCContents Insecure ActiveX 'Execute()' Method Code Execution
  • Description: The iMBCContents ActiveX control is an interactive component of Munhwa Broadcasting Corporation's website. It uses an insecure "Execute()" method. By using "file:" URI handler that references a local program, an attacker can execute local applications and code in the context of the user visiting a malicious web page.
  • Ref: http://www.securityfocus.com/bid/18848

  • 06.27.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RARLAB WinRAR Self-Extracting Archive Buffer Overflow
  • Description: RARLAB WinRAR is a compression utility capable of reading and writing files using several different archival formats. It is prone to a client side buffer overflow vulnerability. This issue arises when processing a malicious self extracting archive (.sfx) file having a large comment as part of the archive. WinRAR versions 3.60 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18851

  • 06.27.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WebEx ActiveX Control DLL Remote Code Execution
  • Description: WebEx is a sharing and conferencing application for Microsoft Windows. It is prone to a remote code execution vulnerability. An attacker could exploit this issue by creating a malicious web page that would initialize the WebEx ActiveX control, then download and initialize malicious DLL files. Versions 2.1.0.0 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/18860

  • 06.27.17 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X LaunchD Local Format String
  • Description: Apple Mac OS X launchd is a setuid daemon application. It is affected by a local format string issue due to a vulnerable "syslog()" function call when the daemon logs messages. Apple Mac OS X Server version 10.4.7 is not affected.
  • Ref: http://www.securityfocus.com/bid/18724/info

  • 06.27.18 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X OpenLDAP Denial of Service
  • Description: Mac OS X Open Directory Server is exposed to a denial of service issue due to a failure in the application to handle exceptional conditions. The problem occurs because the server fails to properly handle malicious ldap-bind messages. Apple Mac OS X Server versions 10.4.6 and earlier are affected.
  • Ref: http://www.info.apple.com/usen/security/security_updates.html

  • 06.27.19 - CVE: CVE-2006-1468
  • Platform: Mac Os
  • Title: Mac OS X AFP Information Disclosure
  • Description: Mac OS X is prone to an information disclosure vulnerability. This issue affects AFP, the Apple File Protocol server. Specifically, the information returned in a search can include the file and directory names for folders where the user has no access.
  • Ref: http://www.securityfocus.com/bid/18733

  • 06.27.20 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X ImageIO TIFF Images Remote Buffer Overflow
  • Description: Mac OS X is prone to a buffer overflow issue which occurs when handling malformed TIFF image files and may be exploited by remote attackers to execute arbitrary code. Apple Mac OS X version 10.4.7 is not affected.
  • Ref: http://www.securityfocus.com/bid/18731/info

  • 06.27.21 - CVE: Not Available
  • Platform: Mac Os
  • Title: Safari Web Browser DHTML SetAttributeNode() Null Dereference Denial of Service
  • Description: Apple Safari web browser is prone to a denial of service issue when parsing certain malformed DHTML elements. Apple Safari version 2.0.4 on Mac OS X 10.4.7 is affected. Ref: http://browserfun.blogspot.com/2006/07/mobb-5-dhtml-setattributenode.html

  • 06.27.22 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Netfilter Conntrack_Proto_SCTP.C Denial of Service
  • Description: The Linux kernel netfilter module is prone to a denial of service vulnerability. The problem occurs in the "ipv4/netfilter/ip_conntrack_proto_sctp.c" and "netfilter/nf_conntrack_proto_sctp.c" source files. Specifically, when a packet without any chunks is received, the newconntrack variable in sctp_packet contains an out-of-bounds value. That value is used to look up a pointer from the array of timeouts, which is then dereferenced. This results in a crash.
  • Ref: http://www.securityfocus.com/bid/18755

  • 06.27.23 - CVE: Not Available
  • Platform: Linux
  • Title: Efone Config.INC Information Disclosure
  • Description: Efone is a distributed internet phone system. It is exposed to a local information disclosure issue due to improperly set file permissions on the "config.inc" file. Efone version 20000723 is affected.
  • Ref: http://www.securityfocus.com/bid/18811

  • 06.27.24 - CVE: CVE-2006-2935
  • Platform: Linux
  • Title: Linux Kernel CD-ROM Driver Local Buffer Overflow
  • Description: The Linux kernel is susceptible to a local buffer overflow issue. It fails to properly bounds check user-supplied input before using it in a memory copy operation. Linux kernel versions 2.6.17.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18847

  • 06.27.25 - CVE: Not Available
  • Platform: Linux
  • Title: Ubuntu Linux Passwd Potential Privilege Escalation
  • Description: Ubuntu Linux passwd is vulnerable to an elevated privileges issue because the application fails to verify the result to a call to the "setuid()" function and allows a local attacker to invoke certain applications such as "chfn", "gpasswd", or "chsh" with superuser privileges. See the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/18850

  • 06.27.26 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX Mkdir Local Unauthorized Access
  • Description: HP-UX mkdir is prone to a local unauthorized access issue that can be used to gain unauthorized access to potentially sensitive directories. Please see the attached advisory for a list of affected versions.
  • Ref: http://www.securityfocus.com/bid/18748/info

  • 06.27.27 - CVE: Not Available
  • Platform: Unix
  • Title: Gentoo-Specific MPG123 Malicious URI Remote Buffer Overflow
  • Description: The mpg123 application is a media player. It is exposed to a remote buffer overflow issue due to improper bounds checking of user-supplied input. All versions of Gentoo are affected.
  • Ref: http://bugs.gentoo.org/show_bug.cgi?id=133988

  • 06.27.28 - CVE: CVE-2006-2194
  • Platform: Unix
  • Title: PPPD Winbind Plugin Local Privilege Escalation
  • Description: Winbind plugin PPPD is an open source implementation of PPP (Point-to-Point Protocol). It is vulnerable to a local privilege escalation issue because the application fails to verify the results of a "setuid()" call and allows a local attacker to invoke the NTLM authentication helper with superuser privileges. PPPD versions 2.4.3 and earlier are vulnerable.
  • Ref: http://www.ubuntu.com/usn/usn-310-1

  • 06.27.29 - CVE: Not Available
  • Platform: Unix
  • Title: Linux Kernel PRCTL Core Dump Handling Privilege Escalation
  • Description: Linux kernel is exposed to a local privilege escalation issue. This issue affects "prctl" because the application handles core dump files in an insecure manner. Linux kernel versions 2.6.17.3 and earlier are vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2006-0574.html

  • 06.27.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Document Stylesheet Denial of Service
  • Description: Opera is exposed to a denial of service issue due to a failure in the application to properly handle user-supplied input. Opera Web Browser version 9 is affected.
  • Ref: http://www.securityfocus.com/archive/1/438872

  • 06.27.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LibWMF WMF File Handling Integer Overflow
  • Description: LibWMF is a library that allows for reading and manipulation of Windows Metafile Format (WMF) files. It is vulnerable to an integer overflow issue in the "wmf_header_read()" function. LibWMF versions 0.2.8.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438803

  • 06.27.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hobbit Monitor Logfetch Information Disclosure
  • Description: Hobbit Monitor is a system for monitoring hosts and networks, providing real-time monitoring, an easy web interface, historical data, availability reports and performance graphs. It is prone to an information disclosure vulnerability. The problem occurs in the "logfetch" utility, and can be exploited to view files in the context of the affected application.
  • Ref: http://www.securityfocus.com/bid/18752

  • 06.27.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PatchLink Update Server Proxyreg.ASP Authentication Bypass
  • Description: PatchLink Update Server is a patch and vulnerability management solution for medium and large enterprise networks. It is susceptible to a remote authentication bypass vulnerability due to improper verification of authentication credentials in the "proxyreg.asp" script. Malicious servers may be added to this proxy server list by a malicious user, which may then be used to distribute malicious code to unsuspecting roaming PatchLink client computers.
  • Ref: http://www.securityfocus.com/bid/18723

  • 06.27.34 - CVE: CVE-2006-1467
  • Platform: Cross Platform
  • Title: Apple iTunes AAC File Parsing Integer Overflow
  • Description: iTunes is prone to an integer overflow vulnerability because it fails to properly handle malformed AAC (Advanced Audio Coding) files. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the affected application; failed exploit attempts will likely result in denial of service conditions. Apple iTunes versions 6.0.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18730

  • 06.27.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox OuterHTML Redirection Handling Information Disclosure
  • Description: Mozilla Firefox is exposed to an information disclosure vulnerability because it fails to properly enforce cross domain policies. Please refer to link below for further details. Mozilla Firefox version 1.5 beta 2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18734/info

  • 06.27.36 - CVE: CVE-2006-2199
  • Platform: Cross Platform
  • Title: OpenOffice Java Applet System Unauthorized Access
  • Description: OpenOffice is a multiplatform office suite. It is vulnerable to an unauthorized access issue that allows a malicious Java applet to escape the sandbox and gain unauthorized access to a computer. OpenOffice version 2.0.3 resolves this issue.
  • Ref: http://www.openoffice.org/security/CVE-2006-2199.html

  • 06.27.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenOffice Arbitrary Macro Execution
  • Description: OpenOffice is prone to a macro code injection vulnerability that allows attackers to gain unauthorized access to a vulnerable computer. This issue is due to a failure in the application to properly secure macros embedded in malicious documents, and does not require user interaction beyond accessing the file.
  • Ref: http://www.securityfocus.com/bid/18738

  • 06.27.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenOffice XML File Format Buffer Overflow
  • Description: OpenOffice is a multiplatform office suite. It is affected by XML file format buffer overflow issues that allow attackers to gain unauthorized access to a vulnerable machine. Please see the attached advisory for a list of affected versions.
  • Ref: http://www.openoffice.org/security/CVE-2006-3117.html

  • 06.27.39 - CVE: CVE-2006-0468
  • Platform: Cross Platform
  • Title: Communigate Pro Server Pop Denial of Service
  • Description: CommuniGate Pro is an Internet messaging server. It is vulnerable to an unspecified denial of service issue. CommuniGate Pro Server versions 5.x are vulnerable.
  • Ref: http://www.stalker.com/CommuniGatePro/History.html

  • 06.27.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AdPlug Multiple Remote File Buffer Overflow Vulnerabilities
  • Description: AdPlug is an audio application. The library is vulnerable to multiple remote buffer overflow issues in various functions. AdPlug library versions 2.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/439432

  • 06.27.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kaillera Message Buffer Overflow
  • Description: Kaillera is a middleware application for implementing network capabilities in numerous emulators. It is susceptible to a buffer overflow vulnerability in the nickname part of a message. An attacker may exploit this issue by sending messages with a nickname larger than 32 bytes.
  • Ref: http://www.securityfocus.com/bid/18871

  • 06.27.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Gimp XCF_load_vector Function Buffer Overflow
  • Description: Gimp is a free image manipulation application. The "xcf_load_vector()" function is vulnerable to a buffer overflow when the application processes a malicious image file. GIMP versions 2.2.11 and earlier are vulnerable.
  • Ref: http://bugzilla.gnome.org/show_bug.cgi?id=346742

  • 06.27.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: mAds Search Cross-site Scripting
  • Description: mAds is a web-based application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the search function. mAds version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438869

  • 06.27.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ezWaiter Cross-site Scripting
  • Description: ezWaiter is an online menu system for restaurants. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "Who is this item for?" and "Special Instructions:" input fields.
  • Ref: http://www.securityfocus.com/bid/18746

  • 06.27.45 - CVE: CVE-2006-2418
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyAdmin Table Parameter Cross-site Scripting
  • Description: phpMyAdmin is a web-based administration interface for mySQL databases. It is vulnerable to a cross-site scripting issue, due to insufficient sanitization of user-supplied input to the "table" parameter. phpMyAdmin versions 2.8.1 and earlier are vulnerable.
  • Ref: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-4

  • 06.27.46 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP iCalender Index.PHP Cross-Site Scripting
  • Description: PHP iCalender is an online calendar. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "cal" parameter of the "rss/index.php" script. PHP iCalendar version 2.22 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18721

  • 06.27.47 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Softbiz Banner Exchange Multiple Cross-Site Scripting Vulnerabilities
  • Description: Softbiz Banner Exchange is a website banner application. It is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize HTML and script code from URI input to various scripts.
  • Ref: http://www.securityfocus.com/bid/18735

  • 06.27.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Vincent Leclercq News Cross-Site Scripting
  • Description: Vincent Leclercq News is a web-based bulletin board. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "id" and "disable" parameters of the "diver.php" script.
  • Ref: http://www.securityfocus.com/bid/18775

  • 06.27.49 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Invision Power Board Multiple Cross-Site Scripting Vulnerabilities
  • Description: Invision Power Board is affected by multiple cross-site scripting issues due to insufficient sanitization of the "url_photo", "url_avatar" and "url" parameters in the "lib/func_usercp.php" and the "classes/bbcode/class_bbcode_core.php" scripts. Invision Power Board versions 2.1.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18776

  • 06.27.50 - CVE: CVE-2006-2330
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP-Fusion Avatar Image Edit_profile.PHP HTML Injection
  • Description: PHP-Fusion is a website management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "edit_profile.php" script. PHP-Fusion versions 6.0.307 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438938

  • 06.27.51 - CVE: CVE-2006-3132
  • Platform: Web Application - Cross Site Scripting
  • Title: QTO File Manager Multiple Cross-Site Scripting Vulnerabilities
  • Description: QTO File Manager is a web-based file management system. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of various parameters. QTO File Manager version 1.0 is vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/2434

  • 06.27.52 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: The Banner Engine Top.PHP Cross-site Scripting
  • Description: The Banner Engine (TBE) is a web-based banner ad script. Insufficient sanitization of the "text" parameter of the "top.php" script exposes the application to a cross-site scripting issue. TBE Banner Engine version 4.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/438972

  • 06.27.53 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPWebGallery Comments.PHP Cross-site Scripting
  • Description: PhpWebGallery is a web-based photo-gallery application. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "keyword" parameter of "comments.php". PhpWebGallery versions 1.5.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/439049

  • 06.27.54 - CVE: CVE-2006-1357
  • Platform: Web Application - Cross Site Scripting
  • Title: F5 Firepass 4100 SSL VPN Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: FirePass 4100 SSL VPN is a secure virtual private network device. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various unspecified parameters. FirePass 4100 SSL VPN versions 5.x are affected.
  • Ref: http://www.frsirt.com/english/advisories/2006/1036

  • 06.27.55 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: AutoRank Multiple Cross-Site Scripting Vulnerabilities
  • Description: AutoRank is toplist software. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "keyword" parameter of the "search.php" script and the "Username" parameter of the "main.cgi" script.
  • Ref: http://www.securityfocus.com/bid/18796

  • 06.27.56 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Taskjitsu Multiple Cross-Site Scripting Vulnerabilities
  • Description: Taskjitsu is a web-based task tracking and management application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to the "Title" and "Description" fields. Taskjitsu versions 2.0 and earlier are vulnerable.
  • Ref: https://www.pkrinternet.com/taskjitsu/task/3313

  • 06.27.57 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PostNuke Multiple Cross-Site Scripting Vulnerabilities
  • Description: PostNuke is a content management system. It is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input to the "module.php" and "index.php" scripts. PostNuke versions 0.761 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18819

  • 06.27.58 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Hitachi GroupMax and UCosminexus Collaboration Portal Multiple Cross-Site Scripting Vulnerabilities
  • Description: Hitachi GroupMax and uCosminexus Collaboration Portal software are web-based groupware products. They are prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to various unknown scripts.
  • Ref: http://www.securityfocus.com/bid/18830

  • 06.27.59 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPMailList MailList.PHP Cross-site Scripting
  • Description: PHPMailList is a mailing list application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "email" field of the "maillist.php" script. PHPMailList versions 1.8.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18840

  • 06.27.60 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Horde Application Framework Services Multiple Cross-Site Scripting Vulnerabilities
  • Description: The Horde Application Framework is a suite of applications. It is exposed to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to different parameters of various scripts. Horde versions 3.1.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18845

  • 06.27.61 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ATutor Multiple Cross-Site Scripting Vulnerabilities
  • Description: ATutor is a web-based Learning Content Management System (LCMS). It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various scripts. ATutor versions 1.5.3 RC2 and earlier are vulnerable.
  • Ref: http://www.atutor.ca/view/3/8341/1.html

  • 06.27.62 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Diesel Joke Site Category.PHP SQL Injection
  • Description: Diesel Joke Site is a web-based joke forum. It is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "id" parameter of the "category.php" script.
  • Ref: http://www.securityfocus.com/bid/18760

  • 06.27.63 - CVE: CVE-2006-3346
  • Platform: Web Application - SQL Injection
  • Title: MyNewsGroups Tree.PHP SQL Injection
  • Description: MyNewsGroups is a web-based news reader. It is exposed to an SQL injection issue due to insufficient sanitization of user-supplied input to the "grp_id" parameter of "tree.php". MyNewsGroup version 0.6 is affected.
  • Ref: http://www.securityfocus.com/bid/18757

  • 06.27.64 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Vincent-Leclercq News Diver.PHP SQL Injection
  • Description: Vincent-Leclercq News is a web-based bulletin board. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "diver.php" script. Vincent-Leclercq News versions 5.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438859

  • 06.27.65 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Multiple Input Validation Vulnerabilities
  • Description: Joomla! is an open-source content-management application. It is exposed to multiple input validation vulnerabilities due to insufficient sanitization of user-supplied input. Joomla versions 1.0.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18742

  • 06.27.66 - CVE: CVE-2006-3347
  • Platform: Web Application - SQL Injection
  • Title: deV!Lz Clanportal ID Parameter SQL Injection
  • Description: deV!Lz Clanportal is a web-based portal. It is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "id" parameter of "index.php". This issue affects version 1.34.
  • Ref: http://www.securityfocus.com/bid/18762

  • 06.27.67 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BXCP Index.PHP SQL Injection
  • Description: BXCP is a content management system. It is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "where" parameter of "index.php". This issue affects versions 0.3.0.4 and prior.
  • Ref: http://www.securityfocus.com/bid/18765

  • 06.27.68 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WordPress Paged Parameter SQL Injection
  • Description: WordPress is a web-based publishing application. It is exposed to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "paged" parameter of the "index.php" script. WordPress version 2.0.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/438942

  • 06.27.69 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Invision Power Board Index.PHP Act Parameter SQL Injection
  • Description: Invision Power Board is web forum software. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "act" parameter of the "index.php" script. Version 1.3 Final is affected.
  • Ref: http://www.securityfocus.com/bid/18782

  • 06.27.70 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: VirtuaStore Password Parameter SQL Injection
  • Description: VirtuaStore is an ecommerce application. It is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "password" parameter of the login page.
  • Ref: http://www.securityfocus.com/bid/18790

  • 06.27.71 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Kyberna AG Ky2help Meine Links SQL Injection
  • Description: Kyberna AG Ky2help is a commercial web-based customer support system. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "Meine Links" input link.
  • Ref: http://www.securityfocus.com/bid/18800

  • 06.27.72 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: LifeType Index.PHP Date Parameter SQL Injection
  • Description: LifeType is a web log application. Insufficient sanitization of the "date" parameter of the "index.php" script exposes the application to an SQL injection issue. LifeType version 1.0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/18835/info

  • 06.27.73 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Invision Power Board Multiple SQL Injection Vulnerabilities
  • Description: Invision Power Board is an online bulletin board. It is exposed to multiple SQL injection issues due to insufficient sanitization of user-supplied input to various scripts. Invision Power Board versions 2.1.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/439145

  • 06.27.74 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Blog:CMS Multiple SQL Injection Vulnerabilities
  • Description: Blog:CMS is a web-based publishing application. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input to various scripts. Version 4.1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18839

  • 06.27.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Buddy Zone Multiple HTML Injection Vulnerabilities
  • Description: Buddy Zone is a social networking script to keep track of and make new friends. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input to various parameters. Buddy Zone versions 1.0.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438868

  • 06.27.76 - CVE: Not Available
  • Platform: Web Application
  • Title: iPlanet/Sun Java Messaging Server Local Information Disclosure
  • Description: iPlanet Messaging Server and Sun Java Messaging Server are exposed to a local information disclosure issue. This issue is due to a failure in the application to ensure proper access controls. Sun Java System Messaging Server versions 6 2005Q1 and earlier are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102496-1&searchclause=

  • 06.27.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Plume CMS DBInstall.PHP Remote File Include
  • Description: Plume CMS is a web-based content management system. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "_PX_config[manager_path]" variable of "dbinstall.php". Plume CMS version 1.1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/18750

  • 06.27.78 - CVE: Not Available
  • Platform: Web Application
  • Title: SiteBuilder-FX Top.PHP Remote File Include
  • Description: SiteBuilder-FX is a content management system. Insufficient sanitization of the "admindir" parameter of the "top.php" script exposes the application to a remote file include issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18756

  • 06.27.79 - CVE: Not Available
  • Platform: Web Application
  • Title: NewsPHP 2006 PRO Multiple Input Validation Vulnerabilities
  • Description: NewsPHP 2006 PRO is a web portal application. It is exposed to multiple input validation issues due to insufficient sanitization of user-supplied input to different parameters. NewsPHP version 2006 PRO is affected.
  • Ref: http://www.securityfocus.com/archive/1/438858

  • 06.27.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Geeklog Multiple Remote File Include Vulnerabilities
  • Description: Geeklog is a content management system for managing dynamic web content, blogs and customer forums. Geeklog is prone to multiple remote file include vulnerabilities because it fails to properly sanitize user-supplied input to multiple scripts. Geeklog versions 1.4 sr1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18740

  • 06.27.81 - CVE: Not Available
  • Platform: Web Application
  • Title: Stud.IP Multiple Remote File Include Vulnerabilities
  • Description: Stud.IP is an information management and learning system designed for educational institutions. It is exposed to multiple remote file include issues due to insufficient sanitization of user-supplied input to various parameters of different scripts. Stud.IP version 1.3 2 is affected.
  • Ref: http://www.securityfocus.com/bid/18741

  • 06.27.82 - CVE: CVE-2006-3235,CVE-2006-3234
  • Platform: Web Application
  • Title: FineShop Multiple Input Validation Vulnerabilities
  • Description: FineShop is an online shopping application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. FineShop versions 3.0 and earlier are vulnerable.
  • Ref: http://pridels.blogspot.com/2006/06/fineshop-vuln.html

  • 06.27.83 - CVE: Not Available
  • Platform: Web Application
  • Title: Webmin/Usermin Unspecified Information Disclosure
  • Description: Webmin is a web-based UNIX/Linux system administration tool. Usermin is a web-based user interface for UNIX and Linux users. Both are prone to an unspecified information disclosure vulnerability. This issue is due to a failure in the applications to properly sanitize user-supplied input. This issue affects Webmin versions prior to 1.290 and Usermin versions prior to 1.220.
  • Ref: http://www.securityfocus.com/bid/18744

  • 06.27.84 - CVE: Not Available
  • Platform: Web Application
  • Title: Randshop Header.Inc.PHP Remote File Include
  • Description: Randshop is an online ecommerce system. Insufficient sanitization of the "dateiPfad" parameter in the "header.inc.php" script exposes the application to a remote file include issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18763/info

  • 06.27.85 - CVE: Not Available
  • Platform: Web Application
  • Title: SturGeoN Upload Arbitrary File Upload
  • Description: SturGeoN Upload is a file upload script. It is exposed to an arbitrary file upload vulnerability because the application fails to properly verify the type of file being uploaded. SturGeoN Upload version 1 is affected.
  • Ref: http://acidr00t.free.fr/poc/sturgeonupv1.txt

  • 06.27.86 - CVE: Not Available
  • Platform: Web Application
  • Title: Geeklog Connector.PHP Arbitrary File Upload
  • Description: Geeklog is a CMS for managing dynamic web content, blogs and customer forums. Insufficient sanitization of user-supplied input in the ".../php/connector.php" script exposes the application to a file upload issue.
  • Ref: http://www.securityfocus.com/bid/18767/info

  • 06.27.87 - CVE: Not Available
  • Platform: Web Application
  • Title: phpFormGenerator Arbitrary File Upload
  • Description: phpFormGenerator is used to create web forms. It is exposed to an arbitrary file upload issue. An attacker can upload arbitrary files using the "file upload" feature of the application. phpFormGenerator version 2.09c is affected.
  • Ref: http://www.securityfocus.com/bid/18768

  • 06.27.88 - CVE: CVE-2006-2645
  • Platform: Web Application
  • Title: Plume CMS Multiple Remote File Include Vulnerabilities
  • Description: Plume CMS is a CMS for managing dynamic web content, blogs and customer forums. Plume CMS is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "_PX_config[manager_path]" parameter of various scripts. Plume CMS versions 1.0.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/438948

  • 06.27.89 - CVE: Not Available
  • Platform: Web Application
  • Title: SF ImgSvr Denial Of Service
  • Description: ImgSvr is a web-based picture gallery server implemented in Ada. It is prone to a denial of service vulnerability. The problem occurs when the server receives a malicious POST request consisting of excessive data. ImgSvr version 0.6.5 is affected.
  • Ref: http://www.securityfocus.com/bid/18784

  • 06.27.90 - CVE: Not Available
  • Platform: Web Application
  • Title: Hiki Diff Denial of Service
  • Description: Hiki is a Wiki application. It is affected by a denial of service issue due to an error in processing a comparison between two large pages. Hiki version 0.8.6 is affected.
  • Ref: http://hikiwiki.org/en/advisory20060703.html

  • 06.27.91 - CVE: CVE-2006-2998
  • Platform: Web Application
  • Title: Free QBoard QB_Path Remote File Include Vulnerabilities
  • Description: The free QBoard script is an open-source tag board application. It is exposed to multiple remote file include vulnerabilities due to insufficient sanitization of user-supplied input to the "qb_path" variable of various scripts. Free QBoard version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/18788

  • 06.27.92 - CVE: Not Available
  • Platform: Web Application
  • Title: Glossaire Remote File Include
  • Description: Glossaire is a plug-in application for Xoops. It is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "ap" variable of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/18792

  • 06.27.93 - CVE: Not Available
  • Platform: Web Application
  • Title: Randshop Index.PHP Remote File Include
  • Description: Randshop is an online ecommerce system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "incl" parameter of the "index.php" script. Randshop versions 1.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/439063

  • 06.27.94 - CVE: Not Available
  • Platform: Web Application
  • Title: Galleria Remote File Include
  • Description: Galleria is a picture component for Mambo. Insufficient sanitization of the "mosConfig_absolute_path" parameter in the "/components/com_galleria/galleria.html.php" script exposes the application to a remote file include issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/439035

  • 06.27.95 - CVE: Not Available
  • Platform: Web Application
  • Title: Pearl Product Multiple Remote File Include Vulnerabilities
  • Description: Multiple Pearl products are exposed to remote file include issues due to insufficient sanitization of user-supplied input to various scripts. Please refer to the link below for further details.
  • Ref: http://www.securityfocus.com/bid/18797

  • 06.27.96 - CVE: Not Available
  • Platform: Web Application
  • Title: Kamikaze-QSCM Config.INC Information Disclosure
  • Description: Kamikaze-QSCM is a CVS query tool. It is vulnerable to an information disclosure issue because the access controls on the configuration files are not properly set. Kamikaze-QSCM version 0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18816

  • 06.27.97 - CVE: Not Available
  • Platform: Web Application
  • Title: Eupla Foros Config.INC Information Disclosure
  • Description: Foros is a web-based forum application. It is prone to an information disclosure vulnerability. The problem exists because the configuration file for the application is retrievable from a web accessible directory. This is due to improperly set file permissions on the "inc/config.inc" file.
  • Ref: http://www.securityfocus.com/bid/18817

  • 06.27.98 - CVE: Not Available
  • Platform: Web Application
  • Title: WonderEdit Pro User_Bottom.PHP Remote File Include
  • Description: WonderEdit Pro is a content management system. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "config[template_path]" parameter of the "user_bottom.php" script. All versions of WonderEdit Pro are affected.
  • Ref: http://www.milw0rm.com/exploits/1982

  • 06.27.99 - CVE: CVE-2006-1225
  • Platform: Web Application
  • Title: Drupal Form_mail Module Multiple CRLF Injection Vulnerabilities
  • Description: Drupal is a content management application. The Form_mail module for Drupal is vulnerable to multiple CRLF injection issues due to insufficient sanitization of unspecified parameters. Drupal version 4.6 resolves this issue.
  • Ref: http://drupal.org/node/72177

  • 06.27.100 - CVE: Not Available
  • Platform: Web Application
  • Title: MyPHP CMS Global_header.PHP Remote File Include
  • Description: MyPHP CMS is a content management system. It is prone to a remote file include vulnerability due to improper sanitization of user-supplied input to the "domain" variable of "global_header.php". Versions 0.3 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18834

  • 06.27.101 - CVE: Not Available
  • Platform: Web Application
  • Title: Blog:CMS Thumb.PHP Remote File Include
  • Description: Blog:CMS is a web-based publishing application. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "gallery" variable of "thumb.php". BLOG:CMS version 4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/18837

  • 06.27.102 - CVE: Not Available
  • Platform: Web Application
  • Title: Shopping Cart Multiple HTML Injection Vulnerabilities
  • Description: Shopping Cart is a web-based grocery list application. It is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input to the input boxes "shop name" and "item" in the "index.php", "editshop.php" and "edititem.php" scripts.
  • Ref: http://www.securityfocus.com/bid/18841

  • 06.27.103 - CVE: Not Available
  • Platform: Web Application
  • Title: TTCalc Script Loan And Mortgage HTML Injection
  • Description: TTCalc Script is a mortgage and loan calculator. Insufficient sanitization of user-supplied input exposes the application to an HTML injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18844

  • 06.27.104 - CVE: Not Available
  • Platform: Web Application
  • Title: Zope Docutils Information Disclosure
  • Description: Zope is an open source web application server. It is exposed to an information disclosure issue due to insufficient sanitization of user-supplied input. Zope versions 2.7.0 to 2.9.3 are affected.
  • Ref: http://www.securityfocus.com/bid/18856

  • 06.27.105 - CVE: Not Available
  • Platform: Web Application
  • Title: Randshop DateiPfad Parameter Remote File Include
  • Description: Randshop is an online ecommerce system. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "dateiPfad" parameter of the "index.php" script. Randshop versions 1.1.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/18865

  • 06.27.106 - CVE: Not Available
  • Platform: Web Application
  • Title: AuraCMS Multiple Input Validation
  • Description: AuraCMS is a web-based content management application. It is exposed to multiple input validation vulnerabilities due to insufficient sanitization of user-supplied input. Aura CMS version 1.62 is affected.
  • Ref: http://www.securityfocus.com/bid/18867

  • 06.27.107 - CVE: Not Available
  • Platform: Web Application
  • Title: phpSysInfo Index.php Information Disclosure
  • Description: phpSysInfo is a web application to display host information. It is vulnerable to an information disclosure issue due to insufficient sanitization of user-supplied input to the "lng" parameter of the "index.php" script. phpSysInfo version 2.5.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/18868

  • 06.27.108 - CVE: Not Available
  • Platform: Web Application
  • Title: TWiki Arbitrary File Upload
  • Description: TWiki is a web-based wiki application. Insufficient sanitization of user-supplied input exposes the application to an arbitrary file upload issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18854

  • 06.27.109 - CVE: Not Available
  • Platform: Web Application
  • Title: FreeWebshop Multiple Input Validation Vulnerabilities
  • Description: FreeWebshop is a web-based shopping cart application. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/18878

  • 06.27.110 - CVE: Not Available
  • Platform: Network Device
  • Title: Siemens SpeedStream Wireless Router Authorization Bypass
  • Description: The Siemens SpeedStream Wireless Router web interface is prone to an authorization bypass issue due to a design error in the web interface that allows users to log in without any authentication. SpeedStream Wireless Router version 2624 is affected.
  • Ref: http://www.digitalarmaments.com/2006290674551938.html

Bonus Section: Lessons Learned The Hard Way in Web Application Vulnerabilities (a special section by SPI Dynamics).

XSS Plus Phishing Comes of Age

Last month, Paypal was hit with an emerging trend in phishing scams. An attacker used a Cross Site Scripting (XSS) vulnerability in paypal.com to inject their own HTML into web pages served from Paypal. By coupling phishing techniques with a web application vulnerability, the attacker created a phishing scenario that appeared legitimate and circumvented traditional anti-phishing defenses.

The attack started with a mass email telling people they needed to update their Paypal account information. The email contained a link to paypal.com, with an XSS attack embedded in the URL. Unlike traditional phishing attacks, which link to a fake website and attempt to hide the URL, this email did in fact link to the actual paypal.com host. When the user clicked on the link they visited an SSL-encrypted page on Paypal's site. Checking the hostname, the SSL certificate, or other common anti-phishing techniques all led a victim to believe they were safe. By injecting their own HTML into the web page through the XSS vulnerability, the attacker was able to present anything they wanted to a victim and make them believe it was from Paypal. In this case, the injected HTML simply informed the user their account was deactivated and used JavaScript to redirect them to a third-party website where the actual information theft occurred.

PayPal was extremely lucky that the XSS vulnerability wasn't properly exploited. The phisher could have injected a fake login form, added a keylogger, or completely rewritten the entire page with anything they wanted. XSS vulnerabilities can even be used to launch self-propagating worms like the Yamanner worm or the MySpace.com worm. Instead, the phisher merely redirected the victim to a 3rd party website, just like a classic phishing attack.

SPI Labs has been researching how XSS can amplify phishing attacks for quite some time. One of our researchers, Billy Hoffman, gave a well-received presentation entitled The Phuture of Phishing at the Toorcon security conference in September 2005. This presentation includes an extensive guide on how to properly secure applications against XSS. SPI Labs has also created and released LineBreaker, a proxy that detects and stops XSS+phishing attacks. Both the presentation and the program are available at http://www.spidynamics.com/spilabs/education/presentations/phishing.html

What should you take away from all of this? Simple. XSS can greatly amplify the damage of a phishing attack by circumventing traditional defenses. XSS can have a number of very dangerous payloads, any one of which can steal personal information. Fortunately, XSS is also 100% preventable if developers perform proper input validation.
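An added example, not from the newsletter or from SPI Dynamics, using a hypothetical shop.example site and a constructed link: it shows that the hostname check described above passes for a link carrying a reflected XSS payload, and that output encoding of the reflected parameter is what makes the injected markup inert.

```python
# Added example (not from the newsletter or SPI Dynamics): why a hostname
# check does not catch XSS+phishing, and how output encoding neutralises it.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TRUSTED_HOST = "shop.example"  # hypothetical legitimate site

# Constructed phishing link: it genuinely points at the trusted host, but the
# 'msg' parameter carries markup that the vulnerable page reflects unescaped.
PHISH_URL = ("https://shop.example/account?cmd=update"
             "&msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E")


def hostname_is_trusted(url: str) -> bool:
    """The check a careful victim (or a naive anti-phishing filter) applies."""
    return urlparse(url).hostname == TRUSTED_HOST


def message_from_url(url: str) -> str:
    """Extract the user-controlled 'msg' parameter, percent-decoded."""
    return parse_qs(urlparse(url).query).get("msg", [""])[0]


def render_vulnerable(msg: str) -> str:
    """Reflects the parameter straight into the page: the XSS defect."""
    return f"<html><body><p class='notice'>{msg}</p></body></html>"


def render_hardened(msg: str) -> str:
    """Output encoding: characters that could open a tag or attribute are
    escaped, so the browser treats the parameter as text, not markup."""
    safe = html.escape(msg, quote=True)
    return f"<html><body><p class='notice'>{safe}</p></body></html>"


class ActiveContentCounter(HTMLParser):
    """Counts script elements and inline event handlers in a rendered page."""
    def __init__(self) -> None:
        super().__init__()
        self.active = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.active += 1
        self.active += sum(1 for name, _ in attrs if name.startswith("on"))


def count_active_content(page: str) -> int:
    """Number of script tags / event handlers the browser would execute."""
    counter = ActiveContentCounter()
    counter.feed(page)
    return counter.active
```

With the constructed link, hostname_is_trusted() returns True, the vulnerable rendering contains one executable script element, and the hardened rendering contains none.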

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.
