
@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 30
July 31, 2006

This will be a bad week for cyber defenders; the vulnerabilities that will be announced this week will affect a very large proportion of business executives. Last week's critical vulnerabilities included an unpatched, important vulnerability in Apple Safari and a very critical vulnerability in Firefox that demands immediate upgrading.

Now some good news: you still have nearly three weeks to get the early registration discounts for SANS Network Security (October 1-8) in Las Vegas and for the SCADA Security Summit (Sept. 28-30) with the free courses sponsored by DHS and DoE. Network Security at a glance: http://www.sans.org/ns2006/caag.php SCADA Security Summit: http://www.sans.org/scadasummit_fall06/

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                # of Updates & Vulnerabilities
    Windows                                 2
    Other Microsoft Products                5
    Third Party Windows Apps                6 (#4, #5)
    Linux                                   3
    Solaris                                 2
    Mac OS X                                1 (#2)
    Cross Platform                          12 (#1, #3)
    Web Application - Cross Site Scripting  7
    Web Application - SQL Injection         4
    Web Application                         31 (#6, #9)
    Network Device                          4 (#7, #8, #10)

************************** Sponsored Link: ******************************

1) Minimize the Impact of MS Patch Tuesday: Shavlik Security Webinar, August 9th, Register here:

http://www.sans.org/info.php?id=1244

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
Solaris
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: Apple Safari KHTMLParser Remote Code Execution
  • Affected:
    • Apple Safari version 2.0.4 and possibly prior
  • Description: Apple's Safari web browser, installed by default on all recent versions of Mac OS X, contains a remotely-exploitable code execution vulnerability. The problem arises because Safari fails to properly handle "<script>" tags embedded in "<div>" tags. This causes an invalid object pointer dereference that can be exploited to execute arbitrary code with the privileges of the current user. Technical details for this vulnerability have been posted. This vulnerability was disclosed by a researcher who released a new browser vulnerability every day for the month of July.

  • Status: Apple has not confirmed, no updates available.

  • References:
  • (3) MODERATE: Apache "mod_rewrite" Remote Buffer Overflow
  • Affected:
    • Apache httpd versions 1.3.28 - 1.3.36, 2.0.46 - 2.0.58, 2.2.0 - 2.2.2
  • Description: The Apache HTTP daemon (httpd) contains a remotely-exploitable buffer overflow in the "mod_rewrite" URL rewriting module, which is included in most Apache httpd distributions. This module is used to perform transformations on URLs passed to the server according to administrator-supplied "rewrite rules". The module contains an off-by-one buffer overflow when parsing LDAP URLs. If the rewrite rules are structured such that an attacker can supply the initial portion of the URL (for example, a rewrite rule begins with an "$1"), an attacker could exploit this buffer overflow and execute arbitrary code with the privileges of the server process. Rewrite rules that affect the latter portions of the URL, or that contain the "Forbidden", "Gone", or "NoEscape" options are not affected. Additionally, if the httpd binary was compiled with any form of automatic or explicit stack padding, the binary is not vulnerable. Since Apache is Open Source software, technical details can easily be obtained by examining the source code.

  • Status: Apache confirmed, updates available.

  • References:
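The affected-rule shape described above (a substitution that begins with a backreference such as "$1" and carries none of the Forbidden, Gone or NoEscape flags) can be checked mechanically in a configuration file. The Python script below is an added example written for this bulletin, not code from Apache or TippingPoint; the httpd.conf lines it scans are constructed, and the audit is a textual heuristic that does not account for stack padding in the installed binary or for directives split across continuation lines.

```python
import re

# Flags the advisory names as making a rule unaffected: Forbidden (F),
# Gone (G) and NoEscape (NE). Both short and long spellings are accepted.
SAFE_FLAGS = {"F", "FORBIDDEN", "G", "GONE", "NE", "NOESCAPE"}

# RewriteRule <pattern> <substitution> [flags]
# (quoted arguments containing spaces are not handled by this heuristic)
REWRITE_RE = re.compile(
    r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE
)

# Constructed sample configuration (not taken from any real server).
SAMPLE_HTTPD_CONF = "\n".join([
    "RewriteEngine On",
    "RewriteRule ^/redirect/(.*)$ $1 [R,L]",    # request controls the start of the URL
    "RewriteRule ^/old/(.*)$ /new/$1 [L]",      # backreference only in the latter part
    "RewriteRule ^/blocked/(.*)$ $1 [F]",       # Forbidden: request is never rewritten
    "RewriteRule ^/raw/(.*)$ $1 [NE,R=301]",    # NoEscape: advisory says not affected
])


def parse_flags(flag_text):
    """Turn 'R=301,L' into {'R', 'L'}; an empty set when the rule has no flags."""
    if not flag_text:
        return set()
    return {f.strip().split("=", 1)[0].upper() for f in flag_text.split(",") if f.strip()}


def substitution_is_request_controlled(substitution):
    """True when the substitution starts with a $N backreference, i.e. the
    client-supplied match decides the beginning of the rewritten URL."""
    return re.match(r"^\$\d", substitution) is not None


def audit_rewrite_rules(config_text):
    """Return (line number, directive text) for every RewriteRule that matches
    the affected shape: substitution begins with $N and no F/G/NE flag is set."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        substitution, flags = m.group(2), parse_flags(m.group(3))
        if substitution_is_request_controlled(substitution) and not (flags & SAFE_FLAGS):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    # Only the first RewriteRule of the constructed sample is reported.
    for lineno, directive in audit_rewrite_rules(SAMPLE_HTTPD_CONF):
        print(f"line {lineno}: matches affected pattern: {directive}")
```

Run it against a real httpd.conf and review each flagged line by hand: the check tells you which rules have the affected shape, not whether the installed binary is exploitable, so the version check and the vendor update remain the authoritative fix.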
Other Software
  • (5) HIGH: AGEphone Remote SIP Buffer Overflow
  • Affected:
    • AGEphone versions 1.24 and 1.38.1
  • Description: AGEphone, a popular SIP-based VoIP (Voice-over-Internet Protocol) softphone for Windows systems contains a remotely-exploitable buffer overflow. By sending a specially crafted SIP header containing an overlong version or identifier string to an AGEphone process, an attacker could execute arbitrary code with the privileges of the current user. No authentication would be required to exploit this vulnerability. Users are advised to block port 5060 (TCP and UDP) at the network perimeter, if possible. Technical details and a proof-of-concept have been publicly posted.

  • Status: AGEphone confirmed, updates available.

  • References:
  • (6) HIGH: Multiple Products PHP File Include Vulnerabilities
  • Affected:
    • Vanilla CMS version 1.0.1 and prior
    • PHP Live! version 3.2
    • Mambo MultiBanners Component version 1.x
    • Mambo MoSpray Component version 1.8RC1
  • Description: The following popular software packages reportedly contain PHP remote file include vulnerabilities: Vanilla CMS, PHP Live!, the Mambo MultiBanners component, and the Mambo MoSpray component. These flaws can be exploited by a remote attacker to run arbitrary PHP code on the webserver hosting the vulnerable software packages. The postings show how to craft the malicious HTTP requests to exploit the flaws. All of these vulnerabilities require that the PHP "register_globals" option be enabled. The "register_globals" option is disabled by default in PHP version 4.2.0 and later. However, many sites enable this option. Users are advised to disable the "register_globals" option if possible, and run web server software under a low-privilege account.

  • Status: Vanilla CMS has not confirmed, no updates available. PHP Live! has not confirmed, no updates available. Mambo has not confirmed, no updates available.

  • References:
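The two conditions the entry names, an include whose path comes from a variable the script never initialises and "register_globals" turned on, can be checked together on a server. The Python script below is an added example for this bulletin and not code from any of the products listed; the php.ini fragment and the PHP source it scans are constructed, and the variable name $RootDirectory is borrowed from the Vanilla CMS entry in Part II only to illustrate the pattern, not as that product's actual code.

```python
import re

# Constructed php.ini fragment (not from any real site).
PHP_INI_SAMPLE = """[PHP]
; constructed example configuration
register_globals = On
allow_url_fopen = On
"""

# Constructed PHP source showing the pattern the entry describes.
PHP_SOURCE_SAMPLE = """<?php
// $RootDirectory is never initialised here; with register_globals=On a
// request parameter of the same name would supply it (constructed example)
include($RootDirectory . "/lib/setup.php");
// a superglobal used as the path is dangerous regardless of register_globals
require_once $_GET['page'] . ".php";
// hardened form: the path is derived from the script's own location
require_once dirname(__FILE__) . "/lib/setup.php";
"""

# Request-controlled arrays, old (pre-4.1) and new names.
SUPERGLOBALS = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE",
                "$HTTP_GET_VARS", "$HTTP_POST_VARS", "$HTTP_COOKIE_VARS"}

# include/require whose first operand is a variable, with or without parentheses.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\s*\(?\s*(\$[A-Za-z_]\w*)",
    re.IGNORECASE,
)


def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_enabled(value):
    """php.ini booleans: On/1/True/Yes enable a setting, anything else disables it."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def find_variable_includes(php_source):
    """(line number, directive, variable) for each include whose path starts with a variable."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = INCLUDE_RE.search(line)
        if m:
            findings.append((lineno, m.group(1).lower(), m.group(2)))
    return findings


def assess(ini_text, php_source):
    """Combine the configuration state with the source findings into a report."""
    register_globals = ini_enabled(parse_php_ini(ini_text).get("register_globals", "Off"))
    report = []
    for lineno, directive, var in find_variable_includes(php_source):
        if var in SUPERGLOBALS:
            verdict = "request-controlled path (independent of register_globals)"
        elif register_globals:
            verdict = "request-controlled path if the variable is not initialised (register_globals is On)"
        else:
            verdict = "review: confirm the variable is initialised before use (register_globals is Off)"
        report.append((lineno, directive, var, verdict))
    return {"register_globals": register_globals, "findings": report}


if __name__ == "__main__":
    result = assess(PHP_INI_SAMPLE, PHP_SOURCE_SAMPLE)
    print("register_globals enabled:", result["register_globals"])
    for lineno, directive, var, verdict in result["findings"]:
        print(f"line {lineno}: {directive} {var}: {verdict}")
```

The hardened include on the last line of the sample is never reported because its path is built from the script's own location rather than from a variable, which is the shape to move vulnerable code toward whether or not "register_globals" can be turned off.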
  • (7) MODERATE: ISS RealSecure/BlackICE Mailslot Heap Overflow Detect DoS
  • Affected:
    • ISS RealSecure Network/Server/Desktop 7.0
    • Proventia A/G/M Series
    • Proventia Server/Desktop
    • BlackICE PC Protection 3.6
    • BlackICE Server Protection 3.6
  • Description: ISS's RealSecure and BlackICE network intrusion detection and prevention devices and software suffer from a remotely-exploitable denial-of-service attack when detecting and filtering attacks against Microsoft's Mailslot implementation (outlined in a previous @RISK entry). By sending a specially-crafted packet through a network segment monitored by a RealSecure or BlackICE sensor, an attacker could cause the sensor, and possibly the system running the sensor, to stop responding. Rebooting is required to restore normal operation.

  • Status: ISS confirmed, updates available.

  • References:
  • (8) MODERATE: TippingPoint Network Traffic Inspection Bypass
  • Affected:
    • All TippingPoint appliances with TOS version 2.2.3.6514 or prior.
  • Description: TippingPoint intrusion prevention devices are vulnerable to a remotely-exploitable inspection-bypass vulnerability. By sending a specially-crafted packet to a network segment monitored by a TippingPoint device, an attacker can cause that device to fallback to layer 2 mode, in which the device will forward all traffic without further inspection. Rebooting is required to restore normal operation.

  • Status: TippingPoint confirmed, updates available.

  • References:
  • (9) MODERATE: OpenCMS Multiple Vulnerabilities
  • Affected:
    • OpenCMS 6.2.1, 6.2, 6.0.4, 6.0.3 and possibly prior
  • Description: OpenCMS, a popular open source content management system, contains multiple vulnerabilities. Due to a failure to properly validate user credentials, authenticated attackers can perform normally-forbidden actions, including: viewing and downloading arbitrary system files, adding web users, viewing application source code, importing and exporting data from the database, and sending arbitrary JavaScript files to other users. Other actions may be possible. Technical details for these vulnerabilities have been publicly posted.

  • Status: OpenCMS confirmed, updates available.

  • References:
  • (10) LOW: Internet Key Exchange Protocol Denial-of-Service Vulnerability
  • Affected:
    • Any device using the Internet Key Exchange (IKE) protocol version 1 is potentially vulnerable
  • Description: IKE, the Internet Key Exchange Protocol, is used to exchange shared secret information between hosts to enable the use of IPsec and related protocols. IKE is generally used as a component in VPN solutions, but can be used whenever secure key exchange is required. Due to the stateless nature of the IKE version 1 protocol, it is possible for an attacker to exhaust all available IKE resources on a target system, preventing other users from using the IKE facilities of the target system. Note that individual implementations may attempt to protect systems from this vulnerability, but the protocol specification itself allows for this vulnerability. Users are advised to ask their vendor if their systems use IKE version 1. Users of Cisco's IOS can mitigate the impact of this vulnerability by implementing the "Call Admission Control for IKE" IOS feature.

  • Status: Cisco has provided workaround information for IOS-based devices; other IKE implementations may have additional workarounds.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5089 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.30.1 - CVE: Not Available
  • Platform: Windows
  • Title: Windows Remote Denial of Service
  • Description: Microsoft Windows is reportedly susceptible to a remote denial of service issue when a large number of malformed TCP packets with both source and destination ports set to 135 are sent to the system. These packets also have various header fields set to randomized values. Please refer to the advisory for details.
  • Ref: http://www.securityfocus.com/archive/1/441007

  • 06.30.2 - CVE: CVE-2006-3838
  • Platform: Windows
  • Title: eIQNetworks Enterprise Security Analyzer SyslogServer.EXE Buffer Overflow
  • Description: eIQnetworks Enterprise Security Analyzer is a distributed enterprise security application. Its Syslog daemon is exposed to a remote buffer overflow issue due to improper boundary checks before copying user-supplied data into sensitive process buffers. Enterprise Security Analyzer versions prior to 2.5.0 are affected.
  • Ref: http://www.tippingpoint.com/security/advisories/TSRT-06-03.html

  • 06.30.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Internet.HHCtrl Click Denial of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service vulnerability. The vulnerability presents itself when the browser instantiates a new "Internet.HHCtrl.1" object. An attacker can trigger a NULL pointer dereference by calling the "Click" method without first initializing the URL parameter.
  • Ref: http://www.securityfocus.com/bid/19109

  • 06.30.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Multiple Object ListWidth Property Denial of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service vulnerability. The vulnerability presents itself when the browser instantiates a new "Forms.ListBox.1" or "Forms.ComboBox.1" object. An attacker can trigger a NULL pointer dereference by setting the "ListWidth" property to "0x7ffffffe".
  • Ref: http://www.securityfocus.com/bid/19113

  • 06.30.5 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer NMSA.ASFSourceMediaDescription Stack Overflow
  • Description: Microsoft Internet Explorer is prone to a stack overflow when the browser processes the "NMSA.ASFSourceMediaDescription" object with a "dispValue" property set as a long string. All current versions are affected.
  • Ref: http://browserfun.blogspot.com/2006/07/mobb-23-nmsaasfsourcemediadescription.html

  • 06.30.6 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Native Function Iterator Denial Of Service
  • Description: Microsoft Internet Explorer is prone to an unspecified denial of service vulnerability that is triggered when an attacker convinces a victim user to visit a malicious website, causing Internet Explorer to crash. Versions 6.0 and 6.0 SP1 are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19140

  • 06.30.7 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer NDFXArtEffects Stack Overflow
  • Description: Microsoft Internet Explorer is prone to a stack overflow vulnerability. The vulnerability presents itself when the browser processes the "NDFXArtEffects" object with the "RGBExtraColor", "RGBForeColor" and "RGBBackColor" properties set as long strings. A successful attack can cause Internet Explorer to crash.
  • Ref: http://www.securityfocus.com/bid/19184

  • 06.30.8 - CVE: CVE-2006-3675
  • Platform: Third Party Windows Apps
  • Title: Password Safe Local Insecure Idle Timeout Lock
  • Description: Password Safe is a password storage application. It is vulnerable to an inactivity timer issue because the inactivity timer will fail to lock the database when certain dialog boxes are open. Password Safe versions 3.0 beta 1 and earlier are vulnerable.
  • Ref: http://passwordsafe.sourceforge.net/

  • 06.30.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Internet Explorer String To Binary Function Denial Of Service
  • Description: Microsoft Internet Explorer is vulnerable to a denial of service issue due to insufficient handling of a long string to the "stringToBinary()" function. Microsoft Internet Explorer versions 6.0 SP2 and earlier are vulnerable.
  • Ref: http://browserfun.blogspot.com/atom.xml

  • 06.30.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AGEphone SIP Packet Handling Buffer Overflow
  • Description: AGEphone is a phone application for Microsoft Windows. It is exposed to a remote buffer overflow issue due to improper boundary checks prior to copying user-supplied data into sensitive process buffers. AGEphone versions 1.24 and 1.38.1 are affected.
  • Ref: http://vuln.sg/agephone1381-en.html

  • 06.30.11 - CVE: CVE-2006-3768
  • Platform: Third Party Windows Apps
  • Title: Intervations FileCopa Directory Arguments Multiple Buffer Overflow Vulnerabilities
  • Description: FileCopa FTP Server is a file transfer application. It is vulnerable to multiple buffer overflow issues when handling directory arguments to "CWD", "DELE", "MDTM", and "MKD" commands. FileCOPA versions 1.01-2006-07-18 and earlier are vulnerable.
  • Ref: http://secunia.com/secunia_research/2006-55/advisory/

  • 06.30.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: eIQnetworks Enterprise Security Analyzer Topology Server Remote Buffer Overflow
  • Description: eIQnetworks Enterprise Security Analyzer is a distributed enterprise security application. It is affected by a remote buffer overflow issue when the "Topology.exe" process listening on TCP port 10628 handles excessive string values supplied as an argument to the "GUIADDDEVICE", "ADDDEVICE" or "DELETEDEVICE" commands. Enterprise Security Analyzer versions prior to 2.5.0 are affected.
  • Ref: http://www.securityfocus.com/archive/1/441198

  • 06.30.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: eIQNetworks Enterprise Security Analyzer Multiple Syslog Daemon Buffer Overflow Vulnerabilities
  • Description: eIQnetworks Enterprise Security Analyzer is a distributed enterprise security application. It is vulnerable to multiple remote buffer overflow issues due to insufficient handling of excessive arguments passed to various commands over TCP port 10617. eIQnetworks Enterprise Security Analyzer versions 2.4.9 and earlier are vulnerable.
  • Ref: http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

  • 06.30.14 - CVE: CVE-2006-3119
  • Platform: Linux
  • Title: fbgs PostScript Filter Bypass
  • Description: fbgs is a wrapper script for viewing PostScript files on fbi. fbi is an application that allows you to view PDF/PostScript files and is available for Linux. fbgs is prone to a filter bypass vulnerability. This issue occurs because the application fails to filter malicious PostScript commands properly.
  • Ref: http://www.securityfocus.com/bid/19131

  • 06.30.15 - CVE: Not Available
  • Platform: Linux
  • Title: KDE Desktop Screensaver Lock Activation Failure
  • Description: KDE is a freely available, open source X Desktop Manager. It has application features to make systems user-friendly, and is designed for Unix and Linux operating systems. The KDE desktop is prone to a vulnerability that can cause the manual locking of the desktop to fail, or stop the screensaver from activating. The problem occurs because the "kdesktop_lock" process sometimes fails to terminate properly.
  • Ref: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177755

  • 06.30.16 - CVE: CVE-2006-3815
  • Platform: Linux
  • Title: Linux-HA Heartbeat Insecure Default Permissions on Shared Memory
  • Description: Linux-HA heartbeat is a utility designed to indicate the availability of a Linux system. It has improper default permissions set in "/linux-ha/heartbeat/heartbeat.c" which may allow local attackers to cause a denial of service. Linux-HA heartbeat versions 2.0.5 and earlier are affected.
  • Ref: http://www.frsirt.com/english/advisories/2006/2994

  • 06.30.17 - CVE: CVE-2006-3825
  • Platform: Solaris
  • Title: Sun Internet Protocol Implementation Routing Table Bypass
  • Description: Sun's Internet Protocol implementation is vulnerable to a routing table bypass vulnerability. This vulnerability exists because the kernel fails to ensure that network traffic only routes to addresses configured in the system's routing table. Therefore, an attacker may redirect network packets using individual specified sockets to an on-link router ignoring system settings. A successful exploit may allow an attacker to bypass the system's routing table configuration in order to redirect traffic to unauthorized addresses.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102509-1&searchclause=

  • 06.30.18 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris SysInfo Local Information Disclosure
  • Description: Sun Solaris is prone to a local information disclosure issue due to an unspecified flaw in the "sysinfo" system call. Please refer to the attached advisory for details.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1&searchclause=

  • 06.30.19 - CVE: CVE-2006-3878
  • Platform: Cross Platform
  • Title: Opsware NAS Root Password Information Disclosure
  • Description: Opsware NAS is a network management tool and is available for various operating systems. It is prone to a local information disclosure vulnerability. The application discloses information about the root password by placing it into an initialization script, which is located in the "/etc/init.d/mysqll" directory. The initialization script has world readable access. Opsware NAS 6.0 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/441024

  • 06.30.20 - CVE: CVE-2006-3814
  • Platform: Cross Platform
  • Title: Cheese Tracker XM Loader Buffer Overflow
  • Description: Cheese Tracker is a music tracker application. It is exposed to a buffer overflow issue due to improper bounds-check of user-supplied input data before copying it to an insufficiently sized memory buffer. Cheese Tracker version 0.9.9 is affected.
  • Ref: http://www.securityfocus.com/archive/1/440962

  • 06.30.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GnuPG Parse_Comment Remote Buffer Overflow
  • Description: GNU Privacy Guard (GnuPG) is an encryption application. It is affected by a remote buffer overflow issue due to insufficient sanitization of the "parse_comment()" function in the "parse-packet.c" source file. GnuPG version 1.4.4 is affected.
  • Ref: http://lists.immunitysec.com/pipermail/dailydave/2006-July/003354.html

  • 06.30.22 - CVE: CVE-2006-3668
  • Platform: Cross Platform
  • Title: libmikmod XCOM Handler Remote Heap Buffer Overflow
  • Description: libmikmod is a library used to play audio files. A buffer overflow vulnerability occurs in the libmikmod library because of the improper handling of ".GT2" audio files. The "XCOM chunk" which is a field that contains a comment may be manipulated by using a value of "0xffffffff" for the size of this comment field. Versions 3.2.2 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19134

  • 06.30.23 - CVE: CVE-2006-3885
  • Platform: Cross Platform
  • Title: Checkpoint FireWall-1 Webserver Directory Traversal
  • Description: Checkpoint FireWall-1 is a firewall available for various operating systems. It is exposed to a directory traversal vulnerability due to improper sanitization of user-supplied input. The problem occurs with specially crafted HTTP GET requests containing directory traversal strings. Checkpoint FireWall-1 versions R55W HFA2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/440990

  • 06.30.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: InnerMedia DynaZip ZIP Archive Handling Multiple Buffer Overflow Vulnerabilities
  • Description: InnerMedia DynaZip is a library designed to create, modify, and decompress ZIP archive files. It is prone to multiple remote buffer overflow vulnerabilities. These vulnerabilities affect DynaZip Max with DZIP32.DLL version 5.0.0.7 and DynaZip Max Secure with DZIPS32.DLL version 6.0.0.4.
  • Ref: http://www.securityfocus.com/bid/19143

  • 06.30.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tumbleweed MailGate Email Firewall Multiple LHA Buffer Overflow Vulnerabilities
  • Description: Tumbleweed MailGate Email Firewall is prone to multiple buffer overflow vulnerabilities in its LHA processing routines. All current versions are affected.
  • Ref: http://www.hustlelabs.com/advisories/04072006_tweed.pdf

  • 06.30.26 - CVE: CVE-2006-3353
  • Platform: Cross Platform
  • Title: Opera Web Browser CSS Background HTTPS URI Memory Corruption
  • Description: Opera Web Browser is prone to a memory corruption vulnerability when processing a CSS background property of a DHTML element to a long HTTPS URI. Opera version 9 is vulnerable.
  • Ref: http://browserfun.blogspot.com/2006/07/mobb-26-opera-css-background.html

  • 06.30.27 - CVE: CVE-2006-3350
  • Platform: Cross Platform
  • Title: AutoVue SolidModel Professional Archive Multiple Remote Buffer Overflow Vulnerabilities
  • Description: AutoVue SolidModel Professional facilitates viewing and markup for 2D / 3D CAD and EDA PCB / IC documents. It is vulnerable to multiple remote buffer overflow vulnerabilities that may be exploited when the application processes ARJ, RAR, and ZIP archive files with malicious content. The Desktop Edition DEMO version 19.1 Build 5993 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19170

  • 06.30.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco Internet Key Exchange Denial of Service
  • Description: Cisco Internet Key Exchange (IKE) is prone to a denial of service issue due to resource exhaustion when handling a high rate of IKE requests. A sustained attack of 10 packets per second at 122 bytes each is sufficient to cause the issue. Please refer to the attached cisco advisory for details.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sr-20060726-ike.shtml

  • 06.30.29 - CVE: CVE-2006-3812, CVE-2006-3811, CVE-2006-3810, CVE-2006-3809, CVE-2006-3808, CVE-2006-3807, CVE-2006-3806, CVE-2006-3805, CVE-2006-3804, CVE-2006-3803, CVE-2006-3802, CVE-2006-3801, CVE-2006-3113, CVE-2006-3677
  • Platform: Cross Platform
  • Title: Mozilla Firefox Javascript Navigator Object Remote Code Execution
  • Description: Mozilla Firefox is prone to a remote code execution vulnerability. The application fails to properly sanitize user-supplied input before using it to create a new Javascript object. The vulnerability exists when assigning unspecified parameters to the "window.navigator" object. An attacker may replace the navigator object before Java starts to trigger this vulnerability. Mozilla Firefox versions 1.5.0 to 1.5.0.4 are vulnerable to this issue.
  • Ref: http://www.mozilla.org/security/announce/2006

  • 06.30.30 - CVE: CVE-2006-3113
  • Platform: Cross Platform
  • Title: Mozilla Foundation Products XPCOM Memory Corruption
  • Description: Mozilla Foundation products Firefox, Thunderbird and SeaMonkey are vulnerable to a memory corruption issue due to insufficient handling of simultaneous XPCOM events. See the referenced advisory for further details.
  • Ref: http://www.mozilla.org/security/announce/2006/mfsa2006-46.html

  • 06.30.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IP Calculator Cross-Site Scripting
  • Description: IP Calculator is a web-based network address calculator. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to unspecified parameters of the "ipcalc" script. IP Calculator versions 0.40 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19130

  • 06.30.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: BLOG:CMS ID Parameter Cross-Site Scripting
  • Description: BLOG:CMS is a web-based publishing application. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "id" parameter of an unspecified script. BLOG:CMS version 4.0.0j is affected.
  • Ref: http://www.securityfocus.com/bid/19111

  • 06.30.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBB Usercp.PHP HTML Injection Vulnerability
  • Description: MyBB is a web-based bulletin-board application that is implemented in PHP. The application fails to sanitize HTML and script code from input submitted to the "avatarurl" variable of the "usercp.php" script. Version 1.1.6 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19141

  • 06.30.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: sNews Search_Query Cross-Site Scripting
  • Description: sNews is a web-based news article management application. Insufficient sanitization of the "search_query" parameter of the "snews.php" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://security-net.biz/adv/D25706a.txt

  • 06.30.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: wwwThreads Calendar.PHP Cross-Site Scripting
  • Description: wwwThreads is a web-based forum application. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "week" parameter of the "calendar.php" script. WWWThreads versions 5.4 and RC3 are affected.
  • Ref: http://www.securityfocus.com/archive/1/441191

  • 06.30.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Zyxel Prestige 660H-61 ADSL Router RPSysAdmin.HTML Cross-Site Scripting
  • Description: The Zyxel Prestige 660H-61 ADSL Router is a web-based forum application written in PHP. The device is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the "a" parameter of the "rpSysAdmin.html" script.
  • Ref: http://www.securityfocus.com/archive/1/441193

  • 06.30.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: GeoClassifieds Enterprise Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: GeoClassifieds Enterprise is a classified advertising script. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various parameters of the "index.php" script. GeoClassifieds Enterprise versions 2.0.5.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/441294

  • 06.30.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MusicBox Page Parameter SQL Injection
  • Description: MusicBox is a web-based application for hosting a music site. Insufficient sanitization of the "page" parameter of the "index.php" script exposes the application to an SQL injection issue. MusicBox version 2.3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/19129

  • 06.30.39 - CVE: CVE-2006-3851
  • Platform: Web Application - SQL Injection
  • Title: X7 Chat Upgradev1.PHP SQL Injection
  • Description: X7 Chat is a web-based chat application. It is exposed to an SQL injection issue due to insufficient sanitization of user-supplied input to the "step" parameter of the "upgradev1.php" script. X7 Chat versions 2.0.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19123

  • 06.30.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Etomite Index.PHP SQL Injection
  • Description: Etomite is a content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "username" parameter of the "manager/index.php" script. Etomite versions 0.6.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19150

  • 06.30.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHPBB-Auction Multiple SQL Injection Vulnerabilities
  • Description: PHPBB-Auction is a web-based auction site application. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input in a number of scripts. Versions 1.3 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19179

  • 06.30.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Vanilla CMS RootDirectory Remote File Include
  • Description: Vanilla CMS is a web-based content management system. It is prone to a remote file include vulnerability due to improper sanitization of user-supplied input to the "RootDirectory" parameter of the "upgrader.php" script. This issue affects version 1.0.1.
  • Ref: http://www.securityfocus.com/bid/19127

  • 06.30.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Multiple RadScript Products Authentication Bypass
  • Description: RadScript products are exposed to authentication bypass issues. These issues occur because the applications fail to prevent an attacker from accessing admin scripts directly without requiring authentication. RadNics Gold version 0, RadLance Gold version 7.0 and RadBids Gold version v2 are affected.
  • Ref: http://www.securityfocus.com/bid/19128

  • 06.30.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Apache Tomcat Information Disclosure Vulnerability
  • Description: Apache Tomcat is a servlet container for JavaServer Pages and Java Servlets. It is vulnerable to an information disclosure issue because it fails to correctly handle a request for a mapped file extension prepended with a semicolon. Apache Tomcat versions 5.028, 5.5.23, 5.5.9 and 5.5.7 are vulnerable.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0467.html

  • 06.30.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Chameleon LE Index.PHP Directory Traversal
  • Description: Chameleon LE is a web-based classified advertising application. It is prone to a directory traversal vulnerability, as the application fails to properly sanitize user-supplied input to the "rmid" parameter of "index.php". Chameleon version 1.203 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19107

  • 06.30.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Moodle Moodle.PHP Remote File Include
  • Description: Moodle is a module for the Mambo content management system. The Mambo Server component in Moodle is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter in the "moodle.php" script. Moodle version pre_alpha is vulnerable.
  • Ref: http://www.milw0rm.com/exploits/2066

  • 06.30.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Fire-Mouse TopList Add.PHP HTML Injection
  • Description: Fire-Mouse TopList is a script written in PHP. It is prone to an HTML injection vulnerability since it fails to sanitize HTML and script code from input submitted to the "Seitenname" variable of the "add.php" script. This issue affects version 1.1.
  • Ref: http://www.securityfocus.com/archive/1/440859

  • 06.30.48 - CVE: Not Available
  • Platform: Web Application
  • Title: MoSpray Component Multiple Remote File Include Vulnerabilities
  • Description: MoSpray is a software development tracking system available for Mambo and Joomla. It is affected by multiple file include issues due to insufficient sanitization of the "basedir" parameter in multiple php scripts. MoSpray version 1.8 RC1 is affected.
  • Ref: http://www.securityfocus.com/bid/19122

  • 06.30.49 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Live Css_Path Remote File Include
  • Description: PHP Live is a customer support application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "css_path" parameter of the "help.php" and "header.php" scripts. PHP Live version 3.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/440955

  • 06.30.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Micro Guestbook Add.PHP HTML Injection
  • Description: Micro Guestbook is a guestbook script written in PHP. It fails to properly sanitize HTML and script code from input submitted to the "name" and "comment" variables of the "add.php" script. Php Toys Micro Guestbook version 0 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19119

  • 06.30.51 - CVE: CVE-2006-3676
  • Platform: Web Application
  • Title: planetGallery Gallery_Admin.PHP Arbitrary File Upload
  • Description: planetGallery is a photo gallery application implemented in PHP. planetGallery is prone to an arbitrary file upload vulnerability. The issue resides in the "admin/gallery_admin.php" script when validating file types of the form "example.png.php". Versions 22.05.2006 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/440643

  • 06.30.52 - CVE: Not Available
  • Platform: Web Application
  • Title: MiniBB News.PHP Multiple Remote File Include Vulnerabilities
  • Description: MiniBB is a web-based forum application. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "news.php" script. MiniBB versions 1.5a and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/440875

  • 06.30.53 - CVE: Not Available
  • Platform: Web Application
  • Title: MultiBanner Component Extadminmenus.Class.PHP Remote File Include
  • Description: MultiBanner is a banner ad component available for Mambo and Joomla. It is prone to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter in the "extadminmenus.class.php" script. Versions 1.01 and prior are vulnerable to this issue.
  • Ref: msg://bugtraq/20060720165328.1005.qmail@securityfocus.com

  • 06.30.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Blackboard Academic Suite HTML Injection
  • Description: Blackboard Academic Suite is an online teaching application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the "View Attempt Details" portion of the application. This issue affects version 6.2.3.23.
  • Ref: http://www.securityfocus.com/archive/1/440888

  • 06.30.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Advanced Poll Common.Inc.PHP Remote File Include
  • Description: Advanced Poll is a user-feedback/polling application. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "base_path" parameter of the "common.inc.php" script. Advanced Poll version 2.02 is affected.
  • Ref: http://www.securityfocus.com/archive/1/440780

  • 06.30.56 - CVE: CVE-2006-2686
  • Platform: Web Application
  • Title: ActionApps Multiple Remote File Include Vulnerabilities
  • Description: ActionApps is a collaborative web-publishing tool. It is prone to multiple remote file include vulnerabilities, due to a failure in the application to properly sanitize user-supplied input in the "GLOBALS[AA_INC_PATH]" parameter of multiple scripts. ActionApps version 2.8.1 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19133

  • 06.30.57 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Forge Cfg_Racine Remote File Include
  • Description: PHP Forge is a web-based portal system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "cfg_racin" variable of the "inc/gabarits.php" script. PHP Forge versions 0.3 beta 2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19139

  • 06.30.58 - CVE: Not Available
  • Platform: Web Application
  • Title: LinksCaffe Multiple Input Validation Vulnerabilities
  • Description: LinksCaffe is a MySQL database driven link indexing script. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. LinksCaffe version 3.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19149

  • 06.30.59 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPSavant Savant2 Multiple Remote File Include Vulnerabilities
  • Description: Savant2 is a lightweight object oriented template system. It is prone to multiple remote file include vulnerabilities, due to a failure in the application to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter in a number of scripts. PHPSavant version 0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19151

  • 06.30.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Etomite CMS Rfiles.PHP Arbitrary File Upload
  • Description: Etomite CMS is a content management application. It is exposed to an input validation issue due to insufficient sanitization of user-supplied input to the "rfiles.php" script. Etomite version 0.6.1 is affected.
  • Ref: http://www.securityfocus.com/bid/19157

  • 06.30.61 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Pro Bid Multiple Input Validation Vulnerabilities
  • Description: PHP Pro Bid is a web based auction application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. PHP Pro Bid versions 5.24 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19158/info

  • 06.30.62 - CVE: Not Available
  • Platform: Web Application
  • Title: TP Book Guestbook.PHP HTML Injection
  • Description: TP Book is a web-based bulletin-board application implemented in PHP. It is prone to an HTML injection vulnerability, as it fails to properly sanitize user-supplied HTML and script code from input submitted to the "name" variable of the "guestbook.php" script. TP Book versions 1.00 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19159/info

  • 06.30.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Professional Homepage Tools Login Script Multiple HTML Injection Vulnerabilities
  • Description: Professional Homepage Tools Login Script is a web-based login administration and user registration application implemented in PHP. It is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input to unspecified input boxes in the user registration form.
  • Ref: http://www.securityfocus.com/bid/19161

  • 06.30.64 - CVE: Not Available
  • Platform: Web Application
  • Title: SD Studio CMS Multiple Input Validation Vulnerabilities
  • Description: SD Studio CMS is a web-based CMS system implemented in PHP. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/19173

  • 06.30.65 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenCMS Multiple Unauthorized Access Vulnerabilities
  • Description: OpenCMS is a content management application. The application is prone to multiple unauthorized access vulnerabilities because it fails to properly authenticate users when performing administrative tasks. An attacker may simply navigate to administrative sections of the application. Versions 6.2.1, 6.2, 6.04 and 6.03 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19174

  • 06.30.66 - CVE: Not Available
  • Platform: Web Application
  • Title: EzUpload Multiple Unauthorized Access Vulnerabilities
  • Description: EzUpload is a web-based file transfer application. It is vulnerable to multiple unauthorized access vulnerabilities due to insufficient handling of administrative scripts. EzUpload version 2.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/441172

  • 06.30.67 - CVE: Not Available
  • Platform: Web Application
  • Title: WMNews Base_Datapath Remote File Include
  • Description: WMNews is web-based news software. Insufficient sanitization of the "base_datapath" variable in the "index.php" script exposes the application to a remote file include issue. WMNews version 0.2a is affected.
  • Ref: http://www.milw0rm.com/exploits/2077

  • 06.30.68 - CVE: CVE-2006-3819
  • Platform: Web Application
  • Title: TWiki Configure Script TYPEOF Parameter Remote Command Execution
  • Description: TWiki is a web-based application that allows creation and maintenance of Web sites. It is vulnerable to a remote command execution issue because the application fails to sanitize the "TYPEOF" parameter. TWiki versions 04x00x03 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/2995

  • 06.30.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Bosdates Payment.PHP Remote File Include
  • Description: Bosdates is a web-based calendar application implemented in PHP. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "insPath" parameter of the "payment.php" script. Bosdates versions 4.0 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19191

  • 06.30.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Krusader Bookmark Manager Password Information Disclosure
  • Description: Krusader Bookmark Manager is prone to a local information disclosure issue because the application stores passwords of users in plaintext in the "krbookmarks.xml" file. Krusader Bookmark Manager versions 1.70.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19194

  • 06.30.71 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard UserCP.PHP Directory Traversal
  • Description: MyBulletinBoard is a web-based bulletin board application. The application is exposed to a directory traversal issue due to insufficient sanitization of user-supplied input to the "gallery" parameter of "usercp.php". MyBulletinBoard versions 1.1.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19195/info

  • 06.30.72 - CVE: Not Available
  • Platform: Web Application
  • Title: A6MamboHelpDesk Admin.a6mambohelpdesk.PHP Remote File Include
  • Description: A6MamboHelpDesk is a PHP based help desk module for the Mambo CMS. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter in the "admin.a6mambohelpdesk.php" script. A6MamboHelpDesk versions 18 RC1 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19198

  • 06.30.73 - CVE: Not Available
  • Platform: Network Device
  • Title: Multiple TippingPoint IPS Malformed Packet Detection Bypass
  • Description: TippingPoint Intrusion Prevention Systems (IPS) are network appliances that inspect and filter traffic. They are prone to a detection bypass vulnerability that is triggered when handling an unspecified malformed packet. TippingPoint Intrusion Prevention Systems with TOS versions 2.2.3.6514 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19125

  • 06.30.74 - CVE: Not Available
  • Platform: Network Device
  • Title: Siemens SpeedStream Wireless Router Denial of Service
  • Description: Siemens SpeedStream Wireless Routers are vulnerable to a remote denial of service issue due to insufficient handling of unspecified network traffic destined for the device's web interface. Siemens firmware versions 2624 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/440985

  • 06.30.75 - CVE: CVE-2006-3838
  • Platform: Network Device
  • Title: eIQnetworks Enterprise Security Analyzer License Manager Remote Buffer Overflow
  • Description: eIQnetworks Enterprise Security Analyzer is a distributed enterprise security application. It is prone to a remote buffer overflow vulnerability. The vulnerability exists in "EnterpriseSecurityAnalyzer.exe" and presents itself when the application handles excessive string values supplied as an argument to the "LICMGR_ADDLICENSE" command. The "EnterpriseSecurityAnalyzer.exe" process listens on TCP port 10616. Authentication is not required by default. Enterprise Security Analyzer versions prior to 2.5.0 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19163

  • 06.30.76 - CVE: Not Available
  • Platform: Network Device
  • Title: Internet Security Systems SMB Mailslot Parsing Denial of Service
  • Description: The Internet Security Systems implementation of SMB/TCP Mailslot is prone to a denial of service due to a design error when dealing with certain legitimate SMB Mailslot traffic. See the referenced advisory for further details.
  • Ref: http://xforce.iss.net/xforce/alerts/id/230

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.