@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

• (1) CRITICAL: Microsoft Server Service Remote Code Execution (MS06-040)
• (2) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS06-042)
• (3) CRITICAL: Microsoft MHTML Link Parsing Remote Code Execution (MS06-043)
• (4) CRITICAL: Microsoft HTML Help ActiveX Component Remote Code Execution (MS06-046)
• (5) CRITICAL: Clam AntiVirus UPX Decompression Remote Code Execution
• (6) CRITICAL: McAfee Subscription Manager ActiveX Component Remote Code Execution
• (7) HIGH: Microsoft Management Console Remote Code Execution (MS06-044)
• (8) HIGH: Microsoft Windows Explorer Remote Code Execution (MS06-045)
• (9) HIGH: Microsoft Windows Hyperlink Object Library Multiple Remote Code Execution Vulnerabilities (MS06-050)
• (10) HIGH: Barracuda Spam Firewall Remote Command Injection
• (11) MODERATE: Microsoft DNS Multiple Remote Code Execution Vulnerabilities (MS06-041)
• (12) MODERATE: Microsoft Office Visual Basic Remote Code Execution (MS06-047)
• (13) MODERATE: Microsoft PowerPoint BIFF File Format Remote Code Execution (MS06-048)
• (14) MODERATE: Microsoft Kernel Remote Code Execution Vulnerability (MS06-051)
• (15) MODERATE: SAP Internet Graphics Service Undisclosed Remote Buffer Overflow
• (16) MODERATE: Ruby-on-Rails Remote Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 06.32.1 - Microsoft Windows Explorer GDI32.DLL WMF Remote Denial of Service
• 06.32.2 - Microsoft Internet Explorer HTML Layout and Positioning Remote Code Execution
• 06.32.3 - Microsoft Internet Explorer Chained Cascading Style Sheets Remote Code Execution
• 06.32.4 - Microsoft Winsock Gethostbyname Buffer Overflow
• 06.32.5 - Internet Explorer COM Object Instantiation Code Execution
• 06.32.6 - Windows User Profile Privilege Escalation
• 06.32.7 - Microsoft Windows Unhandled Exception Remote Code Execution
• 06.32.8 - Microsoft Windows 2000 Kernel Local Privilege Escalation
• 06.32.9 - Microsoft Windows Explorer Drag and Drop Remote Code Execution
• 06.32.10 - Microsoft Windows DNS Client Buffer Overrun
• 06.32.11 - Microsoft Hyperlink Object Library Function Remote Buffer Overflow
• 06.32.12 - Windows Server Service Remote Buffer Overflow
• 06.32.13 - Microsoft Management Console Zone Bypass

Microsoft Office

• 06.32.14 - Powerpoint Remote Code Execution

Other Microsoft Products

• 06.32.15 - Internet Explorer IFrame Refresh Denial of Service
• 06.32.16 - Internet Explorer Window Location Cross-Domain Information Disclosure
• 06.32.17 - Internet Explorer Source Element Cross-Domain Information Disclosure
• 06.32.18 - Microsoft Visual Basic for Applications Document Check Buffer Overflow

Third Party Windows Apps

• 06.32.19 - LHAZ LHA Long Multiple Buffer Overflow Vulnerabilities
• 06.32.20 - Computer Associates Virus Definition Downgrade
• 06.32.21 - EasyCafe Security Restriction Bypass
• 06.32.22 - eIQnetworks Enterprise Security Analyzer Monitoring.EXE Multiple Buffer Overflow Vulnerabilities
• 06.32.23 - OpenMPT Multiple Remote Code Execution Vulnerabilities
• 06.32.24 - IrfanView ANI Image File Denial of Service

Linux

• 06.32.25 - DConnect Daemon Multiple Format String Vulnerabilities
• 06.32.26 - Linux Kernel NFS and EXT3 Combination Remote Denial of Service
• 06.32.27 - Ncompress Decompress Buffer Underflow

Solaris

• 06.32.28 - Sun Ray UTXConfig Local Arbitrary File Overwrite

Unix

• 06.32.29 - LessTif Debug Feature Local Arbitrary File Creation

Cross Platform

• 06.32.30 - Yahoo! Messenger File Extension Spoofing
• 06.32.31 - Clam Anti-Virus ClamAV UPX Compressed PE File Heap Buffer Overflow
• 06.32.32 - XChat Remote Denial of Service
• 06.32.33 - MIT Kerberos 5 Multiple Local Privilege Escalation Vulnerabilities
• 06.32.34 - Apache CGI Script Source Code Information Disclosure

Web Application - Cross Site Scripting

• 06.32.35 - CakePHP Error.PHP Multiple Cross-Site Scripting Vulnerabilities
• 06.32.36 - Tinyportal Guestbook Multiple HTML Injection Vulnerabilities
• 06.32.37 - VBulletin Multiple Cross-Site Scripting Vulnerabilities
• 06.32.38 - DeluxeBB Newpost.PHP Cross-Site Scripting
• 06.32.39 - Simplog Archive.PHP Cross-Site Scripting

Web Application - SQL Injection

• 06.32.40 - XennoBB Profile.PHP Multiple SQL Injection Vulnerabilities
• 06.32.41 - Pike Unspecified SQL Injection
• 06.32.42 - The Address Book Login Page Multiple SQL Injection Vulnerabilities
• 06.32.43 - MyBloggie Trackback.PHP Multiple SQL Injection Vulnerabilities
• 06.32.44 - YenerTurK Haber Default.ASP SQL Injection
• 06.32.45 - Netious CMS Username Parameter SQL Injection
• 06.32.46 - Drupal Jobsearch Module SQL Injection
• 06.32.47 - CLUB Nuke Multiple SQL Injection Vulnerabilities

Web Application

• 06.32.48 - JD Wiki For Joomla Main.PHP Remote File Include
• 06.32.49 - YaBB Unauthorized Access
• 06.32.50 - PHPCC Base_Dir Parameter Remote File Include
• 06.32.51 - NEWSolved ABS_Path Parameter Remote File Include
• 06.32.52 - CA eTrust Antivirus WebScan Remote Buffer Overflow
• 06.32.53 - Eremove Gui.CPP Remote Buffer Overflow
• 06.32.54 - PHPAutoMembersArea Auto_Check_Renewals.PHP Remote File Include
• 06.32.55 - PHPCodeCabinet Core.PHP Remote File Include
• 06.32.56 - TurnkeyWebTools PHP Simple Shop Multiple Remote File Include Vulnerabilities
• 06.32.57 - SAPID Products Multiple Remote File Include Vulnerabilities
• 06.32.58 - Torbstoff News News.PHP Remote File Include
• 06.32.59 - VWar Multiple Remote File Include Vulnerabilities
• 06.32.60 - Simple CMS Auth.PHP Remote Authentication Bypass
• 06.32.61 - FTD Search Box HTML Injection
• 06.32.62 - Blur6ex Title HTML Injection
• 06.32.63 - Visual Events Calendar Calendar.PHP Remote File Include
• 06.32.64 - phpPrintAnalyzer Index.php Remote File Include
• 06.32.65 - CA eTrust Antivirus WebScan Malicious Update Code Execution
• 06.32.66 - PHP SSCANF() Safe_Mode Restriction Bypass
• 06.32.67 - DeluxeBB PM.PHP Unauthorized Access
• 06.32.68 - phNNTP File_newsportal Remote File Include
• 06.32.69 - Netious CMS Authorization Bypass
• 06.32.70 - Drupal Recipe Module HTML Injection
• 06.32.71 - ColdFusion AdminAPI Authentication Bypass
• 06.32.72 - Docpile Init_path Parameter Multiple Remote File Include Vulnerabilities
• 06.32.73 - MojoGallery Multiple HTML Injection Vulnerabilities
• 06.32.74 - Archangel Weblog Multiple HTML Injection Vulnerabilities
• 06.32.75 - Comet WebFileManager CheckUpload.PHP Remote File Include
• 06.32.76 - Hitweb REP_INC Remote File Include
• 06.32.77 - SmartSiteCMS Admin.PHP Authentication Bypass
• 06.32.78 - Simple One File Guestbook Security Bypass
• 06.32.79 - CivicSpace Multiple HTML Injection
• 06.32.80 - PgMarket Common.Inc.PHP Remote File Include
• 06.32.81 - Boite de News Remote File Include
• 06.32.82 - Drupal Bibliography Multiple Input Validation Vulnerabilities
• 06.32.83 - See-Commerce Owimg.PHP Remote File Include
• 06.32.84 - XennoBB Profile.PHP Directory Traversal
• 06.32.85 - MyBloggie Mybloggie_Root_Path Parameter Multiple Remote File Include
• 06.32.86 - AlsaPlayer Multiple Buffer Overflow Vulnerabilities
• 2006-4030 - Gallery Stats Module Information Disclosure
• 06.32.88 - PHPMyRing IDSITE SQL Injection
• 06.32.89 - Mafia Moblog Big.PHP Remote File Include
• 06.32.90 - SaveWebPortal Page Parameter Remote File Include
• 06.32.91 - Tagger LE Tags.PHP Remote File Include
• 06.32.92 - Spaminator Page Parameter Remote File Include
• 06.32.93 - PHPWCMS Multiple Remote File Include Vulnerabilities
• 06.32.94 - PHPPrintAnalyzer Header.inc.PHP Remote File Include

Network Device

• 06.32.95 - Linksys WRT54GS POST Request Configuration Change Authentication Bypass

Hardware

• 06.32.96 - ArcSoft MMS Composer Multiple Vulnerabilities

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 32, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5121 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 06.32.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows Explorer GDI32.DLL WMF Remote Denial of Service
• Description: Microsoft Windows Explorer is reportedly prone to a remote denial of service issue. Please refer to the advisory for further details.
• Ref: http://www.securityfocus.com/archive/1/442426

• 06.32.2 - CVE: CVE-2006-3450
• Platform: Windows
• Title: Microsoft Internet Explorer HTML Layout and Positioning Remote Code Execution
• Description: Microsoft Internet Explorer is prone to a remote code execution vulnerability. The issue is caused by an HTML rendering problem, and can be exploited by enticing a victim into visiting a malicious web page. Versions of Internet Explorer on Windows 2000, Windows XP, and Windows Server 2003 are reported as vulnerable.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

• 06.32.3 - CVE: CVE-2006-3451
• Platform: Windows
• Title: Microsoft Internet Explorer Chained Cascading Style Sheets Remote Code Execution
• Description: Microsoft Internet Explorer is prone to a remote code execution vulnerability that is related to how the browser handles chained CSS (Cascading Style Sheets). It can be exploited by a user viewing a malicious web page. This issue affects Internet Explorer on Windows 2000, Windows XP excluding XP SP2, and Windows Server 2003.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

• 06.32.4 - CVE: CVE-2006-3440
• Platform: Windows
• Title: Microsoft Winsock Gethostbyname Buffer Overflow
• Description: The Microsoft Winsock API is exposed to a buffer overflow issue. Please refer to the advisory for further details.
• Ref: http://www.microsoft.com/technet/security/bulletin/MS06-041.mspx

• 06.32.5 - CVE: CVE-2006-3638
• Platform: Windows
• Title: Internet Explorer COM Object Instantiation Code Execution
• Description: Microsoft Internet Explorer is exposed to a memory corruption issue that is related to the instantiation of COM objects. This issue results from a design error. Please refer to the advisroy for further details.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

• 06.32.6 - CVE: CVE-2006-3443, CVE-2006-3648:
• Platform: Windows
• Title: Windows User Profile Privilege Escalation
• Description: Microsoft Windows is vulnerable to a local privilege escalation issue due to an insecure search path for the WinLogon facility. Please see the advisory for further details.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-051.mspx

• 06.32.7 - CVE: CVE-2006-3648
• Platform: Windows
• Title: Microsoft Windows Unhandled Exception Remote Code Execution
• Description: Microsoft Windows is prone to a remote code execution vulnerability that is caused by an error in how chained exceptions are unloaded by the operating system. This vulnerability could be exploited by a malicious web page, with a successful exploit completely compromising the affected computer. Multiple versions of Windows XP, 2000, and 2003 are reported as vulnerable.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-051.mspx

• 06.32.8 - CVE: CVE-2006-3444
• Platform: Windows
• Title: Microsoft Windows 2000 Kernel Local Privilege Escalation
• Description: A local privilege escalation vulnerability exists in Microsoft Windows 2000 that seems to be caused by insufficient checking of an input buffer size in the kernel, and can result in the complete compromise of a vulnerable system. Windows 2000 SP4 is reported as vulnerable.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-049.mspx

• 06.32.9 - CVE: CVE-2006-3281
• Platform: Windows
• Title: Microsoft Windows Explorer Drag and Drop Remote Code Execution
• Description: Microsoft Windows is exposed to a remote code execution issue. This issue affects the Windows Explorer component. This issue is caused by insecure handling of drag and drop events. Please refer to the advisory for further details.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-045.mspx

• 06.32.10 - CVE: CVE-2006-3441
• Platform: Windows
• Title: Microsoft Windows DNS Client Buffer Overrun
• Description: Microsoft Windows is exposed to a remotely exploitable buffer overrun condition in the DNS client. Please refer to the advisory for further details.
• Ref: http://www.microsoft.com/technet/security/bulletin/MS06-041.mspx

• 06.32.11 - CVE: CVE-2006-3438
• Platform: Windows
• Title: Microsoft Hyperlink Object Library Function Remote Buffer Overflow
• Description: Microsoft's Hyperlink Object Library (HLINK.DLL) is a library used to handle operations involving URIs. It is vulnerable to a buffer overflow issue when applications utilizing the affected library attempt to process malformed URIs. See the advisory for further details.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-050.mspx

• 06.32.12 - CVE: Not Available
• Platform: Windows
• Title: Windows Server Service Remote Buffer Overflow
• Description: Microsoft Windows Server Service facilitates sharing of local resources over the network including RPC support, file, printer, and named pipe sharing. It is affected by a remote buffer overflow issue. Please see the attached advisory for details.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx

• 06.32.13 - CVE: CVE-2006-3643
• Platform: Windows
• Title: Microsoft Management Console Zone Bypass
• Description: Microsoft Management console is an integrated administration user interface and administration model for Windows-based environments. It is prone to a cross-zone scripting vulnerability, due to the operating system allowing MMC files to be referenced from the Internet Zone in some cases. A successful exploit could completely compromise the computer. Windows 2000 SP4 is reported as vulnerable.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx

• 06.32.14 - CVE: CVE-2006-3449
• Platform: Microsoft Office
• Title: Powerpoint Remote Code Execution
• Description: Microsoft PowerPoint is vulnerable to a remote code execution when the application handles malformed record data within a presentation file. See the advisory for futher details.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx

• 06.32.15 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Internet Explorer IFrame Refresh Denial of Service
• Description: Microsoft Internet Explorer is prone to a denial of service issue when handling malicious HTML files. The issue is exposed when when trying to refresh an iframe containing an XML file. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/19364/info

• 06.32.16 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Internet Explorer Window Location Cross-Domain Information Disclosure
• Description: Microsoft Internet Explorer is prone to a cross-domain information disclosure issue. The vulnerability occurs because it is possible to persist script across navigations. As a result a malicious page may gain access to the "window.location" of a web page in another domain or Internet Explorer zone. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/19339

• 06.32.17 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Internet Explorer Source Element Cross-Domain Information Disclosure
• Description: Microsoft Internet Explorer is prone to an information disclosure issue because it fails to properly enforce cross-domain policies. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/19400

• 06.32.18 - CVE: CVE-2006-3649
• Platform: Other Microsoft Products
• Title: Microsoft Visual Basic for Applications Document Check Buffer Overflow
• Description: Microsoft Visual Basic for Applications (VBA) is a development platform implemented by various applications. It is vulnerable to a buffer overflow vulnerability that is caused by insufficient bounds checking when the application parses the properties of a malicious document that supports VBA. The issue exists in all applications that implement the use of VBA, such as Microsoft Office products, except for Office 2003 SP1 and SP2.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-047.mspx

• 06.32.19 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: LHAZ LHA Long Multiple Buffer Overflow Vulnerabilities
• Description: LHAZ is a file extractor application. It is vulnerable to multiple buffer overflow issues due to insufficient boundary checking. LHAZ versions 1.31 and earlier are vulnerable.
• Ref: http://vuln.sg/lhaz131-en.html

• 06.32.20 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Computer Associates Virus Definition Downgrade
• Description: Computer Associates WebScan is a web-based virus scanner. It is exposed to a flaw which could cause the application's virus definitions to become downgraded to a previous version. Computer Associates WebScan version 1.1.0.1047 and 1.1.0.1045 are affected.
• Ref: http://www.securityfocus.com/archive/1/442476

• 06.32.21 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: EasyCafe Security Restriction Bypass
• Description: EasyCafe is an internet cafe management system. It is vulnerable to a security restriction bypass issue because the application fails to prevent an attacker from gaining unauthorized access to a client computer. EasyCafe versions 2.1.7 to 2.2.14 are vulnerable.
• Ref: http://www.securityfocus.com/bid/19401

• 06.32.22 - CVE: CVE-2006-3838
• Platform: Third Party Windows Apps
• Title: eIQnetworks Enterprise Security Analyzer Monitoring.EXE Multiple Buffer Overflow Vulnerabilities
• Description: eIQnetworks Enterprise Security Analyzer is a distributed application for enterprise security. It is exposed to multiple remote buffer overflow issues. Enterprise Security Analyzer versions earlier to 2.5.0 are affected.
• Ref: http://www.tippingpoint.com/security/advisories/TSRT-06-07.html

• 06.32.23 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: OpenMPT Multiple Remote Code Execution Vulnerabilities
• Description: OpenMPT is an audio application. It is vulnerable to multiple remote code execution vulnerabilities due to insufficient boundary checking. OpenMPT versions 1.17.02.43 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/442721

• 06.32.24 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: IrfanView ANI Image File Denial of Service
• Description: IrfanView is a graphics image manipulation application. It is affected by a denial of service issue because of an error in processing of malformed "ANI" image files. IrfanView version 3.98.0 is affected.
• Ref: http://www.securityfocus.com/bid/19443

• 06.32.25 - CVE: Not Available
• Platform: Linux
• Title: DConnect Daemon Multiple Format String Vulnerabilities
• Description: DConnect Daemon is a P2P server for the direct connection protocol. It is vulnerable to multiple remote format string issues due to insufficient sanitization of user-supplied input to various functions. DConnect versions 0.7.0 and earlier are vulnerable.
• Ref: http://aluigi.altervista.org/adv/dconnx-adv.txt

• 06.32.26 - CVE: CVE-2006-3468
• Platform: Linux
• Title: Linux Kernel NFS and EXT3 Combination Remote Denial of Service
• Description: The Linux kernel is susceptible to a remote denial of service vulnerability, due to a failure of the EXT3 filesystem code to properly handle unexpected conditions in malformed "iget()" requests. Versions 2.6.17.7 and prior are reported as vulnerable.
• Ref: http://bugzilla.kernel.org/show_bug.cgi?id=6828

• 06.32.27 - CVE: CVE-2006-1168
• Platform: Linux
• Title: Ncompress Decompress Buffer Underflow
• Description: Ncompress is a compression utility. It is vulnerable to a buffer underflow issue caused by a boundary error in the "decompress()" routine in "compress42.c" code. Ncompress versions 4.2.4 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/19455

• 06.32.28 - CVE: Not Available
• Platform: Solaris
• Title: Sun Ray UTXConfig Local Arbitrary File Overwrite
• Description: The utxconfig utility is the Sun Ray DTU X server configuration utility. Due to an unspecified input sanitization failure, it is prone to a vulnerability that may permit local attackers the ability to create or overwrite arbitrary files. Sun Ray Server Software 3.0 is reported as vulnerable.
• Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101924-1&searchclau
  se=

• 06.32.29 - CVE: Not Available
• Platform: Unix
• Title: LessTif Debug Feature Local Arbitrary File Creation
• Description: LessTif is a freely-available implementation of the OSF/Motif GUI framework. It is susceptible to a local arbitrary file creation vulnerability that only presents itself when the library is compiled without the "LESSTIF_PRODUCTION" definition. This allows an attacker to set the "DEBUG_FILE" environment variable, which allows the writing of arbitrary files. Version 0.93.94 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19430

• 06.32.30 - CVE: Not Available
• Platform: Cross Platform
• Title: Yahoo! Messenger File Extension Spoofing
• Description: Yahoo Messenger is exposed to a remote file extension spoofing issue due to a design error that facilitates the spoofing of file name extensions. Yahoo! Messenger version 8.0.0.863 is affected.
• Ref: http://www.securityfocus.com/bid/19353

• 06.32.31 - CVE: Not Available
• Platform: Cross Platform
• Title: Clam Anti-Virus ClamAV UPX Compressed PE File Heap Buffer Overflow
• Description: ClamAV is an antivirus application. It is affecetd by a heap overflow issue due to the application's failure to properly user supplied data. ClamAV versions 0.88.2 and 0.88.3 are vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/19381

• 06.32.32 - CVE: Not Available
• Platform: Cross Platform
• Title: XChat Remote Denial of Service
• Description: XChat is prone to a remote denial of service issue when private (PRIVMSG) messages containing malformed data are sent to vulnerable clients. XChat version 2.6.7 is affected.
• Ref: http://www.securityfocus.com/bid/19398

• 06.32.33 - CVE: Not Available
• Platform: Cross Platform
• Title: MIT Kerberos 5 Multiple Local Privilege Escalation Vulnerabilities
• Description: MIT Kerberos 5 is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. It is affected by multiple local privilege escalation issues because it fails to properly implement privilege dropping functionality when used in conjunction with Linux 2.6 kernels or with AIX operating systems. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/19427

• 06.32.34 - CVE: Not Available
• Platform: Cross Platform
• Title: Apache CGI Script Source Code Information Disclosure
• Description: Apache is exposed to an information disclosure issue. The problem occurs when the application receives request for a CGI script file. The application fails to properly handle the request and returns the script source instead of executing it. Apache version 2.2.2 for Microsoft Windows is affected.
• Ref: http://www.securityfocus.com/bid/19447

• 06.32.35 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: CakePHP Error.PHP Multiple Cross-Site Scripting Vulnerabilities
• Description: CakePHP is a content management application. It is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize input for several unspecified parameters in the "error.php" script. Versions 1.1.6.3264 and prior are reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19372

• 06.32.36 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Tinyportal Guestbook Multiple HTML Injection Vulnerabilities
• Description: Tinyportal is a web forum application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input to the in the "message" and the "email" fields. Tiny Portal version 0.8.6 is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/442308

• 06.32.37 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: VBulletin Multiple Cross-Site Scripting Vulnerabilities
• Description: vBulletin is a web-based forum application implemented in PHP. It is prone to multiple cross-site scripting vulnerabilities, as it fails to properly sanitize user-supplied input to the "temp[csscolors]" parameter of the "global.php" script and to the "stylevar[right]" parameter of the "adminfunction.php" script. Version 3.0.14 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19358

• 06.32.38 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: DeluxeBB Newpost.PHP Cross-Site Scripting
• Description: DeluxeBB is a web-based message board application implemented in PHP. It is prone to a cross-site scripting vulnerability, due to a failure in the application to properly sanitize user-supplied input to the "title" parameter of a new topic in "postnew.php". Version 1.08 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19390

• 06.32.39 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Simplog Archive.PHP Cross-Site Scripting
• Description: Simplog is a web-log application, written in PHP. It is prone to a cross-site scripting vulnerability, due to a failure to properly sanitize user-supplied input to the "keyw" parameter of the "archive.php" script. Version 0.9.3.1 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19411

• 06.32.40 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: XennoBB Profile.PHP Multiple SQL Injection Vulnerabilities
• Description: XennoBB is web-based bulletin-board software. It is exposed to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "bday_day", "bday_month" and "bday_year" parameters of "profile.php" script. XennoBB version 2.1.0 is affected.
• Ref: http://www.securityfocus.com/archive/1/442423

• 06.32.41 - CVE: CVE-2006-4041
• Platform: Web Application - SQL Injection
• Title: Pike Unspecified SQL Injection
• Description: Pike is a general purpose programming language. It is vulnerable to an SQL injection issue because it fails to properly sanitize user-supplied input to an unspecified parameter before using it in an SQL query. Pike versions 7.6.85 and earlier are vulnerable.
• Ref: http://pike.ida.liu.se/download/notes/7.6.86.xml

• 06.32.42 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: The Address Book Login Page Multiple SQL Injection Vulnerabilities
• Description: The Address Book is an open source address management system, implemented in PHP. It is prone to several SQL injection vulnerabilities because it fails to properly sanitize user-supplied input in multiple unspecified parameters and scripts. Version 1.04e is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19378

• 06.32.43 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: MyBloggie Trackback.PHP Multiple SQL Injection Vulnerabilities
• Description: MyBloggie is a PHP based weblog application. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize input for a number of parameters within the "trackback.php" script. Versions 2.1.4 and prior are reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19362

• 06.32.44 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: YenerTurK Haber Default.ASP SQL Injection
• Description: YenerTurK Haber is a web-based script. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "default.asp" script. YenerTurk Haber Script version 1.0 is vulnerable.
• Ref: http://www.securityfocus.com/bid/19393/info

• 06.32.45 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Netious CMS Username Parameter SQL Injection
• Description: Netious CMS is a content management application. It is exposed to an SQL injection issue due to insufficient sanitization of user-supplied input to the "Username" parameter of the application's login page. Netious CMS version 0.4 is affected.
• Ref: http://www.securityfocus.com/bid/19419

• 06.32.46 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Drupal Jobsearch Module SQL Injection
• Description: Drupal Jobsearch Module is a component of the Drupal content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to an unspecified parameter. Drupal Jobsearch Module versions 4.6 revision 1.3.2.0 and earlier are vulnerable.
• Ref: http://drupal.org/node/77537

• 06.32.47 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: CLUB Nuke Multiple SQL Injection Vulnerabilities
• Description: CLUB Nuke is a content management system. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to various scripts. CLUB Nuke versions v2.0 LCID 2048 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/19442

• 06.32.48 - CVE: Not Available
• Platform: Web Application
• Title: JD Wiki For Joomla Main.PHP Remote File Include
• Description: JD-Wiki is a component for the Joomla content management system. It is affected by a remote file include issue to insufficient sanitization of the "mosConfig_absolute_path" parameter of the "main.php" script. Versions 1.0.2 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/19364/info

• 06.32.49 - CVE: Not Available
• Platform: Web Application
• Title: YaBB Unauthorized Access
• Description: YaBB is a web forum application. It is vulnerable an unauthorized access issue due to failing to properly secure sensitive information in the cookie. YaBB versions Y1Gold_Beta 2.0 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/19366

• 06.32.50 - CVE: Not Available
• Platform: Web Application
• Title: PHPCC Base_Dir Parameter Remote File Include
• Description: PHPCC is a web-based content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "base_dir" parameter of the "login.php", "reactivate.php", and "register.php" scripts. PHPCC versions Beta4.2 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/442428

• 06.32.51 - CVE: Not Available
• Platform: Web Application
• Title: NEWSolved ABS_Path Parameter Remote File Include
• Description: NEWSolved is a web-based news script. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "abs_path" parameter of several scripts. Version 1.9.2 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19379

• 06.32.52 - CVE: CVE-2006-3975
• Platform: Web Application
• Title: CA eTrust Antivirus WebScan Remote Buffer Overflow
• Description: CA eTrust Antivirus WebScan is a web-based virus scanner. It is prone to a remote buffer overflow vulnerability due to an unspecified bounds checking error. Versions 1.1.0.1047 and prior are reported as vulnerable.
• Ref: http://www.tippingpoint.com/security/advisories/TSRT-06-06.html

• 06.32.53 - CVE: Not Available
• Platform: Web Application
• Title: Eremove Gui.CPP Remote Buffer Overflow
• Description: Eremove is an application that allows users to access a POP3 account to view and delete emails. It is affected by a buffer overflow issue when processing an overly large message body. Version 1.4 is affected.
• Ref: http://www.securityfocus.com/bid/19352

• 06.32.54 - CVE: Not Available
• Platform: Web Application
• Title: PHPAutoMembersArea Auto_Check_Renewals.PHP Remote File Include
• Description: PHPAutoMembersArea is a script to automate adding/removing members from a site. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "installed_config_file" parameter of the "auto_check_renewals.php" script. PHPAutoMembersArea versions 3.2.4 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/442242

• 06.32.55 - CVE: Not Available
• Platform: Web Application
• Title: PHPCodeCabinet Core.PHP Remote File Include
• Description: PHPCodeCabinet is a PHP based web application that allows software developers to store code snippets from any language. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "BEAUT_PATH" parameter of the "Core.PHP" script. Versions 0.5 and prior are reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19359

• 06.32.56 - CVE: Not Available
• Platform: Web Application
• Title: TurnkeyWebTools PHP Simple Shop Multiple Remote File Include Vulnerabilities
• Description: PHP Simple Shop is a web-based ecommerce application. It is exposed to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "abs_path" parameter of various scripts. Simple Shop version 2.0 is affected.
• Ref: http://www.securityfocus.com/bid/19382

• 06.32.57 - CVE: CVE-2006-4026
• Platform: Web Application
• Title: SAPID Products Multiple Remote File Include Vulnerabilities
• Description: SAPID applications are web-based. Multiple SAPID applications are vulneable to multiple remote file include issues. See advisory for further details.
• Ref: http://www.securityfocus.com/archive/1/442425

• 06.32.58 - CVE: CVE-2006-4045
• Platform: Web Application
• Title: Torbstoff News News.PHP Remote File Include
• Description: Torbstoff News is a web-based news script. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "pfad" parameter of the "news.php" script. Torbstoff News version 4 is vulnerable.
• Ref: http://www.securityfocus.com/bid/19385

• 06.32.59 - CVE: Not Available
• Platform: Web Application
• Title: VWar Multiple Remote File Include Vulnerabilities
• Description: VWar is a team organizer application written in PHP. It is prone to multiple remote file include vulnerabilities that are due to a failure in the application to properly sanitize input to the "vwar_path" parameter of a number of scripts. Version 1.5 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19387

• 06.32.60 - CVE: Not Available
• Platform: Web Application
• Title: Simple CMS Auth.PHP Remote Authentication Bypass
• Description: Simple CMS is a content management application, written in PHP. It is prone to an authentication bypass vulnerability due to a flaw in the "auth.php" script that allows an attacker to set the "loggedin" parameter to "1", thus authenticating as an administrative user. Version 0 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19386

• 06.32.61 - CVE: Not Available
• Platform: Web Application
• Title: FTD Search Box HTML Injection
• Description: FTD is a content filter system. Insufficient sanitization of the "search" input field exposes the application to an HTML injection issue. FTD versions 3.7.3 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/19391

• 06.32.62 - CVE: Not Available
• Platform: Web Application
• Title: Blur6ex Title HTML Injection
• Description: Blur6ex is a content management system. It is exposed to an HTML injection issue due to insufficient sanitization of user-supplied input before using it in dynamically generated content. Blur6ex version 0.3 is affected.
• Ref: http://www.securityfocus.com/archive/1/442435

• 06.32.63 - CVE: CVE-2006-4060
• Platform: Web Application
• Title: Visual Events Calendar Calendar.PHP Remote File Include
• Description: Visual Events Calendar is an event calendar application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "cfg_dir" parameter in the "calendar.php" script. Visual Events Calendar version 1.1 is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/442468

• 06.32.64 - CVE: Not Available
• Platform: Web Application
• Title: phpPrintAnalyzer Index.php Remote File Include
• Description: phpPrintAnalyzer is a PHP-based system that analyzes page logs and gets HTML graphics for the CUPS System. It is prone to a remote file include vulnerability because the application fails to properly sanitize user-supplied input to the "rep_par_rapport_racine" parameter in the "index.php" script. Version 1.1 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19397

• 06.32.65 - CVE: CVE-2006-3976, CVE-2006-3977
• Platform: Web Application
• Title: CA eTrust Antivirus WebScan Malicious Update Code Execution
• Description: CA eTrust Antivirus WebScan is a web-based virus scanner. It is vulnerable to a remote code execution issue because it fails to properly validate parameters supplied to the WebScan ActiveX control. CA eTrust Antivirus WebScan versions 1.1.0.1047 and earlier are vulnerable.
• Ref: http://www.tippingpoint.com/security/advisories/TSRT-06-05.html

• 06.32.66 - CVE: Not Available
• Platform: Web Application
• Title: PHP SSCANF() Safe_Mode Restriction Bypass
• Description: PHP is exposed to a "safe_mode" restriction bypass issue. This issue arises when the "sscanf()" function of the "scanf.c" source file handles a format specifier in the form of "s". This may allow attackers to bypass "safe_mode" and gain unauthorized read/write access to the data. PHP versions 4.4.3 and 5.1.4 are affected.
• Ref: http://bugs.php.net/bug.php?id=38322

• 06.32.67 - CVE: Not Available
• Platform: Web Application
• Title: DeluxeBB PM.PHP Unauthorized Access
• Description: DeluxeBB is a web bulletin board. Insufficient sanitization of the "membercookie" cookie parameter exposes the application to an unauthorized access vulenrability. DeluxeBB version 1.08 is affected.
• Ref: http://www.securityfocus.com/bid/19418

• 06.32.68 - CVE: Not Available
• Platform: Web Application
• Title: phNNTP File_newsportal Remote File Include
• Description: phNNTP is a web-based NNTP portal application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "file_newsportal" variable of the "article-raw.php" script. phNNTP version 1.3 is vulnerable.
• Ref: http://www.securityfocus.com/bid/19423

• 06.32.69 - CVE: Not Available
• Platform: Web Application
• Title: Netious CMS Authorization Bypass
• Description: Netious CMS is a content management application. It is exposed to an authorization bypass vulnerability because it fails to properly authenticate administrative users. Netious CMS version 0.4 is affected.
• Ref: http://www.securityfocus.com/bid/19421

• 06.32.70 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Recipe Module HTML Injection
• Description: Drupal Recipe Module is a component of the Drupal content management system. It is affected by an HTML injection issue due to insufficient sanitization of user-supplied input. Drupal versions 1.54 are earlier are affected.
• Ref: http://www.securityfocus.com/bid/19422

• 06.32.71 - CVE: CVE-2006-3979
• Platform: Web Application
• Title: ColdFusion AdminAPI Authentication Bypass
• Description: ColdFusion is an application server and software development framework. It is vulnerable to an authentication bypass issue because the application fails to verify that users have proper credentials before allowing administrative calls to the "AdminAPI" code. ColdFusion MX versions 7.0.2 and earlier are vulnerable.
• Ref: http://www.adobe.com/support/security/bulletins/apsb06-10.html

• 06.32.72 - CVE: Not Available
• Platform: Web Application
• Title: Docpile Init_path Parameter Multiple Remote File Include Vulnerabilities
• Description: Docpile is a web-based document management application. It is prone to multiple remote file include vulnerabilities because the application fails to properly sanitize user-supplied input to the "INIT_PATH" parameter of several scripts. Version 0.2.2 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19428

• 06.32.73 - CVE: Not Available
• Platform: Web Application
• Title: MojoGallery Multiple HTML Injection Vulnerabilities
• Description: MojoGallery is a web forum. It is exposed to multiple HTML injection issues due to insufficient sanitization of user-supplied input to the username and password input boxes on the "admin.cgi" page. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/19431

• 06.32.74 - CVE: Not Available
• Platform: Web Application
• Title: Archangel Weblog Multiple HTML Injection Vulnerabilities
• Description: Archangel Weblog is prone to multiple HTML injection issues because it fails to properly sanitize the "name" and the "comment" variables. Archangel Weblog versions 0.90.02 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/19432

• 06.32.75 - CVE: Not Available
• Platform: Web Application
• Title: Comet WebFileManager CheckUpload.PHP Remote File Include
• Description: Comet WebFileManager is a web file manager. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "Language" variable of the "CheckUpload.php" script. Comet Webfile Manager version 0.9.1 is affected.
• Ref: http://www.securityfocus.com/archive/1/442714

• 06.32.76 - CVE: Not Available
• Platform: Web Application
• Title: Hitweb REP_INC Remote File Include
• Description: Hitweb is used to create a collection of web sites. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "REP_INC" variable of the "genpage-cgi.php" script. Hitweb version 4.2 is vulnerable.
• Ref: http://www.securityfocus.com/bid/19436

• 06.32.77 - CVE: Not Available
• Platform: Web Application
• Title: SmartSiteCMS Admin.PHP Authentication Bypass
• Description: SmartSiteCMS is a web-based content management application. It is affected by an authentication bypass issue due to insufficient sanitization of the "userName" parameter of the "admin.php" script. SmartSiteCMS v1.0 is affected.
• Ref: http://www.securityfocus.com/bid/19434

• 06.32.78 - CVE: Not Available
• Platform: Web Application
• Title: Simple One File Guestbook Security Bypass
• Description: Simple one file is a PHP-based guestbook application. Attackers can delete all guestbook entries by submitting a GET request to "guestbook.php" which includes the necessary variables to bypass the administration panel and required login credentials. Version 1.0 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19437

• 06.32.79 - CVE: Not Available
• Platform: Web Application
• Title: CivicSpace Multiple HTML Injection
• Description: CivicSpace is a component for the Drupal content management system and is implemented in PHP. It is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input in the "subject" and "comment" input boxes of the "Add Comment" page. Version 0.8.5 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19438

• 06.32.80 - CVE: Not Available
• Platform: Web Application
• Title: PgMarket Common.Inc.PHP Remote File Include
• Description: PgMarket is a shopping cart application. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "CFG[libdir]" variable of the "common.inc.php" script. PgMarket version 2.2.3 is affected.
• Ref: http://www.securityfocus.com/bid/19439

• 06.32.81 - CVE: Not Available
• Platform: Web Application
• Title: Boite de News Remote File Include
• Description: Boite de News is a news reader application. Insufficient sanitization of the "url_index" variable of the "index.php" script exposes the application to a remote file include issue. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/19440

• 06.32.82 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Bibliography Multiple Input Validation Vulnerabilities
• Description: Drupal is an open source content management system. Drupal Bibliography module is exposed to multiple input validation issue due to insufficient sanitization of user-supplied input. Drupal versions prior to 4.7 are affected.
• Ref: http://www.securityfocus.com/bid/19441

• 06.32.83 - CVE: Not Available
• Platform: Web Application
• Title: See-Commerce Owimg.PHP Remote File Include
• Description: See-Commerce is affected by a remote file include issue due to insufficient sanitization of the "path" parameter of the "owimg.php" script. See-Commerce version 1.0.625 is affected.
• Ref: http://www.securityfocus.com/bid/19443

• 06.32.84 - CVE: Not Available
• Platform: Web Application
• Title: XennoBB Profile.PHP Directory Traversal
• Description: XennoBB is a web-based bulletin-board application written in PHP. It is prone to a directory traversal vulnerability because it fails to properly sanitize user-supplied input to the "gallery" parameter of the "profile.php". Versions 2.1.0 and prior are reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19446

• 06.32.85 - CVE: Not Available
• Platform: Web Application
• Title: MyBloggie Mybloggie_Root_Path Parameter Multiple Remote File Include
• Description: MyBloggie is a web-log application implemented in PHP. It is prone to multiple remote file include vulnerabilities, due to a failure in the application to properly sanitize user-supplied input in the "mybloggie_root_path" parameter of the "index.php" and "db.php" scripts. Versions 2.1.3 and prior are reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19449

• 06.32.86 - CVE: Not Available
• Platform: Web Application
• Title: AlsaPlayer Multiple Buffer Overflow Vulnerabilities
• Description: AlsaPlayer is an open source media player. It is affected by multiple buffer overflow issues due to insufficient sanitization of user-supplied input. AlsaPlayer versions 0.99.76 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/19450

• 2006-4030 - CVE: CVE
• Platform: Web Application
• Title: Gallery Stats Module Information Disclosure
• Description: Gallery is a web-based photo album and is available for the Linux operating system. It is prone to an information disclosure vulnerability, as the application fails to protect sensitive information in the stats module. Versions 2.4 and prior are reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19453

• 06.32.88 - CVE: Not Available
• Platform: Web Application
• Title: PHPMyRing IDSITE SQL Injection
• Description: PHPMyRing is prone to an SQL injection issue due to insufficient sanitization of the "idsite" parameter of the "view_com.php" script. PHPMyRing versions 4.2.0 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/19450

• 06.32.89 - CVE: Not Available
• Platform: Web Application
• Title: Mafia Moblog Big.PHP Remote File Include
• Description: Mafia Moblog is a weblog application. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "pathtotemplate" variable of the "big.php" script. Mafia Moblog version 6 is affected.
• Ref: http://www.securityfocus.com/bid/19458

• 06.32.90 - CVE: CVE-2006-4012
• Platform: Web Application
• Title: SaveWebPortal Page Parameter Remote File Include
• Description: SaveWebPortal is a web-based content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "page" parameter of the "index.php" script. SaveWebPortal version 3.4 is vulnerable.
• Ref: http://www.securityfocus.com/bid/19459

• 06.32.91 - CVE: Not Available
• Platform: Web Application
• Title: Tagger LE Tags.PHP Remote File Include
• Description: Tagger LE (Luxury Edition) is a web-based bulletin board application implemented in PHP. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "BBCodeFile" parameter of "tags.php". Version 3 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19464

• 06.32.92 - CVE: Not Available
• Platform: Web Application
• Title: Spaminator Page Parameter Remote File Include
• Description: Spaminator is a web-based management interface for Sendmail's built-in anti-spam functionality. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "page" parameter of "Login.php". Version 1.7 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19466

• 06.32.93 - CVE: Not Available
• Platform: Web Application
• Title: PHPWCMS Multiple Remote File Include Vulnerabilities
• Description: PHPWCMS is a web-based content management system. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "spaw_root" parameter of various scripts. PHPWCMS versions 1.2.6 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/19467

• 06.32.94 - CVE: CVE-2006-4061
• Platform: Web Application
• Title: PHPPrintAnalyzer Header.inc.PHP Remote File Include
• Description: PHPPrintAnalyzer is a web log analyzer. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "ficStyle" parameter of the "header.inc.php" script. PHPPrintAnalyzer version 1.2 is vulnerable.
• Ref: http://www.securityfocus.com/bid/19474

• 06.32.95 - CVE: Not Available
• Platform: Network Device
• Title: Linksys WRT54GS POST Request Configuration Change Authentication Bypass
• Description: Linksys WRT54GS is a Wireless-G broadband router. It is prone to an authentication bypass vulnerability when a victim user visits a specially-crafted web page on an attacker-controlled web site. Firmware version 1.00.9 is reported as vulnerable.
• Ref: http://www.securityfocus.com/bid/19347

• 06.32.96 - CVE: Not Available
• Platform: Hardware
• Title: ArcSoft MMS Composer Multiple Vulnerabilities
• Description: ArcSoft MMS Composer is a multimedia messaging service (MMS) application. It is vulnerable to multiple vulnerabilities such as a denial of service. ArcSoft Composer versions 2.0.13 and earlier are vulnerable. See the advisory for further details.
• Ref: http://www.securityfocus.com/bid/19451

*************************************************************************

BONUS SECTION: Drive By Port Scanning and Exploitation of Internal Networks

SPI Labs has discovered a technique to use JavaScript to portscan an internal network, fingerprint all the web-enabled devices found, and send attacks or commands to those devices. All the code uses parts of the JavaScript standard that are almost ten years old. Accordingly, the code can execute in nearly any Web browser on nearly any platform when a user opens a Webpage that contains the JavaScript. Since this is not exploiting any browser bug or vulnerability, there is no patch or defense for the end user other than turning off JavaScript support in the browser. The code can be part of a Cross-site scripting (XSS) attack payload, thereby increasing the damage XSS can do.

Simply viewing a page with an embedded scanner will download the JavaScript along with the HTML to a user's browser, automatically executing the code. The scanner can be included in a site an attacker controls, or injected into popular sites using XSS vulnerabilities. The scanner finds targets by implementing a "ping" feature using the JavaScript Image object and an IFrame tag. Uses a blend of these two objects allows the scanner to quickly detect hosts and confirm they are serving HTTP content. Once the scanner has detected a host with a web interface, the scanner tries to fingerprint the Web server to determine its type and version number. This is done using the Image object to retrieve graphics from well known locations on the device. For example, most Microsoft IIS Web server's have an image /pagerror.gif that is 36 by 48 pixels in size, Linksys WRK54G wireless routers have an image /UI_Linksys.gif that is 165 by 57 pixels, and Plone wiki applications have an image /plone_powered.gif that is 80 by 15 pixels. Once the scanner knows what applications exist on the intranet, it can send attacks to exploit known vulnerabilities in the applications. By dynamically building HTML forms and automatically submitting them, the scanner can send attacks using either GET or POST against the application. At the very least, the information collected from scanning and fingerprinting can be sent to the attacker to assist in planning another attack.

SPI Labs has created a proof of concept web page that implements the detection and fingerprinting functionality of a full scanner. This site is available to the public and is listed at the end of this article. The scanner does not automatically start scanning or attacking any internal applications.

Most of these traditional XSS attacks target the Website where the XSS vulnerability exists and the damage of the attack is limited by the features of that Website. For example, session hijacking is only damaging if the site that has the XSS vulnerability actually issues session state and does something meaningful with it. The danger is that scanning and attacking internal applications or systems targets the end user. This means any XSS vulnerability on any site can be used to attack the end user, regardless of the features of the vulnerable site. There is no longer any such thing as a harmless XSS vulnerability.

More information: Complete Whitepaper: http://www.spidynamics.com/assets/documents/JSportscan.pdf Proof of Concept: http://www.spidynamics.com/spilabs/js-port-scan/ Upcoming BlackHat Presentation, Jeremiah Grossman, WhiteHat Security: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman Upcoming BlackHat Presentation, Billy Hoffman, SPI Dynamics: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Hoffman2

______________________________________________________________________

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.