@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 32
August 14, 2006

The huge number of critical new vulnerabilities disclosed by Microsoft on Tuesday *do not* appear to reflect increased failures by their development process. Instead, they are a result of the recent upsurge in organized criminal hacker activity that has already shown up in 450% increases in bank losses due to cyber fraud (since the first half of 2005), broad penetration of US government (and other governments') computers as well as those of military contractor systems. The number of people engaged in cyber crime as a full-time "profession" in Eastern Europe and, especially, in Asia is skyrocketing.

The increasing threat level makes this a particularly important time to ensure your security people have current, hands-on technical skills so they can find the penetrations, clean them up, and build sensible defenses. By far the best way to do that is to encourage them to attend one of the "national" SANS training programs. The national programs have all of SANS' best instructors, so you learn from the top teachers in the world, and they have big expos, free evening classes, and more. This Friday is the early registration deadline for the next SANS national conference, SANS Network Security 2006 in Las Vegas, Oct. 1-9. The full 37 course matrix is at http://www.sans.org/ns2006/caag.php

A bonus section at the end of this issue from SPI Dynamics covers Port Scanning and Exploitation of Internal Networks that shows how simply visiting an infected web site, whether or not your system is patched, causes an exploitation tool to get on your system and take over systems inside your perimeter. Read the Bonus Section to see how it works.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Windows                                   13 (#1, #2, #3, #4, #8, #9, #11, #14)
    Microsoft Office                           1 (#12, #13)
    Other Microsoft Products                   4 (#7)
    Third Party Windows Apps                   6 (#6)
    Linux                                      3
    Solaris                                    1
    Unix                                       1
    Cross Platform                             5 (#5, #15)
    Web Application - Cross Site Scripting     5
    Web Application - SQL Injection            8
    Web Application                           47 (#16)
    Network Device                             1 (#10)
    Hardware                                   1

****************** Sponsored By Shavlik Technologies ********************

Free software! Patch & Spyware Management!

Simplify your complex enterprise network security with Shavlik NetChk Protect, Patch & Spyware Management on one easy-to-use console. For a complete security solution, remediate spyware and install patches with Shavlik NetChk Protect.

Download Now: http://www.sans.org/info.php?id=1269

*************************************************************************

How Good Are SANS Courses? Ask the alumni.

++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines

++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA

++ "This conference provided the opportunity to learn from many of the people who are defining the future direction of information technology" - Larry Anderson, Computer Sciences Corp.

++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
Solaris
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************ Sponsored Links: *****************************

1) FREE Webcast Featuring Penetration Testing with CORE IMPACT. Wednesday, August 16 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info.php?id=1270

2) CDI 8570 Training Event 16-22 OCTOBER, Silver Spring, MD SEC309, To earn the certifications now required of all contractors and military personnel with security responsibility: Security Essentials (GSEC), SANS Training for CISSP, And SANS Security Leadership (GSLC) http://www.sans.org/info.php?id=1271

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (3) CRITICAL: Microsoft MHTML Link Parsing Remote Code Execution (MS06-043)
  • Affected:
    • Microsoft Windows 2000 SP4
    • Microsoft Windows XP SP1/SP2
    • Microsoft Windows Server 2003 SP0/SP1
  • Description: Microsoft Windows fails to properly parse MHTML URLs in links. MHTML is an extension to HTML (the HyperText Markup Language; the language used to write most web pages) that allows embedded objects and metadata. A malicious web page containing a specially-crafted MHTML link could exploit this vulnerability and execute arbitrary code with the privileges of the current user. Because this flaw exists in a core library, applications other than web browsers and email clients may be affected.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. Several sites are addressing this issue on a fast track schedule and have already pushed the patches. Others are deploying the patch during their next regularly scheduled system update process. A few sites are addressing desktops on an urgent basis and servers on a standard basis.

  • References:
  • (4) CRITICAL: Microsoft HTML Help ActiveX Component Remote Code Execution (MS06-046)
  • Affected:
    • Microsoft Windows 2000 SP4
    • Microsoft Windows XP SP1/SP2
    • Microsoft Windows Server 2003 SP0/SP1
  • Description: An ActiveX component used by the Microsoft HTML help system contains a remote code execution vulnerability. A malicious web page that instantiates the vulnerable component could trigger this vulnerability and execute arbitrary code with the privileges of the current user. Users can limit the impact of this vulnerability by preventing the vulnerable component from being instantiated inside Internet Explorer via the "killbit" mechanism for CLSID "{52a2aaae-085d-4187-97ea-8c30db990436}".

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. All sites plan to deploy the patch during their next regularly scheduled system update process.

  • References:
  • (5) CRITICAL: Clam AntiVirus UPX Decompression Remote Code Execution
  • Affected:
    • Clam AntiVirus version 0.88.3 and prior
  • Description: Clam AntiVirus (ClamAV), a popular open source virus scanning engine, contains a remotely-exploitable buffer overflow. By sending a specially-crafted UPX-compressed executable as an attachment to an email message through a server running ClamAV, an attacker could execute arbitrary code with the privileges of the ClamAV process. No user interaction is necessary to exploit this vulnerability. The default configuration of ClamAV is believed to be vulnerable. Users can limit the impact of this vulnerability by disabling the scanning of UPX-compressed executables. Note that a proof-of-concept is publicly available.

  • Status: ClamAV confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (6) CRITICAL: McAfee Subscription Manager ActiveX Component Remote Code Execution
  • Affected: Any McAfee product that uses the McAfee Subscription Manager is potentially vulnerable. The following products are known to contain the vulnerable component:
    • McAfee AntiSpyware
    • McAfee Internet Security Suite
    • McAfee Personal Firewall Plus
    • McAfee Privacy Service
    • McAfee QuickClean
    • McAfee SpamKiller
    • McAfee VirusScan
    • McAfee Wireless Home Network Security
  • Description: The McAfee Subscription Manager ActiveX component, installed along with all McAfee's Home and Home Business products, contains a remotely-exploitable buffer overflow. A malicious web page that instantiates the vulnerable component could exploit a buffer overflow in the McSubMgr.dll component and execute arbitrary code with the privileges of the current user. Note that technical details for this vulnerability are publicly available, as well as a simple proof-of-concept. Users may be able to limit the impact of this vulnerability by disallowing the instantiation of the vulnerable component in Internet Explorer via Microsoft's "killbit" mechanism for the CLSID "{9BE8D7B2-329C-442A-A4AC-ABA9D7572602}".

  • Status: McAfee confirmed, updates available.

  • Council Site Actions: Only one of the responding council sites is using the affected software and only on a small scale. They are relying on the ability of the end user to take the update directly from the vendor.

  • References:
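
Items (4) and (6) above both recommend the Internet Explorer "killbit" as an interim mitigation. The following PowerShell is an added example, not part of the @RISK bulletin or any vendor's tooling: it applies the kill bit, as documented in Microsoft KB240797 (a "Compatibility Flags" DWORD of 0x400 under the ActiveX Compatibility registry key), to the two CLSIDs quoted in the bulletin, and first checks whether the bit is already present so existing flags are preserved. It assumes an elevated prompt on the machine being hardened.

```powershell
# Added example (not from the @RISK bulletin): set the IE kill bit for the
# two ActiveX CLSIDs named in items (4) and (6). Per Microsoft KB240797, a
# "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX
# Compatibility key stops Internet Explorer from instantiating the control.
# Run from an elevated PowerShell prompt.

$KillBit    = 0x400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# CLSIDs quoted in the bulletin: HTML Help control (MS06-046) and the
# McAfee Subscription Manager control (McSubMgr.dll).
$Clsids = @(
    '{52a2aaae-085d-4187-97ea-8c30db990436}',
    '{9BE8D7B2-329C-442A-A4AC-ABA9D7572602}'
)

function Get-ActiveXCompatFlags {
    # Returns the current Compatibility Flags value for a CLSID, or 0 if
    # the key or value does not exist yet.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    # True when the 0x400 kill bit is already set for the CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    return ((Get-ActiveXCompatFlags -Clsid $Clsid) -band $KillBit) -eq $KillBit
}

function Set-ActiveXKillBit {
    # OR the kill bit into whatever flags are already present, so other
    # compatibility flags set by the vendor or Windows Update survive.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ActiveXCompatFlags -Clsid $Clsid) -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $flags -Force | Out-Null
}

foreach ($clsid in $Clsids) {
    if (Test-ActiveXKillBit -Clsid $clsid) {
        Write-Output ("kill bit already set: {0}" -f $clsid)
    } else {
        Set-ActiveXKillBit -Clsid $clsid
        Write-Output ("kill bit set: {0} (Compatibility Flags now 0x{1:X})" -f `
            $clsid, (Get-ActiveXCompatFlags -Clsid $clsid))
    }
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node, so set $CompatRoot to that path as well when both browser flavours are installed.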
  • (7) HIGH: Microsoft Management Console Remote Code Execution (MS06-044)
  • Affected:
    • Microsoft Windows 2000 SP4
  • Description: A malicious web site can exploit a cross-site scripting vulnerability in Microsoft Windows. This vulnerability allows access to local HTML resource files in the Microsoft Management Console library; access to these files allows remote users to execute arbitrary commands with the privileges of the current user. Users can limit the impact of the vulnerability by disabling Microsoft "Active Scripting" for the "My Computer" zone. Note that this may affect operating system functionality. Users are also advised to read email messages in plain text.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. All sites plan to deploy the patch during their next regularly scheduled system update process.

  • References:
  • (8) HIGH: Microsoft Windows Explorer Remote Code Execution (MS06-045)
  • Affected:
    • Microsoft Windows 2000 SP4
    • Microsoft Windows XP SP1/SP2
    • Microsoft Windows Server 2003 SP0/SP1
  • Description: Failure to properly handle specially-crafted filenames in SMB and WebDAV fileshares could allow an attacker to execute arbitrary code with the privileges of the current user. This flaw can be exploited by visiting a fileshare containing a file with a specially-crafted name and double-clicking somewhere in that window. If the filename contains the GUID (Globally Unique Identifier) of an application, that application will be executed. Note that users must first visit a malicious share and then double-click in the newly-opened window. Technical details and a proof-of-concept for this vulnerability have been publicly posted.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. All sites plan to deploy the patch during their next regularly scheduled system update process.

  • References:
  • (9) HIGH: Microsoft Windows Hyperlink Object Library Multiple Remote Code Execution Vulnerabilities (MS06-050)
  • Affected:
    • Microsoft Windows 2000 SP4
    • Microsoft Windows XP SP1/SP2
    • Microsoft Windows Server 2003 SP0/SP1
  • Description: Clicking on a specially crafted link in an email message or Office document could result in arbitrary code execution with the privileges of the current user. This is due to multiple flaws in the Hyperlink Object Library, used to parse and manipulate hyperlinks. Note that, for at least one of the vulnerabilities, the provided link must go to a live website, limiting the life span of any potential malware based on this vulnerability. Note that the technical details for one of the vulnerabilities have been publicly posted. Because this is a flaw in an operating system library, other applications may be affected.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. Several sites are addressing this issue on a fast track schedule and have already pushed the patches. Others are deploying the patch during their next regularly scheduled system update process. A few sites are addressing desktops on an urgent basis and servers on a standard basis.

  • References:
  • (10) HIGH: Barracuda Spam Firewall Remote Command Injection
  • Affected:
    • Barracuda Spam Firewall Appliance
  • Description: The Barracuda spam firewall appliance, a popular enterprise anti-spam appliance, contains a remote command injection vulnerability. By sending specially-crafted requests to the "/cgi-bin/preview_email.cgi" script on the appliance, an unauthenticated attacker could execute arbitrary commands with administrative privileges. Technical details for this vulnerability are publicly available. Users are advised to block access to the Barracuda administrative interface at the network perimeter.

  • Status: Barracuda confirmed, updates available.

  • Council Site Actions: Only one of the reporting council sites is using the affected software. They use it for incoming mail for a large user population. They noticed that the Matthew Hall bugtraq posting on August 4 says "It was noted that the original file input sanitation vulnerability seems to have been 'silently' fixed by Barracuda Networks (as of 11pm GMT 03/08/06), which mitigates the attacks above." Thus they plan no action at this time.

  • References:
  • (11) MODERATE: Microsoft DNS Multiple Remote Code Execution Vulnerabilities (MS06-041)
  • Affected:
    • Microsoft Windows 2000 SP4
    • Microsoft Windows XP SP1/SP2
    • Microsoft Windows Server 2003 SP0/SP1
  • Description: Multiple flaws in Microsoft's DNS (Domain Name System) client implementation allow attackers to take complete control of the vulnerable system. The first flaw may be exercised by a specially-crafted web page that forces the vulnerable system to call the affected API; an attacker could then execute arbitrary code with SYSTEM privileges. The second flaw can be triggered by forcing the vulnerable system to look up a specially-crafted record on a malicious nameserver; this also allows arbitrary code execution with SYSTEM privileges. Users can mitigate the impact of the first vulnerability by disabling the "Autodial.DLL" library; this will prevent access to the vulnerable API. The second vulnerability can be mitigated by blocking ATMA, TXT, X25, HINFO, and ISDN DNS record responses at the network perimeter.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. Several sites are addressing this issue on a fast track schedule and have already pushed the patches. Others are deploying the patch during their next regularly scheduled system update process. A few sites are addressing desktops on an urgent basis and servers on a standard basis.

  • References:
  • (12) MODERATE: Microsoft Office Visual Basic Remote Code Execution (MS06-047)
  • Affected:
    • Microsoft Office 2000/XP
    • Microsoft Project 2000/2002
    • Microsoft Access 2000
    • Microsoft Visio 2002
    • Microsoft Works Suite 2004/2005/2006
    • Microsoft Visual Basic for Applications SDK 6.0 - 6.4
  • Description: Opening a malicious Microsoft Office document containing specially-crafted Visual Basic document properties could result in arbitrary code execution with the privileges of the current user. In most common configurations, Office documents are not opened automatically. Users are advised not to open documents received from untrusted sources. Note that the vulnerable document properties are not currently publicly known.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. All sites plan to deploy the patch during their next regularly scheduled system update process.

  • References:
  • (13) MODERATE: Microsoft PowerPoint BIFF File Format Remote Code Execution (MS06-048)
  • Affected:
    • Microsoft PowerPoint 2000
    • Microsoft PowerPoint 2002
    • Microsoft Office PowerPoint 2003
    • PowerPoint 2004/X for Mac
  • Description: Opening a malicious Microsoft PowerPoint document containing specially-crafted document properties could result in arbitrary code execution with the privileges of the current user. In most common configurations other than PowerPoint 2000, PowerPoint documents are not opened automatically. Users are advised not to open documents received from untrusted sources. Some technical details for this vulnerability have been publicly posted. This update patches a vulnerability mentioned in a previous @RISK entry.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. All sites plan to deploy the patch during their next regularly scheduled system update process.

  • References:
  • (14) MODERATE: Microsoft Kernel Remote Code Execution Vulnerability (MS06-051)
  • Affected:
    • Microsoft Windows 2000 SP4
    • Microsoft Windows XP SP1/SP2
    • Microsoft Windows Server 2003 SP0/SP1
  • Description: Microsoft Windows is vulnerable to a remote code execution vulnerability through the Windows kernel's exception handling facility. This vulnerability could be exploited by a malicious web site. No other technical details about this vulnerability are publicly available.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to all Microsoft issues. Several sites are addressing this issue on a fast track schedule and have already pushed the patches. Others are deploying the patch during their next regularly scheduled system update process. A few sites are addressing desktops on an urgent basis and servers on a standard basis.

  • References:
  • (15) MODERATE: SAP Internet Graphics Service Undisclosed Remote Buffer Overflow
  • Affected:
    • SAP IGS versions 6.40 and 7.00
  • Description: SAP Internet Graphics Service, a component of the SAP suite that allows graphical output, contains a remotely-exploitable buffer overflow. No technical details for this vulnerability have been publicly posted, other than that the vulnerability is exploitable via the HTTP protocol.

  • Status: SAP confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (16) MODERATE: Ruby-on-Rails Remote Vulnerability
  • Affected: Ruby-on-Rails versions 1.10 - 1.1.4
  • Description: Ruby-on-Rails, a popular Ruby-based web application development platform, is vulnerable to an undisclosed vulnerability. No technical details about this vulnerability have been publicly posted, except that the issue is considered critical by the Ruby-on-Rails team. Because Ruby-on-Rails is open source software, some technical details may be easily available by analyzing the source code.

  • Status: Ruby-on-Rails confirmed, updates available.

  • Council Site Actions: One of the reporting council sites is using the affected software; however it is not supported by their central IT department. In most cases, the owner of the system is active in the Rails community and was able to receive the vendor notice and complete an update within a day or two.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 32, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5121 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.32.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Explorer GDI32.DLL WMF Remote Denial of Service
  • Description: Microsoft Windows Explorer is reportedly prone to a remote denial of service issue. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/archive/1/442426

  • 06.32.2 - CVE: CVE-2006-3450
  • Platform: Windows
  • Title: Microsoft Internet Explorer HTML Layout and Positioning Remote Code Execution
  • Description: Microsoft Internet Explorer is prone to a remote code execution vulnerability. The issue is caused by an HTML rendering problem, and can be exploited by enticing a victim into visiting a malicious web page. Versions of Internet Explorer on Windows 2000, Windows XP, and Windows Server 2003 are reported as vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

  • 06.32.3 - CVE: CVE-2006-3451
  • Platform: Windows
  • Title: Microsoft Internet Explorer Chained Cascading Style Sheets Remote Code Execution
  • Description: Microsoft Internet Explorer is prone to a remote code execution vulnerability that is related to how the browser handles chained CSS (Cascading Style Sheets). It can be exploited by a user viewing a malicious web page. This issue affects Internet Explorer on Windows 2000, Windows XP excluding XP SP2, and Windows Server 2003.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx


  • 06.32.5 - CVE: CVE-2006-3638
  • Platform: Windows
  • Title: Internet Explorer COM Object Instantiation Code Execution
  • Description: Microsoft Internet Explorer is exposed to a memory corruption issue that is related to the instantiation of COM objects. This issue results from a design error. Please refer to the advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

  • 06.32.6 - CVE: CVE-2006-3443, CVE-2006-3648
  • Platform: Windows
  • Title: Windows User Profile Privilege Escalation
  • Description: Microsoft Windows is vulnerable to a local privilege escalation issue due to an insecure search path for the WinLogon facility. Please see the advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-051.mspx

  • 06.32.7 - CVE: CVE-2006-3648
  • Platform: Windows
  • Title: Microsoft Windows Unhandled Exception Remote Code Execution
  • Description: Microsoft Windows is prone to a remote code execution vulnerability that is caused by an error in how chained exceptions are unloaded by the operating system. This vulnerability could be exploited by a malicious web page, with a successful exploit completely compromising the affected computer. Multiple versions of Windows XP, 2000, and 2003 are reported as vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-051.mspx

  • 06.32.8 - CVE: CVE-2006-3444
  • Platform: Windows
  • Title: Microsoft Windows 2000 Kernel Local Privilege Escalation
  • Description: A local privilege escalation vulnerability exists in Microsoft Windows 2000 that seems to be caused by insufficient checking of an input buffer size in the kernel, and can result in the complete compromise of a vulnerable system. Windows 2000 SP4 is reported as vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-049.mspx

  • 06.32.9 - CVE: CVE-2006-3281
  • Platform: Windows
  • Title: Microsoft Windows Explorer Drag and Drop Remote Code Execution
  • Description: Microsoft Windows is exposed to a remote code execution issue. This issue affects the Windows Explorer component. This issue is caused by insecure handling of drag and drop events. Please refer to the advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-045.mspx

  • 06.32.10 - CVE: CVE-2006-3441
  • Platform: Windows
  • Title: Microsoft Windows DNS Client Buffer Overrun
  • Description: Microsoft Windows is exposed to a remotely exploitable buffer overrun condition in the DNS client. Please refer to the advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/bulletin/MS06-041.mspx

  • 06.32.11 - CVE: CVE-2006-3438
  • Platform: Windows
  • Title: Microsoft Hyperlink Object Library Function Remote Buffer Overflow
  • Description: Microsoft's Hyperlink Object Library (HLINK.DLL) is a library used to handle operations involving URIs. It is vulnerable to a buffer overflow issue when applications utilizing the affected library attempt to process malformed URIs. See the advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-050.mspx

  • 06.32.12 - CVE: Not Available
  • Platform: Windows
  • Title: Windows Server Service Remote Buffer Overflow
  • Description: Microsoft Windows Server Service facilitates sharing of local resources over the network including RPC support, file, printer, and named pipe sharing. It is affected by a remote buffer overflow issue. Please see the attached advisory for details.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx

  • 06.32.13 - CVE: CVE-2006-3643
  • Platform: Windows
  • Title: Microsoft Management Console Zone Bypass
  • Description: Microsoft Management console is an integrated administration user interface and administration model for Windows-based environments. It is prone to a cross-zone scripting vulnerability, due to the operating system allowing MMC files to be referenced from the Internet Zone in some cases. A successful exploit could completely compromise the computer. Windows 2000 SP4 is reported as vulnerable.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx

  • 06.32.14 - CVE: CVE-2006-3449
  • Platform: Microsoft Office
  • Title: Powerpoint Remote Code Execution
  • Description: Microsoft PowerPoint is vulnerable to remote code execution when the application handles malformed record data within a presentation file. See the advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx

  • 06.32.15 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer IFrame Refresh Denial of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service issue when handling malicious HTML files. The issue is exposed when trying to refresh an iframe containing an XML file. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19364/info

  • 06.32.16 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Window Location Cross-Domain Information Disclosure
  • Description: Microsoft Internet Explorer is prone to a cross-domain information disclosure issue. The vulnerability occurs because it is possible to persist script across navigations. As a result a malicious page may gain access to the "window.location" of a web page in another domain or Internet Explorer zone. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19339

  • 06.32.17 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Source Element Cross-Domain Information Disclosure
  • Description: Microsoft Internet Explorer is prone to an information disclosure issue because it fails to properly enforce cross-domain policies. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19400

  • 06.32.18 - CVE: CVE-2006-3649
  • Platform: Other Microsoft Products
  • Title: Microsoft Visual Basic for Applications Document Check Buffer Overflow
  • Description: Microsoft Visual Basic for Applications (VBA) is a development platform implemented by various applications. It is vulnerable to a buffer overflow vulnerability that is caused by insufficient bounds checking when the application parses the properties of a malicious document that supports VBA. The issue exists in all applications that implement the use of VBA, such as Microsoft Office products, except for Office 2003 SP1 and SP2.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-047.mspx

  • 06.32.19 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: LHAZ LHA Long Multiple Buffer Overflow Vulnerabilities
  • Description: LHAZ is a file extractor application. It is vulnerable to multiple buffer overflow issues due to insufficient boundary checking. LHAZ versions 1.31 and earlier are vulnerable.
  • Ref: http://vuln.sg/lhaz131-en.html

  • 06.32.20 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Computer Associates Virus Definition Downgrade
  • Description: Computer Associates WebScan is a web-based virus scanner. It is exposed to a flaw which could cause the application's virus definitions to become downgraded to a previous version. Computer Associates WebScan version 1.1.0.1047 and 1.1.0.1045 are affected.
  • Ref: http://www.securityfocus.com/archive/1/442476

  • 06.32.21 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EasyCafe Security Restriction Bypass
  • Description: EasyCafe is an internet cafe management system. It is vulnerable to a security restriction bypass issue because the application fails to prevent an attacker from gaining unauthorized access to a client computer. EasyCafe versions 2.1.7 to 2.2.14 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19401

  • 06.32.22 - CVE: CVE-2006-3838
  • Platform: Third Party Windows Apps
  • Title: eIQnetworks Enterprise Security Analyzer Monitoring.EXE Multiple Buffer Overflow Vulnerabilities
  • Description: eIQnetworks Enterprise Security Analyzer is a distributed application for enterprise security. It is exposed to multiple remote buffer overflow issues. Enterprise Security Analyzer versions earlier to 2.5.0 are affected.
  • Ref: http://www.tippingpoint.com/security/advisories/TSRT-06-07.html

  • 06.32.23 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: OpenMPT Multiple Remote Code Execution Vulnerabilities
  • Description: OpenMPT is an audio application. It is vulnerable to multiple remote code execution vulnerabilities due to insufficient boundary checking. OpenMPT versions 1.17.02.43 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/442721

  • 06.32.24 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IrfanView ANI Image File Denial of Service
  • Description: IrfanView is a graphics image manipulation application. It is affected by a denial of service issue because of an error in processing of malformed "ANI" image files. IrfanView version 3.98.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19443

  • 06.32.25 - CVE: Not Available
  • Platform: Linux
  • Title: DConnect Daemon Multiple Format String Vulnerabilities
  • Description: DConnect Daemon is a P2P server for the direct connection protocol. It is vulnerable to multiple remote format string issues due to insufficient sanitization of user-supplied input to various functions. DConnect versions 0.7.0 and earlier are vulnerable.
  • Ref: http://aluigi.altervista.org/adv/dconnx-adv.txt

  • 06.32.26 - CVE: CVE-2006-3468
  • Platform: Linux
  • Title: Linux Kernel NFS and EXT3 Combination Remote Denial of Service
  • Description: The Linux kernel is susceptible to a remote denial of service vulnerability, due to a failure of the EXT3 filesystem code to properly handle unexpected conditions in malformed "iget()" requests. Versions 2.6.17.7 and prior are reported as vulnerable.
  • Ref: http://bugzilla.kernel.org/show_bug.cgi?id=6828

  • 06.32.27 - CVE: CVE-2006-1168
  • Platform: Linux
  • Title: Ncompress Decompress Buffer Underflow
  • Description: Ncompress is a compression utility. It is vulnerable to a buffer underflow issue caused by a boundary error in the "decompress()" routine in "compress42.c" code. Ncompress versions 4.2.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19455

  • 06.32.28 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Ray UTXConfig Local Arbitrary File Overwrite
  • Description: The utxconfig utility is the Sun Ray DTU X server configuration utility. Due to an unspecified input sanitization failure, it is prone to a vulnerability that may permit local attackers the ability to create or overwrite arbitrary files. Sun Ray Server Software 3.0 is reported as vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101924-1&searchclause=

  • 06.32.29 - CVE: Not Available
  • Platform: Unix
  • Title: LessTif Debug Feature Local Arbitrary File Creation
  • Description: LessTif is a freely-available implementation of the OSF/Motif GUI framework. It is susceptible to a local arbitrary file creation vulnerability that only presents itself when the library is compiled without the "LESSTIF_PRODUCTION" definition. This allows an attacker to set the "DEBUG_FILE" environment variable, which allows the writing of arbitrary files. Version 0.93.94 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19430

  • 06.32.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Yahoo! Messenger File Extension Spoofing
  • Description: Yahoo Messenger is exposed to a remote file extension spoofing issue due to a design error that facilitates the spoofing of file name extensions. Yahoo! Messenger version 8.0.0.863 is affected.
  • Ref: http://www.securityfocus.com/bid/19353

  • 06.32.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Clam Anti-Virus ClamAV UPX Compressed PE File Heap Buffer Overflow
  • Description: ClamAV is an antivirus application. It is affected by a heap overflow issue due to the application's failure to properly validate user-supplied data. ClamAV versions 0.88.2 and 0.88.3 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19381

  • 06.32.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: XChat Remote Denial of Service
  • Description: XChat is prone to a remote denial of service issue when private (PRIVMSG) messages containing malformed data are sent to vulnerable clients. XChat version 2.6.7 is affected.
  • Ref: http://www.securityfocus.com/bid/19398

  • 06.32.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MIT Kerberos 5 Multiple Local Privilege Escalation Vulnerabilities
  • Description: MIT Kerberos 5 is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. It is affected by multiple local privilege escalation issues because it fails to properly implement privilege dropping functionality when used in conjunction with Linux 2.6 kernels or with AIX operating systems. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19427

  • 06.32.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache CGI Script Source Code Information Disclosure
  • Description: Apache is exposed to an information disclosure issue. The problem occurs when the application receives request for a CGI script file. The application fails to properly handle the request and returns the script source instead of executing it. Apache version 2.2.2 for Microsoft Windows is affected.
  • Ref: http://www.securityfocus.com/bid/19447

  • 06.32.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CakePHP Error.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: CakePHP is a web application framework written in PHP. It is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize input for several unspecified parameters in the "error.php" script. Versions 1.1.6.3264 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19372

  • 06.32.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Tinyportal Guestbook Multiple HTML Injection Vulnerabilities
  • Description: Tinyportal is a web forum application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input in the "message" and "email" fields. Tiny Portal version 0.8.6 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/442308

  • 06.32.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: VBulletin Multiple Cross-Site Scripting Vulnerabilities
  • Description: vBulletin is a web-based forum application implemented in PHP. It is prone to multiple cross-site scripting vulnerabilities, as it fails to properly sanitize user-supplied input to the "temp[csscolors]" parameter of the "global.php" script and to the "stylevar[right]" parameter of the "adminfunction.php" script. Version 3.0.14 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19358

  • 06.32.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DeluxeBB Newpost.PHP Cross-Site Scripting
  • Description: DeluxeBB is a web-based message board application implemented in PHP. It is prone to a cross-site scripting vulnerability, due to a failure in the application to properly sanitize user-supplied input to the "title" parameter of a new topic in "newpost.php". Version 1.08 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19390

  • 06.32.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Simplog Archive.PHP Cross-Site Scripting
  • Description: Simplog is a web-log application, written in PHP. It is prone to a cross-site scripting vulnerability, due to a failure to properly sanitize user-supplied input to the "keyw" parameter of the "archive.php" script. Version 0.9.3.1 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19411

  • 06.32.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: XennoBB Profile.PHP Multiple SQL Injection Vulnerabilities
  • Description: XennoBB is web-based bulletin-board software. It is exposed to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "bday_day", "bday_month" and "bday_year" parameters of the "profile.php" script. XennoBB version 2.1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/442423

  • 06.32.41 - CVE: CVE-2006-4041
  • Platform: Web Application - SQL Injection
  • Title: Pike Unspecified SQL Injection
  • Description: Pike is a general purpose programming language. It is vulnerable to an SQL injection issue because it fails to properly sanitize user-supplied input to an unspecified parameter before using it in an SQL query. Pike versions 7.6.85 and earlier are vulnerable.
  • Ref: http://pike.ida.liu.se/download/notes/7.6.86.xml

  • 06.32.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: The Address Book Login Page Multiple SQL Injection Vulnerabilities
  • Description: The Address Book is an open source address management system, implemented in PHP. It is prone to several SQL injection vulnerabilities because it fails to properly sanitize user-supplied input in multiple unspecified parameters and scripts. Version 1.04e is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19378

  • 06.32.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MyBloggie Trackback.PHP Multiple SQL Injection Vulnerabilities
  • Description: MyBloggie is a PHP based weblog application. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize input for a number of parameters within the "trackback.php" script. Versions 2.1.4 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19362

  • 06.32.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: YenerTurK Haber Default.ASP SQL Injection
  • Description: YenerTurK Haber is a web-based script. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "default.asp" script. YenerTurk Haber Script version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19393/info

  • 06.32.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Netious CMS Username Parameter SQL Injection
  • Description: Netious CMS is a content management application. It is exposed to an SQL injection issue due to insufficient sanitization of user-supplied input to the "Username" parameter of the application's login page. Netious CMS version 0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/19419

  • 06.32.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Drupal Jobsearch Module SQL Injection
  • Description: Drupal Jobsearch Module is a component of the Drupal content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to an unspecified parameter. Drupal Jobsearch Module versions 4.6 revision 1.3.2.0 and earlier are vulnerable.
  • Ref: http://drupal.org/node/77537

  • 06.32.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CLUB Nuke Multiple SQL Injection Vulnerabilities
  • Description: CLUB Nuke is a content management system. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to various scripts. CLUB Nuke versions v2.0 LCID 2048 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19442

  • 06.32.48 - CVE: Not Available
  • Platform: Web Application
  • Title: JD Wiki For Joomla Main.PHP Remote File Include
  • Description: JD-Wiki is a component for the Joomla content management system. It is affected by a remote file include issue due to insufficient sanitization of the "mosConfig_absolute_path" parameter of the "main.php" script. Versions 1.0.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19364/info

  • 06.32.49 - CVE: Not Available
  • Platform: Web Application
  • Title: YaBB Unauthorized Access
  • Description: YaBB is a web forum application. It is vulnerable to an unauthorized access issue because it fails to properly secure sensitive information in the cookie. YaBB versions Y1Gold_Beta 2.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19366

  • 06.32.50 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPCC Base_Dir Parameter Remote File Include
  • Description: PHPCC is a web-based content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "base_dir" parameter of the "login.php", "reactivate.php", and "register.php" scripts. PHPCC versions Beta4.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/442428

  • 06.32.51 - CVE: Not Available
  • Platform: Web Application
  • Title: NEWSolved ABS_Path Parameter Remote File Include
  • Description: NEWSolved is a web-based news script. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "abs_path" parameter of several scripts. Version 1.9.2 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19379

  • 06.32.52 - CVE: CVE-2006-3975
  • Platform: Web Application
  • Title: CA eTrust Antivirus WebScan Remote Buffer Overflow
  • Description: CA eTrust Antivirus WebScan is a web-based virus scanner. It is prone to a remote buffer overflow vulnerability due to an unspecified bounds checking error. Versions 1.1.0.1047 and prior are reported as vulnerable.
  • Ref: http://www.tippingpoint.com/security/advisories/TSRT-06-06.html

  • 06.32.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Eremove Gui.CPP Remote Buffer Overflow
  • Description: Eremove is an application that allows users to access a POP3 account to view and delete emails. It is affected by a buffer overflow issue when processing an overly large message body. Version 1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/19352

  • 06.32.54 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPAutoMembersArea Auto_Check_Renewals.PHP Remote File Include
  • Description: PHPAutoMembersArea is a script to automate adding/removing members from a site. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "installed_config_file" parameter of the "auto_check_renewals.php" script. PHPAutoMembersArea versions 3.2.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/442242

  • 06.32.55 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPCodeCabinet Core.PHP Remote File Include
  • Description: PHPCodeCabinet is a PHP based web application that allows software developers to store code snippets from any language. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "BEAUT_PATH" parameter of the "Core.PHP" script. Versions 0.5 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19359

  • 06.32.56 - CVE: Not Available
  • Platform: Web Application
  • Title: TurnkeyWebTools PHP Simple Shop Multiple Remote File Include Vulnerabilities
  • Description: PHP Simple Shop is a web-based ecommerce application. It is exposed to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "abs_path" parameter of various scripts. Simple Shop version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19382

  • 06.32.57 - CVE: CVE-2006-4026
  • Platform: Web Application
  • Title: SAPID Products Multiple Remote File Include Vulnerabilities
  • Description: SAPID is a family of web-based applications. Multiple SAPID applications are vulnerable to multiple remote file include issues. See the advisory for further details.
  • Ref: http://www.securityfocus.com/archive/1/442425

  • 06.32.58 - CVE: CVE-2006-4045
  • Platform: Web Application
  • Title: Torbstoff News News.PHP Remote File Include
  • Description: Torbstoff News is a web-based news script. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "pfad" parameter of the "news.php" script. Torbstoff News version 4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19385

  • 06.32.59 - CVE: Not Available
  • Platform: Web Application
  • Title: VWar Multiple Remote File Include Vulnerabilities
  • Description: VWar is a team organizer application written in PHP. It is prone to multiple remote file include vulnerabilities that are due to a failure in the application to properly sanitize input to the "vwar_path" parameter of a number of scripts. Version 1.5 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19387

  • 06.32.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple CMS Auth.PHP Remote Authentication Bypass
  • Description: Simple CMS is a content management application, written in PHP. It is prone to an authentication bypass vulnerability due to a flaw in the "auth.php" script that allows an attacker to set the "loggedin" parameter to "1", thus authenticating as an administrative user. Version 0 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19386

  • 06.32.61 - CVE: Not Available
  • Platform: Web Application
  • Title: FTD Search Box HTML Injection
  • Description: FTD is a content filter system. Insufficient sanitization of the "search" input field exposes the application to an HTML injection issue. FTD versions 3.7.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19391

  • 06.32.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Blur6ex Title HTML Injection
  • Description: Blur6ex is a content management system. It is exposed to an HTML injection issue due to insufficient sanitization of user-supplied input before using it in dynamically generated content. Blur6ex version 0.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/442435

  • 06.32.63 - CVE: CVE-2006-4060
  • Platform: Web Application
  • Title: Visual Events Calendar Calendar.PHP Remote File Include
  • Description: Visual Events Calendar is an event calendar application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "cfg_dir" parameter in the "calendar.php" script. Visual Events Calendar version 1.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/442468

  • 06.32.64 - CVE: Not Available
  • Platform: Web Application
  • Title: phpPrintAnalyzer Index.php Remote File Include
  • Description: phpPrintAnalyzer is a PHP-based system that analyzes page logs and gets HTML graphics for the CUPS System. It is prone to a remote file include vulnerability because the application fails to properly sanitize user-supplied input to the "rep_par_rapport_racine" parameter in the "index.php" script. Version 1.1 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19397

  • 06.32.65 - CVE: CVE-2006-3976, CVE-2006-3977
  • Platform: Web Application
  • Title: CA eTrust Antivirus WebScan Malicious Update Code Execution
  • Description: CA eTrust Antivirus WebScan is a web-based virus scanner. It is vulnerable to a remote code execution issue because it fails to properly validate parameters supplied to the WebScan ActiveX control. CA eTrust Antivirus WebScan versions 1.1.0.1047 and earlier are vulnerable.
  • Ref: http://www.tippingpoint.com/security/advisories/TSRT-06-05.html

  • 06.32.66 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP SSCANF() Safe_Mode Restriction Bypass
  • Description: PHP is exposed to a "safe_mode" restriction bypass issue. This issue arises when the "sscanf()" function of the "scanf.c" source file handles a format specifier in the form of "s". This may allow attackers to bypass "safe_mode" and gain unauthorized read/write access to the data. PHP versions 4.4.3 and 5.1.4 are affected.
  • Ref: http://bugs.php.net/bug.php?id=38322

  • 06.32.67 - CVE: Not Available
  • Platform: Web Application
  • Title: DeluxeBB PM.PHP Unauthorized Access
  • Description: DeluxeBB is a web bulletin board. Insufficient sanitization of the "membercookie" cookie parameter exposes the application to an unauthorized access vulnerability. DeluxeBB version 1.08 is affected.
  • Ref: http://www.securityfocus.com/bid/19418

  • 06.32.68 - CVE: Not Available
  • Platform: Web Application
  • Title: phNNTP File_newsportal Remote File Include
  • Description: phNNTP is a web-based NNTP portal application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "file_newsportal" variable of the "article-raw.php" script. phNNTP version 1.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19423

  • 06.32.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Netious CMS Authorization Bypass
  • Description: Netious CMS is a content management application. It is exposed to an authorization bypass vulnerability because it fails to properly authenticate administrative users. Netious CMS version 0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/19421

  • 06.32.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Recipe Module HTML Injection
  • Description: Drupal Recipe Module is a component of the Drupal content management system. It is affected by an HTML injection issue due to insufficient sanitization of user-supplied input. Recipe module versions 1.54 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19422

  • 06.32.71 - CVE: CVE-2006-3979
  • Platform: Web Application
  • Title: ColdFusion AdminAPI Authentication Bypass
  • Description: ColdFusion is an application server and software development framework. It is vulnerable to an authentication bypass issue because the application fails to verify that users have proper credentials before allowing administrative calls to the "AdminAPI" code. ColdFusion MX versions 7.0.2 and earlier are vulnerable.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb06-10.html

  • 06.32.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Docpile Init_path Parameter Multiple Remote File Include Vulnerabilities
  • Description: Docpile is a web-based document management application. It is prone to multiple remote file include vulnerabilities because the application fails to properly sanitize user-supplied input to the "INIT_PATH" parameter of several scripts. Version 0.2.2 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19428

  • 06.32.73 - CVE: Not Available
  • Platform: Web Application
  • Title: MojoGallery Multiple HTML Injection Vulnerabilities
  • Description: MojoGallery is a web-based gallery application. It is exposed to multiple HTML injection issues due to insufficient sanitization of user-supplied input to the username and password input boxes on the "admin.cgi" page. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19431

  • 06.32.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Archangel Weblog Multiple HTML Injection Vulnerabilities
  • Description: Archangel Weblog is prone to multiple HTML injection issues because it fails to properly sanitize the "name" and the "comment" variables. Archangel Weblog versions 0.90.02 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19432

  • 06.32.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Comet WebFileManager CheckUpload.PHP Remote File Include
  • Description: Comet WebFileManager is a web file manager. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "Language" variable of the "CheckUpload.php" script. Comet Webfile Manager version 0.9.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/442714

  • 06.32.76 - CVE: Not Available
  • Platform: Web Application
  • Title: Hitweb REP_INC Remote File Include
  • Description: Hitweb is used to create a collection of web sites. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "REP_INC" variable of the "genpage-cgi.php" script. Hitweb version 4.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19436

  • 06.32.77 - CVE: Not Available
  • Platform: Web Application
  • Title: SmartSiteCMS Admin.PHP Authentication Bypass
  • Description: SmartSiteCMS is a web-based content management application. It is affected by an authentication bypass issue due to insufficient sanitization of the "userName" parameter of the "admin.php" script. SmartSiteCMS v1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19434

  • 06.32.78 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple One File Guestbook Security Bypass
  • Description: Simple one file is a PHP-based guestbook application. Attackers can delete all guestbook entries by submitting a GET request to "guestbook.php" which includes the necessary variables to bypass the administration panel and required login credentials. Version 1.0 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19437

  • 06.32.79 - CVE: Not Available
  • Platform: Web Application
  • Title: CivicSpace Multiple HTML Injection
  • Description: CivicSpace is a component for the Drupal content management system and is implemented in PHP. It is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input in the "subject" and "comment" input boxes of the "Add Comment" page. Version 0.8.5 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19438

  • 06.32.80 - CVE: Not Available
  • Platform: Web Application
  • Title: PgMarket Common.Inc.PHP Remote File Include
  • Description: PgMarket is a shopping cart application. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "CFG[libdir]" variable of the "common.inc.php" script. PgMarket version 2.2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/19439

  • 06.32.81 - CVE: Not Available
  • Platform: Web Application
  • Title: Boite de News Remote File Include
  • Description: Boite de News is a news reader application. Insufficient sanitization of the "url_index" variable of the "index.php" script exposes the application to a remote file include issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19440

  • 06.32.82 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Bibliography Multiple Input Validation Vulnerabilities
  • Description: Drupal is an open source content management system. The Drupal Bibliography module is exposed to multiple input validation issues due to insufficient sanitization of user-supplied input. Drupal versions prior to 4.7 are affected.
  • Ref: http://www.securityfocus.com/bid/19441

  • 06.32.83 - CVE: Not Available
  • Platform: Web Application
  • Title: See-Commerce Owimg.PHP Remote File Include
  • Description: See-Commerce is affected by a remote file include issue due to insufficient sanitization of the "path" parameter of the "owimg.php" script. See-Commerce version 1.0.625 is affected.
  • Ref: http://www.securityfocus.com/bid/19443

  • 06.32.84 - CVE: Not Available
  • Platform: Web Application
  • Title: XennoBB Profile.PHP Directory Traversal
  • Description: XennoBB is a web-based bulletin-board application written in PHP. It is prone to a directory traversal vulnerability because it fails to properly sanitize user-supplied input to the "gallery" parameter of the "profile.php" script. Versions 2.1.0 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19446

  • 06.32.85 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBloggie Mybloggie_Root_Path Parameter Multiple Remote File Include
  • Description: MyBloggie is a web-log application implemented in PHP. It is prone to multiple remote file include vulnerabilities, due to a failure in the application to properly sanitize user-supplied input in the "mybloggie_root_path" parameter of the "index.php" and "db.php" scripts. Versions 2.1.3 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19449

  • 06.32.86 - CVE: Not Available
  • Platform: Web Application
  • Title: AlsaPlayer Multiple Buffer Overflow Vulnerabilities
  • Description: AlsaPlayer is an open source media player. It is affected by multiple buffer overflow issues due to insufficient sanitization of user-supplied input. AlsaPlayer versions 0.99.76 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19450

  • 06.32.87 - CVE: CVE-2006-4030
  • Platform: Web Application
  • Title: Gallery Stats Module Information Disclosure
  • Description: Gallery is a web-based photo album and is available for the Linux operating system. It is prone to an information disclosure vulnerability, as the application fails to protect sensitive information in the stats module. Versions 2.4 and prior are reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19453

  • 06.32.88 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPMyRing IDSITE SQL Injection
  • Description: PHPMyRing is prone to an SQL injection issue due to insufficient sanitization of the "idsite" parameter of the "view_com.php" script. PHPMyRing versions 4.2.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19450

  • 06.32.89 - CVE: Not Available
  • Platform: Web Application
  • Title: Mafia Moblog Big.PHP Remote File Include
  • Description: Mafia Moblog is a weblog application. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "pathtotemplate" variable of the "big.php" script. Mafia Moblog version 6 is affected.
  • Ref: http://www.securityfocus.com/bid/19458

  • 06.32.90 - CVE: CVE-2006-4012
  • Platform: Web Application
  • Title: SaveWebPortal Page Parameter Remote File Include
  • Description: SaveWebPortal is a web-based content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "page" parameter of the "index.php" script. SaveWebPortal version 3.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19459

  • 06.32.91 - CVE: Not Available
  • Platform: Web Application
  • Title: Tagger LE Tags.PHP Remote File Include
  • Description: Tagger LE (Luxury Edition) is a web-based bulletin board application implemented in PHP. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "BBCodeFile" parameter of "tags.php". Version 3 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19464

  • 06.32.92 - CVE: Not Available
  • Platform: Web Application
  • Title: Spaminator Page Parameter Remote File Include
  • Description: Spaminator is a web-based management interface for Sendmail's built-in anti-spam functionality. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "page" parameter of "Login.php". Version 1.7 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19466

  • 06.32.93 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPWCMS Multiple Remote File Include Vulnerabilities
  • Description: PHPWCMS is a web-based content management system. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "spaw_root" parameter of various scripts. PHPWCMS versions 1.2.6 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19467

  • 06.32.94 - CVE: CVE-2006-4061
  • Platform: Web Application
  • Title: PHPPrintAnalyzer Header.inc.PHP Remote File Include
  • Description: PHPPrintAnalyzer is a web log analyzer. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "ficStyle" parameter of the "header.inc.php" script. PHPPrintAnalyzer version 1.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19474

  • 06.32.95 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys WRT54GS POST Request Configuration Change Authentication Bypass
  • Description: Linksys WRT54GS is a Wireless-G broadband router. It is prone to an authentication bypass vulnerability when a victim user visits a specially-crafted web page on an attacker-controlled web site. Firmware version 1.00.9 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19347

  • 06.32.96 - CVE: Not Available
  • Platform: Hardware
  • Title: ArcSoft MMS Composer Multiple Vulnerabilities
  • Description: ArcSoft MMS Composer is a multimedia messaging service (MMS) application. It is prone to multiple vulnerabilities, including a denial of service. ArcSoft Composer versions 2.0.13 and earlier are vulnerable. See the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/19451

*************************************************************************

BONUS SECTION: Drive By Port Scanning and Exploitation of Internal Networks

SPI Labs has discovered a technique to use JavaScript to portscan an internal network, fingerprint all the web-enabled devices found, and send attacks or commands to those devices. All the code uses parts of the JavaScript standard that are almost ten years old. Accordingly, the code can execute in nearly any Web browser on nearly any platform when a user opens a Webpage that contains the JavaScript. Since this is not exploiting any browser bug or vulnerability, there is no patch or defense for the end user other than turning off JavaScript support in the browser. The code can be part of a Cross-site scripting (XSS) attack payload, thereby increasing the damage XSS can do.

Simply viewing a page with an embedded scanner will download the JavaScript along with the HTML to a user's browser, automatically executing the code. The scanner can be included in a site an attacker controls, or injected into popular sites using XSS vulnerabilities. The scanner finds targets by implementing a "ping" feature using the JavaScript Image object and an IFrame tag. Using a blend of these two objects allows the scanner to quickly detect hosts and confirm they are serving HTTP content. Once the scanner has detected a host with a web interface, the scanner tries to fingerprint the Web server to determine its type and version number. This is done using the Image object to retrieve graphics from well known locations on the device. For example, most Microsoft IIS Web servers have an image /pagerror.gif that is 36 by 48 pixels in size, Linksys WRK54G wireless routers have an image /UI_Linksys.gif that is 165 by 57 pixels, and Plone wiki applications have an image /plone_powered.gif that is 80 by 15 pixels. Once the scanner knows what applications exist on the intranet, it can send attacks to exploit known vulnerabilities in the applications. By dynamically building HTML forms and automatically submitting them, the scanner can send attacks using either GET or POST against the application. At the very least, the information collected from scanning and fingerprinting can be sent to the attacker to assist in planning another attack.
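The fingerprinting step described above leaves a trace on every internal device it touches: the victim's browser fetches the signature images while carrying a Referer from the page that hosts the scanner, i.e. a site outside the intranet. The following script is an added defender-side example (not SPI Labs' code or their proof of concept) that reads a device's access log in Combined Log Format and reports clients that requested those signature images with a cross-site Referer; the log lines, the trusted-host list and the log format are assumptions constructed for the example.

```python
"""Flag drive-by intranet fingerprinting in a web-enabled device's access log.

Added example, not SPI Labs' code. Assumes Combined Log Format; the sample
log lines and the trusted Referer hosts below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Signature images the article names as fingerprinting targets.
FINGERPRINT_PATHS = {"/pagerror.gif", "/UI_Linksys.gif", "/plone_powered.gif"}

# Combined Log Format: client ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: 10.0.0.5 views an external page that probes three
# signature images in one second; 10.0.0.7 fetches one from an intranet page.
LOG_LINES = [
    '10.0.0.5 - - [14/Aug/2006:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 512 "http://intranet.corp.example/" "Mozilla/4.0"',
    '10.0.0.5 - - [14/Aug/2006:10:03:11 -0400] "GET /pagerror.gif HTTP/1.1" 200 1234 "http://blog.example.net/post.html" "Mozilla/4.0"',
    '10.0.0.5 - - [14/Aug/2006:10:03:11 -0400] "GET /UI_Linksys.gif HTTP/1.1" 404 300 "http://blog.example.net/post.html" "Mozilla/4.0"',
    '10.0.0.5 - - [14/Aug/2006:10:03:12 -0400] "GET /plone_powered.gif HTTP/1.1" 404 300 "http://blog.example.net/post.html" "Mozilla/4.0"',
    '10.0.0.7 - - [14/Aug/2006:10:05:00 -0400] "GET /pagerror.gif HTTP/1.1" 200 1234 "http://intranet.corp.example/admin" "Mozilla/4.0"',
]


def find_driveby_probes(lines, trusted_hosts, min_paths=1):
    """Return {client: sorted signature paths} for clients that fetched at least
    min_paths signature images with a Referer not in trusted_hosts.
    A 404 still counts: the scanner asks for every known image and only
    the ones the device actually serves succeed."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] not in FINGERPRINT_PATHS:
            continue
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host is None or ref_host in trusted_hosts:
            continue  # direct visit or a page on our own intranet
        hits[m["client"]].add(m["path"])
    return {c: sorted(p) for c, p in hits.items() if len(p) >= min_paths}


if __name__ == "__main__":
    for client, paths in find_driveby_probes(LOG_LINES, {"intranet.corp.example"}).items():
        print(f"{client} probed {len(paths)} signature images from a cross-site page: {paths}")
```

Browsers drop the Referer when an HTTPS page fetches an HTTP image, so a run of signature-image requests with an empty Referer from one client deserves the same attention.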

SPI Labs has created a proof of concept web page that implements the detection and fingerprinting functionality of a full scanner. This site is available to the public and is listed at the end of this article. The scanner does not automatically start scanning or attacking any internal applications.

Most traditional XSS attacks target the Website where the XSS vulnerability exists, and the damage of the attack is limited by the features of that Website. For example, session hijacking is only damaging if the site that has the XSS vulnerability actually issues session state and does something meaningful with it. The danger is that scanning and attacking internal applications or systems targets the end user. This means any XSS vulnerability on any site can be used to attack the end user, regardless of the features of the vulnerable site. There is no longer any such thing as a harmless XSS vulnerability.

More information:
Complete Whitepaper: http://www.spidynamics.com/assets/documents/JSportscan.pdf
Proof of Concept: http://www.spidynamics.com/spilabs/js-port-scan/
Upcoming BlackHat Presentation, Jeremiah Grossman, WhiteHat Security: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman
Upcoming BlackHat Presentation, Billy Hoffman, SPI Dynamics: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Hoffman2

______________________________________________________________________

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.