
@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 33
August 21, 2006

Another critical PowerPoint vulnerability being exploited, another Internet Explorer vulnerability, more PHP application file include vulnerabilities, an Informix vulnerability, and more buffer overflows in Symantec/Veritas Backup Exec.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Windows                                   1 (#6)
    Other Microsoft Products                  2 (#0, #3, #9)
    Third Party Windows Apps                  5 (#1)
    Linux                                     2
    HP-UX                                     1
    Solaris                                   1
    Unix                                      1
    Novell                                    1
    Cross Platform                            18 (#2, #4, #5, #8, #10)
    Web Application - Cross Site Scripting    5
    Web Application - SQL Injection           4
    Web Application                           28 (#7)
    Network Device                            1
    Hardware                                  1

*********************** Sponsored By Attachmate *************************

Companies struggle to implement policy compliance programs that satisfy regulatory and audit-related requirements, protect the integrity of critical information and prevent the loss of sensitive data. Unfortunately, compliance investments may not be adequately offset by effective risk management or measurable cost reduction. Learn how to achieve better compliance and risk management results with NetIQ Solutions from Attachmate.

http://www.sans.org/info.php?id=1313

*************************************************************************

How Good Are The Courses at SANS Network Security 2006? Ask the alumni.

++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines

++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA

++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - Larry Anderson, Computer Sciences Corp.

++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense

SANS' best instructors all come together at Network Security 2006 in Las Vegas, October 1-9: 37 immersion courses, a big exposition, free evening classes and much more. Early registration deadline is Friday, August 18. See: http://www.sans.org/ns2006/caag.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
HP-UX
Solaris
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************ Sponsored Links: *****************************

1) Free software! Patch & Spyware Management! A complete security solution from Shavlik. http://www.sans.org/info.php?id=1314

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: IBM eGatherer ActiveX Component Remote Code Execution
  • Affected:
    • IBM eGatherer ActiveX Component versions 3.20.0283.0 and prior
  • Description: The IBM eGatherer ActiveX component is installed on all IBM workstations and laptops running Microsoft Windows, and is used to gather system information for IBM support technicians. The control is digitally signed by IBM and marked "safe for scripting", so any web page may instantiate it. It contains a remotely-exploitable buffer overflow: a specially-crafted web page that instantiates the component can trigger the overflow and execute arbitrary code with the privileges of the current user. The technical details and a simple proof-of-concept have been publicly posted. Note that users who do not have this control on their systems may be tricked into installing it; it may even be installed silently if the user has previously chosen to trust all code signed by IBM.

  • Status: IBM confirmed, updates available. Users may be able to mitigate the impact of this vulnerability by disabling the component via Microsoft's "killbit" mechanism for CLSID "{74FFE28D-2378-11D5-990C-006094235084}".

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (3) HIGH: Multiple Microsoft Internet Explorer COM Objects Instantiation Vulnerabilities
  • Affected:
    • Microsoft Internet Explorer version 6 and prior
  • Description: Internet Explorer reportedly contains heap-memory corruption vulnerabilities while instantiating certain COM objects as ActiveX controls. A specially-crafted web page that instantiates these COM objects could trigger the memory corruption, and potentially execute arbitrary code on a client system. Note that re-usable exploit code to leverage these flaws is publicly available. Flaws similar to these have been widely exploited in the past.

  • Status: Microsoft has not confirmed, no updates available. Users may be able to mitigate the impact of these vulnerabilities by disabling the components via Microsoft's "killbit" mechanism for the following CLSIDs: "{6E3197A3-BBC3-11D4-84C0-00C04F7A06E5}", "{BE4191FB-59EF-4825-AEFC-109727951E42}", "{233A9694-667E-11d1-9DFB-006097D50408}", and "{E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29}".

  • Council Site Actions: All of the responding council sites are waiting for additional information and a patch from the vendor.

  • References:
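
Items (1) and (3) both point at the same mitigation: set the Internet Explorer "killbit" for the control's CLSID. The following is an added example (not IBM's, Microsoft's or TippingPoint's code) that generates the .reg file to deploy with reg.exe or Group Policy and audits a `reg export` of the same key to report which of the bulletin's CLSIDs are still unblocked. The registry path and the 0x400 flag are Microsoft's documented killbit mechanism (KB240797); the CLSIDs are the ones listed in items (1) and (3); function names and the sample output are the example's own.

```python
"""Generate and audit Internet Explorer "killbit" settings for a list of CLSIDs.

Added example for this bulletin, not IBM's or Microsoft's code. Setting bit
0x400 in the "Compatibility Flags" DWORD under the ActiveX Compatibility key
is Microsoft's documented way (KB240797) to stop IE from instantiating a
control. CLSIDs below are those from items (1) and (3). The script only
produces .reg text and parses a `reg export`; it never touches the registry.
"""
import re

KILLBIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
               r"\ActiveX Compatibility")
KILLBIT_FLAG = 0x400   # bit that blocks instantiation; other bits mean other things

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

BULLETIN_CLSIDS = [
    "{74FFE28D-2378-11D5-990C-006094235084}",   # IBM eGatherer, item (1)
    "{6E3197A3-BBC3-11D4-84C0-00C04F7A06E5}",   # IE COM objects, item (3)
    "{BE4191FB-59EF-4825-AEFC-109727951E42}",
    "{233A9694-667E-11d1-9DFB-006097D50408}",
    "{E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29}",
]

def normalize_clsid(clsid):
    """Upper-case and validate; a malformed CLSID would create a harmless but useless key."""
    c = clsid.strip().upper()
    if not CLSID_RE.match(c):
        raise ValueError("not a CLSID: %r" % clsid)
    return c

def killbit_reg(clsids):
    """.reg text that sets the killbit for each CLSID (import with reg.exe or via GPO)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        lines.append("[%s\\%s]" % (KILLBIT_KEY, normalize_clsid(c)))
        lines.append('"Compatibility Flags"=dword:%08x' % KILLBIT_FLAG)
        lines.append("")
    return "\n".join(lines)

def killbitted_in_export(reg_text):
    """CLSIDs whose Compatibility Flags include 0x400, from a `reg export` of KILLBIT_KEY."""
    found, current = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = re.match(r"^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$", line)
            ok = m and m.group(1).upper() == KILLBIT_KEY.upper()
            current = m.group(2).upper() if ok else None
            continue
        m = re.match(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', line)
        if current and m and int(m.group(1), 16) & KILLBIT_FLAG:
            found.add(current)
    return found

def missing_killbits(reg_text, wanted=BULLETIN_CLSIDS):
    """Bulletin CLSIDs the export does NOT show as blocked, in bulletin order."""
    have = killbitted_in_export(reg_text)
    return [c for c in wanted if normalize_clsid(c) not in have]

if __name__ == "__main__":
    print(killbit_reg(BULLETIN_CLSIDS))
```

Importing the generated .reg replaces any existing "Compatibility Flags" value rather than OR-ing 0x400 into it, so export the key first if other flags may already be set. On x64 Windows the 32-bit Internet Explorer reads the Wow6432Node copy of the key, so deploy to both locations. A killbit stops IE (and other hosts that honour it) from instantiating the control; it does not remove the vulnerable code, so the vendor update is still needed.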
  • (4) HIGH: Symantec Backup Exec Remote RPC Buffer Overflows
  • Affected:
    • Veritas Backup Exec versions 9.x
    • Veritas Backup Exec Remote Agent for Windows Servers versions 9.x
  • Description: Veritas Backup Exec, a popular enterprise backup solution, contains multiple remotely-exploitable RPC buffer overflows. By sending specially-crafted RPC requests to the vulnerable system, an unauthenticated attacker could exploit these overflows and execute arbitrary code with the privileges of the Backup Exec process. Both the Windows backup server and agent are affected. No technical details for these vulnerabilities have been publicly posted.

  • Status: Veritas confirmed, updates available.

  • Council Site Actions: Only one of the responding council sites is using the affected software and they are in the process of distributing the patch.

  • References:
  • (5) MODERATE: HP OpenView Storage Data Protector Remote Code Execution
  • Affected:
    • HP OpenView Storage Data Protector 5.1/5.5
  • Description: HP OpenView Storage Data Protector, a popular enterprise storage management and monitoring solution, contains a remote code execution vulnerability. Technical details for this vulnerability have not been published, but HP has confirmed that remote, unauthenticated users can exploit this vulnerability to execute arbitrary code with the privileges of the OpenView process.

  • Status: HP confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (6) LOW: Microsoft Windows SMB Denial-of-Service
  • Affected:
    • Microsoft Windows 2000 SP4
    • Microsoft Windows XP SP1/SP2
    • Microsoft Windows Server 2003 SP0/SP1
  • Description: Microsoft Windows contains a remotely-exploitable vulnerability in the SMB service that results in a denial-of-service condition. By sending a specially-crafted SMB request to a vulnerable system, an attacker can crash a vulnerable system. It is currently believed that this vulnerability cannot be used to execute arbitrary code. Note that this vulnerability is distinct from the one patched in the Microsoft Security Bulletin MS06-035. Technical details and a simple proof-of-concept for this vulnerability have been publicly posted.

  • Status: No official Microsoft confirmation, no updates available. Users are advised to block TCP and UDP ports 445 and 139 at the network perimeter.

  • Council Site Actions: All of the responding council sites are waiting on additional information from the vendor and a patch.

  • References:
Other Software
  • (8) MODERATE: ImageMagick SGI Image Heap Overflow
  • Affected:
    • ImageMagick versions 6.2.8 and prior
  • Description: ImageMagick, a popular suite of open source image manipulation and viewing tools, contains a heap overflow vulnerability. A specially-crafted Silicon Graphics Image file could trigger this heap overflow and execute arbitrary code with the privileges of the current user. Technical details and a simple proof-of-concept for this vulnerability have been publicly posted. Note that ImageMagick is installed by default on many Unix, Unix-like, and Linux systems.

  • Status: ImageMagick confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
    • Posting by Damian Put (includes technical details and proof-of-concept image): http://archives.neohapsis.com/archives/bugtraq/2006-08/0290.html
    • Silicon Graphics Image File Format Specification: ftp://ftp.sgi.com/graphics/SGIIMAGESPEC
    • ImageMagick Home Page: http://www.imagemagick.com
    • SecurityFocus BID: http://www.securityfocus.com/bid/19507
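
Item (8) is a heap overflow triggered by a crafted SGI image. The following is an added example, not ImageMagick's code and not a description of the specific flaw in 6.2.8: a defensive parser for the SGI header and RLE scanlines that makes the checks a decoder needs before it allocates and fills a pixel buffer from attacker-controlled fields. The header layout and RLE scheme follow the SGI specification referenced above; the 64 MiB size cap, the helper that builds sample files and the sample images themselves are constructed for the example.

```python
"""Defensive parser for the SGI image format discussed in item (8).

Added example for this bulletin, not ImageMagick's code. Layout per the SGI
spec: 512-byte big-endian header (magic 474, storage, bpc, dimension, xsize,
ysize, zsize, ...), then raw pixels (storage 0) or, for RLE (storage 1), a
table of ysize*zsize 32-bit scanline offsets followed by as many lengths.
"""
import struct
from collections import namedtuple

SGI_MAGIC = 474
HEADER_LEN = 512
MAX_PIXEL_BYTES = 64 * 1024 * 1024   # policy cap (assumption), not part of the format

SgiHeader = namedtuple("SgiHeader", "storage bpc dimension xsize ysize zsize")

class BadSgi(ValueError):
    """Any header/pixel inconsistency; the caller must not decode further."""

def parse_header(data):
    if len(data) < HEADER_LEN:
        raise BadSgi("short header")
    magic, storage, bpc, dim, xs, ys, zs = struct.unpack(">HBBHHHH", data[:12])
    if magic != SGI_MAGIC:
        raise BadSgi("bad magic")
    if storage not in (0, 1) or bpc not in (1, 2) or dim not in (1, 2, 3):
        raise BadSgi("bad storage/bpc/dimension")
    if 0 in (xs, ys, zs):
        raise BadSgi("zero-sized image")
    return SgiHeader(storage, bpc, dim, xs, ys, zs)

def validate_file(data):
    """Cross-check the header against the real file size before any pixel buffer exists."""
    h = parse_header(data)
    # In C, xsize*ysize*zsize*bpc must be checked for integer overflow before
    # malloc(); Python ints do not wrap, so only the policy cap is enforced here.
    pixel_bytes = h.xsize * h.ysize * h.zsize * h.bpc
    if pixel_bytes > MAX_PIXEL_BYTES:
        raise BadSgi("image exceeds size policy: %d bytes" % pixel_bytes)
    body = len(data) - HEADER_LEN
    if h.storage == 0:
        if body < pixel_bytes:
            raise BadSgi("truncated verbatim pixel data")
        return h
    n = h.ysize * h.zsize                  # one table entry per scanline per channel
    table_len = 2 * n * 4
    if body < table_len:
        raise BadSgi("truncated RLE offset/length table")
    starts = struct.unpack(">%dI" % n, data[HEADER_LEN:HEADER_LEN + n * 4])
    lengths = struct.unpack(">%dI" % n, data[HEADER_LEN + n * 4:HEADER_LEN + table_len])
    for i, (start, length) in enumerate(zip(starts, lengths)):
        if start < HEADER_LEN + table_len or start + length > len(data):
            raise BadSgi("RLE scanline %d lies outside the file" % i)
    return h

def decode_rle_scanline(chunk, xsize, bpc):
    """Expand one RLE scanline to exactly xsize pixels, refusing runs that overrun the row."""
    out, i, limit = bytearray(), 0, xsize * bpc
    while True:
        if i + bpc > len(chunk):
            raise BadSgi("scanline ends without a terminator")
        ctl = int.from_bytes(chunk[i:i + bpc], "big")
        i += bpc
        count = ctl & 0x7F
        if count == 0:
            break
        if len(out) + count * bpc > limit:    # the bound a heap overflow is missing
            raise BadSgi("run overruns the scanline")
        if ctl & 0x80:                        # literal run: copy next count pixels
            seg = chunk[i:i + count * bpc]
            i += count * bpc
        else:                                 # repeat run: next pixel, count times
            seg = chunk[i:i + bpc] * count
            i += bpc
        if len(seg) != count * bpc:
            raise BadSgi("run truncated")
        out += seg
    if len(out) != limit:
        raise BadSgi("scanline shorter than xsize")
    return bytes(out)

def build_rle_file(xsize, scanlines, bpc=1):
    """Constructed helper: single-channel RLE image, one encoded chunk per scanline."""
    ys = len(scanlines)
    hdr = struct.pack(">HBBHHHHii4x", SGI_MAGIC, 1, bpc, 2 if ys > 1 else 1,
                      xsize, ys, 1, 0, 255)
    hdr = (hdr + b"example".ljust(80, b"\0") + struct.pack(">i", 0)).ljust(HEADER_LEN, b"\0")
    pos, starts, lengths, body = HEADER_LEN + 2 * ys * 4, [], [], b""
    for s in scanlines:
        starts.append(pos); lengths.append(len(s)); body += s; pos += len(s)
    return hdr + struct.pack(">%dI" % ys, *starts) + struct.pack(">%dI" % ys, *lengths) + body

GOOD_RLE = build_rle_file(4, [b"\x04A\x00"])   # constructed: 4 pixels of 'A', then terminator
OVERRUN_ROW = b"\x86ABCDEF\x00"                 # constructed: literal run of 6 into a 4-pixel row

if __name__ == "__main__":
    print(validate_file(GOOD_RLE), decode_rle_scanline(b"\x04A\x00", 4, 1))
```

The two checks that matter for a heap overflow are the size arithmetic before allocation and the per-run bound inside the scanline decoder; everything the decoder trusts (dimensions, offsets, run counts) comes from the file, so each is compared against the actual file length or row length before it is used.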

Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 33, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5133 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.33.1 - CVE: Not Available
  • Platform: Windows
  • Title: Windows PNG File IHDR Block Denial of Service
  • Description: Microsoft Windows is vulnerable to a remote denial of service issue. The PNG rendering portion of the operating system fails to properly handle malicious PNG files. See the advisory for details.
  • Ref: http://www.securityfocus.com/bid/19520

  • 06.33.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer CHTSKDIC.DLL Denial Of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service vulnerability. This issue occurs because the application fails to load a DLL when it is instantiated as an ActiveX control. An attacker may exploit this issue to crash Internet Explorer.
  • Ref: http://www.securityfocus.com/archive/1/443295

  • 06.33.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer MSOE.DLL Denial of Service
  • Description: Microsoft Internet Explorer is affected by a denial of service issue when it tries to instantiate the "MSOE.DLL" COM object as an ActiveX control. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19530

  • 06.33.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Internet Explorer IMSKDIC.DLL Denial of Service
  • Description: Microsoft Internet Explorer is affected by a denial of service issue when it tries to instantiate the "IMSKDIC.DLL" COM object as an ActiveX control. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19521

  • 06.33.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IPCheck Server Monitor Directory Traversal
  • Description: IPCheck Server Monitor is a web-based application to monitor network resources and detect system failures. It is exposed to a directory traversal issue due to insufficient sanitization of user-supplied input from an HTTP request. IPCheck version 5.3.2.609 is affected.
  • Ref: http://www.securityfocus.com/archive/1/442822

  • 06.33.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ScatterChat ECB Mode Cryptographic Module Weakness
  • Description: ScatterChat Instant Messenger is prone to a cryptographic weakness which may allow an attacker to detect patterns in encrypted client communications. Version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/443038

  • 06.33.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: 04WebServer Multiple Vulnerabilities
  • Description: 04WebServer is a web server for the Microsoft Windows platform. It contains multiple remote vulnerabilities that result from a failure to properly sanitize user input. Versions 1.83 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19496

  • 06.33.8 - CVE: CVE-2006-4184
  • Platform: Third Party Windows Apps
  • Title: SmartLine DeviceLock Local Privilege Escalation
  • Description: SmartLine DeviceLock is an application that controls access to various hardware devices. It is exposed to a local privilege escalation issue. SmartLine DeviceLock version 5.73 is affected.
  • Ref: http://www.securityfocus.com/bid/19500

  • 06.33.9 - CVE: CVE-2006-3121
  • Platform: Linux
  • Title: Linux-HA Heartbeat Remote Denial of Service
  • Description: Linux-HA heartbeat is a utility designed to indicate the availability of a high availability Linux system. It is prone to a remote denial of service vulnerability that is caused by sending specially crafted heartbeat messages to the master control process which may cause a segmentation fault, crashing the process. Versions 2.0.6 and prior are reported to be vulnerable.
  • Ref: http://linux-ha.org/_cache/SecurityIssues__sec03.txt

  • 06.33.10 - CVE: CVE-2006-3634
  • Platform: Linux
  • Title: Linux Kernel Unspecified Socket Buffer Handling Remote Denial of Service
  • Description: The Linux kernel is vulnerable to an unspecified remote denial of service due to a flaw in the kernel's network socket buffer handling code. Linux kernel versions 2.6.17-rc4 to 2.6.18-rc2 are vulnerable.
  • Ref: http://rhn.redhat.com/errata/RHSA-2006-0575.html

  • 06.33.11 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX Trusted Mode Local Denial of Service
  • Description: HP-UX is affected by an unspecified denial of service issue when it is running in the trusted mode. Versions B.11.23 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19528

  • 06.33.12 - CVE: CVE-2006-4139
  • Platform: Solaris
  • Title: Sun Solaris Netstat and Ifconfig Local Denial of Service
  • Description: Sun Solaris is exposed to a local denial of service issue due to a race condition error between the "netstat" and "ifconfig" commands. Solaris 10 is affected by this issue.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102569-1&searchclause=

  • 06.33.13 - CVE: Not Available
  • Platform: Unix
  • Title: GNU BinUtils GAS Buffer Overflow Vulnerability
  • Description: GAS is the GNU assembler. It is included in GNU binutils. It is susceptible to a buffer overflow issue due to improper bound checks on user-supplied input prior to copying it to an insufficiently sized memory buffer. GNU Binutils versions 2.16.1 and earlier are affected.
  • Ref: http://kb.sony-europe.com/kb/solutions/en/V00000_V00499/v00246.html

  • 06.33.14 - CVE: CVE-2006-4185
  • Platform: Novell
  • Title: Novell eDirectory Unspecified Nessus Denial of Service
  • Description: eDirectory is a directory services and identity management server platform distributed by Novell. The Novell eDirectory Server is prone to an unspecified denial of service vulnerability. The system experiences high CPU utilization when it is subjected to a Nessus scan. The flaw presents itself in eDirectory version 8.7.3.8.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973826.htm

  • 06.33.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Libmusicbrainz Multiple Buffer Overflow Vulnerabilities
  • Description: Libmusicbrainz is a set of libraries that allows developers to add MusicBrainz lookup capabilities to their applications. It is prone to multiple buffer overflow issues. Libmusicbrainz versions 2.1.2, SVN 8406, and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19508

  • 06.33.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Globus Toolkit Multiple Local Temporary File Handling Vulnerabilities
  • Description: Globus Toolkit is a software package providing services and libraries to aid in implementing Grid computing. It is exposed to vulnerabilities that may allow local attackers to create or corrupt arbitrary files, or view sensitive information. Globus Toolkit versions 4.0.1 and 3.0.2 are affected.
  • Ref: http://www.securityfocus.com/bid/19549

  • 06.33.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VMware Partition Table Deletion Denial of Service
  • Description: VMware is prone to a remote denial of service vulnerability. An attacker can craft malicious JavaScript that instantiates the VMware COM object used for managing virtual disks as an ActiveX control. The attacker may exploit this issue to destroy partition tables on the affected computer. This issue affects VMware version 5.5.1.
  • Ref: http://www.securityfocus.com/archive/1/443345

  • 06.33.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Prior to 6.0.2.13 Multiple Vulnerabilities
  • Description: IBM WebSphere Application Server is a utility designed to facilitate the creation of various enterprise web applications. IBM WebSphere Application Server is exposed to multiple issues. Please refer to the advisory for further details.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012915

  • 06.33.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox XML Handler Race Condition Memory Corruption
  • Description: Mozilla Firefox is prone to a remote memory corruption vulnerability. This issue is due to a race condition that is triggered when XML components are parsed by the application. All versions of Firefox and possibly other Mozilla products are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19534

  • 06.33.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Anti-Spam SMTP Proxy Server Unauthorized File Access
  • Description: Anti-Spam SMTP Proxy Server is an SMTP proxy server that implements various filtering techniques to block unsolicited emails. Anti-Spam SMTP Proxy Server is prone to an unauthorized file access vulnerability because the application fails to validate URL requests. In particular an attacker can craft a URL request using the "get?file" parameter to gain access to any file residing on the server or a mapped drive. Version 1.2.3 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19545

  • 06.33.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec NetBackup PureDisk Authentication Bypass
  • Description: Symantec NetBackup PureDisk is a backup system. It is affected by an authentication bypass vulnerability. Version 6.0 is affected.
  • Ref: http://securityresponse.symantec.com/avcenter/security/Content/2006.08.16.html

  • 06.33.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server 6.1.0 Multiple Vulnerabilities
  • Description: IBM WebSphere Application Server is affected by multiple vulnerabilities in handling SOAP requests, when using ThreadIdentitySupport and in the processing of mbeans. Version 6.1.0 is affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27007951

  • 06.33.23 - CVE: CVE-2006-4134
  • Platform: Cross Platform
  • Title: SAP Internet Graphics Server Remote Buffer Overflow
  • Description: The Internet Graphics Server (IGS) is a subcomponent of the SAP R/3 enterprise environment, which is accessible over HTTP via a minimalist web server component. IGS is susceptible to a remote buffer overflow vulnerability. The problem occurs when a specifically crafted HTTP request is sent to the vulnerable application. Versions 6.4 and 7.0 of the software are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/442840

  • 06.33.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Panda ActiveScan Ascan_6.ASP ActiveX Control Cross-Site Scripting
  • Description: Panda ActiveScan is an antivirus application, implemented as an ActiveX control. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "email" parameter of the "ascan_6.asp" script. Panda ActiveScan version 5.53.00 is affected.
  • Ref: http://www.securityfocus.com/bid/19471

  • 06.33.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec Backup Exec Multiple Heap Overflow Vulnerabilities
  • Description: Symantec Backup Exec is a network enabled backup solution. It is exposed to multiple heap overflow issues. Please refer to the link below for further details.
  • Ref: http://www.symantec.com/avcenter/security/Content/2006.08.11.html

  • 06.33.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox JavaScript Handler Race Condition Memory Corruption
  • Description: Mozilla Firefox is vulnerable to a remote memory corruption issue when JavaScript timers or other browser events interrupt browser components while they are running. Freed memory structures are not left in an expected state. Mozilla Firefox versions 1.5 beta 2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/443020

  • 06.33.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser IRC Chat Client Remote Denial of Service
  • Description: Opera Web Browser IRC chat client is prone to a remote denial of service vulnerability. This issue arises when the client receives malicious data from a server. This issue affects Opera Web Browser 9.
  • Ref: http://www.securityfocus.com/bid/19491

  • 06.33.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP OpenView Storage Data Protector Backup Agent Remote Arbitrary Command Execution
  • Description: HP OpenView Storage Data Protector is a commercial data-management product for backup and recovery. The client side agent is prone to an arbitrary command-execution vulnerability, due to insufficient input-validation and weak authentication mechanisms in the proprietary OpenView Data Protector protocol. Versions 5.5 and 5.1 are reported as vulnerable.
  • Ref: http://www.niscc.gov.uk/niscc/docs/br-20060811-00550.html

  • 06.33.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Novell eDirectory eMBoxClient.JAR Information Disclosure
  • Description: eDirectory is a directory services and identity management server platform. It is affected by an information disclosure issue because the "eMBoxClient.jar" iManager prints confidential user passwords to the log file. eDirectory version 8.7.3.8 is affected.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973826.htm

  • CVE: Not Available
  • Platform: Cross Platform
  • Title: ImageMagick SGI Image File Remote Heap Buffer Overflow
  • Description: ImageMagick is an image editing suite including a library and command-line utilities. It is affected by a heap overflow issue when processi

  • 06.33.32 - CVE: CVE-2006-2195, CVE-2006-3548
  • Platform: Cross Platform
  • Title: Horde Products GETURL Parameter Cross-Site Scripting
  • Description: Various Horde products are vulnerable to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "$_GET['url']" par

  • CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Horde Products Search.PHP Cross-Site Scripting
  • Description: Various Horde products are exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied input to parameters of various scripts. Horde IMP version 4.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/19544

  • 06.33.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: YaBB Index.PHP Cross-Site Scripting
  • Description: YaBB (Yet Another Bulletin Board) is a web forum application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "categories" parameter of the "index.php" script. YaBB versions 1.5.5 B and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/442817

  • 06.33.36 - CVE: CVE-2006-4090
  • Platform: Web Application - Cross Site Scripting
  • Title: BlogHoster PreviewComment.PHP Cross-Site Scripting
  • Description: BlogHoster is a web-based blog application implemented in PHP. It is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input to the "nickname" parameter in the "previewcomment.php" script. This issue affects version 2.2.
  • Ref: http://www.securityfocus.com/bid/19457

  • 06.33.37 - CVE: CVE-2006-4165
  • Platform: Web Application - Cross Site Scripting
  • Title: NetCommons Unspecified Cross-Site Scripting
  • Description: NetCommons is a web-based portal written in PHP. NetCommons is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to unspecified parameters and scripts. Version 1.0.8 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19497

  • 06.33.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla Webring Component Admin.Webring.Docs.PHP SQL Injection
  • Description: Joomla Webring Component allows users to submit web pages to a large web site. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "component_dir" parameter of the "admin.webring.docs.php" script. Joomla Webring Component version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19511

  • 06.33.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Spidey Blog Script PID Parameter SQL Injection
  • Description: Spidey Blog Script is a web blog application; it is written in ASP. It is prone to an SQL injection vulnerability. Specifically, the application fails to sanitize data passed through the "pid" parameter of the "proje_goster.asp" script. Spidey Blog Script 1.5 and prior versions are reported to be affected.
  • Ref: http://www.securityfocus.com/bid/19518

  • 06.33.40 - CVE: CVE-2006-0696, CVE-2006-0697, CVE-2006-0698
  • Platform: Web Application - SQL Injection
  • Title: Zen Cart Multiple SQL Injection Vulnerabilities
  • Description: Zen Cart is a web-based shopping cart application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "ipn_get_stored_session", "whos_online_session_recreate", and "add_cart" functions. Zen Cart versions 1.3.0.2 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/0546

  • 06.33.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: VWar Online.PHP SQL Injection
  • Description: VWar is a clan member tracking application. It is affected by a SQL injection issue due to insufficient sanitization of the "n" parameter of the "extra/online.php" script. Versions 1.50 R14 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19472/info

  • 06.33.42 - CVE: Not Available
  • Platform: Web Application
  • Title: phPay Nu_mail.inc.PHP Open Email Relay
  • Description: phPay is a web-based e-commerce application written in PHP. It is prone to a remote open mail relay vulnerability. The application fails to properly sanitize user-supplied input before using it to generate email messages. The vulnerability exists at the "mail_text2" parameter of the "nu_mail.inc.php" script. An attacker may leverage the issue to use web servers that are hosting the vulnerable software to send arbitrary unsolicited bulk email. Attackers may also forge email messages that originate from trusted mail servers. phPay version 2.02 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19517
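
The phPay entry above is the mail header injection bug class. The following is an added example, not phPay's code: a vulnerable message builder next to a hardened one, with a parser that lists every address the mail server would deliver to. The bulletin does not say where phPay places "mail_text2"; the vulnerable builder assumes the user-supplied value reaches a header line, which is the usual way this bug becomes an open relay. Sender, recipient and the injected subject are constructed for the example.

```python
"""Mail header injection: how an unsanitized parameter turns a site into an open relay.

Added example, not phPay's code. A CR/LF inside a value that is spliced into
the header block starts a new header line, so an attacker appends Bcc:/Cc:
recipients, or a blank line and a body of their own, and the site's mail
server delivers it. Addresses and subjects below are constructed.
"""
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

SITE_SENDER = "shop@example.com"          # constructed
SITE_RECIPIENT = "orders@example.com"     # constructed: the only intended recipient

def build_message_unsafe(subject, text):
    """Vulnerable pattern: header values spliced into the message verbatim."""
    return ("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s\r\n"
            % (SITE_SENDER, SITE_RECIPIENT, subject, text))

def _header(name, value):
    """Hardened: a header value is one line. Reject rather than strip, so the attempt shows in logs."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in %s header: injection attempt" % name)
    return value

def build_message_safe(subject, text):
    """Same message with a check per header; the body is set as content, not concatenated."""
    msg = EmailMessage()
    msg["From"] = _header("From", SITE_SENDER)
    msg["To"] = _header("To", SITE_RECIPIENT)
    msg["Subject"] = _header("Subject", subject)
    msg.set_content(text)
    return msg.as_string()

def recipients(raw):
    """Every address an MTA would deliver this message to (To, Cc and Bcc)."""
    msg = message_from_string(raw)
    addrs = []
    for field in ("To", "Cc", "Bcc"):
        addrs += [addr for _, addr in getaddresses(msg.get_all(field, []))]
    return addrs

# constructed attack input: one parameter, two extra recipients
INJECTED_SUBJECT = "Your order\r\nBcc: victim1@example.net, victim2@example.net"

if __name__ == "__main__":
    print(recipients(build_message_unsafe(INJECTED_SUBJECT, "spam text")))
    try:
        build_message_safe(INJECTED_SUBJECT, "spam text")
    except ValueError as e:
        print("rejected:", e)
```

The same check belongs on every value that reaches a header (reply-to, sender name, subject); in PHP the equivalent risk sits in the subject and additional-headers arguments of mail(), and a bare "\r\n\r\n" in an injected value also lets the attacker replace the whole body.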

  • 06.33.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Outreach Project Tool Remote File Include
  • Description: Outreach Project Tool is a web-based project development application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "CRM_inc" parameter of the "urights.php" script. Outreach Project Tool version 1.2.6 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19548

  • 06.33.44 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke AutoHTML Module Local File Include
  • Description: PHP-Nuke AutoHTML Module is an add-on script for displaying HTML files, implemented in PHP. It is prone to a local file include vulnerability because it allows directory traversal strings in the "name" parameter of the "autohtml.php" script. Version 2.0 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19525

  • 06.33.45 - CVE: Not Available
  • Platform: Web Application
  • Title: WEBInsta Mailing List Manager InitDB.PHP Remote File Include
  • Description: WEBInsta Mailing List Manager is a mailing list application. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "absolute_path" parameter of the "initdb.php" script. Versions 1.3e and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19526

  • 06.33.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Discloser Multiple Remote File Include Vulnerabilities
  • Description: Discloser is a web log application. It is exposed to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "fileloc" parameter of the "content.php" and "indexhead.php" scripts. Discloser version 0.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/19532

  • 06.33.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Lizge Index.PHP Multiple Remote File Include Vulnerabilities
  • Description: Lizge is a web forum application. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "lizge" and "bade" parameters of the "index.php" script. Lizge version V.20 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/443309

  • 06.33.48 - CVE: Not Available
  • Platform: Web Application
  • Title: WikiWebWeaver Index.PHP Arbitrary File Upload
  • Description: WikiWebWeaver is a wiki application. Insufficient sanitization of the "upload" input box of the "index.php" script exposes the application to an arbitrary file upload issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19537

  • 06.33.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Mensajeitor HTML Injection
  • Description: Mensajeitor is a web site development script. Insufficient sanitization of the "HTTP_CLIENT_IP" variable in the "mensajeitor.php" script exposes the application to an HTML injection issue. Mensajeitor version v1.8.9 r3 is affected.
  • Ref: http://www.securityfocus.com/bid/19539/info

  • 06.33.50 - CVE: Not Available
  • Platform: Web Application
  • Title: PHProjekt Multiple Remote File Include Vulnerabilities
  • Description: PHProjekt is an open source PHP Groupware package. It is exposed to multiple file include issues due to insufficient sanitization of user-supplied input prior to using it in a PHP "include()" function call. PHProjekt version 5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/19541

  • 06.33.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Zen Cart Multiple File Include Vulnerabilities
  • Description: Zen Cart is a freely available web-based shopping cart application. It is prone to both local and remote file include vulnerabilities, due to a failure to sanitize user-supplied input in several scripts. Versions 1.3.0.2 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19543

  • 06.33.52 - CVE: Not Available
  • Platform: Web Application
  • Title: FusionPHP Fusion News Index.PHP Remote File Include
  • Description: Fusion News is a news reader application. Insufficient sanitization of the "fpath" parameter of the "index.php" script exposes the application to a remote file include issue. Fusion News version 3.7 is affected.
  • Ref: http://www.securityfocus.com/bid/19546/info

  • 06.33.53 - CVE: Not Available
  • Platform: Web Application
  • Title: DotProject Query.Class.PHP Remote File Include
  • Description: DotProject is a web-forum application. It is exposed to a remote file include issue due to improper sanitization of user-supplied input to the "baseDir" parameter of the "query.class.php" script. DotProject versions 2.0.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19547/

  • 06.33.54 - CVE: CVE-2006-4166
  • Platform: Web Application
  • Title: Tiny Web Gallery Image Parameter Multiple Remote File Include Vulnerabilities
  • Description: Tiny Web Gallery is a web-based classified-ads system. It is exposed to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "image" parameter of the "image.php" and "image.php2" scripts. Tiny Web Gallery version 1.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/442818

  • 06.33.55 - CVE: CVE-2006-4130
  • Platform: Web Application
  • Title: Remository Admin.remository.PHP Remote File Include
  • Description: The Remository component for Mambo CMS is a file and folder management application. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "admin.remository.php" script. Mambo CMS version 3.25 is affected.
  • Ref: http://www.securityfocus.com/archive/1/442869

  • 06.33.56 - CVE: Not Available
  • Platform: Web Application
  • Title: MyWebland miniBloggie Fname Remote File Include
  • Description: miniBloggie is a web log application. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "fname" parameter of the "cls_fast_template.php" script. Version 1.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19476

  • 06.33.57 - CVE: Not Available
  • Platform: Web Application
  • Title: WEBinsta Mailing List Manager Install3.PHP Remote File Include
  • Description: WEBinsta Mailing List Manager is a web-based centralized mailing list and news system. It is exposed to a remote file include issue due to improper sanitization of user-supplied input to the "$cabsolute_path" parameter of the "install3.php" script. Version 1.3e is affected.
  • Ref: http://www.securityfocus.com/bid/19477

  • 06.33.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Startpage Multiple Remote File Include Vulnerabilities
  • Description: Startpage is affected by multiple remote file include issues due to insufficient sanitization of the "$cfgLanguage" parameter in the "edit.php", "functions.php", "new.php", "PageBottom.php" and "PageTop.php" scripts. Version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19478/info

  • 06.33.59 - CVE: Not Available
  • Platform: Web Application
  • Title: MVCnPHP glConf[path_library] Parameter Multiple Remote File Include Vulnerabilities
  • Description: MVCnPHP is a version of the Model View Controller design pattern for PHP. It is vulnerable to multiple remote file include vulnerabilities due to insufficient sanitization of user-supplied input to the "glConf[path_library]" parameter of the "BaseCommand.php", "BaseLoader.php" and "BaseView.php" scripts. MVCnPHP version 3.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19481

  • 06.33.60 - CVE: CVE-2006-4155
  • Platform: Web Application
  • Title: Invision Power Board Threaded View Information Disclosure
  • Description: Invision Power Board is a message board application implemented in PHP. It is prone to an information disclosure vulnerability because the application fails to protect sensitive information. In particular, an attacker can perform unspecified actions while the application is in the "threaded view" mode; this can be exploited to gain access to information stored in other message posts outside of the current thread topic.
  • Ref: http://forums.invisionpower.com/index.php?&showtopic=225755

  • 06.33.61 - CVE: CVE-2006-4019
  • Platform: Web Application
  • Title: SquirrelMail Compose.PHP Multiple Information Disclosure and Data Modification Vulnerabilities
  • Description: SquirrelMail is a web-based email application. It is exposed to multiple information disclosure and data modification issues due to insufficient sanitization of user-supplied input to unspecified random parameters of the "compose.php" script. SquirrelMail versions 1.4.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19486

  • 06.33.62 - CVE: Not Available
  • Platform: Web Application
  • Title: WEBinsta CMS Templates_Dir Remote File Include
  • Description: WEBinsta CMS is a web-based content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "templates_dir" parameter of the "index.php" script. WEBinsta CMS version 0.3.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/443154

  • 06.33.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla Webring Remote File Include
  • Description: Joomla Webring is a Joomla component allowing users to submit web pages. It is affected by a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "$component_dir" parameter of the "admin.webring.docs.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19492/info

  • 06.33.64 - CVE: Not Available
  • Platform: Web Application
  • Title: XMB Langfilenew Local File Include
  • Description: XMB is a web forum application. It is vulnerable to a local file include issue due to insufficient sanitization of user-supplied input to the "memcp.php" script. XMB Forum version 1.9.6 Final is vulnerable.
  • Ref: http://retrogod.altervista.org/xmb_196_sql.html

  • 06.33.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Extreme Media Board MemCP.PHP Local File Include
  • Description: Extreme Media Board is a web-based forum application. It is vulnerable to a local file include issue due to insufficient sanitization of user-supplied input to the "memcp.php" script. Extreme Media Board version 1.96 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19501

  • 06.33.66 - CVE: Not Available
  • Platform: Web Application
  • Title: ProjectButler RootDIR Parameter Multiple Remote File Include Vulnerabilities
  • Description: ProjectButler is a PHP based project management application. It is prone to multiple remote file include vulnerabilities because the application fails to properly sanitize user-supplied input in the "rootdir" parameter of several scripts. Version 0.8.4 is reported as vulnerable.
  • Ref: http://www.securityfocus.com/bid/19503

  • 06.33.67 - CVE: Not Available
  • Platform: Web Application
  • Title: WP-DB Backup For Wordpress Edit.PHP Directory Traversal
  • Description: WP-DB Backup For Wordpress is a backup utility for Wordpress. It is prone to a directory traversal vulnerability because it fails to properly sanitize input to the "backup" parameter of the "edit.php" script. Versions 1.7 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19504

  • 06.33.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Peoplebook Component Param.PeopleBook.PHP Remote File Include
  • Description: PeopleBook is a Mambo component that manages contact information and is implemented in PHP. The Mambo PeopleBook component is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "param.peoplebook.php" script. Version 1.0 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19505

  • 06.33.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Email Publisher Help.MMP.PHP Remote File Include
  • Description: Mambo eMail Publisher is an email publishing component for the Mambo content management system; it is implemented in PHP. Mambo eMail Publisher is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "help.mmp.php" script. Version 1.2 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19502

  • 06.33.70 - CVE: Not Available
  • Platform: Network Device
  • Title: Netgear FVG318 Wireless Router Denial of Service
  • Description: Netgear FVG318 wireless routers are vulnerable to a remote denial of service when the device receives a flood of TCP packets with invalid checksums. Netgear FVG318 with version 1.0.40 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/442870

  • 06.33.71 - CVE: CVE-2006-0797
  • Platform: Hardware
  • Title: Nokia Browser HTML Denial of Service
  • Description: Nokia Browser is a web-browser application for phones, PDAs and other mobile devices manufactured by Nokia. It is prone to a denial of service vulnerability when handling malicious HTML files. In particular, this issue occurs when attempting to process a malicious JavaScript function embedded in an HTML file. The function includes a variable being filled with excessive amounts of Unicode characters until it is large enough to trigger the vulnerability.
  • Ref: http://www.securityfocus.com/archive/1/442990

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.