@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 34
August 28, 2006

Two more Internet Explorer vulnerabilities this week; one of them (#1) was created by a Microsoft Hotfix; the second (#2) is like others that have been widely exploited. Also of note are the more than 60 new web application vulnerabilities found this week; that's a rate of more than 2,500 web application vulnerabilities per year.

Call for Vulnerability and Assurance Experts: If you are an administrator/CSO/vulnerability researcher (or have a similar role) and are interested in contributing to this year's Top-20 Internet Security Vulnerabilities project, contact the project manager, Rohit Dhamankar (dhamankar@sans.org), with your name, the organization you represent, email and phone, and a brief description of your security specialty. At the end of this issue, you'll find a description of the Top20 project.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Windows                                   2 (#1, #2)
    Other Microsoft Products                  3 (#5)
    Third Party Windows Apps                  9 (#6, #9)
    Mac OS                                    2 (#8)
    Linux                                     3
    BSD                                       1 (#4)
    Solaris                                   4
    AIX                                       1
    Unix                                      2
    Novell                                    1 (#7)
    Cross Platform                            16 (#3, #10)
    Web Application - Cross Site Scripting    8
    Web Application - SQL Injection           11
    Web Application                           42 (#11)
    Network Device                            2
    Hardware                                  2

    (Numbers in parentheses refer to the Part I entries below.)

**************** Sponsored By Secure Computing Corporation **************

Do you know what's hiding in your encrypted traffic? Traditional firewalls and gateway anti-virus solutions can't scan encrypted SSL traffic. That means viruses and malware could be getting in, and confidential information could get out. http://www.sans.org/info.php?id=1322

*************************************************************************

How Good Are The Courses at SANS Network Security 2006? Ask the alumni.

++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines
++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA
++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - Larry Anderson, Computer Sciences Corp.
++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense

SANS' best instructors all come together at Network Security 2006 in Las Vegas, October 1-9: 37 immersion courses, a big exposition, free evening classes and much more. Early registration deadline is Friday, August 18. See: http://www.sans.org/ns2006/caag.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
BSD
Solaris
Aix
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************** Sponsored Links: *****************************

1) The Hack is Back! A New On-Demand Video/Companion Guide from Fiberlink. Advanced Hacking Techniques - Implications for a Mobile Workforce. http://www.sans.org/info.php?id=1323

2) FREE SANS Ask the Expert Webcast tomorrow, featuring Johannes Ullrich "The Disappearing Patch Windows" Tuesday, August 29 at 1:00 PM EDT (1700 UTC/GMT) https://www.sans.org/webcasts/show.php?webcastid=90737&ref=1324

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Microsoft Internet Explorer Compressed Page Remote Buffer Overflow
  • Affected:
    • Windows 2000 with MS06-042 hotfix
    • Windows XP SP1 with MS06-042 hotfix
  • Description: Microsoft Internet Explorer contains a remotely-exploitable buffer overflow. A specially-crafted compressed web page could exploit this buffer overflow and execute code with the privileges of the current user. This flaw was introduced along with the MS06-042 hotfix. Systems without this hotfix are not vulnerable. Technical details for this vulnerability are believed to be available. Note that Windows XP SP2 is not vulnerable.

  • Status: Microsoft confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding. One site has already pushed the patch and the other sites plan to deploy during their next maintenance window.

  • References:
  • (2) HIGH: Multiple Microsoft Internet Explorer COM Objects Instantiation Vulnerabilities
  • Affected:
    • Windows 2000
  • Description: Microsoft Internet Explorer reportedly contains heap-memory corruption vulnerabilities while instantiating certain COM objects as ActiveX controls. A specially-crafted web page that instantiates these COM objects could trigger the memory corruption, and potentially execute arbitrary code on a client system. Note that re-usable exploit code to leverage these flaws is publicly available. Flaws similar to these have been widely exploited in the past.

  • Status: Microsoft has not confirmed, no updates available. Users may be able to mitigate the impact of these vulnerabilities by disabling the components via Microsoft's "kill bit" mechanism for the following CLSIDs: "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}", "{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}", "{8E71888A-423F-11D2-876E-00A0C9082467}", "{606EF130-9852-11D3-97C6-0060084856D4}", "{F849164D-9863-11D3-97C6-0060084856D4}".

  • Council Site Actions: All council sites are waiting on additional information from the vendor. Several sites commented that they plan to deploy the patch during their next maintenance window.

  • References:
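
The kill-bit mitigation named in (2)'s status line, in a deployable form, as an added example (not TippingPoint's or Microsoft's code). The registry facts it relies on are documented in Microsoft KB240797: the kill bit is bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The function names and the .reg-file workflow (generate, import with reg.exe or Group Policy, re-export and audit) are this example's own; the five CLSIDs are the ones listed above.

```python
"""Kill-bit helper for the CLSIDs in advisory (2). Added example, not vendor code."""
import re
from typing import Dict, Iterable, List, Optional

# The five CLSIDs named in the advisory text above.
CLSIDS = [
    "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}",
    "{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}",
    "{8E71888A-423F-11D2-876E-00A0C9082467}",
    "{606EF130-9852-11D3-97C6-0060084856D4}",
    "{F849164D-9863-11D3-97C6-0060084856D4}",
]

# Kill bit: bit 0x400 of the "Compatibility Flags" DWORD under this key (Microsoft KB240797).
KILL_BIT = 0x00000400
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")


def normalize_clsid(clsid: str) -> str:
    """Upper-case and brace the CLSID; refuse anything that is not a well-formed GUID."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError(f"malformed CLSID: {clsid!r}")
    return c


def has_kill_bit(compat_flags: int) -> bool:
    return bool(compat_flags & KILL_BIT)


def reg_file_for(clsids: Iterable[str],
                 existing_flags: Optional[Dict[str, int]] = None) -> str:
    """Build a .reg file that sets the kill bit on each CLSID.

    `existing_flags` maps CLSID -> current Compatibility Flags value so that other
    compatibility bits already set on a control are preserved, not overwritten.
    """
    existing = {normalize_clsid(k): v for k, v in (existing_flags or {}).items()}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for raw in clsids:
        clsid = normalize_clsid(raw)
        flags = existing.get(clsid, 0) | KILL_BIT
        lines.append(f"[{ACTIVEX_COMPAT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
        lines.append("")
    return "\r\n".join(lines)


def parse_reg_flags(reg_text: str) -> Dict[str, int]:
    """Read Compatibility Flags per CLSID from a .reg export of the ActiveX Compatibility
    key (e.g. the output of: reg export "HKLM\\...\\ActiveX Compatibility" out.reg)."""
    flags: Dict[str, int] = {}
    current: Optional[str] = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            leaf = line[1:-1].rsplit("\\", 1)[-1].upper()
            current = leaf if CLSID_RE.match(leaf) else None
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags[current] = int(line.split("dword:", 1)[1], 16)
    return flags


def unmitigated(reg_text: str, clsids: Iterable[str]) -> List[str]:
    """CLSIDs from `clsids` whose kill bit is not set in the exported registry text."""
    flags = parse_reg_flags(reg_text)
    return [c for c in map(normalize_clsid, clsids) if not has_kill_bit(flags.get(c, 0))]


if __name__ == "__main__":
    print(reg_file_for(CLSIDS))
```

Import the generated file with reg.exe on a test machine first: a kill bit is only a mitigation for the browser path, and it breaks any legitimate page that uses the control, so check the affected applications before pushing it fleet-wide.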
  • (3) HIGH: Asterisk Multiple Remote Vulnerabilities
  • Affected:
    • Asterisk version 1.0.0 - 1.2.10
  • Description: Asterisk, a popular open source Voice-over-IP (VoIP) server, contains multiple remotely-exploitable vulnerabilities. The first vulnerability results from a failure to properly process "AUEP" (Audit Endpoint) MGCP response messages, and can result in remote code execution with the privileges of the Asterisk process. The second vulnerability results from the failure to validate the length of user-supplied variables when constructing a filename for the "Record()" function. If no user-controlled variables are used to construct the paths passed to this function, exploitation is not possible. The technical details for these vulnerabilities are publicly available.

  • Status: Asterisk confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) MODERATE: BSD-based Operating Systems In-Kernel PPP Buffer Overflows
  • Affected:
    • NetBSD versions 3.0 and prior
    • FreeBSD versions 6.1 and prior
  • Description: FreeBSD and NetBSD, two popular Unix-like operating systems based on the 4.4BSD-Lite code released by the University of California at Berkeley, contain a remotely-exploitable buffer overflow in their implementations of the Point-to-Point Protocol (PPP). By sending a specially-crafted Link Control Protocol packet to a vulnerable system, an attacker can cause an in-kernel buffer overflow and crash the target system. It is believed that arbitrary code execution with kernel privileges may be possible. As both FreeBSD and NetBSD are open source, technical details for this vulnerability are easily available by analyzing the fixed code. Note that systems must actively use PPP to be vulnerable.

  • Status: FreeBSD confirmed, updates available. NetBSD confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (5) UPDATE: Microsoft PowerPoint Remote Code Execution
  • Description: This issue was outlined in @RISK volume 5, number 33. It was unknown at that time whether the issue was a new 0-day vulnerability or related to the Microsoft issue patched on August 10th in Microsoft Security Bulletin MS06-012. According to new information from Microsoft, this issue has been patched by the Microsoft Security Bulletin MS06-012. Users who install the MS06-012 patch are not vulnerable to this exploit.

  • References:
Other Software
  • (6) CRITICAL: Alt-N MDaemon Remote Buffer Overflow
  • Affected:
    • Alt-N MDaemon version 9.05 and prior
  • Description: Alt-N MDaemon, a popular mail server solution for Microsoft Windows, contains a remotely-exploitable heap overflow. By sending a specially-crafted "USER" or "APOP" command to a vulnerable server, an attacker could exploit this heap overflow and execute arbitrary code with the privileges of the MDaemon process (possibly "SYSTEM"). Attackers would not need to be authenticated to exploit this vulnerability.

  • Status: Alt-N confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (7) HIGH: Novell Identity Manager Remote Command Injection
  • Affected:
    • Novell Identity Manager versions 3.0.x
  • Description: Novell Identity Manager, a comprehensive enterprise identity management solution, contains a remotely-exploitable command injection vulnerability. Failure to properly sanitize user profile information could allow an attacker to inject arbitrary Unix commands into shell scripts run by the Identity Manager. By default, the Identity Manager runs with root privileges. Attackers would need to have authenticated access and the ability to modify their profile information. Technical details and a simple proof of concept for this vulnerability are publicly available.

  • Status: Novell confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
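
The injection pattern described in (7), in a shape that can be checked offline, as an added example (not Novell's code): the `useradd` command, the profile fields and the attacker payload are assumptions standing in for whatever the Identity Manager driver scripts actually run. The shell-splitting helper shows what each command line would execute.

```python
"""Command injection through profile data, and two ways to close it.

Added example; the provisioning command, the profile fields and the payload are
assumptions for illustration, not Novell Identity Manager's own scripts.
"""
import shlex
from typing import List

# A constructed attacker value for the "full name" profile field: it closes the
# single quote the script wrapped it in, appends its own commands, and re-opens a
# quote so the rest of the line still parses.
INJECTED_NAME = "Alice'; cat /etc/shadow; echo '"


def shell_line_unsafe(full_name: str, login: str) -> str:
    """The vulnerable pattern: profile fields concatenated into a shell command line.
    Whatever the shell treats as syntax inside `full_name` (quotes, ;, |, $( ), backticks)
    becomes part of the command, and the script runs with the script's privileges."""
    return f"useradd -c '{full_name}' {login}"


def shell_line_quoted(full_name: str, login: str) -> str:
    """Fix 1, when a shell script cannot be avoided: shlex.quote turns each field into
    one shell word, so quotes and separators inside it are data, not syntax."""
    return f"useradd -c {shlex.quote(full_name)} {shlex.quote(login)}"


def argv_safe(full_name: str, login: str) -> List[str]:
    """Fix 2, preferred: pass the fields as discrete argv elements and execute without a
    shell (subprocess.run(argv_safe(...)) with the default shell=False), so nothing
    re-parses them."""
    return ["useradd", "-c", full_name, login]


def commands_in(line: str) -> List[List[str]]:
    """Split a command line the way a POSIX shell would, honouring quoting and treating
    ;  |  &  &&  ||  as command separators. Used here to show what each line would run."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in (";", "|", "&", "&&", "||"):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    print("unsafe :", commands_in(shell_line_unsafe(INJECTED_NAME, "alice")))
    print("quoted :", commands_in(shell_line_quoted(INJECTED_NAME, "alice")))
    print("argv   :", argv_safe(INJECTED_NAME, "alice"))
```

The unsafe line splits into three commands, the second of which is the attacker's; both fixes leave one command with the payload as an opaque argument. Quoting is the minimal patch for an existing script; dropping the shell entirely removes the parser that is being attacked.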
  • (8) HIGH: Apple Xsan Remote Buffer Overflow
  • Affected:
    • Apple Xsan versions 1.3 and prior
  • Description: Apple's Xsan, a popular enterprise-level storage and storage management solution, contains a remotely-exploitable buffer overflow. By sending a specially crafted request to an Xsan system, an authenticated attacker with write privileges could trigger this buffer overflow and execute arbitrary code with root privileges.

  • Status: Apple confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (9) MODERATE: WFTPD Remote Buffer Overflow
  • Affected:
    • WFTPD version 3.23 and possibly prior
  • Description: WFTPD, a popular FTP server application for Microsoft Windows, contains a remotely-exploitable buffer overflow. By sending an overlong SIZE command, an authenticated attacker could execute arbitrary code with the privileges of the WFTPD process. Note that many WFTPD servers are configured to allow anonymous access, which makes the authentication requirement moot on those systems. A proof-of-concept exploit for this vulnerability has been publicly posted.

  • Status: WFTPD has not confirmed, no updates available.

  • Council Site Actions: Only one of the council sites responded, and they are investigating whether anyone is using the software at their site.

  • References:
  • (10) MODERATE: Multiple Wireshark Protocol Dissector Vulnerabilities
  • Affected:
    • Wireshark versions 0.7.9 - 0.99.3
    • Note that Wireshark is the new name for the popular Ethereal network protocol analyzer.
  • Description: Wireshark, the continuation of the Ethereal network protocol analyzer line, contains multiple vulnerabilities in its protocol dissector modules. These modules are used to decode captured protocol information for presentation to the user. Several modules contain exploitable buffer overflows. By sending specially-crafted traffic to a network with an active Wireshark listener, or by sending a packet-capture file to be loaded into Wireshark, an attacker could execute arbitrary code with the privileges of the current user (often root). Note that, because Wireshark is open source, technical details for these vulnerabilities can easily be obtained by analyzing the fixed code.

  • Status: Wireshark confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (11) MODERATE: Zend Platform Multiple Remote Vulnerabilities
  • Affected:
    • Zend Platform version 2.2.1 and earlier
  • Description: Zend Platform, a popular PHP application platform, contains multiple remotely-exploitable vulnerabilities. The first vulnerability is due to a failure to properly validate user-supplied session data. By sending specially-crafted session data to a vulnerable server, an attacker can crash the server process. It is believed that remote code execution may be possible with the privileges of the Zend process. The second vulnerability is due to a failure to properly sanitize user-supplied input to the Zend disk storage module. By performing a standard directory-traversal attack against this module, an attacker can write session data anywhere in the server's filesystem that the Zend process can write to. The technical details for these vulnerabilities have been publicly posted.

  • Status: Zend confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
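
The traversal in (11)'s session storage, with the naive file-name construction beside a hardened one, as an added example (not Zend's code): the session-ID alphabet, the store layout and the attack strings are assumptions constructed for the example.

```python
"""Session-file placement: the traversal described above beside a hardened version.

Added example, not Zend's code. The session-ID alphabet, the store layout and the
attack strings are assumptions constructed for the example.
"""
import os
import re
import tempfile
from typing import Dict, List

# Opaque session IDs: a tight allow-list leaves no room for path syntax. Note
# fullmatch rather than match with '$': '$' would still accept "validid\n".
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{16,64}")

GOOD_ID = "a1b2c3d4e5f6a7b8c9d0"          # constructed valid ID
ATTACK_IDS = [                              # constructed malicious IDs
    "../../../etc/cron.d/evil",             # relative traversal out of the store
    "/etc/cron.d/evil",                     # absolute path: os.path.join discards the base
    "..\\..\\boot.ini",                     # escapes on Windows, a plain filename on POSIX
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",       # escapes if the caller URL-decodes first
    "abc\x00../../etc/passwd",              # NUL truncation in C-level path handling
    GOOD_ID + "\n",                         # trailing newline slips past a '$'-anchored regex
]


def naive_session_file_path(store_dir: str, sid: str) -> str:
    """The vulnerable pattern: the client-supplied ID goes straight into the file name."""
    return os.path.normpath(os.path.join(store_dir, sid))


def is_valid_session_id(sid: str) -> bool:
    return SESSION_ID_RE.fullmatch(sid) is not None


def session_file_path(store_dir: str, sid: str) -> str:
    """Hardened: allow-list the ID, then independently confirm the resolved path is still
    inside the store (defence in depth against symlinks or a later loosening of the list)."""
    if not is_valid_session_id(sid):
        raise ValueError("session id rejected: not in the allowed alphabet/length")
    base = os.path.realpath(store_dir)
    candidate = os.path.realpath(os.path.join(base, sid))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("session path escapes the store directory")
    return candidate


def accepted(store_dir: str, sid: str) -> bool:
    try:
        session_file_path(store_dir, sid)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, object]:
    """Run both versions against a throw-away store directory and report what each does."""
    store = os.path.realpath(tempfile.mkdtemp(prefix="sessdemo_"))
    inside = store + os.sep
    naive_escapes: List[str] = [a for a in ATTACK_IDS
                                if not naive_session_file_path(store, a).startswith(inside)]
    hardened_rejects: List[str] = [a for a in ATTACK_IDS if not accepted(store, a)]
    return {
        "naive_escapes": naive_escapes,
        "hardened_rejects": hardened_rejects,
        "hardened_accepts_valid": session_file_path(store, GOOD_ID).startswith(inside),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

On a POSIX host the naive version is escaped by the first two attack strings; the backslash and percent-encoded forms only escape when a Windows path layer or a URL-decoding step sits in front of it, which is why the hardened version rejects on the allow-list rather than on a list of known-bad substrings.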
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 34, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5144 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.34.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows 2000 Multiple COM Object Instantiation Code Execution Vulnerabilities
  • Description: Microsoft Windows 2000 is prone to multiple memory corruption vulnerabilities that are related to the instantiation of COM objects as ActiveX controls via Internet Explorer. This issue is similar to the one addressed by MS06-013. Internet Explorer version 6.0 SP1 is reported to be vulnerable on nearly all versions of Windows 2000.
  • Ref: http://www.securityfocus.com/bid/19636

  • 06.34.2 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Internet Explorer Multiple COM Object Color Property Denial of Service Vulnerabilities
  • Description: Microsoft Internet Explorer is prone to multiple denial of service vulnerabilities when instantiating multiple Visual Studio COM objects. This issue is triggered when attackers attempt to set the "Color" property of vulnerable COM objects.
  • Ref: http://www.securityfocus.com/archive/1/443907

  • 06.34.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer TSUserEX.DLL ActiveX Control Memory Corruption
  • Description: Internet Explorer is prone to a memory corruption vulnerability. This is related to the handling of the tsuserex.dll COM object ActiveX control, which results in the corruption of heap memory. See the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/19570

  • 06.34.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Visual Studio COM Object Instantiation Denial of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service issue when instantiating multiple Visual Studio COM objects. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/443499

  • 06.34.5 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer HTTP 1.1 and Compression Long URI Buffer Overflow
  • Description: Microsoft Internet Explorer is vulnerable to a remote buffer overflow when it processes HTML content containing overly long URIs that point to web sites using HTTP/1.1 with compression. This issue was introduced with the patches released in Microsoft Security Bulletin MS06-042. Internet Explorer 6 SP1 on Microsoft Windows 2000 and Windows XP SP1 is vulnerable.
  • Ref: http://www.microsoft.com/technet/security/advisory/923762.mspx

  • 06.34.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sony SonicStage Mastering Studio Buffer Overflow
  • Description: Sony SonicStage Mastering Studio is an application for recording music from tape or vinyl and writing it to recordable removable media. It is prone to a buffer overflow vulnerability because it fails to properly check user-supplied input. This issue can be exploited by a user importing a malformed SMP file. Versions 2.2.01 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19558

  • 06.34.7 - CVE: CVE-2006-4266
  • Platform: Third Party Windows Apps
  • Title: Norton Personal Firewall SuiteOwners Registry Key Security Bypass
  • Description: Norton Personal Firewall is vulnerable to a security bypass issue because a specific Norton registry key is not properly protected and allows for modification. Symantec Norton Personal Firewall 2006 versions 9.1.0.33 and earlier are vulnerable.
  • Ref: http://www.matousec.com/info/advisories/Norton-DLL-faking-via-SuiteOwners-protection-bypass.php

  • 06.34.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WFTPD Server Multiple Buffer Overflow Vulnerabilities
  • Description: WFTPD is an FTP server. It is vulnerable to multiple buffer overflow issues with various FTP commands. WFTPD version 3.23 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19617

  • 06.34.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WebAdmin Module for MDaemon Information Disclosure
  • Description: WebAdmin is a plug-in module for the MDaemon messaging and collaboration suite. It is prone to an information disclosure vulnerability because the application fails to sanitize user-supplied input. Versions 3.00 to 3.24 are reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/19620

  • 06.34.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WebAdmin Module for MDaemon Unspecified Privilege Escalation Vulnerability
  • Description: WebAdmin is a plug-in module for the MDaemon messaging and collaboration suite. It is vulnerable to an unspecified privilege escalation issue. WebAdmin versions 3.00 to 3.24 are vulnerable.
  • Ref: http://files.altn.com/WebAdmin/Release/RelNotes_en.txt

  • 06.34.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Symantec Enterprise Security Manager Denial of Service
  • Description: Symantec Enterprise Security Manager is a security assessment solution. A specially crafted invalid request can be sent to the manager server to simulate an ESM agent, which results in a denial of service condition. ESM Agent and Manager Platform versions 6.0-6.5x are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19580

  • 06.34.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Alt-N MDaemon Multiple Remote Pre-Authentication POP3 Buffer Overflow Vulnerabilities
  • Description: Alt-N MDaemon is a mailserver. It is exposed to multiple remote buffer overflow issues due to improper boundary checking. MDaemon versions 8 and 9 are affected.
  • Ref: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04

  • 06.34.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Trident Software PowerZip ZIP Archive Handling Buffer Overflow
  • Description: PowerZip is a compression utility capable of reading and writing files using zip and Bzip2 archival formats. PowerZip is prone to a remote buffer overflow vulnerability. The vulnerable code uses the "strcpy" function to store file names from a zip file into a finite sized memory buffer. Versions of PowerZip prior to 7.07 Build 3901 are vulnerable to this issue.
  • Ref: http://vuln.sg/powerzip706-en.html

  • 06.34.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SSH Tectia Windows Path Specification Privilege Escalation
  • Description: SSH Tectia is an administration, management and communication tool based on SSH Secure Shell and other SSH technology. Tectia is affected by a pathname parsing flaw during sub-process execution.
  • Ref: http://www.ssh.com/company/news/2006/english/security/article/775/

  • 06.34.15 - CVE: CVE-2006-3506
  • Platform: Mac Os
  • Title: Apple Xsan Filesystem Path Name Buffer Overflow
  • Description: Apple Xsan is an enterprise-class storage area network (SAN) filesystem for Mac OS X and Mac OS X Server. It is prone to a buffer overflow vulnerability that occurs in the filesystem driver when processing certain unspecified path names.
  • Ref: http://docs.info.apple.com/article.html?artnum=61798

  • 06.34.16 - CVE: Not Available
  • Platform: Mac Os
  • Title: Roxio Toast DejaVu Component PATH Variable Local Privilege Escalation
  • Description: Roxio Toast is a CD and DVD creator application for the Mac OS X operating system. Roxio Toast is prone to a local privilege escalation vulnerability. The vulnerability is due to insecure use of the "system()" function in the included setuid programs. Roxio Toast version 7 Titanium is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19596

  • 06.34.17 - CVE: CVE-2006-4093
  • Platform: Linux
  • Title: Linux Kernel PPC970 Systems Local Denial of Service
  • Description: The Linux kernel is vulnerable to a local denial of service issue. This is related to the "HID0 attention enable on PPC970 at boot time." Linux kernel versions 2.6.x before 2.6.17.9 and 2.4.x before 2.4.33.1 on PowerPC PPC970 systems are vulnerable.
  • Ref: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.9

  • 06.34.18 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Non-Hugemem Support Local Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability. This issue is due to a design error in the code which handles support for "non-hugemem" kernels. This vulnerability allows local users to cause a kernel panic, denying further service to legitimate users.
  • Ref: http://rhn.redhat.com/errata/RHSA-2006-0617.html

  • 06.34.19 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel direct-io.c Local Denial of Service
  • Description: The Linux kernel is prone to a local denial of service issue due to a design error in the direct I/O code ("direct-io.c"). Linux kernel 2.6 series prior to 2.6.10 is affected.
  • Ref: http://www.securityfocus.com/bid/19665

  • 06.34.20 - CVE: CVE-2006-4304
  • Platform: BSD
  • Title: NetBSD In-Kernel PPP Multiple Buffer Overflow Vulnerabilities
  • Description: NetBSD is vulnerable to multiple remote buffer overflow issues due to insufficient boundary checking on various PPP interfaces. See the advisory for further details.
  • Ref: http://www.freebsd.org/security/ http://www.securityfocus.com/bid/19684

  • 06.34.21 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris File System Management RBAC Profile Arbitrary Command Execution
  • Description: Solaris is prone to an arbitrary command execution vulnerability due to a flaw in the default RBAC (Role-Based Access Control) configuration associated with the "File System Management" profile.
  • Ref: http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102514-1

  • 06.34.22 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Format(1M) Local Privilege Escalation
  • Description: Sun Solaris is exposed to a local privilege escalation issue due to a flaw in the format(1M) command. Sun Solaris versions 9.0 and 8.0 are affected.
  • Ref: http://www.securityfocus.com/bid/19647/info

  • 06.34.23 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Format(1M) Buffer Overflow
  • Description: The format(1M) command in Sun Solaris is exposed to an arbitrary code execution issue due to improper boundary checking on data before it is copied into a fixed-size buffer. Sun Solaris versions 10.0 and earlier are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102519-1&searchclause=

  • 06.34.24 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris UCB/PS Command Local Information Disclosure
  • Description: Sun Solaris is prone to a local information disclosure vulnerability. This issue occurs because the "/usr/ucb/ps" command does not properly secure privileged information. The command may allow local unprivileged users the ability to see environment variables and their values for processes which belong to other users.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102215-1

  • 06.34.25 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX setlocale() Function Local Privilege Escalation Vulnerability
  • Description: IBM AIX is prone to a local privilege escalation vulnerability. Applications that call the setlocale() function can trigger this vulnerability provided that they run with the "setuid" or "setgid" bit set. Versions 5.1, 5.2, and 5.3 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19578

  • 06.34.26 - CVE: CVE-2006-4145
  • Platform: Unix
  • Title: Linux Kernel UDF Denial of Service
  • Description: The Linux kernel's Universal Disk Format (UDF) filesystem module is exposed to a denial of service because it fails to handle an error that arises when truncating specific files. Linux kernel versions 2.6.17.8 and earlier are affected.
  • Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.10

  • 06.34.27 - CVE: Not Available
  • Platform: Unix
  • Title: Linux Kernel SCTP_Make_Abort_User Function Buffer Overflow
  • Description: The Linux kernel is exposed to a remote buffer overflow issue due to the kernel's improper boundary checking on user-supplied data before copying it to an insufficiently sized memory buffer. Versions prior to 2.6.17.10 of the 2.6 series and versions prior to 2.4.33.2 of the 2.4 series are affected.
  • Ref: http://www.securityfocus.com/archive/1/444066

  • 06.34.28 - CVE: Not Available
  • Platform: Novell
  • Title: Novell Identity Manager Arbitrary Command Execution
  • Description: Novell Identity Manager is prone to an arbitrary command execution vulnerability, which is due to an input validation error that allows local attackers to execute shell commands. An attacker can supply arbitrary commands that use escape characters and have them executed by the "nxdrv" process, which runs with superuser privileges. Version 3.0 is reported to be vulnerable.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974299.htm

  • 06.34.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealVNC Clipboard Update Integer Overflow
  • Description: RealVNC (Virtual Network Computing) allows users to access remote computers. Insufficient sanitization in the "readClientCutText()" function of the "rfb/SMsgReader.cxx" file and the "readServerCutText()" function in the "rfb/CMsgReader.cxx" file exposes the application to an integer overflow issue.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2006-08/0550.html

  • 06.34.30 - CVE: CVE-2006-4227,CVE-2006-4226
  • Platform: Cross Platform
  • Title: MySQL Privilege Elevation and Security Bypass Vulnerabilities
  • Description: MySQL is prone to a privilege elevation issue and to a security bypass issue. A user who has access to a database, but who is not granted privileges to create new databases, can bypass this restriction using CREATE DATABASE. Separately, the server evaluates the arguments of SUID routines in the context of the definer instead of the caller. A user with privileges to call SUID routines may therefore be able to execute certain commands and code with the privileges of the definer, which can lead to privilege escalation. MySQL versions 5.0.24 and earlier are affected by these issues.
  • Ref: http://bugs.mysql.com/bug.php?id=17647 http://bugs.mysql.com/bug.php?id=18630

  • 06.34.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sony VAIO Media Integrated Server Unspecified Buffer Overflow
  • Description: Sony VAIO Media Integrated Server is a digital home entertainment system. It is affected by an unspecified buffer overflow issue because it fails to properly bounds check user-supplied input. Sony VAIO Media Integrated Server versions 4.x and 5.x are affected.
  • Ref: http://kb.sony-europe.com/kb/solutions/en/V00000_V00499/v00246.html

  • 06.34.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AOL Security Edition Local Privilege Escalation
  • Description: AOL Security Edition is affected by a local privilege escalation issue because of insecure default permissions associated with the "America Online 9.0" directory and all its child objects. The application grants the "Everyone" group "Full Control" permissions. AOL Security Edition version 9.0 is affected.
  • Ref: http://secunia.com/secunia_research/2006-8/advisory/

  • 06.34.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 Multiple Denial of Service Vulnerabilities
  • Description: DB2 Universal Database is affected by multiple denial of service vulnerabilities. The vulnerabilities occur when the application is processing an "ATTACH" or "CONNECT" command or after processing a "CONNECT" command.
  • Ref: http://www.securityfocus.com/bid/19586

  • 06.34.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Multiple Undefined Vulnerabilities
  • Description: PHP is prone to multiple undefined vulnerabilities. Successful exploits could allow an attacker to write files in unauthorized locations, cause a denial of service condition, and potentially execute code. These issues are reported to affect PHP versions 4.4.3 and 5.1.4; other versions may also be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19582

  • 06.34.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: honeyd ARP Packet Processing Denial of Service
  • Description: honeyd is honeypot software that simulates virtual hosts on IP addresses that are not in use. It is affected by a denial of service issue when the honeyd daemon processes malicious ARP packets. honeyd version 1.5b is affected.
  • Ref: http://www.securityfocus.com/bid/19614

  • 06.34.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache HTTP Server Arbitrary HTTP Request Headers Security Weakness
  • Description: Apache HTTP Server, and derivatives such as IBM HTTP Server, is prone to a cross-site scripting weakness in its handling of the HTTP Expect request header. When a request carries an Expect header with a value the server does not recognise, the server answers with a "417 Expectation Failed" error page that echoes the header value back into the HTML without sanitizing it, so an attacker who can cause a victim's client to send a crafted Expect header can inject script into that page. The issue resides in the "http_protocol.c" file.
  • Ref: http://rhn.redhat.com/errata/RHSA-2006-0619.html
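A quick way to tell whether a server you administer still echoes the Expect header unescaped is to send a request whose Expect value is an HTML marker and inspect the 417 page that comes back. The check below is an added example written for this issue, not code from Apache, IBM or Red Hat. The two responses are constructed samples (a real 417 page may be worded differently); only the presence of the marker, raw or entity-encoded, is examined. The function and constant names (build_probe, classify_expect_reflection, probe_server, PAYLOAD) are this example's own.

```python
"""Check whether an httpd 417 error page reflects the Expect header unescaped.

Added example: the responses below are constructed to illustrate the check
and are not captured from a real server.
"""
import socket
from html import escape

# Marker that an unpatched server would copy verbatim into its 417 page.
PAYLOAD = "<script>alert(document.domain)</script>"


def build_probe(host: str, path: str = "/", payload: str = PAYLOAD) -> bytes:
    """Raw HTTP/1.1 request carrying the marker in the Expect header.

    Any Expect value other than "100-continue" makes httpd answer 417, so
    the marker lands in the error page whatever the path is.
    """
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Expect: {payload}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("latin-1")


def classify_expect_reflection(raw_response: str, payload: str = PAYLOAD) -> str:
    """Return "unescaped" (marker came back as live HTML: vulnerable),
    "escaped" (marker came back entity-encoded: patched) or "absent"."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    try:
        status = int(status_line.split(" ")[1])
    except (IndexError, ValueError):
        return "absent"
    if status != 417:
        return "absent"          # no 417 page, so nothing was reflected
    if payload in body:
        return "unescaped"
    if escape(payload) in body:
        return "escaped"
    return "absent"


def probe_server(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe over a plain socket (only to hosts you own) and classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_expect_reflection(b"".join(chunks).decode("latin-1"))


# Constructed sample: an unpatched server copies the header straight into <pre>.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 417 Expectation Failed\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>417 Expectation Failed</title></head><body>"
    "<h1>Expectation Failed</h1><p>The expectation given in the Expect "
    "request-header field could not be met by this server.<br />The client "
    f"sent<pre>    Expect: {PAYLOAD}\n</pre>but we only support the "
    "100-continue expectation.</p></body></html>"
)

# Constructed sample: a patched server entity-encodes the header value.
PATCHED_RESPONSE = VULNERABLE_RESPONSE.replace(PAYLOAD, escape(PAYLOAD))


if __name__ == "__main__":
    print("sample (unpatched):", classify_expect_reflection(VULNERABLE_RESPONSE))
    print("sample (patched):  ", classify_expect_reflection(PATCHED_RESPONSE))
```

The raw socket is used on purpose: most HTTP client libraries either refuse a non-standard Expect value or handle the 417 themselves, and the point of the check is to see the error page exactly as a browser would.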

  • 06.34.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CGI-Rescue Mail F/W System Unspecified Email Header Injection
  • Description: CGI-Rescue Mail f/w is a common gateway interface. It is exposed to an unspecified email header injection issue due to insufficient sanitization of user-supplied input. Mail f/w version 8.2 is affected.
  • Ref: http://www.securityfocus.com/bid/19676

  • 06.34.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SSH Tectia Manager Agent Process Local Privilege Escalation
  • Description: SSH Tectia Manager is a management application that ensures ssh is running and controls its execution. It is vulnerable to a local privilege escalation issue when the management agent restarts a non-privileged process with superuser permissions. SSH Tectia Manager versions 2.1.2 and earlier are vulnerable.
  • Ref: http://www.ssh.com/company/news/2006/english/security/article/776/

  • 06.34.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox FTP Denial of Service
  • Description: Mozilla Firefox is prone to a denial of service vulnerability. The vulnerability is triggered when Mozilla Firefox connects to a malicious FTP site: after the connection is established, the server returns the response sequence "220 Z 331 Z 500 DoS 500 Z" to the browser, which causes the denial of service. Mozilla Firefox versions 1.5.0.6 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19678

  • 06.34.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk Multiple Remote Vulnerabilities
  • Description: Asterisk is a private branch exchange (PBX) application. It is exposed to remote buffer overflow, format string and directory traversal issues. Asterisk versions 1.2.10 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19683/info

  • 06.34.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CScope Cscope.Lists Multiple Buffer Overflow Vulnerabilities
  • Description: Cscope is a free C source code browsing and analysis tool. It is prone to multiple buffer overflow vulnerabilities. Cscope 15.x is affected by these vulnerabilities. Previous versions may be affected as well.
  • Ref: http://sourceforge.net/mailarchive/forum.php?thread_id=30266761&forum_id=33500

  • 06.34.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CScope Reffile Local Buffer Overflow
  • Description: Cscope is a C source code browsing and analysis tool. It is prone to a local buffer overflow vulnerability. The overflow occurs when the application parses command line arguments and is given a maliciously supplied, overly long "reffile" argument. Cscope 15.x is affected by this vulnerability.
  • Ref: http://www.securityfocus.com/bid/19687

  • 06.34.43 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wireshark Multiple Vulnerabilities
  • Description: Wireshark is an application for analyzing network traffic. It is exposed to multiple issues. Please refer to the link below for further details. Wireshark versions 0.99.2 and earlier are affected.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2006-02.html

  • 06.34.44 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ImageMagick XCF Image File Remote Unspecified Buffer Overflow
  • Description: ImageMagick is an image-editing suite that includes a library and command-line utilities supporting numerous image formats. It is prone to an unspecified remote buffer-overflow vulnerability that is due to either an integer-overflow or buffer-overflow flaw while attempting to decode XCF image files. Versions prior to 6.2.9-2 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19697

  • 06.34.45 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DieselScripts Job Site Forgot.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: Job Site is web forum software. It is affected by multiple cross-site scripting issues due to insufficient sanitization of the "uname" and "SEmail" parameters of the "forgot.php" script.
  • Ref: http://www.securityfocus.com/bid/19622

  • 06.34.46 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DieselScripts DieselPay Index.PHP Cross-Site Scripting
  • Description: DieselPay is a script designed to accept online payments. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "read" parameter of the "index.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19623

  • 06.34.47 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DieselScripts Diesel Paid Mail Getad.PHP Cross-Site Scripting
  • Description: Paid Mail is a script designed for paid advertisement (email and banners). It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "ps" parameter of the "getad.php" script. All versions are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/443929

  • 06.34.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CloudNine Internet Solutions Multiple Cross-Site Scripting Vulnerabilities
  • Description: CloudNine Internet Solutions Links Manager is affected by multiple cross-site scripting issues due to insufficient sanitization of user-supplied input in the "add_url.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19650

  • 06.34.49 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CityForFree Indexcity Cross-Site Scripting
  • Description: CityForFree Indexcity is a small application for link index script creation. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "url" parameter of the "add_url2.php" script. CityForFree Indexcity version 1.0 is vulnerable.
  • Ref: http://evuln.com/vulns/135/summary.html

  • 06.34.50 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TikiWiki Highlight Cross-Site Scripting
  • Description: TikiWiki is a Web wiki application. The "highlight" parameter of the "tiki-searchindex.php" script is not properly sanitized and may be used to perform cross-site scripting attacks. Versions 1.9.4 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19654

  • 06.34.51 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal E-commerce Module Multiple Cross-Site Scripting Vulnerabilities
  • Description: The Drupal E-commerce Module is a component of the Drupal CMS. It is affected by multiple cross-site scripting issues due to insufficient sanitization of user-supplied input. Versions of the module for Drupal 4.7 prior to revision 1.37.2.4 are affected.
  • Ref: http://www.securityfocus.com/bid/19675

  • 06.34.52 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP iAddressBook cat_name HTML Injection
  • Description: PHP iAddressBook is an online address book implemented in PHP. PHP iAddressBook is prone to an HTML injection vulnerability. Versions 0.94 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19698

  • 06.34.53 - CVE: CVE-2006-4238
  • Platform: Web Application - SQL Injection
  • Title: WTCom Web Torrent SQL Injection
  • Description: Web Torrent is a torrent publisher and sharing application implemented in PHP. It is vulnerable to an SQL injection vulnerability. The "cat" parameter sent to "torrent.php" is not properly sanitized and can give access to usernames, passwords, and email addresses. Version 0.2.4-alpha and all previous versions of Web Torrent are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19569

  • 06.34.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: XennoBB Icon_Topic SQL Injection
  • Description: XennoBB is a web-based bulletin board. Insufficient sanitization of the "icon_topic" parameter of the "topic_post.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19606

  • 06.34.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: LBlog Comments.ASP SQL Injection
  • Description: LBlog is a web-based blogging application. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "id" parameter of the "comments.asp" script. LBlog versions 1.05 and earlier are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/19607

  • 06.34.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: 8Pixel.net SimpleBlog Comments.ASP SQL Injection
  • Description: SimpleBlog is affected by an SQL injection issue due to insufficient sanitization of the "id" parameter of the "comments.asp" script. SimpleBlog version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19609

  • 06.34.57 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Plume CMS Multiple Remote File Include Vulnerabilities
  • Description: Plume CMS is a CMS for managing dynamic web content, blogs and customer forums. It is exposed to multiple remote file include vulnerabilities due to insufficient sanitization of user-supplied input to the "_PX_config[manager_path]" parameter of various scripts. Plume CMS versions 1.0.6 and 1.04 are affected.
  • Ref: http://www.securityfocus.com/bid/19629

  • 06.34.58 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: OSCommerce Shopping_cart.PHP SQL Injection
  • Description: OSCommerce is a web-based ecommerce application. It is exposed to an SQL injection issue due to improper sanitization of user-supplied input to unspecified parameters of the "shopping_cart.php" script. OSCommerce version 2.2 ms2 is affected.
  • Ref: http://forums.oscommerce.com/index.php?showtopic=223556

  • 06.34.59 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CloudNine Internet Solutions Links Manager SQL Injection
  • Description: Links Manager is prone to an SQL injection vulnerability. This issue is due to improper sanitization of user-supplied input to the "nick" parameter of the "admin.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19649

  • 06.34.60 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CityForFree Indexcity List.PHP SQL Injection
  • Description: CityForFree Indexcity is a small application for link index script creation. It is exposed to an SQL injection issue due to insufficient sanitization of user-supplied input to the "cate_id" parameter of the "list.php" script. CityForFree indexcity version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19653

  • 06.34.61 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: JIRAN Cool Messenger SQL Injection
  • Description: Cool Messenger is a messaging server that is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "username" parameter supplied to "Cool_CoolD.exe". Cool Messenger 5.5 (5,65,12,12) and Cool Manager 5.0 (5,60,90,27) are vulnerable to this issue.
  • Ref: http://vuln.sg/coolmessenger55-en.html

  • 06.34.62 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Drupal Easylinks Module Unspecified SQL Injection
  • Description: Drupal Easylinks is a module that provides an easy to use link suggestion feature to site visitors and registered users. It is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to an unspecified parameter and script. Versions of the Easylinks module for Drupal 4.7 older than revision "easylinks.module,v 1.5.2.1 2006/08/19 12:02:27" are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/19673

  • 06.34.63 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: All Topics phpBB module SQL Injection
  • Description: All Topics is a module for phpBB which is used to display all of the topic names on a bulletin board. All Topics is affected by an SQL injection vulnerability. Version 1.5.0 and all previous versions of All Topics are affected.
  • Ref: http://www.securityfocus.com/bid/19682

  • 06.34.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Reporter Mambo Component Reporter.sql.PHP Remote File Include
  • Description: Reporter Mambo is an SQL database interaction and data display component for the Mambo CMS. Insufficient sanitization of the "mosConfig_absolute_path" parameter of the "reporter.sql.php" script exposes the component to a remote file include issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/443373

  • 06.34.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla Z00m Media Gallery Component mosConfig_absolute_path Remote File Include
  • Description: Z00m Media Gallery is a third party multimedia gallery component to extend Joomla. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" variable in various scripts. Z00m Media Gallery versions 2.5.1 RC2 and 2.5.1 RC1 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19601

  • 06.34.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo AkoComment Module mosConfig_absolute_path Remote File Include
  • Description: AkoComment is a comment system module for Mambo. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" variable of the "akocomments.php" script.
  • Ref: http://www.securityfocus.com/bid/19602

  • 06.34.67 - CVE: CVE-2006-4322, CVE-2006-4321
  • Platform: Web Application
  • Title: Mambo CatalogShop Component mosConfig_absolute_path Remote File Include
  • Description: CatalogShop is a third-party e-commerce component for Mambo. The application is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" variable of the "catalogshop.php" script.
  • Ref: http://www.securityfocus.com/archive/1/443758

  • 06.34.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo CropImage Component mosConfig_absolute_path Remote File Include
  • Description: CropImage is a third party component for Mambo that provides dynamic resizing of images. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" variable of the "admin.cropcanvas.php" script.
  • Ref: http://www.securityfocus.com/bid/19605

  • 06.34.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Sonium Enterprise Address book Multiple Remote File Include Vulnerabilities
  • Description: Sonium Enterprise Address book is prone to multiple remote file include vulnerabilities because it fails to properly sanitize user-supplied input to the "folder" parameters of multiple scripts. Version 0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19597

  • 06.34.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Owl Intranet Engine Multiple Vulnerabilities
  • Description: Owl Intranet Engine is a web-based multi-user document repository. It is affected by multiple cross-site scripting and SQL injection issues due to insufficient sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/19552

  • 06.34.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Sony VAIO Media Integrated Server Unspecified Directory Traversal
  • Description: Sony VAIO Media Integrated Server is a digital home entertainment system. It is prone to an unspecified directory traversal vulnerability due to improper sanitization of user-supplied input.
  • Ref: http://www.securityfocus.com/bid/19560

  • 06.34.72 - CVE: CVE-2006-4268, CVE-2006-4267
  • Platform: Web Application
  • Title: CubeCart Multiple Input Validation Vulnerabilities
  • Description: CubeCart is a shopping cart application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. CubeCart versions 3.0.11 and earlier are vulnerable.
  • Ref: http://retrogod.altervista.org/cubecart_3011_adv.html

  • 06.34.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Powergap Multiple Remote File Include Vulnerabilities
  • Description: Powergap is an e-commerce application. Insufficient sanitization of the "shopid" and "sid" parameters expose the application to multiple remote file include vulnerabilities.
  • Ref: http://www.securityfocus.com/bid/19565

  • 06.34.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Invisionix Roaming System Remote Pageheaderdefault.Inc.PHP Remote File Include
  • Description: Invisionix Roaming System Remote is a PHP-based meta-system which provides its users with a personal PC capability that operates in a distributed WAN environment. It fails to properly sanitize user-supplied input to the "SysSessionPath" parameter of the "pageheaderdefault.class.php" script. Versions 0.2 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19567

  • 06.34.75 - CVE: Not Available
  • Platform: Web Application
  • Title: MambelFish Mambo Component Mambelfish.Class.PHP Remote File Include
  • Description: MambelFish is a multilingual support component for the Mambo content management system. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "mambelfish.class.php" script. MambelFish versions 1.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19574

  • 06.34.76 - CVE: CVE-2006-4242
  • Platform: Web Application
  • Title: Mambo JIM Component Install.Jim.PHP Remote File Include
  • Description: JIM is a private messaging plugin for the Mambo and Joomla content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "install.jim.php" script. JIM version 1.01 is vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/3313

  • 06.34.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Blog:CMS Dir_Plugins Parameter Multiple Remote File Include Vulnerabilities
  • Description: Blog:CMS is affected by multiple file include issues due to insufficient sanitization of user-supplied input. Blog:CMS version 4.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19552

  • 06.34.78 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo a6MamboCredits Component Remote File Include
  • Description: a6MamboCredits is a plugin for the Mambo content management system. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "admin.a6mambocredits.php" script. Versions 1.0.0 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19581

  • 06.34.79 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo LMTG Myhomepage Component Multiple Remote File Include Vulnerabilities
  • Description: lmtg_myhomepage is a Web development tool for the Mambo content management system. It is exposed to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "install.lmtg_homepage.php" and the "mtg_homepage.php" scripts. Mambo version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/19584

  • 06.34.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla X-shop Remote File Include
  • Description: Joomla x-shop is an e-commerce application implemented in PHP. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter of "admin.x-shop.php". Versions 1.7 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19588

  • 06.34.81 - CVE: Not Available
  • Platform: Web Application
  • Title: PHlyMail Lite Mod.Listmail.PHP Remote File Include
  • Description: PHlyMail is a web-based e-mail application implemented in PHP. PHlyMail is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "_PM_[path][handler]" parameter of the "mod.listmail.php" script. This issue affects PHlyMail versions 3.4.4 and prior.
  • Ref: http://www.securityfocus.com/bid/19587

  • 06.34.82 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla Kochsuite Component mosConfig_absolute_path Remote File Include
  • Description: Kochsuite is a recipe publishing component for Joomla. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" variable of the "config.kochsuite.php" script. Version 0.9.4 of Kochsuite is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19590

  • 06.34.83 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Phphop Multiple Remote File Include Vulnerabilities
  • Description: The Mambo-phphop Product Scroller component is an e-commerce tool for the Mambo content management system. Insufficient sanitization of user-supplied input exposes the application to multiple file include issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/443623

  • 06.34.84 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla Poll Component Multiple User Session Validation Vulnerabilities
  • Description: Joomla poll component is a voting component for the Joomla content management system. It is exposed to multiple user-session validation issues that reside in the "PollAddVote()" and "initSession()" functions. Joomla version 1.0.10 is affected.
  • Ref: http://www.securityfocus.com/bid/19592

  • 06.34.85 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Rssxt Component MosConfig_absolute_path Multiple Remote File Include Vulnerabilities
  • Description: The Mambo Rssxt is an RSS site content format for the Mambo and Joomla content management systems. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to various scripts. Mambo Rssxt version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/443628

  • 06.34.86 - CVE: Not Available
  • Platform: Web Application
  • Title: MamboWiki Component MamboLogin.PHP Remote File Include
  • Description: MamboWiki is a wiki for the Mambo and Joomla content management systems. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "IP" parameter of the "MamboLogin.php" script. Versions 0.9.4 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19594

  • 06.34.87 - CVE: Not Available
  • Platform: Web Application
  • Title: Coppermine Gallery Component for Mambo cpg.PHP Remote File Include
  • Description: Coppermine Gallery for Mambo is a web-based photo gallery implemented in PHP. It fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" variable of the "cpg.php" script. Version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19589

  • 06.34.88 - CVE: Not Available
  • Platform: Web Application
  • Title: Tutti Nova Multiple Remote File Include Vulnerabilities
  • Description: Tutti Nova is a web-based news management application implemented in PHP. It fails to sanitize input for multiple parameters of several scripts. Version 1.6 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19612

  • 06.34.89 - CVE: Not Available
  • Platform: Web Application
  • Title: Fantastic Scripts Fantastic News Remote File Include
  • Description: Fantastic News is a news reader application written in PHP. The application is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "CONFIG[script_path]" parameter in the "news.php" script. Fantastic News version 2.1.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19613

  • 06.34.90 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo BigAPE-Backup Component Remote File Include
  • Description: BigAPE-Backup is a component for the Mambo content management system. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "components/com_babackup/classes/Tar.php" script. Versions 1.x and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19616

  • 06.34.91 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPCodeGenie Core.PHP Remote File Include
  • Description: PHPCodeGenie is a code generator for PHP and MySQL; implemented in PHP. It fails to properly sanitize user-supplied input to the "BEAUT_PATH" parameter in the "core.php" script. Version 3.0.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19618

  • 06.34.92 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Display MOSBot Manager Component mosConfig_absolute_path Remote File Include
  • Description: Display MOSBot Manager is a third party component for Mambo that provides management tools for Display Mosbot. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" variable of the "toolbar.admin-copy_module.php" and "admin.admin-copy_module.php" scripts.
  • Ref: http://www.securityfocus.com/bid/19621

  • 06.34.93 - CVE: CVE-2006-3337
  • Platform: Web Application
  • Title: cPanel Multiple Cross-Site Scripting Vulnerabilities
  • Description: cPanel is a web hosting control panel. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various scripts. cPanel versions 10.8.2-118 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19624

  • 06.34.94 - CVE: CVE-2006-4322
  • Platform: Web Application
  • Title: Mambo EstateAgent Component mosConfig_absolute_path Remote File Include
  • Description: EstateAgent is a third party component for Mambo and Joomla. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" variable of the "estateagent.php" script. EstateAgent version 1.0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/443911

  • 06.34.95 - CVE: Not Available
  • Platform: Web Application
  • Title: Eichhorn Portal Multiple Input Validation Vulnerabilities
  • Description: Eichhorn Portal is a web portal application implemented in PHP. Eichhorn Portal is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/444065

  • 06.34.96 - CVE: Not Available
  • Platform: Web Application
  • Title: PHProjekt Content Management Module Multiple Remote File Include Vulnerabilities
  • Description: PHProjekt is an open source PHP Groupware package. Multiple remote file include vulnerabilities affect the Content Management module for PHProjekt because the application fails to properly sanitize user-supplied input to the "path_pre" parameter of the "cm_navigation-33.inc.php", "cm_navigation.inc.php" and "cm_summary.inc.php" scripts. These issues affect version 0.6.1.
  • Ref: http://www.securityfocus.com/bid/19628

  • 06.34.97 - CVE: Not Available
  • Platform: Web Application
  • Title: DieselScript Smart Traffic Index.PHP Remote File Include
  • Description: Smart Traffic is a script that monitors traffic. Insufficient sanitization of the "src" parameter of the "index.php" script exposes the application to a remote file include issue.
  • Ref: http://www.securityfocus.com/bid/19630

  • 06.34.98 - CVE: Not Available
  • Platform: Web Application
  • Title: Woltlab Burning Board Attachment.php HTML Injection
  • Description: Woltlab Burning Board is prone to an HTML injection vulnerability. This issue occurs because of improper sanitization of user-supplied input to the "attachment.php" script. Version 2.3.5 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19639

  • 06.34.99 - CVE: Not Available
  • Platform: Web Application
  • Title: Business Management Systems Dolphin Remote File Include
  • Description: Business Management Systems Dolphin is a web-based accounting system. The application is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "dir[inc]" parameter of the "templates/tmpl_dfl/scripts/index.php" script. Version 5.2 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19648

  • 06.34.100 - CVE: Not Available
  • Platform: Web Application
  • Title: Empire CMS Checklevel.PHP Remote File Include
  • Description: Empire CMS is a web-based content management system implemented in PHP. The application is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "check_path" parameter of the "checklevel.php" script. Versions 3.7 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19655

  • 06.34.101 - CVE: Not Available
  • Platform: Web Application
  • Title: Doika Guestbook GBook.PHP HTML Injection
  • Description: Doika Guestbook is a guest book application. It is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input to the "page" parameter of the "gbook.php" script. Version 2.5 of Doika Guestbook is affected by this issue.
  • Ref: http://www.securityfocus.com/bid/19656

  • 06.34.102 - CVE: Not Available
  • Platform: Web Application
  • Title: RedBlog Index.PHP Remote File Include
  • Description: RedBlog is affected by a remote file include issue due to insufficient sanitization of the "root_path" parameter of the "index.php" script. RedBlog version 0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/19658

  • 06.34.103 - CVE: Not Available
  • Platform: Web Application
  • Title: Headline Portal Engine HPEInc Parameter Multiple Remote File Include Vulnerabilities
  • Description: Headline Portal Engine is a news reader application written in PHP. It fails to properly sanitize user-supplied input to the "HPEinc" parameter before using it in a PHP "include()" function call. Versions 0.7 and earlier are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19663

  • 06.34.104 - CVE: Not Available
  • Platform: Web Application
  • Title: VistaBB Multiple Remote File Include Vulnerabilities
  • Description: VistaBB is a bulletin board application written in PHP. Multiple remote file include vulnerabilities affect VistaBB because the application fails to properly sanitize user-supplied input before using it in a PHP "include()" function call. These issues affect version 2.0.33.
  • Ref: http://www.nukedx.com/?viewdoc=48

  • 06.34.105 - CVE: Not Available
  • Platform: Web Application
  • Title: Integramod Portal Remote File Include
  • Description: Integramod Portal is affected by a remote file include issue due to insufficient sanitization of user-supplied input before it is used in a PHP "include()" function call. Integramod Portal versions 2.x are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19689

  • 06.34.106 - CVE: Not Available
  • Platform: Network Device
  • Title: AK-Systems Windows Terminals Remote Unauthorized Administrative Access
  • Description: AK-Systems Windows Terminals are thin-client devices capable of remote Citrix and RDP (Remote Desktop Protocol) access to servers. They are vulnerable to a remote unauthorized administrative access issue because the devices do not require authentication for remote administrative access. Devices with firmware version 1.2.5 ExVLP are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19659

  • 06.34.107 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco VPN 3000 Concentrator FTP Arbitrary File Access
  • Description: Cisco VPN 3000 concentrator products provide Virtual Private Network (VPN) services to remote users. Due to two unspecified vulnerabilities when FTP is enabled as a file management protocol, several commands may be used by unauthorized attackers. Please refer to the advisory for vulnerable versions.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080718330.shtml

  • 06.34.108 - CVE: Not Available
  • Platform: Hardware
  • Title: 2wire Modems and Routers CRLF Denial of Service
  • Description: 2wire Modems and Routers are exposed to a remote denial of service issue. This issue occurs when the device processes a malformed HTTP GET request containing invalid carriage return (CR) and line feed (LF) characters. Please refer to the link below for further details.
  • Ref: http://www.securityfocus.com/archive/1/443906

  • 06.34.109 - CVE: Not Available
  • Platform: Hardware
  • Title: Cisco Multiple Firewall Appliances Authentication Bypass
  • Description: Multiple Cisco Firewall appliances are prone to an authentication bypass issue when passwords are set using the commands "passwd", "username" or "enable password". Please see the referenced advisory for details.
  • Ref: http://www.securityfocus.com/bid/19681

SANS CRITICAL INTERNET THREATS 2006 =====================================

SANS Critical Internet Threats research is undertaken annually and provides the basis for the SANS "Top-20" report. The "Top-20" report describes the most serious internet security threats in detail, and provides the steps to identify and mitigate these threats.

The "Top-20" began its life as a research study undertaken jointly between the SANS Institute and the National Infrastructure Protection Centre (NIPC) at the FBI. Today thousands of organizations from all spheres of industry are using the "Top-20" as a definitive list to prioritize their security efforts.

The 2006 Top-20 will once again create the experts' consensus on threats: the result of a process that brings together security experts, leaders, researchers and visionaries from the most security-conscious federal agencies in the US, UK and around the world; the leading security software vendors and consulting firms; the university-based security programs; many other user organizations; and the SANS Institute.

For reference, a copy of the 2005 paper is available online: http://www.sans.org/top20.htm. A list of participants may be found in the Appendix.

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.