@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 35
September 4, 2006

A light week for vulnerabilities.

Don't forget that Friday is the final day for early registration for SANS Network Security 2006, Las Vegas, with 20 different immersion tracks. http://www.sans.org/ns2006/caag.php

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                   # of Updates & Vulnerabilities
    Other Microsoft Products                   1 (#2, #7)
    Third Party Windows Apps                   2
    Linux                                      1
    HP-UX                                      1
    BSD                                        2
    Solaris                                    1
    Aix                                        2
    Unix                                       1
    Cross Platform                             11 (#1, #5)
    Web Application - Cross Site Scripting     9
    Web Application - SQL Injection            12
    Web Application                            38 (#3, #4)
    Hardware                                   1 (#6)

******* Sponsored By Process Control & SCADA Security Summit **********

Don't miss this unique opportunity to hear fresh approaches to improving SCADA and control system security that can be implemented now at the SCADA Security Summit in Las Vegas on September 28 - 30. http://www.sans.org/info.php?id=1330

What previous attendees said about the program:

"It didn't just concentrate on the problems; it focused on finding the solutions." (Tracy Pettit, Nebraska Public Power District)

"Real world, hands-on, hit the ground running focus with instant payback." (Jeff Bryner, Portland General Electric)

"It was refreshing to get away from all the 'chicken little' stuff and take a step closer to reality. It is good to know that not all the myths are true and that there are potential and viable solutions that can and apparently are working." (Kimberly Lee, US Department of Defense)

"I am an IT director overseeing many control systems. The Summit helped me understand the challenges that lay ahead and the actions I can take to secure these systems as we link them into our corporate LAN." (Chuck La Fleur, Georgia Tech)

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
HP-UX
BSD
Solaris
Aix
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Hardware
PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: SAP-DB/MySQL MaxDB WebDBM Remote Buffer Overflow
  • Affected:
    • SAP-DB/MySQL MaxDB versions 7.6.00.33 and prior
  • Description: SAP-DB/MaxDB is a popular open source enterprise database server. The WebDBM component, used to manage the database via a web interface, contains a remotely-exploitable buffer overflow. By sending a specially-crafted request to the WebDBM ("wahttp") process containing an overlong database name, an unauthenticated attacker could exploit this buffer overflow and execute arbitrary code with the privileges of the database server process. Note that attackers would need to have access to the WebDBM web interface to exploit this vulnerability.

  • Status: SAP and MySQL confirmed, updates available. A workaround is to block access to the TCP port used by WebDBM (typically 9999/tcp or 85/tcp).

  • Council Site Actions: Only two council sites are investigating this issue. One site has sent the information to their SAP engineers and the other site is still in the process of investigating their risk level.

  • References:
  • (2) MODERATE: Microsoft Internet Explorer "DirectAnimation" Remote Integer Overflow
  • Affected:
    • Microsoft Windows 2000 SP4
    • Microsoft Windows XP SP2
    • Microsoft Windows 2003 SP1
    • Other versions of Windows may also be vulnerable.
  • Description: Microsoft Internet Explorer contains a remotely exploitable integer overflow when interacting with the "DirectAnimation.PathControl" ActiveX component. By passing a specially-crafted argument to the "Spline" method of this ActiveX control, an attacker could trigger this integer overflow and create a denial-of-service condition. It is believed that remote code execution may be possible, but this has not been confirmed. Note that technical details for this vulnerability have been publicly posted, and that re-usable exploit code to leverage this flaw is publicly available. Flaws similar to this one have been widely exploited in the past.

  • Status: Microsoft has not confirmed, no updates available. Note that users may be able to mitigate the impact of this vulnerability by disabling this component via Microsoft's "kill bit" mechanism for CLSID "{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}".

  • Council Site Actions: All of the reporting council sites are waiting for additional information and a patch from the vendor. One site is in the process of checking whether their configuration has the kill bit set.

  • References:
  • (3) LOW: Lyris ListManager Privilege Escalation
  • Affected:
    • Lyris ListManager version 8.95 and prior
  • Description: Lyris ListManager, a popular application for managing email lists and discussion groups, contains a remotely-exploitable privilege-escalation vulnerability. By sending a specially-crafted request to the management interface, an attacker with administrative privileges for one mailing list may add arbitrary users as administrators to other mailing lists. Note that technical details and a simple proof-of-concept for this vulnerability have been publicly posted.

  • Status: Lyris has not confirmed, no updates available. Web hosting providers that offer this software and have multiple domains hosted on a single machine should upgrade immediately.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Other Software
  • (5) HIGH: Compression Plus Library Remote Buffer Overflow
  • Affected:
    • Any application that loads this library and uses it to process ZOO archives is vulnerable. The following products are known to use this library:
      • Compression Plus
      • Tumbleweed EMF
      • PowerDesk Pro
      • Drag and Zip
      • Power File
  • Description: The Compression Plus library, a popular library used to handle a variety of data compression schemes, contains a remotely-exploitable buffer overflow. A specially-crafted ZOO archive file could trigger this buffer overflow and execute arbitrary code with the privileges of the application using the library. Note that ZOO is no longer a widely-used compression algorithm. Technical details for this vulnerability have been publicly posted.

  • Status: Vendor confirmed, updates available. Note that individual applications may continue to use vulnerable versions of the library.

  • Council Site Actions: Only one of the responding council sites is using the affected software. They are in the process of checking with their anti-virus and IPS admins for updated definitions.

  • References:
  • (6) LOW: Fuji Xerox Printing Systems Multiple Vulnerabilities
  • Affected:
    • Fuji Xerox Printing Systems print engine embedded in multiple printers
  • Description: The Fuji Xerox Printing Systems print engine contains multiple remotely-exploitable vulnerabilities. The first vulnerability is due to the engine's failure to properly validate FTP PORT commands. Attackers who could access the engine's FTP printing interface could cause the engine to make arbitrary connections to other systems, allowing the attacker to mask the true source of attacks. The second vulnerability is due to the engine's failure to validate permissions on the web administration interface. Attackers with access to this interface could reset the engine's administrative password.

  • Status: FXPS confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 35, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5151 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.35.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer COM Object Instantiation Daxctle.OCX Heap Buffer Overflow
  • Description: Microsoft Internet Explorer is vulnerable to a heap buffer overflow issue due to the way it tries to instantiate certain COM objects as ActiveX controls. In particular, when the first parameter of the "DirectAnimation.PathControl" COM object is set to 0xffffffff, an invalid memory write occurs. See the advisory for further details.
  • Ref: http://www.securityfocus.com/archive/1/444504

  • 06.35.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Cisco NAC Agent Installation Security Bypass
  • Description: The Cisco NAC Agent is a Cisco application which enforces security policy compliance on devices seeking to access network computing resources. It is vulnerable to a security bypass issue due to a design error. A malicious user could use a custom HTTPS client application and a specially modified version of the TCP/IP stack to bypass the Cisco NAC Agent's policies. Cisco Clean Access (CCA) versions 3.6.4.0.1 and earlier are vulnerable.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sr-20060826-nac.shtml

  • 06.35.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: VMWare ActiveX Control Buffer Overflow
  • Description: An ActiveX control distributed with VMWare is prone to a buffer overflow vulnerability. An attacker can trigger this issue by supplying large amounts of data to the "Initialize" method of the class with the "F76E4799-379B-4362-BCC4-68B753D10744" class ID. VMWare version 5.5.1 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19732

  • 06.35.4 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel ELF File Cross Region Mapping Local Denial of Service
  • Description: The Linux kernel is vulnerable to a local denial of service issue when malformed ELF executable files are executed: a flaw in the cross-region mapping code causes a kernel crash. Linux kernel versions prior to 2.6.17.11 on IA64 and SPARC platforms are vulnerable.
  • Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.11

  • 06.35.5 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP OpenVMS Local Password Disclosure
  • Description: OpenVMS is a mainframe-like operating system. It is exposed to a local password disclosure issue. This issue arises in the "SYS$LOADABLE_IMAGES:NET$SESSION_CONTROL" module. OpenVMS version ALPHA V7.3-2 is affected.
  • Ref: http://www.securityfocus.com/bid/19783/references

  • 06.35.6 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD ISAKMPD IPsec Replay
  • Description: IPsec is a suite of network security protocols. OpenBSD's IPsec implementation is susceptible to remote replay attacks due to a flaw in the "ipsec_proto_init()" function in the "sbin/isakmpd/ipsec.c" source file, which may allow an attacker to replay traffic. OpenBSD versions 3.8 and 3.9 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19712

  • 06.35.7 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD Semaphore Allocation Denial of Service
  • Description: OpenBSD is susceptible to a local denial of service vulnerability. This issue is due to a flaw in affected kernels that results in a kernel crash when attempting to allocate more than a predefined number of semaphores. This issue allows local attackers to crash affected kernels, denying further service to legitimate users.
  • Ref: http://www.openbsd.org/errata.html

  • 06.35.8 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris 10 Pkgadd Incorrect Permissions Weakness
  • Description: The Solaris pkgadd utility installs software packages and patches from distribution media. Under certain conditions the pkgadd utility may set file or directory permissions incorrectly if the pkgmap file contains a "?" in the "mode" field. SPARC Solaris 10 without patch 119254-26 and x86 Solaris 10 without patch 119255-26 are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102513-1&searchclause=

  • 06.35.9 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX Mkvg Local Insecure Program Execution
  • Description: IBM AIX is prone to a local insecure program execution vulnerability. The application "mkvg" is a command used to create a new volume group on AIX servers. Since "mkvg" does not use an absolute path in program invocation, a local attacker can place a malicious application in the path and execute it with the privileges of the user running the affected application. IBM AIX versions 5.1, 5.2, and 5.3 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19708

  • 06.35.10 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX Dtterm Local Privilege Escalation
  • Description: IBM AIX is prone to a local privilege escalation issue due to unspecified errors in dtterm. This issue could be exploited by a malicious user to execute code with superuser privileges. Please see the referenced advisory for details.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY89045

  • 06.35.11 - CVE: Not Available
  • Platform: Unix
  • Title: SAPLPD/SAPSPRINT Unspecified Print Job Denial of Service
  • Description: SAPLPD and SAPSPRINT are the line printer daemon (LPD) package used by SAP R/3 to print documents. They are prone to an unspecified denial of service vulnerability that causes LPD to crash. All known versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19756

  • 06.35.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sendmail Long Header Denial of Service
  • Description: Sendmail is vulnerable to a denial of service issue when the application tries to handle excessively long header lines. Sendmail versions 8.13.7 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19714

  • 06.35.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Java System Content Delivery Server Unspecified Information Disclosure
  • Description: Sun Java System Content Delivery Server is vulnerable to an unspecified information disclosure issue. See the advisory for further details.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102593-1&searchclause=

  • 06.35.14 - CVE: CVE-2006-3124
  • Platform: Cross Platform
  • Title: Streamripper HTTP Header Parsing Buffer Overflow
  • Description: Streamripper is an application that records shoutcast style streams. The application is prone to a buffer overflow vulnerability. This issue is triggered when the application processes malicious HTTP headers. Streamripper versions prior to 1.61.26 are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=442126

  • 06.35.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP-DB/MaxDB WebDBM Remote Buffer Overflow
  • Description: SAP-DB and MaxDB are open-source SAP-certified databases for OLTP and OLAP usage. They are prone to a remote buffer overflow that may be exploited with a malformed HTTP request with a sufficiently large database name. MaxDB version 7.6.00.22 and all known versions of SAP-DB are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19660

  • 06.35.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cybozu Multiple Products Directory Traversal Vulnerabilities
  • Description: Cybozu provides various collaboration products including Cybozu Office, Garoon, Mailwise, AG, AG Pocket and Share360. Multiple Cybozu products are prone to a directory traversal vulnerability due to insufficient sanitization of the "id" parameter. Please refer to the advisory for further information.
  • Ref: http://cybozu.co.jp/products/dl/notice_060901/ http://www.securityfocus.com/bid/19733

  • 06.35.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple X.Org Products SetUID Local Privilege Escalation Vulnerability
  • Description: Multiple X.org products are prone to a local privilege escalation vulnerability. This issue occurs when the application calls the "setuid()" function to drop privileges. The application assumes that setuid() cannot fail, but the call can fail if the user's process ulimit has been reached, leaving the application running with uid 0 privileges.
  • Ref: http://www.securityfocus.com/bid/19742
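Added example, not code from the advisory or from X.Org: a privilege-drop routine in C that checks the return value of setuid(), re-reads the credentials afterwards, and reports a failure such as EAGAIN at the process limit instead of silently continuing as uid 0. The enum and function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Result of a privilege-drop attempt (names are hypothetical, this example's own). */
enum drop_result {
    DROP_OK = 0,
    DROP_SETGID_FAILED,     /* setgid() returned -1; errno describes why */
    DROP_SETUID_FAILED,     /* setuid() returned -1, e.g. EAGAIN when RLIMIT_NPROC is reached */
    DROP_STILL_PRIVILEGED   /* the calls "succeeded" but our credentials did not change */
};

/*
 * Drop from root to the given unprivileged uid/gid.
 *
 * The flaw described above is a setuid() whose return value is never
 * examined. Here every step is checked, and the real and effective ids
 * are re-read afterwards so a kernel that refused the change cannot leave
 * the process silently running as uid 0. Callers must treat any non-zero
 * result as fatal rather than carry on doing "unprivileged" work as root.
 * A complete drop would also clear supplementary groups with setgroups();
 * that needs root and is omitted so the example runs for any user.
 */
enum drop_result drop_privileges(uid_t uid, gid_t gid)
{
    /* Order matters: once uid is non-zero, setgid() would no longer be permitted. */
    if (setgid(gid) != 0)
        return DROP_SETGID_FAILED;

    if (setuid(uid) != 0)
        return DROP_SETUID_FAILED;

    /* Verify rather than assume that the kernel changed our identity. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return DROP_STILL_PRIVILEGED;

    return DROP_OK;
}

/* Human-readable explanation for logs; saved_errno is errno right after the failure. */
const char *drop_result_str(enum drop_result r, int saved_errno)
{
    switch (r) {
    case DROP_OK:               return "privileges dropped";
    case DROP_SETGID_FAILED:    return "setgid() failed";
    case DROP_SETUID_FAILED:    return saved_errno == EAGAIN
                                   ? "setuid() failed: process limit (RLIMIT_NPROC) reached"
                                   : "setuid() failed";
    case DROP_STILL_PRIVILEGED: return "credentials unchanged after setuid()";
    }
    return "unknown";
}

/* Returns 1 when both the real and effective uid are non-zero. */
int running_unprivileged(void)
{
    return getuid() != 0 && geteuid() != 0;
}

int main(void)
{
    /* Dropping to our own ids is always permitted, so this succeeds for root
     * and non-root alike and exercises the verified path. */
    enum drop_result r = drop_privileges(getuid(), getgid());
    printf("drop to self: %s\n", drop_result_str(r, errno));

    /* As a non-root user, asking for uid 0 must fail and be reported; this is
     * the error path the vulnerable code never looked at. */
    r = drop_privileges(0, 0);
    int saved = errno;
    printf("drop to root: %s (%s)\n", drop_result_str(r, saved),
           r == DROP_OK ? "we were already root" : strerror(saved));

    return running_unprivileged() ? 0 : 1;
}
```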

  • 06.35.18 - CVE: CVE-2006-3744
  • Platform: Cross Platform
  • Title: ImageMagick Sun Bitmap Image File Remote Unspecified Buffer Overflow
  • Description: ImageMagick is an image editing suite that includes a library and command line utilities. It is prone to an unspecified remote buffer overflow vulnerability while attempting to decode Sun bitmap image files. Versions of ImageMagick prior to 6.2.9-2 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/19699

  • 06.35.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zend Platform Multiple Remote Vulnerabilities
  • Description: Zend Platform is prone to multiple remote vulnerabilities including buffer overflows, denial of service and directory traversal issues. Zend versions 2.2.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/444263

  • 06.35.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Xbiff 2 Insecure Permissions Information Disclosure
  • Description: Xbiff 2 is a graphical mail notification utility. Xbiff 2 is prone to an information disclosure vulnerability due to insecure file permissions. The application creates the "$HOME/.xbiff2rc" file with permissions set to 755. The file contains sensitive information such as POP and IMAP passwords for the affected user. Xbiff 2 version 1.9 for Linux is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/19762

  • 06.35.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Lyris ListManager Unauthorized Administrative User Addition
  • Description: Lyris ListManager is a mailing list manager application. It is vulnerable to an unauthorized user-addition issue due to a hidden "add administrator" form field that can be maliciously edited. Lyris ListManager version 8.95 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19784

  • 06.35.22 - CVE: CVE-2006-4389
  • Platform: Cross Platform
  • Title: MySQL Multiupdate and Subselects Denial of Service
  • Description: MySQL is prone to multiple local denial of service vulnerabilities that occur when a query with multiupdate or subselects is issued. Versions prior to 4.1.13 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19794

  • 06.35.23 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Yapig Thanks_comment.PHP Cross-Site Scripting
  • Description: Yapig is an image gallery application. Insufficient sanitization of the "D_REFRESH_URL" parameter of the "thanks_comment.php" script exposes the application to multiple cross-site scripting issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19709

  • 06.35.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PMWiki Table Markups Cross-Site Scripting
  • Description: PMWiki is a wiki style web site builder. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to a number of table markups. PMWiki version 2.1.17 is vulnerable.
  • Ref: http://www.pmichaud.com/wiki/PmWiki/ChangeLog

  • 06.35.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Fotopholder Index.Php Cross-Site Scripting
  • Description: Fotopholder is a library used to generate web pages from folders of jpegs. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied data to the "path" parameter in the "index.php" script. Fotopholder versions 1.8 and 2.5 are affected.
  • Ref: http://www.securityfocus.com/bid/19736

  • 06.35.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBulletinBoard Global.PHP Cross-Site Scripting
  • Description: MyBulletinBoard is a bulletin board application. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "_SERVER[PHP_SELF]" parameter of the "admin/global.php" script. Versions prior to 1.1.8 are reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/19767

  • 06.35.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBulletinBoard Functions_Post.PHP Cross-Site Scripting
  • Description: MyBulletinBoard is a web-based bulletin-board application. It is exposed to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "fixjavascript()" and "htmlspecialchar_uni()" functions of the "function_post.php" script. Versions earlier than 1.1.8 are reported vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/444807

  • 06.35.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SF Nuked-Klan Nuke.PHP Cross-Site Scripting Vulnerability
  • Description: Nuked-Klan is a content management system implemented in PHP. The application is prone to a cross-site scripting vulnerability. Version 1.7 SP4.3 is reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/19772

  • 06.35.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: VisualShapers EzContents Loginreq2.PHP Cross-Site Scripting
  • Description: EzContents is a web-based content management application. Insufficient sanitization of the "subgroupname" parameter of the "loginreq2.php" script exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19780

  • 06.35.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Learn.com Learncenter.ASP Cross-Site Scripting
  • Description: Learn.com Learncenter is a learning management system implemented in ASP. The application is prone to a cross-site scripting vulnerability. The application fails to properly sanitize the "id" parameter of the "learncenter.asp" script.
  • Ref: http://www.securityfocus.com/archive/1/444842

  • 06.35.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Membrepass Multiple Cross-Site Scripting Vulnerabilities
  • Description: Membrepass is a web based login and member management script. It is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input to the "recherche" parameter of "recherchemembre.php" and the "email" parameter of "test.php". These issues affect version 1.5.
  • Ref: http://www.securityfocus.com/bid/19789

  • 06.35.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CMS Froggs Rejestracja.PHP SQL Injection
  • Description: CMS Froggs is a content management system. It is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "podpis" parameter of the "rejestracja.php" script. CMS Froggs versions 0.4 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19727

  • 06.35.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ProManager Note.PHP SQL Injection
  • Description: ProManager is a project management and to-do list application. Insufficient sanitization of the "note_id" parameter of the "note.php" script exposes the application to an SQL injection issue. ProManager version 0.73 is affected.
  • Ref: http://www.securityfocus.com/bid/19728

  • 06.35.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mambo/Joomla CMS Multiple SQL Injection Vulnerabilities
  • Description: Mambo/Joomla CMS are web-based content management systems. They are vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to various scripts. Mambo version 4.6 RC2 and Joomla version 1.0.10 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/444418

  • 06.35.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Xoops Edituser.PHP SQL Injection
  • Description: Xoops is a web portal application. It is prone to an SQL injection vulnerability due to insufficient sanitization of the "user_avatar" parameter of the "edituser.php" script. Version 2.0.14 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19720

  • 06.35.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Cybozu Garoon Multiple SQL Injection Vulnerabilities
  • Description: Cybozu Garoon is a workgroup collaboration suite. It is exposed to multiple SQL injection issues due to insufficient sanitization of user-supplied input to different parameters of various functions. Versions earlier than 2.1.1 are affected.
  • Ref: http://www.securityfocus.com/bid/19731

  • 06.35.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mambo/Joomla CMS ID SQL Injection
  • Description: Mambo/Joomla CMS are web-based content management systems (CMS) based upon the same source code base, written in PHP. Mambo/Joomla CMS are prone to a common SQL injection vulnerability. The applications fail to properly sanitize user-supplied input to the "id" parameter while editing site content, before using it in an SQL query. Mambo 4.5.4/4.6 RC2 and Joomla 1.0.10 are reported vulnerable.
  • Ref: http://www.hackers.ir/advisories/mambo-joomla.html

  • 06.35.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: IwebNegar Comments.PHP SQL Injection
  • Description: IwebNegar is a web log and content management system that is implemented in PHP. It is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input to the "id" parameter of the "comments.php" script. IwebNegar 1.1 is reportedly affected by this issue.
  • Ref: http://www.securityfocus.com/bid/19757

  • 06.35.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: JetStat JS ASP Faq Manager Multiple SQL Injection Vulnerabilities
  • Description: JS ASP Faq Manager is a freely available web-based application that maintains FAQs. It is exposed to multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "uid" and "pwd" form fields of the "admin/default.asp" script. Version 1.10 is affected.
  • Ref: http://www.securityfocus.com/bid/19761

  • 06.35.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Digiappz Freekot ASP SQL Injection
  • Description: Digiappz Freekot is a random quotation insertion tool. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "login" and "password" parameters. Digiappz Freekot versions 1.01 and earlier are vulnerable.
  • Ref: http://www.kapda.ir/advisory-410.html

  • 06.35.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: osCommerce Product_info.PHP SQL Injection
  • Description: osCommerce is an e-commerce application. It is exposed to an SQL injection vulnerability due to insufficient sanitization of user-supplied data to the "id[0]" parameter of the "product_info.php" script file. osCommerce version 2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/19774

  • 06.35.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: VisualShapers ezContents Headeruserdata.PHP SQL Injection
  • Description: ezContents is a content management system. It is prone to an SQL injection vulnerability due to insufficient sanitization of the "groupname" parameter of the "headeruserdata.php" script. Version 2.0.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19777

  • 06.35.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Membrepass Recherchemembre.php SQL Injection
  • Description: Membrepass is a web-based login and member management script. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "recherche" parameter of the "recherchemembre.php" script. Membrepass version 1.5 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/444845

  • 06.35.44 - CVE: Not Available
  • Platform: Web Application
  • Title: AlstraSoft Video Share Enterprise MyajaxPHP.PHP Remote File Include
  • Description: AlstraSoft Video Share Enterprise is a web-based video sharing application. Insufficient sanitization of the "config[BASE_DIR]" variable of the "myajaxphp.php" script exposes the application to a remote file include issue. AlstraSoft version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19724

  • 06.35.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo/Joomla Com_comprofiler Plugin.class.PHP Remote File Include
  • Description: The Mambo com_comprofiler is a component for Mambo CMS. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "mosConfig_absolute_path" parameter of the "plugin.class.php" script. Version 1.0 RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/19725

  • 06.35.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Fuji Xerox Printing Systems Embedded HTTP Server Multiple Vulnerabilities
  • Description: FXPS Embedded HTTP server is part of the Print Engine firmware implemented for printers manufactured by Fuji Xerox Printing Systems. It is prone to authentication bypass and denial of service vulnerabilities.
  • Ref: http://www.securityfocus.com/bid/19716

  • 06.35.47 - CVE: Not Available
  • Platform: Web Application
  • Title: eFiction Index.PHP Authentication Bypass
  • Description: eFiction is a fan appreciation application. It is affected by an authentication bypass issue due to insufficient sanitization of the "index.php" script. eFiction versions prior to 2.0.7 are affected.
  • Ref: http://www.securityfocus.com/bid/19717

  • 06.35.48 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB Multiple HTML Injection Vulnerabilities
  • Description: MyBB is a web-based bulletin board application. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of user-supplied input to the "aid" variable of the "attachment.php" script. Version 1.1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/19718

  • 06.35.49 - CVE: Not Available
  • Platform: Web Application
  • Title: PhpCOIN Multiple Remote File Include Vulnerabilities
  • Description: PhpCOIN is a Web hosting reseller application. It is prone to multiple remote file include vulnerabilities, due to insufficient sanitization of the "_CCFG[_PKG_PATH_INCL]" parameter in multiple scripts. Version 1.2.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19706

  • 06.35.50 - CVE: Not Available
  • Platform: Web Application
  • Title: AlberT-EasySite PSA_PATH Remote File Include Vulnerability
  • Description: AlberT-EasySite is a web-based site generation application. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "PSA_PATH" variable of the "logout.php" script. Versions 1.0a5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/19729

  • 06.35.51 - CVE: CVE-2006-4422
  • Platform: Web Application
  • Title: Jetbox CMS Search_function.PHP Remote File Include
  • Description: Jetbox CMS is a content management system that is implemented in PHP. Jetbox CMS is prone to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "relative_script_path" variable, which is used in the include path in the "search_function.php" script. Jetbox CMS version 2.1 is reported vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/444422

  • 06.35.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Bigace Globals Parameter Multiple Remote File Include Vulnerabilities
  • Description: Bigace is a content management application. It is prone to multiple remote file include vulnerabilities due to improper sanitization of user-supplied input to the "GLOBALS" parameter in multiple scripts. Version 1.8.2 of Bigace is known to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19723

  • 06.35.53 - CVE: Not Available
  • Platform: Web Application
  • Title: CJ Tag Board User-Agent PHP Code Injection
  • Description: CJ Tag Board is a web chat application. It is prone to a vulnerability that may allow remote attackers to inject arbitrary PHP code into the "User-Agent" HTTP header of the "tag.php" script. A successful attack may result in unauthorized access in the context of the server. CJ Tag Board version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/19748

  • 06.35.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Mod_PHPAlbum Sommaire_Admin.PHP Remote File Include
  • Description: mod_phpalbum is a photo album component for the Portail content management system. It is prone to a remote file include vulnerability due to a failure in the application to properly sanitize user-supplied input to the "chemin" parameter of the "sommaire_admin.php" script. Versions 2.15 and prior are reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/19750

  • 06.35.55 - CVE: Not Available
  • Platform: Web Application
  • Title: AY Systems Web Content System Multiple Remote File Include Vulnerabilities
  • Description: AY Systems WCS is a web-based content management system. Insufficient sanitization of user-supplied input exposes the application to multiple remote file include issues. AY Systems WCS version 2.6 is affected.
  • Ref: http://www.securityfocus.com/bid/19735

  • 06.35.56 - CVE: Not Available
  • Platform: Web Application
  • Title: CliServ Web Community Multiple Remote File Include Vulnerabilities
  • Description: CliServ Web Community is a web-based community application. The application is prone to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "cl_headers" parameter of the "menu.php" and "login.php" scripts. Version 0.65 is affected.
  • Ref: http://www.securityfocus.com/bid/19737

  • 06.35.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Interact Multiple Remote File Include Vulnerabilities
  • Description: Interact is an online tutoring system. It is prone to multiple remote file include vulnerabilities, due to insufficient sanitization of the "CONFIG[BASE_PATH]" parameter of the "autoprompter.php" and "common.inc.php" scripts. Versions 2.2 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19739

  • 06.35.58 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBulletinBoard Multiple HTML Injection Vulnerabilities
  • Description: MyBulletinBoard is a web-based bulletin board application that is implemented in PHP. MyBulletinBoard is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize the "Avatars" URL and the "Attachment" input box. MyBulletinBoard 1.1.7 is vulnerable to these issues; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/19740

  • 06.35.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Web3news PHPSECURITYADMIN_PATH Remote File Include
  • Description: Web3news is a web newsletter application. Insufficient sanitization of the "PHPSECURITYADMIN_PATH" parameter of the "_class.security.php" script exposes the application to a remote file include issue. Web3news version 0.95 is affected.
  • Ref: http://www.securityfocus.com/bid/19744

  • 06.35.60 - CVE: Not Available
  • Platform: Web Application
  • Title: PSlash lvc_include_dir Remote File Include
  • Description: PSlash is a modular web portal system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "lvc_include_dir" parameter in the "config.inc.php" script. PSlash version 0.7 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19693

  • 06.35.61 - CVE: CVE-2006-4418
  • Platform: Web Application
  • Title: WikePage Index.PHP Directory Traversal
  • Description: WikePage is a web-based wiki engine application. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input to the "cmd" parameter of the "index.php" script. WikePage versions V2006.2a and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19694/info

  • 06.35.62 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP iAddressBook Multiple Input Validation Vulnerabilities
  • Description: PHP iAddressBook is an online address book. It is exposed to HTML injection and cross-site scripting issues due to insufficient sanitization of user-supplied input. Versions 0.93 and earlier are affected. Please refer to the link below for further details.
  • Ref: http://www.securityfocus.com/bid/19700

  • 06.35.63 - CVE: Not Available
  • Platform: Web Application
  • Title: ExBB Italia UserStop.PHP Remote File Include
  • Description: ExBB Italia is a web-based forum application. It is prone to a remote file include vulnerability due to improper sanitization of user-supplied input to the "exbb['home_path']" parameter of the "userstop.php" script. ExBB Italia version 0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19753

  • 06.35.64 - CVE: Not Available
  • Platform: Web Application
  • Title: MiniBill Multiple Remote File Include Vulnerabilities
  • Description: MiniBill is a web-based source billing application. Insufficient sanitization of the "config[plugin_dir]" parameter of the "initPlugins.php" and "ipn.php" scripts exposes it to multiple remote file include issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19568

  • 06.35.65 - CVE: Not Available
  • Platform: Web Application
  • Title: PhpGroupWare Calendar Class.Holidaycalc.Inc.PHP Local File Include
  • Description: phpGroupWare is a groupware suite. It is exposed to a local file include issue due to insufficient sanitization of user-supplied input to the "GLOBALS" parameter of the "class.holidaycalc.inc.php" script. Versions 0.9.16.010 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/19751

  • 06.35.66 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPECard Functions.PHP Remote File Include
  • Description: PHPECard is a web-based greeting card application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "include_path" variable of the "functions.php" script. PHPECard versions 2.1.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/19752

  • 06.35.67 - CVE: Not Available
  • Platform: Web Application
  • Title: ModuleBased CMS Multiple Remote File Include Vulnerabilities
  • Description: ModuleBased CMS is a content management system. It is prone to multiple remote file include vulnerabilities because the application fails to properly sanitize user-supplied input to the "_SERVER" variable of multiple scripts. ModuleBased CMS version pre-alpha is vulnerable.
  • Ref: http://www.securityfocus.com/bid/19754

  • 06.35.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! Multiple Security Vulnerabilities
  • Description: Joomla! is a web-based content management application. It is prone to multiple security vulnerabilities due both to design and configuration weaknesses and a failure in the application to properly sanitize user-supplied input. All versions of Joomla! prior to version 1.0.11 are vulnerable to these issues.
  • Ref: http://www.securityfocus.com/bid/19749

  • 06.35.69 - CVE: Not Available
  • Platform: Web Application
  • Title: SQL-Ledger Unspecified Authentication Bypass
  • Description: SQL-Ledger is a double entry accounting system. It is affected by an unspecified authentication bypass issue. Please check the referenced advisory for details.
  • Ref: http://www.securityfocus.com/bid/19758

  • 06.35.70 - CVE: Not Available
  • Platform: Web Application
  • Title: EzPortal Multiple Input Validation Vulnerabilities
  • Description: EzPortal is a content management application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. EzPortal version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/444743

  • 06.35.71 - CVE: Not Available
  • Platform: Web Application
  • Title: LinksCaffe Authentication Bypass
  • Description: LinksCaffe is a link-indexing script with a MySQL database engine. It is prone to an authentication bypass vulnerability because the "admin1953.php" script does not require authentication. Versions 2.0 and 3.0 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19763

  • 06.35.72 - CVE: Not Available
  • Platform: Web Application
  • Title: phpATM Multiple Remote File Include Vulnerabilities
  • Description: phpATM is an upload and download manager application implemented in PHP. It is prone to multiple remote file include vulnerabilities because it fails to properly sanitize user-supplied input to the "include_location" parameter of the "confirm.php", "index.php" and "login.php" scripts.
  • Ref: http://www.securityfocus.com/bid/19765

  • 06.35.73 - CVE: Not Available
  • Platform: Web Application
  • Title: AlstraSoft Template Seller Payment_Result.PHP Remote File Include
  • Description: AlstraSoft Template Seller is a web-based application for selling template files. Insufficient sanitization of the "config[template]" parameter of the "payment_result.php" script exposes the application to a remote file include issue.
  • Ref: http://www.securityfocus.com/bid/19769

  • 06.35.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Lanifex Database of Managed Objects Access_manager.PHP Remote File Include
  • Description: Lanifex Database of Managed Objects is a document management application. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "_incMgr" parameter of the "access_manager.php" script. This issue affects versions 2.3 Beta and earlier.
  • Ref: http://www.securityfocus.com/bid/19773

  • 06.35.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Pheap Config.PHP Remote File Include
  • Description: Pheap is a web-based content management system. Insufficient sanitization of the "lpref" parameter of the "lib/config.php" script exposes the application to a remote file include issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/19775

  • 06.35.76 - CVE: Not Available
  • Platform: Web Application
  • Title: EzContents GLOBALS[rootdp] Parameter Multiple Remote File Include Vulnerabilities
  • Description: EzContents is a web-based content management system. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to the "GLOBALS[rootdp]" parameter of various scripts. VisualShapers EzContents version 2.0.3 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/444779

  • 06.35.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Feedsplitter Multiple Input Validation Vulnerabilities
  • Description: Feedsplitter is a PHP script that converts RSS or RDF newsfeeds into HTML, JavaScript and other formats. It is prone to multiple input-validation vulnerabilities. Version 2006-01-21 is reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/19779

  • 06.35.78 - CVE: Not Available
  • Platform: Web Application
  • Title: CubeCart Multiple Security Vulnerabilities
  • Description: CubeCart is a shopping cart application. It is affected by multiple cross-site scripting, SQL injection and file inclusion issues. CubeCart version 3.0.12 is affected.
  • Ref: http://www.securityfocus.com/bid/19782

  • 06.35.79 - CVE: Not Available
  • Platform: Web Application
  • Title: ExBB Home_Path Parameter Multiple Remote File Include Vulnerabilities
  • Description: ExBB is a web-based bulletin board application implemented in PHP. It is prone to multiple remote file include vulnerabilities due to insufficient sanitization of the "exbb[home_path]" parameter of multiple scripts. Version 1.9.1 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/19787

  • 06.35.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Evision CMS Path Parameter Multiple Remote File Include Vulnerabilities
  • Description: Evision CMS is a web-based content management system implemented in PHP. The application is prone to multiple remote file include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input to the "path" parameter of several scripts. Version 1.0 is reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/19788

  • 06.35.81 - CVE: Not Available
  • Platform: Web Application
  • Title: Membrepass Variable.PHP Remote File Include Vulnerability
  • Description: Membrepass is a web-based login and member management script. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "aifon" parameter of the "/include/change.php" script. Version 1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/19790

  • 06.35.82 - CVE: CVE-2006-2112
  • Platform: Hardware
  • Title: Fuji Xerox Printing Systems Print Engine FTP Bounce
  • Description: FXPS print engine is a firmware implementation for printers manufactured by Fuji Xerox Printing Systems. It is affected by an FTP bounce issue that can allow remote attackers to have the FTP server open connections to an arbitrary port on another computer. See the advisory for details.
  • Ref: http://www.securityfocus.com/bid/19711

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.