@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

• (1) CRITICAL: Microsoft Internet Explorer VML Buffer Overflow (0day)
• (2) HIGH: Mozilla Suite Multiple Vulnerabilities
• (3) MODERATE: Microsoft PowerPoint Remote Code Execution

Other Software

• (4) HIGH: Ipswitch WS_FTP Multiple Remote Buffer Overflows
• (5) MODERATE: Cisco IPS Multiple Vulnerabilities
• (6) MODERATE: Cisco IOS DOCSIS Default SNMP Community String

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 06.38.1 - Microsoft Internet Explorer Vector Markup Language Buffer Overflow
• 06.38.2 - Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow

Microsoft Office

• 06.38.3 - Microsoft PowerPoint Remote Code Execution

Third Party Windows Apps

• 06.38.4 - Ipswitch WS_FTP Server XCRC XSHA1 and XMD5 Commands Buffer Overflow Vulnerabilities
• 06.38.5 - MailEnable SMTP SPF Remote Denial of Service
• 06.38.6 - Symantec Norton Personal Firewall SymEvent Driver Local Denial of Service
• 06.38.7 - NewsGator FeedDemon Active Script Code Execution
• 06.38.8 - Ipswitch WS_FTP PASV Response Remote Buffer Overflow
• 06.38.9 - SharpReader Atom Feed Script HTML Injection
• 06.38.10 - RSSReader RSS Feeds Atom Feed Multiple HTML Injection Vulnerabilities
• 06.38.11 - SISCO OSI Stack Remote Denial of Service

Mac Os

• 06.38.12 - Apple Remote Desktop Local Authentication Bypass
• 06.38.13 - Apple Mac OS X KExtLoad Buffer Overflow Weakness

Linux

• 06.38.14 - Linux Kernel SCTP SO_LINGER Local Denial of Service

Cross Platform

• 06.38.15 - OSU HTTP Server Multiple Information Disclosure Vulnerabilities
• 06.38.16 - Mozilla Firefox/Thunderbird/Seamonkey Multiple Remote Vulnerabilities
• 06.38.17 - GNU GZip Archive Handling Multiple Remote Vulnerabilities
• 06.38.18 - Cisco IPS/IDS Fragmented Packets Inspection Bypass Vulnerability

Web Application - Cross Site Scripting

• 06.38.19 - NixieAffiliate Lostpassword.PHP Cross-Site Scripting
• 06.38.20 - MyBulletinBoard Generic_Error.PHP Multiple Cross-Site Scripting Vulnerabilities
• 06.38.21 - IDevSpot BizDirectory Multiple Cross-Site Scripting Vulnerabilities
• 06.38.22 - PT News Search.PHP Cross-Site Scripting
• 06.38.23 - MyBulletinBoard Index.PHP Cross-Site Scripting
• 06.38.24 - NextAge Cart Index.PHP Multiple Cross-Site Scripting Vulnerabilities
• 06.38.25 - Roller Multiple Cross-Site Scripting Vulnerabilities
• 06.38.26 - Nuked-Klan Query Parameter Cross-Site Scripting
• 06.38.27 - aceboard recherche.PHP Cross-Site Scripting
• 06.38.28 - Innovate Portal Index.PHP Cross-Site Scripting
• 06.38.29 - eSyndiCat Search.PHP Cross-Site Scripting
• 06.38.30 - DotNetNuke HTML Injection
• 06.38.31 - Drupal Search Keywords Module HTML Injection
• 06.38.32 - MAXdev MD-Pro PnVarCleanFromInput Cross-Site Scripting

Web Application - SQL Injection

• 06.38.33 - Charon Cart Review.ASP SQL Injection
• 06.38.34 - Moodle Edit.PHP SQL Injection
• 06.38.35 - ECardPro Search.ASP SQL Injection
• 06.38.36 - CMS.R. Index.PHP SQL Injection
• 06.38.37 - Techno Dreams Articles and Papers Package ArticlesTableview.ASP SQL Injection
• 06.38.38 - Techno Dreams FAQ Manager Package Faqview.ASP SQL Injection
• 06.38.39 - Quadcomm Q-Shop Browse.ASP SQL Injection
• 06.38.40 - EShoppingPro Search_Run.ASP SQL Injection
• 06.38.41 - GNUTurk T_ID Parameter SQL Injection
• 06.38.42 - NX5Linkx Multiple SQL Injection Vulnerabilities
• 06.38.43 - ClickBlog! Default.ASP SQL Injection
• 06.38.44 - EasyPage Default.ASPX SQL Injection
• 06.38.45 - ZilekPortal Haberdetay.ASP SQL Injection
• 06.38.46 - more.groupware Week.PHP SQL Injection
• 06.38.47 - Tekman Portal Uye_Profil.ASP SQL Injection
• 06.38.48 - MyReview Functions.PHP SQL Injection

Web Application

• 06.38.49 - WM-News Print.PHP Local File Include
• 06.38.50 - SQL-Ledger/LedgerSMB Terminal Parameter Directory Traversal
• 06.38.51 - PnphpBB2 Functions_Admin.PHP Remote File Include
• 06.38.52 - Pie Cart Pro Inc_Dir Multiple Remote File Include Vulnerabilities
• 06.38.53 - PhpLinkExchange Multiple Input Validation Vulnerabilities
• 06.38.54 - NixieAffiliate Delete.PHP Authentication Bypass
• 06.38.55 - KorviBlog Livre_or.PHP HTML Injection
• 06.38.56 - MyABraCaDaWeb Base Parameter Multiple Remote File Include Vulnerabilities
• 06.38.57 - Mambo Hotornot Component Uploadfile.PHP Arbitrary File Upload
• 06.38.58 - MiniPortal Menu.PHP Remote File Include
• 06.38.59 - ColdFusion Flash Remoting Gateway Denial of Service
• 06.38.60 - WM-News Multiple Input Validation Vulnerabilities
• 06.38.61 - Mambo Extended Registration Component mosConfig_absolute_path Remote File Include
• 06.38.62 - AlstraSoft Efriends GetStartOptions.PHP Local File Include
• 06.38.63 - AlphaMail Log File Information Disclosure
• 06.38.64 - BusyBox HTTPD Directory Traversal
• 06.38.65 - UNAK-CMS Dirroot Parameter Remote File Include
• 06.38.66 - guanxiCRM Business Solution PHPXD.PHP Remote File Include
• 06.38.67 - PHPQuiz Index.PHP Remote File Include
• 06.38.68 - PhotoPost Pro Zipndownload.PHP Remote File Include
• 06.38.69 - TeamCal Pro Footer.html.inc.PHP Remote File Include
• 06.38.70 - BolinOS GBIndex.PHP Remote File Include
• 06.38.71 - PHP DocWriter Index.PHP Remote File Include
• 06.38.72 - Limbo CMS Frontpage Arbitrary File Upload
• 06.38.73 - phpBB XS BB_Usage_Stats.PHP Remote File Include
• 06.38.74 - Jupiter CMS Multiple Input Validation Vulnerabilities
• 06.38.75 - Site@School Multiple Input Validation Vulnerabilities
• 06.38.76 - Claroline Claro_Init_Local.Inc.PHP Remote File Include
• 06.38.77 - Hitweb REP_CLASS Multiple Remote File Include Vulnerabilities
• 06.38.78 - PHP-Post Multiple Input Validation Vulnerabilities
• 06.38.79 - Artmedic Links Index.PHP Remote File Include
• 06.38.80 - PHPQuiz Multiple Input Validation Vulnerabilities
• 06.38.81 - Simple Discussion Board Multiple Remote File Include Vulnerabilities
• 06.38.82 - DigitalWebShop Multiple Remote File Include Vulnerabilities
• 06.38.83 - RSSOwl Atom Feed Script HTML Injection
• 06.38.84 - Exponent CMS Index.PHP Local File Include
• 06.38.85 - Pie Cart Pro Home_Path Remote File Include
• 06.38.86 - Redblog Multiple Remote File Include Vulnerabilities
• 06.38.87 - Business Card Web Builder Startup.Inc.PHP Remote File Include
• 06.38.88 - A.I-Pifou Choix_langue.PHP Directory Traversal
• 06.38.89 - Neon WebMail For Java Multiple Input Validation Vulnerabilities
• 06.38.90 - PHPBlueDragon CMS Index.PHP Multiple Input Validation Vulnerabilities

Network Device

• 06.38.91 - NetGear DG834GT Long Username Denial of Service
• 06.38.92 - Cisco IOS Multiple VLAN Trunking Protocol Vulnerabilities
• 06.38.93 - Citrix Access Gateway AAC LDAP Authentication Bypass
• 06.38.94 - Cisco Guard Meta-Refresh Cross-Site Scripting
• 06.38.95 - Cisco IOS DOCSIS SNMP Community String Unauthorized Access

Hardware

• 06.38.96 - Nokia Phones Firmware MMC Local Authentication Bypass
• 06.38.97 - Cisco IPS/IDS Web Administration Interface Denial Of Service

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 38, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5181 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 06.38.1 - CVE: CVE-2006-3866
• Platform: Windows
• Title: Microsoft Internet Explorer Vector Markup Language Buffer Overflow
• Description: Microsoft Internet Explorer is prone to a buffer overflow vulnerability due to an error in the processing of Vector Markup Language documents. Version 6.0 on a fully patched system is reported to be vulnerable. Previous versions may also be affected.
• Ref: http://www.microsoft.com/technet/security/advisory/925568.mspx

• 06.38.2 - CVE: CVE-2006-4777
• Platform: Windows
• Title: Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow
• Description: Microsoft Internet Explorer is exposed to a heap buffer overflow issue. Please refer to the link below for further details.
• Ref: http://www.microsoft.com/technet/security/advisory/925444.mspx

• 06.38.3 - CVE: Not Available
• Platform: Microsoft Office
• Title: Microsoft PowerPoint Remote Code Execution
• Description: Microsoft PowerPoint is prone to a remote code execution vulnerability. This issue is being actively exploited in the wild as Trojan.PPDropper. This issue is currently known to affect only Office 2000 (Chinese version only) on Windows XP (Chinese).
• Ref: http://www.securityfocus.com/bid/20059

• 06.38.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Ipswitch WS_FTP Server XCRC XSHA1 and XMD5 Commands Buffer Overflow Vulnerabilities
• Description: Ipswitch WS_FTP Server is a file transfer and data management server. It is vulnerable to multiple stack overflow issues due to insufficient boundary checking. Ipswitch WS_FTP Server version 5.05 is vulnerable.
• Ref: http://ipswitch.com/support/ws_ftp-server/releases/wr505hf1.asp

• 06.38.5 - CVE: CVE-2006-4616
• Platform: Third Party Windows Apps
• Title: MailEnable SMTP SPF Remote Denial of Service
• Description: MailEnable is a mail server. It is vulnerable to a denial of service issue when a SPF lookup for a domain with a large number of records triggers a null pointer exception. MailEnable versions 1.116 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/20091

• 06.38.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Symantec Norton Personal Firewall SymEvent Driver Local Denial of Service
• Description: Symantec Norton Personal Firewall is prone to a local denial of service issue when attackers send malformed data to the "SymEvent" driver. Norton Personal Firewall 2006 version 9.1.0.33 is affected.
• Ref: http://www.securityfocus.com/bid/20051

• 06.38.7 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: NewsGator FeedDemon Active Script Code Execution
• Description: FeedDemon is an RSS news feed reading application for Windows. It is prone an active script code execution vulnerability because it fails to sufficiently sanitize script code. NewsGator FeedDemon versions 2.0 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/20114

• 06.38.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Ipswitch WS_FTP PASV Response Remote Buffer Overflow
• Description: Ipswitch WS_FTP Server is an FTP implementation that is available for Windows. It is prone to a remote buffer overflow that may be exploited when the PASV command is supplied with excessively long arguments. Version 5.08 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20121

• 06.38.9 - CVE: CVE-2006-4761
• Platform: Third Party Windows Apps
• Title: SharpReader Atom Feed Script HTML Injection
• Description: SharpReader is an RSS/Atom Aggregator available for Windows. It is prone to an HTML injection vulnerability due to insufficient sanitization of RSS/Atom feeds. Version 0.9.7.0 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20128

• 06.38.10 - CVE: CVE-2006-4762
• Platform: Third Party Windows Apps
• Title: RSSReader RSS Feeds Atom Feed Multiple HTML Injection Vulnerabilities
• Description: RSSReader is an application that displays any RSS and Atom news feed. RSSReader is prone to multiple HTML injection vulnerabilities. Version 1.0.96.0 beta RC3 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20129

• 06.38.11 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: SISCO OSI Stack Remote Denial of Service
• Description: The SISCO (Systems Integration Specialists Company) OSI stack for Windows is software designed to implement the OSI transport protocol on top of TCP/IP. It is affected by a remote denial of service issue due to improper processing of malformed network packets. The SISCO ISO stack for Windows is utilized in other products including MMS_EASE, ICCP Toolkit for MMS_EASE, AX-S4 MMS, and the AX-S4 ICCP. SISCO OSI stack versions 3.x and earlier are affected.
• Ref: http://www.securityfocus.com/bid/20130

• 06.38.12 - CVE: Not Available
• Platform: Mac Os
• Title: Apple Remote Desktop Local Authentication Bypass
• Description: Apple Remote Desktop (ARD) is a utility to remotely manage a computer and perform scheduled actions such as updates or remote commands. It is prone to an authentication bypass vulnerability, in which a local attacker may bypass the "LoginWindow" and gain superuser privileges. Versions 3.0, 2.1 and 2.0 are reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20092

• 06.38.13 - CVE: Not Available
• Platform: Mac Os
• Title: Apple Mac OS X KExtLoad Buffer Overflow Weakness
• Description: The kextload utility is used to load kernel extensions (kext directories) into the Apple Mac OS X kernel. It is not installed with setuid privileges by default. It is exposed to a buffer overflow issue because it fails to sufficiently bounds check user-supplied data before copying it into a finite sized memory buffer. Please refer to the link below for further details. Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049452.html

• 06.38.14 - CVE: CVE-2006-4535
• Platform: Linux
• Title: Linux Kernel SCTP SO_LINGER Local Denial of Service
• Description: The Linux kernel SCTP module is prone to a local denial of service vulnerability. This issue is due to a failure of the kernel to handle certain SO_LINGER values when dealing with SCTP sockets. A local attacker that opens a socket and sets the SO_LINGER value to an unspecified value, and then sends SCTP packets may trigger a kernel crash. Multiple versions of the 2.6 kernel are reported to be vulnerable.
• Ref: http://lkml.org/lkml/2006/9/5/263

• 06.38.15 - CVE: Not Available
• Platform: Cross Platform
• Title: OSU HTTP Server Multiple Information Disclosure Vulnerabilities
• Description: OSU (Ohio State University) HTTP Server is an open source web server for the OpenVMS operating system. It is prone to multiple information disclosure vulnerabilities. Versions 3.11a and 3.10a are vulnerable.
• Ref: http://www.securityfocus.com/bid/20098

• 06.38.16 - CVE: Not Available
• Platform: Cross Platform
• Title: Mozilla Firefox/Thunderbird/Seamonkey Multiple Remote Vulnerabilities
• Description: The Mozilla Foundation has released six security advisories regarding security vulnerabilities in Mozilla Firefox, SeaMonkey, and Thunderbird. Please refer to the link below for further details.
• Ref: http://www.securityfocus.com/bid/20042/references

• 06.38.17 - CVE:CVE-2006-4334,CVE-2006-4335,CVE-2006-4336,CVE-2006-4337,CVE-2006-4338
• Platform: Cross Platform
• Title: GNU GZip Archive Handling Multiple Remote Vulnerabilities
• Description: The GZip utility is vulnerable to multiple remote buffer overflow and denial of service issues when handling malicious archive files. See the advisory for further details.
• Ref: http://www.kb.cert.org/vuls/id/381508

• 06.38.18 - CVE: Not Available
• Platform: Cross Platform
• Title: Cisco IPS/IDS Fragmented Packets Inspection Bypass Vulnerability
• Description: Cisco Intrusion Prevention System (IPS/IDS) is a family of devices that provide threat prevention services. They are affected by an inspection bypass issue due to improper handling of malformed packets. This issue is being tracked by Cisco bug IDs CSCse17206 and CSCsf12379.
• Ref: http://www.securityfocus.com/bid/20127

• 06.38.19 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: NixieAffiliate Lostpassword.PHP Cross-Site Scripting
• Description: NixieAffiliate is an affiliate program for paypal. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "error" parameter of the "lostpassword.php" script. NexieAffiliate version 1.9 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20084

• 06.38.20 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: MyBulletinBoard Generic_Error.PHP Multiple Cross-Site Scripting Vulnerabilities
• Description: MyBulletinBoard is a bulletin board application implemented in PHP. The application is vulnerable to cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input to the "message" and "code" parameters of the "generic_error.php" script. Version 1.2 is vulnerable to this issue.
• Ref: msg://bugtraq/20060917152322.1987.qmail@securityfocus.com

• 06.38.21 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: IDevSpot BizDirectory Multiple Cross-Site Scripting Vulnerabilities
• Description: IDevSpot BizDirectory is a business listing directory application. Insufficient sanitization of the "stylesheet" parameter of the "Feed.php" script and the "message" parameter of the "status.php" script exposes the application to multiple cross-site scripting issues. BizDirectory versions 1.9 and prior are vulnerable.
• Ref: http://www.securityfocus.com/bid/20081

• 06.38.22 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: PT News Search.PHP Cross-Site Scripting
• Description: PT News is a simple news system. It is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "pgname" parameter of the "Search.php" script. PT News version 1.7.8 is affected.
• Ref: http://www.securityfocus.com/bid/20090

• 06.38.23 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: MyBulletinBoard Index.PHP Cross-Site Scripting
• Description: MyBulletinBoard is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the "navbits[][name]" parameter of the "archive/index.php" script. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. Versions 1.2 and earlier are reported to be vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446093

• 06.38.24 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: NextAge Cart Index.PHP Multiple Cross-Site Scripting Vulnerabilities
• Description: NextAge Cart is an online shopping cart application. It is vulnerable to multiple cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input to the "SearchWd" and "CatId" parameters of the "index.php" script.
• Ref: http://www.securityfocus.com/bid/20040

• 06.38.25 - CVE: CVE-2006-4856
• Platform: Web Application - Cross Site Scripting
• Title: Roller Multiple Cross-Site Scripting Vulnerabilities
• Description: Roller is an open source blog server implemented in Java. It is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "name", "email", and "url" parameters of the comments form. Version 2.3 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446133

• 06.38.26 - CVE: CVE-2006-4323
• Platform: Web Application - Cross Site Scripting
• Title: Nuked-Klan Query Parameter Cross-Site Scripting
• Description: Nuked-Klan is a content management system implemented in PHP. It is prone to a cross-site scripting vulnerability due to insufficient input sanitization of the "query" parameter of the "index.php" script. Version 1.7 SP4.3 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20032

• 06.38.27 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: aceboard recherche.PHP Cross-Site Scripting
• Description: aceboard is a web-based forum application. aceboard is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "auther" parameter of the "recherche.php" script. Version 5.3 is affected.
• Ref: http://www.securityfocus.com/bid/20063

• 06.38.28 - CVE: CVE-2006-3320
• Platform: Web Application - Cross Site Scripting
• Title: Innovate Portal Index.PHP Cross-Site Scripting
• Description: Innovate Portal is a web portal application written in PHP. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize HTML and script code from URI input before displaying it to the users of the application. The vulnerability resides in the "content" parameter of the "index.php" script. Version 2.0 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446422

• 06.38.29 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: eSyndiCat Search.PHP Cross-Site Scripting
• Description: eSyndiCat is a web portal creation application. It is vulnerable to cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input to the "what" parameter of the "search.php" script. Version 1.5 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20106

• 06.38.30 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: DotNetNuke HTML Injection
• Description: DotNetNuke is a web-based content management system. It is vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input to the "error" parameter. All versions of DotNetNuke are vulnerable.
• Ref: http://www.secureshapes.com/advisories/vuln20-09-2006.htm

• 06.38.31 - CVE: CVE-2006-4821
• Platform: Web Application - Cross Site Scripting
• Title: Drupal Search Keywords Module HTML Injection
• Description: Search Keywords is a module for the Drupal content management system that allows users to perform statistical analysis on keywords residing on a web page. Search Keywords is vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input in the "Id" field. Search Keywords module versions prior to 1.15 for Drupal 4.7 are vulnerable.
• Ref: http://drupal.org/node/85050

• 06.38.32 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: MAXdev MD-Pro PnVarCleanFromInput Cross-Site Scripting
• Description: MAXdev MD-Pro is a CMS application. It is prone to a cross-site scripting vulnerability because it fails to properly sanitize HTML and script code from URI input before displaying it to the users of the application. Versions earlier than 1.0.76 are affected.
• Ref: http://www.securityfocus.com/bid/20133

• 06.38.33 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Charon Cart Review.ASP SQL Injection
• Description: Charon Cart is a forum application. It is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ProductID" parameter of the "Review.asp" script file before using it in an SQL query. Version 3 is affected.
• Ref: http://www.securityfocus.com/bid/20083

• 06.38.34 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Moodle Edit.PHP SQL Injection
• Description: Moodle is an educational training application implemented in PHP. It is prone to an SQL injection vulnerability due to insufficient input sanitization of the "blogEntry" parameter of the "/blog/edit.php" script. Version 1.6.1 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20085

• 06.38.35 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: ECardPro Search.ASP SQL Injection
• Description: ECardPro is an electronic greeting-card application. It is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "keyword" parameter of "search.asp". This issue affects version 2.0.
• Ref: http://www.securityfocus.com/bid/20080

• 06.38.36 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: CMS.R. Index.PHP SQL Injection
• Description: CMS.R. is web forum software. Insufficient sanitization of the "adminname" and "adminpass" parameters of the "index.php" script exposes the application to an SQL injection issue.
• Ref: http://www.securityfocus.com/bid/19950

• 06.38.37 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Techno Dreams Articles and Papers Package ArticlesTableview.ASP SQL Injection
• Description: Techno Dreams produces ready to use ASP scripts. The application is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "key" parameter of the "ArticlesTableview.asp" script. Techno Dreams Articles and Papers Package version 2 is reported vulnerable.
• Ref: http://www.securityfocus.com/bid/20073

• 06.38.38 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Techno Dreams FAQ Manager Package Faqview.ASP SQL Injection
• Description: Techno Dreams FAQ Manager is affected by an SQL injection issue due to insufficient sanitization of the "key" parameter of the "faqview.asp" script. Techno Dreams FAQ Manager Package version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/20074

• 06.38.39 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Quadcomm Q-Shop Browse.ASP SQL Injection
• Description: Quadcomm Q-Shop is an online shopping package. It is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "cat" parameter of the "browse.asp" script. Quadcomm Q-Shop version 3.5 is affected.
• Ref: http://www.securityfocus.com/bid/20075

• 06.38.40 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: EShoppingPro Search_Run.ASP SQL Injection
• Description: EShoppingPro is an e-commerce application. Insufficient sanitization of the "order" parameter of the "search.asp" script exposes the application to an SQL injection issue. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/20089

• 06.38.41 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: GNUTurk T_ID Parameter SQL Injection
• Description: GNUTURK is a web-based portal application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "t_id" parameter of the "mod.php" script. GNUTurk versions 2G and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/20069

• 06.38.42 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: NX5Linkx Multiple SQL Injection Vulnerabilities
• Description: NX5Linkx is a web-based publishing application. It is exposed to multiple SQL injection issues because it fails to properly sanitize user-supplied input to the "c" parameter of the "link.php" script and the "l" parameter of the "out.php" script. NX5Linkx version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/20010

• 06.38.43 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: ClickBlog! Default.ASP SQL Injection
• Description: ClickBlog! is a web log application. Insufficient sanitization of the "Password" input field of the "default.asp" script exposes the application to an SQL injection issue. ClickBlog! versions 2.0 and prior are vulnerable.
• Ref: http://www.securityfocus.com/bid/20033

• 06.38.44 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: EasyPage Default.ASPX SQL Injection
• Description: EasyPage is a content management application implemented in ASP. It is prone to an SQL injection vulnerability due to insufficient input sanitization of the "srch" input field of the "default.aspx" script. Version 7 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20049

• 06.38.45 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: ZilekPortal Haberdetay.ASP SQL Injection
• Description: ZilekPortal is a web-based portal application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "haberdetay.asp" script. ZilekPortal version 1.0 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20062

• 06.38.46 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: more.groupware Week.PHP SQL Injection
• Description: more.groupware is a groupware application. It is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "new_calendarid" parameter of the "/modules/calendar/week.php" script. Version 0.7.4 is affected.
• Ref: http://www.securityfocus.com/bid/20100

• 06.38.47 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Tekman Portal Uye_Profil.ASP SQL Injection
• Description: Tekman Portal is a web-based portal application. It is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "uye_id" parameter of the "uye_profil.asp" script.
• Ref: http://www.securityfocus.com/bid/20102

• 06.38.48 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: MyReview Functions.PHP SQL Injection
• Description: MyReview is an application that manages paper submissions and paper reviews. Insufficient sanitization of the "email" parameter of the "function.php" script exposes the application to an SQL injection issue. MyReview version 1.9.4 is affected.
• Ref: http://www.securityfocus.com/bid/20105

• 06.38.49 - CVE: CVE-2006-4666
• Platform: Web Application
• Title: WM-News Print.PHP Local File Include
• Description: WM-News is a news article module. It is vulnerable to a local file include issue due to insufficient sanitization of user-supplied input to the "ide" parameter of the "print.php" script. WM-News version 0.5 is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/445818

• 06.38.50 - CVE: Not Available
• Platform: Web Application
• Title: SQL-Ledger/LedgerSMB Terminal Parameter Directory Traversal
• Description: SQL-Ledger and LedgerSMB are double entry accounting systems. They are affected by a remote directory traversal vulnerability due to insufficient sanitization of the "../" sequence characters in the "terminal" parameter of the "login.pl" and "admin.pl" scripts. SQL-Ledger version 2.6.18 and LedgerSMB version 1.0.0 are affected.
• Ref: http://www.securityfocus.com/bid/19960

• 06.38.51 - CVE: Not Available
• Platform: Web Application
• Title: PnphpBB2 Functions_Admin.PHP Remote File Include
• Description: PnphpBB2 is a modification of the phpBB online bulletin-board system. It is implemented in PHP. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "includes/functions_admin.php" script. Version 1.2g is affected by this issue.
• Ref: http://www.securityfocus.com/archive/1/446584

• 06.38.52 - CVE: Not Available
• Platform: Web Application
• Title: Pie Cart Pro Inc_Dir Multiple Remote File Include Vulnerabilities
• Description: Pie Cart Pro is a web development package. Insufficient sanitization of user-supplied input exposes the application to multiple remote file include issues. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/20099

• 06.38.53 - CVE: CVE-2006-3777
• Platform: Web Application
• Title: PhpLinkExchange Multiple Input Validation Vulnerabilities
• Description: PhpLinkExchange is a web-based link exchange directory application. It is vulnerable to multiple input validation issues such as cross-site scripting. PHPLinkExchange version 1.0 is vulnerable.
• Ref: http://www.frsirt.com/english/advisories/2006/2900

• 06.38.54 - CVE: Not Available
• Platform: Web Application
• Title: NixieAffiliate Delete.PHP Authentication Bypass
• Description: NixieAffiliate is an affiliate application for PayPal. It is prone to an authentication bypass vulnerability in "delete.php", which allows non-administrative users to delete any user account. Version 1.9 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20086

• 06.38.55 - CVE: Not Available
• Platform: Web Application
• Title: KorviBlog Livre_or.PHP HTML Injection
• Description: KorviBlog is a blog application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to multiple parameters of the "livre_or.php" script. Version 1.3.0 is vulnerable.
• Ref: http://www.securityfocus.com/bid/19943

• 06.38.56 - CVE: Not Available
• Platform: Web Application
• Title: MyABraCaDaWeb Base Parameter Multiple Remote File Include Vulnerabilities
• Description: MyABraCaDaWeb is a web-based content management system. It is exposed to multiple remote file include issues due to a failure in the application to properly sanitize user-supplied input to the "base" parameter of the "index.php" and "pop.php" scripts. Versions 1.0.3 and 1.0 are affected.
• Ref: http://www.securityfocus.com/bid/19944

• 06.38.57 - CVE: Not Available
• Platform: Web Application
• Title: Mambo Hotornot Component Uploadfile.PHP Arbitrary File Upload
• Description: Hotornot is a picture voting component for the Mambo content management system. The application is prone to an arbitrary file upload vulnerability because it fails to sufficiently sanitize the names of user-supplied files uploaded through the "uploadfile.php" script. Version 1.2.2 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20077

• 06.38.58 - CVE: Not Available
• Platform: Web Application
• Title: MiniPortal Menu.PHP Remote File Include
• Description: MiniPortal is a web portal application. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "cmd" parameter of the "menu.php" script. MiniPortal version 0.1.5 is vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/19949

• 06.38.59 - CVE: CVE-2006-4724
• Platform: Web Application
• Title: ColdFusion Flash Remoting Gateway Denial of Service
• Description: Adobe ColdFusion is an application that allows you to create internet applications. It is vulnerable to a denial of service issue in the Flash Remoting Gateway when handling specially crafted commands. Adobe ColdFusion versions MX 7.01 and 7.00 are vulnerable.
• Ref: http://www.adobe.com/support/security/bulletins/apsb06-12.html

• 06.38.60 - CVE: Not Available
• Platform: Web Application
• Title: WM-News Multiple Input Validation Vulnerabilities
• Description: WM-News is a news article module implemented in PHP. It is prone to multiple vulnerabilities because it fails to sufficiently sanitize user-supplied input to various parameters in multiple scripts. Version 0.5 is vulnerable.
• Ref: http://www.securityfocus.com/bid/19988

• 06.38.61 - CVE: Not Available
• Platform: Web Application
• Title: Mambo Extended Registration Component mosConfig_absolute_path Remote File Include
• Description: Extended Registration is a third-party component for Mambo that provides registration details. The application is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" variable of the "registration_detailed.inc.php" script. Version 4.1 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20072

• 06.38.62 - CVE: Not Available
• Platform: Web Application
• Title: AlstraSoft Efriends GetStartOptions.PHP Local File Include
• Description: AlstraSoft Efriends is a community building application. It is prone to a local file include vulnerability due to improper sanitization of user-supplied input to the "lang" parameter of the "chat/getStartOptions.php" script. This issue affects version 4.85.
• Ref: http://www.securityfocus.com/bid/20088

• 06.38.63 - CVE: Not Available
• Platform: Web Application
• Title: AlphaMail Log File Information Disclosure
• Description: AlphaMail is an IMAP email application. It is exposed to a local information disclosure issue because the application fails to properly ensure that sensitive information is not disclosed to local users. Versions prior to 1.0.16 are affected.
• Ref: http://www.securityfocus.com/bid/19996

• 06.38.64 - CVE: Not Available
• Platform: Web Application
• Title: BusyBox HTTPD Directory Traversal
• Description: BusyBox is a utility designed to implement the functionality of "fileutils" and "shellutils" binaries. Insufficient sanitization of the "../" sequence exposes the application to a directory traversal issue. BusyBox version 1.01 is affected.
• Ref: http://www.securityfocus.com/bid/20067

• 06.38.65 - CVE: Not Available
• Platform: Web Application
• Title: UNAK-CMS Dirroot Parameter Remote File Include
• Description: UNAK-CMS is a web-based content management program implemented in PHP. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "dirroot" parameter of "fck_link.php" and "connector.php". This issue affects version 1.5.
• Ref: http://www.securityfocus.com/bid/20070

• 06.38.66 - CVE: Not Available
• Platform: Web Application
• Title: guanxiCRM Business Solution PHPXD.PHP Remote File Include
• Description: guanxiCRM Business Solution is a web-based Customer Relationship Management (CRM) application implemented in PHP. It is prone to a remote file include vulnerability due to insufficient input sanitization of the "rootpath" parameter of "phpXD.php" and "admin_design.inc.php". Version 0.9.1 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20071

• 06.38.67 - CVE: CVE-2006-4834
• Platform: Web Application
• Title: PHPQuiz Index.PHP Remote File Include
• Description: PHPQuiz is a content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "pagename" parameter of the "index.php" script. PHPQuiz version 0.01 is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446039

• 06.38.68 - CVE: Not Available
• Platform: Web Application
• Title: PhotoPost Pro Zipndownload.PHP Remote File Include
• Description: PhotoPost Pro is a photo gallery and management application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "PP_PATH" parameter of the "zipndownload.php" script. PhotoPost Pro version 4.6 is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446224

• 06.38.69 - CVE: Not Available
• Platform: Web Application
• Title: TeamCal Pro Footer.html.inc.PHP Remote File Include
• Description: TeamCal Pro is a web-based personnel absence management application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "tc_config[app_root]" parameter of the "includes/footer.html.inc.php" script. TeamCal Pro version 2.8.2001 is vulnerable.
• Ref: http://milw0rm.com/exploits/2368

• 06.38.70 - CVE: CVE-2006-4850
• Platform: Web Application
• Title: BolinOS GBIndex.PHP Remote File Include
• Description: BolinOS is a content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "gBRootPath" parameter of the "gBIndex.php" script. BolinOS versions 4.5.5 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446113

• 06.38.71 - CVE: Not Available
• Platform: Web Application
• Title: PHP DocWriter Index.PHP Remote File Include
• Description: PHP DocWriter is group of PHP classes which allows a user to create OpenOffice.org XML formatted documents. Insufficient sanitization of the "script" parameter of the "examples/index.php" script exposes the application to a remote file include issue. PHP DocWriter versions 0.3 is affected.
• Ref: http://www.securityfocus.com/bid/20041

• 06.38.72 - CVE: Not Available
• Platform: Web Application
• Title: Limbo CMS Frontpage Arbitrary File Upload
• Description: Limbo CMS is a web-based content management system (CMS). It is exposed to an arbitrary file upload vulnerability due to a failure in the application to properly sanitize user-supplied input.
• Ref: http://www.securityfocus.com/bid/20044

• 06.38.73 - CVE: CVE-2006-4780
• Platform: Web Application
• Title: phpBB XS BB_Usage_Stats.PHP Remote File Include
• Description: phpBB XS is a modification of the phpBB online bulletin board system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "phpbb_root_path" parameter of the "bb_usage_stats.php" script. phpBBXS versions 058-006 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446108

• 06.38.74 - CVE: Not Available
• Platform: Web Application
• Title: Jupiter CMS Multiple Input Validation Vulnerabilities
• Description: Jupiter CMS is a content management system. It is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input.
• Ref: http://www.securityfocus.com/bid/20048

• 06.38.75 - CVE: Not Available
• Platform: Web Application
• Title: Site@School Multiple Input Validation Vulnerabilities
• Description: Site@School is a web-based content management system. It is vulnerable to multiple input validation issues such as directory traversal and remote file include issues. Site@School versions 2.4.02 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/20053/info

• 06.38.76 - CVE: CVE-2006-4844
• Platform: Web Application
• Title: Claroline Claro_Init_Local.Inc.PHP Remote File Include
• Description: Claroline is a course creation and management application for e-learning. This application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied data to the "extAuthSource['newUser']" parameter of the "inc/claro_init_local.inc.php" script. Version 1.7.7 is affected by this issue.
• Ref: http://www.securityfocus.com/bid/20056

• 06.38.77 - CVE: Not Available
• Platform: Web Application
• Title: Hitweb REP_CLASS Multiple Remote File Include Vulnerabilities
• Description: Hitweb is used to create a collection of websites. Insufficient sanitization of the "REP_CLASS" parameter in various scripts exposes the application to multiple remote file include issues.
• Ref: http://www.securityfocus.com/bid/20060

• 06.38.78 - CVE: Not Available
• Platform: Web Application
• Title: PHP-Post Multiple Input Validation Vulnerabilities
• Description: PHP-Post is a web-based forum application. It is exposed to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. PHP-Post Web Forum versions 1.0 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/20061

• 06.38.79 - CVE: Not Available
• Platform: Web Application
• Title: Artmedic Links Index.PHP Remote File Include
• Description: Artmedic links is a web-based links script implemented in PHP. It is prone to a remote file include vulnerability due to insufficient input sanitization of the "id" parameter of "index.php". Version 5.0 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20064

• 06.38.80 - CVE: CVE-2006-4865
• Platform: Web Application
• Title: PHPQuiz Multiple Input Validation Vulnerabilities
• Description: PHPQuiz is a web-based forum application implemented in PHP. PHPQuiz is prone to multiple input validation vulnerabilities because the application fails to properly sanitize user-supplied input. Version 1.2 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446315

• 06.38.81 - CVE: Not Available
• Platform: Web Application
• Title: Simple Discussion Board Multiple Remote File Include Vulnerabilities
• Description: Simple Discussion Board is bulletin board application implemented in PHP. It is prone to multiple remote file include vulnerabilities due to insufficient input sanitization of the "env_dir" parameter of multiple scripts. Version 0.1 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20103

• 06.38.82 - CVE: Not Available
• Platform: Web Application
• Title: DigitalWebShop Multiple Remote File Include Vulnerabilities
• Description: DigitalWebShop is an e-commerce application. It is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "$_PHPLIB["libdir"]" parameter of the "prepend.php" and "rechnung.php" script files. DigitalWebShop version 1.28 and earlier affected.
• Ref: http://www.securityfocus.com/bid/20107

• 06.38.83 - CVE: Not Available
• Platform: Web Application
• Title: RSSOwl Atom Feed Script HTML Injection
• Description: RSSOwl is an RSS, RDF and Atom Newsreader. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input when adding a malicious atom feed. Versions 1.2.1 and 1.2.2 are vulnerable.
• Ref: http://www.securityfocus.com/bid/20110

• 06.38.84 - CVE: Not Available
• Platform: Web Application
• Title: Exponent CMS Index.PHP Local File Include
• Description: Exponent CMS is a community building application . It is prone to a local file include vulnerability due to insufficient sanitization of the "view" parameter of the "index.php" script. Version 0.96.3 is reported to be vulnerable.
• Ref: http://www.securityfocus.com/bid/20111

• 06.38.85 - CVE: Not Available
• Platform: Web Application
• Title: Pie Cart Pro Home_Path Remote File Include
• Description: Pie Cart Pro is a web development application implemented in PHP. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "Home_Path" parameter of the "content.php" script. All known versions are reported to be vulnerable.
• Ref: http://www.securityfocus.com/archive/1/446419

• 06.38.86 - CVE: Not Available
• Platform: Web Application
• Title: Redblog Multiple Remote File Include Vulnerabilities
• Description: Redblog is a web log application. Insufficient sanitization of the "root_path" parameter exposes the appliction to multiple remote file include issues. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/20115

• 06.38.87 - CVE: Not Available
• Platform: Web Application
• Title: Business Card Web Builder Startup.Inc.PHP Remote File Include
• Description: Business Card Web Builder is a content management system (CMS). It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root_path" parameter of "include/startup.inc.php". Versions 0.99 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/20116

• 06.38.88 - CVE: Not Available
• Platform: Web Application
• Title: A.I-Pifou Choix_langue.PHP Directory Traversal
• Description: A.I-Pifou is a guestbook application for phpBB. Insufficient sanitization of the "../" sequence in the "choix_lng" parameter of the "choix_langue.php" script exposes the application to a directory traversal issue.
• Ref: http://www.securityfocus.com/bid/20120

• 06.38.89 - CVE: Not Available
• Platform: Web Application
• Title: Neon WebMail For Java Multiple Input Validation Vulnerabilities
• Description: Neon WebMail is a mail client implemented in Java. The application is prone to multiple input validation vulnerabilities because it fails to sanitize user-supplied input. Versions 5.06 and 5.07 (build.200607050) are vulnerable to these issues.
• Ref: http://vuln.sg/neonmail506-en.html

• 06.38.90 - CVE: Not Available
• Platform: Web Application
• Title: PHPBlueDragon CMS Index.PHP Multiple Input Validation Vulnerabilities
• Description: PHPBlueDragon CMS is a content management application. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting and SQL injection issues. PHPBlueDragon versions 2.9 and prior are affected.
• Ref: http://www.securityfocus.com/bid/20123

• 06.38.91 - CVE: Not Available
• Platform: Network Device
• Title: NetGear DG834GT Long Username Denial of Service
• Description: Netgear DG834GT is a hub device with additional routing, packet and simple content filtering functionality. It fails to handle user-supplied input in excess of 1000 bytes to the "username" input field on the administrative login page resulting in a buffer overflow condition.
• Ref: http://www.securityfocus.com/bid/19973

• 06.38.92 - CVE: Not Available
• Platform: Network Device
• Title: Cisco IOS Multiple VLAN Trunking Protocol Vulnerabilities
• Description: Cisco IOS is vulnerable to multiple issues when handling VLAN Trunking Protocol (VTP) packets. Cisco IOS 12.1(19)is vulnerable. See the advisory for further details.
• Ref: http://www.cisco.com/warp/public/707/cisco-sr-20060913-vtp.shtml

• 06.38.93 - CVE: Not Available
• Platform: Network Device
• Title: Citrix Access Gateway AAC LDAP Authentication Bypass
• Description: Citrix Access Gateway is a SSL/VPN appliance. It is prone to an authentication bypass vulnerability when the Advanced Access Control (AAC) option is configured to use LDAP authentication. This issue only affects AAC version 4.2 when using LDAP authentication.
• Ref: http://www.securityfocus.com/bid/20066

• 06.38.94 - CVE: Not Available
• Platform: Network Device
• Title: Cisco Guard Meta-Refresh Cross-Site Scripting
• Description: Cisco Guard is a distributed denial of service appliance to mitigate against malicious traffic. It is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. When the anti-spoofing feature is enabled the device inspects all diverted HTTP traffic and then a meta-refresh is sent to the client. However, if the original link followed contains malicious HTML or script code, the meta-refresh will contain this code and it will execute in the client browser in the context of the visited site. Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060920-guardxss.shtml

• 06.38.95 - CVE: Not Available
• Platform: Network Device
• Title: Cisco IOS DOCSIS SNMP Community String Unauthorized Access
• Description: Cisco IOS devices are prone to an unauthorized access vulnerability. The devices are inadvertently configured with a hard coded SNMP community string for supporting DOCSIS (Data Over Cable Service Interface Specifications) compliant interfaces.
• Ref: http://www.securityfocus.com/archive/1/446499

• 06.38.96 - CVE: Not Available
• Platform: Hardware
• Title: Nokia Phones Firmware MMC Local Authentication Bypass
• Description: Nokia Mobile Phones are exposed to an authentication bypass issue due to a design error which allows an attacker with local access to the affected device to boot from a MMC card, bypassing the device lock mechanism.
• Ref: http://www.securityfocus.com/bid/20003/info

• 06.38.97 - CVE: Not Available
• Platform: Hardware
• Title: Cisco IPS/IDS Web Administration Interface Denial Of Service
• Description: The web administration interface of Cisco IPS/IDS is exposed to a denial of service issue due to a failure in the application to properly handle a malformed SSLv2 Client Hello packet. Please refer to the link below for further details.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060920-ips.shtml

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.