@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 39
October 2, 2006

Two Microsoft zero day vulnerabilities top this week's list - one in Internet Explorer and one in PowerPoint. But Apple's OS X and OpenSSL are also in need of immediate patching. And at the end we have a bonus section from SPI Dynamics on how search engine queries can be and are being stolen.

Plus a bonus today for SANS alumni: Rohit Dhamankar painstakingly compiled a table of all 2006 Microsoft security bulletins and showed which ones already have been exploited in the wild and which ones had zero day exploits, with reference URLs for the exploits. He did it to help you prioritize your patching, and we plan to keep it updated on the alumni section of the SANS website. It's not there yet, so right now if you want it, email info@sans.org with the subject Windows Exploits. That site will verify your alumni status, so make sure you use the email address you used when you registered for SANS training. We're not withholding it from others, but rather are working with the US CERT and Canadian CERT so they can add value and make it available to everyone.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                    # of Updates & Vulnerabilities
    Windows                                     1 (#0)
    Microsoft Office                            1 (#1)
    Third Party Windows Apps                    2
    Mac Os                                      2 (#2)
    Linux                                       1
    HP-UX                                       1
    BSD                                         1
    Solaris                                     4
    Aix                                         10
    Unix                                        1 (#6)
    Cross Platform                              8 (#3, #4, #5, #7)
    Web Application - Cross Site Scripting      12
    Web Application - SQL Injection             4
    Web Application                             46
    Network Device                              2
    Hardware                                    1

*************************************************************************

Three Big SANS Training Conferences Coming Up in the Next Three Months

Amsterdam, New Orleans, Washington, DC

See http://www.sans.org/index.php

New Orleans: November 14-26 http://www.sans.org/neworleans06/

Amsterdam: November 6-11 http://www.sans.org/amsterdam06/

Washington DC: December 9-16 http://www.sans.org/cdieast06/

How Good Are SANS Courses?

++ "I have attended courses by several of SANS rivals, and SANS blew them away." - Alton Thompson, US Marines

++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency, DLA

++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology" - Larry Anderson, Computer Sciences Corp.

++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense

Programs are scheduled in more than 40 cities in the next few months or you can attend live classes (or on demand courses) without leaving your home. Schedule: http://www.sans.org//index.php

***********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Third Party Windows Apps
Mac Os
Linux
HP-UX
BSD
Solaris
Aix
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************* Sponsored Links: ****************************

1) Free SANS First Wednesday Webcast this week: "Protecting Information & Managing Risk" Wednesday, October 04 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info/1381

2) Free SANS WhatWorks in Patch and Configuration Management Webcast this Thursday "Securing Systems and Saving Money with Multifunction Management Tools" Thursday, October 05 at 1:00 PM EDT (1700 UTC/GMT) http://www.sans.org/info/1382

*************************************************************************

Part III - Stealing Search Engine Queries from Javascript by SPI Dynamics, Inc.

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Microsoft PowerPoint Remote Code Execution
  • Affected:
    • Microsoft PowerPoint 2000/2002/2003
    • Microsoft PowerPoint 2004/v.X for Mac
  • Description: Microsoft PowerPoint is vulnerable to a remotely-exploitable code execution vulnerability. A specially-crafted PowerPoint file, when opened, can execute arbitrary code with the privileges of the current user. No technical details for this vulnerability have been publicly posted but a Trojan has been seen in the wild. The Trojan is currently identified as "Trojan.PPDropper.F" by some antivirus software. It is believed that this issue is related to the issue disclosed in a previous @RISK entry (see the references below). The currently-known variant has been seen to connect to the host "mylostlove1.6600.org", though other variants may connect elsewhere. Users are advised to monitor network access logs to see if this host is being actively contacted.

  • Status: Microsoft confirmed, no updates available.

  • Council Site Actions: All of the responding council sites are waiting on a patch from the vendor. They will deploy it during their next regularly scheduled system update cycle.

  • References:
  • (2) HIGH: Apple Mac OS X Multiple Vulnerabilities
  • Affected:
    • Apple Mac OS X versions 10.4.7 and prior
    • Apple Mac OS X Server versions 10.4.7 and prior
  • Description: Apple Mac OS X contains multiple remotely-exploitable vulnerabilities: (1) Failure to properly validate externally-provided data at the network frame level could trigger various flaws in the AirPort wireless networking subsystem. These flaws may be exploited by remote attackers within wireless range to execute arbitrary code with root privileges. It is believed that these flaws can be exploited even if the vulnerable machine is not on the same logical IP network as the attacker. This issue may be related to one discussed in a previous @RISK entry (see below). (2) Failure to properly validate anonymous SSL connections could allow malicious sites to pose as trusted sites to any application using the CFNetwork suite (including many common applications such as Safari). (3) A specially-crafted JPEG2000 or PICT image may lead to a buffer overflow and allow attackers to execute arbitrary code with the privileges of the current user. (4) A specially-crafted web page may cause a buffer overflow in the WebCore rendering framework (used by Safari and other HTML-viewing applications), leading to remote code execution with the privileges of the current user.

  • Status: Apple confirmed, updates available.

  • References:
  • (3) HIGH: OpenSSL ASN.1 Remote Buffer Overflow
  • Affected:
    • OpenSSL version 0.9.8c and prior
    • OpenSSL version 0.9.7k and prior
  • Description: OpenSSL, an open source implementation of the Secure Sockets Layer, contains a remotely-exploitable buffer overflow in its handling of ASN.1-encoded data. OpenSSL is used in a wide variety of applications, including many applications designed for security, and is installed by default on most UNIX, Linux, BSD, and Mac OS X systems. By sending a specially-crafted request to a vulnerable application using OpenSSL, an attacker could trigger this buffer overflow and execute arbitrary code with the privileges of the vulnerable application. Note that, because OpenSSL is open source, technical details for this vulnerability may be easily obtained via source code analysis.

  • Status: OpenSSL confirmed, updates available.

  • Council Site Actions: Two of the responding council sites are using the affected software and are in the process of investigating how this vulnerability affects them.

  • References: OpenSSL Security Advisory
  • (4) MODERATE: GNU gzip Multiple Remote Vulnerabilities
  • Affected:
    • GNU gzip versions 1.3.5 and prior
  • Description: GNU gzip, the GNU project's popular compression tool, contains multiple remotely-exploitable vulnerabilities. A specially crafted gzip-compressed file could trigger these vulnerabilities and execute arbitrary code with the privileges of the current user. The gzip program is installed on all Linux, BSD, and Mac OS X systems, and is common on most UNIX systems. On these systems, it is generally the preferred compression method. Note that, because gzip is open source, technical details for this vulnerability may be easily obtained via source code analysis.

  • Status: Some vendors, notably FreeBSD, have released patches for the versions of gzip included in their operating system distributions.

  • Council Site Actions: Only one of the responding council sites is using the affected software. Their Red Hat Linux systems will be updated via the Up2Date cycle. They are still investigating whether the vulnerability affects them on other O/S platforms.

  • References:
  • (5) MODERATE: Mozilla Firefox Unconfirmed Remote Code Execution
  • Affected:
    • Mozilla Firefox versions 1.5.8 and possibly prior
  • Description: An unconfirmed remote code execution vulnerability in Mozilla Firefox has been reported. A specially-crafted web page containing JavaScript could result in arbitrary code execution with the privileges of the current user. No technical details for this vulnerability have been publicly posted.

  • Status: Mozilla has not confirmed, no updates available.

  • References:
  • (6) MODERATE: HP Ignite-UX Remote Unauthorized Access and Privilege Escalation
  • Affected:
    • HP Ignite-UX for HP-UX versions B.11.00, B.11.11, B.11.23
  • Description: HP Ignite-UX, used to manage multiple HP-UX installations, contains a remotely-exploitable authentication-bypass and privilege escalation vulnerability. By sending specially-crafted commands to a vulnerable system, an attacker can log in with administrative privileges and gain complete control of the system. Note that no technical details for this vulnerability have been publicly posted.

  • Status: HP confirmed, updates available.

  • References:
  • (7) LOW: OpenSSH Remote Race Condition
  • Affected:
    • OpenSSH version 4.3 and prior
    • Portable OpenSSH versions 4.3 and prior
  • Description: OpenSSH, a popular implementation of the Secure Shell protocol, contains a remotely-exploitable race condition. OpenSSH servers configured to use GSSAPI (General Security Services Application Programming Interface) services are vulnerable to this race condition. By sending specially-crafted traffic to a vulnerable system, an attacker could theoretically execute arbitrary code with root privileges (Portable OpenSSH) or cause a denial-of-service condition (OpenSSH). Note that this vulnerability is currently believed to be only theoretical; it is not believed to be practically exploitable under normal conditions.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 39, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5191 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

****************************************************************

Errata: In @RISK volume 5, issue 38, Mozilla Firefox and Thunderbird version 1.5.0.7 and Mozilla SeaMonkey version 1.0.5 were described as containing multiple vulnerabilities. These versions are not vulnerable. The vulnerable versions are 1.5.0.6 and prior for Mozilla Firefox and Thunderbird, and versions 1.0.4 and prior for Mozilla SeaMonkey.

****************************************************************


  • 06.39.1 - CVE: Not Available
  • Platform: Windows
  • Title: xweblog Kategori.ASP SQL Injection
  • Description: xweblog is affected by an SQL injection issue due to insufficient sanitization of the "kategori" parameter of the "kategori.asp" script. xweblog version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/20145

  • 06.39.2 - CVE: CVE-2006-4694
  • Platform: Microsoft Office
  • Title: Microsoft PowerPoint Unspecified Remote Code Execution
  • Description: Microsoft PowerPoint is prone to an unspecified remote code execution vulnerability. This issue can allow remote attackers to execute arbitrary code on a vulnerable computer by supplying a malicious PowerPoint document to a user. This issue is being actively exploited in the wild as Trojan.PPDropper.F. This vulnerability is currently known to affect Microsoft Office 2000, Office XP and Office 2003.
  • Ref: http://www.microsoft.com/technet/security/advisory/925984.mspx

  • 06.39.3 - CVE: CVE-2006-4948
  • Platform: Third Party Windows Apps
  • Title: ProSysInfo TFTPDWIN Remote Buffer Overflow
  • Description: ProSysInfo TFTPDWIN is a multithreaded TFTP server. It is vulnerable to a remote stack based buffer overflow issue when a resource request is supplied with excessively long arguments. ProSysInfo TFTPDWIN versions 0.4.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20131/info

  • 06.39.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: NaviCOPA Web Server Remote Buffer Overflow
  • Description: NaviCOPA is a commercially available web server for Windows. It is prone to a remote buffer overflow vulnerability due to insufficient sanitization of the URI portion of an HTTP request. Version 2.01 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20250

  • 06.39.5 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X Airport Wireless Driver Multiple Buffer Overflow Vulnerabilities
  • Description: Apple's Airport wireless driver is prone to multiple unspecified buffer overflow vulnerabilities. These issues affect Apple Mac OS X versions 10.3.9 through 10.4.7.
  • Ref: http://docs.info.apple.com/article.html?artnum=61798

  • 06.39.6 - CVE: Not Available
  • Platform: Mac Os
  • Title: Skype Technologies Skype Unspecified Remote Format String
  • Description: Skype is susceptible to a remote format string vulnerability. This issue allows remote attackers to execute arbitrary machine code in the context of the affected application. Skype version 1.5.0.79 for Apple Mac OS X is vulnerable to this issue.
  • Ref: http://www.security-protocols.com/modules.php?name=News&file=article&sid=3259

  • 06.39.7 - CVE: CVE-2005-4798
  • Platform: Linux
  • Title: Linux Kernel NFS ReadLink Remote Denial of Service
  • Description: The Linux kernel is vulnerable to a remote denial of service issue because the NFS client code fails to properly handle unexpected conditions when an NFS client computer issues a "readlink" command and the server returns an excessively long result. Linux kernel versions 2.4 through 2.4.31 are vulnerable.
  • Ref: http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.32

  • 06.39.8 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX CIFS Unspecified Security Restriction Bypass
  • Description: HP-UX CIFS (Samba) is vulnerable to an unspecified security restriction bypass issue affecting SMB mounted filesystems. HP CIFS Server (Samba) versions A.02.02.01 and earlier are vulnerable.
  • Ref: http://www2.itrc.hp.com/service/cki/docDisplay.do?admit=-1335382922+1159471295326+28353475&docId=c00774481

  • - CVE: CVE-2006-4178, CVE-2006-4172
  • Platform: BSD
  • Title: FreeBSD I386_Set_LDT() Multiple Integer overflow vulnerability
  • Description: FreeBSD is exposed to multiple integer overflow issues. Please refer to the link below for further details.
  • Ref: http://www.securityfocus.com/archive/1/446946

  • 06.39.10 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris 10 Malformed IPV6 Packets Denial of Service
  • Description: Sun Solaris 10 is prone to a denial of service vulnerability. This issue arises on systems running Solaris 10 x64 without patch 118855-16. The vendor has reported that local or remote users on affected computers may trigger a denial of service condition through malformed IPV6 network packets.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102568-1&searchclause=

  • 06.39.11 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Syslog Denial of Service
  • Description: Sun Solaris is prone to a denial of service vulnerability. This issue occurs due to an unspecified flaw in the syslog service, allowing local attackers to disable it. This will prevent messages from being written to the system log. Sun Solaris versions 10, 9 and 8 (both SPARC and x86) are reportedly vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102510-1

  • 06.39.12 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Kernel SSL Service Remote Denial of Service
  • Description: Sun Solaris is prone to a denial of service vulnerability due to an unspecified flaw in the SSL kernel service, allowing remote attackers acting as an SSL client to crash the system. This issue only affects Solaris version 10.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102510-1

  • 06.39.13 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Malformed IPv6 Packets Remote Denial of Service
  • Description: Sun Solaris is prone to a local and remote denial of service vulnerability. Local or remote users on affected computers may trigger the condition through malformed IPv6 network packets. Versions 10 and prior (both SPARC and x86) are reportedly vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102144-1

  • 06.39.14 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX CFGMGR Local Privilege Escalation and Arbitrary File Overwrite Vulnerabilities
  • Description: IBM AIX is prone to a local privilege escalation vulnerability and a local arbitrary file overwrite vulnerability. These issues are present in the "cfgmgr" command. It is installed "setuid-superuser", and is only executable by members of the "system" group. IBM AIX versions 5.2 and 5.3 are vulnerable to these issues.
  • Ref: http://www.securityfocus.com/bid/20190

  • 06.39.15 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX Utape Privilege Escalation and Denial of Service Vulnerabilities
  • Description: AIX is vulnerable to local privilege escalation and denial of service issues in the Utape command. AIX versions 5.2 and 5.3 are affected.
  • Ref: http://www.securityfocus.com/bid/20187

  • 06.39.16 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX Slip.Login Local Privilege Escalation
  • Description: IBM AIX is an open Unix operating system. It is exposed to a local privilege escalation issue due to unspecified errors in "/etc/slip.login". IBM AIX versions 5.3 and 5.2 are affected.
  • Ref: http://www.securityfocus.com/bid/20191

  • 06.39.17 - CVE: CVE-2006-5011
  • Platform: Aix
  • Title: IBM Snappd AIX Local Arbitrary Command Execution Vulnerability
  • Description: IBM AIX is vulnerable to an arbitrary command execution issue in the snappd daemon. IBM AIX versions 5.2 and 5.3 are vulnerable to this issue.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY88820

  • 06.39.18 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX RDIST Local Arbitrary File Overwrite
  • Description: The command "/usr/bin/rdist" on IBM AIX is prone to a local arbitrary file overwrite vulnerability. This particular file is installed "setuid-root", which may allow a local attacker to overwrite arbitrary files. AIX versions 5.2 and 5.3 are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20194

  • 06.39.19 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX UUCP Local Privilege Escalation
  • Description: IBM AIX is prone to a local privilege escalation vulnerability. This issue presents itself due to a flaw in the "/usr/bin/uucp" command contained in the "bos.net.uucp" fileset. This binary is normally installed with "setuid-uucp" privileges. IBM AIX versions 5.2 and 5.3 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20196

  • 06.39.20 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX Mkvg Privilege Escalation and Denial of Service Vulnerabilities
  • Description: AIX is vulnerable to local privilege escalation and denial of service vulnerabilities which exist in the "mkvg" command. The command is used to manage volume groups and is included with the bos.rte.lvm fileset. AIX versions 5.2 and 5.3 are affected.
  • Ref: http://www.securityfocus.com/bid/20197

  • 06.39.21 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX Named8 Local Privilege Escalation
  • Description: AIX is vulnerable to a local privilege escalation. This issue affects Name Domain 8 (named8), which is the DNS distribution included with the bos.net.tcp.server fileset. AIX versions 5.2 and 5.3 are affected.
  • Ref: http://www.securityfocus.com/bid/20198/info

  • 06.39.22 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX Inventory Scout Local Arbitrary File Overwrite
  • Description: IBM Inventory Scout is an application that gathers hardware inventory for a system. It is vulnerable to an unspecified local arbitrary file overwrite issue when performing a survey. IBM Inventory Scout 2.2 for AIX versions 5.2 and 5.3 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20199

  • 06.39.23 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX xlock Local Buffer Overflow
  • Description: The xlock command on IBM AIX is prone to an unspecified local buffer overflow vulnerability. Since xlock is installed "setuid root", a complete system compromise is possible. AIX versions 5.2 and 5.3 are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20201

  • 06.39.24 - CVE: CVE-2006-3738
  • Platform: Unix
  • Title: OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow
  • Description: OpenSSL is an open source implementation of the SSL protocol. It is exposed to a buffer overflow issue due to a failure of the library to properly bounds check user-supplied input prior to copying it to an insufficiently sized memory buffer.
  • Ref: http://www.openssl.org/news/secadv_20060928.txt

  • 06.39.25 - CVE: CVE-2006-4965
  • Platform: Cross Platform
  • Title: Apple QuickTime Plug-In Arbitrary Script Execution
  • Description: Apple QuickTime Plug-In is a media player plug-in for web browsers running on Apple Mac OS or Microsoft Windows operating systems. The application is prone to an arbitrary script code execution weakness when processing QuickTime Media Link files (.qtl). Version 7.1.3 is vulnerable.
  • Ref: http://www.gnucitizen.org/blog/backdooring-mp3-files/

  • 06.39.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RSA Keon Certificate Authority Log File Verification Bypass Vulnerabilities
  • Description: RSA Keon is a commercially available certificate authority package. It is susceptible to two log file verification bypass vulnerabilities that are due to design flaws in the implementation of the log file digital signature process. Please see the advisory for further details. Versions 6.5.1 and 6.6 are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20136

  • 06.39.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CA eTrust Security Command Center and eTrust Audit Multiple Vulnerabilities
  • Description: CA eTrust Security Command Center (eSCC) is a security system management application. eTrust Audit is a system auditing application for the enterprise. These applications are prone to multiple unspecified information disclosure and replay vulnerabilities. Multiple versions are reportedly vulnerable; please see the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/20139

  • 06.39.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: cPanel Local Privilege Escalation
  • Description: cPanel allows domain owners to manage and monitor their web site. It is prone to a privilege escalation vulnerability because the application fails to prevent users from gaining administrative privileges on the affected computer. cPanel versions 10.8.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20163

  • 06.39.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Portable OpenSSH GSSAPI Remote Code Execution
  • Description: OpenSSH is a freely available, open-source implementation of the Secure Shell protocol. Portable OpenSSH is the same code base with portability enhancements to enable the applications to run on a variety of platforms. Portable OpenSSH is susceptible to a remote code execution vulnerability. The issue derives from a race condition in a vulnerable signal handler.
  • Ref: http://www.openssh.com/txt/release-4.4

  • 06.39.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Portable OpenSSH GSSAPI Authentication Abort Information Disclosure
  • Description: Portable OpenSSH is susceptible to an information disclosure weakness. The issue derives from a GSSAPI authentication abort which can be used to determine the existence and validity of usernames on unspecified platforms. Portable OpenSSH versions 4.3p1 and prior exhibit this weakness.
  • Ref: http://www.securityfocus.com/bid/20245

  • 06.39.31 - CVE: CVE-2006-4343
  • Platform: Cross Platform
  • Title: OpenSSL SSLv2 Null Pointer Dereference Client Denial of Service
  • Description: OpenSSL is an implementation of the SSL protocol. It is affected by a denial of service issue which affects the SSLv2 client code.
  • Ref: http://www.securityfocus.com/bid/20246

  • 06.39.32 - CVE: CVE-2006-2940
  • Platform: Cross Platform
  • Title: OpenSSL Public Key Processing Denial of Service
  • Description: OpenSSL is an open source implementation of the SSL protocol. It is vulnerable to a denial of service issue when an attacker uses malicious public key data to connect to a vulnerable server. See the advisory for further details.
  • Ref: http://www.openssl.org/news/secadv_20060928.txt

  • 06.39.33 - CVE: CVE-2006-5060
  • Platform: Web Application - Cross Site Scripting
  • Title: Jamroom Login.php Cross-Site Scripting
  • Description: Jamroom is a media content management system implemented in PHP. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize the "forgot" parameter of the "login.php" script. Jamroom 3.0.16 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20162

  • 06.39.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Photostore Multiple Cross-Site Scripting Vulnerabilities
  • Description: Photostore is an e-commerce application that allows you to sell photos online. It is vulnerable to multiple cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input to the "gid" parameter of the "details.php" script and the "photogid" parameter of the "view_photg.php" script.
  • Ref: http://www.securityfocus.com/bid/20172

  • 06.39.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Opieal AV Download Management Index.PHP Cross-Site Scripting
  • Description: Opieal Audio/Visual Download Management is a download manager and information database. Insufficient sanitization of the "destination" parameter of the "index.php" script exposes the application to a cross-site scripting issue. Opieal AV version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/20174

  • 06.39.36 - CVE: CVE-2006-3909
  • Platform: Web Application - Cross Site Scripting
  • Title: WWWThreads Cat Parameter Multiple Cross-Site Scripting Vulnerabilities
  • Description: WWWThreads is a web-based forum application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various scripts. WWWThreads versions 4.5.2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/446911

  • 06.39.37 - CVE: CVE-2006-5063
  • Platform: Web Application - Cross Site Scripting
  • Title: Elog Log Entry HTML Injection
  • Description: Elog is an application for creating web portals. The application is prone to an HTML injection vulnerability. Version 2.6.1 is vulnerable.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=389361

  • 06.39.38 - CVE: CVE-2006-5066
  • Platform: Web Application - Cross Site Scripting
  • Title: DanPHPSupport Multiple Cross-Site Scripting Vulnerabilities
  • Description: DanPHPSupport is a support ticket system implemented in PHP. The application is vulnerable to multiple cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input to the "page" parameter of the "index.php" script and to the "do" parameter of the "admin.php" script. DanPHPSupport 0.5 is vulnerable to these issues.
  • Ref: http://www.securityfocus.com/archive/1/447002

  • 06.39.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Phoenix Evolution CMS Multiple Cross-Site Scripting Vulnerabilities
  • Description: Phoenix Evolution CMS is a content manager. Insufficient sanitization of the "mod" and "action" parameters of the "index.php" script and the "pageid" parameter of the "/modules/pageedit/index.php" script exposes the application to multiple cross-site scripting issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/20212

  • 06.39.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Invoice Home.PHP Cross-Site Scripting
  • Description: PHP Invoice is a web-based billing and client management application. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input to the "msg" parameter of the "home.php" script. Version 2.2 is reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/20221

  • 06.39.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Movable Type Unspecified Cross-Site Scripting
  • Description: Movable Type is a web log application written. It is prone to an unspecified cross-site scripting vulnerability due to improper sanitization of user-supplied input. Movable Type versions 3.3, 3.31, 3.32 and Movable Type Enterprise versions 1.01 and 1.02 are confirmed to be vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20228

  • 06.39.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MKPortal PMPopup.PHP Cross-Site Scripting
  • Description: MKPortal is a content management system (CMS). It is exposed to cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input to the "u1" parameter of the "include/pmpopup.php" script. MKPortal versions 1.1 R1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20232

  • 06.39.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Zen Cart Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: Zen Cart is a web-based shopping cart application. It is vulnerable to multiple unspecified cross-site scripting attacks due to insufficient sanitization of user-supplied input to multiple scripts and parameters. Zen Cart 1.3.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20242

  • 06.39.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SAP Internet Transaction Server Cross-Site Scripting
  • Description: SAP Internet Transaction Server (ITS) facilitates communications between SAP R/3 systems and web users. It contains a cross-site scripting flaw due to insufficient sanitization of the "urlmime" parameter. Versions 6.1 and 6.2 are reportedly vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/20244

  • 06.39.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla Banner Component Index.PHP SQL Injection
  • Description: The banner component is a banner module for the Joomla content management system. The banner component is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "index.php" script. All versions of the banner component are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20159/info

  • 06.39.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: exV2 Index.PHP SQL Injection
  • Description: exV2 is a content management system. It is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "sort" parameter of the "index.php" script. Versions 2.0.4.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20143

  • 06.39.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Iyzi Forum Uye_Ayrinti.ASP SQL Injection
  • Description: Iyzi Forum is a web forum application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "uye_ayrinti.asp" script. Iyzi Forum versions 1.0 beta 3 and earlier are vulnerable.
  • Ref: http://www.milw0rm.com/exploits/2423

  • 06.39.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: VBulletin Global.PHP SQL Injection
  • Description: VBulletin is a web forum application. It is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "templatesused" parameter of the "global.php" script file before using it in an SQL query. Version 2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/20214

  • 06.39.49 - CVE: Not Available
  • Platform: Web Application
  • Title: MyPhotos Index.PHP Remote File Include
  • Description: MyPhotos is a web-based photo album implemented in PHP. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "includesdir" parameter of the "index" script. Version 0.1.3b beta is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20160

  • 06.39.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Grayscale BandSite CMS Multiple Input Validation Vulnerabilities
  • Description: Grayscale BandSite CMS is a content management system. It is prone to multiple input validation vulnerabilities. Version 1.1 is reportedly vulnerable. Please see the advisory for details.
  • Ref: http://www.securityfocus.com/bid/20137

  • 06.39.51 - CVE: CVE-2006-5031
  • Platform: Web Application
  • Title: CakePHP Vendors.PHP Directory Traversal
  • Description: CakePHP is a content manager written in PHP. The application is prone to a directory traversal vulnerability because it fails to properly sanitize user-supplied input to the "file" parameter of "/js/vendors.php". Version 1.1.7.3633 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20150

  • 06.39.52 - CVE: CVE-2006-5028
  • Platform: Web Application
  • Title: PLESK Filemanager.PHP Directory Traversal
  • Description: PLESK is a server management application targeted at hosting providers. The application is prone to a directory traversal vulnerability because it fails to properly sanitize the "file" parameter of "filemanager.php". Versions 7.5 reload and prior, and 7.6 for Windows are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20155

  • 06.39.53 - CVE: Not Available
  • Platform: Web Application
  • Title: E-Vision CMS Multiple Input Validation Vulnerabilities
  • Description: E-Vision CMS is a content manager. It is exposed to multiple input validation issues because the application fails to sanitize user-supplied input. Evision CMS version 1.0 is affected.
  • Ref: msg://bugtraq/20060922062639.8841.qmail@securityfocus.com

  • 06.39.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Wili-CMS Multiple Input Validation Vulnerabilities
  • Description: Wili-CMS is a content management system. It is prone to multiple input validation vulnerabilities. Version 0.1.1 is vulnerable. Please see the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/20134

  • 06.39.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Sun Secure Global Desktop Unspecified Multiple Input Validation Vulnerabilities
  • Description: Sun Secure Global Desktop is a web-based server application that allows secure application access on multiple platforms. It is implemented by Sun Microsystems. Sun Secure Global Desktop is prone to multiple input validation vulnerabilities. The vulnerabilities include six cross-site scripting and information disclosure issues. Sun Secure Global Desktop 4.3 and prior are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20135

  • 06.39.56 - CVE: Not Available
  • Platform: Web Application
  • Title: pNews Global.PHP Remote File Include
  • Description: pNews is a news submission application. Insufficient sanitization of the "nbs" parameter of the "includes/global.php" script exposes the application to a remote file include issue. pNews version 1.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/20140

  • 06.39.57 - CVE: Not Available
  • Platform: Web Application
  • Title: ProgSys RR.PHP Remote File Include Vulnerability
  • Description: ProgSys is a program support system. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "phpdns_basedir" parameter of "includes/pear/Net/DNS/RR.php". ProgSys versions 0.151 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20141

  • 06.39.58 - CVE: CVE-2006-4966
  • Platform: Web Application
  • Title: PHPQuestionnaire Ifunction.PHP Remote File Include
  • Description: PHPQuestionnaire is an online survey software tool. It is vulnerable to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "GLOBALS[phpQRootDir]" parameter of the "ifunction.php" script. PHPQuestionnaire version 3.12 is vulnerable.
  • Ref: http://xforce.iss.net/xforce/xfdb/29081

  • 06.39.59 - CVE: Not Available
  • Platform: Web Application
  • Title: exV2 Multiple Input Validation Vulnerabilities
  • Description: exV2 is a content management system. It is prone to multiple input validation vulnerabilities. Version 2.0.4.3 is reportedly vulnerable. Please see the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/20161

  • 06.39.60 - CVE: Not Available
  • Platform: Web Application
  • Title: ZoomStats MySQL.PHP Remote File Include
  • Description: ZoomStats is a web traffic analysis application. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "$GLOBALS" parameter of the "mysql.php" script. Version 1.0.2 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20165

  • 06.39.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Web-News Template.PHP Remote File Include
  • Description: Web-News is affected by a remote file include issue due to insufficient sanitization of the "content_page" parameter of the "template.php" script. Web-News version 1.6.3 is affected.
  • Ref: http://www.securityfocus.com/bid/20166

  • 06.39.62 - CVE: Not Available
  • Platform: Web Application
  • Title: AVCX MCF.PHP Remote File Include
  • Description: Advanced Clan Script (AVCX) is a web content management script. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "content" parameter of the "mcf.php" script. Versions 3.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20167

  • 06.39.63 - CVE: Not Available
  • Platform: Web Application
  • Title: ToendaCMS Media.PHP Directory Traversal
  • Description: ToendaCMS is an XML-based content management system implemented in PHP. It is prone to a directory traversal vulnerability because it fails to sufficiently sanitize user-supplied input to the "album" and "key" parameters of "media.php". Version 1.0.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20170

  • 06.39.64 - CVE: Not Available
  • Platform: Web Application
  • Title: SyntaxCMS 0004_Init_Urls.PHP Multiple Remote File Include Vulnerabilities
  • Description: SyntaxCMS is a content management system. It is prone to a remote file include vulnerability due to insufficient sanitization of the "init_path" parameter of the "0004_init_urls.php" script. Version 1.3 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20171

  • 06.39.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Kietu Hit.PHP Directory Traversal
  • Description: Kietu is a web site statistics application. It is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "url_hit" parameter of "hit.php". Kietu versions 4.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20175

  • 06.39.66 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPartenaire Dix.PHP3 Remote File Include
  • Description: PHPartenaire is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "url_phpartenaire" parameter of the "dix.php3" script. Versions 1.0 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20182

  • 06.39.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Polaring General.PHP Remote File Include
  • Description: Polaring is affected by a remote file include issue due to insufficient sanitization of the "_SESSION['dirMain']" parameter of the "general.php" script. Polaring version 0.04.03 is affected.
  • Ref: http://www.securityfocus.com/bid/20183

  • 06.39.68 - CVE: Not Available
  • Platform: Web Application
  • Title: PBLang Lang_NL.PHP Remote File Include
  • Description: PBLang is a bulletin board application. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "temppath" parameter of the "lang_nl.php" script. Versions 4.66z and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20184

  • 06.39.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Minerva Admin_Topic_Action_Logging.PHP Remote File Include
  • Description: Minerva is a content management system. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "phpbb_root_path" parameter of the "admin/admin_topic_action_logging.php" script. Minerva versions 2.0.21 build 238a and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20185

  • 06.39.70 - CVE: Not Available
  • Platform: Web Application
  • Title: faceStones Personal Fs_Forms_Links.PHP Remote File Include
  • Description: faceStones Personal is a data management application. It is prone to a remote file include vulnerability due to insufficient sanitization of the "GLOBALS[fsinit][objpath]" parameter of "fsl2/objects/fs_forms_links.php". Versions 2.0.42 and prior are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20188

  • 06.39.71 - CVE: Not Available
  • Platform: Web Application
  • Title: EvoBB Path Parameter Multiple Remote File Include Vulnerabilities
  • Description: EvoBB is a web-based bulletin board implemented in PHP. The application is prone to multiple remote file include vulnerabilities because it fails to properly sanitize user-supplied input to the "path" parameter of the "track.php" and the "connect.php" scripts. Versions 0.3 and prior are vulnerable to these issues.
  • Ref: http://www.securityfocus.com/bid/20189

  • 06.39.72 - CVE: Not Available
  • Platform: Web Application
  • Title: BrudaNews/GrudaGB Index.PHP Remote File Include
  • Description: BrudaNews and GrudaGB are web-based news applications. These applications are vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "o" parameter of the "index.php" script. BrudaNews and GrudaGB versions 1.1 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20192/info

  • 06.39.73 - CVE: Not Available
  • Platform: Web Application
  • Title: bbsNew Index2.PHP Remote File Include
  • Description: bbsNew is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "right" parameter of the "index2.php" script. bbsNew version 2.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/20204

  • 06.39.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Exporia Common.PHP Remote File Include
  • Description: Exporia is a web-based photo album. Insufficient sanitization of the "lan" parameter of the "common.php" script exposes the application to a remote file include issue.
  • Ref: http://www.securityfocus.com/bid/20205

  • 06.39.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Back-End CMS Multiple Remote File Include Vulnerabilities
  • Description: Back-End CMS is a content management system. It is exposed to multiple remote file include issues because it fails to properly sanitize user-supplied input to the "includes_path" parameter of the "index.php", "Facts.php", and the "search.php" scripts. Back-End CMS version 0.4.5 is affected.
  • Ref: http://www.securityfocus.com/bid/20207

  • 06.39.76 - CVE: Not Available
  • Platform: Web Application
  • Title: My-BIC Mybic_server.PHP Remote File Include
  • Description: My-BIC is web-based software used to create Ajax-based applications. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "file" parameter of the "mybic_server.php" script. My-BIC version 0.6.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20208

  • 06.39.77 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP_News Multiple Remote File Include Vulnerabilities
  • Description: PHP_News is a news application implemented in PHP. It is prone to multiple remote file include vulnerabilities due to insufficient input sanitization in several scripts. Version 2.0 is reportedly vulnerable. Please refer to the advisory for details.
  • Ref: http://www.securityfocus.com/bid/20209

  • 06.39.78 - CVE: Not Available
  • Platform: Web Application
  • Title: Quickblogger Remote File Include
  • Description: Quickblogger is a blog script implemented in PHP. The application is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "page" parameter of the "acc.php" script. Quickblogger version 1.4 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/447003

  • 06.39.79 - CVE: CVE-2006-4527
  • Platform: Web Application
  • Title: CubeCart Multiple Input Validation Vulnerabilities
  • Description: CubeCart is a shopping cart application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. CubeCart versions 3.0.12 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/447009

  • 06.39.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Sugar Suite Unspecified Arbitrary Command Execution
  • Description: Sugar Suite is a customer relationship management system. It is prone to an unspecified vulnerability that may allow an attacker to execute arbitrary commands with the privileges of the webserver process. Versions 4.2.1 and prior are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20217

  • 06.39.81 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPMyChat Index.PHP Connected_Users.Lib.PHP3 Local File Include
  • Description: phpMyChat is a web messaging application. It is exposed to a local file include issue because it fails to properly sanitize user-supplied input containing URL-encoded directory traversal sequences ('../') to the "ChatPath" parameter of the "connected_users_lib.php3" script. Version 0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/20219

  • 06.39.82 - CVE: Not Available
  • Platform: Web Application
  • Title: PABugs Class.MySQL.PHP Remote File Include
  • Description: PABugs is a Bugtracker application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "path_to_bt_dir" parameter of the "class.mysql.php" script. PABugs versions 2.0 beta 3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20222

  • 06.39.83 - CVE: Not Available
  • Platform: Web Application
  • Title: JAF CMS Multiple HTML Injection Vulnerabilities
  • Description: JAF CMS is a content management application that is implemented in PHP. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of the "shoutbox" input box of "/module/shout/jafshout.php" and in the "message body" input box of "module/forum/topicwin.php". Version 4.0RC1 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20225

  • 06.39.84 - CVE: Not Available
  • Platform: Web Application
  • Title: Kietu Url_Hit.PHP Remote File Include
  • Description: Kietu is a website statistics application. Insufficient sanitization of the "url_hit" parameter of the "hit.php" script exposes the application to a remote file include issue. Kietu version 4.0.0b2 is affected.
  • Ref: http://www.securityfocus.com/bid/20229

  • 06.39.85 - CVE: Not Available
  • Platform: Web Application
  • Title: A-Blog Menu.PHP Remote File Include Vulnerability
  • Description: A-Blog is a blogging system. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "navigation_start" parameter of "menu.php". A-Blog version 2 is affected.
  • Ref: http://www.securityfocus.com/bid/20230

  • 06.39.86 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPSelect Web Development Index.PHP3 Remote File Include
  • Description: PHPSelect Web Development is a content management application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "Application_Root" parameter of the "index.php3" script. PHPSelect Web Development Division version 0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/447177

  • 06.39.87 - CVE: Not Available
  • Platform: Web Application
  • Title: Pixel Motion Config.PHP Remote Command Execution
  • Description: Pixel Motion is a blog application implemented in PHP. It is prone to a command execution vulnerability due to insufficient sanitization of the "nom_blog" parameter of the "config.php" script. Version 2.1.1 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20235

  • 06.39.88 - CVE: CVE-2006-4263
  • Platform: Web Application
  • Title: VirtueMart Joomla ECommerce Edition Multiple Input Validation Vulnerabilities
  • Description: VirtueMart is an ecommerce application and Joomla eCommerce Edition is a content management application implemented in PHP. The application is affected by an HTML injection vulnerability and a cross-site scripting vulnerability in the "Itemid" parameter of the "index.php" script. VirtueMart Joomla eCommerce Edition version 1.0.11 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/447168

  • 06.39.89 - CVE: Not Available
  • Platform: Web Application
  • Title: Newswriter Editfunc.inc.PHP Remote File Include
  • Description: Newswriter is a web log application. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "NWCONF_SYSTEM[server_path]" parameter of "editfunc.inc.php". Newswriter version 1.42 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20237

  • 06.39.90 - CVE: Not Available
  • Platform: Web Application
  • Title: A-Blog Multiple Remote File Include Vulnerabilities
  • Description: A-Blog is a blogging application. Insufficient sanitization of user-supplied input exposes the application to multiple remote file include issues. A-Blog version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/20238

  • 06.39.91 - CVE: Not Available
  • Platform: Web Application
  • Title: Web//News Parser.PHP Remote File Include
  • Description: Web//News is a web-based news application. It is exposed to a remote file include issue due to a failure in the application to properly sanitize user-supplied input to the "WN_BASEDIR" variable of the "parse/parser.php" script. Versions 1.4 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/20239

  • 06.39.92 - CVE: Not Available
  • Platform: Web Application
  • Title: Red Mombin Multiple Cross-Site Scripting Vulnerabilities
  • Description: Red Mombin is a web-based task manager. It is exposed to multiple cross-site scripting issues because the application fails to sanitize user-supplied input to unspecified parameters of the "index.php" and the "process_login.php" scripts. Red Mombin version 0.7 is affected.
  • Ref: http://www.securityfocus.com/bid/20243

  • 06.39.93 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB-ES Functions_KB.PHP Remote File Include
  • Description: phpBB-Es is a fork of phpBB that has been translated to Spanish. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "includes/functions_kb.php" script. phpBB-Es version 2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/447292

  • 06.39.94 - CVE: Not Available
  • Platform: Web Application
  • Title: KGB Kgcall.php Local File Include
  • Description: KGB CMS is a content management application. It is prone to a local file include vulnerability due to insufficient sanitization of the "engine" parameter of the "kgcall.php" script. Version 1.8 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20258

  • 06.39.95 - CVE: Not Available
  • Platform: Network Device
  • Title: ContentKeeper Accounts Password Information Disclosure
  • Description: ContentKeeper is a network appliance designed to monitor and control employee use of the internet. It is prone to a local information disclosure vulnerability because the application fails to protect sensitive information from unprivileged users. In particular, the application discloses username and password information from other accounts by placing it in plaintext in the account management page before sending it to the user. ContentKeeper 123.25 and prior versions are reportedly vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20152

  • 06.39.96 - CVE: Not Available
  • Platform: Network Device
  • Title: Google Mini Search Appliance Information Disclosure
  • Description: The Google Mini Search Appliance is vulnerable to an information disclosure issue because sensitive information appears in the error page. Google Mini Search Appliance version 4.4.102.M.36 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/446728

  • 06.39.97 - CVE: Not Available
  • Platform: Hardware
  • Title: FiWin SS28S WiFi VoIP SIP/Skype Phone Default Administrator Password
  • Description: The FiWin SS28S WiFi VoIP SIP/Skype Phone is an internet enabled telephony device. It is affected by an authentication bypass issue because the administrator password is hardcoded into the device. All current devices are affected.
  • Ref: http://www.securityfocus.com/bid/20154

*****************************************************************************

Part III Stealing Search Engine Queries from JavaScript by SPI Dynamics, Inc.

*************************************************************************

Stealing Search Engine Queries from JavaScript

SPI Labs has discovered a practical method of using JavaScript to detect the search queries a user has entered into arbitrary search engines. As seen with the recent leakage of 36 million search queries made by half-a-million America Online subscribers, there are enormous privacy concerns when a user's search queries are made public. All the code needed to steal a user's search queries is written in JavaScript and uses Cascading Style Sheets (CSS). This code could be embedded into any website either by the website owner or by a malicious third party through a Cross-site Scripting (XSS) attack. There it would harvest information about every visitor to that site. For example, an HMO's website could determine whether a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers. Government websites could determine whether a visitor has been searching for bomb-making instructions.

The methodology for stealing search engine queries from JavaScript builds on techniques presented at Black Hat USA 2006 that used JavaScript and CSS to determine whether a user had visited an arbitrary link [1]. CSS is used to define styles for visited and unvisited hyperlinks. JavaScript is used to dynamically create hyperlinks hidden from the user's view. The browser applies the appropriate visited or unvisited style, and JavaScript is then used to read the style and detect whether the user has visited the hyperlink. Essentially, JavaScript can now be used to determine whether a user has visited a specific URL.

To steal search engine queries, JavaScript simply checks to see if a user has visited a URL that returns the results page for a given search query. If a user has visited the results page, then the user has searched for that query. Comparing the search results page for each search query reveals that the URLs are very similar. It is trivial for JavaScript to substitute different search queries to determine which ones the user visited.

Stealing queries is not as simple as plugging a search query into a URL and checking it. There are several factors such as letter case, query word order, and search engine used that can generate hundreds if not thousands of permutations that must be checked. More information about these barriers and how they can be overcome is discussed in great detail in the full whitepaper [2]. In short, JavaScript code is used to generate all these combinations in the client's browser. For a 4-word search query, over 1000 URLs can be generated and checked in just a few seconds, making this a viable attack vector against modern desktops.

To protect against this threat, end users should routinely clear their browser's history. Developers can reduce the risk to their users' privacy by securing the site against XSS, since XSS is the vector by which a third party embeds the harvesting code. More information is available in the full whitepaper [2].

SPI Labs has created SearchTheft as a proof of concept for the techniques described above. It is written in JavaScript and has been tested against both Mozilla/Firefox and Internet Explorer. SearchTheft automatically generates all letter casing and word order permutations of a given search query and checks if the user has searched for some variation of that query on a wide variety of search engines. A demonstration of using SearchTheft, as well as the source code, is available to the public [3].

References

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf

[2] http://www.spidynamics.com/assets/documents/JS_SearchQueryTheft.pdf

[3] http://www.spidynamics.com/spilabs/js-search/index.html

*************************************************************************

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.