
@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 4
January 30, 2006

Major new vulnerabilities in Oracle and CA iTechnology. Plus problems in WinAmp and lots of new exploits this week. If there ever was a lull, it is over.

Are you looking for ways to contribute to the overall security of the Internet? If you serve as a senior security person at an organization with responsibility for at least 10,000 systems, we would love to have your help as a (confidential) member of the Council that advises the 125,000 readers of @RISK about which vulnerabilities need immediate action and which can be put off until the next update cycle. If you are qualified and interested, email info@sans.org with the subject "@RISK Council" and a few words about what you do.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                   # of Updates & Vulnerabilities
    Windows                                    0 (#10)
    Third Party Windows Apps                   8 (#1)
    Linux                                      2 (#4, #5)
    BSD                                        2
    Unix                                       1
    Cross Platform                             11 (#2, #3, #6, #8, #9, #11)
    Web Application - Cross Site Scripting     8
    Web Application - SQL Injection            8
    Web Application                            10
    Network Device                             2 (#7)

*************** SPONSORED BY SANS TRAINING *****************************

World-Class Security Training Opportunities in the Next Four Weeks

SANS 2006 in Orlando (Feb 24 - March 4): 36 tracks of extraordinary training, the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program. Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa

Or you can take SANS training anytime, anywhere with the new SANS On Demand. Details on these and other programs: www.sans.org

And the SCADA Security Summit is 76% full. If you want to attend, register this week. http://www.sans.org/scadasummit06/
*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
BSD
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Winamp Playlist File Computer Name Handling Overflow
  • Affected:
    • Winamp all 5.x versions
  • Description: Winamp, a popular Windows media player, contains a buffer overflow. The overflow can be triggered by a malformed playlist file (a file with a ".pls" extension) that contains an overlong "computer name". To exploit the flaw, an attacker can post the malicious playlist file on a webpage or shared folder, or send it in an email. In a web attack scenario, Winamp may automatically open the crafted playlist file. The flaw can be leveraged to execute arbitrary code on the user's system. Exploit code has been publicly posted.

  • Status: No patch yet available from Winamp. A workaround is to disable Winamp as the default media player.

  • References:
  • (2) HIGH: Oracle PL/SQL Gateway Security Bypass
  • Affected:
    • Oracle PL/SQL Gateway present in Oracle Application Server, Oracle HTTP Server and Oracle Internet Application Server
  • Description: NGSSoftware has reported that the Oracle PL/SQL Gateway contains a flaw in processing user input that can be exploited to gain access to restricted packages and procedures. This can result in compromise of the backend database server via HTTP (a common configuration). The flaw can be triggered by a specially crafted query with an unmatched right parenthesis ")".

  • Status: Oracle has been informed of this high-rated flaw but has still not announced patches. NGSSoftware has published workarounds using the "mod_rewrite" Apache module, which is part of the Oracle HTTP Server.

  • References:
  • (3) HIGH: CA iTechnology iGateway Buffer Overflow
  • Affected:
    • iGateway component prior to version 4.0.051230
  • Description: Computer Associates' iGateway, an HTTP/HTTPS server that runs on port 5250/tcp, is a component present in a number of CA products, including the BrightStor, eTrust and UniCenter product lines. This server contains an overflow that can be triggered by declaring a negative value for "content length" in an HTTP request. On Windows platforms, the flaw can be exploited to execute arbitrary code with SYSTEM privileges.

  • Status: CA has posted a fix for the iGateway component. Vulnerable products can be located by checking the version number in the "iGateway.conf" file.

  • References:
  • (4) MODERATE: Red Hat Certificate and Directory Server Remote Compromise
  • Affected:
    • Red Hat Directory Server prior to version 7.1 SP1
    • Red Hat Certificate Server prior to version 7.1 SP1
    • Netscape Directory Server
  • Description: Red Hat Directory Server (formerly Netscape Directory Server) and Red Hat Certificate Server contain a stack-based overflow in their management console. The flaw can be triggered by specially crafted input to the "help" button on the management console, and possibly exploited to execute arbitrary code. Note that the discoverers claim that under certain circumstances an unauthenticated attacker can exploit the overflow, whereas Red Hat's advisory states that only local privilege escalation is possible.

  • Status: Red Hat has fixed these flaws in version 7.1 SP1 of the affected products. Firewall access to the management console.

  • References:
  • (5) MODERATE: SuSE Linux RPC mountd Remote Code Execution
  • Affected:
    • SuSE Linux 9.1, 9.2, 9.3, 10.0
  • Description: SuSE Linux contains a buffer overflow vulnerability in its "rpc.mountd" service, which is responsible for mounting file shares. The problem occurs because the "realpath()" function does not allocate enough buffer space for processing mountd requests. The overflow can be exploited by a local user, and potentially by an unauthenticated attacker, to execute arbitrary code with "root" privileges. Note that the affected package "nfs-server" is obsolete and has been replaced by "nfs-utils", which is not vulnerable.

  • Status: SuSE has released a fix for the nfs-server package. Please upgrade to the nfs-utils package whenever possible.

  • References:
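Item (3) above describes the iGateway overflow as being triggered by a negative "content length" value. The following is an added illustration written for this bulletin; it is not CA's code and makes no claim about iGateway's internals. It contrasts a constructed header parser that accepts whatever atoi() returns (so "-1" becomes a negative length that later turns into a huge size_t) with a hardened parser that accepts only a bounded, unsigned decimal value before the length is ever used to size a buffer. The 16 MiB limit and the find_content_length() helper are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed vulnerable pattern: atoi() accepts a sign, so "-1" yields -1.
 * If that value is later passed to malloc()/memcpy() as a size_t it wraps to
 * a very large unsigned number; atoi() also returns 0 for garbage and has
 * undefined behaviour on overflow, so nothing here is validated. */
long naive_content_length(const char *value)
{
    return atoi(value);
}

/* Assumed server policy limit for request bodies (not from the advisory). */
#define MAX_BODY_LEN (16UL * 1024 * 1024)

/* Hardened parser: digits only (no sign), optional surrounding whitespace,
 * and a hard upper bound checked before each multiply so it cannot overflow.
 * Returns true and stores the length on success; false means reject. */
bool parse_content_length(const char *value, size_t *out)
{
    if (value == NULL) return false;
    while (*value == ' ' || *value == '\t') value++;   /* leading LWS */
    const char *p = value;
    if (*p < '0' || *p > '9') return false;            /* rejects '-', '+', "" */
    unsigned long acc = 0;
    for (; *p >= '0' && *p <= '9'; p++) {
        unsigned digit = (unsigned)(*p - '0');
        if (acc > (MAX_BODY_LEN - digit) / 10) return false;  /* > limit */
        acc = acc * 10 + digit;
    }
    while (*p == ' ' || *p == '\t') p++;               /* trailing LWS */
    if (*p != '\0') return false;                       /* junk after digits */
    *out = (size_t)acc;
    return true;
}

/* Scan a raw request head (CRLF-terminated lines) for a Content-Length header.
 * Returns 1 if a valid header was found (length in *out), 0 if absent, and
 * -1 if present but malformed, in which case the request must be rejected
 * rather than passed on with a default or partially parsed length. */
int find_content_length(const char *request, size_t *out)
{
    const char *line = request;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= 15 && strncasecmp(line, "Content-Length:", 15) == 0) {
            char value[64];
            size_t vlen = len - 15;
            if (vlen >= sizeof value) return -1;       /* absurdly long value */
            memcpy(value, line + 15, vlen);
            value[vlen] = '\0';
            return parse_content_length(value, out) ? 1 : -1;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample requests: one well-formed, one with a negative length. */
    const char *good = "POST /x HTTP/1.0\r\nHost: h\r\nContent-Length: 10\r\n\r\n";
    const char *bad  = "POST /x HTTP/1.0\r\nHost: h\r\nContent-Length: -1\r\n\r\n";
    size_t n = 0;
    printf("good: rc=%d len=%zu\n", find_content_length(good, &n), n);
    printf("bad:  rc=%d (naive atoi would give %ld)\n",
           find_content_length(bad, &n), naive_content_length("-1"));
    return 0;
}
```

The point of the hardened version is that the decision to reject happens while the value is still text: once a signed integer has been converted to a size for allocation or copying, there is no safe place left to catch a negative value.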
Other Software
  • (7) LOW: Cisco VPN 3000 Concentrator HTTP Request DoS
  • Affected:
    • Cisco VPN 3000 series concentrators running software versions 4.7.0 through 4.7.2.A
  • Description: The HTTP service on Cisco VPN concentrators contains a denial of service vulnerability that can be triggered by specially crafted HTTP requests. The HTTP service is enabled by default on the concentrators, so repeated malicious requests can cause the VPN device to reload. The technical details required to craft the malicious HTTP requests have not been posted.

  • Status: Cisco has released a fixed software version 4.7.2B. A workaround is to either block access to the HTTP service or switch to the HTTPS service on the VPN concentrators.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 4, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4841 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.4.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: E-Post MailServer Multiple Remote Vulnerabilities
  • Description: E-Post MailServer is an email server. It is vulnerable to multiple remote issues, such as buffer overflows in the SMTP, POP3 and IMAP services. Please see the advisory for further details, including a list of vulnerable versions.
  • Ref: http://secunia.com/advisories/18480/

  • 06.4.2 - CVE: CVE-2006-0336
  • Platform: Third Party Windows Apps
  • Title: WinRoute Firewall Web Browsing Unspecified Denial of Service
  • Description: Kerio WinRoute Firewall is an enterprise level firewall. It is vulnerable to a remote denial of service issue by unknown vectors involving "browsing the web". Kerio WinRoute Firewall versions 6.1.4 Patch 1 and earlier are vulnerable.
  • Ref: http://www.kerio.com/kwf_history.html

  • 06.4.3 - CVE: CVE-2005-3683
  • Platform: Third Party Windows Apps
  • Title: Sami FTP Server User Command Buffer Overflow
  • Description: Sami FTP Server is an FTP server for various Microsoft Windows platforms. It is prone to a buffer overflow vulnerability due to a failure in the application to do proper bounds checking of user-supplied data. An attacker can exploit this issue to execute arbitrary machine code in the context of the affected server application. Sami FTP server version 2.0.1 is affected by this issue.
  • Ref: http://www.securityfocus.com/archive/1/423148

  • 06.4.4 - CVE: CVE-2006-0342
  • Platform: Third Party Windows Apps
  • Title: Rockliffe MailSite HTTP Mail Management Agent Denial of Service
  • Description: MailSite is an application that provides access to email accounts. The HTTP mail management agent is vulnerable to a denial of service issue due to an error in its input validation routines that causes svchost to consume excessive CPU resources. Rockliffe MailSite versions 7.0.3.1 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/0284

  • 06.4.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Tftpd32 SEND / GET Remote Format String
  • Description: Tftpd32 includes DHCP, TFTP, SNTP and Syslog servers as well as a TFTP client. A remote format string vulnerability affects Tftpd32. This issue is due to improper sanitization of user-supplied input data prior to using it in a formatted-printing function. Tftpd32 version 2.81 is reported to be vulnerable; other versions may be affected as well.
  • Ref: http://www.securityfocus.com/bid/16333/exploit

  • 06.4.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Intervations FileCopa FTP Server Directory Traversal
  • Description: Intervations FileCopa FTP Server is a file transfer application designed for use on Microsoft Windows systems. It is prone to a directory traversal vulnerability due to insufficient sanitization of user-supplied input to the arguments of the "STOR" and "RETR" FTP commands. Intervations FileCopa FTP Server version 1.01 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16335

  • 06.4.7 - CVE: CVE-2005-4411
  • Platform: Third Party Windows Apps
  • Title: Mercury Mail Remote Mailbox Name Service Buffer Overflow
  • Description: Mercury Mail is a Mail Transfer Agent (MTA) server for Microsoft Windows operating systems. It is prone to a remote buffer overflow vulnerability in its mailbox name service due to improper bounds checking on user-supplied input. Mercury Mail version 4.01b is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/16396/exploit

  • 06.4.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Shareaza Multiple Remote Integer Overflow Vulnerabilities
  • Description: Shareaza is a P2P file sharing application. It is prone to multiple integer overflow vulnerabilities. These issues are due to a failure of the application to properly ensure that user-supplied input does not result in the overflowing of integer values. Shareaza version 2.2.1.0 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/16399

  • 06.4.9 - CVE: Not Available
  • Platform: Linux
  • Title: Red Hat Server Management Console Buffer Overflow
  • Description: Red Hat Directory Server and Certificate Server are prone to buffer overflow issues because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers.
  • Ref: http://www.securityfocus.com/archive/1/422934

  • 06.4.10 - CVE: CVE-2006-0043
  • Platform: Linux
  • Title: SUSE NFS-SERVER Remote Buffer Overflow
  • Description: SUSE nfs-server is prone to a remote buffer overflow vulnerability present in the "realpath()" function of the rpc.mountd service in nfs-server. A remote attacker with the ability to create symlinks on any of the file systems on an affected computer running rpc.mountd can exploit this issue to execute arbitrary code. For a list of vulnerable versions, see the reference below.
  • Ref: http://www.securityfocus.com/bid/16388

  • 06.4.11 - CVE: CVE-2006-0379, CVE-2006-0380
  • Platform: BSD
  • Title: FreeBSD Multiple Local Kernel Memory Disclosure
  • Description: FreeBSD is vulnerable to multiple local kernel memory disclosure issues. This is due to the failure of the kernel to initialize previously used memory buffers and incorrect calculation of memory buffer lengths. FreeBSD kernel versions 6.0 and 5.4-STABLE are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16373

  • 06.4.12 - CVE: CVE-2006-0381
  • Platform: BSD
  • Title: OpenBSD PF IP Fragment Remote Denial Of Service
  • Description: PF is a packet filtering package that is integrated into the operating system's kernel. OpenBSD's PF is susceptible to a remote denial of service vulnerability. This issue is due to a flaw in affected kernels that results in a kernel crash when attempting to normalize IP fragments. For a list of vulnerable versions, see the reference below.
  • Ref: http://www.securityfocus.com/bid/16375

  • 06.4.13 - CVE: Not Available
  • Platform: Unix
  • Title: Eterm LibAST Library Local Buffer Overflow
  • Description: Eterm is a color vt102 terminal emulator intended as a replacement for xterm. Insufficient sanitization of the "conf_find_file()" function in the "conf.c" file exposes the library to a buffer overflow issue. LibAST versions 0.6.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/423207

  • 06.4.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: BEA WebLogic Multiple Vulnerabilities
  • Description: BEA has released 10 advisories identifying various vulnerabilities affecting BEA WebLogic Server, WebLogic Portal and WebLogic Express. These issues present remote and local threats and may facilitate attacks affecting the integrity, confidentiality, and availability of vulnerable computers. For a list of vulnerable versions, see the reference below.
  • Ref: http://www.securityfocus.com/bid/16358

  • 06.4.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: 123 Flash Chat Remote Code Injection
  • Description: 123 Flash Chat includes a chat server implemented in Java and a chat client implemented in Flash. Insufficient sanitization of the "openOneAVWindow" function exposes the application to a remote code injection issue. 123 Flash Chat versions 5.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16360/info

  • 06.4.16 - CVE: CVE-2005-3653
  • Platform: Cross Platform
  • Title: iTechnology iGateway Service Content-Length Heap Overflow
  • Description: Computer Associates iTechnology iGateway is a component of various Computer Associates products. It allows remote attackers to execute arbitrary code by exploiting a heap overflow vulnerability. This issue arises because the application fails to perform boundary checks prior to copying user-supplied data into sensitive process buffers. Products containing iGateway version 4.0.051230 are vulnerable to this issue.
  • Ref: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376

  • 06.4.17 - CVE: CVE-2006-0353
  • Platform: Cross Platform
  • Title: lsh Seed File File Descriptor Leakage
  • Description: lsh is a free software implementation of the ssh version 2 protocol. It may leak file descriptors that may allow a local attacker to access sensitive information or cause a denial of service condition. lsh version 2.0.1 is reportedly vulnerable.
  • Ref: http://lists.lysator.liu.se/pipermail/lsh-bugs/2006q1/000467.html

  • 06.4.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle PL/SQL Gateway PLSQLExclusion Access Control List Bypass
  • Description: The Oracle PL/SQL gateway is a component of Internet Application Server, Oracle Application Server and Oracle HTTP Server. It is prone to a vulnerability that permits bypassing of the "PLSQLExclusion" list due to improper sanitization of user-supplied input. Successful exploitation may facilitate a compromise of the database server and enable an attacker to gain full DBA access. Please refer to the following link for a list of vulnerable versions.
  • Ref: http://www.securityfocus.com/bid/16384/info

  • 06.4.19 - CVE: CVE-2006-0225
  • Platform: Cross Platform
  • Title: OpenSSH Local SCP Shell Command Execution
  • Description: OpenSSH is an open source implementation of the Secure Shell protocol. It is susceptible to a local SCP shell command execution issue due to a failure of the application to properly sanitize user-supplied input prior to utilizing it in a "system()" function call. OpenSSH version 4.2 is affected.
  • Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168167

  • 06.4.20 - CVE: CVE-2006-0321
  • Platform: Cross Platform
  • Title: Fetchmail Bounced Message Denial of Service
  • Description: Fetchmail is a freely available, open source mail retrieval utility. It is prone to a denial of service vulnerability due to improper handling of bounced messages. Specifically, the problem occurs when fetchmail tries to clear the array of failed message addresses by issuing a "free()" call to an invalid pointer. Fetchmail versions 6.3.1-rc1 and earlier are affected by this issue.
  • Ref: http://www.securityfocus.com/bid/16365/discuss

  • 06.4.21 - CVE: CVE-2006-0019
  • Platform: Cross Platform
  • Title: KDE KJS Encodeuri / Decodeuri Remote Heap Overflow
  • Description: KJS is the JavaScript interpreter engine used by Konqueror and KDE. It is prone to a remote heap overflow vulnerability. The issue presents itself when the application decodes specially-crafted UTF-8 encoded URI sequences. KDE versions 3.2.0 up to and including KDE 3.5.0 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/16325

  • 06.4.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi JP1/NetInsight II - Port Discovery Denial of Service
  • Description: Hitachi JP1/NetInsight II - Port Discovery is prone to a denial of service vulnerability. This issue is due to a failure in the application to handle exceptional conditions. Please refer to the advisory below for a list of vulnerable versions.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS05-027_e/index-e.html

  • CVE: DSA 949-1
  • Platform: Cross Platform
  • Title: Linley Henzell Dungeon Crawl Unspecified Command Execution
  • Description: Linley Henzell Dungeon Crawl is a console based game. It is vulnerable to an unspecified command execution vulnerability due to a design error. Local attackers can trigger this vulnerability to execute arbitrary commands to gain group games privileges. Linley Henzell Crawl versions 4.0 and earlier are vulnerable.
  • Ref: http://www.debian.org/security/2006/dsa-949

  • 06.4.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Exiv2 Corrupted EXIF Data Denial of Service
  • Description: Exiv2 is an EXIF and IPTC image metadata library. Improper bounds checking in the "sscanf()" call in the "src/value.cpp" file exposes the application to a denial of service issue. Exiv2 versions 0.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16400

  • 06.4.25 - CVE: CVE-2006-0407
  • Platform: Web Application - Cross Site Scripting
  • Title: AZ Bulletin Board Multiple Cross-Site Scripting Vulnerabilities
  • Description: AZ Bulletin Board is a web-based bulletin board application. It is vulnerable to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "name" parameter and the "topic" field of the "post.php" script. AZ Bulletin Board versions 1.0.8 and earlier are vulnerable.
  • Ref: http://www.kapda.ir/advisory-236.html

  • 06.4.26 - CVE: CVE-2006-0415
  • Platform: Web Application - Cross Site Scripting
  • Title: SleeperChat Index.PHP Cross-Site Scripting
  • Description: SleeperChat is a Web chat application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "pseudo" parameter of the "index.php" script. SleeperChat version 0.3f is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16363

  • 06.4.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Rockliffe MailSite HTTP Mail Management Cross-Site Scripting
  • Description: MailSite provides access to email accounts. Insufficient sanitization of user-supplied input supplied through "wconsole.dll" exposes the application to a cross-site scripting issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16330/info

  • 06.4.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Gallery User Name HTML Injection
  • Description: Gallery is an image gallery application. It is vulnerable to an HTML injection issue due to improper sanitization of user-supplied input to the user's full name field. Gallery version 1.5.2 is vulnerable.
  • Ref: http://gallery.menalto.com/page/gallery_1_5_2_release

  • 06.4.29 - CVE: CVE-2005-4305
  • Platform: Web Application - Cross Site Scripting
  • Title: Edgewall Software Trac Cross-Site Scripting
  • Description: Trac is a wiki and bug-tracking system. It is prone to a cross-site scripting vulnerability due to improper sanitization of user-supplied input. Trac versions 0.9.2 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16386/info

  • 06.4.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBB Multiple Cross-Site Scripting Vulnerabilities
  • Description: MyBB is a web-based bulletin board application. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of user-supplied input to the "sortby" and "sortordr" parameters of the "search.php" script. MyBB version 1.0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16387/exploit

  • 06.4.31 - CVE: CVE-2005-3787
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHPMyAdmin is a tool that provides a web interface for handling MySQL administrative tasks. Insufficient sanitization of the "title" parameter exposes the application to multiple cross-site scripting issues.
  • Ref: http://www.securityfocus.com/bid/16389

  • 06.4.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: My Little Homepage Products BBCode Link Tag Script Injection
  • Description: The My Little Homepage products are web log software, guestbook software, and forum software. They are prone to a script injection vulnerability. This issue is due to improper sanitization of user-supplied input in "[link]" BBCode tags of the web log, guestbook, and forum applications before using it in dynamically generated content.
  • Ref: http://www.securityfocus.com/bid/16395/exploit

  • 06.4.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: e-moBLOG Multiple SQL Injection Vulnerabilities
  • Description: e-moBLOG is a web blog application implemented in PHP. It is prone to multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "monthly" parameter of the "index.php" script and the "login" parameter of the "admin/index.php" script. e-moBLOG version 1.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16344

  • 06.4.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Zoph Unspecified SQL Injection
  • Description: Zoph is a Web based photo album application. It is vulnerable to an unspecified SQL injection issue due to a failure in the application to properly sanitize user-supplied input. Zoph versions earlier than 0.5 pre1 are vulnerable.
  • Ref: http://www.nother.net/zoph/

  • 06.4.35 - CVE: CVE-2006-0410
  • Platform: Web Application - SQL Injection
  • Title: ADOdb PostgreSQL SQL Injection
  • Description: ADOdb is a database abstraction library for PHP. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to unspecified parameters. ADOdb versions 4.70 and earlier that implement PostgreSQL are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16364/info

  • 06.4.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: miniBloggie Login.PHP SQL Injection
  • Description: miniBloggie is a web log application. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "Username" and "password" input fields of the "login.php" script.
  • Ref: http://www.securityfocus.com/bid/16367

  • 06.4.37 - CVE: NOT SET YET
  • Platform: Web Application - SQL Injection
  • Title: Hitachi HITSENSER Data Mart Server Multiple SQL Injection Vulnerabilities
  • Description: HITSENSER Data Mart Server is affected by multiple SQL injection issues due to a lack of sanitization of user-supplied input passed to parameters in the configuration section of the application. All current versions are affected.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS05-026_e/index-e.html

  • 06.4.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NewsPHP Index.PHP Multiple SQL Injection Vulnerabilities
  • Description: NewsPHP is a web-based portal. Insufficient sanitization of the "discuss", "tim", "id" and "words" parameters of the "index.php" script exposes the application to multiple SQL injection issues.
  • Ref: http://www.securityfocus.com/archive/1/423129

  • 06.4.39 - CVE: CVE-2006-0372
  • Platform: Web Application - SQL Injection
  • Title: BlogPHP Multiple SQL Injection Vulnerabilities
  • Description: BlogPHP is a web blog application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of the "blogphp_username" and "blogphp_password" parameters. Insane Visions BlogPHP version 1.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/422483

  • 06.4.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AndoNET Blog Comentarios.PHP SQL Injection
  • Description: AndoNET Blog is a web blog application. It is prone to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "entrada" parameter of "commentarios.php" before using it in an SQL query. Successful exploitation could allow an attacker to compromise the application. AndoNET Blog version 2004.09.02 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423162

  • 06.4.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Pixelpost User Comment HTML Injection
  • Description: Pixelpost is an image gallery and web blog application. It is vulnerable to an HTML injection issue due to improper sanitization of user-supplied input to the user comment field of the application. Pixelpost version 1.4.3 is vulnerable.
  • Ref: http://evuln.com/vulns/45/summary.html

  • 06.4.42 - CVE: Not Available
  • Platform: Web Application
  • Title: RCBlog Index.PHP Directory Traversal
  • Description: RCBlog is a web blog application written in PHP. It is prone to a directory traversal vulnerability due to insufficient sanitization of user-supplied input to the "post" parameter of the "index.php" script. RCBlog version 1.0.3 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/422499


  • 06.4.44 - CVE: Not Available
  • Platform: Web Application
  • Title: CheesyBlog Multiple HTML Injection Vulnerabilities
  • Description: CheesyBlog is a web based blog application. It is prone to multiple HTML injection vulnerabilities due to improper sanitization of user-supplied input before using it in dynamically generated content. Specifically, input to the "name", "email address", "URI" and "comment" fields of "archive.php" is not properly sanitized; other fields may also be vulnerable.
  • Ref: http://www.securityfocus.com/bid/16376/exploit

  • 06.4.45 - CVE: Not Available
  • Platform: Web Application
  • Title: PMachine ExpressionEngine HTTP Referrer HTML Injection
  • Description: ExpressionEngine is a web site management application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the HTTP "Referer" header. ExpressionEngine version 1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/16377/exploit

  • 06.4.46 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBB Notepad UserCP.PHP HTML Injection
  • Description: MyBB is a bulletin board application. It is prone to an HTML injection vulnerability due to improper sanitization of user-supplied input to the "notepad" parameter of the "usercp.php" script. MyBB versions 1.0.2 and 1.0.1 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16361/exploit

  • 06.4.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Etomite Arbitrary Code Execution
  • Description: Etomite is a content management system. Insufficient sanitization of the "cij" parameter in the "manager/includes/todo.inc.php" file exposes the application to an arbitrary code execution issue. Etomite CMS version 0.6 is affected.
  • Ref: http://www.securityfocus.com/bid/16336/info

  • 06.4.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Claroline E-Learning Session Hijacking
  • Description: Claroline is a web-based e-learning application. It is prone to a session hijacking vulnerability due to the way the application creates cookie session data. The application uses the value of "ssoCookieValue" to validate a user's current session. However, the application uses the "mktime()" function to create that cookie value, making it easy for an attacker to guess the cookie value and hijack other users' accounts.
  • Ref: http://www.securityfocus.com/archive/1/422482

  • 06.4.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Phpclanwebsite Multiple Input Validation Vulnerabilities
  • Description: Phpclanwebsite is a web site creation and management application. It is prone to multiple input validation issues due to a failure in the application to properly sanitize user-supplied input. Successful exploitation of these vulnerabilities could result in a compromise of the application. Phpclanwebsite version 1.23.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423145

  • 06.4.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Elido Face Control Multiple Directory Traversal Vulnerabilities
  • Description: Face Control is Web content management software. It is prone to multiple directory traversal issues due to improper sanitization of user-supplied input to the "s" and "p" parameters of the "vis.pl" script. All current versions are vulnerable.
  • Ref: http://www.hackerscenter.com/archive/view.asp?id=22236

  • 06.4.51 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS TCLSH AAA Command Authorization Bypass
  • Description: Cisco IOS has support for the TCL (Tool Command Language) scripting language. It is susceptible to a remote AAA (Authentication, Authorization, and Accounting) command authorization bypass issue due to a failure of the software to properly enforce command authorization restrictions in an "IOS EXEC" TCL command.
  • Ref: http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml

  • 06.4.52 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco VPN 3000 Concentrator Remote Denial of Service
  • Description: Cisco VPN 3000 Concentrator products provide Virtual Private Network services. They are vulnerable to a remote denial of service issue when handling an unspecified specially crafted HTTP packet. Cisco VPN 3000 series concentrators running software versions 4.7.0 through 4.7.2.A are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16394

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.