
@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 40
October 9, 2006

This is a week for security flaws in security vendors' software: McAfee, Symantec, Computer Associates and Trend Micro. If you thought you were seeing an increasing number of flaws in security vendors' products, you are correct. The flaws may have always been there, but the trend is that the attacker community has targeted these products because they (and backup products) are so often trusted and so rarely updated. They provide fertile territory for circumventing firewalls.

One of the more interesting elements of this issue is the Xerox vulnerability and the lack of any way to fix it. Printers, especially dual-homed printers, are one of the most effective attack vectors for penetrating sensitive areas of companies. Most printers with network interface cards have multiple vulnerabilities, but most sites don't even try to patch them.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                    # of Updates & Vulnerabilities
    Third Party Windows Apps                    6 (#1, #2, #3, #4, #5)
    Mac Os                                      1
    HP-UX                                       1
    Novell                                      1
    Cross Platform                              9
    Web Application - Cross Site Scripting      9
    Web Application - SQL Injection             5
    Web Application                             38 (#6)
    Network Device                              2 (#7)
    Hardware                                    3

******** SPONSORED BY PROFESSIONAL DEVELOPMENT TRAINING *****************

Immersion, hands-on training on Hacker Exploits, Firewalls, Intrusion Detection, Security Essentials, CISSP Preparation and more. Attend in New Orleans, Washington or one of 50 other cities around the world. The best teachers in security - for twelve years in a row. For a schedule and course selection see:

www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
HP-UX
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************ SPONSORED LINK *********************************

1) Maximize your Training Budget! Save 15-30% on SANS training & certification! SANS Program that pays you credits and delivers flexibility. Are you looking for a creative way to finance training?

http://www.sans.org/info/1393

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: McAfee ePolicy Orchestrator/ProtectionPilot Remote Buffer Overflow
  • Affected:
    • McAfee ePolicy Orchestrator versions 3.0 SP2a and prior
    • McAfee ProtectionPilot versions 1.1.1 patch 2 and prior
  • Description: The web server component used in both McAfee ePolicy Orchestrator (used to monitor and maintain enterprise policy) and McAfee ProtectionPilot (used to monitor and maintain threat protection software) contains an exploitable buffer overflow. By sending a specially-crafted request to this server component, an attacker could trigger this buffer overflow and execute arbitrary code with the privileges of the process - often SYSTEM. Note that multiple working exploits have been publicly posted for these vulnerabilities. Users are advised to block access to port 81/TCP at the network perimeter, if possible.

  • Status: McAfee confirmed, updates available.

  • Council Site Actions: Only one of the responding council sites is using the affected software and they plan to deploy the patch during their next regularly scheduled system maintenance cycle.

  • References:
    • Technical Explanation by BackTrack: http://www.remote-exploit.org/advisories/mcafee-epo.pdf
    • Proofs-of-Concept: http://www.milw0rm.com/exploits/2467 and http://downloads.securityfocus.com/vulnerabilities/exploits/20228.py
    • McAfee Home Page: http://www.mcafee.com/
    • SecurityFocus BID: http://www.securityfocus.com/bid/20288

  • (2) HIGH: Computer Associates Multiple Products Multiple Vulnerabilities
  • Affected:
    • BrightStor ARCserve Backup R11.5 Client
    • BrightStor ARCserve Backup R11.5 Server
    • BrightStor Enterprise Backup 10.5
    • BrightStor ARCserve Backup v9.01
    • CA Server Protection Suite r2
    • CA Business Protection Suite r2
  • Description: Several Computer Associates products suffer from multiple vulnerabilities: (1) An exploitable heap overflow exists in the Message Engine RPC service. (2) An exploitable stack-based buffer overflow exists in the Discovery Service, running on ports 41524/UDP and 41523/TCP. By exploiting either or both of these vulnerabilities, an attacker could execute arbitrary code with the privileges of the vulnerable process - often SYSTEM. No authentication is required to exploit either of these vulnerabilities. Some technical details for both of these vulnerabilities have been publicly posted.

  • Status: Computer Associates confirmed, updates available.

  • References:
  • (3) HIGH: Symantec Automated Support Tool ActiveX Control Remote Buffer Overflow
  • Affected:
    • The following products are known to include a vulnerable version of the ActiveX control. Other products may also be vulnerable.
    • Symantec Norton SystemWorks versions 2005/2006
    • Symantec Norton Internet Security versions 2005/2006
    • Symantec Norton AntiVirus versions 2005/2006
    • Symantec Automated Support Assistant
  • Description: The Symantec Automated Support Tool ActiveX control, used by multiple Symantec products to provide diagnostic information for problem resolution, contains an exploitable buffer overflow. A specially crafted web page that instantiates this control could exploit this buffer overflow and execute arbitrary code with the privileges of the current user. Note that re-usable exploit code to leverage these flaws is publicly available. Flaws similar to these have been widely exploited in the past.

  • Status: Symantec confirmed, updates available.

  • Council Site Actions: Two of the responding council sites are using the affected software. The first site is already in the process of patching their systems. The second site has a few hundred installations, but on systems that are not supported by their central IT department. They have no immediate plans to respond because they have no realistic way to identify the affected user population.

  • References:
  • (4) MODERATE: MailEnable NTLM Authentication Remote Code Execution
  • Affected:
    • MailEnable Professional and Enterprise versions 2.0 and possibly prior
  • Description: MailEnable, a popular email solution for Microsoft Windows, contains several exploitable vulnerabilities in its handling of authentication requests. By sending specially-crafted NTLM (NT LAN Manager) authentication requests to the SMTP server, an attacker could execute arbitrary code with the privileges of the server process - often SYSTEM. Currently, it is believed that authentication is not required to exploit this vulnerability. NTLM authentication is disabled by default in MailEnable.

  • Status: MailEnable confirmed, updates available.

  • Council Site Actions: Affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
    • Mu Security Advisory: http://labs.musecurity.com/advisories/MU-200609-01.txt
    • MailEnable Home Page: http://www.mailenable.com
    • SecurityFocus BID: http://www.securityfocus.com/bid/20290

  • (5) MODERATE: Trend Micro OfficeScan ActiveX Format String Vulnerability
  • Affected:
    • The following products are known to include a vulnerable version of the ActiveX control. Other products may also be vulnerable.
    • Trend Micro OfficeScan Corporate Edition version 7.3
  • Description: Trend Micro OfficeScan Corporate Edition, a popular antivirus and anti-spyware suite, contains an exploitable format string vulnerability. By sending a specially-crafted string to the Remote Client Install search function of the ActiveX component, an attacker could exploit this vulnerability and potentially execute arbitrary code with the privileges of the OfficeScan process. Note that some technical details for this vulnerability have been publicly posted.

  • Status: Trend Micro confirmed, updates available.

  • Council Site Actions: Affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
    • Layered Defense Security Advisory: http://www.layereddefense.com/TREND01OCT.html
    • Trend Micro Home Page: http://www.trendmicro.com
    • SecurityFocus BID: http://www.securityfocus.com/bid/20284

  • (6) MODERATE: phpBB Remote Code Execution Vulnerability
  • Affected:
    • phpBB versions 2.0.21 and possibly prior
  • Description: phpBB, a popular PHP-based bulletin board system, contains a remote code execution vulnerability. By sending a specially-formatted value to the phpBB instance via the "Avatar_Path" variable, an attacker could execute arbitrary PHP code with the privileges of the web server process. Because phpBB is open source, technical details of this vulnerability are easily available via source code analysis.

  • Status: phpBB has not confirmed, no updates available.

  • References:
  • (7) LOW: Xerox Multiple Product Authentication Bypass and Code Injection
  • Affected:
    • Xerox WorkCentre and WorkCentre Pro models 232, 238, 245, 255, 265, and 275
  • Description: Xerox WorkCentre and WorkCentre Pro multi-function copier/printers contain an exploitable authentication-bypass vulnerability. By sending a specially-crafted request to the administration web interface, an attacker could bypass the configured authentication systems and potentially gain complete control of the vulnerable system.

  • Status: Xerox confirmed, updates available.

  • Council Site Actions: Only one of the responding council sites is using the affected software/models. They sent the vulnerability information to their printer support group. They have a dozen or so Xerox systems, but they do not have accurate information about device ownership or location. They considered passing along the information by e-mail to departmental system administrators, but this is of limited value because many departments do not consider the device to be computing equipment, and the person who maintains the device does not maintain any (other) computer systems.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 40, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5181 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.40.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Trend Micro OfficeScan ATXCONSOLE.OCX ActiveX Control Format String
  • Description: Trend Micro OfficeScan is an antivirus solution for Windows. It is prone to a remote format string vulnerability. This issue affects the "ATXCONSOLE.OCX" ActiveX control, which ships as part of the management console of OfficeScan. Trend Micro OfficeScan Corporate Edition version 7.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20284

  • 06.40.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailEnable SMTP NTLM Authentication Multiple Vulnerabilities
  • Description: MailEnable is prone to multiple remote vulnerabilities. These issues result from insufficient boundary checks prior to copying user-supplied data into sensitive process buffers. These issues arise in the SMTP server during NTLM authentication. MailEnable Professional 2.0 and MailEnable Enterprise 2.0 are reported to be vulnerable to these issues.
  • Ref: http://labs.musecurity.com/advisories/MU-2006090-01.txt

  • 06.40.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ProRat Remote Login Authentication Bypass
  • Description: ProRat is a remote administration tool that allows users to access their computers remotely and is available for Windows. The application is prone to an authentication bypass vulnerability. ProRat Server version 1.9 Fix2 is affected.
  • Ref: http://www.securityfocus.com/bid/20293

  • 06.40.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Sunbelt Kerio Personal Firewall Multiple Local Denial of Service Vulnerabilities
  • Description: Sunbelt Kerio Personal Firewall is a firewall for Windows. It is prone to multiple local denial of service vulnerabilities due to insufficient input sanitization of the functions used while hooking SSDT functions in the operating system. Versions 4.2.3.912 through 4.3.268 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20299

  • 06.40.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IBM Client Security Password Manager Design Error
  • Description: IBM Client Security Password Manager is an application that ships with IBM laptops. It is prone to a design error that degrades the integrity of client side web security. Because the Password Manager relies on "Window Title" information as part of the authentication routine it performs on behalf of the user, a malicious web site can establish a web page that spoofs the same window title that the application expects to map.
  • Ref: http://www.securityfocus.com/bid/20308

  • 06.40.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Trend Micro OfficeScan Client Removal and File Deletion Vulnerabilities
  • Description: Trend Micro OfficeScan is prone to a denial of service via software removal, and arbitrary file deletion vulnerabilities. A successful exploit allows a remote attacker to forcibly remove the OfficeScan client or delete arbitrary files from an OfficeScan server. Trend Micro OfficeScan Corporate Edition version 7.3 and prior are reported vulnerable.
  • Ref: http://www.securityfocus.com/bid/20330

  • 06.40.7 - CVE: CVE-2006-4387, CVE-2006-4390, CVE-2006-4391
  • Platform: Mac Os
  • Title: Apple Mac OS X Pre 10.4.8 Multiple Security Vulnerabilities
  • Description: Apple Mac OS X is exposed to multiple security vulnerabilities. These issues affect Mac OS X and various applications including CFNetwork, Safari, Kernel, ImageIO, LoginWindow, System Preferences, QuickDraw Manager, and Workgroup Manager. An attacker can exploit these issues to execute arbitrary code, gain elevated privileges, cause denial of service conditions, and gain unauthorized access. Please refer to the link below for further details.
  • Ref: http://docs.info.apple.com/article.html?artnum=304460

  • 06.40.8 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP-UX Ignite-UX Remote Unauthorized Access and Privilege Escalation Vulnerabilities
  • Description: HP-UX is prone to remote unauthorized access and privilege-escalation vulnerabilities. These issues occur when HP-UX is running the Ignite-UX server. HP-UX versions B.11.00, B.11.11 and B.11.23 are affected.
  • Ref: http://www.securityfocus.com/bid/20269

  • 06.40.9 - CVE: CVE-2006-4511
  • Platform: Novell
  • Title: Novell GroupWise Messenger Server Nmma.EXE Denial of Service
  • Description: Novell GroupWise Messenger is a corporate instant messaging application for multiple platforms. It is prone to a denial of service vulnerability due to insufficient error handling for an unspecified HTTP POST request containing an altered "val" parameter. Versions 2.0 and prior are reported to be vulnerable.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974440.htm

  • 06.40.10 - CVE: CVE-2006-2937
  • Platform: Cross Platform
  • Title: OpenSSL ASN.1 Structures Denial of Service
  • Description: OpenSSL is prone to a denial of service vulnerability. This issue exists when the library parses certain unspecified "ASN.1" structures and fails to properly handle error conditions. This may result in an infinite loop consuming excessive systems resources.
  • Ref: http://www.securityfocus.com/bid/20248

  • 06.40.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox Unspecified Javascript Remote Code Execution
  • Description: Mozilla Firefox is prone to an unspecified remote denial of service vulnerability that was initially reported to be a remote code execution vulnerability. Little information is available at this time. All known versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20282

  • 06.40.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: McAfee EPolicy Orchestrator and ProtectionPilot HTTP Server Remote Buffer Overflow Vulnerability
  • Description: The HTTP server component of McAfee ePolicy Orchestrator and ProtectionPilot is exposed to a remote stack buffer overflow issue that can lead to complete system compromise. McAfee ePolicy Orchestrator version 3.5.0 and ProtectionPilot version 1.1.0 are affected.
  • Ref: http://metasploit.com/projects/Framework/exploits.html#mcafee_epolicy_source

  • 06.40.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox Multiple Unspecified Javascript Vulnerabilities
  • Description: Mozilla Firefox is prone to multiple unspecified Javascript issues due to failure of the application to properly sanitize user-supplied input. Please see the attached advisory for details.
  • Ref: http://www.securityfocus.com/bid/20294

  • 06.40.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Web Scripts Easy Banner Functions.PHP Remote File Include
  • Description: Easy Banner is a website-banner exchange application. It is exposed to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "s[phppath]" parameter of "functions.php". Easy Banner Free version is affected.
  • Ref: http://www.securityfocus.com/bid/20295

  • 06.40.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Informix Dynamic Server Installer Insecure Temporary File Creation
  • Description: The installation process for IBM Informix Dynamic Server creates temporary files in an insecure manner. An attacker with local access could potentially exploit this issue to perform symbolic link attacks upon the "/tmp/installserver.txt" file, overwriting it in the context of the affected application. IBM Informix Dynamic Server version 10.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/447501

  • 06.40.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Symbolic Link Open_Basedir Bypass
  • Description: PHP is exposed to an "open_basedir" restriction-bypass vulnerability. Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations. PHP versions 4 and 5 are affected.
  • Ref: http://www.securityfocus.com/archive/1/447649

  • 06.40.17 - CVE: CVE-2006-5072
  • Platform: Cross Platform
  • Title: Mono System.CodeDom.Compiler Class Insecure Temporary File Creation
  • Description: The Mono System is a platform for running and developing applications based on the ECMA/ISO Standards. The Mono "System.CodeDom.Compiler" class creates temporary files in an insecure manner, potentially allowing an attacker to overwrite or corrupt sensitive files. Versions 1.0 and 2.0 are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20340


  • 06.40.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Sun Secure Global Desktop Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: Sun Secure Global Desktop is a web-based server application that allows secure application access on multiple platforms. It is implemented by Sun Microsystems. The application is prone to multiple unspecified cross-site scripting vulnerabilities.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102650-1&searchclause=

  • 06.40.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: FacileForms Unspecified Cross-Site Scripting
  • Description: FacileForms is a user-management module for Mambo and Joomla. It is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. FacileForms versions 1.4.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20254

  • 06.40.21 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PowerPortal Register User Cross-Site Scripting
  • Description: PowerPortal is a web portal application. It is exposed to a cross-site scripting attack because it fails to sufficiently sanitize user-supplied input when registering a new user. PowerPortal version 1.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20279

  • 06.40.22 - CVE: CVE-2006-5146
  • Platform: Web Application - Cross Site Scripting
  • Title: Yblog Multiple Cross-Site Scripting Vulnerabilities
  • Description: Yblog is a web log application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to multiple scripts and parameters. All versions of Yblog are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/447427

  • 06.40.23 - CVE: CVE-2006-3820
  • Platform: Web Application - Cross Site Scripting
  • Title: Loudblog Message Comment HTML Injection
  • Description: Loudblog is a content management system. It is vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input to the "comment" field in the "index.php" script. All versions of Loudblog are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20296

  • 06.40.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Digishop Cart.PHP Cross-Site Scripting
  • Description: Digishop is a web-based ecommerce solution implemented in PHP. It is prone to a cross-site scripting vulnerability due to insufficient input sanitization of the "sortby" and "search" parameters of "cart.php". Version 4.0.0 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20297

  • 06.40.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Net2FTP Index.PHP Cross-Site Scripting
  • Description: net2ftp is an FTP application. It is exposed to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the "username" parameter of "index.php". Version 0.93 is affected.
  • Ref: http://www.securityfocus.com/bid/20313

  • 06.40.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ASPPlayGround.NET Forum Calendar.ASP Cross-Site Scripting
  • Description: ASPPlayground.NET Forum Advanced Edition is an online forum system. Insufficient sanitization of the "calendarID" parameter of the "calendar.asp" script exposes the application to a cross-site scripting issue. ASPPlayground.NET version 2.4.5 is affected.
  • Ref: http://www.securityfocus.com/bid/20335

  • 06.40.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: osCommerce Multiple Cross-Site Scripting Vulnerabilities
  • Description: osCommerce is a web-based shopping cart application, implemented in PHP. The application is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data to the "HTTP_GET_VARS['page']" parameter of several scripts.
  • Ref: http://www.oscommerce.com/community/bugs,4303

  • 06.40.28 - CVE: CVE-2006-5121
  • Platform: Web Application - SQL Injection
  • Title: PostNuke Admin.PHP SQL Injection
  • Description: PostNuke is a content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied data to the "hits" parameter of the "modules/Downloads/admin.php" script. PostNuke version 0.7.62 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20317

  • 06.40.29 - CVE: CVE-2006-2202
  • Platform: Web Application - SQL Injection
  • Title: Invision Gallery Index.PHP SQL Injection
  • Description: Invision Gallery is a gallery system that can be used as a plug-in for Invision Power Board. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "album" parameter of the "index.php" script. Invision Gallery versions 2.0.7 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20327

  • 06.40.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Taskjitsu Key Parameter SQL Injection
  • Description: Taskjitsu is a web-based application. Insufficient sanitization of the "key" parameter exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/20332

  • 06.40.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Yener Haber Script SQL Injection
  • Description: Yener Haber Script is an ASP script. It is exposed to an SQL injection issue. This issue is due to a failure in the application to properly sanitize user-supplied input. Yener Haber Script versions 2.0 and 1.0 are affected.
  • Ref: http://www.securityfocus.com/bid/20333

  • 06.40.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Civica Display.ASP SQL Injection
  • Description: Civica is a modular content management system. It is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "Entry" parameter of the "press/display.asp" script.
  • Ref: http://www.securityfocus.com/bid/20354

  • 06.40.33 - CVE: CVE-2006-5141
  • Platform: Web Application
  • Title: Geotarget Script.PHP Remote File Include
  • Description: Geotarget is an application designed to assist webmasters with locating the origin of web site requests. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "anp_path" parameter of the "script.php" script. Geotarget version 0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20272

  • 06.40.34 - CVE: Not Available
  • Platform: Web Application
  • Title: Mercury SiteScope Unspecified HTML Injection
  • Description: Mercury SiteScope is a system monitoring tool used by IT departments to ensure availability and performance. It is exposed to an HTML injection issue because it fails to properly sanitize user supplied input before using it in dynamically generated content. Version 8.2 is affected.
  • Ref: http://www.securityfocus.com/bid/20275

  • 06.40.35 - CVE: Not Available
  • Platform: Web Application
  • Title: ConPresso CMS Multiple Input Validation Vulnerabilities
  • Description: ConPresso CMS is a content manager implemented in PHP. It is prone to multiple input validation vulnerabilities due to insufficient input sanitization of several parameters of several scripts. Both cross-site scripting and SQL injection attacks are reported to be possible. Version 4.0.4a is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20273

  • 06.40.36 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB XS Multiple Remote File Include Vulnerabilities
  • Description: phpBB XS is a modification of the phpBB online bulletin-board system. It is prone to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "functions_kb.php" and "bbcb_mg.php" scripts. Versions 0.58 and prior are affected by these issues.
  • Ref: http://www.securityfocus.com/bid/20277

  • 06.40.37 - CVE: CVE-2006-5123
  • Platform: Web Application
  • Title: PHProjekt Include Path Multiple Remote File Include Vulnerabilities
  • Description: PHProjekt is an open-source PHP groupware package. It is vulnerable to multiple remote file include issues due to insufficient sanitization of user-supplied input to various scripts. PHProjekt version 5.1.1 is vulnerable.
  • Ref: http://www.hardened-php.net/advisory_062006.129.html

  • 06.40.38 - CVE: Not Available
  • Platform: Web Application
  • Title: UBB.threads Multiple Input Validation Vulnerabilities
  • Description: UBB.threads is a web-based forum application implemented in PHP. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "GLOBALS[thispath]" and "GLOBALS[configdir]" variables of "ubbt.inc.php". Version 6 (6.5.1.1) is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/447359

  • 06.40.39 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Krazy Image Host Script Display.PHP SQL Injection
  • Description: PHP Krazy Image Host Script is an application for hosting images. Insufficient sanitization of the "id" parameter in the "display.php" script exposes the application to an SQL injection issue. PHP Krazy Image Host Script version 0.7 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20270

  • 06.40.40 - CVE: Not Available
  • Platform: Web Application
  • Title: PPA Gallery Functions_Inc.PHP Remote File Include
  • Description: PPA Gallery is a photo album application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "phpbb_root_path" parameter of the "inc/functions_inc.php" script. PPA Gallery versions 1.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20255

  • 06.40.41 - CVE: Not Available
  • Platform: Web Application
  • Title: DokuWiki With ImageMagick Remote Command Execution and Denial of Service Vulnerabilities
  • Description: DokuWiki is prone to a denial of service vulnerability and an arbitrary command execution vulnerability. These issues present themselves in the "fetch.php" script, when DokuWiki is configured to utilize ImageMagick. DokuWiki version 2006-03-09 is vulnerable to these issues.
  • Ref: http://www.securityfocus.com/bid/20257

  • 06.40.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Les Visiteurs Config.Inc.PHP Remote File Include
  • Description: Les Visiteurs is a hit-counter application implemented in PHP. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "lvc_include_dir" parameter of the "config.inc.php" script. Les Visiteurs versions 2.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20259

  • 06.40.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Tagmin Control Center Index.PHP Remote File Include
  • Description: Tagmin Control Center is a web administration application for TagIt!. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "page" parameter of the "index.php" script. Tagmin Control Center version 2.1.B is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20260

  • 06.40.44 - CVE: Not Available
  • Platform: Web Application
  • Title: PowerPortal Index.PHP Remote File Include
  • Description: PowerPortal is a content management system. Insufficient sanitization of the "file_name" parameter of the "index.php" script exposes the application to a remote file include issue. PowerPortal version 1.3a is affected.
  • Ref: http://www.securityfocus.com/bid/20262

  • 06.40.45 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMyWebmin Remote File Include and Information Disclosure Vulnerabilities
  • Description: phpMyWebmin is a web-based file management tool. It is affected by a remote file include and information disclosure vulnerability. These issues are due to a failure of the application to properly sanitize user-supplied input. phpMyWebmin version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/20264

  • 06.40.46 - CVE: CVE-2006-5155
  • Platform: Web Application
  • Title: VideoDB PDF.PHP Remote File Include
  • Description: VideoDB is a database application for managing personal video collections. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "config[pdf_module]" parameter of the "core/pdf.php" script. VideoDB versions 2.2.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20265

  • 06.40.47 - CVE: Not Available
  • Platform: Web Application
  • Title: BSQ Sitestats Joomla Component Multiple Input Validation Vulnerabilities
  • Description: BSQ Sitestats is a site visitor statistics component for Joomla. It is exposed to multiple input validation errors because it fails to sufficiently sanitize user-supplied data. Version 1.8.0 is affected.
  • Ref: http://www.securityfocus.com/bid/20267

  • 06.40.48 - CVE: Not Available
  • Platform: Web Application
  • Title: OlateDownload Multiple Input Validation Vulnerabilities
  • Description: OlateDownload is a download manager. Insufficient sanitization of the "description_small" parameter of the "userupload.php" script and the "page" parameter of the "details.php" script exposes the application to multiple input validation issues. OlateDownload version 3.4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/20278

  • 06.40.49 - CVE: CVE-2006-5124
  • Platform: Web Application
  • Title: phpMyWebmin Multiple Remote File Include Vulnerabilities
  • Description: phpMyWebmin is a web-based file management tool. It is affected by multiple remote file include vulnerabilities. The file include problem presents itself when an attacker passes the location of a potentially malicious remote script through the "target" parameter of multiple scripts. phpMyWebmin versions 1.0 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20281

  • 06.40.50 - CVE: Not Available
  • Platform: Web Application
  • Title: BasiliX Multiple Remote File Include Vulnerabilities
  • Description: BasiliX is a webmail application. Insufficient sanitization of user-supplied input exposes the application to multiple file include issues. BasiliX version 1.1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/20287

  • 06.40.51 - CVE: CVE-2006-5147
  • Platform: Web Application
  • Title: VAMP Webmail Yesno.PHTML Remote File Include
  • Description: VAMP Webmail is a Webmail application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input in the "no_url" parameter of the "yesno.phtml" script. VAMP Webmail versions 2.0 beta1 and earlier are vulnerable.
  • Ref: http://www.milw0rm.com/exploits/2461

  • 06.40.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Forum82 Multiple Remote File Include Vulnerabilities
  • Description: Forum82 is a web forum application. It is prone to multiple remote file include vulnerabilities due to insufficient input sanitization of the "repertorylevel" parameter of multiple scripts. Versions 2.5.2 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20291

  • 06.40.53 - CVE: Not Available
  • Platform: Web Application
  • Title: DeluxeBB Sig.PHP Remote File Include
  • Description: DeluxeBB is a bulletin board application implemented in PHP. DeluxeBB is prone to a remote file include vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input to the "templatefolder" parameter of the "sig.php" script. This issue affects version 1.09.
  • Ref: http://www.deluxebb.com/community/topic.php?tid=420

  • 06.40.54 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenBiblio Multiple Input Validation Vulnerabilities
  • Description: OpenBiblio is an automated library system. Insufficient sanitization of user-supplied input exposes the application to multiple SQL injection and local file include issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/20301

  • 06.40.55 - CVE: Not Available
  • Platform: Web Application
  • Title: BBaCE Functions.PHP Remote File Include
  • Description: BBaCE is a bulletin board application. The application is exposed to a remote file include issue due to a failure in the application to properly sanitize user-supplied input to the "phpbb_root_path" parameter of the "functions.php" script. BBaCE version 3 is affected.
  • Ref: http://www.securityfocus.com/bid/20302

  • 06.40.56 - CVE: CVE-2006-4993
  • Platform: Web Application
  • Title: AllMyGuests SignIn.PHP Remote File Include
  • Description: AllMyGuests is a guest book application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "_AMGconfig[cfg_serverpath]" parameter of the "signin.php" script. AllMyGuests version 0.4.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20303

  • 06.40.57 - CVE: Not Available
  • Platform: Web Application
  • Title: WheatBlog Multiple HTML Injection Vulnerabilities
  • Description: WheatBlog is a blogging system implemented in PHP. It is prone to multiple HTML injection vulnerabilities due to insufficient input sanitization of unspecified fields of the "Commentary" and "Registry of Users" pages. Versions 1.1 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20306

  • 06.40.58 - CVE: Not Available
  • Platform: Web Application
  • Title: JAF CMS Forum.PHP Remote File Include
  • Description: JAF CMS is a content management application. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "website" parameter of the "forum.php" script. Versions 4.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20310

  • 06.40.59 - CVE: Not Available
  • Platform: Web Application
  • Title: HAMweather Template.PHP Script Code Injection
  • Description: HAMweather is a weather reporting application. Insufficient sanitization of user-supplied input exposes the application to multiple script code injection issues. HAMweather version 3.9.8.4 is affected.
  • Ref: http://www.securityfocus.com/bid/20311

  • 06.40.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal IMCE Module Arbitrary File Deletion
  • Description: IMCE is a module for the Drupal content management system. The IMCE module is vulnerable to an arbitrary file deletion issue due to insufficient sanitization of user-supplied input. Drupal IMCE version 4.6 is vulnerable.
  • Ref: http://drupal.org/node/87101

  • 06.40.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Travelsized CMS Frontpage.PHP Remote File Include
  • Description: Travelsized CMS is a content manager implemented in PHP. The application is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "setup_folder" parameter of the "frontpage.php" script. This issue affects versions 0.4 and earlier.
  • Ref: http://www.securityfocus.com/bid/20321

  • 06.40.62 - CVE: Not Available
  • Platform: Web Application
  • Title: klinza professional CMS Show_Hlp.PHP Remote File Include
  • Description: klinza professional CMS is a content management system. klinza is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "appl[APPL]" parameter of "funzioni/lib/show_hlp.php". klinza professional CMS versions 5.0.1 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20323

  • 06.40.63 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMyProfiler Functions.PHP Remote File Include
  • Description: phpMyProfiler is a movie database application. Insufficient sanitization of the "pmp_rel_path" parameter of the "functions.php" script exposes the application to a remote file include issue. phpMyProfiler version 0.9.6 is affected.
  • Ref: http://www.securityfocus.com/bid/20324

  • 06.40.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Gallery Index.PHP Directory Traversal
  • Description: Invision Gallery is a gallery system that can be used as a plug-in for Invision Power Board. Invision Gallery is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input to the "dir" parameter of the "index.php" script. Invision Gallery versions 2.0.7 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20328

  • 06.40.65 - CVE: Not Available
  • Platform: Web Application
  • Title: JAF CMS Multiple Remote File Include Vulnerabilities
  • Description: JAF CMS is a content management system implemented in PHP. JAF CMS is prone to multiple remote file include vulnerabilities due to insufficient input sanitization of the "main_dir" parameter of "main.php" and "headlines.php". Versions 4.0 RC1 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20329

  • 06.40.66 - CVE: Not Available
  • Platform: Web Application
  • Title: WEBGENEius GOOP Gallery Directory Traversal
  • Description: GOOP Gallery is a directory based photo gallery. It is prone to a directory traversal vulnerability due to improper sanitization of user-supplied input. GOOP Gallery version 2.0.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20331

  • 06.40.67 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Avatar_Path PHP Code Execution
  • Description: phpBB is bulletin board software. Insufficient sanitization of the "avatar_path" parameter of the "admin/admin_board" script exposes the application to a code execution issue. phpBB version 2.0.21 is affected.
  • Ref: http://www.securityfocus.com/bid/20347

  • 06.40.68 - CVE: Not Available
  • Platform: Web Application
  • Title: WikyBlog Index.PHP Remote File Include
  • Description: WikyBlog is a wiki blog application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "includeDir" parameter of the "index.php" script. WikyBlog versions 1.2.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/447735

  • 06.40.69 - CVE: Not Available
  • Platform: Web Application
  • Title: phpGreetz Footer.PHP Remote File Include
  • Description: phpGreetz is a greeting card website application. It is prone to a remote file include vulnerability due to insufficient input sanitization of the "PHPGREETZ_INCLUDE_DIR" parameter of "includes/footer.php". Versions 0.99 and prior are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20352

  • 06.40.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Nivisec Static Topics Module Functions_Static_Topics.PHP Remote File Include
  • Description: Nivisec Static Topics is a PHP module for phpBB that makes forum topics static. The module is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "functions_static_topics.php" script. Versions 1.0 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20353

  • 06.40.71 - CVE: Not Available
  • Platform: Network Device
  • Title: Xerox Multiple Product Arbitrary Command Execution
  • Description: Multiple Xerox products are vulnerable to an arbitrary command execution issue. These include the ESS/Network Controller and the MicroServer Web Server. The issue occurs because the device allows an attacker to inject commands through the TCP/IP hostname, resulting in the execution of arbitrary commands.
  • Ref: http://www.xerox.com/downloads/usa/en/c/cert_XRX06_005.pdf

  • 06.40.72 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys SPA921 VoIP Phone HTTP Server Denial of Service Vulnerabilities
  • Description: Linksys SPA921 VoIP phones are susceptible to a denial of service vulnerability because the devices fail to properly handle large user-supplied input values in HTTP traffic. A long username or password in a basic HTTP authentication field will also crash and reboot the phone.
  • Ref: http://www.securityfocus.com/bid/20346

  • 06.40.73 - CVE: Not Available
  • Platform: Hardware
  • Title: Motorola SB4200 Remote Denial of Service
  • Description: Motorola SB4200 is an external cable modem. The device is prone to a denial of service vulnerability. This issue occurs when excessively large data packets are transmitted to the affected device; in particular, it occurs when handling HTTP requests with an excessively large "mfcisapicommand" parameter.
  • Ref: http://www.securityfocus.com/bid/20309

  • 06.40.74 - CVE: Not Available
  • Platform: Hardware
  • Title: PolyCom IP-301 VoIP Desktop Phone HTTP Server Denial of Service
  • Description: PolyCom IP-301 is a voice over IP (VoIP) desktop telephone. It is affected by multiple denial of service issues. See the referenced advisory for details.
  • Ref: http://www.securityfocus.com/bid/20351/info

  • 06.40.75 - CVE: Not Available
  • Platform: Hardware
  • Title: GrandStream GXP-2000 VoIP Phone Denial of Service
  • Description: GrandStream GXP-2000 is a voice over IP (VoIP) desktop telephone. It is exposed to a denial of service issue because the device fails to properly handle excessive amounts of UDP traffic. Firmware 1.1.0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/20356

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.