@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed software

• (1) HIGH: Broadcom Wireless Device Driver Buffer Overflow
• (2) HIGH: Mozilla Products Multiple Vulnerabilities Vulnerable: Mozilla Firefox versions prior to 1.5.0.8 Mozilla Thunderbird versions prior to 1.5.0.8 Mozilla SeaMonkey versions prior to 1.0.6
• (3) HIGH: HP OpenView Client Configuration Manager Remote Command Execution Vulnerable: HP OpenView Client Configuration Manager 1.0
• (4) MODERATE: ProFTPD Unspecified Remote Code Execution Vulnerable: ProFTPD version 1.3 and possibly prior
• (5) MODERATE: Citrix MetaFrame IMA Management Module Multiple Vulnerabilities Vulnerable: Citrix MetaFrame XP versions 1.0 and 2.0 Citrix MetaFrame Presentation Server versions 3.0 and 4.0
• (6) LOW: OpenSSH Authentication Signature Weakness

Other Software

• (7) HIGH: Xlink Omni-NFS Server Buffer Overflow Vulnerable: Xlink Technologies Omni-NFS Server

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 06.45.1 - Microsoft Internet Explorer 6 Unspecified Code Execution
• 06.45.2 - Microsoft Windows GDI Kernel Local Privilege Escalation
• 06.45.3 - Citrix Presentation Server IMA Service Multiple Remote Vulnerabilities

Third Party Windows Apps

• 06.45.4 - Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution
• 06.45.5 - Xenis.creator CMS Multiple Input Validation Vulnerabilities
• 06.45.6 - America Online ICQ ActiveX Control Remote Code Execution
• 06.45.7 - Omni-NFS Server NFSD.EXE Stack Buffer Overflow
• 06.45.8 - WFTPD Server APPE Command Buffer Overflow
• 06.45.9 - WarFTPD Multiple Format String Vulnerabilities
• 06.45.10 - Cisco Secure Desktop Multiple Vulnerabilities
• 06.45.11 - War FTP Daemon CWD Command Remote Denial of Service

Mac Os

• 06.45.12 - Apple Mac OS X FPathConf System Call Local Denial of Service
• 06.45.13 - Intego VirusBarrier Filter Bypass

Linux

• 06.45.14 - Linux Kernel ISO9660 Denial of Service
• 06.45.15 - Linux Kernel SquashFS Double Free Denial of Service
• 06.45.16 - librpm Query Report Arbitrary Code Execution
• 06.45.17 - Linux Kernel Multiple IPV6 Packet Filtering Bypass Vulnerabilities
• 06.45.18 - Texinfo File Handling Buffer Overflow

BSD

• 06.45.19 - FreeBSD UFS Filesystem Local Integer Overflow
• 06.45.20 - FreeBSD LibArchive Remote Denial of Service

Solaris

• 06.45.21 - Sun Solaris 10 UFS Local Denial of Service

Unix

• 06.45.22 - imlib2 Library Multiple Image Format Arbitrary Code Execution
• 06.45.23 - OpenLDAP Server Bind Request Denial of Service
• 06.45.24 - Network Administration Visualized Local Directory Traversal

Cross Platform

• 06.45.25 - Essentia Web Server GET and HEAD Requests Remote Buffer Overflow
• 06.45.26 - ELOG EL_Submit Function Remote Format String
• 06.45.27 - Acme thttpd Insecure Temporary Logfile Creation
• 06.45.28 - OWFS Owserver File Path Denial of Service
• 06.45.29 - OpenSSH Privilege Separation Key Signature Weakness
• 06.45.30 - Mozilla Client Products Multiple Remote Vulnerabilities
• 06.45.31 - IBM Lotus Notes User.ID File Key Information Disclosure
• 06.45.32 - IBM Lotus Domino Multiple TuneKrnl Local Privilege Escalation Vulnerabilities
• 06.45.33 - GNU GV Stack Buffer Overflow
• 06.45.34 - Unicore Client Keystore File Insecure File Permissions

Web Application - Cross Site Scripting

• 06.45.35 - IP-Atlas Plot.PHP Cross-Site Scripting
• 06.45.36 - Arkoon SSL360 Unspecified Cross-Site Scripting
• 06.45.37 - Simplog Archive.PHP PID Parameter Cross-Site Scripting
• 06.45.38 - admin.tool CMS Multiple Cross-Site Scripting Vulnerabilities
• 06.45.39 - IpManager Index.PHP Cross-Site Scripting
• 06.45.40 - Kayako SupportSuite Index.PHP Cross-Site Scripting
• 06.45.41 - Immediacy .NET CMS Logon.ASPX Cross-Site Scripting

Web Application - SQL Injection

• 06.45.42 - Article Script RSS.PHP SQL Injection
• 06.45.43 - PHPKIT Popup.PHP SQL Injection
• 06.45.44 - Webdrivers Simple Forum Message_details.PHP SQL Injection
• 06.45.45 - Portix-PHP Multiple SQL Injection Vulnerabilities
• 06.45.46 - ASPired2Poll MoreInfo.ASP SQL Injection
• 06.45.47 - OmniStar Article Manager Multiple SQL Injection Vulnerabilities

Web Application

• 06.45.48 - EggBlog Multiple HTML Injection Vulnerabilities
• 06.45.49 - @cid Stats Install.PHP3 Remote File Include
• 06.45.50 - Xoops NewList.PHP Cross-Site Scripting
• 06.45.51 - PHPDynaSite Multiple Remote File Include Vulnerabilities
• 06.45.52 - SazCart CART.PHP Remote File Include
• 06.45.53 - OpenSolution Quick.Cms.Lite Local File Include
• 06.45.54 - NewP News Publishing System Class.Database.PHP Remote File Include
• 06.45.55 - ELOG Multiple Cross-Site Scripting Vulnerabilities
• 06.45.56 - FreeWebShop Index.PHP Directory Traversal
• 06.45.57 - Yazd Discussion Forum Insecure Default Permission Handling
• 06.45.58 - RapidKill Arbitrary File Upload
• 06.45.59 - PostNuke PNUser.PHP Local File Include
• 06.45.60 - Modx CMS Thumbnail.PHP Remote File Include
• 06.45.61 - Simplog BlogID Parameter Multiple SQL Injection Vulnerabilities
• 06.45.62 - Advanced GuestBook Admin.PHP Remote File Include
• 06.45.63 - MDPro PNSVLang Parameter Local File Include
• 06.45.64 - e107 GSitemap.PHP Local File Include
• 06.45.65 - Drake CMS XHTML.PHP Remote File Include
• 06.45.66 - AIOCP Multiple Input Validation Vulnerabilities
• 06.45.67 - DeltaScripts PHP Classifieds Detail.PHP SQL Injection
• 06.45.68 - Ultimate PHP Board Header_simple.PHP Remote File Include
• 06.45.69 - phpComasy CMS Multiple HTML Injection Vulnerabilities
• 06.45.70 - FunkBoard Profile.PHP HTML Injection
• 06.45.71 - iWare Professional Remote Code Execution
• 06.45.72 - GreenBeast CMS Up_Loader.PHP Arbitrary File Upload
• 06.45.73 - iPrimal Forums Index.PHP Remote File Include
• 06.45.74 - FreeWebShop Multiple Input Validation Vulnerabilities
• 06.45.75 - Abarcar Realty Portal Multiple SQL Injection Vulnerabilities
• 06.45.76 - KnowledgeBuilder visEdit_Control.Class.PHP Remote File Include
• 06.45.77 - Portix-PHP Multiple HTML Injection Vulnerabilities
• 06.45.78 - Speedywiki Multiple Input Validation
• 06.45.79 - GimeScripts Shopping Catalog Index.PHP Remote File Include

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 45, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5247 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 06.45.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Internet Explorer 6 Unspecified Code Execution
• Description: Microsoft Internet Explorer is reportedly prone to an unspecified vulnerability that results in arbitrary code execution. Researchers report that minimal user interaction is required to carry out a successful attack. Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the vulnerable application. All versions of Internet Explorer 6 are reported vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/20886

• 06.45.2 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows GDI Kernel Local Privilege Escalation
• Description: Microsoft Windows is exposed to a local privilege escalation issue because data structures mapped to global memory by the GDI Kernel can be re-mapped as read-write by other processes. Please refer to the link below for further details.
• Ref: http://projects.info-pull.com/mokb/MOKB-06-11-2006.html

• 06.45.3 - CVE: Not Available
• Platform: Windows
• Title: Citrix Presentation Server IMA Service Multiple Remote Vulnerabilities
• Description: Citrix Presentation Server uses the IMA (Independent Management Architecture) service for inter-server and management communications. It is affecetd by buffer overflow issues in the "IMA_SECURE_DecryptData1()" decryption routine of the "ImaSystem.dll". It is also affected by a unspecified denial of service issue.
• Ref: http://support.citrix.com/article/CTX111186

• 06.45.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution
• Description: Microsoft XML Core Service is vulnerable to a remote code execution issue due to a memory corruption error in the XMLHTTP ActiveX control when processing specially crafted arguments passed to the "setRequestHeader()" function. See the advisory for further details.
• Ref: http://www.microsoft.com/technet/security/advisory/927892.mspx

• 06.45.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Xenis.creator CMS Multiple Input Validation Vulnerabilities
• Description: Xenis.creator CMS is a content management system. It is prone to multiple input validation issues because it fails to sanitize user-supplied input to various scripts. All current versions are affected.
• Ref: http://www.securityfocus.com/bid/20908

• 06.45.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: America Online ICQ ActiveX Control Remote Code Execution
• Description: The America Online ICQ ActiveX Control is a conferencing application for Microsoft Windows. It is prone to a remote code execution vulnerability. An attacker could exploit this issue simply by sending a message to a victim ICQ user. The issue resides in the "DownloadAgent" function URI parameter of the ICQPhone.SipxPhoneManager ActiveX control. The ICQPhone.SipxPhoneManager ActiveX control with a CLSID of 54BDE6EC-F42F-4500-AC46-905177444300 is affected.
• Ref: http://www.securityfocus.com/bid/20930

• 06.45.7 - CVE: CVE-2006-5780
• Platform: Third Party Windows Apps
• Title: Omni-NFS Server NFSD.EXE Stack Buffer Overflow
• Description: Omni-NFS Server is an application that allows users to share directories and files over a network. It is vulnerable to a stack based buffer overflow issue because it fails to properly bounds check user-supplied network data to the "nfsd.exe" application before copying it into an insufficiently sized memory buffer. Omni-NFS Server version 5.2 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20941/

• 06.45.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: WFTPD Server APPE Command Buffer Overflow
• Description: WFTPD is an FTP server. It is prone to a buffer overflow issue because it fails to do bounds checking on user-supplied data before storing it in a finite sized buffer. WFTPD version 3.23 is susceptible, while others may also be affected.
• Ref: http://www.securityfocus.com/bid/20942

• 06.45.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: WarFTPD Multiple Format String Vulnerabilities
• Description: WarFTPd is an FTP server application. It is prone to multiple remote format string vulnerabilities due to insufficient input sanitization of commands such as "CWD", "CDUP", "DELE", "NLST", "LIST" and "SIZE". Version 1.82.00-RC11 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20944

• 06.45.10 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Cisco Secure Desktop Multiple Vulnerabilities
• Description: Cisco Secure Desktop is an application which validates and protects the security of SSL VPN client. The application is susceptible to multiple vulnerabilities. These vulnerabilities are documented by Cisco in bug cisco-sa-20061108-csd. Cisco Secure Desktop versions 3.1.1.33 and prior are affected.
• Ref: http://www.securityfocus.com/archive/1/450921

• 06.45.11 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: War FTP Daemon CWD Command Remote Denial of Service
• Description: War FTP Daemon is a FTP server. It is prone to a remote denial of service vulnerability when the server handles specially crafted "CWD" commands. Version 1.82.00-RC11 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20973

• 06.45.12 - CVE: Not Available
• Platform: Mac Os
• Title: Apple Mac OS X FPathConf System Call Local Denial of Service
• Description: Apple Mac OS X is susceptible to a local denial of service vulnerability. The kernel fails to properly handle the execution of the "fpathconf()" system call. Specifically, when this system call is called with a file descriptor of a file of an unsupported type, the kernel panics. This issue is demonstrated with a semaphore file type as returned by "sem_open()".
• Ref: http://www.securityfocus.com/bid/20982

• 06.45.13 - CVE: Not Available
• Platform: Mac Os
• Title: Intego VirusBarrier Filter Bypass
• Description: Intego VirusBarrier is an antivirus application for the Apple MacOS operating system. It is exposed to a filter-bypass issue. This issue occurs because the application fails to filter malicious virus files properly. VirusBarrier Version X4 is affected.
• Ref: http://www.securityfocus.com/bid/20983

• 06.45.14 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel ISO9660 Denial of Service
• Description: The Linux kernel is prone to a local denial of service vulnerability due to a race condition in which the "isofs_get_blocks()" function enters an infinite loop when the "__find_get_block_slow()" callback from "sb_getblk()" fails. Multiple kernel versions are reportedly vulnerable.
• Ref: http://www.securityfocus.com/bid/20920

• 06.45.15 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel SquashFS Double Free Denial of Service
• Description: The Linux kernel is prone to a local denial of service vulnerability. This issue occurs because the kernel fails to handle corrupt file system structures. Specifically, a specially crafted "squashfs" file would cause the kernel to double free a buffer when a read operation is performed.
• Ref: http://www.securityfocus.com/bid/20870

• 06.45.16 - CVE: CVE-2006-5466
• Platform: Linux
• Title: librpm Query Report Arbitrary Code Execution
• Description: librpm is a library for the Red Hat Package Manager. It is vulnerable to an arbitrary code execution issue because the library fails to handle malicious query reports. librpm versions 4.4.9 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/20906

• 06.45.17 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel Multiple IPV6 Packet Filtering Bypass Vulnerabilities
• Description: The Linux kernel is prone to multiple IPv6 packet filtering bypass vulnerabilities because of improper handling of fragmented packets. These issues could be exploited by an attacker to bypass ip6_table filtering rules.
• Ref: http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.19-rc4

• 06.45.18 - CVE: CVE-2006-4810
• Platform: Linux
• Title: Texinfo File Handling Buffer Overflow
• Description: Texinfo is the official documentation format of the GNU project. It is exposed to a buffer overflow issue because the application fails to properly bounds check user-supplied input before copying it to an insufficiently sized buffer.
• Ref: http://rhn.redhat.com/errata/RHSA-2006-0727.html

• 06.45.19 - CVE: CVE-2006-5679
• Platform: BSD
• Title: FreeBSD UFS Filesystem Local Integer Overflow
• Description: FreeBSD UFS filesystem is vulnerable to a local integer overflow via a crafted UFS filesystem that causes invalid or large size parameters to the "kmem_alloc" function. FreeBSD version 6.1 is vulnerable.
• Ref: http://secunia.com/advisories/22736/

• 06.45.20 - CVE: CVE-2006-5680
• Platform: BSD
• Title: FreeBSD LibArchive Remote Denial of Service
• Description: libarchive is FreeBSD's interface library for reading and writing streaming archive files. FreeBSD is prone to a remote denial of service vulnerability because libarchive fails to handle corrupted archive files when the end of an archive is reached at the same time that libarchive is attempting to "skip" past an archive region. FreeBSD 6-STABLE is affected.
• Ref: http://www.securityfocus.com/bid/20961

• 06.45.21 - CVE: Not Available
• Platform: Solaris
• Title: Sun Solaris 10 UFS Local Denial of Service
• Description: Sun Solaris 10 is prone to a local denial of service issue because the kernel fails to handle corrupted data structures during the mount operation which results in a kernel page fault and subsequently leads to a loss of data or corruption of the local filesystem. Solaris 10 on the ia32/x86 architecture is susceptible, while previous versions may be affected as well.
• Ref: http://projects.info-pull.com/mokb/MOKB-04-11-2006.html

• 06.45.22 - CVE: CVE-2006-4806,CVE-2006-4807,CVE-2006-4808,CVE-2006-4809
• Platform: Unix
• Title: imlib2 Library Multiple Image Format Arbitrary Code Execution
• Description: imlib2 is a library to view and render various types of images. It is prone to an arbitrary code execution issue due to insufficient sanitization of ARGB, JPG, LBM, PNG, PBM, TGA and TIFF images. imlib2 versions 1.3 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/20903/info

• 06.45.23 - CVE: CVE-2006-5779
• Platform: Unix
• Title: OpenLDAP Server Bind Request Denial of Service
• Description: OpenLDAP server is prone to denial of service issue because the server fails to handle malicious bind requests. OpenLDAP version 2.2.29 rev 1.134 fixes the issue.
• Ref: http://www.securityfocus.com/bid/20939

• 06.45.24 - CVE: Not Available
• Platform: Unix
• Title: Network Administration Visualized Local Directory Traversal
• Description: Network Administration Visualized (NAV) is a computer network monitoring application. It is prone to a local unspecified directory traversal issue. NAV versions prior to 3.1.1 are affected.
• Ref: http://sourceforge.net/project/shownotes.php?release_id=461986

• 06.45.25 - CVE: Not Available
• Platform: Cross Platform
• Title: Essentia Web Server GET and HEAD Requests Remote Buffer Overflow
• Description: Essentia Web Server is an HTTP server. Insufficient sanitization of the "GET" and "HEAD" requests larger than 6000 bytes exposes the application to a remote buffer overflow issue. Essentia Web Server version 2.15 is affected.
• Ref: http://www.securityfocus.com/bid/20910/info

• 06.45.26 - CVE: Not Available
• Platform: Cross Platform
• Title: ELOG EL_Submit Function Remote Format String
• Description: ELOG is a web log application written for use multiple platforms. The application is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before including it in the "el_submit()" function. ELOG version 2.0.2 is vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/20876

• 06.45.27 - CVE: Not Available
• Platform: Cross Platform
• Title: Acme thttpd Insecure Temporary Logfile Creation
• Description: thttpd is a tiny Web server written for Unix platforms. It creates temporary log files in an insecure manner. An attacker with local access could potentially exploit this issue to overwrite files in the context of the Web server process. Versions prior to 2.23 beta 1 are vulnerable.
• Ref: http://www.securityfocus.com/bid/20891

• 06.45.28 - CVE: Not Available
• Platform: Cross Platform
• Title: OWFS Owserver File Path Denial of Service
• Description: OWFS Owserver allows 1-wire devices to appear as if they were files in a directory on Linux and POSIX systems. It is prone to a denial of service issue because it fails to handle invalid file paths passed to "owshell" shell code applications. OWFS Owserver version 2.5p5 is susceptible, while others may also be affected.
• Ref: http://www.securityfocus.com/bid/20953

• 06.45.29 - CVE: Not Available
• Platform: Cross Platform
• Title: OpenSSH Privilege Separation Key Signature Weakness
• Description: OpenSSH is susceptible to a weakness that may allow attackers to authenticate without proper key signatures. This issue is due to a design error between privileged processes and their child processes. OpenSSH versions 4.4 and prior are vulnerable.
• Ref: http://www.securityfocus.com/bid/20956

• 06.45.30 - CVE: CVE-2006-5463,CVE-2006-5464,CVE-2006-5747,CVE-2006-5748
• Platform: Cross Platform
• Title: Mozilla Client Products Multiple Remote Vulnerabilities
• Description: The Mozilla Foundation has released two security advisories specifying security vulnerabilities in Mozilla Firefox, SeaMonkey, and Thunderbird. Please refer to the links below for further details.
• Ref: http://www.mozilla.org/security/announce/2006/mfsa2006-65.html http://www.mozilla.org/security/announce/2006/mfsa2006-66.html http://www.mozilla.org/security/announce/2006/mfsa2006-67.html

• 06.45.31 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Lotus Notes User.ID File Key Information Disclosure
• Description: IBM Lotus Notes is an email client/server application. It is vulnerable to a local information disclosure issue because unauthenticated remote attackers may retrieve sensitive User.ID keyfile information from an unencrypted "names.nsf" database. IBM Lotus Notes versions prior to 6.5.5 FP2 and 7.0.2 are vulnerable.
• Ref: http://www.fortconsult.net/images/pdf/lotusnotes_keyfiles.pdf

• 06.45.32 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Lotus Domino Multiple TuneKrnl Local Privilege Escalation Vulnerabilities
• Description: Lotus Domino is a client/server product designed for collaborative working environments. Domino is designed for email, scheduling, instant messaging, and data-driven applications. It is exposed to multiple local privilege escalation issues. These issues are due to a failure of the application to properly bounds check user-supplied input prior to copying it to insufficiently sized memory buffers. IBM Lotus Domino versions earlier than 6.5.5 Fix Pack 2 and 7.0.2 are affected.
• Ref: http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21249173

• 06.45.33 - CVE: Not Available
• Platform: Cross Platform
• Title: GNU GV Stack Buffer Overflow
• Description: GNU GV is a PostScript and PDF file viewer. It is prone to a stack based buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized memory buffer. GNU GV version 3.6.2 is susceptible, while others may also be affected.
• Ref: http://www.securityfocus.com/bid/20978

• 06.45.34 - CVE: Not Available
• Platform: Cross Platform
• Title: Unicore Client Keystore File Insecure File Permissions
• Description: Unicore Client is a client side component for the Uniform Interface to Computing Resources (UNICORE). Unicore Client is prone to an insecure file permission vulnerability. The issue is caused due to the use of insecure file permissions on the "keystore" file. Versions prior to 5.6 build 5 are vulnerable to this issue.
• Ref: http://sourceforge.net/project/shownotes.php?release_id=461942

• 06.45.35 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: IP-Atlas Plot.PHP Cross-Site Scripting
• Description: IP-Atlas is a geographical DNS tool written in PHP. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied URI input to the "address" parameter of the "plot.php" script. IP-Atlas version 1.0 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20884

• 06.45.36 - CVE: CVE-2006-5771
• Platform: Web Application - Cross Site Scripting
• Title: Arkoon SSL360 Unspecified Cross-Site Scripting
• Description: Arkoon SSL360 is a VPN security appliance available for various operating systems. It is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Versions 2.0/2 and prior are vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/20890

• 06.45.37 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Simplog Archive.PHP PID Parameter Cross-Site Scripting
• Description: Simplog is a web log application. It is prone to a cross-site scripting vulnerability due to insufficient input sanitization of the "pid" parameter of the "archive.php" script. Version 0.9.3 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20900

• 06.45.38 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: admin.tool CMS Multiple Cross-Site Scripting Vulnerabilities
• Description: admin.tool is a content manager. It is exposed to multiple cross-site scripting issues because the application fails to sanitize user-supplied input to the "fSid" and "FSrcBegriffe" parameters before being returned to the user. Version 3 is affected by this issue.
• Ref: http://www.securityfocus.com/bid/20905

• 06.45.39 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: IpManager Index.PHP Cross-Site Scripting
• Description: IpManager is a DNS management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "errno" parameter of the "index.php" script. IpManager version 2.3 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20952/

• 06.45.40 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Kayako SupportSuite Index.PHP Cross-Site Scripting
• Description: Kayako SupportSuite is a web-based customer service application. It is prone to a cross-site scripting vulnerability due to insufficient input sanitization of the "index.php" script. Version 3.00.32 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20954

• 06.45.41 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Immediacy .NET CMS Logon.ASPX Cross-Site Scripting
• Description: Immediacy CMS is a content management system implemented in ASP. The application is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input to the "lang" parameter of the "logon.aspx" script. Version 5.2 is vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/20965

• 06.45.42 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Article Script RSS.PHP SQL Injection
• Description: Article Script is an application that allows users to add content to their website. The application is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "category" parameter of the "rss.php" script. Article Script 1.6.3 and prior versions are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/450678

• 06.45.43 - CVE: CVE-2006-1773
• Platform: Web Application - SQL Injection
• Title: PHPKIT Popup.PHP SQL Injection
• Description: PHPKIT is a web-based e-learning and course management application implemented in PHP. PHPKIT is prone to an SQL injection vulnerability from failing to properly sanitize the "path" parameter of the "path.php" script. Version 1.6 RC2 and prior versions are vulnerable.
• Ref: http://www.securityfocus.com/bid/20911

• 06.45.44 - CVE: CVE-2006-5802
• Platform: Web Application - SQL Injection
• Title: Webdrivers Simple Forum Message_details.PHP SQL Injection
• Description: Webdrivers Simple Forum is a web forum implemented in PHP. The application is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "message_details.php" script.
• Ref: http://www.securityfocus.com/bid/20937

• 06.45.45 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Portix-PHP Multiple SQL Injection Vulnerabilities
• Description: Portix-PHP is a content management application implemented in PHP. The application is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input to the "username" and "password" parameters of the login page. Portix version 0.4.2 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20974

• 06.45.46 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: ASPired2Poll MoreInfo.ASP SQL Injection
• Description: ASPired2Poll is a web-based polling application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "MoreInfo.asp" script. ASPired2Poll versions 1.0 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/20987

• 06.45.47 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: OmniStar Article Manager Multiple SQL Injection Vulnerabilities
• Description: OmniStar Article Manager is a content management application. It is prone to multiple SQL injection vulnerabilities due to insufficient input sanitization of several parameters and scripts. All known versions are reportedly vulnerable.
• Ref: http://www.securityfocus.com/bid/20990

• 06.45.48 - CVE: Not Available
• Platform: Web Application
• Title: EggBlog Multiple HTML Injection Vulnerabilities
• Description: EggBlog is a web log application. It is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. These issues affect version 3.1.0.
• Ref: http://www.securityfocus.com/bid/20924

• 06.45.49 - CVE: Not Available
• Platform: Web Application
• Title: @cid Stats Install.PHP3 Remote File Include
• Description: @cid Stats program is a website statistics application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "repertoire" parameter of the "install.php3" script. @cid Stats version 2.3 is vulnerable.
• Ref: http://www.securityfocus.com/archive/1/450676

• 06.45.50 - CVE: Not Available
• Platform: Web Application
• Title: Xoops NewList.PHP Cross-Site Scripting
• Description: Xoops is portal software. It is prone to a cross site scripting issue because it fails to sanitize user-supplied input to the "newdownloadshowdays" parameter of the "modules/wfdownloads/newlist.php" script. Xoops version 1.0 is vulnerable. Other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/20927

• 06.45.51 - CVE: CVE-2006-5760
• Platform: Web Application
• Title: PHPDynaSite Multiple Remote File Include Vulnerabilities
• Description: PHPDynaSite is a content manager implemented in PHP. Multiple remote file include vulnerabilities affect PHPDynaSite because it fails to sufficiently sanitize user-supplied input to the "racine" parameter of several scripts.
• Ref: http://www.securityfocus.com/bid/20921

• 06.45.52 - CVE: Not Available
• Platform: Web Application
• Title: SazCart CART.PHP Remote File Include
• Description: SazCart is a shopping cart implemented in PHP. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "_saz[settings][shippingfolder]" parameter of the "cart.php" script. SazCart 1.5 and prior versions are vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/20922

• 06.45.53 - CVE: Not Available
• Platform: Web Application
• Title: OpenSolution Quick.Cms.Lite Local File Include
• Description: Quick.Cms.Lite is a content manager application. Insufficient sanitization of the "sLanguage" cookie parameter of the "index.php" script exposes the application to a local file include issue. Quick.Cms.Lite versions 0.3 and earlier are affected. Ref: http://downloads.securityfocus.com/vulnerabilities/exploits/quick-cms-lite-lfi.txt

• 06.45.54 - CVE: Not Available
• Platform: Web Application
• Title: NewP News Publishing System Class.Database.PHP Remote File Include
• Description: NewP News Publishing System is a news manager for websites. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "path" parameter of "class.Database.php". NewP version 1.0.0 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20893

• 06.45.55 - CVE: Not Available
• Platform: Web Application
• Title: ELOG Multiple Cross-Site Scripting Vulnerabilities
• Description: ELOG is a web log application. It is prone to multiple cross-site scripting issues because it fails to sanitize user-supplied URI input to the "Type" and "Category" parameters. ELOG version 2.6.2 is vulnerable. Other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/20882

• 06.45.56 - CVE: Not Available
• Platform: Web Application
• Title: FreeWebShop Index.PHP Directory Traversal
• Description: FreeWebShop is a web-based shopping cart application. It is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "page" parameter of "index.php". Version 2.2 is affected.
• Ref: http://www.securityfocus.com/bid/20888

• 06.45.57 - CVE: Not Available
• Platform: Web Application
• Title: Yazd Discussion Forum Insecure Default Permission Handling
• Description: Yazd Discussion Forum is a Java based online forum application. It is vulnerable to multiple insecure default permission handling vulnerabilities due to a design issue. Yazd Discussion Forum versions 2.9 and earlier are vulnerable.
• Ref: http://sourceforge.net/project/shownotes.php?release_id=460547

• 06.45.58 - CVE: Not Available
• Platform: Web Application
• Title: RapidKill Arbitrary File Upload
• Description: RapidKill is a web-based download application. It is affected by an arbitrary file upload vulnerability because it fails to verify the content of uploaded files which are placed in the document root of the webserver. RapidKill version 5.7 is affected.
• Ref: http://www.securityfocus.com/bid/20896/info

• 06.45.59 - CVE: Not Available
• Platform: Web Application
• Title: PostNuke PNUser.PHP Local File Include
• Description: PostNuke is a content management system. It is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "lang" parameter of the "includes/pnUser.php" script. Versions 0.763 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/20897

• 06.45.60 - CVE: Not Available
• Platform: Web Application
• Title: Modx CMS Thumbnail.PHP Remote File Include
• Description: Modx CMS is a content manager application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "filename" parameter of the "gestion/savebackup.php" script. Modx CMS versions 0.9.2.1 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/20898

• 06.45.61 - CVE: Not Available
• Platform: Web Application
• Title: Simplog BlogID Parameter Multiple SQL Injection Vulnerabilities
• Description: Simplog is a web log application. It is prone to multiple SQL injection issues because it fails to sanitize user-supplied input to the "blogid" parameter of "archive.php" and "index.php". Simplog version 0.9.3 is vulnerable. Other versions may also be vulnerable.
• Ref: http://www.securityfocus.com/bid/20899

• 06.45.62 - CVE: Not Available
• Platform: Web Application
• Title: Advanced GuestBook Admin.PHP Remote File Include
• Description: Advanced GuestBook for phpBB is a guestbook application, implemented in PHP. It is prone to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "include_path" variable of "admin.php". Version 2.3.1 is vulnerable.
• Ref: http://www.securityfocus.com/bid/20902

• 06.45.63 - CVE: Not Available
• Platform: Web Application
• Title: MDPro PNSVLang Parameter Local File Include
• Description: MDPro is a content management system implemented in PHP. The application is prone to a local file include vulnerability because it fails to properly sanitize user-supplied input to the "PNSVlang" parameter of the "error.php" script. Versions 1.0.76 and prior are vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/20912

• 06.45.64 - CVE: Not Available
• Platform: Web Application
• Title: e107 GSitemap.PHP Local File Include
• Description: e107 is a content management system. Insufficient sanitization of the "e107language_e107cookie" parameter of the "gsitemap.php" script exposes the application to a local file include issue. e107 versions 0.7.5 and prior are affected. Ref: http://downloads.securityfocus.com/vulnerabilities/exploits/20913.pl

• 06.45.65 - CVE: Not Available
• Platform: Web Application
• Title: Drake CMS XHTML.PHP Remote File Include
• Description: Drake CMS is a content manager. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "d_root" parameter of the "xhtml.php". Versions 0.2.2.846 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/20914

• 06.45.66 - CVE: Not Available
• Platform: Web Application
• Title: AIOCP Multiple Input Validation Vulnerabilities
• Description: All In One Control Panel (AIOCP) is a content management system. Insufficient sanitization of user-supplied data exposes the application to multiple cross-site scripting, SQL injection, information disclosure and file include issues. AIOCP versions 1.3.007 and prior are affected.
• Ref: http://www.securityfocus.com/archive/1/450701

• 06.45.67 - CVE: Not Available
• Platform: Web Application
• Title: DeltaScripts PHP Classifieds Detail.PHP SQL Injection
• Description: DeltaScripts PHP Classifieds is an application for posting classified ads on the web. It is prone to an SQL injection issue because it fails to sanitize user-supplied data to the "user_id" parameter of the "detail.php" script file before using it in an SQL query. DeltaScripts PHP Classifieds version 7.1 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/20935

• 06.45.68 - CVE: Not Available
• Platform: Web Application
• Title: Ultimate PHP Board Header_simple.PHP Remote File Include
• Description: Ultimate PHP Board is a bulletin board. It is prone to a remote file include vulnerability due to insufficient input sanitization of the "_CONFIG[skin_dir]" parameter of the "header_simple.php" script. Versions 2.0 and prior are vulnerable.
• Ref: http://www.securityfocus.com/bid/20936

• 06.45.69 - CVE: Not Available
• Platform: Web Application
• Title: phpComasy CMS Multiple HTML Injection Vulnerabilities
• Description: phpComasy CMS is a content manager implemented in PHP. It is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input to the "Username" and "password" input boxes on the "index.php" script. These issues affect phpComasy CMS version 0.7.9pre and earlier versions.
• Ref: http://www.securityfocus.com/bid/20938

• 06.45.70 - CVE: CVE-2006-5775
• Platform: Web Application
• Title: FunkBoard Profile.PHP HTML Injection
• Description: FunkBoard is an open source bulletin board and message system implemented in PHP. It is prone to an HTML injection vulnerability because it fails to sufficiently sanitize user-supplied input to the "name" parameter of the "profile.php" script. FunkBoard 0.71 is reported to be vulnerable.
• Ref: http://www.funkboard.co.uk/forum/thread.php?id=312

• 06.45.71 - CVE: Not Available
• Platform: Web Application
• Title: iWare Professional Remote Code Execution
• Description: iWare Professional CMS is a web-based content manager implemented in PHP. iWare Professional CMS is prone to an arbitrary code execution vulnerability because it fails to properly sanitize user-supplied input to the "$message" variable of "chat_log.php" script. iWare Professional 5.0.4 is affected.
• Ref: http://www.securityfocus.com/bid/20947

• 06.45.72 - CVE: Not Available
• Platform: Web Application
• Title: GreenBeast CMS Up_Loader.PHP Arbitrary File Upload
• Description: GreenBeast CMS is a content management system. Insufficient sanitization in the "gbcms_php_file/up_loader.php" script exposes the application to an arbitrary file upload issue. GreenBeast CMS versions 1.3 and prior are affected.
• Ref: http://newhack.org/advisories/GreenBeastCMS.txt

• 06.45.73 - CVE: Not Available
• Platform: Web Application
• Title: iPrimal Forums Index.PHP Remote File Include
• Description: iPrimal Industries iPrimal Forums is a web forum application. Insufficient sanitization of the "p" parameter in the "/admin/index.php" script exposes the application to a remote file include issue.
• Ref: http://www.securityfocus.com/bid/20966/exploit

• 06.45.74 - CVE: CVE-2006-5772, CVE-2006-5773
• Platform: Web Application
• Title: FreeWebShop Multiple Input Validation Vulnerabilities
• Description: FreeWebShop is a shopping cart application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied data to various scripts. FreeWebShop versions 2.2 and earlier are vulnerable.
• Ref: http://secunia.com/advisories/22786/ http://secunia.com/advisories/22664/

• 06.45.75 - CVE: Not Available
• Platform: Web Application
• Title: Abarcar Realty Portal Multiple SQL Injection Vulnerabilities
• Description: Abarcar Realty Portal is a web portal application. It is prone to multiple SQL injection issues because it fails to sanitize user-supplied input to the "neid" parameter in the "newsdetails.php" script and the "slid" parameter in the "slistl.php" script. Abarcar Realty Portal versions 6.0.1 and 5.1.5 are affected.
• Ref: http://www.securityfocus.com/bid/20970

• 06.45.76 - CVE: Not Available
• Platform: Web Application
• Title: KnowledgeBuilder visEdit_Control.Class.PHP Remote File Include
• Description: KnowledgeBuilder is a web-based faq and solution application implemented in PHP. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "visEdit_root" parameter of the "visEdit_control.class.php" script. Version 2.2 is vulnerable to this issue.
• Ref: http://www.securityfocus.com/bid/20857

• 06.45.77 - CVE: Not Available
• Platform: Web Application
• Title: Portix-PHP Multiple HTML Injection Vulnerabilities
• Description: Portix-PHP is a content manager. Insufficient sanitization of the "titre" and "auteur" input boxes exposes the application to an HTML injection issue. Portix-PHP version 0.4.2 is affected.
• Ref: http://www.securityfocus.com/archive/1/450935

• 06.45.78 - CVE: Not Available
• Platform: Web Application
• Title: Speedywiki Multiple Input Validation
• Description: Speedwiki is a wiki. It is exposed to multiple input validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input. Version 2.0 is affected.
• Ref: http://www.securityfocus.com/bid/20976

• 06.45.79 - CVE: Not Available
• Platform: Web Application
• Title: GimeScripts Shopping Catalog Index.PHP Remote File Include
• Description: Shopping Catalog is a web-based shopping cart application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "custom" parameter of the "index.php" script. Shopping Catalog versions 0.9.1 and earlier are vulnerable.
• Ref: http://www.securityfocus.com/bid/20979/info

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.