@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 45
November 13, 2006

Windows laptops with wireless cards that use Broadcom device drivers (Broadcom chips are used in machines from HP, Dell, Gateway, and eMachines) are directly vulnerable to the attack that has gotten so much press on Macintosh wireless. You are vulnerable if your wireless card is turned on, even if you are not connected to a wireless access point. Also this week, Firefox users should move to version 1.5.0.8 or version 2 right away, and, separately, updates should be installed for OpenView Configuration Manager V. 1.0.

Alan

PS The annual update to the SANS Top20 will be announced Wednesday morning. Readers of @RISK will be familiar with most of the new patterns, but there are a couple of big ones that may be surprising. It will be posted at http://www.sans.org/top20/ by Wednesday morning.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Category                                 # of Updates & Vulnerabilities
Windows                                  3
Third Party Windows Apps                 8 (#3, #7)
Mac Os                                   2
Linux                                    5
BSD                                      2
Solaris                                  1
Unix                                     3
Cross Platform                           10 (#1, #2, #4, #5, #6)
Web Application - Cross Site Scripting   7
Web Application - SQL Injection          6
Web Application                          32

*********** Sponsored By SANS WhatWorks In Encryption Summit ************

User-to-user discussions will focus on mistakes to avoid and the things that work to protect data at rest - whether it is on a laptop or a backup tape. That plus a chance to meet the main successful vendors at the SANS Secure Storage & Encryption Summit, December 6-7. There will be ample opportunity to get your questions answered by those who have already fought the war and by the vendors who claim to be able to help. Special sessions on encryption built into drives for laptops and on freeware, too. Special emphasis on Vista's new built-in encryption. http://www.sans.org/info/1789

*************************************************************************

TRAINING Update: Full schedule at http://www.sans.org/index.php

This just came in -- we thought you might identify with it, at least a little.

"This work is not just about finding the right firewall rule set, or using Group Policy effectively, or being able to distinguish between MACs and DACs. It's about bringing a level of dedication to your work that gives you, a. the technical expertise to recognize insecure practices; and b. the courage to question entrenched business processes that are putting the organization at risk. Being an information security professional is not the pathway to popularity. If you're doing your job well, you can earn respect, and maybe even gratitude, but there's a good chance you're going to generate resentment and resistance. The willingness to engage your colleagues in ways that often challenge them requires a firm commitment to the values of the profession. And I can honestly say that the SANS instructors I've worked with have fostered and exemplified those values. I don't know how you go about branding that, but it's worth a lot!"

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
BSD
Solaris
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

************************* Sponsored Link: *****************************

1) FREE WEBCAST: Best Practices For A Robust Vulnerability Management Lifecycle Program Click here to register: http://www.sans.org/info/1790

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: Mozilla Products Multiple Vulnerabilities
  • Vulnerable:
    • Mozilla Firefox versions prior to 1.5.0.8
    • Mozilla Thunderbird versions prior to 1.5.0.8
    • Mozilla SeaMonkey versions prior to 1.0.6
  • Description: Several products based on the Mozilla suite of applications, including the Mozilla Firefox web browser, the Mozilla Thunderbird email client, and the Mozilla SeaMonkey integrated suite, contain multiple vulnerabilities. These vulnerabilities could allow a malicious web page or email message to execute arbitrary code with the privileges of the current user, or execute arbitrary JavaScript code. Several denial-of-service cases are also reported. Note that all of the affected applications are open source; technical details can be obtained via source code analysis.

  • Status: Mozilla Foundation confirmed, updates available.

  • Council Site Actions: Only two of the reporting council sites are responding to this item. One site is already distributing the updates. The other site plans to update their IT-maintained systems later this month. Most of their non-IT-supported users have the product configured to automatically check for and install updates.

  • References:
  • (3) HIGH: HP OpenView Client Configuration Manager Remote Command Execution
  • Vulnerable:
    • HP OpenView Client Configuration Manager 1.0
  • Description: HP OpenView Client Configuration Manager, used to centrally manage client configuration, contains a remote command execution vulnerability. Due to a logic error in the programming, correct authentication is not required to execute files inside the "radexecd.exe" install directory. Additionally, due to the available programs in this directory, it is possible to create additional, arbitrary executables. No authentication is required to exploit this vulnerability.

  • Status: HP confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (4) MODERATE: ProFTPD Unspecified Remote Code Execution
  • Vulnerable:
    • ProFTPD version 1.3 and possibly prior
  • Description: ProFTPD, a popular multiplatform open source FTP server, contains an unspecified vulnerability. Attackers could exploit this vulnerability to execute arbitrary code with the privileges of the server process. The exact nature of this vulnerability is currently unknown, though it is believed to involve the "CommandBufferSize" configuration directive. Although technical details for this vulnerability have not been publicly posted, because ProFTPD is open source, technical details can be obtained via source code analysis.

  • Council Site Actions: Council sites have seen conflicting severity ratings for this issue (Moderate vs. Critical) and are still reviewing it.

  • References:
  • (5) MODERATE: Citrix MetaFrame IMA Management Module Multiple Vulnerabilities
  • Vulnerable:
    • Citrix MetaFrame XP versions 1.0 and 2.0
    • Citrix MetaFrame Presentation Server versions 3.0 and 4.0
  • Description: Citrix MetaFrame contains multiple vulnerabilities: (1) By sending specially-crafted authentication messages to the server, an attacker could trigger a heap overflow. This overflow can be exploited to execute arbitrary code with the privileges of the server process. (2) Specially-crafted messages sent to the server can cause the server to crash, leading to a denial-of-service condition.

  • Status: Citrix confirmed, updates available.

  • Council Site Actions: Only one of the reporting council sites is responding to this item. Their desktop support team is currently investigating the impact at their organization.

  • References:
  • (6) LOW: OpenSSH Authentication Signature Weakness
  • Affected:
    • OpenSSH versions prior to 4.5
  • Description: OpenSSH, an open source implementation of the SSH protocol, contains a weakness in its authentication mechanisms. It may be possible to authenticate to an OpenSSH process with an invalid key signature. It is currently believed that this vulnerability is not exploitable without the presence of other vulnerabilities. OpenSSH is open source software; technical details for this vulnerability may be obtained via source code analysis.

  • Status: OpenSSH confirmed, updates available.

  • References:
Other Software
  • (7) HIGH: Xlink Omni-NFS Server Buffer Overflow
  • Vulnerable:
    • Xlink Technologies Omni-NFS Server
  • Description: Xlink Technologies Omni-NFS server, a popular NFS (Network Filesystem) server for Microsoft Windows, contains a remotely-exploitable buffer overflow. By sending specially-crafted NFS requests to the server, an attacker could exploit this buffer overflow and execute arbitrary code with the privileges of the server process. Technical details and an exploit for this vulnerability are publicly available.

  • Status: Xlink has not confirmed, no updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 45, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5247 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.45.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Internet Explorer 6 Unspecified Code Execution
  • Description: Microsoft Internet Explorer is reportedly prone to an unspecified vulnerability that results in arbitrary code execution. Researchers report that minimal user interaction is required to carry out a successful attack. Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the vulnerable application. All versions of Internet Explorer 6 are reported vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20886

  • 06.45.2 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows GDI Kernel Local Privilege Escalation
  • Description: Microsoft Windows is exposed to a local privilege escalation issue because data structures mapped to global memory by the GDI Kernel can be re-mapped as read-write by other processes. Please refer to the link below for further details.
  • Ref: http://projects.info-pull.com/mokb/MOKB-06-11-2006.html

  • 06.45.3 - CVE: Not Available
  • Platform: Windows
  • Title: Citrix Presentation Server IMA Service Multiple Remote Vulnerabilities
  • Description: Citrix Presentation Server uses the IMA (Independent Management Architecture) service for inter-server and management communications. It is affected by buffer overflow issues in the "IMA_SECURE_DecryptData1()" decryption routine of "ImaSystem.dll". It is also affected by an unspecified denial of service issue.
  • Ref: http://support.citrix.com/article/CTX111186

  • 06.45.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution
  • Description: Microsoft XML Core Service is vulnerable to a remote code execution issue due to a memory corruption error in the XMLHTTP ActiveX control when processing specially crafted arguments passed to the "setRequestHeader()" function. See the advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/advisory/927892.mspx

  • 06.45.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Xenis.creator CMS Multiple Input Validation Vulnerabilities
  • Description: Xenis.creator CMS is a content management system. It is prone to multiple input validation issues because it fails to sanitize user-supplied input to various scripts. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/20908

  • 06.45.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: America Online ICQ ActiveX Control Remote Code Execution
  • Description: The America Online ICQ ActiveX Control is a conferencing application for Microsoft Windows. It is prone to a remote code execution vulnerability. An attacker could exploit this issue simply by sending a message to a victim ICQ user. The issue resides in the "DownloadAgent" function URI parameter of the ICQPhone.SipxPhoneManager ActiveX control. The ICQPhone.SipxPhoneManager ActiveX control with a CLSID of 54BDE6EC-F42F-4500-AC46-905177444300 is affected.
  • Ref: http://www.securityfocus.com/bid/20930

  • 06.45.7 - CVE: CVE-2006-5780
  • Platform: Third Party Windows Apps
  • Title: Omni-NFS Server NFSD.EXE Stack Buffer Overflow
  • Description: Omni-NFS Server is an application that allows users to share directories and files over a network. It is vulnerable to a stack based buffer overflow issue because it fails to properly bounds check user-supplied network data to the "nfsd.exe" application before copying it into an insufficiently sized memory buffer. Omni-NFS Server version 5.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20941/

  • 06.45.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WFTPD Server APPE Command Buffer Overflow
  • Description: WFTPD is an FTP server. It is prone to a buffer overflow issue because it fails to do bounds checking on user-supplied data before storing it in a finite sized buffer. WFTPD version 3.23 is susceptible, while others may also be affected.
  • Ref: http://www.securityfocus.com/bid/20942

  • 06.45.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WarFTPD Multiple Format String Vulnerabilities
  • Description: WarFTPd is an FTP server application. It is prone to multiple remote format string vulnerabilities due to insufficient input sanitization of commands such as "CWD", "CDUP", "DELE", "NLST", "LIST" and "SIZE". Version 1.82.00-RC11 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20944

  • 06.45.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Cisco Secure Desktop Multiple Vulnerabilities
  • Description: Cisco Secure Desktop is an application which validates and protects the security of SSL VPN client. The application is susceptible to multiple vulnerabilities. These vulnerabilities are documented by Cisco in bug cisco-sa-20061108-csd. Cisco Secure Desktop versions 3.1.1.33 and prior are affected.
  • Ref: http://www.securityfocus.com/archive/1/450921

  • 06.45.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: War FTP Daemon CWD Command Remote Denial of Service
  • Description: War FTP Daemon is an FTP server. It is prone to a remote denial of service vulnerability when the server handles specially crafted "CWD" commands. Version 1.82.00-RC11 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20973

  • 06.45.12 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X FPathConf System Call Local Denial of Service
  • Description: Apple Mac OS X is susceptible to a local denial of service vulnerability. The kernel fails to properly handle the execution of the "fpathconf()" system call. Specifically, when this system call is called with a file descriptor of a file of an unsupported type, the kernel panics. This issue is demonstrated with a semaphore file type as returned by "sem_open()".
  • Ref: http://www.securityfocus.com/bid/20982

  • 06.45.13 - CVE: Not Available
  • Platform: Mac Os
  • Title: Intego VirusBarrier Filter Bypass
  • Description: Intego VirusBarrier is an antivirus application for the Apple MacOS operating system. It is exposed to a filter-bypass issue. This issue occurs because the application fails to filter malicious virus files properly. VirusBarrier Version X4 is affected.
  • Ref: http://www.securityfocus.com/bid/20983

  • 06.45.14 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel ISO9660 Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability due to a race condition in which the "isofs_get_blocks()" function enters an infinite loop when the "__find_get_block_slow()" callback from "sb_getblk()" fails. Multiple kernel versions are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20920

  • 06.45.15 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel SquashFS Double Free Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability. This issue occurs because the kernel fails to handle corrupt file system structures. Specifically, a specially crafted "squashfs" file would cause the kernel to double free a buffer when a read operation is performed.
  • Ref: http://www.securityfocus.com/bid/20870

  • 06.45.16 - CVE: CVE-2006-5466
  • Platform: Linux
  • Title: librpm Query Report Arbitrary Code Execution
  • Description: librpm is a library for the Red Hat Package Manager. It is vulnerable to an arbitrary code execution issue because the library fails to handle malicious query reports. librpm versions 4.4.9 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20906

  • 06.45.17 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Multiple IPV6 Packet Filtering Bypass Vulnerabilities
  • Description: The Linux kernel is prone to multiple IPv6 packet filtering bypass vulnerabilities because of improper handling of fragmented packets. These issues could be exploited by an attacker to bypass ip6_table filtering rules.
  • Ref: http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.19-rc4

  • 06.45.18 - CVE: CVE-2006-4810
  • Platform: Linux
  • Title: Texinfo File Handling Buffer Overflow
  • Description: Texinfo is the official documentation format of the GNU project. It is exposed to a buffer overflow issue because the application fails to properly bounds check user-supplied input before copying it to an insufficiently sized buffer.
  • Ref: http://rhn.redhat.com/errata/RHSA-2006-0727.html

  • 06.45.19 - CVE: CVE-2006-5679
  • Platform: BSD
  • Title: FreeBSD UFS Filesystem Local Integer Overflow
  • Description: FreeBSD UFS filesystem is vulnerable to a local integer overflow via a crafted UFS filesystem that causes invalid or large size parameters to the "kmem_alloc" function. FreeBSD version 6.1 is vulnerable.
  • Ref: http://secunia.com/advisories/22736/

  • 06.45.20 - CVE: CVE-2006-5680
  • Platform: BSD
  • Title: FreeBSD LibArchive Remote Denial of Service
  • Description: libarchive is FreeBSD's interface library for reading and writing streaming archive files. FreeBSD is prone to a remote denial of service vulnerability because libarchive fails to handle corrupted archive files when the end of an archive is reached at the same time that libarchive is attempting to "skip" past an archive region. FreeBSD 6-STABLE is affected.
  • Ref: http://www.securityfocus.com/bid/20961

  • 06.45.21 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris 10 UFS Local Denial of Service
  • Description: Sun Solaris 10 is prone to a local denial of service issue because the kernel fails to handle corrupted data structures during the mount operation which results in a kernel page fault and subsequently leads to a loss of data or corruption of the local filesystem. Solaris 10 on the ia32/x86 architecture is susceptible, while previous versions may be affected as well.
  • Ref: http://projects.info-pull.com/mokb/MOKB-04-11-2006.html

  • 06.45.22 - CVE: CVE-2006-4806,CVE-2006-4807,CVE-2006-4808,CVE-2006-4809
  • Platform: Unix
  • Title: imlib2 Library Multiple Image Format Arbitrary Code Execution
  • Description: imlib2 is a library to view and render various types of images. It is prone to an arbitrary code execution issue due to insufficient sanitization of ARGB, JPG, LBM, PNG, PBM, TGA and TIFF images. imlib2 versions 1.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20903/info

  • 06.45.23 - CVE: CVE-2006-5779
  • Platform: Unix
  • Title: OpenLDAP Server Bind Request Denial of Service
  • Description: OpenLDAP server is prone to denial of service issue because the server fails to handle malicious bind requests. OpenLDAP version 2.2.29 rev 1.134 fixes the issue.
  • Ref: http://www.securityfocus.com/bid/20939

  • 06.45.24 - CVE: Not Available
  • Platform: Unix
  • Title: Network Administration Visualized Local Directory Traversal
  • Description: Network Administration Visualized (NAV) is a computer network monitoring application. It is prone to a local unspecified directory traversal issue. NAV versions prior to 3.1.1 are affected.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=461986

  • 06.45.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Essentia Web Server GET and HEAD Requests Remote Buffer Overflow
  • Description: Essentia Web Server is an HTTP server. Insufficient sanitization of the "GET" and "HEAD" requests larger than 6000 bytes exposes the application to a remote buffer overflow issue. Essentia Web Server version 2.15 is affected.
  • Ref: http://www.securityfocus.com/bid/20910/info

  • 06.45.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ELOG EL_Submit Function Remote Format String
  • Description: ELOG is a web log application written for use on multiple platforms. The application is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before passing it to the "el_submit()" function. ELOG version 2.0.2 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20876

  • 06.45.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Acme thttpd Insecure Temporary Logfile Creation
  • Description: thttpd is a tiny Web server written for Unix platforms. It creates temporary log files in an insecure manner. An attacker with local access could potentially exploit this issue to overwrite files in the context of the Web server process. Versions prior to 2.23 beta 1 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20891

  • 06.45.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OWFS Owserver File Path Denial of Service
  • Description: OWFS Owserver allows 1-wire devices to appear as if they were files in a directory on Linux and POSIX systems. It is prone to a denial of service issue because it fails to handle invalid file paths passed to "owshell" shell code applications. OWFS Owserver version 2.5p5 is susceptible, while others may also be affected.
  • Ref: http://www.securityfocus.com/bid/20953

  • 06.45.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSSH Privilege Separation Key Signature Weakness
  • Description: OpenSSH is susceptible to a weakness that may allow attackers to authenticate without proper key signatures. This issue is due to a design error between privileged processes and their child processes. OpenSSH versions 4.4 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20956


  • 06.45.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Notes User.ID File Key Information Disclosure
  • Description: IBM Lotus Notes is an email client/server application. It is vulnerable to a local information disclosure issue because unauthenticated remote attackers may retrieve sensitive User.ID keyfile information from an unencrypted "names.nsf" database. IBM Lotus Notes versions prior to 6.5.5 FP2 and 7.0.2 are vulnerable.
  • Ref: http://www.fortconsult.net/images/pdf/lotusnotes_keyfiles.pdf

  • 06.45.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Multiple TuneKrnl Local Privilege Escalation Vulnerabilities
  • Description: Lotus Domino is a client/server product designed for collaborative working environments. Domino is designed for email, scheduling, instant messaging, and data-driven applications. It is exposed to multiple local privilege escalation issues. These issues are due to a failure of the application to properly bounds check user-supplied input prior to copying it to insufficiently sized memory buffers. IBM Lotus Domino versions earlier than 6.5.5 Fix Pack 2 and 7.0.2 are affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21249173

  • 06.45.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GNU GV Stack Buffer Overflow
  • Description: GNU GV is a PostScript and PDF file viewer. It is prone to a stack based buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized memory buffer. GNU GV version 3.6.2 is susceptible, while others may also be affected.
  • Ref: http://www.securityfocus.com/bid/20978

  • 06.45.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Unicore Client Keystore File Insecure File Permissions
  • Description: Unicore Client is a client side component for the Uniform Interface to Computing Resources (UNICORE). Unicore Client is prone to an insecure file permission vulnerability. The issue is caused due to the use of insecure file permissions on the "keystore" file. Versions prior to 5.6 build 5 are vulnerable to this issue.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=461942

  • 06.45.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IP-Atlas Plot.PHP Cross-Site Scripting
  • Description: IP-Atlas is a geographical DNS tool written in PHP. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied URI input to the "address" parameter of the "plot.php" script. IP-Atlas version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20884

  • 06.45.36 - CVE: CVE-2006-5771
  • Platform: Web Application - Cross Site Scripting
  • Title: Arkoon SSL360 Unspecified Cross-Site Scripting
  • Description: Arkoon SSL360 is a VPN security appliance available for various operating systems. It is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Versions 2.0/2 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20890

  • 06.45.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Simplog Archive.PHP PID Parameter Cross-Site Scripting
  • Description: Simplog is a web log application. It is prone to a cross-site scripting vulnerability due to insufficient input sanitization of the "pid" parameter of the "archive.php" script. Version 0.9.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20900

  • 06.45.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: admin.tool CMS Multiple Cross-Site Scripting Vulnerabilities
  • Description: admin.tool is a content manager. It is exposed to multiple cross-site scripting issues because the application fails to sanitize user-supplied input to the "fSid" and "FSrcBegriffe" parameters before being returned to the user. Version 3 is affected by this issue.
  • Ref: http://www.securityfocus.com/bid/20905

  • 06.45.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IpManager Index.PHP Cross-Site Scripting
  • Description: IpManager is a DNS management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "errno" parameter of the "index.php" script. IpManager version 2.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20952/

  • 06.45.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Kayako SupportSuite Index.PHP Cross-Site Scripting
  • Description: Kayako SupportSuite is a web-based customer service application. It is prone to a cross-site scripting vulnerability due to insufficient input sanitization of the "index.php" script. Version 3.00.32 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20954

  • 06.45.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Immediacy .NET CMS Logon.ASPX Cross-Site Scripting
  • Description: Immediacy CMS is a content management system implemented in ASP. The application is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input to the "lang" parameter of the "logon.aspx" script. Version 5.2 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20965

  • 06.45.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Article Script RSS.PHP SQL Injection
  • Description: Article Script is an application that allows users to add content to their website. The application is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "category" parameter of the "rss.php" script. Article Script 1.6.3 and prior versions are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/450678

  • 06.45.43 - CVE: CVE-2006-1773
  • Platform: Web Application - SQL Injection
  • Title: PHPKIT Popup.PHP SQL Injection
  • Description: PHPKIT is a web-based e-learning and course management application implemented in PHP. PHPKIT is prone to an SQL injection vulnerability from failing to properly sanitize the "path" parameter of the "path.php" script. Version 1.6 RC2 and prior versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20911

  • 06.45.44 - CVE: CVE-2006-5802
  • Platform: Web Application - SQL Injection
  • Title: Webdrivers Simple Forum Message_details.PHP SQL Injection
  • Description: Webdrivers Simple Forum is a web forum implemented in PHP. The application is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "message_details.php" script.
  • Ref: http://www.securityfocus.com/bid/20937

  • 06.45.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Portix-PHP Multiple SQL Injection Vulnerabilities
  • Description: Portix-PHP is a content management application implemented in PHP. The application is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input to the "username" and "password" parameters of the login page. Portix version 0.4.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20974

  • 06.45.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ASPired2Poll MoreInfo.ASP SQL Injection
  • Description: ASPired2Poll is a web-based polling application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "MoreInfo.asp" script. ASPired2Poll versions 1.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20987

  • 06.45.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: OmniStar Article Manager Multiple SQL Injection Vulnerabilities
  • Description: OmniStar Article Manager is a content management application. It is prone to multiple SQL injection vulnerabilities due to insufficient input sanitization of several parameters and scripts. All known versions are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/20990

  • 06.45.48 - CVE: Not Available
  • Platform: Web Application
  • Title: EggBlog Multiple HTML Injection Vulnerabilities
  • Description: EggBlog is a web log application. It is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. These issues affect version 3.1.0.
  • Ref: http://www.securityfocus.com/bid/20924

  • 06.45.49 - CVE: Not Available
  • Platform: Web Application
  • Title: @cid Stats Install.PHP3 Remote File Include
  • Description: @cid Stats program is a website statistics application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "repertoire" parameter of the "install.php3" script. @cid Stats version 2.3 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/450676

  • 06.45.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Xoops NewList.PHP Cross-Site Scripting
  • Description: Xoops is portal software. It is prone to a cross-site scripting issue because it fails to sanitize user-supplied input to the "newdownloadshowdays" parameter of the "modules/wfdownloads/newlist.php" script. Xoops version 1.0 is vulnerable. Other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/20927

  • 06.45.51 - CVE: CVE-2006-5760
  • Platform: Web Application
  • Title: PHPDynaSite Multiple Remote File Include Vulnerabilities
  • Description: PHPDynaSite is a content manager implemented in PHP. Multiple remote file include vulnerabilities affect PHPDynaSite because it fails to sufficiently sanitize user-supplied input to the "racine" parameter of several scripts.
  • Ref: http://www.securityfocus.com/bid/20921

  • 06.45.52 - CVE: Not Available
  • Platform: Web Application
  • Title: SazCart CART.PHP Remote File Include
  • Description: SazCart is a shopping cart implemented in PHP. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "_saz[settings][shippingfolder]" parameter of the "cart.php" script. SazCart 1.5 and prior versions are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20922

  • 06.45.53 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenSolution Quick.Cms.Lite Local File Include
  • Description: Quick.Cms.Lite is a content manager application. Insufficient sanitization of the "sLanguage" cookie parameter of the "index.php" script exposes the application to a local file include issue. Quick.Cms.Lite versions 0.3 and earlier are affected.
  • Ref: http://downloads.securityfocus.com/vulnerabilities/exploits/quick-cms-lite-lfi.txt

  • 06.45.54 - CVE: Not Available
  • Platform: Web Application
  • Title: NewP News Publishing System Class.Database.PHP Remote File Include
  • Description: NewP News Publishing System is a news manager for websites. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "path" parameter of "class.Database.php". NewP version 1.0.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20893

  • 06.45.55 - CVE: Not Available
  • Platform: Web Application
  • Title: ELOG Multiple Cross-Site Scripting Vulnerabilities
  • Description: ELOG is a web log application. It is prone to multiple cross-site scripting issues because it fails to sanitize user-supplied URI input to the "Type" and "Category" parameters. ELOG version 2.6.2 is vulnerable. Other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/20882

  • 06.45.56 - CVE: Not Available
  • Platform: Web Application
  • Title: FreeWebShop Index.PHP Directory Traversal
  • Description: FreeWebShop is a web-based shopping cart application. It is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input to the "page" parameter of "index.php". Version 2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/20888

  • 06.45.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Yazd Discussion Forum Insecure Default Permission Handling
  • Description: Yazd Discussion Forum is a Java-based online forum application. It is vulnerable to multiple insecure default permission handling vulnerabilities due to a design issue. Yazd Discussion Forum versions 2.9 and earlier are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=460547

  • 06.45.58 - CVE: Not Available
  • Platform: Web Application
  • Title: RapidKill Arbitrary File Upload
  • Description: RapidKill is a web-based download application. It is affected by an arbitrary file upload vulnerability because it fails to verify the content of uploaded files, which are placed in the document root of the webserver. RapidKill version 5.7 is affected.
  • Ref: http://www.securityfocus.com/bid/20896/info

  • 06.45.59 - CVE: Not Available
  • Platform: Web Application
  • Title: PostNuke PNUser.PHP Local File Include
  • Description: PostNuke is a content management system. It is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "lang" parameter of the "includes/pnUser.php" script. Versions 0.763 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20897

  • 06.45.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Modx CMS Thumbnail.PHP Remote File Include
  • Description: Modx CMS is a content manager application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "filename" parameter of the "gestion/savebackup.php" script. Modx CMS versions 0.9.2.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20898

  • 06.45.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Simplog BlogID Parameter Multiple SQL Injection Vulnerabilities
  • Description: Simplog is a web log application. It is prone to multiple SQL injection issues because it fails to sanitize user-supplied input to the "blogid" parameter of "archive.php" and "index.php". Simplog version 0.9.3 is vulnerable. Other versions may also be vulnerable.
  • Ref: http://www.securityfocus.com/bid/20899

  • 06.45.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Advanced GuestBook Admin.PHP Remote File Include
  • Description: Advanced GuestBook for phpBB is a guestbook application implemented in PHP. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "include_path" variable of "admin.php". Version 2.3.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/20902

  • 06.45.63 - CVE: Not Available
  • Platform: Web Application
  • Title: MDPro PNSVLang Parameter Local File Include
  • Description: MDPro is a content management system implemented in PHP. The application is prone to a local file include vulnerability because it fails to properly sanitize user-supplied input to the "PNSVlang" parameter of the "error.php" script. Versions 1.0.76 and prior are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20912

  • 06.45.64 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 GSitemap.PHP Local File Include
  • Description: e107 is a content management system. Insufficient sanitization of the "e107language_e107cookie" parameter of the "gsitemap.php" script exposes the application to a local file include issue. e107 versions 0.7.5 and prior are affected.
  • Ref: http://downloads.securityfocus.com/vulnerabilities/exploits/20913.pl

  • 06.45.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Drake CMS XHTML.PHP Remote File Include
  • Description: Drake CMS is a content manager. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "d_root" parameter of the "xhtml.php" script. Versions 0.2.2.846 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20914

  • 06.45.66 - CVE: Not Available
  • Platform: Web Application
  • Title: AIOCP Multiple Input Validation Vulnerabilities
  • Description: All In One Control Panel (AIOCP) is a content management system. Insufficient sanitization of user-supplied data exposes the application to multiple cross-site scripting, SQL injection, information disclosure and file include issues. AIOCP versions 1.3.007 and prior are affected.
  • Ref: http://www.securityfocus.com/archive/1/450701

  • 06.45.67 - CVE: Not Available
  • Platform: Web Application
  • Title: DeltaScripts PHP Classifieds Detail.PHP SQL Injection
  • Description: DeltaScripts PHP Classifieds is an application for posting classified ads on the web. It is prone to an SQL injection issue because it fails to sanitize user-supplied data to the "user_id" parameter of the "detail.php" script file before using it in an SQL query. DeltaScripts PHP Classifieds versions 7.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/20935

  • 06.45.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Ultimate PHP Board Header_simple.PHP Remote File Include
  • Description: Ultimate PHP Board is a bulletin board. It is prone to a remote file include vulnerability due to insufficient input sanitization of the "_CONFIG[skin_dir]" parameter of the "header_simple.php" script. Versions 2.0 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20936

  • 06.45.69 - CVE: Not Available
  • Platform: Web Application
  • Title: phpComasy CMS Multiple HTML Injection Vulnerabilities
  • Description: phpComasy CMS is a content manager implemented in PHP. It is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input to the "Username" and "password" input boxes on the "index.php" script. These issues affect phpComasy CMS version 0.7.9pre and earlier versions.
  • Ref: http://www.securityfocus.com/bid/20938

  • 06.45.70 - CVE: CVE-2006-5775
  • Platform: Web Application
  • Title: FunkBoard Profile.PHP HTML Injection
  • Description: FunkBoard is an open source bulletin board and message system implemented in PHP. It is prone to an HTML injection vulnerability because it fails to sufficiently sanitize user-supplied input to the "name" parameter of the "profile.php" script. FunkBoard 0.71 is reported to be vulnerable.
  • Ref: http://www.funkboard.co.uk/forum/thread.php?id=312

  • 06.45.71 - CVE: Not Available
  • Platform: Web Application
  • Title: iWare Professional Remote Code Execution
  • Description: iWare Professional CMS is a web-based content manager implemented in PHP. iWare Professional CMS is prone to an arbitrary code execution vulnerability because it fails to properly sanitize user-supplied input to the "$message" variable of the "chat_log.php" script. iWare Professional 5.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/20947

  • 06.45.72 - CVE: Not Available
  • Platform: Web Application
  • Title: GreenBeast CMS Up_Loader.PHP Arbitrary File Upload
  • Description: GreenBeast CMS is a content management system. Insufficient sanitization in the "gbcms_php_file/up_loader.php" script exposes the application to an arbitrary file upload issue. GreenBeast CMS versions 1.3 and prior are affected.
  • Ref: http://newhack.org/advisories/GreenBeastCMS.txt

  • 06.45.73 - CVE: Not Available
  • Platform: Web Application
  • Title: iPrimal Forums Index.PHP Remote File Include
  • Description: iPrimal Industries iPrimal Forums is a web forum application. Insufficient sanitization of the "p" parameter in the "/admin/index.php" script exposes the application to a remote file include issue.
  • Ref: http://www.securityfocus.com/bid/20966/exploit

  • 06.45.74 - CVE: CVE-2006-5772, CVE-2006-5773
  • Platform: Web Application
  • Title: FreeWebShop Multiple Input Validation Vulnerabilities
  • Description: FreeWebShop is a shopping cart application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied data to various scripts. FreeWebShop versions 2.2 and earlier are vulnerable.
  • Ref: http://secunia.com/advisories/22786/, http://secunia.com/advisories/22664/

  • 06.45.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Abarcar Realty Portal Multiple SQL Injection Vulnerabilities
  • Description: Abarcar Realty Portal is a web portal application. It is prone to multiple SQL injection issues because it fails to sanitize user-supplied input to the "neid" parameter in the "newsdetails.php" script and the "slid" parameter in the "slistl.php" script. Abarcar Realty Portal versions 6.0.1 and 5.1.5 are affected.
  • Ref: http://www.securityfocus.com/bid/20970

  • 06.45.76 - CVE: Not Available
  • Platform: Web Application
  • Title: KnowledgeBuilder visEdit_Control.Class.PHP Remote File Include
  • Description: KnowledgeBuilder is a web-based FAQ and solution application implemented in PHP. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "visEdit_root" parameter of the "visEdit_control.class.php" script. Version 2.2 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/20857

  • 06.45.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Portix-PHP Multiple HTML Injection Vulnerabilities
  • Description: Portix-PHP is a content manager. Insufficient sanitization of the "titre" and "auteur" input boxes exposes the application to an HTML injection issue. Portix-PHP version 0.4.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/450935

  • 06.45.78 - CVE: Not Available
  • Platform: Web Application
  • Title: Speedywiki Multiple Input Validation
  • Description: Speedwiki is a wiki. It is exposed to multiple input validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input. Version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/20976

  • 06.45.79 - CVE: Not Available
  • Platform: Web Application
  • Title: GimeScripts Shopping Catalog Index.PHP Remote File Include
  • Description: Shopping Catalog is a web-based shopping cart application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "custom" parameter of the "index.php" script. Shopping Catalog versions 0.9.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/20979/info

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.