
@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 47
November 27, 2006

A lot of security problems this week that the vendors have not confirmed or patched: Safari (Apple OS/X) users are vulnerable to a remote exploit that gives the attacker kernel level privileges. (#1) Even though it would be a little inconvenient, Safari users probably should turn off "Open Safe Files" until Apple acknowledges and fixes the problem. Another buffer overflow was found in CA BrightStor ARCserve. See #3 below to find a list of ports to block. European and Asian organizations that are using ACER computers should set the killbit for the LunchApp.APlunch ActiveX control. (See #2 for instructions) Also, another Netgear wireless card buffer overflow - allowing computers to be taken over even if they are not connected to a router. (#7) Exploit code has been posted.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform / Category                       # of Updates & Vulnerabilities
- ------------------------------------    ------------------------------
Windows                                   2
Third Party Windows Apps                  3 (#2, #6)
Mac OS                                    2 (#1)
Linux                                     3
BSD                                       1
Unix                                      1 (#5)
Cross Platform                            5 (#3, #4, #7)
Web Application - Cross Site Scripting    5
Web Application - SQL Injection           6
Web Application                           23
Network Device                            3

****************** TRAINING QUOTE OF THE WEEK *************************

"This program really taught me the skills I needed to immediately improve the processes where I work." Karissa Truitt, AT&T Government Solutions

Find the full schedule of upcoming SANS training programs at http://www.sans.org/training_events/?ref=1433

************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
BSD
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

************************ SPONSORED LISTINGS ***************************

1) The SANS Secure Storage & Encryption Summit, December 6-7, provides you with concrete, actionable information you can deploy as soon as you return to work. http://www.sans.org/info/1936

2) Disk encryption with SafeGuard®Easy software provides the ultimate in laptop security. http://www.sans.org/info/1941

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Mac OS X Disk Image Kernel Memory Corruption
  • Affected:
    • Mac OS X current version and possibly all prior versions
  • Description: The "Month of Kernel Bugs (MoKB)" project has disclosed a memory corruption flaw in Mac OS X that is triggered when the kernel mounts a specially crafted disk image (DMG) file. The vulnerability can be exploited to execute arbitrary code with kernel privileges. Note that the flaw can be exploited remotely via the Safari browser: Safari, in its default configuration, treats disk image files as "safe" and opens (mounts) them automatically after download. Hence, a website serving a malicious disk image file can compromise a Mac OS X client without any further user interaction. A proof-of-concept exploit has been publicly posted.

  • Status: Apple has not confirmed the flaw; no updates are available. The remote attack vector via Safari can be mitigated by turning off the "Open Safe Files" feature in Safari (this does not remove the kernel flaw itself; a user who manually opens a hostile DMG is still exposed). With this feature off, the user will be prompted before opening downloaded files such as movies and PDFs. Council Site Actions: Only one of the responding council sites uses the affected software. They have Safari configured with "Open safe files" turned off and will deploy the patches when they become available.

  • References:
  • (2) HIGH: Acer Notebooks ActiveX Control Arbitrary Command Execution
  • Affected:
    • All Acer Notebooks running Windows
  • Description: Acer, a Taiwan based company, is a leading notebook producer with a dominant presence in the Europe, Middle East and Africa (EMEA) market. Acer notebooks ship with a "LunchApp.APlunch" ActiveX control that is marked as safe for scripting. This ActiveX control exposes a "Run" method that can be used to run any command (with arbitrary parameters) on an Acer notebook remotely. A specially crafted webpage or HTML email can exploit this flaw to compromise Acer notebooks. The discoverer has posted a proof-of-concept exploit and confirmed the presence of this ActiveX control on an older as well as a more recent Acer model.

  • Status: Acer has not confirmed. A workaround is to set the kill bit for the LunchApp.APlunch ActiveX control's class identifier (CLSID): D9998BD0-7957-11D2-8FED-00606730D3AA. Setting the kill bit prevents Internet Explorer (and other hosts that honour it) from instantiating the control, so scripted pages can no longer reach its "Run" method.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
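The kill bit is applied by creating a "Compatibility Flags" DWORD with value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The following program is an added example (it is not part of this issue, nor Acer or Microsoft code) that validates a CLSID string and emits a .reg file applying the kill bit to it; the Wow6432Node key it also writes is the equivalent location that 32-bit Internet Explorer consults on 64-bit Windows. The CLSID used in main() is the one from the advisory above.

```c
/* Added example: emit a Windows .reg fragment that sets the ActiveX kill bit
 * for a CLSID. The registry location and the 0x400 flag value are the
 * documented kill-bit mechanism; the function names are our own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KILLBIT_FLAG 0x00000400u

/* Validate the textual form of a CLSID: 8-4-4-4-12 hex digits, no braces. */
int clsid_is_valid(const char *s)
{
    static const int groups[] = {8, 4, 4, 4, 12};
    size_t pos = 0;
    for (int g = 0; g < 5; g++) {
        if (g > 0) {
            if (s[pos] != '-') return 0;
            pos++;
        }
        for (int i = 0; i < groups[g]; i++, pos++) {
            if (!isxdigit((unsigned char)s[pos])) return 0;
        }
    }
    return s[pos] == '\0';
}

/* Write the .reg text (CRLF line endings, as regedit expects) for one CLSID
 * into out. Returns the number of bytes written, or -1 on a bad CLSID or a
 * buffer that is too small. */
int killbit_reg_text(const char *clsid, char *out, size_t outlen)
{
    if (!clsid_is_valid(clsid)) return -1;
    int n = snprintf(out, outlen,
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
        "ActiveX Compatibility\\{%s}]\r\n"
        "\"Compatibility Flags\"=dword:%08x\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\"
        "ActiveX Compatibility\\{%s}]\r\n"
        "\"Compatibility Flags\"=dword:%08x\r\n",
        clsid, KILLBIT_FLAG, clsid, KILLBIT_FLAG);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

int main(void)
{
    char buf[1024];
    /* CLSID of the LunchApp.APlunch control, taken from the advisory text. */
    const char *acer = "D9998BD0-7957-11D2-8FED-00606730D3AA";
    if (killbit_reg_text(acer, buf, sizeof buf) < 0) {
        fputs("bad CLSID\n", stderr);
        return 1;
    }
    fputs(buf, stdout);   /* redirect to killbit.reg and import with: regedit /s killbit.reg */
    return 0;
}
```

After importing the file, confirm the value with regedit or "reg query" and re-test with the discoverer's proof-of-concept page: Internet Explorer should refuse to create the object.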
  • (4) MODERATE: RealNetworks Helix DNA Server Unspecified Buffer Overflow
  • Affected:
    • Helix DNA Server versions 11.0 and 11.1
  • Description: RealNetworks Helix DNA Server, a popular media streaming server, contains a heap-based buffer overflow. According to the discoverer, the flaw can be exploited to execute arbitrary code with the privileges of the server process, often root. No technical details about the vulnerability have been publicly released yet. The exploit details are reportedly available to subscribers of the "vulndisco" pack.

  • Status: Vendor not confirmed.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Other Software
  • (5) HIGH: GNU Radius Format String Vulnerability
  • Affected:
    • GNU Radius versions prior to 1.4
  • Description: GNU Radius is a server for user authentication and accounting. The server supports SQL databases for authentication and accounting. The RADIUS server contains a format string vulnerability when it is compiled with a SQL back-end and SQL accounting is turned on: attacker-controlled data from accounting requests reaches a printf-style function as the format argument. The flaw can be exploited by unauthenticated attackers to execute arbitrary code on the server, typically with root privileges. The technical details can be extracted by diffing the fixed and the vulnerable versions of the server source code.

  • Status: GNU has released version 1.4 to fix this flaw. Note that the FreeBSD and Gentoo Linux versions are vulnerable in their default configuration.

  • References:
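The bug class in #5 is easy to recognise in an audit once you know the shape. The program below is an added example (it is not GNU Radius code; the "accounting record" input and the function names are constructed for illustration) showing the vulnerable logging idiom beside its one-token fix and a small helper for flagging untrusted strings that carry conversion directives. The vulnerable function is only exercised with a "%%" record, which is defined behaviour; a record containing "%x" or "%n" would make the same call read or write through the stack, which is the arbitrary code execution the advisory describes.

```c
/* Added example of a format string vulnerability and its fix; not GNU Radius
 * code. log_format() stands in for any printf-family wrapper a daemon uses
 * to log into syslog or a file. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logging wrapper: formats into out exactly like snprintf would. */
static int log_format(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the untrusted record *is* the format string. Any %x, %s or %n
 * in it is honoured against whatever happens to be on the stack. */
int log_acct_vulnerable(const char *record, char *out, size_t outlen)
{
    return log_format(out, outlen, record);
}

/* FIXED: the format is a literal and the record is only an argument. */
int log_acct_fixed(const char *record, char *out, size_t outlen)
{
    return log_format(out, outlen, "%s", record);
}

/* Audit helper: does untrusted text contain a printf conversion directive?
 * "%%" is a literal percent sign and is not counted. */
int contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    /* Constructed RADIUS-style accounting text with a literal "%%" in it. */
    const char *rec = "Acct-Session-Id=deadbeef User-Name=100%%bob";
    log_acct_vulnerable(rec, buf, sizeof buf);
    printf("vulnerable: %s\n", buf);   /* "%%" was interpreted: one '%' survives */
    log_acct_fixed(rec, buf, sizeof buf);
    printf("fixed:      %s\n", buf);   /* record copied verbatim */
    printf("directive in \"%%x%%n\": %d\n", contains_format_directive("%x%n"));
    return 0;
}
```

The difference in the two outputs is the whole bug: in the vulnerable path the daemon let the client choose what the format engine does. The fix costs one string literal; the audit helper is a cheap pre-commit or log-ingest check, not a substitute for the fix.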
  • (7) HIGH: NetGear WG311v1 Wireless Driver SSID Buffer Overflow
  • Affected:
    • NetGear WG311v1 wireless driver version 2.3.1.10 and possibly prior
  • Description: The NetGear WG311v1 device driver, used to control NetGear wireless cards, contains a buffer overflow vulnerability. By sending a specially crafted 802.11 (WiFi) frame containing an overly long SSID, an attacker can trigger this overflow and take complete control of the vulnerable system with kernel privileges. No authentication is required, and attackers need only be within wireless range of the vulnerable system. Because the vulnerability lies in the processing of probe response frames, the victim does not need to connect to a malicious wireless network to be exploited; the card merely has to be enabled and scanning. This driver is primarily designed for Microsoft Windows systems, but it is believed to be compatible with the "NdisWrapper" framework, making it possible to run this driver under Linux (and possibly other operating systems) on x86 hardware. This vulnerability was discovered as part of a project to find bugs in various operating systems' kernels. A working exploit is available. This vulnerability is similar to several discovered in other NetGear wireless device drivers that were documented in a previous issue of @RISK (see also items 06.47.52 and 06.47.53 in Part II).

  • Status: NetGear has not confirmed, no updates available.

  • References:
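The WG311v1 SSID overflow in #7 and the MA521 and WG111v2 "long information element" overflows listed in Part II (06.47.52, 06.47.53) share one root cause: the driver copies an 802.11 information element into a fixed-size buffer using the length byte from the frame. The code below is an added example, not NetGear driver code or the MoKB exploit, of how a driver should walk the tagged IE list of a beacon or probe response: it rejects an IE whose declared length runs past the frame and an SSID longer than the 32-byte limit the standard allows. The frame bytes are constructed inside the example.

```c
/* Added example: bounds-checked parsing of 802.11 information elements.
 * Each IE is [id:1][len:1][data:len]; the SSID IE has id 0 and a maximum
 * legal length of 32 bytes. Copying IE data into a 32-byte buffer using the
 * frame's length byte (which can be up to 255) is the vulnerable pattern. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID  0
#define SSID_MAX 32

/* Result codes from extract_ssid(). */
enum { SSID_OK = 0, SSID_NOT_FOUND = 1, SSID_TOO_LONG = 2, SSID_TRUNCATED_IE = 3 };

/* Walk the IE list in [ies, ies+len) and copy the SSID into out, which must
 * hold SSID_MAX + 1 bytes (NUL terminated). Both rejections below are the
 * inputs the vulnerable drivers copied blindly. */
int extract_ssid(const uint8_t *ies, size_t len, char *out)
{
    size_t off = 0;
    out[0] = '\0';
    while (off + 2 <= len) {
        uint8_t id = ies[off];
        uint8_t ielen = ies[off + 1];
        if (off + 2 + ielen > len)
            return SSID_TRUNCATED_IE;   /* length claims bytes the frame lacks */
        if (id == IE_SSID) {
            if (ielen > SSID_MAX)
                return SSID_TOO_LONG;   /* the check the drivers were missing */
            memcpy(out, ies + off + 2, ielen);
            out[ielen] = '\0';
            return SSID_OK;
        }
        off += 2 + ielen;               /* skip IEs we do not care about */
    }
    return SSID_NOT_FOUND;
}

/* Build a minimal beacon/probe-response IE list with an SSID of ssid_len
 * 'A' bytes followed by a Supported Rates IE (constructed test data).
 * Returns the number of bytes written, or 0 if buf is too small. */
size_t build_ies(uint8_t *buf, size_t buflen, size_t ssid_len)
{
    static const uint8_t rates[] = { 1, 4, 0x82, 0x84, 0x8b, 0x96 };
    if (ssid_len > 255 || buflen < 2 + ssid_len + sizeof rates) return 0;
    buf[0] = IE_SSID;
    buf[1] = (uint8_t)ssid_len;
    memset(buf + 2, 'A', ssid_len);
    memcpy(buf + 2 + ssid_len, rates, sizeof rates);
    return 2 + ssid_len + sizeof rates;
}

int main(void)
{
    uint8_t frame[300];
    char ssid[SSID_MAX + 1];
    size_t n = build_ies(frame, sizeof frame, 200);   /* hostile: 200-byte SSID */
    printf("200-byte SSID -> rc=%d\n", extract_ssid(frame, n, ssid));
    n = build_ies(frame, sizeof frame, 6);            /* benign: "AAAAAA" */
    printf("6-byte SSID   -> rc=%d ssid=\"%s\"\n", extract_ssid(frame, n, ssid), ssid);
    return 0;
}
```

The same two checks (IE length against remaining frame, then against the element's own maximum) apply to every IE a driver parses, which is why one missing check per element type produced a whole family of NetGear advisories. Until a fixed driver ships, the only reliable mitigation is to disable the card where it is not needed, since a scanning card processes these frames without user action.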
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 47, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5283 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.47.1 - CVE: Not Available
  • Platform: Windows
  • Title: XMPlay Playlist Files Remote Buffer Overflow
  • Description: XMPlay is a media player. It is vulnerable to a buffer overflow when parsing playlist files due to insufficient sanitization of user-supplied data. XMPlay 3.3.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/21206/info

  • 06.47.2 - CVE: Not Available
  • Platform: Windows
  • Title: Novell Client Unspecified NWSPOOL.DLL Buffer Overflow
  • Description: Novell Client is vulnerable to an unspecified buffer overflow in NWSPOOL.DLL. Novell Client version 4.91 is vulnerable. See the advisory for further details.
  • Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974765.htm

  • 06.47.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Conti FTP Insecure Default Accounts and Directory Traversal Vulnerabilities
  • Description: Conti FTP is a file transfer protocol server. It is vulnerable to directory traversal and insecure default account issues. Conti FTP version 1.0 is vulnerable. See the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/21174

  • 06.47.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Tftpd32 Filename Remote Buffer Overflow
  • Description: Tftpd32 is a TFTP server for Windows. It is prone to a buffer overflow vulnerability because it fails to do bounds checking on user-supplied filenames. Tftpd32 version 3.01 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21148

  • 06.47.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Knownsoft Turbo Searcher ARJ File Handling Buffer Overflow
  • Description: Turbo Searcher is a utility that can search for files on the local machine or machines accessible over a local area network. It is prone to a buffer overflow vulnerability when handling malformed ARJ archives. Version 3.30 build 052705 of Turbo Searcher Standard and Network Editions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21208

  • 06.47.6 - CVE: CVE-2006-4413
  • Platform: Mac Os
  • Title: Apple Remote Desktop Insecure Default Package Permission
  • Description: Apple Remote Desktop is a commercially available package designed to allow administrators to remotely configure and control Apple computers. It is prone to insecure default permissions, as attackers with local access to the server computer may modify the contents of the packages. Version 3.0 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21139


  • 06.47.8 - CVE: Not Available
  • Platform: Linux
  • Title: Dovecot IMAP Server Mapped Pages Off-By-One Buffer Overflow
  • Description: Dovecot is an open-source IMAP server. It is vulnerable to an off-by-one buffer overflow when updating the "mapped pages" bitmask buffer under certain conditions. Dovecot IMAP server versions 1.0test53 to 1.0.rc14 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/452081

  • 06.47.9 - CVE: Not Available
  • Platform: Linux
  • Title: Kile Backup File Insecure File Permissions
  • Description: Kile is a TeX/LaTeX editor for the KDE desktop. The application is prone to an insecure file permission vulnerability. Specifically, backup files are created with default permissions regardless of the restrictions on the original file. Versions prior to 1.9.3 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/21200

  • 06.47.10 - CVE: Not Available
  • Platform: Linux
  • Title: Apache mod_auth_kerb Off By One Denial of Service
  • Description: The mod_auth_kerb Apache module is prone to an off-by-one buffer overflow that results in a denial of service condition. mod_auth_kerb versions 5.0, 5.1, and 5.2 are vulnerable.
  • Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206736

  • 06.47.11 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD LD.SO Local Environment Variable Clearing
  • Description: OpenBSD is prone to a local vulnerability that may allow attackers to pass malicious environment variables to applications, bypassing expected security restrictions. Specifically, the "ld.so" dynamic linker fails to properly clear environment variables in certain circumstances. This issue affects OpenBSD 3.9 and 4.0.
  • Ref: http://www.securityfocus.com/bid/21188

  • 06.47.12 - CVE: Not Available
  • Platform: Unix
  • Title: IBM OS/400 ASN.1 Parser Multiple Unspecified Vulnerabilities
  • Description: IBM OS/400 is prone to multiple unspecified vulnerabilities in the ASN.1 parsing mechanism. OS/400 V5R3M0 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21189

  • 06.47.13 - CVE: CVE-2006-5868
  • Platform: Cross Platform
  • Title: ImageMagick SGI Image File Unspecified Remote Heap Buffer Overflow
  • Description: ImageMagick is a cross-platform image-editing suite. It is prone to an unspecified remote heap buffer overflow. Versions in the 6.x series, up to version 6.2.8, are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21185

  • 06.47.14 - CVE: CVE-2006-3093
  • Platform: Cross Platform
  • Title: Acrobat Reader DLL Multiple Denial Of Service Vulnerabilities
  • Description: Adobe Acrobat Reader is a viewer for PDF documents. It is vulnerable to multiple unspecified denial of service issues. See the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/21155/info

  • 06.47.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Multiple Vulnerabilities
  • Description: IBM WebSphere Application Server is an application server for enterprise Java web applications. It is exposed to multiple unspecified issues. For example, there is a security exposure with an unknown impact and an unauthorized access issue affecting the registering of response operations. IBM WebSphere Application Server versions prior to 6.1.0.3 are affected.
  • Ref: http://www.securityfocus.com/bid/21204

  • 06.47.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Fuzzball MUCK Message Parsing Interpreter Buffer Overflow
  • Description: Fuzzball MUCK is a networked multi-user MUD server. It is prone to a buffer overflow vulnerability because the application fails to bounds-check user-supplied input to the Message Parsing Interpreter. Versions prior to 6.07 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21217

  • 06.47.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GNU Tar GNUTYPE_NAMES Remote Directory Traversal
  • Description: GNU Tar is an archiving utility for Unix platforms. It is prone to a directory traversal vulnerability when extracting malicious tar archives. The vulnerability exists in the "extract_archive()" function of "extract.c" and the "extract_mangle()" function of "mangle.c". An attacker may trigger this issue through the legacy "GNUTYPE_NAMES" record type. Versions 1.15 and 1.16 are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21235

  • 06.47.18 - CVE: CVE-2006-2311
  • Platform: Web Application - Cross Site Scripting
  • Title: CPanel DNSlook.HTML Cross-Site Scripting
  • Description: cPanel is a web-hosting control panel. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of the "dns" parameter of the "dnslook.html" page. cPanel version 10 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/451931

  • 06.47.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Travelsized CMS Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: Travelsized CMS is a database free content management system. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user supplied data to the "page", "page_id" and "language" parameters of the "index.php" script. Version 0.4.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/452007

  • 06.47.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: vBulletin Admin Control Panel Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: vBulletin is a web forum application implemented in PHP. It is prone to multiple cross-site scripting vulnerabilities due to insufficient sanitization of the "prefs" and "navprefs" parameters of the "admincp/index.php" script. Versions 3.6.0 to 3.6.3 are affected.
  • Ref: http://www.securityfocus.com/bid/21157

  • 06.47.21 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Bloo Googlespell_Proxy.PHP Cross-Site Scripting
  • Description: Bloo is a blog application. The application is vulnerable to a cross-site scripting issue because it fails to properly sanitize the "lang" parameter of the "googlespell_proxy.php" script. Version 1.00 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/451777

  • 06.47.22 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Eggblog Multiple Cross-Site Scripting Vulnerabilities
  • Description: Eggblog is a web-based blog application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input. Eggblog version 3.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/451863

  • 06.47.23 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Powie's PHP Forum EditPoll.PHP SQL Injection
  • Description: Powie PHP Forum (pForum) is a web forum application. It is exposed to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "editpoll.php" script file before using it in an SQL query. Versions 1.29a and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21144

  • 06.47.24 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Image Gallery with Access Database Multiple SQL Injection Vulnerabilities
  • Description: Image gallery with Access Database is a web-based application. It is prone to multiple SQL injection vulnerabilities because it fails to sanitize user-supplied data to multiple scripts. All versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21131

  • 06.47.25 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Oxygen O2PHP Bulletin Board ViewThread.PHP SQL Injection
  • Description: O2PHP Bulletin Board is exposed to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "pid" parameter of the "viewthread.php" script file before using it in an SQL query. Versions 1.1.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21172

  • 06.47.26 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Enthrallweb EClassifieds Multiple SQL Injection Vulnerabilities
  • Description: eClassifieds is an application implemented in ASP. The insufficient sanitization of user-supplied data exposes this application to multiple SQL injection issues. Enthrallweb eClassifieds 0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/452102

  • 06.47.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Gnews Publisher Multiple SQL Injection Vulnerabilities
  • Description: Gnews Publisher is a web-based publishing application. It is vulnerable to multiple SQL injection issues in various scripts. All versions are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/452116

  • 06.47.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Klf-Realty Multiple SQL Injection Vulnerabilities
  • Description: Klf-Realty is a web-based application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input. Klf-Design Klf-Realty 2.0 is affected.
  • Ref: http://klf-design.com/

  • 06.47.29 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPMyAdmin Multiple Input Validation Vulnerabilities
  • Description: PHPMyAdmin is a web-based database administration tool for MySQL databases. It is prone to multiple input validation vulnerabilities because the application fails to sanitize user-supplied input. All versions of PHPMyAdmin are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21137

  • 06.47.30 - CVE: Not Available
  • Platform: Web Application
  • Title: BirdBlog Multiple Cross-Site Scripting Vulnerabilities
  • Description: BirdBlog is a web log application. It is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input to various parameters of numerous scripts. BirdBlog version 1.4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21184

  • 06.47.31 - CVE: CVE-2006-5767
  • Platform: Web Application
  • Title: MyAlbum Language.Inc.PHP Remote File Include
  • Description: MyAlbum is a content manager application. Insufficient sanitization of "langs_dir" parameter of the "language.inc.php" script exposes this application to a remote file include issue. MyAlbum version 3.02 is affected.
  • Ref: http://www.securityfocus.com/archive/1/452140

  • 06.47.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Boonex Dolphin Index.php Remote File Include
  • Description: Dolphin is an online community application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input. Dolphin versions 5.1.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21182/info

  • 06.47.33 - CVE: Not Available
  • Platform: Web Application
  • Title: dev4U CMS Index.PHP Multiple Input Validation Vulnerabilities
  • Description: dev4u CMS is a content management system. It is prone to multiple input validation vulnerabilities because it fails to sanitize user-supplied data to multiple parameters of the "index.php" script. All versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21170

  • 06.47.34 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB2 PlusXL Functions.PHP Remote File Include
  • Description: phpBB2 PlusXL is a prepackaged fork of phpBB2. It is vulnerable to a remote file include issue due to insufficient sanitization of the "phpbb_root_path" parameter of the "includes/functions.php" script. phpBB2 PlusXL version 2.72 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/452012

  • 06.47.35 - CVE: Not Available
  • Platform: Web Application
  • Title: ActiveNews Manager Multiple Input Validation
  • Description: ActiveNews Manager is a content management system (CMS). The application is prone to multiple input validation issues because it fails to sanitize user-supplied data. Also a cross site scripting vulnerability affects the "query" parameter of the "activenews_search.asp" script.
  • Ref: http://www.securityfocus.com/bid/21167

  • 06.47.36 - CVE: Not Available
  • Platform: Web Application
  • Title: MosReporter Component Remote File Include
  • Description: The MosReporter component is a web-based component for the Mambo and Joomla content management systems. It is prone to a remote file include vulnerability because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "reporter.logic.php" script.
  • Ref: http://www.securityfocus.com/bid/21160

  • 06.47.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Dicshunary Check_Status.PHP Remote File Include
  • Description: Dicshunary is a web-based dictionary application. It is vulnerable to a remote file include issue due to insufficient sanitization of the "dischsunary_root_path" parameter of the "check_status.php" script. Dicshunary version 0.1 alpha is affected.
  • Ref: http://www.securityfocus.com/bid/21162/info

  • 06.47.38 - CVE: Not Available
  • Platform: Web Application
  • Title: Sage IMG Element Input Validation
  • Description: Sage is a newsfeed aggregator plugin for the Firefox browser. It is exposed to an input validation issue that allows malicious HTML and script code to be injected before it is used in dynamically generated content. Sage versions 1.3.8 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21164

  • 06.47.39 - CVE: Not Available
  • Platform: Web Application
  • Title: DoSePa Information Disclosure
  • Description: DoSePa is a download management application. It is vulnerable to an information disclosure issue due to insufficient sanitization of the "file" parameter of the "textview.php" script. DoSePa version 1.0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/21149

  • 06.47.40 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Upload Tool Arbitrary File Upload and Directory Traversal Vulnerabilities
  • Description: PHP Upload Tool is a web-based file management interface application. It is exposed to multiple issues, including arbitrary file upload and directory traversal. Version 1.0 is affected. Please refer to the link below for further details.
  • Ref: http://www.securityfocus.com/bid/21150

  • 06.47.41 - CVE: Not Available
  • Platform: Web Application
  • Title: 20/20 Auto Gallery Multiple SQL Injection Vulnerabilities
  • Description: 20/20 Auto Gallery is a web-based vehicle catalogue. It is prone to multiple SQL injection vulnerabilities because it fails to sanitize user-supplied input to various parameters of the "vechiclelisting.asp" script. 20/20 Applications Auto Gallery version 3.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21154

  • 06.47.42 - CVE: Not Available
  • Platform: Web Application
  • Title: mxBB Calsnails Module MX_Common.PHP Remote File Include
  • Description: The mxBB calsnails module is a module for the mxBB bulletin board. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "module_root_path" parameter of the "mx_common.php" script. mxBB version 1.06 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21143

  • 06.47.43 - CVE: Not Available
  • Platform: Web Application
  • Title: MG.Applanix APX_Root_Path Parameter Multiple Remote File Include Vulnerabilities
  • Description: MG.Applanix is a web-based rental property management application. It is vulnerable to a remote file include issue due to insufficient sanitization of user input to the "apx_root_path" parameter. MG.Applanix version 1.3.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/452138

  • 06.47.44 - CVE: Not Available
  • Platform: Web Application
  • Title: ASPNuke Register.ASP SQL Injection
  • Description: ASPNuke is web portal software. It is exposed to an SQL injection issue because it fails to sanitize user-supplied input to the "StateCode" parameter of "register.asp" before using it in an SQL query. ASPNuke versions 0.80 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/21195

  • 06.47.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Alt-N MDaemon Local Insecure Default Directory Permissions
  • Description: MDaemon is an email server developed for the Microsoft Windows operating system. It is exposed to a local insecure default directory permissions issue. Versions 9.0.5, 9.0.6, 9.51, and 9.53 are affected.
  • Ref: http://www.securityfocus.com/bid/21127

  • 06.47.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Etomite CMS Multiple Input Validation Vulnerabilities
  • Description: Etomite CMS is a content management system. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. Etomite CMS version 0.6.1.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/451838

  • 06.47.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Xtreme ASP Photo Gallery Multiple Input Validation Vulnerabilities
  • Description: Xtreme ASP Photo Gallery is a web-based photo gallery. It is prone to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. XtremeASP PhotoGallery version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/451786

  • 06.47.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Oliver LoginForm Inc.PHP Remote File Include
  • Description: Oliver is an FTP front-end. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "conf[motdfile]" parameter of the "loginform-inc.php" script. Version 1.2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21202

  • 06.47.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Rapid Classified Multiple Input Validation Vulnerabilities
  • Description: Rapid Classified is a web-based application. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to various scripts. Rapid Classified version 3.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/452088

  • 06.47.50 - CVE: Not Available
  • Platform: Web Application
  • Title: phpQuickGallery Remote File Include
  • Description: phpQuickGallery is a web gallery application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "textFile" parameter of the "gallery_top.inc.php" script. phpQuickGallery version 1.9 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/452012

  • 06.47.51 - CVE: CVE-2006-5733
  • Platform: Web Application
  • Title: PostNuke Error.PHP Local File Include
  • Description: PostNuke is a content manager. It is prone to a local file include issue because it fails to sanitize user-supplied input to the "PNSVlang" parameter of the "error.php" script. PostNuke 0.763 and prior versions are affected.
  • Ref: http://community.postnuke.com/Article2787.htm

  • 06.47.52 - CVE: Not Available
  • Platform: Network Device
  • Title: NetGear MA521 Wireless Driver Long Beacon Probe Buffer Overflow
  • Description: The NetGear MA521 wireless driver is affected by a stack-based buffer overflow because it fails to bounds-check data from received 802.11 frames before copying it into an insufficiently sized memory buffer. Version 5.148.724.2003 of the MA521nd5.SYS driver is affected.
  • Ref: http://www.kb.cert.org/vuls/id/395496

  • 06.47.53 - CVE: Not Available
  • Platform: Network Device
  • Title: NetGear WG111v2 Wireless Driver Long Beacon Buffer Overflow
  • Description: The NetGear WG111v2 wireless driver is vulnerable to a stack-based buffer overflow when it processes 802.11 Beacon frames containing excessively long information elements. Version 5.1213.6.316 of the WG111v2.SYS driver is vulnerable.
  • Ref: http://www.kb.cert.org/vuls/id/445753

  • 06.47.54 - CVE: Not Available
  • Platform: Network Device
  • Title: RealNetworks Helix DNA Server Unspecified Buffer Overflow
  • Description: RealNetworks Helix DNA Server is a freely available network server for multimedia content. It is vulnerable to a buffer overflow issue due to insufficient sanitization of user-supplied input. Helix DNA Server versions 11.0 and 11.1 are affected.
  • Ref: http://www.securityfocus.com/bid/21141/info

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.