@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 5
February 6, 2006

Last week was quiet for most sites, but Firefox and Mozilla had substantial vulnerabilities announced, as did Sygate Management Server, a security management system from Symantec. In addition, details that can be used to exploit elements of Oracle and Cisco products were published last week.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                   # of Updates & Vulnerabilities
    Windows                                    1
    Other Microsoft Products                   2 (#1, #4, #8)
    Third Party Windows Apps                   4
    Linux                                      3
    BSD                                        1
    Solaris                                    1
    Tru64                                      1
    Unix                                       2
    Cross Platform                             10 (#2, #5, #6)
    Web Application - Cross Site Scripting     16
    Web Application - SQL Injection            8 (#3)
    Web Application                            7
    Network Device                             1 (#7)
    Hardware                                   1

****************** SPONSORED BY SANS TRAINING **************************

World-Class Security Training Opportunities in the Next Few Weeks

SANS 2006 in Orlando (Feb 24- March 4) 36 tracks of extraordinary training - the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program. Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa

Or you can take SANS training anytime, anywhere with the new SANS On Demand. Details on these and other programs: www.sans.org

And the SCADA Security Summit is 76% full. If you want to attend, register this week. An amazing program. If you have any responsibility for control systems in industry or utilities - don't miss this program. http://www.sans.org/scadasummit06/

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
BSD
Solaris
Tru64
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

******************** SPONSORED LINKS *********************************

1) Free Webcast this week - WhatWorks in Intrusion Prevention Systems: "Guarding Sensitive Data with Financial Profiles Inc." Wednesday, February 08 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1014

2) Get a Free Online Demo Now! SANS On Demand - Online Security Training and Assessments http://www.sans.org/info.php?id=1015

***********************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohit Dhamankar and Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
Other Software
  • (3) HIGH: Symantec Sygate Management Server SQL Injection
  • Affected:
    • Sygate Management Server (SMS) version 4.1 build 1417 and prior
  • Description: Symantec Sygate Management Server, an enterprise product, is used to push security policies as well as software updates to workstations and servers. The SMS HTTP server contains a SQL injection vulnerability in its authentication servlet. An unauthenticated attacker can exploit this flaw to overwrite passwords for any SMS accounts (including Administrator) via a crafted HTTP request, and obtain control over the SMS server. Gaining access to the SMS server can be further leveraged to compromise the managed systems, resulting in an enterprise-wide compromise. The technical details required to craft the malicious HTTP request have not been posted.

  • Status: Symantec has released fixes for the SMS server. Access to the SMS server should be blocked from the Internet.

  • References:
  • (5) HIGH: CommuniGate Pro Server LDAP Multiple Vulnerabilities
  • Affected:
    • Communigate Pro Server version 5.06 and prior
  • Description: CommuniGate Pro is a multi-platform server that supports multiple protocols such as LDAP, RADIUS, IMAP, SIP, OP, HTTP, etc. The LDAP component contains multiple vulnerabilities that can be exploited by an unauthenticated attacker to crash the LDAP server and possibly execute arbitrary code. The test suite used for discovering the bugs is not publicly available.

  • Status: The vendor has released a new version 5.07 with the fix.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 5, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4857 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.5.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Internet Explorer Flash ActionScript JScript Handling Denial of Service
  • Description: Microsoft Internet Explorer is vulnerable to a denial of service issue when it handles a specially crafted call to the "document.write()" method that is executed through a VBScript procedure contained in ActionScript code of a Flash animation. A remote attacker may trigger a crash in the browser by enticing users to visit a malicious Web site. All current versions are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423675

  • 06.5.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer ActiveX Control Kill Bit Bypass
  • Description: Microsoft Internet Explorer does not properly check the kill bit on ActiveX controls. A remote attacker could construct an HTML page that bypasses the kill bit check on any embedded ActiveX controls within the page. This could allow an unsafe ActiveX control with a known vulnerability to be invoked. The impact of the vulnerability is dependent on the ActiveX control being invoked; however, consequences may range from denial of service to arbitrary code execution.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

  • 06.5.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer URLMon.DLL Denial of Service
  • Description: Internet Explorer is prone to a remote denial of service vulnerability. This issue is due to improper handling of user-supplied data. The problem occurs when the "urlmon.dll" attempts to parse a malformed HTML file containing a "BGSOUND SRC=file://----" where the "-" is repeated approximately 344 times. This issue affects version Internet Explorer 7.0 beta 2.
  • Ref: http://www.securityfocus.com/bid/16463

  • 06.5.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Nullsoft Winamp Malformed Playlist File Handling Remote Buffer Overflow
  • Description: Winamp is susceptible to a buffer overflow vulnerability. This issue presents itself when the application handles a specially-crafted playlist (.pls) file. A successful attack can corrupt process memory and facilitate arbitrary code execution. Winamp versions 5.12 and earlier are reportedly affected.
  • Ref: http://www.securityfocus.com/archive/1/423436

  • 06.5.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Adobe Multiple Unspecified Local Privilege Escalation Vulnerabilities
  • Description: Multiple unspecified Adobe products are susceptible to privilege escalation vulnerabilities. These issues are due to insecure permissions on unspecified executable files allowing unprivileged users to write to them. These issues allow unprivileged local users to execute arbitrary machine code with elevated privileges. Please visit the referenced link for a list of vulnerable products.
  • Ref: http://www.securityfocus.com/bid/16451/references

  • 06.5.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailEnable Professional EXAMINE Command Remote Denial of Service
  • Description: MailEnable is a commercially available mail server. It is prone to a remote denial of service vulnerability. The cause of this issue is not known. The vendor has reported that this vulnerability arises when the server handles the "EXAMINE" command. MailEnable Professional versions earlier than 1.72 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16457/

  • 06.5.7 - CVE: CVE-2005-3188
  • Platform: Third Party Windows Apps
  • Title: Nullsoft Winamp Malformed Playlist File WMA Extension Remote Buffer Overflow
  • Description: Winamp is a freely available media player from Nullsoft. It is susceptible to a buffer-overflow vulnerability. It fails to properly bounds-check input data before copying it into a fixed-size memory buffer. This issue presents itself when the application handles a specially crafted playlist (.pls, or .m3u) file containing excessively long filenames that have a ".wma" extension. Winamp version 5.094 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423685

  • 06.5.8 - CVE: CVE-2006-0035, CVE-2006-0036, CVE-2006-0037
  • Platform: Linux
  • Title: Linux Kernel Multiple Security Vulnerabilities
  • Description: The Linux kernel is prone to multiple vulnerabilities. These issues can allow attackers to trigger denial of service conditions or corrupt memory to potentially execute arbitrary code. If an attacker is able to execute arbitrary code due to memory corruption, a complete compromise is possible.
  • Ref: http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=15db34702cfafd24acc60295cf14861e497502ab

  • 06.5.9 - CVE: Not Available
  • Platform: Linux
  • Title: GIT Remote Buffer Overflow
  • Description: GIT is a directory content manager. It is vulnerable to a remote buffer overflow issue when a large symbolic link in an index file is processed in the "git-checkout-index" utility. GIT versions 1.1.4 and earlier are vulnerable.
  • Ref: http://lwn.net/Articles/169623/

  • 06.5.10 - CVE: Not Available
  • Platform: Linux
  • Title: Fcron Convert-FCronTab Local Buffer Overflow
  • Description: Fcron is a command scheduler daemon which comes with a utility named "convert-fcrontab" that performs crontab file format conversions. It is affected by a local buffer overflow issue due to a failure of the application to properly bounds-check user-supplied data. Fcron version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/16467

  • 06.5.11 - CVE: CVE-2006-0433
  • Platform: BSD
  • Title: FreeBSD TCP SACK Remote Denial of Service
  • Description: FreeBSD is susceptible to a remote denial of service vulnerability. This issue is due to a flaw in affected kernels that potentially results in an infinite loop condition when handling TCP SACK packets. Various releases of FreeBSD versions 5.3 and 5.4 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16466

  • 06.5.12 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Unspecified x86 64 Bit Local Denial of Service
  • Description: Sun Solaris is prone to a local denial of service issue which can cause a system panic. The issue affects Sun Solaris 10 running on 64-bit x86 computers.
  • Ref: http://www.securityfocus.com/bid/16460

  • 06.5.13 - CVE: Not Available
  • Platform: Tru64
  • Title: HP Tru64 DNS BIND Unspecified Remote Unauthorized Access
  • Description: HP Tru64 DNS BIND is prone to an unspecified remote unauthorized access vulnerability. The vendor has reported that this vulnerability can be exploited by attackers to gain remote unauthorized privileged access. Further details are not currently available.
  • Ref: http://www.securityfocus.com/bid/16455

  • 06.5.14 - CVE: CVE-2006-0528
  • Platform: Unix
  • Title: GNOME Evolution Inline XML File Attachment Buffer Overflow
  • Description: GNOME Evolution is an email client for the GNOME desktop. Evolution is prone to a remote denial of service vulnerability when processing email messages with excessively long strings in an inline XML file attachment. Due to the nature of this issue, arbitrary code execution could also arise, although this has not been confirmed.
  • Ref: http://www.securityfocus.com/bid/16408

  • 06.5.15 - CVE: CVE-2006-0351
  • Platform: Unix
  • Title: MyDNS DNS Query Denial of Service
  • Description: MyDNS is prone to a remote denial of service vulnerability. This issue is due to a failure in the application to properly handle malformed DNS queries. MyDNS versions prior to 1.1.0 are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/16431

  • 06.5.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Communigate Pro Server LDAP Denial of Service
  • Description: CommuniGate Pro is an Internet messaging server. CommuniGate Pro Server is prone to a remote denial of service vulnerability, reportedly due to an integer overflow in the LDAP Basic Encoding Rules (BER) handling; however, this has not been confirmed. Arbitrary code execution may also be possible through exploitation of this issue. CommuniGate Pro Server version 5.0.6 is vulnerable; earlier versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/16407/exploit

  • 06.5.17 - CVE: CVE-2006-0496
  • Platform: Cross Platform
  • Title: Firefox XBL -MOZ-BINDING Property Cross-Domain Scripting
  • Description: The Mozilla Firefox "-MOZ-BINDING" property is vulnerable to a security issue that could let a web page execute malicious script code in the context of an arbitrary domain. This is because the browser's Same Origin Policy is not enforced on the "-moz-binding" property. Mozilla Firefox versions 1.5 beta 2 and earlier are vulnerable.
  • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=324253

  • 06.5.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Pioneers Chat Buffer Denial of Service
  • Description: Pioneers is an Internet game acting as both client and server. It is prone to a remote denial of service vulnerability due to a failure in the application to handle exceptional conditions. The problem occurs when the server attempts to handle an excessively large chat buffer coming from a connected client. The server will either crash or send the buffer to other clients, causing vulnerable versions to crash. Pioneers version 0.9.40 is affected; other versions may also be vulnerable.
  • Ref: http://www.securityfocus.com/bid/16429

  • 06.5.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Grid Engine Local Privilege Escalation
  • Description: Sun Grid Engine is an open-source, distributed computing and resource management package. It is vulnerable to a local privilege-escalation issue due to an unspecified issue with the "utilbin/<arch>/rsh" binary. This issue allows local users to gain superuser privileges, facilitating the complete compromise of affected computers. Sun Grid Engine versions prior to 6.0u7_1 are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/16366/info

  • 06.5.20 - CVE: CVE-2005-4536
  • Platform: Cross Platform
  • Title: Mail-Audit Insecure Temporary File Creation
  • Description: Mail-Audit is a Perl library. With the logging feature enabled, Mail-Audit creates temporary files in an insecure manner which could cause local users to overwrite arbitrary files. Mail-Audit version 2.1 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/0378

  • 06.5.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AOL Client Software Unspecified Local Privilege Escalation
  • Description: AOL Client Software is used by subscribers of AOL's network service. It is affected by a local privilege escalation issue due to insecure permissions on a registry key. AOL client versions 8.0 and 9.0 are affected.
  • Ref: http://www.securityfocus.com/bid/16453

  • 06.5.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Autodesk Multiple Products Remote Unauthorized Access
  • Description: Autodesk is a suite of 3D mechanical design software. Multiple Autodesk products are prone to a remote unauthorized access vulnerability. The cause of this issue was not specified. The vendor has reported that this issue allows remote attackers to compromise a computer running an affected application. For more information please visit the referenced link.
  • Ref: http://www.securityfocus.com/bid/16472

  • 06.5.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Access Manager Local Authentication Bypass
  • Description: Sun Java System Access Manager is a security product that provides an authentication and authorization framework for various network services. It is susceptible to a local authentication bypass vulnerability. This issue is due to a failure of the application to require proper credentials prior to allowing local users to administer the application. Sun Java System Access Manager version 7.0 2005Q4 is vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102140-1

  • 06.5.24 - CVE: CVE-2006-0529, CVE-2006-0530
  • Platform: Cross Platform
  • Title: Computer Associates Multiple Message Queuing Denial of Service
  • Description: Computer Associates Message Queuing software (CAM) is a messaging sub-component that provides a "store and forward" messaging framework for applications. It is affected by two remote denial of service issues due to a failure of the application to properly handle specially crafted packets on TCP port 4105.
  • Ref: http://www.securityfocus.com/bid/16475

  • 06.5.25 - CVE: CVE-2006-0292, CVE-2006-0293, CVE-2006-0294, CVE-2006-0295, CVE-2006-0296, CVE-2006-0297, CVE-2006-0298, CVE-2006-0299
  • Platform: Cross Platform
  • Title: Multiple Mozilla Products Memory Corruption/Code Injection/Access Restriction Bypass Vulnerabilities
  • Description: Multiple Mozilla products are prone to multiple vulnerabilities. These issues include various memory corruption, code injection and access restriction bypass vulnerabilities. Please refer to the link below for a list of vulnerable software.
  • Ref: http://www.securityfocus.com/bid/16476

  • 06.5.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PunctWeb MyCO Name Field Cross-Site Scripting
  • Description: MyCO is a guestbook application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of the "Name" field. PunctWeb MyCO Guestbook version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423565

  • 06.5.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ASPThai Forums Login.ASP SQL Injection
  • Description: ASPThai Forums is a web-log application. It is prone to an SQL injection vulnerability due to a failure in the application to properly sanitize user-supplied input to the "username" field of "login.asp" before using it in an SQL query. ASPThai Forums version 8.0 and earlier are reported to be vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/16404/exploit

  • 06.5.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: sPaiz-Nuke Modules.PHP Cross-Site Scripting
  • Description: sPaiz-Nuke is a web-based content management application. Insufficient sanitization of the "query" parameter in the "modules.php" script exposes the application to a cross-site scripting issue. All current versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16412

  • 06.5.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBB UserCP2.PHP Referer Header HTML Injection
  • Description: MyBB is a bulletin-board application implemented in PHP. MyBB is prone to an HTML-injection vulnerability. The HTTP referer header passed to the "url" parameter of "usercp2.php" is not properly sanitized.
  • Ref: http://www.securityfocus.com/archive/1/423443

  • 06.5.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Nuked-klaN Index.PHP Cross-Site Scripting
  • Description: Nuked-klaN is a web-based content management application. Insufficient sanitization of the "letter" parameter in the "index.php" script exposes the application to a cross-site scripting issue. Nuked-Klan version 1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/16424

  • 06.5.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Ashwebstudio Ashnews Cross-Site Scripting
  • Description: Ashnews is a Web portal application written in PHP. It is vulnerable to a cross-site scripting vulnerability due to improper sanitization of the "id" parameter of the "ashnews.php" script. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. Ashnews version 0.83 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16426/info

  • 06.5.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MiniGal MG2 Image Gallery Name Field Cross-Site Scripting
  • Description: MG2 Image Gallery is an image gallery application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "url" parameter of the "usercp2.php" script. MiniGal MG2 version 0.5.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423477

  • 06.5.33 - CVE: CVE-2006-0507
  • Platform: Web Application - Cross Site Scripting
  • Title: EasyCMS Multiple Cross-Site Scripting Vulnerabilities
  • Description: EasyCMS is a web content management application written in PHP. Unspecified parameters and scripts are prone to a cross-site scripting vulnerability. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/423442

  • 06.5.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: BrowserCRM Results.PHP Cross-Site Scripting
  • Description: BrowserCRM is a web content management application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of the "query" parameter of the "results.php" script. All versions of BrowserCRM are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423546

  • 06.5.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Cerberus Helpdesk Clients.PHP Cross-Site Scripting
  • Description: Cerberus Helpdesk is a web-based helpdesk application written in PHP. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of user-supplied input to the "contact_search" parameter of the "clients.php" script. Cerberus Helpdesk version 2.7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/423547

  • 06.5.36 - CVE: CVE-2006-0499
  • Platform: Web Application - Cross Site Scripting
  • Title: phpBB Rlink Module Rlink.PHP Cross-Site Scripting
  • Description: The phpBB Rlink module is designed to enhance the functionality of phpBB. The phpBB Rlink module is prone to a cross-site scripting vulnerability. This issue is due to a failure in the module to properly sanitize user-supplied input to the "url" parameter of the "rlink.php" script.
  • Ref: http://www.securityfocus.com/bid/16448

  • 06.5.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SPIP Index.PHP3 Cross-Site Scripting
  • Description: SPIP is a Web publishing application. SPIP is prone to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "lang" parameter of the "index.php3" script. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
  • Ref: http://www.securityfocus.com/archive/1/423655

  • 06.5.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Tachyondecay Vanilla Guestbook Multiple Input Validation Vulnerabilities
  • Description: Tachyondecay Vanilla is a guest book application. It is vulnerable to multiple unspecified cross-site scripting and SQL injection issues due to insufficient sanitization of user-supplied input. Tachyondecay Vanilla Guestbook 1.0 Beta is vulnerable.
  • Ref: http://evuln.com/vulns/54/summary.html

  • 06.5.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SoftMaker Shop Multiple Cross-Site Scripting Vulnerabilities
  • Description: SoftMaker Shop is a customer relations management application. Insufficient sanitization of the "strSok" parameter in the "resultat.asp" script exposes the application to multiple cross-site scripting issues.
  • Ref: http://www.securityfocus.com/bid/16471

  • 06.5.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CyberShop Ultimate E-commerce Multiple Cross-Site Scripting Vulnerabilities
  • Description: CyberShop Ultimate E-commerce is a web-based shopping cart application written in ASP. The "ortak" and "kat" parameters of the "default.asp" script are prone to cross-site scripting vulnerabilities. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site.
  • Ref: http://www.securityfocus.com/archive/1/423787

  • 06.5.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Community Server Multiple Cross-Site Scripting Vulnerabilities
  • Description: Community Server is a platform for rapidly enabling online communities. Insufficient sanitization of user-supplied parameters in the "ShowThread.aspx", "alowe.aspx" and "default.aspx" scripts exposes the application to multiple cross-site scripting issues.
  • Ref: http://www.securityfocus.com/bid/16478

  • 06.5.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MyBB Index.PHP Referrer Cookie SQL Injection
  • Description: MyBB is Web forum software implemented in PHP utilizing a MySQL backend. It is prone to an SQL injection vulnerability. The vulnerability presents itself when user-supplied input via cookie data is passed to the "referrer" parameter of the "index.php" script permitting remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. MyBB 1.2 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/16443

  • 06.5.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Invision Power Board Portal Plugin Index.PHP SQL Injection
  • Description: Portal is a plugin module for Invision Power Board, a web bulletin board application. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "site" parameter of "index.php" before using it in an SQL query. Portal version 1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/16447/exploit

  • 06.5.44 - CVE: CVE-2005-4334
  • Platform: Web Application - SQL Injection
  • Title: ZixForum Multiple SQL Injection Vulnerabilities
  • Description: ZixForum is a web log application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "pageid" parameter of the "forum.asp", "Headforums.asp" and "Subject.asp" scripts. Zixforum version 1.12 is vulnerable.
  • Ref: http://www.osvdb.org/22096

  • 06.5.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Daffodil CRM Userlogin.ASP SQL Injection
  • Description: Daffodil CRM is a web-log application. Insufficient sanitization in the "userlogin.jsp" script exposes the application to an SQL injection issue. Daffodil CRM version 1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/16433

  • 06.5.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SZUserMgnt Username Parameter SQL Injection
  • Description: SZUserMgnt is a set of tools for managing user logins and passwords; it is implemented in PHP. It is vulnerable to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input to the "username" parameter of "login.php" before using it in an SQL query. An attacker could exploit this issue to compromise the application. SZUserMgnt version 1.4 is vulnerable.
  • Ref: http://evuln.com/vulns/53/summary.html

  • 06.5.47 - CVE: CVE-2006-0492
  • Platform: Web Application - SQL Injection
  • Title: Calendarix Multiple SQL Injection Vulnerabilities
  • Description: Calendarix is a web-based calendar application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "catview" parameter of the "cal_functions.inc.php" script and the "login" input field of the "admin/cal_login.php" script. Calendarix version 0.6.20050830 is vulnerable.
  • Ref: http://www.evuln.com/vulns/52/summary.html

  • 06.5.48 - CVE: CVE-2006-0522
  • Platform: Web Application - SQL Injection
  • Title: Symantec Sygate Management Server SMS Authentication Servlet SQL Injection
  • Description: Symantec Sygate Management Server is prone to an SQL injection vulnerability. The vulnerability specifically affects the SMS Authentication Servlet component of the server. A remote attacker can pass malicious input to database queries through HTTP GET requests, resulting in modification of query logic or other attacks. Sygate Management Server (SMS) versions 4.1 build 1417 and prior are affected.
  • Ref: http://securityresponse.symantec.com/avcenter/security/Content/2006.02.01.html

  • 06.5.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SPIP Multiple SQL Injection Vulnerabilities
  • Description: SPIP is a web publishing application. It is prone to multiple SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "id_forum", "id_article", "id_breve" and other unspecified parameters of the "forum.php3" script. SPIP versions prior to 1.8.2-e and 1.9 alpha 2 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423655

  • 06.5.50 - CVE: Not Available
  • Platform: Web Application
  • Title: UebiMiau HTML Email HTML Injection
  • Description: UebiMiau is a Webmail client. It is vulnerable to an HTML injection issue due to a lack of proper sanitization of user-supplied input before using it in dynamically generated content. An attacker could exploit this issue to control how the site is rendered to the user. UebiMiau version 2.7.9 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/423437

  • 06.5.51 - CVE: Not Available
  • Platform: Web Application
  • Title: CRE Loaded Files.PHP Access Validation
  • Description: CRE Loaded is a Web content management application. It is prone to an access validation vulnerability. This issue is due to a failure in the application to perform proper access validation before granting access to the "/admin/htmlarea/popups/file/files.php" administration script. CRE Loaded version 6.15 is vulnerable; other versions may also be vulnerable.
  • Ref: http://www.securityfocus.com/bid/16415

  • 06.5.52 - CVE: Not Available
  • Platform: Web Application
  • Title: PmWiki Multiple Input Validation Vulnerabilities
  • Description: PmWiki is prone to multiple input validation vulnerabilities. These issues are due to failures in the application to properly sanitize user-supplied input. PmWiki version 2.1 beta20 is affected.
  • Ref: http://www.securityfocus.com/bid/16421

  • 06.5.53 - CVE: Not Available
  • Platform: Web Application
  • Title: AshWebStudio AshNews Remote File Include
  • Description: Ashnews is a web portal application. Ashnews is prone to a remote file include vulnerability due to improper sanitization of user-supplied input to the "pathtoashnews" parameter of "ashnews.php". Ashnews version 0.83 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16436/exploit

  • 06.5.54 - CVE: CVE-2006-0511
  • Platform: Web Application
  • Title: Blackboard Learning System Access Validation
  • Description: The Blackboard Learning System is an online education system, which is part of the Blackboard Application Suite. The problem presents itself in the authentication mechanism during a session timeout. When a timeout occurs, the user can re-enter their username and password to regain access. However, if a second user enters their credentials, they gain access to the first user's account.
  • Ref: http://www.securityfocus.com/bid/16438

  • 06.5.55 - CVE: Not Available
  • Platform: Web Application
  • Title: FarsiNews Loginout.PHP Remote File Include
  • Description: FarsiNews is a Persian translation of CutePHP web forum software. Insufficient sanitization of the "cutepath" parameter of the "loginout.php" script exposes the application to a remote file include issue. FarsiNews version 2.5 is affected.
  • Ref: http://www.securityfocus.com/bid/16440

  • 06.5.56 - CVE: Not Available
  • Platform: Web Application
  • Title: @Mail Compose.PL Directory Traversal
  • Description: @Mail is a web-based application used to access email. It is vulnerable to a directory traversal issue because it fails to properly sanitize user-supplied input to the "unique" parameter of the "compose.pl" script. An attacker could successfully exploit this issue to compromise the underlying system. @Mail version 4.3 is vulnerable.
  • Ref: http://secunia.com/secunia_research/2006-2/advisory/

  • 06.5.57 - CVE: Not Available
  • Platform: Network Device
  • Title: CipherTrust IronMail Remote Denial Of Service
  • Description: IronMail is a gateway appliance to filter and block unwanted email traffic. It is prone to a remote denial of service vulnerability. This issue is due to an error in the device when dealing with SYN flood attacks. By design the device blocks denial of service (SYN flood) attacks at the gateway. However, if the device is configured with "Denial of Service Window (secs)" and "Denial of Service Count" set at 100 or greater, the anti-denial of service feature fails, resulting in a false sense of security.
  • Ref: http://www.securityfocus.com/bid/16465

  • 06.5.58 - CVE: Not Available
  • Platform: Hardware
  • Title: Powersave Unspecified Local Privilege Escalation
  • Description: Powersave provides battery, temperature, ac, and cpufreq control and monitoring. Powersave is prone to an unspecified local privilege-escalation vulnerability. The cause of this issue is not known. This issue is triggered when a client sends a powersave action string to the server running on a computer where the superuser has started an X session. Powersave versions prior to stable version 0.10.15.2 and unstable version 0.11.2 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16469/

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.