
@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 6
February 13, 2006

Internet Explorer (WMF vulnerability leads to remote execution on Win2K and ME), Java, and Lotus Notes users are all facing important new vulnerabilities this week. And an exploit has been released that takes advantage of Firefox users who have not patched their systems.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Windows                                   1 (#1)
    Other Microsoft Products                  1
    Third Party Windows Apps                  4
    Linux                                     5
    HP-UX                                     1
    Aix                                       1
    Unix                                      3
    Cross Platform                            10 (#2, #3, #4)
    Web Application - Cross Site Scripting    6
    Web Application - SQL Injection           12
    Web Application                           17
    Network Device                            1
    Hardware                                  3

****************** SPONSORED BY SANS TRAINING **************************

World-Class Security Training Opportunities in the Next Few Weeks

SANS 2006 in Orlando (Feb 24 - March 4): 36 tracks of extraordinary training - the best instructors in the world, and a great security tools exposition. Lots of people are bringing their families to Orlando to join them at the end of the program.

Plus: San Francisco, Phoenix, St. Louis, Brisbane, Tokyo, Ottawa

Or you can take SANS training anytime, anywhere with the new SANS On Demand. Details on these and other programs: www.sans.org

And the SCADA Security Summit is 86% full. If you want to attend, register this week. An amazing agenda. If you know anyone responsible for control systems in industry or utilities, make sure they get to this program. http://www.sans.org/scadasummit06/

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
HP-UX
Aix
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************** Sponsored Links ******************************

1) Enter to Win a SANS OnDemand Online Training Course! Giveaway ends February 16, 2006. http://www.sans.org/info.php?id=1023

2) Internet Storm Center Webcast "Threat Update" and "The Laws of Vulnerabilities: Six Axioms for Understanding Risk" Wednesday, February 15 at 2:00 PM EST (1900 UTC/GMT) http://www.sans.org/info.php?id=1024

3) WhatWorks in Web Application Security Webcast: "Educating Code Developers with the University of Missouri" Thursday, February 16 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1025

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohit Dhamankar and Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Internet Explorer WMF Handling Vulnerability
  • Affected:
    • Internet Explorer version 5.01 SP4 on Windows 2000 SP4 and 5.5 SP2 on Windows ME
  • Description: A vulnerability, which was initially reported to cause a denial of service in Internet Explorer, has now been confirmed to lead to remote code execution. This flaw exists in Internet Explorer's handling of Windows metafiles, and can reportedly be triggered by a WMF file with a specially crafted header. The malicious WMF image can be posted on a webpage, placed in a shared folder or sent in an email. Note that this vulnerability is different from the one patched by security bulletin MS06-001. The technical details required to craft a malicious WMF file have been posted.

  • Status: Microsoft is aware of the flaw but no patches are available. Upgrade to Internet Explorer 6.0 SP1, which is not vulnerable.

  • Council Site Actions: Most of the council sites are not running IE on Win2K or ME, so no action was needed. One site was waiting for patches and a second site has already upgraded to version 6 and prohibits web browsing from servers. Another site has requested that users still on the older platforms upgrade to the latest release as soon as possible.

  • References:
  • (2) HIGH: Sun Java JRE and Java Web Start Security Bypass
  • Affected:
    • JDK and JRE 5.0 Update 5 and prior
    • SDK and JRE 1.4.2_09 and prior
    • SDK and JRE 1.3.1_16 and prior
    • Java Web Start in J2SE versions 5.0 Update 5 and prior
  • Description: The Sun Java Plug-in technology, a part of the Java Runtime Environment (JRE), enables applets on websites to run on a client's browser. The Java Security Manager controls the resources a downloaded applet can access ("sandbox" model). Multiple vulnerabilities in the Sun JRE Reflection API can be exploited by a malicious applet to break out of this "sandbox", and access any local resources. As a result, if a user browses a webpage containing the malicious applet, the applet may be able to read/write files or execute arbitrary commands on the client system with the privileges of the logged-on user. Note that applets are automatically downloaded and executed in typical browser configurations, and past vulnerabilities in JRE have been exploited in the wild.

  • Status: Sun has released fixed versions for the affected software.

  • Council Site Actions: Several of the council sites have already begun the patching process. Another site will soon begin the test and QA process since JRE is used by a large number of applications. A final site commented that they had not upgraded to the affected version and had deployed A/V gateways for web and email as well as mobile code inspection engines that filter Java, JavaScript, and ActiveX downloads for malicious patterns. They plan to upgrade to the new release in the near future.

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 6, 2006

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4879 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 06.6.1 - CVE: CVE-2006-0020
  • Platform: Windows
  • Title: Microsoft Windows Graphics Rendering Engine Unspecified Memory Corruption
  • Description: Microsoft Windows WMF graphics-rendering engine is affected by an unspecified memory-corruption vulnerability. This issue is allegedly due to an integer-overflow flaw that leads to corrupted heap memory. This issue could potentially be exploited remotely through any means that would allow an attacker to transmit the malicious image to a user, including through a malicious website and HTML email or embedding it in an Office document.
  • Ref: http://www.microsoft.com/technet/security/advisory/913333.mspx

  • 06.6.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft February Advance Notification Multiple Vulnerabilities
  • Description: Microsoft has released advance notification that it will be releasing seven security bulletins for Windows on February 14, 2006. The highest severity rating for these issues is Critical.
  • Ref: http://www.securityfocus.com/bid/16575

  • 06.6.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ritlabs The Bat! Message Header Spoofing Weakness
  • Description: The Bat! is a commercially available email client, distributed and maintained by RITLabs. It is prone to a message header spoofing weakness. This issue arises due to a design error. The Bat! versions 2.0 3 Beta and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16515

  • 06.6.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Kinesphere Corporation Exchange POP3 Remote Buffer Overflow
  • Description: The Kinesphere Corporation Exchange POP3 application is vulnerable to a remote buffer overflow issue due to insufficient boundary checks when the SMTP service attempts to process the "RCPT TO" command. Kinesphere Corporation Exchange POP3 version 5.0 build 050203 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16485

  • 06.6.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WiredRed e/pop Web Conferencing HTML Injection
  • Description: WiredRed e/pop applications provide web and desktop video conferencing. These applications are vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input to a topic name of a public or private Web conference. WiredRed e/pop Web Conferencing 4.1.0.755 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424419

  • 06.6.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: HP Systems Insight Manager Unspecified Directory Traversal
  • Description: HP Systems Insight Manager (SIM) provides hardware-level management. HP SIM is vulnerable to an unspecified directory traversal issue when the application uses the "Lang" parameter of the ".namazurc" resource file. HP SIM on Microsoft Windows 2000, 2003 and Windows XP is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16571/info

  • 06.6.7 - CVE: CVE-2006-0454
  • Platform: Linux
  • Title: Linux Kernel ICMP_Send Remote Denial Of Service
  • Description: The Linux kernel is vulnerable to a remote denial-of-service issue when certain malformed ICMP packets are processed by the "icmp_send()" function in the "net/ipv4/icmp.c" source file. Linux kernel versions 2.6.15.2 and earlier in the 2.6 series are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16532

  • 06.6.8 - CVE: CVE-2006-0576
  • Platform: Linux
  • Title: OProfile Local Privilege Escalation
  • Description: OProfile is a system-wide profiler application. It is vulnerable to a privilege escalation issue because the "opcontrol" shell script fails to properly specify the full path to the "which" or "dirname" commands. OProfile versions 0.9.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424325
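The weakness in 06.6.8 is a privileged shell script that resolves helper commands through whatever PATH its caller supplies. As an added example (not part of the @RISK bulletin and not OProfile's own code), here is a small POSIX shell audit that checks a script for that pattern: whether PATH is pinned explicitly, and whether the audited helpers (`which` and `dirname`, the two named in the report; the list itself is an assumption) are ever invoked without an absolute path. The two sample scripts are constructed for the demonstration; `opcontrol` itself is not reproduced.

```shell
#!/bin/sh
# Added example (not from the bulletin or OProfile): audit a privileged shell
# script for the weakness described in 06.6.8. Two checks:
#   1. does the script pin PATH before running anything?
#   2. are the audited helper commands ever called without an absolute path?
# The helper list and the sample scripts below are constructed for illustration.

AUDIT_CMDS="which dirname"

# Exit 0 if the script ($1) assigns PATH explicitly (optionally via "export"),
# exit 1 otherwise.
script_sets_path() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1"
}

# Print "lineno:line" for every line of $1 that invokes an audited command
# without a leading "/" (so "/usr/bin/dirname" passes, "`dirname $0`" does not).
report_unqualified_cmds() {
    for cmd in $AUDIT_CMDS; do
        grep -nE "(^|[^/[:alnum:]_])${cmd}([^/[:alnum:]_]|\$)" "$1" || true
    done
}

# Number of findings in $1 (0 means clean).
count_unqualified_cmds() {
    report_unqualified_cmds "$1" | grep -c . || true
}

# Hardened pattern for a privileged wrapper: pin PATH first and call helpers
# by absolute path (the paths assume a typical Linux layout).
hardened_wrapper_example() {
    PATH=/usr/bin:/bin
    export PATH
    /usr/bin/dirname "$1"
}

# Constructed sample scripts, written to a temporary directory.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/unsafe.sh" <<'EOF'
#!/bin/sh
# helpers resolved through whatever PATH the caller supplies
OPDIR=`dirname $0`
PROG=`which oprofiled`
echo "$OPDIR $PROG"
EOF

cat > "$SAMPLE_DIR/safe.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin; export PATH
OPDIR=$(/usr/bin/dirname "$0")
PROG=$(/usr/bin/which oprofiled)
echo "$OPDIR $PROG"
EOF

for f in unsafe.sh safe.sh; do
    printf '%s: ' "$f"
    if script_sets_path "$SAMPLE_DIR/$f"; then
        printf 'PATH pinned, '
    else
        printf 'PATH not pinned, '
    fi
    printf '%s unqualified helper call(s)\n' "$(count_unqualified_cmds "$SAMPLE_DIR/$f")"
    report_unqualified_cmds "$SAMPLE_DIR/$f"
done
```

The regex deliberately refuses to match a command name preceded by `/`, so only bare invocations are reported; a name embedded in a longer word (for example `mydirname`) is also ignored. Pinning PATH at the top of the script closes the same hole for every helper at once, which is why the audit reports both conditions separately.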

  • 06.6.9 - CVE: CVE-2006-0046
  • Platform: Linux
  • Title: Adzapper Squid_Redirect URI Handling Remote Denial of Service
  • Description: The adzapper squid redirection script is used to block advertisement banners from Web pages and replace them with placeholder images. It is vulnerable to a remote denial of service issue when installed as a plug-in. Adzapper versions prior to 2006-01-29 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16558

  • 06.6.10 - CVE: CVE-2005-3623
  • Platform: Linux
  • Title: Linux Kernel NFS ACL Access Control Bypass
  • Description: The Linux kernel contains support for ACLs (Access Control Lists) in NFSv2 and NFSv3 filesystems. The Linux kernel's NFS implementation is susceptible to a remote access control bypass vulnerability. This issue is due to a failure to validate the privileges of remote users before setting ACLs. Linux Kernel versions prior to 2.6.14.5 in the 2.6 kernel series are vulnerable to this issue.
  • Ref: http://lkml.org/lkml/2005/12/23/171

  • 06.6.11 - CVE: Not Available
  • Platform: Linux
  • Title: SUSE LD Insecure RPATH / RUNPATH Arbitrary Code Execution
  • Description: LD is the GNU linker application. SUSE LD is susceptible to an insecure RPATH / RUNPATH vulnerability. This can allow attackers to place malicious libraries in a directory and trick users into executing an application from that directory; the libraries would be dynamically linked at run-time when the application is executed. This would result in the execution of arbitrary code with the privileges of the user who executes the application.
  • Ref: http://www.securityfocus.com/bid/16581
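The condition behind 06.6.11 is visible in a binary's dynamic section: an RPATH or RUNPATH entry that is empty or relative (such as "." ) makes the loader search the current working directory for shared libraries. As an added example (not part of the @RISK bulletin and not SUSE's tooling), the POSIX shell check below reads `readelf -d` output and flags every RPATH/RUNPATH entry that is not an absolute path. The two readelf excerpts are constructed so the check runs offline; `$ORIGIN`-relative entries are treated as out of scope here, which is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not from the bulletin or SUSE): flag RPATH/RUNPATH entries in
# `readelf -d` output that are not absolute paths. An empty entry or "." makes
# the dynamic loader search the current working directory, which is the
# condition item 06.6.11 describes. The readelf excerpts below are constructed.

# Read `readelf -d` output on stdin; print one line per RPATH/RUNPATH entry
# that is not absolute. Empty entries are printed as "<empty>".
# $ORIGIN-relative entries are left alone here (they resolve relative to the
# binary's own directory, not the caller's cwd); review them separately.
insecure_rpath_entries() {
    grep -E '\((RPATH|RUNPATH)\)' | sed -E 's/.*\[([^]]*)\].*/\1/' |
    while IFS= read -r list; do
        # split the colon-separated search list; a trailing ":" yields an
        # empty entry, which the loader treats as "."
        printf '%s\n' "$list" | tr ':' '\n' |
        while IFS= read -r entry; do
            case "$entry" in
                /*|'$ORIGIN'*) ;;
                *) printf '%s\n' "${entry:-<empty>}" ;;
            esac
        done
    done
}

# Number of flagged entries on stdin (0 means nothing to report).
count_insecure_rpath() {
    insecure_rpath_entries | grep -c . || true
}

# Constructed `readelf -d` excerpts: one binary with a weak RUNPATH, one clean.
WEAK_READELF=$(cat <<'EOF'
Dynamic section at offset 0x2d80 contains 3 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/app/lib:.:]
EOF
)

CLEAN_READELF=$(cat <<'EOF'
Dynamic section at offset 0x2d80 contains 2 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/usr/local/lib]
EOF
)

printf 'weak binary: %s flagged entry/entries\n' "$(printf '%s\n' "$WEAK_READELF" | count_insecure_rpath)"
printf '%s\n' "$WEAK_READELF" | insecure_rpath_entries
printf 'clean binary: %s flagged entry/entries\n' "$(printf '%s\n' "$CLEAN_READELF" | count_insecure_rpath)"
```

Against a real system the same functions take `readelf -d /path/to/binary` on stdin; running the check over every setuid binary and every program in a privileged user's PATH is the natural sweep after a linker update of this kind.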

  • 06.6.12 - CVE: Not Available
  • Platform: HP-UX
  • Title: HP PSC 1210 All-in-One Driver Vulnerability
  • Description: HP has released a fix for its PSC 1210 All-in-One printer driver for an unspecified vulnerability. HP PSC 1210 All-in-One driver versions prior to 1.0.06 are affected.
  • Ref: http://www.securityfocus.com/bid/16583


  • 06.6.14 - CVE: CVE-2006-0582
  • Platform: Unix
  • Title: Heimdal RSHD Local Privilege Escalation
  • Description: Heimdal is an implementation of the Kerberos 5 network authentication protocol. Heimdal "rshd" is vulnerable to a local privilege escalation issue due to a design error that allows files to be overwritten in its credential cache. Heimdal versions 0.7.2 and 0.6.6 resolve this issue.
  • Ref: http://www.securityfocus.com/bid/16524/info

  • 06.6.15 - CVE: Not Available
  • Platform: Unix
  • Title: ProFTPD Mod_Radius Buffer Overflow
  • Description: ProFTPD is an FTP server. ProFTPD's mod_radius is vulnerable to a buffer overflow issue due to insufficient boundary checking in the "radius_add_password" function. ProFTPD versions 1.3.0rc2 and earlier are vulnerable.
  • Ref: http://bugs.proftpd.org/show_bug.cgi?id=2658

  • 06.6.16 - CVE: Not Available
  • Platform: Unix
  • Title: GnuTLS Libtasn1 DER Decoding Denial of Service Vulnerabilities
  • Description: GNU Transport Layer Security Library (GnuTLS) is a library that implements the TLS 1.0 and SSL 3.0 protocols. The Libtasn1 library is vulnerable to multiple denial of service issues which can be triggered through specifically crafted data. Libtasn1 versions earlier than 0.2.18 are vulnerable.
  • Ref: http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001059.html

  • 06.6.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Trend Micro ServerProtect Extracted File Count Exceed Scan Bypass
  • Description: Trend Micro ServerProtect is an antivirus scanner for servers. It is vulnerable to a scan bypass issue resulting from a design error. Trend Micro ServerProtect version 5.58 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16483/info

  • 06.6.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PeopleSoft PeopleTools PSCipher Password Encryption Weakness
  • Description: PeopleTools is a runtime architecture and integrated development environment for PeopleSoft financial management software. PeopleTools uses PSCipher to provide encryption and hashing using DES. PSCipher uses a fixed string as a DES key when encrypting passwords. Knowledge of this key would reduce the amount of time an attacker would need to perform dictionary attacks against a password hash. PeopleTools versions 8.4 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16507

  • 06.6.19 - CVE: CVE-2006-0580
  • Platform: Cross Platform
  • Title: Lotus Domino LDAP Denial of Service
  • Description: IBM Lotus Domino Server is a web-based collaborative framework application. It is vulnerable to an unspecified denial of service issue when a malformed packet is sent to TCP port 389. Lotus Domino version 7.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16523/info

  • 06.6.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: EyeOS Session Remote Command Execution
  • Description: EyeOS personal content management system is free, cross-platform software based on the style of a desktop operating system. It is prone to a remote command execution vulnerability due to insufficient sanitization of user-supplied data. The problem occurs because of how the application handles the "_SESSION" array parameter. The application fails to properly initialize the array allowing an attacker to inject arbitrary input. EyeOS versions 0.8.9 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16537/exploit

  • 06.6.21 - CVE: CAN-2005-1528
  • Platform: Cross Platform
  • Title: QNX Neutrino Multiple Local Privilege Escalation and Denial Of Service Vulnerabilities
  • Description: QNX Neutrino is a realtime operating system distributed and maintained by QNX Software Systems Limited. It is vulnerable to multiple local vulnerabilities. QNX Neutrino versions 6.3, 6.2.1 and 6.2 are affected.
  • Ref: http://www.securityfocus.com/bid/16539

  • 06.6.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java Web Start Untrusted Application Unauthorized Access
  • Description: Sun Java Web Start is a utility included in the Java Runtime Environment. It is affected by an issue that may allow remote attackers to gain unauthorized access to a vulnerable computer due to access-validation errors. Java Web Start in Java 2 Platform Standard Edition (J2SE) versions 5.0 Update 5 and earlier is affected.
  • Ref: http://www.securityfocus.com/bid/16540

  • 06.6.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun ONE Directory Server Remote Denial of Service
  • Description: Sun ONE Directory Server is an LDAP directory server. It is vulnerable to a remote denial of service issue due to insufficient handling of malformed network traffic. Sun ONE Directory Server versions 5.2 patch 4 and earlier are vulnerable.
  • Ref: http://archives.neohapsis.com/archives/dailydave/2006-q1/0129.html

  • 06.6.24 - CVE: CVE-2006-0056
  • Platform: Cross Platform
  • Title: PAM-MySQL Code Execution And Denial Of Service
  • Description: PAM-MySQL is a PAM (pluggable authentication module) module that allows system administrators to set up authentication schemes using MySQL databases as a back-end. PAM-MySQL is susceptible to two vulnerabilities. The first issue is a denial of service vulnerability in the module's SQL logging facility. The second issue is a double-free vulnerability in the "pam_get_item()" function. Applications that execute the PAM module with superuser privileges will allow attackers to completely compromise affected computers.
  • Ref: http://pam-mysql.sourceforge.net/News/00005.php

  • 06.6.25 - CVE: CAN-2005-2618, CAN-2005-2619
  • Platform: Cross Platform
  • Title: IBM Lotus Notes File Attachment Handling Multiple Remote Vulnerabilities
  • Description: IBM Lotus Notes is vulnerable to multiple remote vulnerabilities when handling file attachments which allow arbitrary code execution. Lotus Notes versions 6.5.4 and 7.0 are vulnerable.
  • Ref: http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229918

  • 06.6.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PowerD Remote Format String
  • Description: PowerD is a daemon that monitors an Uninterruptible Power Supply (UPS) and has the ability to notify remote hosts of a power failure. It is affected by a remote format string vulnerability due to insufficient sanitization of user-supplied input to the formatted printing function. PowerD version 2.0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16582

  • 06.6.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: cPanel Multiple Cross-Site Scripting Vulnerabilities
  • Description: cPanel is a customer relations management application. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16482

  • 06.6.28 - CVE: CVE-2006-0593
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP-Fusion Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP-Fusion is a web site management application. Insufficient sanitization of the "comment_name" parameter of the "includes/comments_include.php" script and the "shout_name" parameter of the "infusions/shoutbox_panel/shoutbox_panel.php" script exposes the application to a cross-site scripting issue. PHP-Fusion versions 6.00.303 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16548

  • 06.6.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CPAINT TYPE.PHP Cross-Site Scripting
  • Description: CPAINT is an AJAX (Asynchronous JavaScript+XML) and JSRS (JavaScript Remote Scripting) implementation. Insufficient sanitization of the "cpaint_response_type" parameter of the "type.php" script exposes the application to a cross-site scripting issue. CPAINT versions 2.0.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16559

  • 06.6.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Mantis Config_Defaults_Inc.PHP Cross-Site Scripting
  • Description: Mantis is a bug tracking application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to an unspecified parameter of the "config_defaults_inc.php" script. Mantis versions 1.0.0RC4 and earlier are vulnerable.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=390744&group_id=14963

  • 06.6.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DataparkSearch Engine Search Template Cross-Site Scripting
  • Description: DataparkSearch Engine is freely available, open-source HTML-search software. It is prone to a cross-site scripting vulnerability.
  • Ref: http://www.dataparksearch.org/ChangeLog

  • 06.6.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Papoo Multiple Cross-Site Scripting Vulnerabilities
  • Description: Papoo is a website management application. It is vulnerable to multiple cross-site scripting issues due to insufficient sanitization of user-supplied input to various parameters in different scripts. Papoo version 2.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/16573

  • 06.6.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: UBB.Threads Showflat.PHP SQL Injection
  • Description: UBB.Threads is a web-based forum application. Insufficient sanitization of the "number" parameter in the "showflat.php" script exposes the application to an SQL injection issue. UBB.Threads version 6.3 is affected.
  • Ref: http://www.securityfocus.com/bid/16520

  • 06.6.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Loftin Applications ASPSurvey Login.ASP SQL Injection
  • Description: ASPSurvey is a web-based user survey application written in ASP. It is prone to an SQL-injection vulnerability due to insufficient sanitization of user-supplied input to the "Password" input field of the "login.asp" script.
  • Ref: http://www.securityfocus.com/bid/16496

  • 06.6.35 - CVE: CVE-2005-4461
  • Platform: Web Application - SQL Injection
  • Title: Beehive Forum Index.PHP SQL Injection
  • Description: Beehive Forum is web-forum software implemented in PHP using a MySQL backend. It is vulnerable to an SQL-injection issue due to insufficient sanitization of user-supplied input. Beehive Forum version 0.6.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16521/info

  • 06.6.36 - CVE: CVE-2006-0638
  • Platform: Web Application - SQL Injection
  • Title: MyBB Moderation.PHP SQL Injection
  • Description: MyBB is a bulletin-board application implemented in PHP using a MySQL backend. MyBB is prone to an SQL-injection vulnerability due to improper sanitization of user-supplied input via the "posts" variable to the "moderation.php" script. MyBB version 1.0.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424335

  • 06.6.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Domain Shoutbox Multiple Input Validation Vulnerabilities
  • Description: Shoutbox is a web-based message board. It is vulnerable to multiple unspecified SQL injection and HTML injection issues due to insufficient sanitization of user-supplied input. Shoutbox version 2005.07.21 is vulnerable.
  • Ref: http://evuln.com/vulns/55/summary.html

  • 06.6.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Webeveyn Whomp! Real Estate Manager Login SQL Injection
  • Description: Whomp! Real Estate Manager is a web-based application to display, organize and sell real estate. It is prone to an SQL-injection vulnerability due to improper sanitization of user-supplied input in the administrator login panel.
  • Ref: http://www.securityfocus.com/bid/16544/exploit

  • 06.6.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: vwdev Index.PHP SQL Injection
  • Description: vwdev is a content management application. It is vulnerable to an SQL-injection issue due to insufficient sanitization of user-supplied input to the "UID" parameter of the "index.php" script. All versions of vwdev are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16547

  • 06.6.40 - CVE: CVE-2006-0542
  • Platform: Web Application - SQL Injection
  • Title: GuestBookHost Multiple SQL Injection Vulnerabilities
  • Description: GuestBookHost is a website management application. It is vulnerable to multiple SQL injection issues as the application fails to properly sanitize user-supplied input. GuestBookHost version 2005.04.25 is vulnerable.
  • Ref: http://evuln.com/vulns/56/summary.html

  • 06.6.41 - CVE: CVE-2006-0517
  • Platform: Web Application - SQL Injection
  • Title: SPIP Spip_acces_doc.PHP SQL Injection
  • Description: SPIP is a content management application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "spip_acces_doc.php" script. SPIP versions 1.8.2-d, 1.8.2-d, and 1.8.2-g are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16551

  • 06.6.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: GA's Forum Light Archive.ASP SQL Injection
  • Description: GA's Forum Light is web-based forum software. It is prone to an SQL injection vulnerability due to improper sanitization of user-supplied input to the "forum" parameter of the "archive.asp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/16563/exploit

  • 06.6.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PwsPHP Index.PHP SQL Injection
  • Description: PwsPHP is a web-based content management system. Insufficient sanitization of the "id" parameter in the "index.php" script exposes the application to an SQL injection issue. PwsPHP version 1.2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/16567

  • 06.6.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: 2200net Calendar Multiple SQL Injection Vulnerabilities
  • Description: 2200net Calendar is a web-based calendar application. It is prone to multiple SQL injection vulnerabilities due to improper sanitization of user-supplied input to the "fm_data[id]" of "program/calendar/calendar.php" and the "ad[acc]" parameter of "class/classlogin/adminlogin.php" scripts. 2200net version 1.2 is vulnerable; other versions may also be vulnerable.
  • Ref: http://evuln.com/vulns/62/summary.html

  • 06.6.45 - CVE: CVE-2006-0513
  • Platform: Web Application
  • Title: IBM Tivoli Access Manager Plugin Directory Traversal
  • Description: Tivoli Access Manager is a policy-based access-control plugin for web servers. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input to the "filename" parameter of the "pkmslogout" script. IBM Tivoli Access Manager Plugin versions 5.1.0.10 and 6.0.0 are vulnerable.
  • Ref: http://www.vsecurity.com/bulletins/advisories/2006/tam-file-retrieval.txt

  • 06.6.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Loudblog Backend_settings.PHP Remote File Include
  • Description: Loudblog is a content management application. It is prone to a remote file include vulnerability due to improper sanitization of user-supplied input to the "cmd" parameter of the "backend_settings.php" script. Loudblog versions 0.4 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16495/exploit

  • 06.6.47 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB HTTP Referer Information Disclosure
  • Description: phpBB is a web bulletin board application. The application fails to secure the session ID when accessing an external avatar image or external BBCode image which exposes it to an information disclosure issue. phpBB versions 2.0.19 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/16509

  • 06.6.48 - CVE: Not Available
  • Platform: Web Application
  • Title: vBulletin Showthread.PHP Input Validation
  • Description: vBulletin is a bulletin board application. It is vulnerable to an unspecified input validation issue due to insufficient sanitization of user-supplied input to the "showthread.php" script. vBulletin versions 3.0.7 through 3.5.3 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16514

  • 06.6.49 - CVE: CVE-2006-0200
  • Platform: Web Application
  • Title: PHP MySQLI Error Logging Remote Format String
  • Description: PHP is susceptible to a remote format string vulnerability in the "mysqli" extension. If PHP is configured to log failed SQL queries, attackers may exploit latent SQL injection vulnerabilities in web applications to include sufficient data in the error log to exploit this format string vulnerability. This issue affects PHP versions 5.1.0 and 5.1.1.
  • Ref: http://www.php.net/release_5_1_2.php

  • 06.6.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Data Unspecified Code Execution
  • Description: Gallery is a photo gallery application which is affected by a code execution issue. The vulnerability presents itself when an attacker crafts a malicious URI and entices an administrative user to visit a site containing malicious code. Gallery version 1.5.2 is affected.
  • Ref: http://www.securityfocus.com/bid/16533

  • 06.6.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Hinton Design phphg Guestbook Multiple Input Validation Vulnerabilities
  • Description: The phphg Guestbook is a web-based guestbook application. It is vulnerable to multiple input validation issues that could allow an attacker to compromise the application. phphg Guestbook version 1.2 is vulnerable.
  • Ref: http://evuln.com/vulns/58/summary.html

  • 06.6.52 - CVE: Not Available
  • Platform: Web Application
  • Title: CPG Dragonfly CMS Remote Command Execution
  • Description: CPG Dragonfly CMS is a content management system. CPG Dragonfly CMS is prone to a remote command execution vulnerability. This problem presents itself in the "install.php" script. A local file include issue is present in the "installlang" cookie value that allows attackers to include arbitrary local files, and execute PHP content contained in them. CPG Dragonfly CMS version 9.0.6.1 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424335

  • 06.6.53 - CVE: Not Available
  • Platform: Web Application
  • Title: SPIP Spip_RSS.PHP Remote Command Execution
  • Description: SPIP is a web content management system (CMS). It is prone to a remote command execution vulnerability due to a lack of proper sanitization of user-supplied input. This problem presents itself in the "spip_rss.php" script. A local file include issue is present in the "GLOBALS[type_urls]" parameter that allows attackers to include arbitrary local files and to execute PHP content contained in them. SPIP versions 1.8.2g and earlier are vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/16556/exploit

  • 06.6.54 - CVE: CVE-2005-3366
  • Platform: Web Application
  • Title: PHP ICalendar Template.PHP Remote File Include
  • Description: PHP iCalendar is prone to a remote file include vulnerability. Neither the "file" parameter of "template.php" nor the "getdate" parameter of the "search.php" script is properly sanitized. In combination, these vulnerabilities allow attackers to specify remotely-hosted script files to be executed in the context of the Web server hosting the vulnerable software.
  • Ref: http://www.securityfocus.com/archive/1/424424

  • 06.6.55 - CVE: Not Available
  • Platform: Web Application
  • Title: WHMCompleteSolution Resellers Group Information Disclosure
  • Description: WHMCompleteSolution is a web hosting management application. It is vulnerable to an information disclosure issue due to insecure permissions associated with the reseller's group. WHMCompleteSolution versions 2.2 and earlier are vulnerable.
  • Ref: http://www.whmcs.com/changelog.php

  • 06.6.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Hinton Design phpht Multiple Input Validation Vulnerabilities
  • Description: Hinton Design phpht is an application that lists topsites. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input to scripts such as "check.php" and "link_edited.php". Hinton Design phpht version 1.3 is vulnerable.
  • Ref: http://evuln.com/vulns/59/summary.html

  • 06.6.57 - CVE: Not Available
  • Platform: Web Application
  • Title: indexu Application.PHP Remote File Include
  • Description: indexu is software for indexing web sites by managing and organizing links. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "base_path" parameter of the "application.php" script. indexu versions 5.0.0 and 5.0.1 are affected.
  • Ref: http://www.securityfocus.com/bid/16565

  • 06.6.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Lotus Domino iNotes Multiple HTML and Script Injection Vulnerabilities
  • Description: IBM Lotus Domino iNotes allows users to access their Domino-based mail from the web. It is vulnerable to multiple HTML and script injection issues due to insufficient sanitization of email attachment file names and the email subject field. IBM released iNotes and Domino Web Access versions 6.5.5 and 7.0.1 to address these issues.
  • Ref: http://www.securityfocus.com/archive/1/424627

  • 06.6.59 - CVE: Not Available
  • Platform: Web Application
  • Title: RunCMS Remote Code Execution
  • Description: RunCMS is a content management application. It is vulnerable to a remote code execution issue because the "connector.php" script allows for remote ".php3" and ".php5" script execution. RunCMS versions 1.3a2 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16578/info

  • 06.6.60 - CVE: Not Available
  • Platform: Web Application
  • Title: FarsiNews Directory Traversal and Local File Include Vulnerabilities
  • Description: FarsiNews is a news publishing system that uses flat files to store data. It is vulnerable to multiple input validation issues due to insufficient sanitization of user-supplied input. An attacker could execute arbitrary code on the web server. FarsiNews versions 2.5 and earlier are vulnerable.
  • Ref: http://www.hamid.ir/security/farsinews2-5.txt

  • 06.6.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Multiple Scriptme Applications BBCode URL Tag Script Injection Vulnerabilities
  • Description: Scriptme Blog and Guest book are web-based applications. Both are vulnerable to multiple script injection issues due to insufficient sanitization of user-supplied input to the BBCode "[URL]" tag. Scriptme SmE GB Host version 1.21 and SmE Blog Host are vulnerable.
  • Ref: http://evuln.com/vulns/65/summary.html

  • 06.6.62 - CVE: Not Available
  • Platform: Network Device
  • Title: Sony Ericsson Multiple Phones Remote Denial of Service Vulnerabilities
  • Description: Multiple phones by Sony Ericsson are vulnerable to a remote denial of service issue that affects the Bluetooth stack of the devices. The vulnerability presents itself when the devices handle a specially crafted raw L2CAP packet. Sony Ericsson devices K600i, V600i, W800i and T68i are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/16512/info

  • 06.6.63 - CVE: Not Available
  • Platform: Hardware
  • Title: Samsung E730 Phone Remote Denial of Service
  • Description: Samsung E730 is vulnerable to a remote denial of service issue when the device parses unspecified network data.
  • Ref: http://www.securityfocus.com/bid/16517

  • 06.6.64 - CVE: Not Available
  • Platform: Hardware
  • Title: Nokia N70 Remote Denial of Service
  • Description: Nokia N70 is a mobile telephone. It is vulnerable to a remote denial of service issue when the device parses unspecified network data. Nokia model N70 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16513/info

  • 06.6.65 - CVE: Not Available
  • Platform: Hardware
  • Title: Lexmark X1185 Local Privilege Escalation
  • Description: Lexmark X1185 is an all-in-one printer, copier, and scanner. It is vulnerable to a local privilege escalation issue due to a design error.
  • Ref: http://www.securityfocus.com/archive/1/424322

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.