The most trusted source for computer security training, certification and research.

@RISK: The Consensus Security Vulnerability Alert

Volume: V, Issue: 7
February 20, 2006

SANS Newsletters Home

A big week for media file vulnerabilities: Rapid remediation is needed for both Internet Explorer users and Firefox users (#1, #2, #3, and a few more). The Winamp vulnerability does not yet have a patch; see #4 below for a work around.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Windows
    • 3 (#5, #6)
    • Other Microsoft Products
    • 3 (#1, #2, #3, #7, #8)
    • Third Party Windows Apps
    • 4 (#4)
    • Mac Os
    • 1
    • Linux
    • 4
    • Solaris
    • 1
    • Aix
    • 1
    • Unix
    • 3
    • Cross Platform
    • 10
    • Web Application - Cross Site Scripting
    • 7
    • Web Application - SQL Injection
    • 12
    • Web Application
    • 30
    • Network Device
    • 6
    • Hardware
    • 2

"What is The Real Threat to SCADA and PCS Systems?" --Wednesday, February 22 at 1:00 PM EST (1800 UTC/GMT) -- http://www.sans.org/info.php?id=1032

SCADA and process control systems manage nuclear power plants, manufacturing plants, railroads, pipelines and many other important parts of the critical infrastructure. Join us for this unique SANS web cast that will show you where control systems are vulnerable, how exploitation techniques are changing, and what can you do about it. The webcast is being provided primarily for the 390 people coming to the SCADA Security Summit on March 1-3 ( http://www.sans.org/scadasummit06) But we have opened it up to all @RISK readers, too. Register an sign on early to be sure of getting connected. http://www.sans.org/info.php?id=1032

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Solaris
Aix
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

Other Software Items 06.7.21, 06.7.49, 06.7.84 from Part II

Note: The number of web application vulnerabilities, such as file include, SQL injection and others, has sky rocketed in the last few years. To keep Part I of @RISK to a manageable size, we limit part I coverage to critical vulnerabilities in widely-deployed web packages such as phpBB. If you use less widely-deployed web applications, please be sure to review part II to find their vulnerabilities.

*********************** Sponsored Links: ********************************

1) Enhance security and reduce IT cost with "Efficient Event Management" - listen to this webinar today! http://www.sans.org/info.php?id=1033

2) WhatWorks in Intrusion Prevention Systems: "Monitoring Unique Traffic with Retail Decisions" Tuesday, February 21 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1034

3) SANS Tool Talk Webcast: "How to Create and Audit Defensible Security Compliance Controls" Thursday, February 23 at 1:00 PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=1035

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohit Dhamankar and Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Windows Media Player Bitmap Handling Overflow
  • Affected:
    • Windows Media Player versions 7.1 through 10

  • Description: Windows Media Player contains a heap-based buffer overflow that can be triggered by a specially crafted bitmap(BMP) file. The problem arises because Windows Media Player does not properly process a bitmap file that declares its size as 0 bytes. In this case, the Media Player allocates 0 bytes of heap memory prior to copying the file into heap memory. Hence, a malicious bitmap file can execute arbitrary code with the privileges of the logged-on user. The bitmap file can be embedded in any media format such as ".asx" or ".wmv" or media player skin file. Such a media or skin file can then be posted on a web page, a shared folder or a peer-to-peer file share. Windows systems having Windows Media Player as their default media player are at greatest risk from this vulnerability. Exploit code has been publicly posted.

  • Status: Microsoft Security Bulletin MS06-005 contains the patch as well as workarounds to mitigate this vulnerability.

  • Council Site Actions: All reporting council sites are in the process of responding to this item. Some are rolling out the patches on an expedited basis, and some during their next regularly scheduled system update process. One site commented they were patching workstations and Citrix servers on an expedited basis, but non-Citrix servers on a standard scheduled. One site is using the automated Update feature from Microsoft, and thus the patches are already installed. Many of the sites also have gateway anti-virus for both web and mail.

  • References:
  • (2) HIGH: Internet Explorer WMF Handling Vulnerability
  • Affected:
    • Internet Explorer version 5.01 SP4 on Windows 2000 SP4 and
    • Internet Explorer version 5.5 SP2 on Windows ME

  • Description: Microsoft has released a cumulative patch MS06-004 for Internet Explorer that fixes another WMF file handling vulnerability. This flaw was discussed in the last issue of the @RISK newsletter. As a general security practice Internet Explorer should be upgraded to the latest available version.

  • Council Site Actions: All reporting council sites are in the process of responding to this item. Some are rolling out the patches on an expedited basis, and some during their next regularly scheduled system update process. One site commented they were patching workstations and Citrix servers on an expedited basis, but non-Citrix servers on a standard schedule. One site is using the automated Updates feature from Microsoft and thus the patches are already installed. Many of the sites also have gateway anti-virus for both web and mail.

  • References:
  • (3) HIGH: Windows Media Player Plug-in Buffer Overflow
  • Affected:
    • Windows Media Player versions 9 and 10 when invoked by browsers other
    • than Internet Explorer such as Mozilla Firefox or Netscape

  • Description: Windows Media Player plug-in component is automatically installed when the Media player is installed. Popularly used browsers as alternatives to Internet Explorer such as Firefox and Netscape can detect this plug-in, and open files associated with Windows media player automatically. This plug-in contains a stack-based buffer overflow when launched by browsers other than Internet Explorer. The overflow is triggered by an HTML page containing an "EMBED" tag with an overlong "SRC" attribute. The flaw can be exploited to execute arbitrary code with the privileges of the logged-on user. Exploit code has been publicly posted. Enterprises with Firefox installations should apply this patch on a priority basis.

  • Status: Microsoft Security Bulletin MS06-006 contains the patch. A workaround is to disable the Windows Media Player plug-in in Firefox by visiting "Tools->Options->Downloads->Plug-ins" menu.

  • Council Site Actions: All reporting council sites are in the process of responding to this item. Some are rolling out the patches on an expedited basis, and some during their next regularly scheduled system update process. One site commented they were patching workstations and Citrix servers on an expedited basis, but non-Citrix servers on a standard scheduled. One site is using the automated Updates feature from Microsoft, and thus the patches are already installed. Many of the sites also have gateway anti-virus for both web and mail.

  • References:
  • (4) HIGH: Winamp Playlist File Processing Overflows
  • Affected:
    • Winamp version 5.13 and prior

  • Description: Winamp, a popular media player, contains the following buffer overflows in handling certain playlist files i.e. files with ".m3u" or ".pls" extensions. (a) An overflow that can be triggered by a playlist file containing an overlong filename with ".wma" extension. (b) An overflow that can be triggered by a playlist file containing an overlong filename beginning with "cda://". (c) An overflow that can be triggered by an overlong name of ".m3u" file. A web page containing a malicious playlist file can exploit these vulnerabilities to execute arbitrary code.

  • Status: No patch available from the vendor yet. Go to "Tools->Folder-Options->FileTypes" and remove Winamp as the default handler for "M3U" and "PLS" files. This will prevent a malicious web page from automatically launching Winamp.

  • Council Site Actions: The affected software is not officially supported at any of the reporting council sites. Several sites have advised their users to apply appropriate patches or remove it from their systems.

  • References:
  • (5) MODERATE: Windows IGMPv3 Processing Denial of Service
  • Affected:
    • Windows XP SP1 and SP2
    • Windows 2003 including SP1

  • Description: IGMP protocol allows IP hosts to participate in multicasting. Windows XP and 2003, which support version 3 of the IGMP protocol, contain a DoS vulnerability that can be triggered by a specially crafted IGMP packet. A vulnerable Windows system will stop responding to any further requests after receiving such a packet. The technical details required to craft a malicious IGMP packet have not been posted yet.

  • Status: Microsoft Security Bulletin MS06-007 contains the patch as well as workarounds to mitigate this vulnerability.

  • Council Site Actions: The affected software is in use at a few of the reporting council sites. They plan to deploy the patches during their next regularly scheduled maintenance cycle. One site uses the automated Updates feature from Microsoft.

  • References:
  • (6) MODERATE: Microsoft Web Client Service Remote Code Execution
  • Affected:
    • Windows XP SP1 and SP2
    • Windows 2003 including SP1

  • Description: The Web Client Service on Windows XP/2003 systems allows users to create and modify files on web servers via WebDAV protocol. The service can be reached via "DAV RPC SERVICE" named pipe on ports 139/tcp and 445/tcp. This service contains a flaw that can be exploited by authenticated users to execute arbitrary code. Note that this service is enabled by default on Windows XP, and if the "Guest" access is enabled the flaw can be exploited by any user. No technical details regarding how to trigger the vulnerability have been disclosed yet.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS06-008. Block ports 139/tcp and 445/tcp at the network perimeter to prevent access to this service from the Internet.

  • Council Site Actions: The affected software is in use at a few of the reporting council sites. They plan to deploy the patches during their next regularly scheduled maintenance cycle. One site uses the automated Updates feature from Microsoft.

  • References:
  • (7) LOW: Microsoft PowerPoint 2000 Information Disclosure
  • Affected:
    • PowerPoint 2000

  • Description: This vulnerability in PowerPoint 2000 allows an attacker to access objects in the Temporary Internet Files folder on a client system. This folder contains objects like cookies that may be used by the attacker to obtain unauthorized access to websites visited by the logged-on user. In order to exploit this flaw, an attacker has to set up a web page containing a Powerpoint presentation and entice a victim to view this presentation. If the victim views the presentation using Internet Explorer, the attacker's script can read contents from the temporary internet files folder.

  • Status: Apply the update referenced in Microsoft Security Bulletin MS06-010.

  • Council Site Actions: Only a few of the council sites plan to address this issue. They plan to deploy the patches during their next regularly scheduled maintenance cycle. One site is using the automated Updates feature from Microsoft and the patches are already installed.

  • References:
  • (8) LOW: Internet Explorer Multiple Vulnerabilities
  • Affected:
    • Internet Explorer versions 5.01, 5.5 and 6.0

  • Description: (a) Another 0-day "drag and drop" vulnerability has been reported in Internet Explorer. A specially crafted HTML page can exploit this flaw to install malware on a client system. Exploitation proceeds as follows: The user is enticed to drag and drop an object from a Window opened by Internet Explorer. By carefully timing when the drag and drop operation is initiated, a malicious file object from the pop-under window of the original window can be dropped to a folder such as "SharedDocs" or "Scheduled Tasks" on the user's system. The probability of successful exploitation is believed to be low since the exploit vector critically depends on correctly timing the user's actions. A proof-of-concept exploit has been created but not publicly posted. Microsoft plans to fix this issue in a service pack and not a security bulletin unless further research shows that the remote compromise can be easily achieved. (b) Internet Explorer Javascript and VBscript engines contain a vulnerability that can be exploited to exhaust the process stack memory. Viewing a malicious web page, which exploits this flaw, crashes IE. Remote code execution may be possible but is believed to be difficult.

  • Status: A suggested workaround for the drag and drop issue is to set the kill bit for "Shell.Explorer" control. Note that the workaround will stop Internet Explorer from displaying any "folder" views for local/network file shares and web folders. Further details and the tool, which can be used to set this kill-bit, are available in the Securiteam Advisory. Microsoft has not acknowledged the DoS flaw in script engines.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 7, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 4894 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 06.7.1 - CVE: CVE-2006-0013
  • Platform: Windows
  • Title: Microsoft Windows Web Client Buffer Overflow
  • Description: The Microsoft Windows Web Client is a service that allows applications to access documents on the Internet using the WebDAV protocol. It is vulnerable to a buffer overflow issue that could allow a remote, authenticated attacker to execute arbitrary code on a vulnerable computer with System level privileges. Please refer to the underlying link for a list of vulnerable systems.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms06-008.mspx
  • 06.7.2 - CVE: CVE-2006-0008
  • Platform: Windows
  • Title: Windows Korean Input Method Editor Privilege Escalation
  • Description: Microsoft Windows Korean Input Method Editor (IME) identifies keystrokes pressed by a user and converts them into Korean characters. It is vulnerable to a local privilege escalation issue because the application insecurely exposes some functionality that runs with SYSTEM privileges. See the Microsoft advisory for further details.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms06-009.mspx
  • 06.7.3 - CVE: CVE-2006-0021
  • Platform: Windows
  • Title: Microsoft Windows IGMPv3 Denial of Service
  • Description: The Internet Group Management Protocol (IGMP) is used to provide multicast group information for a physical subnet. This information is used by routers to properly forward multicast datagrams between subnets. IGMP is part of the IP network layer, similar to ICMP. A vulnerability in the handling of IGMPv3 packets could result in a denial of service.
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms06-007.mspx
  • 06.7.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer Drag And Drop File Installation Vulnerability Variant
  • Description: Microsoft Internet Explorer is affected by an issue that may allow unauthorized installation of malicious executables. It is reported that drag and drop along with browser style functionality may be employed by an attacker to install a file onto a victim's system with some degree of user interaction.
  • Ref: http://www.securityfocus.com/bid/16590
  • 06.7.5 - CVE: CVE-2006-0006
  • Platform: Other Microsoft Products
  • Title: Windows Media Player Bitmap Handling Buffer Overflow
  • Description: Microsoft Windows Media Player is prone to a remote buffer overflow vulnerability. The issue arises when the application handles a specially crafted Bitmap image. Microsoft Windows 2000 Service Pack 4 with Windows Media Player 7.1 and Windows XP Service Pack 1 with Windows Media Player 8 are not vulnerable to direct web-based attacks, however, exploitation is still possible if the file is downloaded and opened using Windows Media Player. All other versions are affected.
  • Ref: http://www.securityfocus.com/bid/16633
  • 06.7.6 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Script Engine Buffer Overflow
  • Description: Microsoft Internet Explorer is prone to a remote buffer overflow vulnerability. This issue exists in the VBScript and JScript engines. This vulnerability affects Internet Explorer 6 running on Windows 2000 SP4, Windows XP Professional, and Windows 98SE.
  • Ref: http://www.securityfocus.com/archive/1/425283
  • 06.7.7 - CVE: CVE-2006-0708
  • Platform: Third Party Windows Apps
  • Title: Winamp M3U File Denial of Service
  • Description: Nullsoft Winamp is a media player. It is vulnerable to a denial of service issue due to insufficient handling of "m3u" files with long names. Nullsoft Winamp version 5.13 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424903
  • 06.7.8 - CVE: CVE-2006-0705
  • Platform: Third Party Windows Apps
  • Title: AttachmateWRQ Reflection for Secure IT Remote Format String
  • Description: AttachmateWRQ Reflection for Secure IT Windows Server is a commercial SSH server for Microsoft Windows platforms. A remote format-string vulnerability affects AttachmateWRQ Reflection for Secure IT. A remote attacker may leverage this issue to execute arbitrary machine code, possibly allowing for privilege escalation, and the bypassing of SFTP-only access controls on affected SSH servers. Versions 3.0.1 through 3.1.0 of the software are affected.
  • Ref: http://www.kb.cert.org/vuls/id/419241
  • 06.7.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: eStara Softphone Multiple Denial of Service Vulnerabilities
  • Description: eStara Softphone is commercial SIP-VOIP phone software. It is affected by multiple denial of service issues. The software will crash when processing a negative integer value in the "Expires" field of a SIP header. It will stop responding when processing format string specifiers in SDP headers. The software also crashes when processing the "Content-Length" field in SIP headers with a value longer than 9 characters. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16629
  • 06.7.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Rockliffe MailSite Multiple Unspecified Remote LDAP Vulnerabilities
  • Description: Rockliffe MailSite is a program for providing access to email accounts. It is prone to multiple unspecified vulnerabilities which may be triggered by malformed LDAP data. The exact impact of these vulnerabilities is not known at this time. Rockliffe MailSite 7.0.3 1 is vulnerable.
  • Ref: http://lists.immunitysec.com/pipermail/dailydave/2006-February/002926.html
  • 06.7.11 - CVE: CVE-2006-0382
  • Platform: Mac Os
  • Title: Apple Mac OS X Undocumented System Call Local Denial of Service
  • Description: Apple Mac OS X is susceptible to a local denial of service vulnerability. This issue is do to the failure of the kernel to properly handle the execution of an undocumented system call. Apple has released security advisory APPLE-SA-2006-02-14 along with fixes dealing with this issue. Please see the referenced advisory for more information.
  • Ref: http://lists.apple.com/archives/security-announce/2006/Feb/msg00000.html
  • 06.7.12 - CVE: CVE-2006-0481
  • Platform: Linux
  • Title: LibPNG Graphics Library PNG_Set_Strip_Alpha Buffer Overflow
  • Description: LibPNG is the official Portable Network Graphics (PNG) reference library. It susceptible to a buffer overflow vulnerability due to improper bounds checking of user-supplied input. This issue presents itself in the "png_set_strip_alpha()" function when the library is called to strip the alpha channel out of a malicious PNG file.
  • Ref: http://rhn.redhat.com/errata/RHSA-2006-0205.html
  • 06.7.13 - CVE: CVE-2005-3342
  • Platform: Linux
  • Title: Noweb Insecure Temporary File Creation
  • Description: Noweb is an application designed to automate the process of preparing the source of a program for human readers. Noweb creates temporary files in an insecure manner. An attacker with local access could potentially exploit this issue to overwrite files in the context of the application. Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack.
  • Ref: http://www.securityfocus.com/bid/16610
  • 06.7.14 - CVE: CVE-2006-0717
  • Platform: Linux
  • Title: Tivoli Directory Server Unspecified LDAP Memory Corruption
  • Description: IBM Tivoli Directory Server is vulnerable to an unspecified memory corruption due to malfored LDAP data on the service on TCP port 389. IBM Tivoli Directory Server version 6.0 on the Linux platform is reported to be vulnerable.
  • Ref: http://lists.immunitysec.com/pipermail/dailydave/2006-February/002921.html
  • 06.7.15 - CVE: CVE-2006-0451, CVE-2006-0452, CVE-2006-0453
  • Platform: Linux
  • Title: Fedora Directory Server Multiple Remote Denial of Service Vulnerabilities
  • Description: Fedora Directory Server is a LDAP directory server. It is vulnerable to multiple remote denial of service issues which are triggered by malformed LDAP data. See the service advisory for further details. Fedora Directory Server version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16677
  • 06.7.16 - CVE: Not Available
  • Platform: Solaris
  • Title: Solaris in.rexecd Daemon Local Privilege Escalation
  • Description: The Sun Solaris in.rexecd service is vulnerable to an unspecified local privilege escalation issue. Sun Solaris version 10 with systems configured to reference pam_krb5(5) in their pam.conf(4) file are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102186-1
  • 06.7.17 - CVE: CVE-2006-0666
  • Platform: Aix
  • Title: IBM AIX Local Kernel Denial of Service
  • Description: IBM AIX is prone to a local denial of service vulnerability. This issue affects the AIX 5300-03 "unix_mp" and "unix_64" kernels. These kernels are part of the "bos.mp" and "bos.mp64" filesets. The exact nature of this issue is not known; this BID will be updated as further information becomes available. IBM AIX 5.3L and 5.3 are affected.
  • Ref: http://www.securityfocus.com/bid/16624
  • 06.7.18 - CVE: Not Available
  • Platform: Unix
  • Title: Honeyd IP Reassembly Remote Virtual Host Detection
  • Description: Honeyd is honeypot software that simulates virtual hosts on IP addresses that are not in use. It is prone to a virtual host detection vulnerability due to a design error in the IP reassembly code and allows remote attackers to detect IP addresses simulated by the application. Honeyd versions prior to 1.5 are affected.
  • Ref: http://www.securityfocus.com/archive/1/425112
  • 06.7.19 - CVE: Not Available
  • Platform: Unix
  • Title: GnuPG Detached Signature Verification Bypass
  • Description: GnuPG is an encryption utility. It is affected by a detached signature verification bypass issue due to the failure of the application to properly notify scripts that an invalid detached signature was presented, and that the verification process has failed. This issue allows attackers to bypass the signature verification process used in some automated scripts and potentially run attacker-supplied code. GNU Privacy Guard versions earlier than 1.4.2.1 are vulnerable.
  • Ref: http://www.debian.org/security/2006/dsa-978
  • 06.7.20 - CVE: CVE-2006-0730
  • Platform: Unix
  • Title: Dovecot Double Free Denial of Service
  • Description: Dovecot is a mail-server application for Linux and Unix-like operating systems. Dovecot is prone to a double-free vulnerability that may allow attackers to trigger a denial of service condition. Dovecot versions prior to 1.0 beta3 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16672
  • 06.7.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Metamail Message Processing Remote Buffer Overflow
  • Description: Metamail parses and decodes MIME encoded email. Insufficient sanitization of user-supplied data exposes the application to a buffer overflow issue. Metamail version 2.7 is affected.
  • Ref: http://www.securityfocus.com/bid/16611
  • 06.7.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Valve Software Half-Life CSTRIKE Server Remote Denial of Service
  • Description: Half-Life is a game distributed and maintained by Valve Software. It is affected by a denial of service issue due to insufficient sanitization of malformed UDP packets received on port 27015. Half-Life CSTRIKE version 1.6 Dedicated Server for Windows and Linux is affected.
  • Ref: http://www.securityfocus.com/bid/16619
  • 06.7.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Isode M-Vault Server LDAP Memory Corruption
  • Description: Isode M-Vault Server is a commercial LDAP server that is available for multiple platforms. It is prone to a memory corruption. The affected service listens on TCP port 389. This issue was discovered using the ProtoVer Sample LDAP test suite. Running one of the tests caused an abort during a "free()" call. This issue is conjectured to be a double-free vulnerability in the "/opt/isode/sbin/isode.eddy" binary. The vulnerability was reported for version 11.3 on the Linux platform; other versions and platforms may also be affected.
  • Ref: http://www.securityfocus.com/bid/16635/exploit
  • 06.7.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SSH Tectia Server Remote Format String
  • Description: SSH Tectia Server is a commercial implementation of the SSH protocol. It is affected by a remote format string vulnerability due to insufficient sanitization of user-supplied input to the formatted printing function. A remote attacker may leverage this issue to execute arbitrary machine code, possibly allowing for privilege escalation, and the bypassing of SFTP-only access controls on affected SSH servers.
  • Ref: http://www.ssh.com/company/newsroom/article/715/
  • 06.7.25 - CVE: CVE-2006-0553
  • Platform: Cross Platform
  • Title: PostgreSQL Remote SET ROLE Privilege Escalation
  • Description: PostgreSQL is susceptible to a remote privilege escalation vulnerability. This issue is due to a flaw in the error path of the "SET ROLE" function and it allows remote attackers with database access to gain administrative access to affected database servers.
  • Ref: http://www.securityfocus.com/archive/1/425037
  • 06.7.26 - CVE: CVE-2006-0553
  • Platform: Cross Platform
  • Title: PostgreSQL Set Session Authorization Denial of Service
  • Description: PostgreSQL is a relational database suite. It is vulnerable to a remote denial of service issue due to an unspecified error in "SET SESSION AUTHORIZATION". PostgreSQL versions 8.1.0 through 8.1.2 are reported to be vulnerable.
  • Ref: http://archives.postgresql.org/pgsql-announce/2006-02/msg00008.php
  • 06.7.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NeoMail Neomail-prefs.PL Security Bypass
  • Description: NeoMail is a web-based email client written in the CGI/Perl programming language. NeoMail is prone to a security-bypass vulnerability. The application does not validate the session id in the "addfolder()" and "deletefolder()" functions; this can be exploited to create and delete arbitrary mail folder files.
  • Ref: http://www.securityfocus.com/bid/16651
  • 06.7.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mirabilis ICQ File Transfer Extension Hiding
  • Description: Mirabilis ICQ is an instant messaging application that also allows users to transfer files. It is prone to an issue that could allow the file extension of a transferred file to be hidden. If the name of the directory and a file contained within it are between 30 and 31 characters long and the names are all in capitals, the file extension will not be displayed to the receiving user during the file transfer. ICQ versions 2003 and ICQ Lite versions 4.0 and 4.1 are affected.
  • Ref: http://www.securityfocus.com/bid/16655
  • 06.7.29 - CVE: CVE-2006-0732
  • Platform: Cross Platform
  • Title: SAP Business Connector Unspecified Remote Arbitrary File Access And Deletion
  • Description: SAP Business Connector is a middleware application based on an integration server from webMethods. SAP Business Connector is prone to an unspecified file-access-and-deletion vulnerability. Exploitation of this issue will result in the disclosure of sensitive or privileged information. An attacker may also delete arbitrary files.
  • Ref: http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Arbitrary_File_Read_or_D
    elete_in_SAP_BC.pdf
  • 06.7.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Heimdal TelnetD Denial of Service
  • Description: Heimdal is a free implementation of the Kerberos 5 network authentication protocol. It contains several Kerberos-enabled network server applications. The "telnetd" program provides remote access. It is prone to a remote denial of service vulnerability due to a design error in the application during the initial connection to telnetd before authentication. The resulting NULL pointer de-reference causes telnetd to crash.
  • Ref: http://www.us.debian.org/security/2006/dsa-977
  • 06.7.31 - CVE: CVE-2006-0627
  • Platform: Web Application - Cross Site Scripting
  • Title: Clever Copy Multiple HTML Injection Vulnerabilities
  • Description: Clever Copy is a website portal and news-posting application. It is vulnerable to multiple HTML injection issues due to insufficient sanitization of user-supplied input to the "HTTP_REFERER" and "HTTP_X_FORWARDED_FOR" parameters. Clever Copy versions 3.0 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2006/0495
  • 06.7.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHPNuke Header.PHP Pagetitle Parameter Cross-Site Scripting
  • Description: PHPNuke is a web-based content management system. It is prone to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "pagetitle" parameter of the "header.php" script. PHPNuke 7.8 and prior versions are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/16608/exploit
  • 06.7.33 - CVE: CVE-2006-0682
  • Platform: Web Application - Cross Site Scripting
  • Title: E107 Website System BBCode HTML Injection
  • Description: E107 Website System is a web-based content management system. It is vulnerable to an unspecified HTML injection issue due to insufficient sanitization of user-supplied input to the BBCode system. E107 Website System versions 0.6171 and earlier are vulnerable.
  • Ref: http://e107.org/comment.php?comment.news.776
  • 06.7.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Gastebuch Cross-Site Scripting
  • Description: Gastebuch is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input prior to including it in dynamically generated HTML content. This issue reportedly affects the URI processing functionality of the application. Gastebuch versions 1.3.2 and earlier are vulnerable to this issue.
  • Ref: http://www.securityfocus.com/bid/16615/exploit
  • 06.7.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Siteframe Beaumont Search.PHP Q Parameter Cross-Site Scripting
  • Description: Siteframe Beaumont is a content management system. It is vulnerable to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "q" parameter of the "search.php" script. An attacker may leverage this issue to steal cookie-based authentication credentials as well as perform other attacks. Siteframe Beaumont 5.0.1 and earlier versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16596/info
  • 06.7.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: QwikiWiki Search.php Cross-Site Scripting
  • Description: QwikiWiki is a freely available Wiki application implemented in PHP. QwikiWiki is prone to a cross-site scripting vulnerability. This issue affects the "query" URI parameter of the "search.php" script. QwikiWiki version 1.5 is vulnerable.
  • Ref: http://insecurity.altervista.org/index.php?m=02&y=06&entry=entry060213-2
    21217
  • 06.7.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MyBB Managegroup.PHP Cross-Site Scripting
  • Description: MyBB is a web-based bulletin board application. It is prone to a cross-site scripting vulnerability. This issue is due to a lack of proper sanitization of user-supplied input. The "gid" parameter is not properly sanitized when submitted to the "managegroup.php" script. MyBB version 1.0.3 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/16692/exploit
  • 06.7.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: IPB Army System Army.PHP SQL Injection
  • Description: IPB Army System is a support module for Invision Power Board, written in PHP/MySQL. It is prone to an SQL injection vulnerability. Versions 2.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424846
  • 06.7.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Scriptme SmE GB Host Login.PHP SQL Injection
  • Description: SmE GB Host is web-based guestbook software implemented in PHP. It is prone to an SQL injection vulnerability. The application fails to properly sanitize user-supplied input to the "username" parameter of the "admin/login.php" script before using it in an SQL query.
  • Ref: http://evuln.com/vulns/66/summary.html
  • 06.7.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Lawrence Osiris DB_eSession Class SQL Injection
  • Description: Lawrence Osiris DB_eSession Class is a session data manager application. The DB_eSession is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied cookie data to the "deleteSession()" function. Lawrence Osiris DB_eSession version 1.0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424819
  • 06.7.41 - CVE: CVE-2006-0693
  • Platform: Web Application - SQL Injection
  • Title: CALimba RB_auth.PHP Multiple SQL Injection Vulnerabilities
  • Description: CALimba is a web-based timesheet application. It is vulnerable to multiple SQL injection issues due to insufficient sanitization of user-supplied input to the "login" and "password" parameters of the "rb/cls/rb_auth.php" script. CALimba versions 0.99.1 and 0.99.2 are vulnerable.
  • Ref: http://evuln.com/vulns/68/summary.html
  • 06.7.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DeltaScripts PHP Classifieds Member_Login.PHP SQL Injection
  • Description: PHP Classifieds is a web-based classified ads script. Insufficient sanitization of the "email" parameter in the "member_login.php" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16642
  • 06.7.43 - CVE: CVE-2006-0673
  • Platform: Web Application - SQL Injection
  • Title: Magic Calendar Lite Index.PHP Multiple SQL Injection Vulnerabilities
  • Description: Magic Calendar Lite is a web-based timesheet application written in PHP. It is prone to multiple SQL injection vulnerabilities. The application fails to properly sanitize user-supplied input to the "total_login" and "total_password" parameters of the "cms/index.php" script.
  • Ref: http://insecurity.altervista.org/index.php?m=02&y=06&entry=entry060213-2
    21217
  • 06.7.44 - CVE: CVE-2006-0721
  • Platform: Web Application - SQL Injection
  • Title: RunCMS PMLite.PHP SQL Injection
  • Description: RunCMS is a Web content management system based on Xoops. RunCMS is prone to an SQL-injection vulnerability.
  • Ref: http://hamid.ir/security/runcms.txt
  • 06.7.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: webSPELL Search.PHP SQL Injection
  • Description: webSPELL application is a web-based content management system. Insufficient sanitization of the "title_op" parameter in the "search.php" script exposes the application to an SQL injection issue. webSPELL versions 4.0 and 4.1 are affected.
  • Ref: http://www.securityfocus.com/bid/16673
  • 06.7.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MyBB Private.PHP Multiple SQL Injection Vulnerabilities
  • Description: MyBB is a bulletin board application. It is prone to multiple SQL-injection vulnerabilities. The vulnerabilities present themselves when user-supplied input via the "folder" and "check" variables is passed to the "private.php" script, permitting remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. MyBB version 1.0.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/16678/exploit
  • 06.7.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Teca Diary Personal Edition Functions.PHP SQL Injection
  • Description: Teca Diary Personal Edition is an online diary application. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input to the "yy", "mm" and "dd" parameters of the "functions.php" script before using it in an SQL query. Teca Diary Personal Edition 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/16686
  • 06.7.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BirthSys Multiple SQL Injection Vulnerabilities
  • Description: BirthSys is a PHP script that works in conjunction with a MySQL database. It is prone to SQL injection vulnerabilities due to insufficient sanitization of user-supplied input to the "month" and "date" parameters of the "show.php" script. BirthSys version 3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/16684
  • 06.7.49 - CVE: CVE-2006-0679
  • Platform: Web Application - SQL Injection
  • Title: PHPNuke Modules.PHP SQL Injection
  • Description: PHPNuke is a web-based content management system written in PHP. It is prone to an SQL injection vulnerability due to insufficient sanitization of user-supplied input to the "Nickname" parameter of the "Your Account" module. PHPNuke versions 7.0 to 7.8 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/425173
  • 06.7.50 - CVE: Not Available
  • Platform: Web Application
  • Title: WebGUI User Creation Security Bypass
  • Description: WebGUI is a Web application framework and Web content management system. It is vulnerable to a security bypass issue that could grant an attacker the ability to create an anonymous user regardless of the security settings. WebGUI versions earlier than 6.8.6 are vulnerable.
  • Ref: http://www.plainblack.com/getwebgui/advisories/webgui-6.8.6-gamma-released
  • 06.7.51 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board User Registration Denial of Service
  • Description: Invision Power Board (IPB) is a web-based bulletin board application implemented in PHP. IPB is prone to a remote denial of service vulnerability. This issue is due to a failure in the user registration mechanism to handle multiple consecutive registration requests. This issue is reported to affect Invision Power Board version 2.0.1.
  • Ref: http://www.milw0rm.com/id.php?id=1489
  • 06.7.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Flyspray ADODBPath Remote File Include
  • Description: Flyspray is a web-based bug tracking system implemented in PHP. It is prone to a remote file include vulnerability due to insufficient sanitization of user-supplied input to the "adodbpath" session variable of "install-0.9.7.php" script. Flyspray version 0.9.7 is affected. EGS Enterprise Groupware System version 1.0rc4 ships with a vulnerable version of Flyspray and is also vulnerable to this issue.
  • Ref: http://retrogod.altervista.org/egs_10rc4_php5_incl_xpl.html
  • 06.7.53 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP/MYSQL Timesheet Multiple SQL Injection Vulnerabilities
  • Description: PHP/MYSQL Timesheet is a web-based timesheet application. It is prone to multiple SQL injection issues due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query. Successful exploitation could allow an attacker to compromise the application. Timesheet versions 1 and 2 are vulnerable.
  • Ref: http://evuln.com/vulns/67/summary.html
  • 06.7.54 - CVE: CVE-2006-0570, CVE-2006-0571, CVE-2006-0572
  • Platform: Web Application
  • Title: PHPStatus Multiple Input Validation Vulnerabilities
  • Description: The "phpstatus" script is used to display system status and uptime in a Web page; it is implemented in PHP. The application is prone to multiple cross-site scripting and SQL injection vulnerabilities. These issues are reported to affect multiple unspecified parameters of the administrator's control panel. It is also prone to an authentication bypass issue.
  • Ref: http://evuln.com/vulns/61/summary.html
  • 06.7.55 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Event Calendar HTML Injection
  • Description: PHP Event Calendar is a web-based application used to create calendars. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to the "username" and "password" fields of the login page. PHP Event Calendar version 1.5 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/16588
  • 06.7.56 - CVE: Not Available
  • Platform: Web Application
  • Title: HiveMail Multiple Vulnerabilities
  • Description: HiveMail is a web-based email application. It is vulnerable to multiple issues including SQL injection and cross-site scripting due to improper validation of user input data. HiveMail versions 1.3 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424726
  • 06.7.57 - CVE: Not Available
  • Platform: Web Application
  • Title: LinPHA Multiple Local File Inclusion and PHP Code Injection Vulnerabilities
  • Description: LinPHA is a web-based photo gallery application. It is prone to multiple local file inclusion and PHP code injection vulnerabilities. Versions 0.93 through 1.0 are affected.
  • Ref: http://www.securityfocus.com/archive/1/424729
  • 06.7.58 - CVE: CAN-2005-3058
  • Platform: Web Application
  • Title: Fortinet FortiGate URL Filtering Bypass
  • Description: Fortinet FortiGate is a series of antivirus firewall devices. It is reportedly prone to a URL filtering bypass vulnerability. If an HTTP request is submitted with each line terminated by a CR rather than a CRLF or if there is no host name in an HTTP/1.0 request, the device's URL filtering will be bypassed. In order to comply with RFC 2616, most Web servers will parse these malformed HTTP requests, thus returning the requested content to the user. FortiGate devices running FortiOS v2.8MR10 and v3beta are vulnerable to this issue; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/16599/exploit
  • 06.7.59 - CVE: CVE-2006-0687
  • Platform: Web Application
  • Title: DocMGR Process.PHP Remote File Include
  • Description: DocMGR is a document management system implemented in PHP. DocMGR is prone to a remote file include vulnerability. The application fails to properly sanitize user-supplied input to the "includeModule" parameter of the "process.php" script. An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This issue is reported to affect versions 0.54.2 and earlier.
  • Ref: http://www.securityfocus.com/archive/1/424818
  • 06.7.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Ansilove Multiple Input Validation Vulnerabilities
  • Description: Ansilove is a set of tools to convert ANSI and artscene-related file formats into PNG images. It is prone to multiple input validation vulnerabilities due to insufficient sanitization of user-supplied input. Ansilove versions prior to 1.03 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16603
  • 06.7.61 - CVE: Not Available
  • Platform: Web Application
  • Title: XMB Forum Multiple Input Validation Vulnerabilities
  • Description: XMB Forum is a web-based message board application. Insufficient sanitization of "GPC" in the "u2u" feature exposes the application to multiple input valadation and SQL injection issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16604
  • 06.7.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Hitachi Business Logic Multiple Input Validation Vulnerabilities
  • Description: Hitachi Business Logic - Container is a commercial Web application. It is vulnerable to multiple input validation issues due to a failure in the application to properly sanitize user-supplied input. Successful exploitation of these vulnerabilities could result in a compromise of the application. Versions of Hitachi Business Logic - - Container earlier than 03-01 are vulnerable.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS06-002_e/index-e.html
  • 06.7.63 - CVE: Not Available
  • Platform: Web Application
  • Title: MyBBoard Multiple Input Validation Vulnerabilities
  • Description: MyBBoard is web-based bulletin board software. It is vulnerable to multiple input validation issues due to a failure in the application to properly sanitize user-supplied input. Successful exploitation of these vulnerabilities could allow an attacker to compromise the application. MyBulletinBoard version 1.0.3 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424942
  • 06.7.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Time Tracking Software Multiple Input Validation Vulnerabilities
  • Description: Time Tracking Software is a web-based resource management application. Insufficient sanitization of user-supplied input exposes the application to multiple HTML and SQL injection issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16630
  • 06.7.65 - CVE: Not Available
  • Platform: Web Application
  • Title: PyBlosxom PATH_INFO File Disclosure Vulnerability
  • Description: PyBlosxom is a web log application written in Python. It is prone to a file disclosure vulnerability due to insufficient sanitization of user-supplied input to the "PATH_INFO" variable. A remote attacker may exploit this vulnerability to reveal files that contain potentially sensitive information. PyBlosxom versions 1.3 and 1.3.1 are affected.
  • Ref: http://www.securityfocus.com/bid/16641
  • 06.7.66 - CVE: Not Available
  • Platform: Web Application
  • Title: sNews Multiple Input Validation Vulnerabilities
  • Description: sNews is a web-based news article management application. Insufficient saniitzation of the "category" and "id" parameters of the "index.php" script exposes the application to an SQL injection issue. Insufficient sanitization of the "comment" field exposes the application to an HTML injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/16633
  • 06.7.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Dotproject Multiple Remote File Include Vulnerabilities
  • Description: Dotproject is a web-based project management application. It is vulnerable to multiple remote file include issues due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit these issues to compromise the application and the underlying system. Dotproject versions 2.0 and 2.1 are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/424957
  • 06.7.68 - CVE: Not Available
  • Platform: Web Application
  • Title: WordPress Comment Post HTML Injection
  • Description: WordPress is a Web log application written in PHP. It is prone to an HTML injection issue due to a failure in the application to properly sanitize user-supplied input to the "Author's Website" comment field before using it in dynamically generated content. WordPress version 2.0.0 is reportedly vulnerable.
  • Ref: http://myimei.com/security/2006-02-15/wordpress200autors-websitexss-attack.html#
    more-14
  • 06.7.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Mantis Multiple Input Validation Vulnerabilities
  • Description: Mantis is bug-tracking software implemented in PHP. It is prone to multiple input-validation vulnerabilities due to insufficient sanitization of user-supplied input. Successful exploitation of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Mantis versions prior to 1.0 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16657
  • 06.7.70 - CVE: Not Available
  • Platform: Web Application
  • Title: My Blog BBCode HTML Injection
  • Description: My Blog is a web log application. It is prone to an HTML injection vulnerability. The application fails to properly sanitize user-supplied input before using it in dynamically generated content. This issue affects the BBCode system in "img" and "url" tags.
  • Ref: http://www.securityfocus.com/bid/16659/exploit
  • 06.7.71 - CVE: CVE-2006-0723
  • Platform: Web Application
  • Title: Reamday Enterprises Magic News Lite Preview.PHP Remote File Include
  • Description: Magic News Lite is a web-based news management application implemented in PHP. It is prone to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input to the "php_script_path" variable of "preview.php". This issue affects version 1.2.3.
  • Ref: http://evuln.com/vulns/72/summary.html
  • 06.7.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Plume CMS Prepend.PHP Remote File Include
  • Description: Plume CMS is a web-based content management system. Insufficient sanitization of the "_PX_config[manager_path]" variable in the "prepend.php" script exposes the application to a file include issue. Plume CMS version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/16662
  • 06.7.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Multiple Reamday Enterprises Products Multiple Variable Overwrite Vulnerabilities
  • Description: Multiple Reamday Enterprises products are prone to multiple vulnerabilities regarding the overwriting of application variables. These issues are due to a failure in the applications to properly initialize various application variables prior to use. Successful exploitation may result in the attacker gaining administrative access to the vulnerable application. Please visit the reference link for a list of vulnerable products.
  • Ref: http://www.securityfocus.com/bid/16665
  • 06.7.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Squishdot Mail HTML CRLF Injection
  • Description: Squishdot is a news publishing and discussion application written for the Zope application server. Squishdot is prone to a CRLF injection vulnerability. Squishdot version 1.5 is vulnerable.
  • Ref: http://www.squishdot.org/1139510883
  • 06.7.75 - CVE: Not Available
  • Platform: Web Application
  • Title: SAP Business Connector Unspecified Input Validation
  • Description: SAP Business Connector is a middleware application based on an integration server from webMethods. It is susceptible to an unspecified input-validation vulnerability. The application fails to properly sanitize user-supplied input. This issue is conjectured to be a cross-site scripting vulnerability, since the reporter states that attackers can create a URI that will cause an attacker-specified web page to be loaded into an HTML frame contained in the administrative web pages of the SAP Business Connector application. SAP Business Connector versions 4.6 and 4.7 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16671
  • 06.7.76 - CVE: Not Available
  • Platform: Web Application
  • Title: HTML::BBCode HTML Injection
  • Description: HTML::BBCode is a Perl script that converts BBCode to HTML. It is prone to an HTML injection vulnerability due to insufficient sanitization of user-supplied input to the "img" and "url" tags. HTML::BBCode versions 1.03 and 1.04 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/16680
  • 06.7.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Clever Copy Private Message HTML Injection
  • Description: Clever Copy is a website portal and news-posting system. Insufficient sanitization of the "subject" field exposes the application to an HTML injection issue. Clever Copy version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/16681
  • 06.7.78 - CVE: Not Available
  • Platform: Web Application
  • Title: DreamCost HostAdmin Index.PHP Remote File Include
  • Description: HostAdmin is a web-based shopping cart and site administration tool. It is prone to a remote file include issue due to a failure in the application to properly sanitize user-supplied input to the "path" parameter of "index.php". An attacker can exploit this issue to compromise the application and the underlying system. Dreamcost HostAdmin version 3.0 is vulnerable.
  • Ref: http://www.xorcrew.net/xpa/XPA-HostAdmin.txt
  • 06.7.79 - CVE: Not Available
  • Platform: Web Application
  • Title: @Mail IMG tag HTML Injection
  • Description: @Mail is a web-based interface to an existing mail server. It is prone to an HTML injection vulnerability due to improper sanitization of email messages containing HTML image tags before using it in dynamically generated content. HTML image tags of the form "<img src = "java&amp;#09;script[code]">" allow an attacker to send malicious code to a victim user in an HTML email message. @Mail version 4.3 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/16683
  • 06.7.80 - CVE: CVE-2006-0718
  • Platform: Network Device
  • Title: Avaya VSU/CSU Products ISAKMP IKE Traffic Denial of Service
  • Description: Avaya VSU 100, 200, 7500, 10000, and CSU 5000, along with Avaya SG5/5X, 200, 203 and 208 are network security solutions offering a firewall, VPN, antivirus, and intrusion detection. These Avaya VSU products are prone to a denial of service when handling malformed IKE traffic.
  • Ref: http://support.avaya.com/elmodocs2/security/ASA-2006-043.htm
  • 06.7.81 - CVE: Not Available
  • Platform: Network Device
  • Title: Multiple D-Link Products IP Fragment Denial of Service
  • Description: Multiple D-Link devices are susceptible to a remote denial of service vulnerability. This issue is due to a flaw in affected devices that causes them to fail when attempting to reassemble certain IP packets. D-Link DI-524, DI-624 and Di-784 devices are affected by this issue. US Robotics USR8054 devices are also affected.
  • Ref: http://www.securityfocus.com/bid/16621
  • 06.7.82 - CVE: Not Available
  • Platform: Network Device
  • Title: BlackBerry Enterprise Server Malformed Word Attachment Buffer Overflow
  • Description: BlackBerry Enterprise Server is prone to a buffer overflow in its attachment service. This issue is likely due to insufficient bounds checking of fields in Word document.
  • Ref: http://www.securityfocus.com/bid/16590
  • 06.7.83 - CVE: CAN-2005-3057
  • Platform: Network Device
  • Title: Fortinet FortiGate Antivirus Engine Bypass
  • Description: Fortinet FortiGate is a series of antivirus firewall devices. FortiGate is reportedly prone to an antivirus engine scanning bypass. This issue is said to exist when files are transferred using the FTP protocol under certain conditions. Transferring a file in this manner will allow it to bypass a virus scan, potentially allowing a malicious file to be downloaded and executed by a client behind the affected device. FortiGate devices running FortiOS v2.8MR10 and v3beta are vulnerable to this issue. Other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/424857
  • 06.7.84 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Multiple Products TACACS+ Authentication Bypass
  • Description: Cisco Anomaly Detection and Mitigation appliances and service modules are prone to an authentication bypass vulnerability. This vulnerability presents itself when the devices have been configured to authenticate users against an external TACACS+ server but an external TACACS+ server is not specified in the configuration using the "tacacs-server host" command. Depending on the privileges gained by the attacker, they may obtain sensitive information about a network by sniffing traffic and inspecting configuration policies. Denial of service attacks are also possible.
  • Ref: http://www.securityfocus.com/bid/16661
  • 06.7.85 - CVE: Not Available
  • Platform: Network Device
  • Title: D-Link DWL-G700AP HTTPD Denial of Service
  • Description: D-Link DWL-G700AP is a wireless access point which has a built-in webserver named "cameo". It is affected by a denial of service issue when the webserver handles malformed GET reques such as "GET nn". DWL-G700AP version 2.00 and 2.01 is affected.
  • Ref: http://www.securityfocus.com/bid/16690
  • 06.7.86 - CVE: Not Available
  • Platform: Hardware
  • Title: Nokia N70 L2CAP Packets Remote Denial of Service
  • Description: The Nokia N70 is a mobile telephone. It is vulnerable to a remote denial of service issue when the device parses multiple malicious L2CAP packets. Nokia model N70 is reported to be vulnerable.
  • Ref: http://www.secuobs.com/news/15022006-nokia_n70.shtml#english
  • 06.7.87 - CVE: Not Available
  • Platform: Hardware
  • Title: Kyocera 3830 Printer Unauthorized Access
  • Description: Kyocera 3830 printer is vulnerable to unauthorized access due to improper authentication over TCP port 9100. Kyocera model 3830 printer is vulnerable
  • Ref: http://evader.wordpress.com/2006/02/16/kyocera-printers/

(c) 2006. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

SANS delivers the best training I have seen in the industry.
-Brian Hughes, Idaho State University

MGT525@ SANS 2010-sky

Contact us: (301) 654-SANS(7267)
Monday - Friday 9am-8pm EST/EDT