@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 1
January 2, 2007

A light week, but Novell Netmail users should upgrade right away and Quicktime users need to avoid careless browsing until Apple fixes the problem there.

SANS 2007 - with 53 hands-on immersion training courses and a big product expo - will be in San Diego this year. Full schedule of courses: http://www.sans.org/sans2007/event.php

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Third Party Windows Apps                  4
    Linux                                     1
    Novell                                    2 (#2)
    Apple (#1)
    Cross Platform                            8
    Web Application - Cross Site Scripting    5
    Web Application - SQL Injection           14
    Web Application                           32 (#3)

************************ Sponsored By SANS ******************************

Interested in enhancing your knowledge after attending a SANS training event? The solution is the OnDemand Bundle for $379! An online training and assessment system that reinforces the concepts taught in the classroom. For more information email ondemand@sans.org or call (301) 654-7267.

*************************************************************************

Table Of Contents
  • Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    • Third Party Windows Apps
    • Linux
    • Novell
    • Cross Platform
    • Web Application - Cross Site Scripting
    • Web Application - SQL Injection
    • Web Application
  • PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Apple QuickTime RTSP URL Handler Buffer Overflow
  • Affected:
    • QuickTime version 7.1.3 and possibly prior on Mac OS and Windows platforms
  • Description: Apple QuickTime, a widely used media player, contains a stack-based buffer overflow in handling RTSP URLs. The overflow has been discovered by the "Month of Apple Bugs" project, and can be triggered by a specially crafted RTSP URL that is 300 bytes or longer. A malicious webpage or a media file can exploit this flaw to execute arbitrary code on a user's system. Note that systems using QuickTime as the default media player can be compromised upon browsing to a malicious webpage without any user interaction. Exploit code has been publicly posted.

  • Status: Apple has not confirmed the vulnerability, and no patches are available. A workaround is to disable the RTSP URL handler.

  • References:
Other Software
  • (3) CRITICAL: Cacti cmd.php Remote Command Execution and SQL Injection Vulnerabilities
  • Affected:
    • Cacti version 0.8.6i
  • Description: Cacti is a widely used network graphing package for UNIX. Cacti contains remote command execution and SQL injection vulnerabilities in its "cmd.php" script. An attacker can exploit these flaws to execute arbitrary commands on a web server running Cacti. Exploit code has been publicly posted.

  • Status: The vendor has not confirmed the vulnerability, and no patches are available. A workaround is to ensure that the cmd.php script is not accessible via web requests. Council Site Summary: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 1, 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5321 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 07.1.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTPRush Host Field Local Buffer Overflow
  • Description: FTPRush is an FTP client available for Microsoft Windows. It is prone to a local buffer overflow vulnerability due to insufficient bounds checking on the Host field in the client GUI. FTPRush version 1.0.0.610 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21714

  • 07.1.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: LANMessenger Information Request Mechanism Denial of Service
  • Description: LANMessenger is a UDP-based instant messenger application. It is affected by a denial of service issue due to an unspecified error in the information request mechanism. LANMessenger versions prior to 1.5.1.2 are affected.
  • Ref: http://www.securityfocus.com/bid/21715/info

  • 07.1.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WikiReader URL Field Local Buffer Overflow
  • Description: WikiReader is a utility that allows you to open WikiPedia articles via Microsoft Windows applications. It is exposed to a local buffer overflow issue because it fails to adequately bounds check user-supplied input data to an insufficiently sized buffer. The problem occurs when data supplied to the URL field in the client GUI is greater than 16635 bytes. The application will crash when the data is processed. This issue affects version 1.12.
  • Ref: http://www.securityfocus.com/bid/21718

  • 07.1.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: acFTP Server Multiple Remote Denial of Service Vulnerabilities
  • Description: acFTP is an open source FTP server application for the Microsoft Windows operating systems. It is exposed to multiple remote denial of service issues because the application fails to properly handle user-supplied input. These issues affect version 1.5.
  • Ref: http://www.securityfocus.com/bid/21767

  • 07.1.5 - CVE: Not Available
  • Platform: Linux
  • Title: KSirc IRC Client Remote PRIVMSG Buffer Overflow
  • Description: KSirc is the default IRC client included with the KDE desktop environment. It is exposed to a remote buffer overflow vulnerability. The issue arises when the client handles excessive string data. Specifically, this issue is triggered when PRIVMSG messages containing excessively long content of approximately 2500 bytes are received by affected clients. When the "stdout_read()" method of the "KSircIOController" class attempts to process this data, a buffer will be overrun with attacker-supplied data. KSirc 1.3.12 is affected.
  • Ref: http://www.securityfocus.com/bid/21790

  • 07.1.6 - CVE: Not Available
  • Platform: Novell
  • Title: Novell Netmail IMAP Verb Literal Heap Overflow
  • Description: Novell Netmail is an email and calendaring system. It is prone to a remotely exploitable buffer overflow vulnerability caused by a lack of bounds checking on literals that are appended to IMAP verbs. Novell NetMail versions 3.52 D and earlier are vulnerable.
  • Ref: http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public

  • 07.1.7 - CVE: Not Available
  • Platform: Novell
  • Title: Novell Netmail IMAP APPEND Denial of Service
  • Description: Novell Netmail is an email and calendaring system. Insufficient sanitization of the IMAP APPEND argument exposes the application to a denial of service issue. Please refer to the attached advisory for a list of affected versions.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=455

  • 07.1.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSER Parse_Expression Remote Buffer Overflow
  • Description: OpenSER is an open source SIP (session initiation protocol) server available for multiple operating systems. It is prone to a remote buffer overflow issue because the software fails to perform adequate bounds checks on user-supplied input to the "str" parameter of the "parse_expression()" routine. OpenSER version 1.1.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21706

  • 07.1.9 - CVE: CVE-2006-6425
  • Platform: Cross Platform
  • Title: Novell Netmail IMAP APPEND Buffer Overflow
  • Description: Novell Netmail is an email and calendaring system. It is prone to a remotely exploitable buffer overflow vulnerability due to insufficient bounds checking on a client supplied IMAP APPEND parameter. Novell Netmail versions 3.52 D and prior are reportedly vulnerable.
  • Ref: http://www.novell.com/support/search.do?cmd=displayKC&externalId=3096026&sliceId=SAL_Public


  • 07.1.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: W3M SSL Certificate Format String
  • Description: W3M is a console based web browser. W3M is available for UNIX/Linux and Windows operating systems. It is exposed to a format string vulnerability. This issue can occur when the browser processes SSL certificates that include format specifiers. Version 0.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/21735

  • 07.1.12 - CVE: CVE-2006-6698
  • Platform: Cross Platform
  • Title: GConf Temporary Directory Creation Denial of Service
  • Description: GConf is a user preference storage application for multiple window managers. It is prone to a local denial of service vulnerability that occurs in the "gconf_get_daemon_dir" routine of "gconf-internals.c". GConf versions 2.7 and 2.8 are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21762

  • 07.1.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Novell Netmail Multiple Services Unspecified Stack Buffer Overflow Vulnerabilities
  • Description: Novell Netmail is an email and calendaring system. It is prone to multiple unspecified stack based buffer overflow vulnerabilities due to insufficient bounds checking in the "SMTP", "POP3", "IMAP" and "HTTP" services. Novell Netmail versions 3.52e-ftfi and prior are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21773

  • 07.1.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DB Hub Remote Denial of Service
  • Description: DB Hub is an open source fork of the Open DC Hub application. It is vulnerable to a remote denial of service issue due to a memory corruption flaw when it attempts to process specially crafted network traffic. DB Hub version 0.3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21791

  • 07.1.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSER OSP Module Validateospheader Function Buffer Overflow
  • Description: OpenSER is an open source SIP server. The OpenSER OSP Module is prone to a buffer overflow vulnerability that exists in the "validateospheader()" function when validating OSP headers. An attacker may exploit this vulnerability by manipulating the OSP headers, ultimately resulting in memory corruption. Versions 1.1.0 and prior are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21801

  • 07.1.16 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: a-blog Unspecified Cross-Site Scripting Vulnerability
  • Description: The "a-blog" application is a web log program. It is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to unspecified parameters and scripts. Version 2.1.c is affected.
  • Ref: http://www.securityfocus.com/bid/21716

  • 07.1.17 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TimberWolf ShowNews.PHP Cross Site Scripting
  • Description: TimberWolf is a web-based content management system. It is prone to a cross site scripting vulnerability due to insufficient sanitization of the "nid" parameter of the "shownews.php" script. TimberWolf version 1.2.2 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21733

  • 07.1.18 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Live! Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP Live! is a customer support application. It is exposed to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input to the URI parameters of multiple scripts. Version 3.2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21737

  • 07.1.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PNAmazu Cross-Site Scripting
  • Description: PNAmazu is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. PNAmazu versions prior to 2006.12.23 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21759

  • 07.1.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP ICalendar Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP iCalendar is a web-based calendar application. It is exposed to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input to the URI parameters of multiple scripts. PHP iCalendar versions 2.0 b, 2.23 rc1, 2.22 and 1.1 are affected.
  • Ref: http://www.securityfocus.com/bid/21792

  • 07.1.21 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Enthrallweb eCars Types.ASP SQL Injection
  • Description: Enthrallweb eCars is a web-based automobile dealership application. Insufficient sanitization of the "type_id" parameter of the "Types.asp" script exposes the application to an SQL injection issue. eCars version 1.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21748

  • 07.1.22 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Enthrallweb ePages Actualpic.ASP SQL Injection
  • Description: Enthrallweb ePages is a web-based directory. Insufficient sanitization of the "Biz_ID" parameter of the "actualpic.asp" script exposes the application to a SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21750

  • 07.1.23 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Enthrallweb ePhotos SubLevel2.ASP SQL Injection
  • Description: Enthrallweb ePhotos is a web-based photo gallery. Insufficient sanitization of the "SUB_ID" parameter of the "subLevel2.asp" script exposes the application to a SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21742

  • 07.1.24 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Hitachi Soumu Workflow Multiple Unspecified SQL Injection Vulnerabilities
  • Description: Hitachi Soumu Workflow is an application for workflow productivity. Unspecified parameters and scripts are vulnerable to SQL injection attacks because the application fails to properly sanitize user-supplied input. Hitachi Soumu Workflow versions 3.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21704

  • 07.1.25 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Ixprim CMS IXM_IXPNews.PHP SQL Injection
  • Description: Ixprim CMS is a content manager. It is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "story_id" parameter of the "ixm_ixpnews.php" script. Version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21710

  • 07.1.26 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Efkan Forum Grup Variable SQL Injection Vulnerability
  • Description: Efkan Forum is a web-based forum application. Insufficient sanitization of the "grup" parameter of the "default.asp" script exposes the application to an SQL injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/455205

  • 07.1.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Chatwm SelGruFra.ASP SQL Injection
  • Description: Chatwm is a web-based chat application. It is exposed to multiple SQL injection issues because it fails to properly sanitize user-supplied input to the "txtUse" and "txtPas" variables of the "SelGruFra.asp" script. Chatwm version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21732

  • 07.1.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Netbula Anyboard User Login SQL Injection
  • Description: Netbula Anyboard is a forum application. Insufficient sanitization of user supplied input exposes the application to an SQL injection issue. Netbula Anyboard version 9.9.5.6 is affected.
  • Ref: http://www.securityfocus.com/bid/21734

  • 07.1.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mxmania File Upload Manager Detail.ASP SQL Injection
  • Description: Mxmania File Upload Manager is a web site utility for uploading and managing files. It is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ID" parameter of the "detail.asp" script file. Mxmania File Upload Manager versions prior to 1.0.6 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21754

  • 07.1.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: The Classified Ad System Default.ASP SQL Injection
  • Description: The Classified Ad System is a content management system. It is exposed to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "main" parameter of the "default.asp" script file. Version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21758

  • 07.1.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Calendar MX Basic Calendar_Detail.ASP SQL Injection
  • Description: Calendar MX Basic is a web-based calendar application. Insufficient sanitization of the "ID" parameter of the "calendar_detail.asp" script exposes the application to an SQL injection issue. Calendar MX Basic versions 1.0.2 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21763

  • 07.1.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Update Guestadd.PHP Multiple SQL Injection Vulnerabilities
  • Description: PHP-Update is a web-based application for remote administration of a web-site. It is exposed to multiple SQL injection issues because it fails to properly sanitize user-supplied input to the "newmessage", "newname", "newwebsite", and "newemail" parameters of the "guestadd.php" script. PHP-Update version 2.7 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21772

  • 07.1.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: EnthrallWeb Ananda Real Estate List.ASP SQL Injection
  • Description: Ananda Real Estate is a web-based real estate management application. It is affected by an SQL injection issue due to insufficient sanitization of the "agent" parameter of the "list.asp" script. Ananda Real Estate version 3.4 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21771

  • 07.1.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: dmxREADY Secure Login Manager Multiple SQL Injection Vulnerabilities
  • Description: dmxREADY Secure Login Manager is affected by multiple SQL injection issues due to insufficient sanitization of the "sent" parameter of the "login.asp", "content.asp", "members.asp" and "inc_secureloginmanager.asp" scripts. dmxREADY version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21788

  • 07.1.35 - CVE: Not Available
  • Platform: Web Application
  • Title: eNdonesia Multiple Scripts Multiple Input Validation Vulnerabilities
  • Description: eNdonesia is a web portal application. It is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied input. eNdonesia version 8.4 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21333

  • 07.1.36 - CVE: Not Available
  • Platform: Web Application
  • Title: EnthrallWeb Multiple Products Myprofile.ASP Arbitrary User Password Change
  • Description: EnthrallWeb produces multiple web-based applications. The "myprofile.asp" is prone to an unspecified vulnerability that may permit attackers to change arbitrary passwords. Multiple versions are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21739

  • 07.1.37 - CVE: Not Available
  • Platform: Web Application
  • Title: Logahead UNU Edition _Widged.PHP Arbitrary File Upload
  • Description: Logahead UNU edition is a blog application. It is exposed to an arbitrary file upload vulnerability because it fails to sufficiently sanitize user-supplied input to the "_widged.php" script when uploading arbitrary files. Logahead version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21743

  • 07.1.38 - CVE: Not Available
  • Platform: Web Application
  • Title: My_eGallery Module DisplayCategory.PHP Remote File Include
  • Description: The My_eGallery Module is an image gallery application for myPHPNuke. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "basepath" parameter of the "displayCategory.php" script. My_eGallery Module version 2.5.6 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21744

  • 07.1.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Newsletter MX admin_mail_adressee.ASP SQL Injection
  • Description: Newsletter MX is a web-based newsletter application. It is exposed to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "ID" parameter of "admin_mail_adressee.asp". Newsletter MX version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21746/

  • 07.1.40 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPBuilder HTM2PHP.PHP Directory Traversal
  • Description: PHPBuilder is a content management system. It is exposed to a directory traversal vulnerability because it fails to properly sanitize user-supplied input to the "filename" parameter of the "htm2php.php" script. PHPBuilder version 0.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/21703/info

  • 07.1.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Intertianews Inertianews_Main.PHP Remote File Include
  • Description: Intertianews is a web-based news script. It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "inews_path" parameter of the "inertianews_main.php" script. Intertianews version 0.02b is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21713

  • 07.1.42 - CVE: Not Available
  • Platform: Web Application
  • Title: Xt-News Multiple Input Validation Vulnerabilities
  • Description: XT-News is a web-based news script. Insufficient sanitization of user-supplied input exposes the application to multiple cross-site scripting and SQL injection issues. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21719

  • 07.1.43 - CVE: Not Available
  • Platform: Web Application
  • Title: Keep It Simple Guest Book Authenticate.PHP Remote File Include
  • Description: Keep It Simple Guest Book (KISGB) is a guestbook application. It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "default_path_for_themes" parameter of the "authenticate.php" script. Keep It Simple Guest Book versions 5.1.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21721

  • 07.1.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Okul Merkezi Portal Page Variable Remote File Include
  • Description: Okul Merkezi Portal is a web-based portal application. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "page" parameter of the "ataturk.php" script. Okul Merkezi Portal version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21730

  • 07.1.45 - CVE: Not Available
  • Platform: Web Application
  • Title: FishyShoop Administrative Bypass
  • Description: FishyShoop is a web-based shopping cart application. It is vulnerable to an administrative access issue due to insufficient checks on user-supplied POST data. FishyShoop version 0.930 beta is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/455260

  • 07.1.46 - CVE: Not Available
  • Platform: Web Application
  • Title: VBulletin SWF Script Injection Vulnerability
  • Description: vBulletin is a web-based bulletin board. Insufficient sanitization of user-supplied input exposes the application to a SWF script injection issue. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21736

  • 07.1.47 - CVE: Not Available
  • Platform: Web Application
  • Title: phpbbXtra Archive_Topic.PHP Remote File Include
  • Description: phpbbXtra is a web-based bulletin board. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "phpbb_root_path" parameter of the "archive_topic.php" script. phpbbXtra version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/455304

  • 07.1.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Shadowed Portal Include.PHP Remote File Include
  • Description: Shadowed Portal is a web-based bulletin board application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "mod_root" parameter of the "include.php" script. Shadowed Portal version 5.7 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21753

  • 07.1.49 - CVE: Not Available
  • Platform: Web Application
  • Title: CMS Made Simple Comment Form HTML Injection
  • Description: CMS Made Simple is a content management system. It is prone to an HTML injection vulnerability due to insufficient input sanitization of the comment form when submitting user comments. CMS Made Simple version 1.0.2 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21756

  • 07.1.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Ciberia Content Federator Maquetacion_Socio.PHP Remote File Include
  • Description: Ciberia Content Federator is a web-based blog application. Insufficient sanitization of the "path" parameter of the "maquetacion_socio.php" script exposes the application to a remote file include issue. Ciberia Content Federator version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21757

  • 07.1.51 - CVE: CVE-2006-5282
  • Platform: Web Application
  • Title: SH-News Misc.PHP Remote File Include
  • Description: SH-News is a web-based news manager application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "news_cfg[path]" parameter of the "misc.php" script. SH-News version 0.93 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21761

  • 07.1.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Luckybot DIR Parameter Multiple Remote File Include Vulnerabilities
  • Description: Multiple remote file include vulnerabilities affect Luckybot because the application fails to properly sanitize user-supplied input to the "dir" parameter of the "run.php" and "classes/ircbot.class.php" scripts before using it in a PHP "include()" function call. Luckybot version 3 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21765

  • 07.1.53 - CVE: Not Available
  • Platform: Web Application
  • Title: phpCMS Class.Cache_PHPCMS.PHP Remote File Include
  • Description: phpCMS is a content management system. Insufficient sanitization of the "PHPCMS_INCLUDEPATH" parameter of the "includes/class.cache_phpcms.php" script exposes the application to a remote file include issue. phpCMS version 1.1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/21768

  • 07.1.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Irokez CMS Multiple Remote File Include Vulnerabilities
  • Description: Irokez CMS is a content management application. It is exposed to multiple remote file include issues because the application fails to properly sanitize user-supplied input before using it in a PHP "include()" function call. Versions 0.7.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21769

  • 07.1.55 - CVE: Not Available
  • Platform: Web Application
  • Title: MTCMS Admin_Settings.PHP Remote File Include
  • Description: MTCMS is a web-based content manager application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "ins_file" parameter of the "admin/admin_settings.php" script. MTCMS version 2.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21770

  • 07.1.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Open Newsletter Settings.PHP Authentication Bypass
  • Description: Open Newsletter is a web-based application. It is exposed to an authentication bypass issue because the software fails to perform sufficient authentication checking in the "settings.php" script. As a result, sensitive information may be disclosed. Versions 2.0 through 2.5 are affected.
  • Ref: http://www.securityfocus.com/bid/21775

  • 07.1.57 - CVE: Not Available
  • Platform: Web Application
  • Title: BE IT EasyPartner Joomla! Component Multiple Remote File Include Vulnerabilities
  • Description: BE IT EasyPartner is a component for the Joomla! content management system. Insufficient sanitization of user-supplied input exposes the application to multiple remote file include issues. BE IT EasyPartner version 0.0.9 beta is affected.
  • Ref: http://www.securityfocus.com/bid/21776

  • 07.1.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress Template.PHP HTML Injection
  • Description: Wordpress is a blog application. It is vulnerable to an HTML injection issue due to insufficient sanitization of user-supplied input to the "file" parameter of the "template.php" script. Wordpress versions 2.0.5 and earlier are vulnerable.
  • Ref: http://michaeldaw.org/

  • 07.1.59 - CVE: Not Available
  • Platform: Web Application
  • Title: myPHPCalendar Cal_Dir Parameter Multiple Remote File Include Vulnerabilities
  • Description: myPHPCalendar is a content management system. It is exposed to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "cal_dir" parameter of various scripts. myPHPCalendar version 10.1 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21785

  • 07.1.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Hosting Controller FolderManager.ASPX Directory Traversal
  • Description: Hosting Controller is a set of hosting automation tools. It is prone to a directory traversal vulnerability due to insufficient sanitization of the "BrowsePath" parameter of the "FolderManager.ASPX" script. Hosting Controller version 7C is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21786

  • 07.1.61 - CVE: Not Available
  • Platform: Web Application
  • Title: AlstraSoft Web Host Directory Administrator Password Change
  • Description: Web Host Directory is a web hosting directory and comparison application. It is prone to a vulnerability that may permit attackers to change the administrative password simply by navigating to the "admin/config" page. AlstraSoft Web Host Directory version 1.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21787

  • 07.1.62 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Update Admin Upload.PHP Arbitrary File Upload Vulnerability
  • Description: PHP-Update is a content management system. It is exposed to an arbitrary file upload vulnerability because it fails to sufficiently sanitize user-supplied input to the "admin/upload.php" script. Versions 2.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21789

  • 07.1.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Yrch! Plug.inc.PHP Remote File Include
  • Description: Yrch! is a web directory hierarchy application. Insufficient sanitization of the "path" parameter of the "plug.inc.php" script exposes the application to a remote file include issue. Yrch! versions 1.0 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21794

  • 07.1.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Fantastic News Multiple Remote File Include Vulnerabilities
  • Description: Fantastic News is a news reader. It is exposed to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "CONFIG" parameter of the "archive.php" and "headlines.php" scripts. Fantastic News 2.1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/21796

  • 07.1.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Limbo CMS Event Module Remote File Include
  • Description: Limbo CMS event module is a component of the Limbo content management system. Insufficient sanitization of the "lm_absolute_path" parameter of the "mod_eventcal.php" script exposes the application to a remote file include issue. Limbo CMS event module version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/21798

  • 07.1.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Cacti CMD.PHP Remote Command Execution
  • Description: Cacti is exposed to a remote command execution vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. Cacti versions 0.8.6i and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21799

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.