@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 13
March 26, 2007

No major products are on the critical list this week. So while you have a possibly more relaxed week, take the opportunity to get all the programmers in your organization to test their secure programming skills using the free sample tests at www.sans-ssi.org.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Windows                                   1
    Third Party Windows Apps                  9 (#2, #5)
    Mac Os                                    1
    Linux                                     4
    Unix                                      1
    Cross Platform                            24 (#1, #3, #4)
    Web Application - Cross Site Scripting    3
    Web Application - SQL Injection           14
    Web Application                           22
    Network Device                            4

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Helix DNA Server DESCRIBE Heap Overflow
  • Affected:
    • Helix DNA Server versions prior to 11.1.3
  • Description: Helix DNA Server is a popular open source media streaming server based on code from Real. The server contains a heap-based buffer overflow that can be triggered by sending an overlong "LoadTestPassword" header in the "DESCRIBE" command. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the Helix Server process, often root or SYSTEM. Full technical details and a working exploit are publicly available for this vulnerability.

  • Status: Helix confirmed, updates available.

  • References:
  • (2) CRITICAL: Atrium MERCUR Messaging Multiple Vulnerabilities
  • Affected:
    • Atrium Software MERCUR Messaging 2005 Standard/Lite/Enterprise
  • Description: Atrium MERCUR Messaging, a popular mail and messaging suite for Microsoft Windows, contains multiple vulnerabilities: (a) A specially crafted SUBSCRIBE command, sent to the IMAP server, could allow an authenticated attacker to exploit a stack-based buffer overflow, and execute arbitrary code with the privileges of the server process. A working exploit and technical details are available for this vulnerability. Authentication is required to exploit this flaw. (b) A specially-crafted NTLM authentication request sent to the IMAP server could allow an attacker to exploit a stack-based buffer overflow and execute arbitrary code with the privileges of the server process. Note that no authentication is necessary for this vulnerability. A simple proof-of-concept is publicly available, and a working exploit is available to members of Immunity's partners program.

  • Status: Atrium has not confirmed, no updates available.

  • References:
  • (3) MODERATE: OpenOffice.org and LibWPD Multiple Vulnerabilities
  • Affected:
    • OpenOffice.org versions 1.x and 2.x
  • Description: OpenOffice.org, a popular open source office suite included with many Unix, Unix-like, and Linux systems, contains multiple vulnerabilities: (a) A specially-crafted Word Perfect document could trigger several integer overflows in the "LibWPD" library, used to parse Word Perfect files. Successfully exploiting these integer overflows could allow an attacker to execute arbitrary code with the privileges of the current user. Note that "LibWPD" is used internally by OpenOffice.org and by other open source word processors, such as AbiWord. (b) A specially crafted link in an OpenOffice.org document could execute arbitrary commands when the link is clicked by a user. (c) A specially crafted OpenOffice.org document could trigger a buffer overflow in the "Calc spreadsheet" portion of the application. Successfully exploiting this buffer overflow could allow the attacker to execute arbitrary code with the privileges of the current user. Note that since all of the affected code is open source, technical details are available via source code analysis. Depending on operating system and configuration, malicious files may be opened without prompting, after downloading.

  • Status: OpenOffice.org confirmed, updates available.

  • References:
Other Software
  • (5) HIGH: InterActual IASystemInfo.DLL ActiveX Control Buffer Overflow
  • Affected:
    • InterActual IASystemInfo.DLL ActiveX Control
    • Products known to use the vulnerable control include:
    • Roxio CinePlayer version 3.2
    • InterActual Player 2.60.12.0717
  • Description: The IASystemInfo.DLL ActiveX control, installed along with several popular multimedia applications, contains a buffer overflow vulnerability. A malicious web page that instantiates this control and passes an "ApplicationType" argument longer than 260 bytes could trigger this buffer overflow and execute arbitrary code with the privileges of the current user. Note that reusable exploit code for arbitrary ActiveX controls exists and is easily adaptable to this control. Some technical details for this control are publicly available.

  • Status: InterActual has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism, using the following CLSIDs: "B727C210-2022-11D4-B2C6-0050DA1BD906", "B727C212-2022-11D4-B2C6-0050DA1BD906", "B727C217-2022-11D4-B2C6-0050DA1BD906", "B727C219-2022-11D4-B2C6-0050DA1BD906", "B727C21B-2022-11D4-B2C6-0050DA1BD906", "B727C21D-2022-11D4-B2C6-0050DA1BD906", "B727C220-2022-11D4-B2C6-0050DA1BD906", and "B727C222-2022-11D4-B2C6-0050DA1BD906".

  • References:
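
The kill-bit mitigation from item (5), as an added example that is not part of the original bulletin: this PowerShell script sets the kill bit (the 0x400 flag in the "Compatibility Flags" value under Internet Explorer's "ActiveX Compatibility" registry key) for each CLSID listed in the Status entry, then reads the values back to confirm. Covering the Wow6432Node view on 64-bit Windows and preserving any other flag bits already present are choices made for this example; the function and variable names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: set and verify the Internet Explorer kill bit for the
# IASystemInfo.DLL CLSIDs listed in the bulletin's Status entry.

$Clsids = @(
    'B727C210-2022-11D4-B2C6-0050DA1BD906',
    'B727C212-2022-11D4-B2C6-0050DA1BD906',
    'B727C217-2022-11D4-B2C6-0050DA1BD906',
    'B727C219-2022-11D4-B2C6-0050DA1BD906',
    'B727C21B-2022-11D4-B2C6-0050DA1BD906',
    'B727C21D-2022-11D4-B2C6-0050DA1BD906',
    'B727C220-2022-11D4-B2C6-0050DA1BD906',
    'B727C222-2022-11D4-B2C6-0050DA1BD906'
)

# 0x400 in "Compatibility Flags" tells Internet Explorer never to instantiate the control.
$KillBit   = 0x00000400
$ValueName = 'Compatibility Flags'

# Native registry view, plus the 32-bit view on 64-bit Windows (32-bit IE reads that one).
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags {
    # Returns the current flags for a CLSID key, or 0 if the key or value is absent.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-KillBit {
    # Creates the CLSID key if needed and ORs the kill bit into any existing flags.
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $flags = (Get-CompatFlags -KeyPath $KeyPath) -bor $KillBit
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
        -PropertyType DWord -Value $flags -Force | Out-Null
}

# Apply to every CLSID in every registry view, then read back to verify.
$report = foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $key = "$root\{$clsid}"
        Set-KillBit -KeyPath $key
        [pscustomobject]@{
            Key        = $key
            KillBitSet = ((Get-CompatFlags -KeyPath $key) -band $KillBit) -eq $KillBit
        }
    }
}

$report | Format-Table -AutoSize
if ($report.KillBitSet -contains $false) {
    Write-Error 'At least one CLSID does not have the kill bit set.'
}
```

Internet Explorer needs to be restarted before the new flags take effect.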
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 13, 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5406 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.13.1 - CVE: Not Available
  • Platform: Windows
  • Title: Windows Vista Windows Mail Client Side File Execution
  • Description: Windows Vista Windows Mail is exposed to a client side file execution issue because of a design error. Windows Mail on all versions of Windows Vista is affected. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23103

  • 07.13.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Opera FTP PASV Port Scanning
  • Description: Opera is prone to an issue that may allow attackers to reveal potentially sensitive information. This issue occurs because malicious FTP servers can cause the affected application to connect to arbitrary hosts when the browser is set to "PASV" mode. Opera Web Browser 9.10 is affected.
  • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=370559

  • 07.13.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: 0irc IRC Client Null Pointer Dereference Remote Denial of Service
  • Description: 0irc is a small IRC client. The application is exposed to a remote denial of service issue which is triggered when affected clients receive messages containing excessively long content of approximately 623 bytes. 0irc version 1345 build 20060823 is affected.
  • Ref: http://www.securityfocus.com/bid/23101

  • 07.13.4 - CVE: CVE-2007-0348
  • Platform: Third Party Windows Apps
  • Title: IASystemInfo.dll ActiveX control Remote Buffer Overflow Vulnerabilities
  • Description: InterActual Player and CinePlayer are media player applications. These applications are exposed to buffer overflow issues due to a boundary condition in the "ApplicationType" function. InterActual Player version 2.60.12.0717 and CinePlayer version 3.2 are affected.
  • Ref: http://secunia.com/secunia_research/2007-37/advisory/

  • 07.13.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Atrium Mercur IMap Subscribe Stack Based Buffer Overflow
  • Description: Mercur IMAP is an implementation of the Internet Message Access Protocol. The application is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer. Atrium Software MERCUR Messaging 2005 Standard Edition 5.0 SP3 and earlier versions are affected.
  • Ref: http://www.securityfocus.com/bid/23050

  • 07.13.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Intervations FileCopa Unspecified Remote Stack Based Buffer Overflow
  • Description: FileCopa FTP Server is a file transfer application. The application is exposed to a buffer overflow issue because it fails to adequately bounds check user-suppli
  • Ref: http://www.securityfocus.com/bid/23056/references

  • 07.13.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Atrium Mercur IMAPD NTLM Buffer Overflow
  • Description: Mercur IMAPD is an implementation of the Internet Message Access Protocol. The application is exposed to a stack-based buffer overflow issue because the application fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer. Mercur IMAPD version 1 SP4 is affected.
  • Ref: http://www.securityfocus.com/bid/23058

  • 07.13.8 - CVE: CVE-2007-1313
  • Platform: Third Party Windows Apps
  • Title: NETXAutomation NETXEIB OPC Server Arbitrary Code Execution
  • Description: NetxEIB is an OLE process server (OPC). The application is exposed to an issue that will allow remote attackers to execute arbitrary code on an affected computer. NETxEIB version 3.0 is affected.
  • Ref: http://www.kb.cert.org/vuls/id/296593

  • 07.13.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTPDMIN List Command Remote Denial of Service
  • Description: FTPDMIN is an FTP server application. The application is exposed to a remote denial of service issue because the application fails to handle specially crafted LIST commands. FTPDMIN version 0.96 is affected.
  • Ref: http://www.securityfocus.com/bid/23049

  • 07.13.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: F-Secure Anti-Virus Client Security Local Format String Vulnerability
  • Description: F-Secure Anti-Virus Client Security is a commercially available application. It contains anti-virus and intrusion-detection features. The Secure BackWeb client application is exposed to a format string issue because it fails to properly sanitize user-supplied input before using it in the format specifier argument to a formatted printing function. F-Secure Anti-Virus Client Security 6.02 and 6.03 are affected.
  • Ref: http://www.securityfocus.com/bid/23023

  • 07.13.11 - CVE: CVE-2007-0237
  • Platform: Mac Os
  • Title: Lookup Insecure Temporary File Creation
  • Description: Lookup is a freely available search interface for Emacs applications. Lookup creates temporary files in an insecure manner which results in symlink attacks that overwrite arbitrary files in the context of the affected application. Lookup version 1.4 is affected. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23026

  • 07.13.12 - CVE: CVE-2007-1592
  • Platform: Linux
  • Title: Linux Kernel IPv6 TCP Sockets Local Denial of Service
  • Description: The Linux kernel is exposed to a denial of service issue due to IPv6 sockets incorrectly sharing the flowlist in "ipv6_fl_socklist" with child sockets. Malicious local users can exploit this flaw to crash an affected kernel. The Linux kernel 2.6 series is affected.
  • Ref: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233478

  • 07.13.13 - CVE: CVE-2007-1463
  • Platform: Linux
  • Title: Inkscape Format String
  • Description: Inkscape is an Open Source vector graphics editor. The application is exposed to a format string issue because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted printing function. Inkscape version 0.44 and all prior versions are affected.
  • Ref: http://www.securityfocus.com/bid/23070

  • 07.13.14 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Security Auditing Tool Insecure Temporary File Creation
  • Description: The Linux Security Auditing Tool is a post install auditing tool. The application is exposed to a temporary file creation issue because it creates temporary files with predictable filenames in an insecure manner. The Linux Security Auditing Tool version 0.9.2 is affected.
  • Ref: http://www.securityfocus.com/bid/23014

  • 07.13.15 - CVE: Not Available
  • Platform: Linux
  • Title: Rhapsody IRC Multiple Remote Vulnerabilities
  • Description: Rhapsody IRC is an internet relay chat application available for the Linux operating system. The application is exposed to multiple buffer overflow issues that occur because the application fails to bounds check user-supplied data before copying it into an insufficiently-sized buffer. Multiple format string issues occur because the application fails to properly sanitize user-supplied input before passing the input as the format specifier to a formatted printing function. Rhapsody IRC 0.28b is affected.
  • Ref: http://www.securityfocus.com/archive/1/463092

  • 07.13.16 - CVE: Not Available
  • Platform: Unix
  • Title: KDE Konqueror FTP PASV Port Scanning
  • Description: KDE Konqueror is exposed to an issue that may allow attackers to obtain potentially sensitive information. This issue occurs because malicious FTP servers can cause the affected application to connect to arbitrary hosts. KDE Konqueror 3.5.5 is affected.
  • Ref: http://www.securityfocus.com/bid/23091

  • 07.13.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP S Data Type Serialization Format Heap Information Leak
  • Description: PHP contains a new S: data type that has been added to "unserialize()" as a compatibility layer for the future PHP 6 release. The application is exposed to a heap information leak because of a missing boundary check in the unserialization of escaped strings. PHP5 version 5.2.1 is affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-29-2007.html

  • 07.13.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk SIP Channel Driver Response Code Zero Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. The application is exposed to a remote denial of service issue because it fails to properly handle certain SIP packets. Asterisk versions prior to 1.2.17 and 1.4.2 are affected.
  • Ref: http://bugs.digium.com/view.php?id=9313

  • 07.13.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LMS Userpanel.PHP Remote File Include
  • Description: LMS (LAN Management System) is network management software designed for Internet Service Providers (ISPs). The software is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input. LMS version 1.8.9 is affected.
  • Ref: http://www.securityfocus.com/bid/23099

  • - CVE: CVE-2007-0653, CVE-2007-0654
  • Platform: Cross Platform
  • Title: XMMS Skins Integer Overflow And Underflow Vulnerabilities
  • Description: XMMS is a multimedia player for multiple operating platforms. The player is exposed to an integer overflow issue and an integer underflow issue because it fails to adequately handle user-supplied data. XMMS version 1.2.10 is affected.
  • Ref: http://www.securityfocus.com/archive/1/463408


  • 07.13.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Squid Proxy TRACE Request Remote Denial of Service
  • Description: Squid is an open source proxy server available for a number of platforms. The application is exposed to a remote denial of service issue because it fails to handle certain FTP requests. Squid version 2.6 is affected.
  • Ref: http://www.squid-cache.org/Advisories/SQUID-2007_1.txt

  • 07.13.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Unspecified HTTP Response Splitting
  • Description: IBM WebSphere Application Server is a tool for creating various enterprise web applications. The application is exposed to an HTTP response splitting issue because it fails to properly sanitize user-supplied input before using it to create dynamic content. IBM WebSphere Application Server version 6.0.2 is affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg1PK39732

  • 07.13.24 - CVE: CVE-2007-1507
  • Platform: Cross Platform
  • Title: OpenAFS FetchStatus Reply Privilege Escalation
  • Description: OpenAFS is vulnerable to a local privilege escalation vulnerability. OpenAFS versions 1.4.3 and prior and versions 1.5.0 through 1.5.16 are affected. Please refer to the advisory for further details.
  • Ref: http://www.openafs.org/security/

  • 07.13.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Hash_Update_File Freed Resource Access Code Execution
  • Description: The PHP "hash_update_file()" function is used to stream data from an arbitrary file as active hash data. The application is exposed to a locally exploitable arbitrary code execution issue due to a design error. PHP 5 versions 5.0 through 5.2.1 are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-28-2007.html

  • 07.13.26 - CVE: CVE-2007-0238
  • Platform: Cross Platform
  • Title: OpenOffice StarCalc Parser Unspecified Buffer Overflow
  • Description: OpenOffice is exposed to a remote stack-based buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. This issue occurs in the StarCalc parser when parsing specially crafted documents. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23067

  • 07.13.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Real Networks Helix Server DESCRIBE Request Remote Heap Overflow
  • Description: Real Networks Helix Server is a multi format server. The application is exposed to a heap overflow issue because it fails to perform sufficient boundary checks on user-supplied data before copying it to an insufficiently sized memory buffer. Real Networks Helix Server version 11.1.2 is affected.
  • Ref: http://lists.helixcommunity.org/pipermail/server-cvs/2007-January/003783.html

  • 07.13.28 - CVE: CVE-2007-0239
  • Platform: Cross Platform
  • Title: OpenOffice Meta Character Remote Shell Command Execution
  • Description: OpenOffice is a suite of open source software. The application is exposed to an issue which allows the execution of arbitrary shell commands because the application fails to adequately escape shell command meta characters. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/22812

  • 07.13.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP GD Extension Freed Resource Access Code Execution
  • Description: PHP GD extension is a library that facilitates the creation of dynamic images. It supports various formats such as GIF, JPEG and PNG. The application is exposed to a local arbitrary code execution issue which results from a design error. PHP 4.x versions 4.4.6 and earlier as well as 5.x versions 5.2.1 and earlier are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-27-2007.html

  • 07.13.30 - CVE: CVE-2007-1319
  • Platform: Cross Platform
  • Title: Takebishi Electric DeviceXPlorer OPC Server Arbitrary Code Execution
  • Description: Takebishi Electric DeviceXPlorer is a communication middleware application for process control and manufacturing. The application is exposed to an issue that will allow remote attackers to execute arbitrary code on an affected computer. Takebishi Corporation DeviceXPlorer OPC Server 3.12 Build2 is affected.
  • Ref: http://www.kb.cert.org/vuls/id/926551

  • 07.13.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk SIP Invite Message Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application. Asterisk is exposed to a remote denial of service issue while handling a single, malformed "SIP INVITE" request containing two headers. When the first header is valid and the second header is not valid, the vulnerability is triggered. Asterisk versions 1.4.1, 1.2.16, 1.2.15 and 1.2.14 are affected.
  • Ref: http://www.securityfocus.com/bid/23031

  • 07.13.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LedgerSMB/SQL-Ledger Login Parameter Local File Include And Authentication Bypass Vulnerabilities
  • Description: SQL Ledger and Ledger SMB are double-entry accounting systems. The applications are prone to a local file include issue because they fail to properly sanitize user-supplied input to the "input" parameter. SQL Ledger and Ledger SMB version 2.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/463175

  • 07.13.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Network Audio System Local Privilege Escalation and Denial of Service Vulnerabilities
  • Description: Network Audio System is a network transparent audio transport system for multiple operating systems. The application is exposed to a local privilege escalation vulnerability and multiple denial of service issues. Network Audio System version 1.8a is affected.
  • Ref: http://aluigi.altervista.org/adv/nasbugs-adv.txt

  • 07.13.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: file(1) Command File_PrintF Integer Underflow
  • Description: Ian Darwin's file(1) command is the standard "file" command for BSD, Linux, and other operating platforms. The command is exposed to an integer underflow issue because the command fails to adequately handle user-supplied data. Ian Darwin's file(1) command versions prior to 4.20 are affected.
  • Ref: http://www.securityfocus.com/bid/23021

  • 07.13.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Mb_Parse_Str Function Register_Globals Activation Weakness
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a weakness that allows attackers to enable the "register_globals" directive because the application fails to properly handle a memory limit exception. PHP versions 4 to 4.4.6 and 5 to 5.2.1 are affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-26-2007.html

  • 07.13.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Header Function Space Trimming Buffer Overflow
  • Description: PHP is exposed to a buffer overflow issue because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. PHP version 5.2.0 is affected.
  • Ref: http://www.php-security.org/MOPB/MOPB-25-2007.html

  • 07.13.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ZZipLib ZZip_Open_Shared_IO Stack Based Buffer Overflow
  • Description: ZZIPlib is a library for extracting data from files that are archived in a zip file. The library is exposed to a remote stack-based buffer overflow issue because it fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. ZZIPlib versions prior to 0.13.49 are affected.
  • Ref: http://sourceforge.net/project/shownotes.php?group_id=6389&release_id=494587

  • 07.13.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Fujitsu Products File Decryption Information Disclosure
  • Description: Systemwalker Desktop Encryption and FENCE-Pro are security applications available from Fujitsu. These applications are exposed to an information disclosure issue that stems from an unspecified error in the self decoding mechanism of encrypted files created by the software. Fujitsu Systemwalker Desktop Encryption V13.0.0 and earlier versions are affected, and Fujitsu FENCE-Pro 4, 3 and 2 are affected.
  • Ref: http://www.securityfocus.com/bid/23001

  • 07.13.39 - CVE: CVE-2007-0002
  • Platform: Cross Platform
  • Title: libwpd Library Multiple Buffer Overflow Vulnerabilities
  • Description: The libwpd library, which is written in C++, is used for encoding and decoding Word Perfect documents. The library is commonly used in word processing software such as Open Office and Abiword. The library is exposed to multiple buffer overflow vulnerabilities because it fails to perform adequate bounds checks on user-supplied input. The libwpd library version 0.8.7 is affected.
  • Ref: https://rhn.redhat.com/errata/RHSA-2007-0055.html

  • 07.13.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FrontBase Relational Database Server Procedure Buffer Overflow
  • Description: FrontBase Relational Database Server is exposed to a remote stack-based buffer overflow issue because the application fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. FrontBase Relational Database Server versions 4.2.7 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/463042

  • 07.13.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Oracle Application Server DMS Cross-Site Scripting
  • Description: Oracle Application Server is an integrated, standards-based software platform. The application is exposed to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "table" parameter of the Dynamic Monitoring Service (DMS). Oracle Application Server version 10g Release 2 (10.1.2) is affected.
  • Ref: http://www.securityfocus.com/bid/23102

  • 07.13.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Wordpress PHP_Self Cross-Site Scripting
  • Description: Wordpress allows users to generate news pages and web logs dynamically. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "PHP_SELF" variable. WordPress versions 2.1.2 and earlier are affected.
  • Ref: http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt

  • 07.13.43 - CVE: CVE-2007-0537, CVE-2007-0478
  • Platform: Web Application - Cross Site Scripting
  • Title: Interstage Application Server Unspecified Cross-Site Scripting
  • Description: Interstage Application Server is an application server developed by Fujitsu. The software is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input passed to the Servlet service for Interstage Application Server and for Interstage Management Console. Fujitsu Interstage Studio Standard-J Edition 8.0.1 and all earlier versions are affected.
  • Ref: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200701e.html

  • 07.13.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PortailPHP IDNews Parameter SQL Injection
  • Description: PortailPHP is a content management system. The application is exposed to an SQL injection issue due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. PortailPHP version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/23096

  • 07.13.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: aspWebCalendar Calendar.ASP SQL Injection
  • Description: aspWebCalendar is a web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "eventid" parameter of the "calendar.asp" script before using it in an SQL query. aspWebCalendar version 4.5 is affected.
  • Ref: http://www.securityfocus.com/bid/23098

  • 07.13.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Active Link Engine Default.ASP SQL Injection
  • Description: Active Link Engine is a search engine and directory link management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of the "default.asp" script before using it in an SQL query. The routine is called when the affected script is included by the "login.php" script.
  • Ref: http://www.securityfocus.com/bid/23080

  • 07.13.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Revista Multiple SQL Injection Vulnerabilities
  • Description: PHP-Revista is a content management system (CMS). The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. PHP-Revista version 1.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/23079

  • 07.13.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Active Photo Gallery Default.ASP SQL Injection
  • Description: Active Photo Gallery is a web-based photo gallery and search engine software. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of the "default.asp" script before using it in an SQL query. Active Photo Gallery version 6.2 is affected.
  • Ref: http://www.securityfocus.com/bid/23077

  • 07.13.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Web Wiz Forums String Filtering SQL Injection
  • Description: Web Wiz Forums is a bulletin board application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data. Web Wiz Forums versions prior to 8.05a are affected.
  • Ref: http://www.securityfocus.com/bid/23051

  • 07.13.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Net Portal Dynamic System Print.PHP SQL Injection
  • Description: Net Portal Dynamic System is a content management system (CMS). It is based on the PHPBB bulletin board system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "_FILES[DB][tmp_name]" parameter of the "print.php" script before using it in an SQL query. Net Portal Dynamic System versions 5.10 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23041

  • 07.13.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NetVios Portal Page.ASP SQL Injection
  • Description: NetVios Portal is a web platform. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "NewsID" parameter of the "page.asp" script before using it in an SQL query. NetVios version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/23045

  • 07.13.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Katalog Plyt Audio Index.PHP SQL Injection
  • Description: Katalog Plyt Audio is a content management system (CMS) application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "kolumna" parameter of the "index.php" script before using it in an SQL query. Katalog Plyt Audio versions 1.0 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/23024

  • 07.13.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Minerva Forum.PHP SQL Injection
  • Description: Minerva is a content management system (CMS). It is based on the PHPBB bulletin board system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "c" parameter of the "forum.php" script before using it in an SQL query. Minerva versions 2.0.21 build 238a and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23036

  • 07.13.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ScriptMagix Lyrics Index.PHP SQL Injection
  • Description: ScriptMagix Lyrics is a content management system (CMS) for lyrics. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "recid" parameter of the "index.php" script before using it in an SQL query. ScriptMagix Lyrics versions 2.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23019

  • 07.13.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ScriptMagix Photo Rating ViewComments.PHP SQL Injection
  • Description: ScriptMagix Photo Rating is an application which allows images on web sites to be rated. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "phid" parameter of the "viewcomments.php" script before using it in an SQL query. ScriptMagix Photo Rating versions 2.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23018

  • 07.13.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Multiple ScriptMagix Products Index.PHP SQL Injection
  • Description: FAQ Builder is a question and answer application. Jokes is an application that allows users to view and rate jokes. Recipes is an application that allows users to manage and view recipes. All of these applications are developed by ScriptMagix. These applications are exposed to an SQL injection issue because they fail to sufficiently sanitize user-supplied data to the "catid" parameter of the "index.php" script before using it in an SQL query. Multiple ScriptMagix products version 2.0 are affected.
  • Ref: http://www.securityfocus.com/bid/23015

  • 07.13.57 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Particle Blogger Post.PHP SQL Injection
  • Description: Particle Blogger is a web log. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "postid" parameter of the "post.php" script before using it in an SQL query. Particle Soft Particle Blogger versions 1.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/463027

  • 07.13.58 - CVE: Not Available
  • Platform: Web Application
  • Title: NFN Address Book mosConfig_Absolute_Path Remote File Include
  • Description: The NFN Address Book component is an address book component for the Mambo and Joomla content management systems. The application is exposed to a remote file include issue because it fails to properly sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the "nfnaddressbook.php" script. Mambo and Joomla NFN address book version 0.4 is affected.
  • Ref: http://www.securityfocus.com/bid/23092

  • 07.13.59 - CVE: Not Available
  • Platform: Web Application
  • Title: NewsGlue RSS Feed HTML Injection
  • Description: NewsGlue Feed is an application that displays any RSS news feed. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. NewsGlue Feed version 1.3.3 is affected.
  • Ref: http://www.securityfocus.com/bid/23094

  • 07.13.60 - CVE: Not Available
  • Platform: Web Application
  • Title: ClassWeb Language.PHP Remote File Include
  • Description: ClassWeb is an application used to create and control class web sites. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "BASE" parameter of the "language.php" script. ClassWeb versions 2.03 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23095

  • 07.13.61 - CVE: Not Available
  • Platform: Web Application
  • Title: ManageEngine Firewall Analyzer Arbitrary Files Information Disclosure
  • Description: ManageEngine Firewall Analyzer is a web-based application for monitoring firewalls. The application is exposed to a remote information disclosure issue. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/archive/1/463509

  • 07.13.62 - CVE: Not Available
  • Platform: Web Application
  • Title: LMS Welcome.PHP Remote File Include
  • Description: LMS (LAN Management System) is network management software designed for Internet Service Providers (ISPs). It is implemented in PHP, Perl and C. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "_LIB_DIR" parameter of the "welcome.php" script before using the input in an "include()" function call. LMS (LAN Management System) version 1.8.9 is affected.
  • Ref: http://www.securityfocus.com/bid/23100

  • 07.13.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Digital Eye Gallery Module.PHP Remote File Include
  • Description: Digital Eye Gallery is a web-based photo gallery module for Mambo. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "menu" parameter of the "module.php" script before using it in a "require()" function call. Digital Eye Gallery version 1.1 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/23083

  • 07.13.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Zope HTTP Get Request HTML Injection
  • Description: Zope is a content management application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied HTTP GET requests to an unspecified parameter and script. Zope versions 2.10.2 and earlier are affected.
  • Ref: http://www.zope.org/Products/Zope/Hotfix-2007-03-20/announcement/view

  • 07.13.65 - CVE: Not Available
  • Platform: Web Application
  • Title: realGuestbook Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: realGuestbook is a German language based guestbook system. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied data. realGuestbook version 5.0.1 is affected.
  • Ref: http://trew.icenetx.net/toolz/advisory-realGuestbook_V5-en.txt

  • 07.13.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Monster Top List Remote Command Execution
  • Description: Monster Top List is a "topsites" web directory listing script. The application is exposed to a remote command execution issue because it fails to sufficiently sanitize user-supplied input to the "root_path" parameter of the "functions.php" script. Monster Top List versions 1.4.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/23074

  • 07.13.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Study Planner SPL_CFG['dirroot'] Multiple Remote File Include Vulnerabilities
  • Description: Study Planner (Studiewijzer) is a web-based tool to organize study times. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "SPL_CFG[dirroot]" parameter. Study Planner version 0.15 is affected.
  • Ref: http://www.securityfocus.com/bid/23076

  • 07.13.68 - CVE: Not Available
  • Platform: Web Application
  • Title: phpRaid RSS.PHP Remote File Include
  • Description: The phpRaid application is a raid management system for the game World of Warcraft. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "phpraid_dir" parameter of the "rss.php" script. phpRaid versions 3.0.4, 3.0.5 and 3.0.6 are affected.
  • Ref: http://www.securityfocus.com/bid/23066

  • 07.13.69 - CVE: Not Available
  • Platform: Web Application
  • Title: GeBlog Index.PHP Local File Include
  • Description: GeBlog is a web log application. The application is exposed to a local file include issue because it fails to sufficiently sanitize the "GLOBALS[tplname]" parameter of the "index.php" script. GeBlog version 0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/23052

  • 07.13.70 - CVE: Not Available
  • Platform: Web Application
  • Title: WebCalendar IncludeDir Multiple Remote File Include Vulnerabilities
  • Description: WebCalendar is a web-based calendar application. The application is exposed to multiple remote file-include issues because it fails to sufficiently sanitize user-supplied input to the "includedir" parameter of the "/ws/login.php", "/ws/get_reminders.php", and "/ws/get_events.php" scripts. WebCalendar versions prior to 1.0.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/462957

  • 07.13.71 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke IFrame Module IFrame.PHP Remote File Include
  • Description: IFrame module is a module for the PHP Nuke content management system (CMS). The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "file" parameter of the "iframe.php" script.
  • Ref: http://www.securityfocus.com/bid/23038

  • 07.13.72 - CVE: Not Available
  • Platform: Web Application
  • Title: PragmaMX Landkartenmodule Local File Include
  • Description: PragmaMX Landkartenmodule is a web-based module application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "/inc/conf.php" script. PragmaMX Landkartenmodule version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/23044

  • 07.13.73 - CVE: Not Available
  • Platform: Web Application
  • Title: TYPOlight Unspecified Vulnerability
  • Description: TYPOlight is a content management system. The application is exposed to an unspecified issue. TYPOlight versions prior to 2.2 Build 5 (2007-03-19) are affected. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/23048

  • 07.13.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Guesbara Administrator Password Change
  • Description: Guesbara is a web-based application. The application is exposed to an issue that may permit attackers to change the administrative password by submitting an HTTP POST request to the "admin/configuration.php" script. Guesbara version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/23029

  • 07.13.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Splatt Forum BBCode_Ref.PHP Local File Include
  • Description: Splatt Forum is a web forum application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "name" parameter of the "bbcode_ref.php" script. Splatt Forum version 4.0 RC1 is affected.
  • Ref: http://www.securityfocus.com/bid/23035

  • 07.13.76 - CVE: Not Available
  • Platform: Web Application
  • Title: MetaForum Arbitrary File Upload
  • Description: MetaForum is a web-based forum application. The application is exposed to an arbitrary file upload issue because the "usercp.php" script fails to properly verify the contents of uploaded image files. MetaForum version 0.513 Beta is affected.
  • Ref: http://www.securityfocus.com/archive/1/463178

  • 07.13.77 - CVE: Not Available
  • Platform: Web Application
  • Title: PhpStats PHP-Stats-Options.PHP Remote Code Execution
  • Description: PhpStats is a PHP based application for analyzing web site statistics. The application is exposed to a remote code execution issue because it fails to properly sanitize user-supplied input to the "new[report_w_day]" parameter of the "/option/php-stats-options.php" script. PhpStats version 0.1.9.1b is affected.
  • Ref: http://www.securityfocus.com/bid/23008

  • 07.13.78 - CVE: Not Available
  • Platform: Web Application
  • Title: MPM Chat View.PHP Local File Include
  • Description: MPM Chat is an instant messaging application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "logi" parameter of the "view.php" script. MPM Chat version 2.5 is affected.
  • Ref: http://www.securityfocus.com/bid/23009

  • 07.13.79 - CVE: Not Available
  • Platform: Web Application
  • Title: Active PHP Bookmarks Head.PHP Remote File Include
  • Description: Active PHP Bookmarks is a web-based bookmark application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "APB_SETTINGS[template_path]" parameter of the "templates/head.php" script. Active PHP Bookmarks version 0.2.5 is affected.
  • Ref: http://www.securityfocus.com/bid/23010

  • 07.13.80 - CVE: Not Available
  • Platform: Network Device
  • Title: Grandstream Budgetone 200 Phone SIP INVITE Remote Denial of Service
  • Description: Grandstream Budgetone 200 phones are VOIP enabled telephony products. Grandstream Budgetone 200 phones are prone to a remote denial of service issue while handling a single SIP "INVITE" or any other message with a "WWW-Authenticate" where the digest-domain is manually crafted by an attacker. The device will freeze, provoking a denial of service. Grandstream Budgetone 200 phones with software version 1.1.1.14 are affected.
  • Ref: http://www.securityfocus.com/bid/23075

  • 07.13.81 - CVE: Not Available
  • Platform: Network Device
  • Title: Zyxel Router Zynos SMB Data Handling Denial of Service
  • Description: ZynOS is an operating system for Zyxel Routers. Zyxel routers running the ZynOS operating system are exposed to a remote denial of service issue because the software fails to handle specially crafted SMB data sent using the SMB Mailslot protocol. Zyxel routers running ZynOS version 3.40 are affected.
  • Ref: http://www.securityfocus.com/archive/1/463238

  • 07.13.82 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys WAG200G DSL Router/Gateway Information Disclosure
  • Description: Linksys WAG200G is a DSL modem and wireless router. Linksys WAG200G is prone to a vulnerability that may disclose sensitive information. Linksys firmware version 1.01.01 is affected.
  • Ref: http://www.securityfocus.com/archive/1/463342

  • 07.13.83 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco 7940/7960 Phone SIP Invite Remote Denial of Service
  • Description: Cisco 7940/7960 phones are VOIP enabled telephony products. Cisco 7940/7960 phones are prone to a remote denial of service issue while handling a single, malformed "SIP INVITE" message containing attacker-supplied data in the "sipURI" field of the Remote Party ID of the message. Cisco 7940/7960 phones running firmware P0S3-07-4-00 are affected.
  • Ref: http://www.securityfocus.com/bid/23047

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.