
@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 2
January 8, 2007

Adobe Acrobat Reader is the big problem this week because the browser plug-in is used widely in both Internet Explorer and Firefox.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Windows                                   1
    Third Party Windows Apps                  7 (#4)
    Linux                                     3
    Cross Platform                            4 (#1, #3, #5)
    Apple                                     (#2)
    Web Application - Cross Site Scripting    2
    Web Application - SQL Injection           6
    Web Application                           11
    Hardware                                  1

    (#n) marks the numbered Part I critical vulnerability in that category.

*************************************************************************

SECURITY TRAINING UPDATE: Several of the hands-on immersion security training courses at SANS 2007 (San Diego, March 29 - April 4) are starting to fill up. If you want a place, register early. You'll also save hundreds of dollars if you do it in the next few weeks. Full Schedule (53 courses): http://www.sans.org/sans2007/event.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Hardware

**************************** Sponsored Link: ****************************

1) Insider threat research report shows CEO's in denial. Download the report now from ArcSight. http://www.sans.org/info/2741

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) MODERATE: Apple iPhoto Photocast Format String Vulnerability
  • Affected:
    • Apple iPhoto version 6.0.5 and possibly prior
  • Description: Apple iPhoto, a popular photo management application installed on most Apple computers, contains a format string vulnerability. A specially-crafted photocast feed (a series of photos accessible via RSS) could exploit this vulnerability and execute arbitrary code with the privileges of the current user. A complete proof of concept and technical details for this vulnerability are publicly available. Note that, in most common configurations, users must explicitly subscribe to a malicious photocast in order to be vulnerable. This vulnerability was disclosed as part of the "Month of Apple Bugs" project, a project whose goal is to release a bug for an Apple product every day for a month.

  • Status: Apple has not confirmed, no updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Other Software
  • (3) MODERATE: Business Objects Crystal Reports XI Professional Stack Overflow
  • Affected:
    • Business Objects Crystal Reports XI Professional and possibly prior
  • Description: Crystal Reports, a popular enterprise reporting system, contains a stack-based buffer overflow in the processing of "report" (RPT) files. A specially-crafted report file could exploit this vulnerability and execute arbitrary code with the privileges of the Crystal Reports process. In some configurations, Crystal Reports may be configured to automatically open report files without prompting. Full technical details for this vulnerability are publicly available.

  • Status: Business Objects has not confirmed, no updates available.

  • Council Site Actions: Only one of the reporting council sites is using the affected software and they are waiting on the vendor for more information and a patch.

  • References:
  • (4) MODERATE: PowerArchiver ISO Buffer Overflow
  • Affected:
    • PowerArchiver version 9.64.02 and possibly prior
  • Description: PowerArchiver, a popular archiving application for Microsoft Windows, contains a buffer overflow vulnerability when parsing ISO image files (commonly used to transmit CD and DVD images). A specially-crafted ISO image file containing an overlong file name could exploit this buffer overflow and execute arbitrary code with the privileges of the current user. Full technical details and several proofs-of-concept are available for this vulnerability.

  • Status: PowerArchiver confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
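The overlong file name in item (4) above, and the iso_wincmd plugin bugs listed in Part II, share one root cause: the parser trusts the identifier length byte inside an ISO 9660 directory record and copies that many bytes into a fixed buffer. What follows is an added example, not code from this bulletin, from PowerArchiver, or from any affected product: a small Python reader that walks directory records with the length checks those parsers lacked. Record offsets follow ECMA-119 section 9.1; the sample image bytes are constructed here for the demo. Python cannot overwrite the stack, so the unchecked variant only shows the read running past the record, which is where a C memcpy into a fixed buffer overflows.

```python
import struct

# Byte offsets inside an ISO 9660 directory record (0-based; ECMA-119 section 9.1).
OFF_LEN_DR = 0        # length of this directory record
OFF_EXTENT_LE = 2     # little-endian half of the both-endian extent location
OFF_DATA_LEN_LE = 10  # little-endian half of the both-endian data length
OFF_LEN_FI = 32       # length of the file identifier (one byte, so at most 255)
OFF_FI = 33           # file identifier begins here
MIN_LEN_DR = 34       # smallest record that can carry a one-byte identifier


def build_record(name, extent=20, data_len=2048, len_fi=None):
    """Build a directory record as constructed test input. len_fi lets a test
    write a bogus identifier length, the way a crafted image would."""
    body = bytearray(OFF_FI + len(name))
    body[OFF_EXTENT_LE:OFF_EXTENT_LE + 4] = struct.pack("<I", extent)
    body[6:10] = struct.pack(">I", extent)
    body[OFF_DATA_LEN_LE:OFF_DATA_LEN_LE + 4] = struct.pack("<I", data_len)
    body[14:18] = struct.pack(">I", data_len)
    body[OFF_LEN_FI] = len(name) if len_fi is None else len_fi
    body[OFF_FI:OFF_FI + len(name)] = name
    if len(name) % 2 == 0:
        body.append(0)            # pad byte keeps the record length even
    body[OFF_LEN_DR] = len(body)
    return bytes(body)


def read_name_unchecked(image, offset):
    """The pattern behind the ISO bugs: trust LEN_FI and copy that many bytes.
    In C, with a fixed-size destination, this is the stack overflow. Python
    cannot corrupt memory, so here the read merely runs past the record."""
    len_fi = image[offset + OFF_LEN_FI]
    return image[offset + OFF_FI:offset + OFF_FI + len_fi]


def parse_directory_record(image, offset, name_capacity=255):
    """Hardened reader: validate every length against the record, the image
    and the caller's buffer size before copying anything."""
    if offset + MIN_LEN_DR > len(image):
        raise ValueError("record header runs past the end of the image")
    len_dr = image[offset + OFF_LEN_DR]
    if len_dr < MIN_LEN_DR or offset + len_dr > len(image):
        raise ValueError("bad record length %d" % len_dr)
    len_fi = image[offset + OFF_LEN_FI]
    if len_fi == 0 or len_fi > len_dr - OFF_FI:
        raise ValueError("identifier length %d exceeds record length %d" % (len_fi, len_dr))
    if len_fi > name_capacity:
        raise ValueError("identifier length %d exceeds buffer of %d" % (len_fi, name_capacity))
    extent, = struct.unpack_from("<I", image, offset + OFF_EXTENT_LE)
    data_len, = struct.unpack_from("<I", image, offset + OFF_DATA_LEN_LE)
    name = image[offset + OFF_FI:offset + OFF_FI + len_fi]
    return {"name": name, "extent": extent, "size": data_len, "next": offset + len_dr}


def scan_image(image, name_capacity=64):
    """Walk records from offset 0 and stop at the first one that fails validation."""
    rows, offset = [], 0
    while offset < len(image) and image[offset] != 0:
        try:
            rec = parse_directory_record(image, offset, name_capacity)
        except ValueError as err:
            rows.append(("REJECTED", offset, str(err)))
            break
        rows.append(("OK", offset, rec["name"]))
        offset = rec["next"]
    return rows


# Constructed sample: a benign record, then one whose LEN_FI claims 255 bytes
# although the record itself is 44 bytes long, followed by filler that stands
# in for whatever follows the record in the parser's memory.
BENIGN = build_record(b"README.TXT;1")
CRAFTED = build_record(b"EVIL.ISO;1", len_fi=255)
SAMPLE_IMAGE = BENIGN + CRAFTED + b"B" * 300

if __name__ == "__main__":
    for row in scan_image(SAMPLE_IMAGE):
        print(row)
    spill = read_name_unchecked(SAMPLE_IMAGE, len(BENIGN))
    print("unchecked read returned %d bytes, ending in %r" % (len(spill), spill[-4:]))
```

The two checks that matter are the ones against the record length (an identifier can never be longer than the record that carries it) and against the destination buffer; a parser that applies only the second still misreads a crafted image, and one that applies neither is the overflow the bulletin describes.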
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 2, 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5329 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.2.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft January Advance Notification Multiple Vulnerabilities
  • Description: Microsoft has released advance notification that the vendor will be releasing eight security bulletins on January 9, 2007. The highest severity rating for these issues is "Critical".
  • Ref: http://www.microsoft.com/technet/security/bulletin/advance.mspx

  • 07.2.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MoviePlay LST File Handling Buffer Overflow
  • Description: MoviePlay is an application that plays videos of various formats. It is available for the Microsoft Windows operating system. It is exposed to a remote buffer overflow vulnerability because it fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. MoviePlay version 4.76 is affected.
  • Ref: http://www.securityfocus.com/bid/21840

  • 07.2.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Kerio Personal Firewall IPHLPAPI.DLL Local Privilege Escalation
  • Description: Kerio Personal Firewall is exposed to a local privilege escalation vulnerability because it searches its installation directory before the system directory when looking for the "iphlpapi.dll" library. An attacker able to write to the installation directory could place a malicious "iphlpapi.dll" there, and the firewall would load it in place of the system copy. Kerio Personal Firewall versions 4.3.246 and 4.3.268 are vulnerable.
  • Ref: http://www.matousec.com/info/advisories/Kerio-Fake-iphlpapi-DLL-injection.php
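The search-order problem in the Kerio entry is easy to reproduce on disk. The following is an added example, not code from this bulletin, from Kerio or from the matousec advisory: a Python simulation of a loader that probes directories in order, a check that reports which system DLL names an attacker could shadow from the application directory, and the by-absolute-path lookup that avoids the problem. The directory tree, the DLL names and the planted file are constructed in a temporary directory for the demo; the real Windows loader has more search locations than the two modelled here.

```python
import os
import tempfile
from typing import List, Optional

# DLL names that belong in the system directory. Constructed for the demo; a
# real check would enumerate the actual system directory.
SYSTEM_DLLS = {"iphlpapi.dll", "ws2_32.dll", "kernel32.dll"}


def resolve_dll(name: str, search_path: List[str]) -> Optional[str]:
    """Probe directories in order and return the first file that matches,
    which is how a loader given a bare DLL name behaves."""
    for directory in search_path:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def find_shadowed_system_dlls(app_dir: str, system_dir: str) -> dict:
    """Kerio's mistake: the installation directory is probed before the system
    directory, so any system DLL name planted there wins. Report such names."""
    shadowed = {}
    for name in sorted(SYSTEM_DLLS):
        hit = resolve_dll(name, [app_dir, system_dir])
        if hit is not None and os.path.dirname(hit) == app_dir:
            shadowed[name] = hit
    return shadowed


def resolve_system_dll(name: str, system_dir: str) -> Optional[str]:
    """Mitigation: load system libraries by absolute path from the system
    directory only, so the installation directory is never consulted."""
    candidate = os.path.join(system_dir, name)
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    """Lay out a throwaway tree: genuine DLLs in a fake system32 and an
    attacker's iphlpapi.dll dropped into the application directory."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "Program Files", "Kerio")
        system_dir = os.path.join(root, "Windows", "system32")
        os.makedirs(app_dir)
        os.makedirs(system_dir)
        for name in SYSTEM_DLLS:
            open(os.path.join(system_dir, name), "wb").close()
        open(os.path.join(app_dir, "iphlpapi.dll"), "wb").close()  # planted copy
        unsafe_hit = resolve_dll("iphlpapi.dll", [app_dir, system_dir])
        safe_hit = resolve_system_dll("iphlpapi.dll", system_dir)
        return {
            "shadowed": sorted(find_shadowed_system_dlls(app_dir, system_dir)),
            "unsafe_loads_from_app_dir": os.path.dirname(unsafe_hit) == app_dir,
            "safe_loads_from_system_dir": os.path.dirname(safe_hit) == system_dir,
        }


if __name__ == "__main__":
    print(demo())
```

Run against a real installation, the same check amounts to listing the application directory for file names that also exist in the system directory and confirming which users may write there; the advisory's privilege escalation needs both conditions.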

  • 07.2.4 - CVE: CVE-2006-6759
  • Platform: Third Party Windows Apps
  • Title: RealPlayer IERPPLUG.DLL ActiveX Control Remote Denial of Service
  • Description: RealNetworks RealPlayer is vulnerable to a denial of service issue when the "OpenURLInPlayerBrowser" method is called with an excessively long string as the second argument. RealPlayer version 10.5 is vulnerable.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.2.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Macromedia Flash Flash8b.OCX ActiveX Control Remote Denial of Service
  • Description: Macromedia Flash is prone to a denial of service vulnerability. The vulnerability is the result of calling the "Flash8b.AllowScriptAccess" method of the ActiveX control from the "Flash8b.ocx" COM object with an argument consisting of an excessively long string. Macromedia Flash 8 is vulnerable. Other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21818

  • 07.2.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Total Commander iso_wincmd Plugin Multiple Remote Buffer Overflow Vulnerabilities
  • Description: iso_wincmd is a plugin module for accessing ISO images. It is available for Total Commander and other applications. Total Commander is a file manager application available for multiple Microsoft Windows platforms. The plugin is exposed to multiple remote buffer overflow vulnerabilities because it fails to properly bounds check user-supplied data prior to using it in a finite-sized buffer. These issues affect version 1.7.3 beta 3 of the plugin.
  • Ref: http://www.securityfocus.com/bid/21820

  • 07.2.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Adobe Reader AcroPDF.DLL ActiveX Control Remote Denial of Service
  • Description: Acrobat Reader is prone to a denial of service issue when the "src" property of the ActiveX control in the "acropdf.dll" library is set to a string of approximately two megabytes. Acrobat Reader version 7.0.8.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21813

  • 07.2.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AIDeX Mini-Webserver HTTP Request Remote Denial of Service
  • Description: AIDeX Mini-Webserver is vulnerable to a remote denial of service issue when the application receives an excessive amount of HTTP requests in a short period of time and the application's GUI log window is being used. AIDeX Mini-Webserver version 1.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21816

  • 07.2.9 - CVE: CVE-2006-5749
  • Platform: Linux
  • Title: Linux Kernel Unspecified Remote Vulnerability
  • Description: The Linux kernel is prone to an unspecified vulnerability that affects the "isdn_ppp_ccp_reset_alloc_state()" function of "drivers/isdn/i4l/isdn_ppp.c". Linux kernel versions prior to 2.4.34 are vulnerable to this issue.
  • Ref: http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.34

  • 07.2.10 - CVE: Not Available
  • Platform: Linux
  • Title: QuickCam VC Device Driver for Linux QCAMVC_Video_Init Function Buffer Overflow
  • Description: QuickCam VC device driver for Linux is a device driver for web cameras. This device driver is exposed to a buffer overflow issue because it fails to properly bounds check user-supplied data before copying the data into an insufficiently-sized memory buffer. Versions 1.0.9 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/21815

  • 07.2.11 - CVE: CVE-2006-5173
  • Platform: Linux
  • Title: Linux Kernel EFLAGS Local Denial of Service
  • Description: The Linux kernel is prone to a denial of service vulnerability. This issue occurs because the kernel fails to properly reset "EFLAGS" when creating new threads or when saving and restoring "EFLAGS" during context switches. Linux kernel versions prior to 2.6.18 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21851

  • 07.2.12 - CVE: CVE-2007-0015
  • Platform: Cross Platform
  • Title: QuickTime RTSP URI Remote Buffer Overflow
  • Description: Apple QuickTime is prone to a remote buffer overflow issue. When URIs with the "rtsp" scheme containing specially crafted data are loaded, a memory buffer may be overrun with attacker-supplied data. Apple QuickTime versions 7.1.3 and earlier are vulnerable.
  • Ref: http://projects.info-pull.com/moab/MOAB-01-01-2007.html

  • 07.2.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSER SMS Module Remote Buffer Overflow
  • Description: OpenSER is a Session Initiation Protocol (SIP) server. The SMS module is a Simple Messaging Service module for OpenSER. The module is prone to a remote buffer overflow vulnerability because the application fails to bounds check user-supplied data to the "fetchsms()" function before copying it from the "beginning" buffer to the "PDU" buffer. OpenSER versions 1.1.0 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/21800

  • 07.2.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: W3M SSL Certificate Format String Vulnerability
  • Description: W3M is a console-based web browser. W3M is available for UNIX/Linux and Windows operating systems. It is exposed to a format string vulnerability. This issue occurs when the browser processes SSL certificates that include format specifiers. Version 0.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/21735

  • 07.2.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VideoLan VLC Media Player Remote Format String Vulnerability
  • Description: VideoLAN VLC media player is a multimedia player for audio and video. It is prone to a remote format string vulnerability due to insufficient input sanitization when .m3u data is passed to the "udp://" handler. VideoLAN VLC version 0.8.6 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21852
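Three entries in this issue are format string bugs: the iPhoto photocast feed in Part I, the w3m SSL certificate fields (07.2.14) and the VLC .m3u "udp://" handler (07.2.15). In each case an attacker-controlled string reaches a printf-style call as the format argument. The following is an added example, not code from this bulletin or from any of the affected projects: a Python detector that finds C conversion specifiers in an untrusted field, the kind of check a feed reader, certificate viewer or intrusion prevention filter can apply before the string is used. The regular expression is built here from the printf grammar, and the sample photocast title, certificate subject and playlist entry are constructed for the demo.

```python
import re

# One C printf conversion: optional positional argument, flags, width,
# precision, length modifier, conversion character. "%%" is a literal percent
# sign and is stripped before matching.
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|q|j|z|t)?([diouxXeEfFgGaAcspn])"
)


def format_specifiers(text: str) -> list:
    """Return the conversion characters found in text, ignoring literal '%%'."""
    return FORMAT_SPEC.findall(text.replace("%%", ""))


def assess(text: str) -> dict:
    """Classify an untrusted field: '%n' writes to memory and is the usual route
    to code execution; read conversions such as '%x' and '%s' leak or crash."""
    convs = format_specifiers(text)
    return {
        "count": len(convs),
        "writes": "n" in convs,
        "verdict": "critical" if "n" in convs else ("suspicious" if convs else "clean"),
    }


# Constructed samples standing in for a photocast title, a certificate
# subject, a playlist entry and a benign certificate subject.
SAMPLES = {
    "photocast_title": "Holiday album %08x %08x %08x %n",
    "cert_subject": "CN=%s%s%s%s%n, O=Example Org",
    "m3u_entry": "udp://%x%x%x%x@239.0.0.1:1234",
    "benign_subject": "CN=www.example.com, O=Example Org, 100%% legit",
}


def scan_samples(samples=SAMPLES) -> dict:
    """Run every sample through assess() and return the results by label."""
    return {label: assess(text) for label, text in samples.items()}


if __name__ == "__main__":
    for label, result in scan_samples().items():
        print("%-16s %s" % (label, result))
```

Note that a space is a valid printf flag, so a harmless-looking "100% sure" contains the conversion "% s"; flagging it is correct, because that is exactly how a C printf would read it. The fix on the application side is always the same: pass the untrusted string as an argument, printf("%s", s), never as the format.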

  • 07.2.16 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TimberWolf ShowNews.PHP Cross Site Scripting
  • Description: TimberWolf is a web-based content management system. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of the "nid" parameter of the "shownews.php" script. TimberWolf version 1.2.2 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21733

  • 07.2.17 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Mobilelib GOLD Multiple Cross Site Scripting Vulnerabilities
  • Description: Mobilelib GOLD is a web application that is exposed to multiple cross-site scripting issues. It fails to properly sanitize user-supplied URI input to the "email" and "errr" parameters of the "contact_us.php" script. Mobilelib GOLD version 2 is vulnerable. Other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21817

  • 07.2.18 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Oracle Portal Key Parameter Cross Site Scripting
  • Description: Oracle Portal is a portal application that is integrated with Oracle's application server software. It is vulnerable to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "key" parameter of the "page" script. Oracle Portal version 10g is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/455486

  • 07.2.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TimberWolf ShowNews.PHP Cross-Site Scripting
  • Description: TimberWolf is a web-based content management system. It is prone to a cross-site scripting vulnerability due to insufficient sanitization of the "nid" parameter of the "shownews.php" script. TimberWolf version 1.2.2 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21733

  • 07.2.20 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AutoDealer Detail.ASP SQL Injection
  • Description: AutoDealer is a web-based application targeted towards small auto dealers for inventory display purposes. It is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "iPro" parameter of the "detail.asp" script file before using it in an SQL query. AutoDealer version 2.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21833

  • 07.2.21 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Vizayn Haber Haberdetay.ASP SQL Injection
  • Description: Vizayn Haber is a web-based application. It is vulnerable to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "haberdetay.asp" script. All versions are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21836

  • 07.2.22 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Click N' Print Coupons Coupon_Detail.ASP SQL Injection
  • Description: Click N' Print Coupons is a web-based coupon application. It is prone to an SQL injection vulnerability due to insufficient sanitization of the "key" parameter of "coupon_detail.asp". Click N' Print Coupons version 2005.01 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21824

  • 07.2.23 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Acronym Mod Admin_Acronyms.PHP SQL Injection
  • Description: Acronym Mod is an application for use with phpBB2 which automatically adds acronyms to bulletin board posts. It is vulnerable to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "/admin/admin_acronyms.php" script. Acronym Mod version 0.9.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21805

  • 07.2.24 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ASPTicker Admin.ASP SQL Injection Vulnerability
  • Description: ASPTicker is a scrolling news management application. It is exposed to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "password" field of the "admin.asp" script file before using it in an SQL query. ASPTicker version 1.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/21807

  • 07.2.25 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Netbula Anyboard User Login SQL Injection
  • Description: Netbula Anyboard is a forum application. Insufficient sanitization of user-supplied input exposes the application to an SQL injection issue. Netbula Anyboard version 9.9.5.6 is affected.
  • Ref: http://www.securityfocus.com/bid/21734
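The six SQL injection entries above (07.2.20 through 07.2.25) describe the same defect, and two of them, ASPTicker's "password" field and the Netbula Anyboard user login, are the login-form variant where the payoff is an authentication bypass. The following is an added example, not code from this bulletin or from any of the listed products: the vulnerable string-built query next to the parameterised one, run against an in-memory SQLite database with a constructed user table, so both payloads can be watched succeeding against the first and failing against the second.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single administrator account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret', 1)")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The bulletin's pattern: form fields are spliced into the SQL text, so a
    quote in either field rewrites the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username: str, password: str) -> bool:
    """Fix: pass the values as bound parameters; the driver never parses them as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two classic payloads for single-quoted string fields.
TAUTOLOGY = "' OR '1'='1"   # password field: ... AND password = '' OR '1'='1'
COMMENT = "admin'--"        # username field: ... username = 'admin'-- AND ...


def demo() -> dict:
    """Try valid credentials and both payloads against each login function."""
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "admin", "s3cret"),
        "valid_safe": login_safe(conn, "admin", "s3cret"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "tautology_safe": login_safe(conn, "nobody", TAUTOLOGY),
        "comment_vulnerable": login_vulnerable(conn, COMMENT, "wrong"),
        "comment_safe": login_safe(conn, COMMENT, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "logged in" if ok else "denied"))
```

The tautology payload needs no valid account name at all, and the comment payload needs only the name of a target account; neither works once the values are bound as parameters, which is why "sanitizing" quotes is the weaker fix compared with never building SQL from strings.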

  • 07.2.26 - CVE: Not Available
  • Platform: Web Application
  • Title: MDForum PNSVLang Parameter Local File Include
  • Description: MDForum is a forum module for the MDPro content management system. It is vulnerable to a local file include issue due to insufficient sanitization of user-supplied input to the "PNSVlang" parameter of the "search_mdforum.php" script. MDForum versions 2.0.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21837

  • 07.2.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Rediff Bol Downloader ActiveX Control Remote Code Execution
  • Description: Rediff Bol Downloader is an ActiveX control designed to download and execute the Rediff Bol Messenger installation application. It is exposed to a remote code execution issue because the control does not restrict the source or content type of the files it will download and execute. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21831

  • 07.2.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Bubla Multiple Remote File Include Vulnerabilities
  • Description: Bubla is a web-based application. It is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "bu_dir" parameter of the "bu_claro.php", "bu_cache.php" and "bu_parse.php" scripts. Bubla versions 0.9.2 and earlier are affected.
  • Ref: http://www.milw0rm.com/exploits/3059

  • 07.2.29 - CVE: Not Available
  • Platform: Web Application
  • Title: Spooky Login Multiple Input Validation Vulnerabilities
  • Description: Spooky Login is a web-based user management application. It is exposed to multiple cross-site scripting vulnerabilities which affect unspecified parameters of the "login.asp" and "register.asp" scripts and also to multiple SQL injection issues which affect the "UserUpdate" parameter of "register.asp" and an unspecified parameter of the "a_register.asp" script. Spooky Login version 2.7 is affected and other versions may also be vulnerable.
  • Ref: http://www.securityfocus.com/bid/21822

  • 07.2.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Enigma Coppermine Bridge E2_Header.Inc.PHP Remote File Include
  • Description: Enigma Coppermine Bridge allows bridging between Enigma and Coppermine. Insufficient sanitization of the "boardir" parameter of the "E2_header.inc.php" script exposes the application to a remote file include issue.
  • Ref: http://www.securityfocus.com/bid/21825

  • 07.2.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Enigma WordPress Bridge Enigma2.PHP Remote File Include
  • Description: Enigma WordPress Bridge allows bridging between Enigma and WordPress. It is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "boardir" parameter of the "Enigma2.php" script. All current versions are affected.
  • Ref: http://www.securityfocus.com/bid/21826
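The MDForum "PNSVlang" local file include (07.2.26) and the remote file includes in Bubla's "bu_dir" (07.2.28) and the two Enigma bridges' "boardir" parameter (07.2.30, 07.2.31) are one bug with two outcomes: a request parameter is concatenated into a PHP include path, so "../" walks out of the application directory and a URL makes PHP fetch the attacker's file when URL includes are permitted. The following is an added example, not code from this bulletin or from MDForum, Bubla or Enigma: the vulnerable concatenation written in Python to mirror the PHP, next to a resolver that rejects URL schemes and NUL bytes, applies an allow-list, and confirms the canonical path stays inside the base directory. The base directory, the language names and the parameter values are constructed for the demo.

```python
import os
from urllib.parse import urlsplit

BASE_DIR = "/srv/app/lang"       # constructed; the directory need not exist
ALLOWED = {"en", "de", "fr"}      # constructed allow-list of include names


def include_path_vulnerable(user_dir: str, script: str = "bu_claro.php") -> str:
    """The bulletin's pattern, mirroring PHP's include("$dir/script.php"): the
    parameter is concatenated verbatim, so it may carry '../' or a URL. A
    trailing '?' in a URL turns the appended script name into a query string."""
    return user_dir + "/" + script


def resolve_include(base_dir: str, user_value: str, allowed=None) -> str:
    """Hardened resolution: reject NUL bytes and URL schemes, optionally require
    a known name, then confirm the canonical path is inside base_dir."""
    if "\x00" in user_value or urlsplit(user_value).scheme:
        raise ValueError("URL scheme or NUL byte in include name")
    if allowed is not None and user_value not in allowed:
        raise ValueError("include name not on the allow-list")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_value + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the base directory")
    return target


def demo() -> dict:
    """Run constructed parameter values through both resolvers."""
    values = ["en", "../../../etc/passwd", "http://evil.example/shell.txt?", "en\x00"]
    out = {"vulnerable": {v: include_path_vulnerable(v) for v in values}}
    for v in values:
        try:
            out[v] = resolve_include(BASE_DIR, v, ALLOWED)
        except ValueError as err:
            out[v] = "rejected: " + str(err)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%r -> %r" % (key, value))
```

The allow-list alone would stop every value in the demo, but the containment check is kept because it also holds when the set of legitimate names is not known in advance; the scheme check matters because os.path functions treat "http://host/x" as an ordinary relative path and would otherwise let it through.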

  • 07.2.32 - CVE: Not Available
  • Platform: Web Application
  • Title: IMGallery Start.PHP Arbitrary File Upload
  • Description: IMGallery is a web-based image gallery application. It is exposed to an arbitrary file upload issue because it fails to sufficiently sanitize user-supplied input when uploading photos through "start.php". IMGallery version 2.5 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21827

  • 07.2.33 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB Multiple Input Validation Vulnerabilities
  • Description: phpBB is a web-based bulletin board application. It is exposed to multiple input validation issues due to insufficient sanitization of user-supplied input. phpBB version 2.0.22 resolves these issues.
  • Ref: http://www.securityfocus.com/bid/21806

  • 07.2.34 - CVE: Not Available
  • Platform: Web Application
  • Title: SoftArtisans FileUp Viewsrc.ASP Directory Traversal
  • Description: FileUp is a web-based file upload and download component. It is vulnerable to a directory traversal issue due to insufficient sanitization of user-supplied input to the "path" parameter of the "viewsrc.asp" script. FileUp version 5.0.14 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/455549

  • 07.2.35 - CVE: Not Available
  • Platform: Web Application
  • Title: Durian Web Application Server Remote Buffer Overflow
  • Description: Durian Web Application Server is a free web application server written in Delphi. It is prone to a remote buffer overflow vulnerability because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Durian Web Application Server version 3.02 for Windows is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/21808

  • 07.2.36 - CVE: Not Available
  • Platform: Web Application
  • Title: WebText User Profile PHP Code Injection
  • Description: WebText is a web-based application to send text messages. It is vulnerable to an arbitrary PHP code injection issue because it fails to properly sanitize user-supplied input to the "wt/users/[nick].php" script. WebText version 0.4.5.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/21809/info

  • 07.2.37 - CVE: Not Available
  • Platform: Hardware
  • Title: MythControlServer SendToMythTV() Buffer Overflow
  • Description: MythControl enables a Windows Mobile Smartphone to be used as a Bluetooth-based remote control for MythTV. It is exposed to a buffer overflow issue in the "sendToMythTV()" function of "MythControlServer.c". MythControl and MythControlServer versions 1.0 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/21839

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.