
@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 23
June 4, 2007

Apple QuickTime, some British Telecom and other third-party ActiveX controls, and an F-Secure file handler all have high-risk vulnerabilities, but overall it is not a bad week at all.

==============

More good news: we have a bonus report for you at the end of this issue. It is a new educational @RISK for programmers that IT security managers or development managers may distribute to programmers and testers. The new SANS Software Security @RISK: Secure Coding Error of the Month takes a recent critical vulnerability - one that did some real damage - and shows the exact programming error that allowed the application to be exploited. This first issue focuses on an Apache web server error. We are announcing it as part of the run-up to the Application Security Summit in Washington later this summer. More info on the Summit at http://www.sans.org/appsummit07/

==================

And a gift as well: We've just finished a longitudinal study of security and audit salaries from 1999 to 2007. If you'll complete the 2007 Salary Survey, we'll give you the executive summary of the longitudinal analysis (telling where salaries went up and down the most, and why). The salary survey is at: http://www.surveymethods.com/EndUser.aspx?84A0CCD18DC6D2

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                               Number of Updates and Vulnerabilities
    - ------------------------------------ -------------------------------------
    Windows                                2
    Third Party Windows Apps               16 (#2, #6, #7)
    Mac Os                                 2
    Linux                                  3
    HP-UX                                  1
    Solaris                                2
    Unix                                   1
    Novell                                 1
    Cross Platform                         24 (#1, #3, #4, #5)
    Web Application - Cross Site Scripting 11
    Web Application - SQL Injection        9
    Web Application                        25

****************** Sponsored By Sourcefire, Inc. *******************

Hackers are keeping up with their training. Are you? Whether you're looking to take a Sourcefire® or SNORT® class or gain full certification, Sourcefire offers a wide selection of courses for your convenience. Learn how to get the most from your Snort or Sourcefire system. Contact Sourcefire Training today at 734.743.6550 or go to http://www.sans.org/info/8221

*********************************************************************

TRAINING UPDATE: This Wednesday is the deadline for lowest-cost registration for SANSFire in Washington this summer (more than 50 courses, from Hacker Exploits to Forensics to Wireless to Secure Coding to PCI and CISSP). The complete course schedule is at: https://www.sans.org/sansfire07/event.php

And the European SANS Conference is in Belgium at the end of June: http://www.sans.org/brussels07/

**********************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
HP-UX
Solaris
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

*********************** Sponsored Links: **************************

1) SANS Voucher Credits Maximize your Training Budget Save 15-30% on SANS training & certification Visit http://www.sans.org/info/8226 or Email Vouchers@sans.org

2) Listen to SANS WhatWorks web cast from May 31st, WhatWorks in Event and Log Management: Driving Compliance with Log Management at Tyson Foods http://www.sans.org/info/8231

3) 2007 SANS Log Management Market Report web cast, June 6th at 1pm EDT. Register today. http://www.sans.org/info/8236

*********************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Apple QuickTime Multiple Vulnerabilities
  • Affected:
    • Apple QuickTime versions prior to 7.1.6 for Apple Mac OS X and Microsoft Windows
  • Description: Apple QuickTime, Apple's cross-platform streaming media layer, contains a flaw in its interaction with Sun's Java Runtime Environment. A specially-crafted web page that instantiates QuickTime for Java objects could exploit this vulnerability and potentially corrupt memory in such a way that an attacker could execute arbitrary code with the privileges of the current user. Depending on configuration, no user interaction other than viewing a malicious web page would be necessary for exploitation. Note that QuickTime is installed by default on Mac OS X and is installed as part of Apple's iTunes for Windows. This vulnerability is distinct from the vulnerability discussed in the previous issues of @RISK.

  • Status: Apple confirmed, updates available.

  • Council Site Actions: Most of the reporting council sites are responding. At most sites the QuickTime users have auto-update enabled. Other sites plan to push the updates during the next regularly scheduled system maintenance.

  • References:

  • (3) HIGH: Multiple F-Secure Products LHA Archive Processing Buffer Overflow
  • Affected:
    • F-Secure Antivirus Products for Microsoft Windows and Linux
  • Description: Multiple products based on the F-Secure antivirus engine for Microsoft Windows and Linux contain a flaw in their processing of LHA archives. LHA is a popular archive format similar to ZIP or RAR. A specially-crafted LHA archive file could trigger this flaw, and exploit a buffer overflow to execute arbitrary code with the privileges of the scanning process. Note that, since some products using the vulnerable engine scan large amounts of traffic (including email), simply having a specially-crafted email transit a vulnerable server would be sufficient to trigger this vulnerability. In many cases, the vulnerable software may run with elevated (root or SYSTEM) privileges.

  • Status: F-Secure confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the responding council sites. They reported that no action was necessary.

  • References:

  • (4) MODERATE: Apache Web Server Multiple Vulnerabilities
  • Affected:
    • Apache versions 1.3.x, 2.0.x, and 2.2.x
  • Description: According to a PNSC security advisory, the Apache web server contains multiple vulnerabilities. Flaws in processing requests could lead to multiple denial-of-service conditions. By sending a specially-crafted request, an attacker could cause a denial-of-service condition in the Apache process or related processes. Depending on configuration, an attacker may be able to exhaust processor resources, leading to a system-wide denial-of-service attack, or be able to send a POSIX "SIGUSR1" signal to an arbitrary process, leading to a denial-of-service condition in an arbitrary process on the vulnerable system. Note that, because Apache is open source, technical details for these flaws are available via source code analysis.

  • Status: Apache has not confirmed, no updates available.

  • Council Site Actions: All of the reporting council sites are using the affected software and plan to distribute patches once they are available.

  • References:

Other Software
  • (6) HIGH: Avira Antivir Antivirus Multiple Vulnerabilities
  • Affected:
    • Applications using the Avira Antivir antivirus engine versions prior to 7.4.24
    • Known applications include:
      • Avira Antivir Workstation Professional
      • Avira Antivir Personal Edition Premium
      • Avira Antivir Personal Edition Classic
  • Description: The Avira Antivir antivirus engine, a popular antivirus engine, contains multiple vulnerabilities: (a) A flaw in the parsing of LZH formatted archives can lead to arbitrary code execution with the privileges of the vulnerable process. LZH is an archive file format, similar to ZIP or RAR, and is related to the LHA archive file format. (b) Flaws in the handling of UPX-compressed executables and tar archives can lead to multiple denial-of-service conditions. Note that, because the antivirus engine may be running on mail or other servers, simply sending a specially crafted email that transits a vulnerable system may be sufficient to exploit one of these conditions.

  • Status: Avira confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the responding council sites. They reported that no action was necessary.

  • References:

  • (7) HIGH: Avast! Antivirus SIS File Parsing Integer Overflow
  • Affected:
    • Avast! Antivirus versions prior to 4.7.700
  • Description: Avast! antivirus, a popular antivirus engine, contains an integer overflow flaw in the parsing of Symbian Installation Source (SIS) files. This file format is used to package applications for various mobile devices utilizing the Symbian operating system. A specially crafted SIS file could trigger this vulnerability, and potentially execute arbitrary code with the privileges of the vulnerable process. Note that, because the vulnerable software may be running in a mode that results in the automatic scanning of files, simply sending an email to a vulnerable user may be sufficient to trigger this vulnerability.

  • Status: Vendor confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the responding council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 23, 2007

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5465 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.23.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Active Directory Logon Hours Username Enumeration Weakness
  • Description: Microsoft Active Directory is an LDAP implementation used on the Microsoft Windows operating system. The application is exposed to a username enumeration weakness because of a design error in the application when verifying user-supplied input. Microsoft Active Directory on Microsoft Windows Server 2003 Standard Edition is affected.
  • Ref: http://www.securityfocus.com/bid/24248

  • 07.23.2 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft DirectX Media DXTMSFT.DLL ActiveX Control Denial of Service
  • Description: Microsoft DirectX Media ActiveX control is part of the Microsoft Windows operating system. The application is exposed to a denial of service issue because it fails to perform adequate checks on user-supplied data. Microsoft Windows XP Tablet PC Edition SP2 and earlier versions are affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.23.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Acoustica MP3 CD Burner PlayList Files Buffer Overflow
  • Description: Acoustica MP3 CD Burner is an application that allows users to edit and burn MP3s onto CDs. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://www.securityfocus.com/bid/24247

  • 07.23.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Logitech VideoCall Multiple ActiveX Controls Multiple Buffer Overflow Vulnerabilities
  • Description: Logitech VideoCall is an application that permits users to communicate through the internet via video and sound. The application is exposed to multiple buffer overflow issues because they fail to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://www.kb.cert.org/vuls/id/330289

  • 07.23.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: F-Secure Policy Manager FSMSH.DLL Remote Denial of Service
  • Description: F-Secure Policy Manager is a management application designed to handle security application installation and policy enforcement for company networks. The application is exposed to a remote denial of service issue due to a failure of the application to properly handle unexpected conditions. F-Secure Policy Manager versions prior to 7.01 are affected.
  • Ref: http://www.f-secure.com/security/fsc-2007-4.shtml

  • 07.23.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Vivotek Motion Jpeg ActiveX Control PTZURL Method Buffer Overflow
  • Description: Vivotek Motion Jpeg is an ActiveX control that controls network cameras. The application is exposed to a buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Vivotek Motion Jpeg version 2.0.0.13 is affected.
  • Ref: http://www.securityfocus.com/bid/24245

  • 07.23.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: British Telecommunications Webhelper Multiple Buffer Overflow Vulnerabilities
  • Description: The British Telecommunications Webhelper ActiveX control is a user registration application for British Telecommunications customers. The application is exposed to multiple buffer overflow issues because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. British Telecommunications Webhelper ActiveX Control versions prior to 1.0.0.7 are affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.23.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Zenturi ProgramChecker SASATL.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities
  • Description: Zenturi ProgramChecker ActiveX controls are utility programs. The application is exposed to multiple buffer overflow issues because they fail to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://www.kb.cert.org/vuls/id/603529

  • 07.23.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: British Telecommunications Consumer Webhelper Multiple Buffer Overflow Vulnerabilities
  • Description: The British Telecommunications Consumer Webhelper ActiveX control is a user registration application for British Telecommunications customers. The application is exposed to multiple buffer overflow issues because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. British Telecommunications Consumer Webhelper ActiveX Control versions prior to 2.0.0.8 are affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.23.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Media Technology Group CDPass ActiveX Control Multiple Buffer Overflow Vulnerabilities
  • Description: CDPass is an ActiveX control providing bonus content for Music CDs and DVDs. The application is exposed to multiple stack-based buffer overflow issues because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://www.kb.cert.org/vuls/id/933353

  • 07.23.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EDraw Office Viewer Component EDrawOfficeViewer.OCX ActiveX Control Buffer Overflow
  • Description: The EDraw Office Viewer Component is an ActiveX control to display and interact with Microsoft Office files such as Word, Excel, PowerPoint, Project and Visio. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. The EDraw Office Viewer Component version 4.0.5.20 is affected.
  • Ref: http://moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html

  • 07.23.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EDraw Office Viewer Component ActiveX Control Arbitrary File Delete
  • Description: The EDraw Office Viewer Component is exposed to an arbitrary file delete issue because it fails to properly sanitize user-supplied input. This issue affects the string filename parameter of the "DeleteLocalFile" method of the affected ActiveX control.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.23.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: LeadTools Raster ISIS Object LTRIS14e.DLL ActiveX Control Buffer Overflow
  • Description: LeadTools ISIS Control is an SDK for imaging applications. The application is exposed to a buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. LeadTools Raster ISIS ActiveX control version 14.5.0.44 is affected.
  • Ref: http://moaxb.blogspot.com/2007/05/moaxb-27-leadtools-raster-isis-object.html

  • 07.23.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Yahoo! Messenger Webcam Viewer YWCVWR.DLL ActiveX Control Denial of Service
  • Description: Yahoo! Messenger Webcam Viewer Networking and Imaging is an ActiveX control to provide video support to the messaging application. The application is exposed to a denial of service issue because it fails to perform adequate checks on user-supplied input data. Yahoo! Messenger version 8.0.1 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.23.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: LeadTools Raster Document Object Library LTRDC14E.DLL ActiveX Control Buffer Overflow
  • Description: LeadTools Raster OCR Document Object Library ActiveX control is exposed to a buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. LeadTools Raster OCR Document Object Library ActiveX control version 14.5.0.44 is affected.
  • Ref: http://moaxb.blogspot.com/2007/05/moaxb-26-leadtools-raster-ocr-document.html

  • 07.23.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ademco ATNBaseLoader100 ActiveX Control Buffer Overflow
  • Description: Ademco ATNBaseLoader100 ActiveX control is a control used in conjunction with certain webcams. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Ademco ATNBaseLoader100 ActiveX control version 5.4.0.6 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.23.17 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Avast! Managed Client SIS File Handling Remote Heap Overflow
  • Description: Avast! Managed Client is used with Avast! Distributed Network Manager to deploy and manage Avast! antivirus software over the network. The application is exposed to a heap overflow issue in its SIS-processing routines. Avast! Managed Client versions earlier than 4.7.700 are affected.
  • Ref: http://www.nruns.com/advisories/%5Bn.runs-SA-2007.009%5D%20-%20Avast!%20Antivirus%20SIS%20parsing%20Arbitrary%20Code%20Execution%20Advisory.pdf

  • 07.23.18 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Dart Zip Compression DartZip.DLL ActiveX Control Buffer Overflow
  • Description: The Dart Zip Compression for ActiveX is a file compression/decompression utility for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Dart Zip Compression for ActiveX version 1.8.5.3 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.23.19 - CVE: CVE-2007-0753
  • Platform: Mac Os
  • Title: Apple Mac OS X VPND Local Format String
  • Description: Apple Mac OS X's VPN service daemon is exposed to a format-string issue because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. Apple Mac OS X Server versions 10.4.9 and earlier are affected.
  • Ref: http://docs.info.apple.com/article.html?artnum=305530

  • 07.23.20 - CVE: CVE-2007-2386
  • Platform: Mac Os
  • Title: Apple Mac OS X mDNSResponder Remote Buffer Overflow
  • Description: Apple Mac OS X's mDNSResponder service is exposed to a remote buffer overflow issue due to a failure of the software to properly bounds check user-supplied input prior to copying it to an insufficiently sized memory buffer. Apple Mac OS X versions 10.4.0 through 10.4.9 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/221876

  • 07.23.21 - CVE: Not Available
  • Platform: Linux
  • Title: PHP Realpath() Safe_Mode and Open_Basedir Restriction Bypass
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The application is exposed to a "safe_mode" and "open_basedir" restriction bypass issue. PHP versions prior to 5.2.3 are affected.
  • Ref: http://www.securityfocus.com/bid/24259

  • 07.23.22 - CVE: Not Available
  • Platform: Linux
  • Title: DOMjudge Receive Function Remote Buffer Overflow
  • Description: DOMjudge is an automated judge system for programming contests. The application is exposed to a buffer overflow issue because it fails to adequately bounds check user-supplied data before copying it to an insufficiently sized buffer. DOMjudge versions prior to 2.0.0 RC1 are affected.
  • Ref: http://www.securityfocus.com/bid/24218

  • 07.23.23 - CVE: CVE-2007-2683
  • Platform: Linux
  • Title: Mutt Mutt_Gecos_Name Function Local Buffer Overflow
  • Description: Mutt is a text-based mail client available for Unix, Linux, and other Unix-like operating systems. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239890

  • 07.23.24 - CVE: Not Available
  • Platform: HP-UX
  • Title: OpenVMS PAS$RTL.EXE Unspecified Local Denial of Service
  • Description: OpenVMS is a mainframe-like operating system originally developed by Digital. It is maintained and distributed by HP. The application is exposed to a local denial of service issue due to an unspecified error in the "PAS$RTL.EXE" application.
  • Ref: http://www.securityfocus.com/bid/24252

  • 07.23.25 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris IKED(1M) Denial of Service
  • Description: The in.iked service for Sun Solaris is exposed to a denial of service issue because the application fails to handle exceptional conditions. This issue is due to a logical pointer handling error in the "iked(1M)" service.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102745-1&searchclause=

  • 07.23.26 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris INETD(1M) Local Denial of Service
  • Description: Sun Solaris inetd(1M) is exposed to a local denial of service issue as unauthorized local users are permitted to disable the inetd daemon process. Sun Solaris versions 10_x86 and 10 are affected. Please refer to the advisory for further details.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102921-1&searchclause=

  • 07.23.27 - CVE: CVE-2007-2452
  • Platform: Unix
  • Title: GNU Locate Old Format Locate Database Local Buffer Overflow
  • Description: GNU locate is included as part of GNU findutils. It is a utility to list files in a database matching certain criteria. The application is exposed to a local heap-based buffer overflow issue because it fails to properly bounds check user-supplied input before using it in a memory copy operation. GNU locate versions as found in GNU findutils versions prior to 4.2.31 are affected.
  • Ref: http://www.securityfocus.com/archive/1/470108

  • 07.23.28 - CVE: CVE-2007-2513
  • Platform: Novell
  • Title: Novell GroupWise Man In The Middle
  • Description: GroupWise is a groupware application for the Novell operating system. The application is exposed to a man-in-the-middle issue due to a design error. Novell GroupWise versions prior to GroupWise 6.5 post-SP6 and GroupWise 7 SP2 are affected.
  • Ref: http://www.securityfocus.com/bid/24258

  • 07.23.29 - CVE: CVE-2007-2872
  • Platform: Cross Platform
  • Title: PHP Chunk_Split() Unspecified Integer Overflow
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The application is exposed to an integer overflow issue because it fails to ensure that integer values aren't overrun. PHP versions prior to 5.2.3 are affected.
  • Ref: http://www.securityfocus.com/bid/24261

  • 07.23.30 - CVE: CVE-2007-2387
  • Platform: Cross Platform
  • Title: Apple Xserve Lights-Out Management Firmware IPMI Remote Privilege Escalation
  • Description: Apple Xserve Lights-Out Management Firmware provides remote control, administration and resource management of certain subsystems for Apple servers. The application is exposed to a remote privilege escalation issue which exists in Apple's implementation of IPMI in the Lights-Out Management Firmware.
  • Ref: http://docs.info.apple.com/article.html?artnum=305571

  • 07.23.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Eudora Mail Imap Flags Remote Buffer Overflow
  • Description: Eudora Mail is a client email application from Qualcomm. It is available for Microsoft Windows and Apple Mac OS operating systems. The application is exposed to a remote buffer overflow issue because the application fails to properly bounds check user-supplied input before copying it into an insufficiently sized memory buffer. Eudora Mail version 7.1 is affected.
  • Ref: http://www.securityfocus.com/bid/24251

  • 07.23.32 - CVE: CVE-2007-2894
  • Platform: Cross Platform
  • Title: Bochs Buffer Overflow and Denial of Service Vulnerabilities
  • Description: Bochs is an IA-32 (x86) PC emulator implemented in C++. It is available for multiple operating systems. The application is exposed to a heap-based buffer overflow and denial of service issue due to an application failure to bounds check user-supplied data before copying it into an insufficiently sized memory buffer.
  • Ref: http://www.securityfocus.com/bid/24246

  • 07.23.33 - CVE: CVE-2007-2917
  • Platform: Cross Platform
  • Title: Authentium Command Antivirus ActiveX Control ODAPI.DLL Multiple Buffer Overflow Vulnerabilities
  • Description: Authentium Command Antivirus is an antivirus application for multiple platforms. The application is exposed to multiple buffer overflow issues because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Command Antivirus versions 4.93.7 and earlier are affected.
  • Ref: http://www.kb.cert.org/vuls/id/563401

  • 07.23.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple F-Secure Products Packed Executables and Archives Denial of Service
  • Description: F-Secure Anti-Virus and Internet Gatekeeper are antivirus applications developed by F-Secure. Multiple F-Secure products are exposed to a denial of service issue because the application fails to handle exceptional conditions.
  • Ref: http://www.f-secure.com/security/fsc-2007-3.shtml

  • 07.23.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-Secure Anti-Virus LHA Processing Buffer Overflow
  • Description: F-Secure Anti-Virus is antivirus software available for Microsoft Windows and Linux. Multiple F-Secure Anti-Virus applications are exposed to a buffer overflow issue when they process malicious LHA archive files because the applications fail to properly check boundaries on user-supplied data before copying it to an insufficiently sized memory buffer.
  • Ref: http://www.f-secure.com/security/fsc-2007-1.shtml

  • 07.23.36 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-Secure Multiple Products Real-time Scanning Component Local Privilege Escalation
  • Description: F-Secure provides multiple antivirus and internet security applications for the Microsoft Windows and Linux operating systems. Multiple F-Secure workstation and file server products are exposed to a local privilege escalation issue due to an improper access validation of the address space used by the affected component.
  • Ref: http://www.f-secure.com/security/fsc-2007-2.shtml

  • 07.23.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Avira Antivir Tar Archive Handling Remote Denial of Service
  • Description: Avira Antivir Antivirus is an antivirus application available for Microsoft Windows, Linux, FreeBSD, OpenBSD, and Sun Solaris. The application is exposed to a denial of service issue because the application fails to handle certain TAR archives. Avira Antivir version 6.35.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/470042

  • 07.23.38 - CVE: CVE-2007-2388
  • Platform: Cross Platform
  • Title: Apple QuickTime for Java Unspecified Remote Heap Buffer Overflow
  • Description: Apple QuickTime for Java is exposed to a remote heap-based buffer overflow issue because it fails to properly bounds check user-supplied input prior to copying it to an insufficiently sized buffer. Apple QuickTime Player version 7.1.6 is affected.
  • Ref: http://www.securityfocus.com/bid/24221

  • 07.23.39 - CVE: CVE-2007-2389
  • Platform: Cross Platform
  • Title: Apple Quicktime For Java Variant Information Disclosure
  • Description: Apple QuickTime for Java is exposed to an information disclosure issue that an attacker could exploit by convincing a victim to visit a malicious web site. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/24222

  • 07.23.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache HTTP Server Worker Process Multiple Denial of Service Vulnerabilities
  • Description: Apache is exposed to multiple denial of service issues due to a failure in the application to properly handle malformed or malicious worker processes. Apache Software Foundation Apache versions 2.2.4, 2.0.59 and 1.3.37 are affected.
  • Ref: http://www.securityfocus.com/archive/1/469899

  • 07.23.41 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ignite Realtime Openfire Unspecified Privilege Escalation
  • Description: Openfire is an instant messaging server based on the Jabber protocol. The application is exposed to an unspecified privilege escalation issue that resides in the built-in admin console over TCP port 9090. Openfire versions 3.3.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24205

  • 07.23.42 - CVE: Not Available
  • Platform: Cross Platform
  • Title: InGate Firewall and SIParator Multiple Unspecified Vulnerabilities
  • Description: Ingate Firewalls are hardware firewall devices that support the Session Initiation Protocol (SIP) via SIParator SIP-based communication devices. The application is exposed to multiple unspecified remote issues because it does not properly restrict the downloading of support reports, which could be exploited to access. Ingate Firewalls versions prior to 4.5.2 are affected. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/24207

  • 07.23.43 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sony Playstation 3 Internet Browser Multiple Denial of Service Vulnerabilities
  • Description: Sony Playstation 3 is a video game console which includes an internet browser which is based on the NetFront web browser. The device is exposed to multiple denial of service issues because the internet browser fails to adequately handle user-supplied data.
  • Ref: http://www.securityfocus.com/bid/24203

  • 07.23.44 - CVE: CVE-2007-2446
  • Platform: Cross Platform
  • Title: Samba NDR RPC Request DFSEnum Heap-Based Buffer Overflow
  • Description: Samba is a suite of software that provides file and print services for "SMB/CIFS" clients. Samba is exposed to a remote heap-based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
  • Ref: http://www.kb.cert.org/vuls/id/773720

  • 07.23.45 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox Resource Directory Traversal
  • Description: Mozilla Firefox is a web browser available for multiple operating platforms. The application is exposed to a directory traversal issue because it fails to adequately sanitize user-supplied data. Mozilla Firefox versions 2.0.0.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24191

  • 07.23.46 - CVE: CVE-2007-2446
  • Platform: Cross Platform
  • Title: Samba NDR RPC Request LsarLookupSids/LsarLookupSids2 Heap-Based Buffer Overflow
  • Description: Samba is a suite of software that provides file and print services for "SMB/CIFS" clients. Samba is exposed to a remote heap based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
  • Ref: http://www.kb.cert.org/vuls/id/773720

  • 07.23.47 - CVE: CVE-2007-2446
  • Platform: Cross Platform
  • Title: Samba NDR RPC Request NetSetFileSecurity Heap-Based Buffer Overflow
  • Description: Samba is a suite of software that provides file and print services for "SMB/CIFS" clients. Samba is exposed to a remote heap-based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
  • Ref: http://www.kb.cert.org/vuls/id/773720

  • 07.23.48 - CVE: CVE-2007-2446
  • Platform: Cross Platform
  • Title: Samba NDR RPC Request RFNPCNEX Heap-Based Buffer Overflow
  • Description: Samba is a suite of software that provides file and print services for "SMB/CIFS" clients. Samba is exposed to a remote heap-based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer. Samba versions 3.0.25rc3 and earlier are affected.
  • Ref: http://www.kb.cert.org/vuls/id/773720

  • 07.23.49 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenOffice Writer Component Remote Denial of Service
  • Description: OpenOffice is a suite of productivity tools for multiple operating systems. The OpenOffice "Writer" component is exposed to a remote denial of service issue that is triggered when an attacker convinces a victim user to open a malicious native "Writer" file. OpenOffice version 2.2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/24186

  • 07.23.50 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Avira Antivir Antivirus Multiple Remote Vulnerabilities
  • Description: Avira Antivir Antivirus is a multi-platform antivirus application. The application is exposed to a buffer overflow issue when processing specially crafted LZH archive files due to an integer handling flaw and an infinite loop denial of service issue when processing TAR archives. Avira Antivir AVPack versions prior to 7.03.00.09 and Engine versions prior to 7.04.00.24 are affected.
  • Ref: http://www.securityfocus.com/bid/24187

  • 07.23.51 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tor Circuit Entry Guard Same Family Check Design Weakness
  • Description: Tor is an implementation of second generation onion routing, a connection-oriented anonymous communication service. Tor contains a design weakness in the way it builds a circuit for client routing that contributes to the compromise of client communication streams. Tor versions prior to 0.1.2.14 are affected.
  • Ref: http://www.securityfocus.com/bid/24180

  • 07.23.52 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java Web Proxy Server Multiple Buffer Overflow Vulnerabilities
  • Description: Sun Java System Web Proxy Server is a proxy server developed by Sun Microsystems. The application is exposed to multiple buffer overflow issues because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Web Proxy Server version 4.0.3 is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102927-1

  • 07.23.53 - CVE: CVE-2007-2825
  • Platform: Web Application - Cross Site Scripting
  • Title: @Mail Links/Images Cross-Site Scripting
  • Description: @Mail is a webmail application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "links/images" parameter of the "readmsg.php" script. @Mail versions prior to 5.04 are affected.
  • Ref: http://www.securityfocus.com/bid/24260

  • 07.23.54 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Hitachi Collaboration Portal Products Cross-Site Scripting Vulnerabilities
  • Description: Hitachi Collaboration Portal Products are a collection of Windows-based server and client applications for web collaboration. The applications are exposed to multiple cross-site scripting issues because they fail to properly sanitize user-supplied input.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS07-011_e/index-e.html

  • 07.23.55 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: HP System Management Homepage (SMH) Unspecified Cross-Site Scripting
  • Description: System Management Homepage (SMH) provides a web-based management interface for ProLiant and Integrity servers. The application is exposed to a cross-site scripting issue. Please refer to the advisory for further details. HP System Management Homepage (SMH) versions prior to 2.1.2 for Linux and Windows are affected.
  • Ref: http://www.securityfocus.com/bid/24256

  • 07.23.56 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Particle Gallery Search.PHP Cross-Site Scripting
  • Description: Particle Gallery is a web-based image gallery application. It is exposed to a cross-site scripting issue because it fails to properly handle user-supplied input to the "order" parameter of the "search.php" script. Particle Gallery versions 1.0.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24236

  • 07.23.57 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Invision Power Board Module_table.PHP Cross-Site Scripting
  • Description: Invision Power Board is a web-based forum application. It is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user input to the "editorid" parameter of the "jscripts/folder_rte_files/module_table.php" script. Invision Power Board versions 2.2.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24244

  • 07.23.58 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: 8E6 R3000 Internet Filter Multiple Cross-Site Scripting Vulnerabilities
  • Description: The 8E6 R3000 Internet Filter is a dedicated Internet traffic filtering appliance. The 8E6 R3000 Internet Filter appliance is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/24206

  • 07.23.59 - CVE: CVE-2007-0694
  • Platform: Web Application - Cross Site Scripting
  • Title: DGNews Footer.PHP Cross-Site Scripting
  • Description: DGNews is a web-based news script. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user input to the "copyright" parameter of the "footer.php" script. DGNews version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/24200

  • 07.23.60 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Centrinity FirstClass %00 Cross-Site Scripting
  • Description: Centrinity FirstClass is a messaging and collaboration product. The application is exposed to a cross-site scripting issue because it fails to properly handle user-supplied sequences in the form of "%00". FirstClass versions 8.0 and 8.3 are affected.
  • Ref: http://www.securityfocus.com/bid/24204

  • 07.23.61 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpPgAdmin Redirect.PHP Cross-Site Scripting
  • Description: phpPgAdmin is a web-based administration utility. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user input to the "redirect.php" script. phpPgAdmin versions 4.1.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24182

  • 07.23.62 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: BoastMachine Index.PHP Cross-Site Scripting
  • Description: BoastMachine is a blog application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user input. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/24156

  • 07.23.63 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Digirez Multiple Cross-Site Scripting Vulnerabilities
  • Description: Digirez is a web-based reservation application. The application is exposed to multiple cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input to the "Romm_name" parameter of the "info_book.asp" script, and the "curYear" parameter of the "week.asp" script. Digirez version 3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/24157

  • 07.23.64 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: myBloggie Index.PHP Multiple SQL Injection Vulnerabilities
  • Description: myBloggie is web-based blogging software. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied input to the "cat_id" and "year" parameters of "index.php" before using it in an SQL query. MyBloggie versions 2.1.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24249

  • 07.23.65 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Particle Blogger Archives.PHP SQL Injection
  • Description: Particle Blogger is a weblog. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "month" parameter of the "archives.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/archive/1/469984

  • 07.23.66 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Vizayn Urun Tanitim Sistemi Default.ASP SQL Injection
  • Description: Vizayn Urun Tanitim Sistemi is a content management system implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "default.asp" script before using it in an SQL query. Vizayn Urun Tanitim Sistemi version 0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/24238

  • 07.23.67 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SalesCart Shopping Cart Reorder2.ASP Multiple SQL Injection Vulnerabilities
  • Description: SalesCart Shopping Cart is a web-based application implemented in ASP. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/24226

  • 07.23.68 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla Phil-A-Form Component Index.PHP SQL Injection
  • Description: Joomla Phil-A-Form is a form generation component. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "form_id" parameter of the "index.php" script before using it in an SQL query. The Joomla Phil-A-Form Component version 1.2.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/24211

  • 07.23.69 - CVE: CVE-2007-0693
  • Platform: Web Application - SQL Injection
  • Title: DGNews News.PHP SQL Injection
  • Description: DGNews is a web-based news script. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "catid" parameter of the "news.php" script before using it in an SQL query. DGNews version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/24201

  • 07.23.70 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: My Little Forum User.PHP SQL Injection
  • Description: My Little Forum is a forum application. It utilizes a MySQL database for data storage. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "user.php" script before using it in an SQL query. My Little Forum version 1.7 is affected.
  • Ref: http://www.securityfocus.com/bid/24173

  • 07.23.71 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Zindizayn Okul Web Sistemi Multiple SQL Injection Vulnerabilities
  • Description: Zindizayn Okul Web Sistemi is an ASP-based web application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" and "password" parameters of the "mezungiris.asp" and "ogretmenkontrol.asp" scripts. Zindizayn Okul Web Sistemi version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/24174

  • 07.23.72 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: gCards GetNewsItem.PHP SQL Injection
  • Description: gCards is a web-based greeting card application. It uses a MySQL database for data storage. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "newsid" parameter of the "getnewsitem.php" script before using it in an SQL query. gCards version 1.46 is affected.
  • Ref: http://www.securityfocus.com/bid/24175

  • 07.23.73 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP JackKnife Multiple Input Validation Vulnerabilities
  • Description: PHP JackKnife is a web-based gallery. The application is exposed to input validation issues because it fails to sufficiently sanitize user-supplied data. PHP JackKnife version 2.21 is affected.
  • Ref: http://www.securityfocus.com/archive/1/470111

  • 07.23.74 - CVE: Not Available
  • Platform: Web Application
  • Title: AdminBot-MX Live_Status.Lib.PHP Remote File Include
  • Description: AdminBot-MX is a web-based application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "ROOT" parameter of the "lib/live_status.lib.php" script. AdminBot-MX version 9.0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/24231

  • 07.23.75 - CVE: Not Available
  • Platform: Web Application
  • Title: IBM Web-based System Manager Unspecified Denial of Service
  • Description: IBM Web-based System Manager (WebSM) is a suite of system management tools for AIX 5L. The application is exposed to an unspecified denial of service issue which can be exploited only when WebSM is configured in applet mode, remote client mode or client-server mode. IBM AIX versions 5.2 and 5.3 are affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY95637

  • 07.23.76 - CVE: Not Available
  • Platform: Web Application
  • Title: IBM AIX Perl Interpreter Local Arbitrary Code Execution
  • Description: IBM AIX is exposed to a local arbitrary code execution issue that exists in the AIX Perl interpreter and other related unspecified binaries shipped with the affected operating system. IBM AIX versions 5.2 and 5.3 are affected. Please refer to the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/24241

  • 07.23.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Pheap Config.PHP Pheap_Login Authentication Bypass
  • Description: Pheap is a web-based content manager. The application is exposed to an authentication bypass issue due to a design error. The issue occurs when a specially crafted cookie containing the administrative account name is used when accessing the site's user verification routine. Pheap version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/24227

  • 07.23.78 - CVE: Not Available
  • Platform: Web Application
  • Title: FileCloset Unspecified Arbitrary File Upload
  • Description: FileCloset is a web-based file management system. The application is exposed to an arbitrary file upload issue because an unspecified script fails to properly verify the file extensions of uploaded files. FileCloset versions prior to 1.1.5 are affected.
  • Ref: http://www.securityfocus.com/bid/24228

  • 07.23.79 - CVE:
  • Platform: Web Application
  • Title: Uebimiau Error.PHP Multiple Input Validation Vulnerabilities
  • Description: Uebimiau provides webmail access to IMAP and POP3 accounts. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied input. Uebimiau versions 2.7.2 and 2.7.10 are affected.
  • Ref: http://www.securityfocus.com/bid/24210

  • 07.23.80 - CVE: Not Available
  • Platform: Web Application
  • Title: Geeklog CAPTCHA Plugin _CONF[path] Remote File Include
  • Description: The CAPTCHA plugin is a module for the Geeklog weblog application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "_CONF[path]" parameter of the "class/captcha.class.php" script. The CAPTCHA plugin version 2.1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/24214

  • 07.23.81 - CVE: Not Available
  • Platform: Web Application
  • Title: Inout Metasearch Engine Cookie Forgery Remote Authentication Bypass
  • Description: The Inout metasearch engine is a search engine application. The application is exposed to an authentication bypass issue because it fails to adequately sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/24199

  • 07.23.82 - CVE: Not Available
  • Platform: Web Application
  • Title: Inout Metasearch Engine Create_Engine.PHP Remote PHP Code Execution
  • Description: The Inout Metasearch engine is a search engine application. The application is exposed to an arbitrary PHP code execution issue because it fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/469808

  • 07.23.83 - CVE: Not Available
  • Platform: Web Application
  • Title: FlashChat F_CMS Parameter Multiple Remote File Include Vulnerabilities
  • Description: FlashChat is a web-based chatroom application. The application is exposed to multiple remote file include issues because it fails to properly sanitize user-supplied input to the "f_cms" parameter of the "incclasses/connection.php" and "inc/common.php" scripts. FlashChat version 4.7.9 is affected.
  • Ref: http://www.securityfocus.com/bid/24190

  • 07.23.84 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordpress Comment Field HTML Injection
  • Description: Wordpress is a web-log application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "comment" field of the article section. WordPress versions 2.1.3 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24183

  • 07.23.85 - CVE: Not Available
  • Platform: Web Application
  • Title: Fundanemt SpellCheck.PHP Remote Command Execution
  • Description: Fundanemt is a content management system. The application is exposed to a command execution issue because it fails to sanitize user-supplied input to the "dict" parameter of the "spellcheck.php" script. Fundanemt versions 2.2.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24185

  • 07.23.86 - CVE: Not Available
  • Platform: Web Application
  • Title: Frequency Clock Multiple Remote File Include Vulnerabilities
  • Description: Frequency Clock is a web-based application used to manage streaming audio and video channels. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "securelib" parameter of the "conf.php" and "cp2.php" scripts. Frequency Clock version 0.1 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/24176

  • 07.23.87 - CVE: Not Available
  • Platform: Web Application
  • Title: WANewsletter Waroot Parameter Remote File Include
  • Description: WANewsletter is a web-based application. WANewsletter is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "waroot" parameter of the "newsletter.php" script. WANewsletter version 2.1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/24177

  • 07.23.88 - CVE: Not Available
  • Platform: Web Application
  • Title: Windy Road Vistered Little Theme Skin Parameter Directory Traversal
  • Description: Vistered Little is a theme for Wordpress. The application is exposed to a directory traversal issue because it fails to properly sanitize user-supplied input to the "skin" parameter of the "skins/common.css.php" script. Vistered Little version 1.6a is affected.
  • Ref: http://www.securityfocus.com/bid/24178

  • 07.23.89 - CVE: Not Available
  • Platform: Web Application
  • Title: cpCommerce Full Name Field HTML Injection
  • Description: cpCommerce is an e-commerce application. It is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "Full Name" input field of an unspecified script. cpCommerce version 1.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/24166

  • 07.23.90 - CVE: Not Available
  • Platform: Web Application
  • Title: FlaP Multiple Remote File Include Vulnerabilities
  • Description: FlaP is a web-based application. FlaP is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "pachtofile" parameter of the "skin/html/table.php", "skin/html/login.php" and "skin/html/left_menu.php" scripts. FlaP version 1.0 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/24167

  • 07.23.91 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenBase Root_Prefix Remote File Include
  • Description: OpenBase is a web-based foundation library used to create other web applications. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root_prefix" parameter of the "core.inc.php" script. OpenBase version 0.6 alpha is affected.
  • Ref: http://www.securityfocus.com/bid/24168

  • 07.23.92 - CVE: Not Available
  • Platform: Web Application
  • Title: vBGSiteMap Base Parameter Remote File Include
  • Description: vBGSiteMap is a PHP application designed to create a Google Sitemap for vBulletin web sites. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "base" parameter of the "vbgsitemap/vbgsitemap-vbseo.php" script. vBGSiteMap version 2.41 is affected.
  • Ref: http://www.securityfocus.com/bid/24169

  • 07.23.93 - CVE: Not Available
  • Platform: Web Application
  • Title: TROforum Admin.PHP Remote File Include
  • Description: TROforum is a web-based application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "site_url" parameter of the "admin/admin.php" script. TROforum version 0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/24170

  • 07.23.94 - CVE: Not Available
  • Platform: Web Application
  • Title: Mazen's PHP Chat Multiple Remote File Include Vulnerabilities
  • Description: Mazen's PHP Chat is a web-based application. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "basepath" parameter of the "include/pear/ITX.php", "include/pear/IT_Error.php" and "include/pear/IT.php" scripts. Mazen's PHP Chat version 3.0.0B1 is affected.
  • Ref: http://www.securityfocus.com/bid/24171

  • 07.23.95 - CVE: Not Available
  • Platform: Web Application
  • Title: WebAvis Class.PHP Remote File Include
  • Description: WebAvis is a web frontend for "amavisd-new". The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root" parameter of the "class.php" script. WebAvis version 0.1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/24164

  • 07.23.96 - CVE: Not Available
  • Platform: Web Application
  • Title: Ruby on Rails To_JSON Script Injection
  • Description: Ruby on Rails is a freely available web application framework implemented in the Ruby programming language. The application is exposed to a script injection issue because it fails to properly sanitize user-supplied input when it is passed through the "to_json" method. Ruby on Rails version 1.2.3 is affected.
  • Ref: http://dev.rubyonrails.org/ticket/8371

  • 07.23.97 - CVE: Not Available
  • Platform: Web Application
  • Title: Pligg Reset Forgotten Password Security Bypass
  • Description: Pligg is a web-based content manager. The application is exposed to a security bypass issue because of a design error in its forgotten-password reset feature. Pligg version 9.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/469591

=========================================================================
SANS Software Security @RISK: Secure Coding Error of the Month
Vol. 1, Num. 1
June 3, 2007
=========================================================================

Millions of problems from one coding error.

The Apache Software Foundation (apache.org) reports that more than 10 million copies of its Apache Tomcat package have been downloaded, providing Java servlet functionality for web servers throughout the world. Moreover, Tomcat is frequently used as a standalone web server in high-traffic and high-availability environments where sensitive and valuable information is stored.

So a programming error by one of the Tomcat developers is a BIG error. If it opens a security hole, millions of people now need to patch their systems. It is an even bigger problem because, sadly, thousands or tens of thousands of sites will not install the patch, possibly because no one will tell them about the need to do so, and will become victims of data theft, extortion, and other cyber crimes.

As you read this first edition of SANS Software Security @RISK newsletter, note how little effort would have been needed to avoid the problem.

*****************************************************
Apache Tomcat JK Web Server Connector Buffer Overflow
*****************************************************

What kind of error is it? A buffer overflow.
--------------------------------------------

Buffer overflows are one of the oldest types of security vulnerability, documented as early as the mid-1960s. As the name suggests, the vulnerability arises when a programmer allows more data to be crammed into a storage area than was originally set aside for it. When the data overflows the reserved area, bad things often happen.

In early March, a critical buffer overflow was disclosed in the Apache Tomcat JK Web Server Connector (mod_jk).

This vulnerability is a stack-based buffer overflow. The flaw is triggered by a long URI passed to the mod_jk module: an unauthenticated user can send an oversized URI and execute arbitrary code of their choice on the server.

The information of interest to security professionals -- the vulnerable versions of Tomcat, the damage that can be done, and exploits in the wild -- has all been well covered in the SANS weekly @RISK newsletter and elsewhere (and is referenced at the end of this issue). Here we focus instead on the aspect of the problem relevant to programmers: the programming error that led to this huge problem.

What coding error was responsible for this vulnerability?
---------------------------------------------------------

Buffer overflows arise because programmers forget to check that the length of data being copied into a buffer is less than or equal to the buffer size.

Let us now look at the vulnerable function that led to the Tomcat overflow.

The buffer overflow was found in the map_uri_to_worker() function, defined in the file native/common/jk_uri_worker_map.c.

#define JK_MAX_URI_LEN 4095        /* from jk_uri_worker_map.h */

*************
Function code
*************

const char *map_uri_to_worker(jk_uri_worker_map_t *uw_map,
                              const char *uri, jk_logger_t *l)
{
    unsigned int i;
    char *url_rewrite;
    const char *rv = NULL;
    char url[JK_MAX_URI_LEN+1];     /* 4096-byte stack buffer */

    JK_TRACE_ENTER(l);

    if (!uw_map || !uri) {
        JK_LOG_NULL_PARAMS(l);
        JK_TRACE_EXIT(l);
        return NULL;
    }
    if (*uri != '/') {
        jk_log(l, JK_LOG_WARNING,
               "Uri %s is invalid. Uri must start with /", uri);
        JK_TRACE_EXIT(l);
        return NULL;
    }

###############################
Erroneous Code in this function
###############################

    /* copies uri into url up to the first ';' with no bound on i */
    for (i = 0; i < strlen(uri); i++)
        if (uri[i] == ';')
            break;
        else
            url[i] = uri[i];
    url[i] = '\0';

What is wrong with this function?
---------------------------------

Notice that "uri" is an input to the function. It is copied into the locally declared array "url", a buffer of size 4096 (JK_MAX_URI_LEN+1). The copy loop, however, runs for the length of the input uri: nothing in the function stops copying once the length of uri exceeds the maximum length of the url buffer, i.e. 4096. The excess bytes overwrite whatever follows url on the stack, which gives a stack-based buffer overflow, usually the simplest kind of buffer overflow to exploit.

What did it take to fix the vulnerable function?
------------------------------------------------

Introduce a check for the length of the uri that is copied into the url variable.

**********
Fixed Code
**********

    for (i = 0; i < strlen(uri); i++) {
        if (i == JK_MAX_URI_LEN) {
            jk_log(l, JK_LOG_WARNING,
                   "Uri %s is invalid. Uri must be smaller then %d chars",
                   uri, JK_MAX_URI_LEN);
            JK_TRACE_EXIT(l);
            return NULL;
        }
        if (uri[i] == ';')
            break;
        else
            url[i] = uri[i];
    }

As you can see, once the copy index reaches JK_MAX_URI_LEN (that is, once the length of uri reaches the maximum of 4096), the function logs a warning and returns NULL instead of writing past the end of url.
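The bounded copy from the fixed code, reworked here as a stand-alone example that can be compiled and exercised. This is added illustration, not Tomcat's or mod_jk's code: copy_uri_bounded, make_uri_of_length, accepts_uri_of_length and copy_matches are hypothetical names, and the only value taken from the project is JK_MAX_URI_LEN. It shows why the check compares the index against JK_MAX_URI_LEN rather than against the buffer size: a 4095-character URI still fits together with its terminating NUL, while a 4096-character one is rejected before any byte lands outside url.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JK_MAX_URI_LEN 4095   /* same limit as jk_uri_worker_map.h */

/*
 * Bounded URI copy (hypothetical name; not the project's code).
 * url must point to JK_MAX_URI_LEN + 1 bytes. The copy stops at the first
 * ';' (path parameters are not part of the worker-mapping key). The bound
 * is checked BEFORE each write, and it fires at index JK_MAX_URI_LEN rather
 * than at the buffer size, so the terminating NUL always has room.
 * Returns the number of bytes copied, or -1 if the input is rejected.
 */
static int copy_uri_bounded(char *url, const char *uri)
{
    size_t i;

    if (uri == NULL || *uri != '/')      /* same precondition the original enforces */
        return -1;

    for (i = 0; uri[i] != '\0' && uri[i] != ';'; i++) {
        if (i == JK_MAX_URI_LEN)         /* the next write would overrun url */
            return -1;
        url[i] = uri[i];
    }
    url[i] = '\0';                       /* i <= JK_MAX_URI_LEN, so in bounds */
    return (int)i;
}

/* Constructed test input: '/' followed by (len - 1) 'a' characters. */
static char *make_uri_of_length(size_t len)
{
    char *uri;

    if (len == 0)
        return NULL;
    uri = malloc(len + 1);
    if (uri == NULL)
        return NULL;
    uri[0] = '/';
    memset(uri + 1, 'a', len - 1);
    uri[len] = '\0';
    return uri;
}

/* 1 if a URI of exactly `len` bytes is accepted by the bounded copy, else 0. */
static int accepts_uri_of_length(size_t len)
{
    char url[JK_MAX_URI_LEN + 1];
    char *uri = make_uri_of_length(len);
    int rc = (uri != NULL) ? copy_uri_bounded(url, uri) : -1;

    free(uri);
    return rc >= 0;
}

/* 1 if `uri` is accepted and the copied result equals `expected`, else 0. */
static int copy_matches(const char *uri, const char *expected)
{
    char url[JK_MAX_URI_LEN + 1];

    return copy_uri_bounded(url, uri) >= 0 && strcmp(url, expected) == 0;
}

int main(void)
{
    printf("path parameter stripped : %d\n",
           copy_matches("/examples/servlet;jsessionid=abc", "/examples/servlet"));
    printf("4095-byte URI accepted  : %d\n", accepts_uri_of_length(4095));
    printf("4096-byte URI accepted  : %d\n", accepts_uri_of_length(4096));
    printf("no leading '/' accepted : %d\n", copy_matches("examples", "examples"));
    return 0;
}
```

The loop also reads uri[i] directly instead of calling strlen(uri) on every iteration, which the original does; that is a performance detail, not a security one, and the bound check is what matters. A useful habit the example encodes is to test both sides of the limit (4095 and 4096 bytes) whenever a fixed-size buffer is involved, since off-by-one errors at exactly the boundary are the classic way such a fix is itself wrong.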

Take Away: Programmers who want to avoid this kind of error should follow SANS Secure Programming Rule 01.1.1:
-------------------------------------------------------------------------------------------------------------

Input Validation - The programmer must securely process inputs from all aspects of the environment, then correctly decode, canonicalize, and validate those inputs.

Source: SANS Secure Coding in C Examination Blueprint (www.sans-ssi.org/ (rest of url)). More granular rules can be found at that URL as well.

References:
-----------

Zero Day Initiative Advisory http://www.zerodayinitiative.com/advisories/ZDI-07-008.html

SANS @RISK Posting http://www.sans.org/newsletters/risk/display.php?v=6&i=10#widely1

Apache Tomcat Homepage http://tomcat.apache.org/

Apache Tomcat Code http://svn.apache.org/viewvc/tomcat/connectors/tags/jk1.2.x/JK_1_2_20/jk/native/common/jk_uri_worker_map.c?revision=513250&view=markup

Secunia Advisory http://secunia.com/advisories/24398/

CVE-2007-0774

The National Vulnerability Database: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0774

============================================================
Copyright 2007, The SANS Institute
You may distribute copies of Software Security @RISK to anyone within your own organization but you may not post it.

______________________________________________________________________

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.