@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software

• (1) CRITICAL: SAP Products Multiple Vulnerabilities
• (2) HIGH: SAP EnjoySAP ActiveX Controls Multiple Buffer Overflows
• (3) HIGH: Fujitsu ServerView Remote Command Execution
• (4) MODERATE: Novell Access Manager Multiple Content Inspection Bypasses

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Other Microsoft Products

• 07.28.1 - Microsoft .Net Framework Null Byte Injection
• 07.28.2 - Microsoft July 2007 Advance Notification Multiple Vulnerabilities
• 07.28.3 - Microsoft Internet Explorer Zone Denial of Service

Third Party Windows Apps

• 07.28.4 - MDaemon Server DomainPOP Messages Denial of Service
• 07.28.5 - HP Photo Digital Imaging HPQVWOCX.DLL Arbitrary File Overwrite
• 07.28.6 - EnjoySAP Multiple ActiveX Controls Multiple Unspecified Vulnerabilities
• 07.28.7 - SAP EnjoySAP RFCGUISink.DLL ActiveX Control Stack Buffer Overflow
• 07.28.8 - SAP EnjoySAP KWEdit.DLL ActiveX Control Stack Buffer Overflow
• 07.28.9 - SAP DB Web Server WAHTTP.EXE Multiple Buffer Overflow Vulnerabilities
• 07.28.10 - HP Instant Support ActiveX Control Driver Check Buffer Overflow

Linux

• 07.28.11 - SILC Toolkit and SILC Client NICK_CHANGE Remote Buffer Overflow
• 07.28.12 - GFax Temporary Files Local Arbitrary Command Execution
• 07.28.13 - SquirrelMail G/PGP Encryption Plug-in Unspecified Remote Command Execution
• 07.28.14 - GNU GLibC LD.SO Mask Dynamic Loader Integer Overflow
• 07.28.15 - SlackRoll Malicious Package Denial of Service
• 07.28.16 - ImLib BMP Image _LoadBMP Function Denial of Service
• 07.28.17 - Linux Kernel USBLCD Memory Consumption Denial of Service
• 07.28.18 - GSAMBAD Insecure Temporary File Creation
• 07.28.19 - Fireflier-Server Insecure Temporary File Creation
• 07.28.20 - Unicon-imc2 Environment Variable Buffer Overflow
• 07.28.21 - flac123 Local__VCentry_Parse_Value() Stack Buffer Overflow

Unix

• 07.28.22 - IBM OS/400 TCP Packet Security Bypass Weakness

Cross Platform

• 07.28.23 - Citrix Presentation Server Client Content-Redirection Denial of Service
• 07.28.24 - SAP Internet Communication Manager Long URI Handling Denial of Service
• 07.28.25 - Yahoo! Messenger 8.1 Unspecified Remote Buffer Overflow
• 07.28.26 - Fujitsu ServerView DBASCIIAccess Remote Command Execution
• 07.28.27 - SAP Message Server Group Parameter Remote Buffer Overflow
• 07.28.28 - Fujitsu PRIMERGY BX300 Blade Server Information Disclosure
• 07.28.29 - GIMP PSD File Integer Overflow
• 07.28.30 - bbs100 Multiple Denial of Service Vulnerabilities
• 07.28.31 - HP TCP/IP Services for OpenVMS User Enumeration Weakness and Security Bypass Vulnerabilities
• 07.28.32 - Mozilla FireFox OnKeyDown Event File Upload
• 07.28.33 - FreeType Bitmap Font Handling Remote Buffer Overflow

Web Application - Cross Site Scripting

• 07.28.34 - SAP Internet Graphics Server PARAMS Cross Site Scripting
• 07.28.35 - NetFlow Analyzer Multiple Cross-Site Scripting Vulnerabilities
• 07.28.36 - OpManager Multiple Cross-Site Scripting Vulnerabilities
• 07.28.37 - Oliver Multiple Cross-Site Scripting Vulnerabilities
• 07.28.38 - LightBlog Add_Comment.PHP Cross-Site Scripting
• 07.28.39 - Claroline $_SERVER['PHP_SELF'] Parameter Multiple Cross-Site Scripting Vulnerabilities
• 07.28.40 - Moodle Index.PHP Cross Site Scripting
• 07.28.41 - PHP-Fusion ShoutBox_Panel.PHP Cross-Site Scripting

Web Application - SQL Injection

• 07.28.42 - Vastal I-Tech PHPVID Categories_Type.PHP SQL Injection
• 07.28.43 - Levent Veysi Portal Oku.ASP SQL Injection
• 07.28.44 - Dating Software eMeeting Online Multiple SQL Injection Vulnerabilities
• 07.28.45 - MKPortal Unspecified SQL Injection
• 07.28.46 - Girlserv Ads Details_News.PHP SQL Injection
• 07.28.47 - SuperCali Index.PHP SQL Injection
• 07.28.48 - PostNuke PNPHPBB2 Module Viewforum.PHP SQL Injection
• 07.28.49 - ArcadeBuilder Cookie Data SQL Injection
• 07.28.50 - Free Domain CO.NR Clone Members.PHP SQL Injection
• 07.28.51 - Efendy Blog Search Field HTML Injection
• 07.28.52 - Easybe 1-2-3 Music Store Process.PHP Script SQL Injection
• 07.28.53 - Buddy Zone Multiple SQL Injection Vulnerabilities
• 07.28.54 - AV Arcade Index.PHP SQL Injection
• 07.28.55 - PHP Director Videos.PHP SQL Injection
• 07.28.56 - Wheatblog Login SQL Injection
• 07.28.57 - TotalCalendar View_Event Script SQL Injection
• 07.28.58 - HispaH Youtube Clone MSG.PHP Script SQL Injection
• 07.28.59 - PHPEventCalendar Eventdisplay.PHP Script SQL Injection
• 07.28.60 - Coppermine Photo Gallery Album Password Cookie SQL Injection
• 07.28.61 - Buddy Zone View_Sub_Cat.PHP SQL Injection

Web Application

• 07.28.62 - AsteriDex CallBoth.PHP Remote Command Execution
• 07.28.63 - FarsiNews Admin.PHP Arbitrary File Upload
• 07.28.64 - Zen Cart Session Fixation
• 07.28.65 - Maia Mailguard Login.PHP Multiple Local File Include Vulnerabilities
• 07.28.66 - Elite Bulletin Board Multiple Input Validation Vulnerabilities
• 07.28.67 - MyCMS Multiple Input Validation Vulnerabilities
• 07.28.68 - MySQLDumper Apache Access Control Authentication Bypass
• 07.28.69 - LightBlog Main.PHP Arbitrary File Upload
• 07.28.70 - ETicket SERVER[REQUEST_URI] Parameter Multiple HTML Injection Vulnerabilities
• 07.28.71 - Liesbeth Base CMS Information Disclosure
• 07.28.72 - Esqlanelapse Multiple Unspecified Vulnerabilities
• 07.28.73 - Gorki Online Santrac Sitesi Uyeler.ASP Multiple HTML Injection Vulnerabilities
• 07.28.74 - AV Arcade Cookie[ava_userid] Authentication Bypass
• 07.28.75 - XCMS Multiple Local File Include Vulnerabilities
• 07.28.76 - SPHPell Multiple Remote File Include Vulnerabilities
• 07.28.77 - Ripe Website Manager Multiple Remote File Include and Information Disclosure Vulnerabilities
• 07.28.78 - WebApp.org and WebApp.net Multiple Input Validation Vulnerabilities
• 07.28.79 - GL-SH Deaf Board Multiple Local File Include Vulnerabilities
• 07.28.80 - W3Filer Banner Handling Remote Buffer Overflow

Network Device

• 07.28.81 - Yoggie Pico and Pico Pro Backticks Remote Code Execution

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 28, 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5465 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 07.28.1 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft .Net Framework Null Byte Injection
• Description: Microsoft .NET Framework is exposed to a NULL byte injection issue because it fails to adequately sanitize user-supplied data. The application fails to filter out "%00" NULL byte characters from attacker-supplied URI requests. Microsoft .NET Framework versions 1.0, 1.1 and 2.0 are affected.
• Ref: http://www.securityfocus.com/bid/24791

• 07.28.2 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft July 2007 Advance Notification Multiple Vulnerabilities
• Description: Microsoft has released advance notification of 6 security bulletins that will be released on July 10, 2007. The highest severity rating for these bulletins is "Critical". The bulletins are as follows: Three critical bulletins affecting Windows, Office/Excel, and .NET Framework; Two important bulletins affecting Office/Publisher, and Windows XP Professional; One moderate bulletin affecting Windows Vista. Further details about these bulletins are not currently available. Individual BIDs will be created for each issue.
• Ref: http://www.securityfocus.com

• 07.28.3 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Zone Denial of Service
• Description: Microsoft Internet Explorer is exposed to a denial of service issue because the application fails to handle exceptional conditions. The issue occurs when handling domain names with different parameter values than those specified in the Intranet Zone and Restricted Zones. The differing parameter values can be specified using malicious meta character data in a specially crafted HTML document. Internet Explorer versions 6 and 7 are affected.
• Ref: http://www.secniche.org/advisory/Internet_Dos_Adv.pdf

• 07.28.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: MDaemon Server DomainPOP Messages Denial of Service
• Description: MDaemon Server is a windows-based email server. The application is exposed to a remote denial of service issue because it fails to handle exceptional conditions. MDaemon Server versions prior to version 9.61 are affected.
• Ref: http://www.securityfocus.com/bid/24787

• 07.28.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: HP Photo Digital Imaging HPQVWOCX.DLL Arbitrary File Overwrite
• Description: The "hpqvwocx.dll" ActiveX control is part of HP's Photo Digital Imaging application. The ActiveX control is exposed to an issue that lets attackers overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer). This issue occurs because the application fails to sanitize user-supplied input to the "SaveToFile" method of the "hpqvwocx.dll" library. HP Photo Digital Imaging version 2.1.0.556 is affected.
• Ref: http://support.microsoft.com/kb/240797

• 07.28.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: EnjoySAP Multiple ActiveX Controls Multiple Unspecified Vulnerabilities
• Description: EnjoySAP is a GUI application for SAP software. The application is exposed to multiple unspecified issues affecting multiple ActiveX controls. These issues include multiple denial of service issues, buffer overflow issues, and other issues that can result in arbitrary files being created on an affected computer.
• Ref: http://support.microsoft.com/kb/240797

• 07.28.7 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: SAP EnjoySAP RFCGUISink.DLL ActiveX Control Stack Buffer Overflow
• Description: EnjoySAP is a GUI application for SAP software. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input.
• Ref: http://www.securityfocus.com/bid/24777

• 07.28.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: SAP EnjoySAP KWEdit.DLL ActiveX Control Stack Buffer Overflow
• Description: EnjoySAP is a GUI application for SAP software. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input.
• Ref: http://www.securityfocus.com/archive/1/472887

• 07.28.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: SAP DB Web Server WAHTTP.EXE Multiple Buffer Overflow Vulnerabilities
• Description: SAP DB Web Server is an open source webserver developed by SAP. The application is exposed to multiple buffer overflow issues because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer.
• Ref: http://www.securityfocus.com/archive/1/472891

• 07.28.10 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: HP Instant Support ActiveX Control Driver Check Buffer Overflow
• Description: HP Instant Support is an ActiveX control that is used for system administration. The application is exposed to a buffer overflow issue because it fails to adequately bounds check user-supplied input before copying it to an insufficiently sized memory buffer.
• Ref: http://support.microsoft.com/kb/240797

• 07.28.11 - CVE: Not Available
• Platform: Linux
• Title: SILC Toolkit and SILC Client NICK_CHANGE Remote Buffer Overflow
• Description: SILC Toolkit is an application development framework to implement secure conferencing services using the SILC protocol, which supports AES, SHA-1, PKCS#1, PKCS#3, X.509, and OpenPGP. SILC Client is a client application to connect to SILC networks. The application is exposed to a remote buffer overflow issue because they fail to perform adequate boundary checks on user-supplied input before copying it into an insufficiently sized memory buffer. SILC Toolkit and SILC Client versions prior to 1.1.2 are affected.
• Ref: http://www.securityfocus.com/bid/24795

• 07.28.12 - CVE: CVE-2007-2839
• Platform: Linux
• Title: GFax Temporary Files Local Arbitrary Command Execution
• Description: GFAX is a front-end application for fax programs running on the GNOME desktop manager. The application is exposed to a local arbitrary command execution issue that resides in the "src/mgetty_setup.c" file because it fails to safely create and use temporary files. GFAX version 0.7.6 is affected.
• Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=431893

• 07.28.13 - CVE: Not Available
• Platform: Linux
• Title: SquirrelMail G/PGP Encryption Plug-in Unspecified Remote Command Execution
• Description: The G/PGP encryption plug-in for SquirrelMail provides encryption, decryption, and digital signature within the SquirrelMail Web mail system. Squirrelmail version 1.4.10a and G/PGP Plugin version 2.0 are affected.
• Ref: http://www.securityfocus.com/bid/24782

• 07.28.14 - CVE: CVE-2007-3508
• Platform: Linux
• Title: GNU GLibC LD.SO Mask Dynamic Loader Integer Overflow
• Description: GNU glibc is the C Library used by the Linux kernel and other operating platforms. The library is exposed to an integer overflow issue because it fails to properly ensure that integer math operations do not result in overflow. GNU glibc versions 2.5 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24758

• 07.28.15 - CVE: Not Available
• Platform: Linux
• Title: SlackRoll Malicious Package Denial of Service
• Description: SlackRoll is an upgrade and package manager for Slackware Linux. The application is exposed to a denial of service issue because the application allows malicious packages to end up in the package cache in certain circumstances. SlackRoll versions 9 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24739

• 07.28.16 - CVE: Not Available
• Platform: Linux
• Title: ImLib BMP Image _LoadBMP Function Denial of Service
• Description: ImLib is an open source graphics library available for the Linux and Unix operating systems. The application is exposed to a denial of service issue because the application fails to properly process certain BMP image files. Imlib version 1.9.15 is affected.
• Ref: http://www.securityfocus.com/bid/24750

• 07.28.17 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel USBLCD Memory Consumption Denial of Service
• Description: The Linux Kernel is exposed to a denial of service issue that affects the "usblcd" device because it fails to limit memory consumption by "fast writers". The Linux Kernel versions prior to 2.6.22-rc7 are affected.
• Ref: http://www.securityfocus.com/bid/24734

• 07.28.18 - CVE: CVE-2007-2838
• Platform: Linux
• Title: GSAMBAD Insecure Temporary File Creation
• Description: GSAMBAD is a front end configuration tool for the SAMBA file and print server. The application creates temporary files in an insecure manner. All versions of GSAMBAD are affected.
• Ref: http://www.securityfocus.com/bid/24717

• 07.28.19 - CVE: CVE-2007-2837
• Platform: Linux
• Title: Fireflier-Server Insecure Temporary File Creation
• Description: Fireflier-Server application is an interactive firewall rule creation tool for Linux systems. The application creates temporary files in an insecure manner. An attacker with local access may be able to remove arbitrary files from the local system. Fireflier versions 1.1.5 and 1.1.6 are affected.
• Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=431332

• 07.28.20 - CVE: CVE-2007-2835
• Platform: Linux
• Title: Unicon-imc2 Environment Variable Buffer Overflow
• Description: unicon-imc2 is a Chinese input method library and API. The application is exposed to a local buffer overflow issue because it fails to perform boundary checks before copying user-supplied data into sensitive process buffers. unicon-imc2 version 3.0.4 is affected.
• Ref: http://www.securityfocus.com/bid/24719

• 07.28.21 - CVE: Not Available
• Platform: Linux
• Title: flac123 Local__VCentry_Parse_Value() Stack Buffer Overflow
• Description: flac123 is a command-line application for playing FLAC audio files. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks when parsing "vorbis comments". flac123 version 0.0.9 is affected.
• Ref: http://www.securityfocus.com/bid/24712

• 07.28.22 - CVE: Not Available
• Platform: Unix
• Title: IBM OS/400 TCP Packet Security Bypass Weakness
• Description: IBM OS/400 is exposed to a weakness that may allow certain TCP packets to bypass security rules. IBM has reported that the vulnerable computer does not drop or discard TCP packets that have the TCP SYN and FIN flags set. This violation can be used to bypass firewall and intrusion detection rules if the security applications strictly adhere to the assumption that RFC 793 would not be violated and thus lack proper handling of error and exceptional conditions. Ref: http://www-1.ibm.com/support/docview.wss?uid=nas2742405285431729b86256e620067dc17

• 07.28.23 - CVE: Not Available
• Platform: Cross Platform
• Title: Citrix Presentation Server Client Content-Redirection Denial of Service
• Description: The Citrix Presentation Server Client is an ICA client application that includes Citrix support. The application is exposed to a denial of service issue that occurs in the Program Neighborhood Agent when attempting to access a file using content redirection. Citrix Presentation Server Client versions prior to 10.100 are affected.
• Ref: http://www.securityfocus.com/bid/24790

• 07.28.24 - CVE: Not Available
• Platform: Cross Platform
• Title: SAP Internet Communication Manager Long URI Handling Denial of Service
• Description: SAP Web Application Server is a component of NetWeaver that acts as a web application server for other SAP products. Internet Communication Manager (ICM) enables Web Application Server to communicate with the outside world over HTTP, HTTPS and SMTP. The application is exposed to a remote denial of service issue because of how it handles excessively long URI requests when configured as a web cache.
• Ref: http://www.securityfocus.com/archive/1/472890

• 07.28.25 - CVE: Not Available
• Platform: Cross Platform
• Title: Yahoo! Messenger 8.1 Unspecified Remote Buffer Overflow
• Description: Yahoo! Messenger is a freely available chat client distributed and maintained by Yahoo!. The application is exposed to an unspecified buffer overflow issue because it fails to perform sufficient bounds checking of user-supplied input before copying it to an insufficiently sized memory buffer. Yahoo! Messenger version 8.1 is affected.
• Ref: http://www.securityfocus.com/bid/24784

• 07.28.26 - CVE: CVE-2007-3011
• Platform: Cross Platform
• Title: Fujitsu ServerView DBASCIIAccess Remote Command Execution
• Description: Fujitsu ServerView is an asset management tool that provides automated analysis and version maintenance functionality to enterprise networks. The application is exposed to a remote command execution issue because it fails to adequately sanitize user-supplied data. Fujitsu ServerView versions prior to 4.50.09 are affected.
• Ref: http://www.securityfocus.com/archive/1/472800

• 07.28.27 - CVE: Not Available
• Platform: Cross Platform
• Title: SAP Message Server Group Parameter Remote Buffer Overflow
• Description: SAP Message Server is software that allows communication between SAP application servers. The application is exposed to a remote heap-based buffer overflow issue that occurs because the application fails to perform adequate boundary checks on user-supplied data before copying it to an insufficiently sized buffer.
• Ref: http://www.securityfocus.com/archive/1/472888

• 07.28.28 - CVE: CVE-2007-3012
• Platform: Cross Platform
• Title: Fujitsu PRIMERGY BX300 Blade Server Information Disclosure
• Description: Fujitsu PRIMERGY BX300 is a set of up to 20 individual blade computers in a three-unit rack (3U) space of a single 19-inch rack. The application is exposed to a remote information disclosure issue because the device fails to properly authenticate users prior to granting access to sensitive information.
• Ref: http://www.securityfocus.com/archive/1/472803

• 07.28.29 - CVE: CVE-2007-2949
• Platform: Cross Platform
• Title: GIMP PSD File Integer Overflow
• Description: GIMP is a free image manipulation application, written for multiple operating systems. The application is exposed to an integer overflow issue because it fails to properly bounds check user-supplied input data before copying it to an insufficiently sized memory buffer. GIMP version 2.2.15 is affected.
• Ref: http://secunia.com/secunia_research/2007-63/advisory/

• 07.28.30 - CVE: Not Available
• Platform: Cross Platform
• Title: bbs100 Multiple Denial of Service Vulnerabilities
• Description: bbs100 is a BBS server. The application is exposed to multiple denial of service issues. bbs100 versions prior to 3.2 are affected. Please refer to the link below for further information.
• Ref: http://www.securityfocus.com/bid/24747

• 07.28.31 - CVE: Not Available
• Platform: Cross Platform
• Title: HP TCP/IP Services for OpenVMS User Enumeration Weakness and Security Bypass Vulnerabilities
• Description: TCP/IP Services for OpenVMS is a series of services, including POP3, IMAP, HTTP and others. The application is exposed to multiple issues that include a user enumeration weakness and a security bypass issue. TCP/IP Services version 5.6 for OpenVMS is affected.
• Ref: http://www.securityfocus.com/bid/24751

• 07.28.32 - CVE: Not Available
• Platform: Cross Platform
• Title: Mozilla FireFox OnKeyDown Event File Upload
• Description: Mozilla FireFox is exposed to an information disclosure issue due to a design error. All versions of FireFox are affected.
• Ref: http://www.securityfocus.com/bid/24725

• 07.28.33 - CVE: Not Available
• Platform: Cross Platform
• Title: FreeType Bitmap Font Handling Remote Buffer Overflow
• Description: FreeType is a digital typography application available for multiple operating platforms. The application is exposed to a remote buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. FreeType versions prior to 2.3.4 are affected.
• Ref: http://www.securityfocus.com/bid/24708

• 07.28.34 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: SAP Internet Graphics Server PARAMS Cross Site Scripting
• Description: The Internet Graphics Server (IGS) is a subcomponent of the SAP R/3 enterprise environment, which is accessible over HTTP via a minimalist webserver component. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "PARAMS" parameter of the "ADM:GETLOGFILE" script.
• Ref: http://www.securityfocus.com/bid/24775

• 07.28.35 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: NetFlow Analyzer Multiple Cross-Site Scripting Vulnerabilities
• Description: NetFlow Analyzer is web-based bandwidth analyzer. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. NetFlow Analyzer version 5 is affected.
• Ref: http://www.securityfocus.com/bid/24766

• 07.28.36 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: OpManager Multiple Cross-Site Scripting Vulnerabilities
• Description: OpManager is a network monitoring application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. AdventNet ManageEngine OpManager versions 6 and 7 are affected.
• Ref: http://www.securityfocus.com/bid/24767

• 07.28.37 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Oliver Multiple Cross-Site Scripting Vulnerabilities
• Description: Oliver is a web-based library management application for schools. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input when malicious data is passed.
• Ref: http://www.securityfocus.com/bid/24754

• 07.28.38 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: LightBlog Add_Comment.PHP Cross-Site Scripting
• Description: LightBlog is a blogging application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "id" parameter of the "add_comment.php" script. LightBlog versions prior to 6 are affected.
• Ref: http://www.securityfocus.com/archive/1/470673

• 07.28.39 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Claroline $_SERVER['PHP_SELF'] Parameter Multiple Cross-Site Scripting Vulnerabilities
• Description: Claroline is a collaborative-learning application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. This issue occurs when malicious data is passed via the "$_SERVER['PHP_SELF']" parameter of "index.php" and other unspecified scripts. Claroline versions prior to 1.8.4 are affected.
• Ref: http://www.securityfocus.com/bid/24742

• 07.28.40 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Moodle Index.PHP Cross Site Scripting
• Description: Moodle is a content manager for online courseware and e-learning. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "search" parameter of the "/usr/index.php" script. Moodle version 1.7.1 is affected.
• Ref: http://www.securityfocus.com/bid/24748

• 07.28.41 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: PHP-Fusion ShoutBox_Panel.PHP Cross-Site Scripting
• Description: PHP-Fusion is a content management system. The application is exposed to a cross-site scripting issue due to a failure in the application to properly sanitize user-supplied input to the "FUSION_QUERY" parameter of the "infusions/shoutbox_panel/shoutbox_panel.php" script. PHP-Fusion version 6.01.10 is affected.
• Ref: http://www.securityfocus.com/bid/24733

• 07.28.42 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Vastal I-Tech PHPVID Categories_Type.PHP SQL Injection
• Description: phpVID is a web-based video sharing application. The application is exposed to a SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat" parameter of the "categories_type.php" script before using it in an SQL query. phpVID version 0.9.9 is affected.
• Ref: http://www.securityfocus.com/bid/24788

• 07.28.43 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Levent Veysi Portal Oku.ASP SQL Injection
• Description: Levent Veysi Portal is a web-portal application implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "oku.asp" script before using it in an SQL query. Levent Veysi Portal version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/24794

• 07.28.44 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Dating Software eMeeting Online Multiple SQL Injection Vulnerabilities
• Description: phpRaider is a web-based application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "b.php" and "gallery.php" scripts. Dating Software eMeeting Online version 5.2 is affected.
• Ref: http://www.securityfocus.com/bid/24786

• 07.28.45 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: MKPortal Unspecified SQL Injection
• Description: MKPortal is a content management application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to an unspecified parameter and script before using it in SQL queries. MKPortal version 1.1.1 is affected.
• Ref: http://www.securityfocus.com/bid/24783

• 07.28.46 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Girlserv Ads Details_News.PHP SQL Injection
• Description: Girlserv Ads is a web-based advertisement application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "idnew" parameter of the "details_news.php" script before using it in an SQL query. Girlserv Ads version 1.5 is affected.
• Ref: http://www.securityfocus.com/bid/24755

• 07.28.47 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: SuperCali Index.PHP SQL Injection
• Description: SuperCali is a web-based event calendar application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "o" parameter of the "index.php" script before using it in an SQL query. SuperCali version 4.0 is affected.
• Ref: http://www.securityfocus.com/bid/24756

• 07.28.48 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: PostNuke PNPHPBB2 Module Viewforum.PHP SQL Injection
• Description: The PNPHPBB2 module is a PHPBB forum for the PostNuke content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "order" parameter of the "viewforum.php" script before using it in an SQL query. PNPHPBB2 versions 1.2i and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24760

• 07.28.49 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: ArcadeBuilder Cookie Data SQL Injection
• Description: ArcadeBuilder is an arcade game content management system (CMS). The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied "Content" cookie data before using it in an SQL query. ArcadeBuilder version 1.7 is affected.
• Ref: http://www.securityfocus.com/bid/24731

• 07.28.50 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Free Domain CO.NR Clone Members.PHP SQL Injection
• Description: Free Domain CO.NR Clone is a domain redirection script. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "logindomain" parameter of the "members.php" script before using it in an SQL query. Free Domain CO.NR Clone version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/24737

• 07.28.51 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Efendy Blog Search Field HTML Injection
• Description: Efendy Blog is a web-log application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the search field before using it in dynamically generated content. Efendy Blog version 1.0 is affected.
• Ref: http://www.securityfocus.com/bid/24738

• 07.28.52 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Easybe 1-2-3 Music Store Process.PHP Script SQL Injection
• Description: 1-2-3 Music Store is a web-based application. It allows vendors to sell music. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "CategoryID" variable of the "process.php" script. All versions of 1-2-3 Music Store are affected.
• Ref: http://www.securityfocus.com/bid/24723

• 07.28.53 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Buddy Zone Multiple SQL Injection Vulnerabilities
• Description: Buddy Zone is a community and social network application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Buddy Zone versions 1.5 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24726

• 07.28.54 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: AV Arcade Index.PHP SQL Injection
• Description: AV Arcade is a web-based arcade application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script before using it in an SQL query. AV Arcade version 2.1b is affected.
• Ref: http://www.securityfocus.com/bid/24728

• 07.28.55 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: PHP Director Videos.PHP SQL Injection
• Description: PHP Directory is a content management system (CMS). The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "videos.php" script before using it in an SQL query. PHP Directory version 0.21 is affected.
• Ref: http://www.securityfocus.com/bid/24729

• 07.28.56 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Wheatblog Login SQL Injection
• Description: Wheatblog is a content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data during logins. Wheatblog version 1.1 is affected.
• Ref: http://www.securityfocus.com/bid/24715

• 07.28.57 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: TotalCalendar View_Event Script SQL Injection
• Description: TotalCalendar is a web-based calendar and scheduling application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" variable of the "view_event.php" script. TotalCalendar version 2.402 is affected.
• Ref: http://www.securityfocus.com/bid/24716

• 07.28.58 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: HispaH Youtube Clone MSG.PHP Script SQL Injection
• Description: HispaH Youtube Clone is a web-based application that allows users to build sites that are similar to YouTube. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" variable of the "msg.php" script. All versions of Youtube Clone are affected.
• Ref: http://www.securityfocus.com/bid/24720

• 07.28.59 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: PHPEventCalendar Eventdisplay.PHP Script SQL Injection
• Description: phpEventCalendar is a web-based calendar application. It is implemented in PHP and runs on Unix and Linux variants as well as Microsoft Windows platforms. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" variable of the "eventdisplay.php" script. phpEventCalendar versions 0.2.3 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24721

• 07.28.60 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Coppermine Photo Gallery Album Password Cookie SQL Injection
• Description: Coppermine Photo Gallery is a web-based photo gallery application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied cookie data to the "album password" cookie parameter of an unspecified script. Coppermine Photo Gallery versions prior to 1.4.11 are affected.
• Ref: http://www.securityfocus.com/bid/24710

• 07.28.61 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Buddy Zone View_Sub_Cat.PHP SQL Injection
• Description: Buddy Zone is a community and social network application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat_id" parameter of the "view_sub_cat.php" script. Buddy Zone version 1.5 is affected.
• Ref: http://www.securityfocus.com/bid/24711

• 07.28.62 - CVE: Not Available
• Platform: Web Application
• Title: AsteriDex CallBoth.PHP Remote Command Execution
• Description: AsteriDex is a digital rolodex for Asterisk and Trixbox PBXs. The application is exposed to a remote command execution issue because it fails to adequately sanitized user-supplied data. AsteriDex version 3.0 is affected.
• Ref: http://www.securityfocus.com/archive/1/472907

• 07.28.63 - CVE: Not Available
• Platform: Web Application
• Title: FarsiNews Admin.PHP Arbitrary File Upload
• Description: FarsiNews is a web-based news script. The application is exposed to an arbitrary file upload issue because it fails to sufficiently sanitize user-supplied input to the "mod" parameter of the "admin.php" script. FarsiNews version 3.0 Beta is affected.
• Ref: http://www.securityfocus.com/bid/24764

• 07.28.64 - CVE: Not Available
• Platform: Web Application
• Title: Zen Cart Session Fixation
• Description: Zen Cart is an e-commerce shopping card application. The application is exposed to a session fixation issue due to a design error in the application. Zen Cart version 1.3.7 is affected.
• Ref: http://www.securityfocus.com/bid/24768

• 07.28.65 - CVE: Not Available
• Platform: Web Application
• Title: Maia Mailguard Login.PHP Multiple Local File Include Vulnerabilities
• Description: Maia Mailguard is an email scanner and virus scanner application. The application is exposed to multiple local file include issues because it fails to properly sanitize user-supplied input to the "lang", "prevlang" and "super" parameters of the "login.php" script. Maia Mailguard versions 1.0.2 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24770

• 07.28.66 - CVE: Not Available
• Platform: Web Application
• Title: Elite Bulletin Board Multiple Input Validation Vulnerabilities
• Description: Elite Bulletin Board is a web-based bulletin board. The application is exposed to multiple input validation issues because the application fails to sufficiently sanitize user-supplied data. Elite Bulletin Board versions prior to 1.0.10 are affected.
• Ref: http://www.securityfocus.com/bid/24763

• 07.28.67 - CVE: Not Available
• Platform: Web Application
• Title: MyCMS Multiple Input Validation Vulnerabilities
• Description: MyCMS is a content management application. The application is exposed to multiple input validation issues that affect the application. MyCMS versions 0.9.8 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24757

• 07.28.68 - CVE: Not Available
• Platform: Web Application
• Title: MySQLDumper Apache Access Control Authentication Bypass
• Description: MySQLDumper is an open source backup application. The application is exposed to an authentication bypass issue due to a configuration error in the apache access control files.
• Ref: http://www.securityfocus.com/archive/1/472756

• 07.28.69 - CVE: Not Available
• Platform: Web Application
• Title: LightBlog Main.PHP Arbitrary File Upload
• Description: LightBlog is a blogging application. The application is exposed to an arbitrary file upload issue because it fails to sufficiently sanitize user-supplied input. It affects the "$_FILES['image']['name']" parameter used by the "main.php" script. LightBlog version 6.8 is affected.
• Ref: http://www.securityfocus.com/bid/24752

• 07.28.70 - CVE: Not Available
• Platform: Web Application
• Title: ETicket SERVER[REQUEST_URI] Parameter Multiple HTML Injection Vulnerabilities
• Description: eTicket is a web-based ticket management application. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. eTicket version 1.5.1.1 is affected.
• Ref: http://www.securityfocus.com/bid/24740

• 07.28.71 - CVE: Not Available
• Platform: Web Application
• Title: Liesbeth Base CMS Information Disclosure
• Description: Liesbeth Base CMS is a content manager application. The application is exposed to an information disclosure issue because of a design error and presents itself when an attacker sends a GET request for "config.inc" which returns sensitive information to the attacker.
• Ref: http://www.securityfocus.com/bid/24749

• 07.28.72 - CVE: Not Available
• Platform: Web Application
• Title: Esqlanelapse Multiple Unspecified Vulnerabilities
• Description: Esqlanelapse is a web-based application. The application is exposed to multiple unspecified issues. Esqlanelapse versions prior to 2.6 are affected. Please refer to the link below for further information.
• Ref: http://www.securityfocus.com/bid/24732

• 07.28.73 - CVE: Not Available
• Platform: Web Application
• Title: Gorki Online Santrac Sitesi Uyeler.ASP Multiple HTML Injection Vulnerabilities
• Description: Gorki Online Santrac Sitesi is a web-based application. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
• Ref: http://www.securityfocus.com/bid/24735

• 07.28.74 - CVE: Not Available
• Platform: Web Application
• Title: AV Arcade Cookie[ava_userid] Authentication Bypass
• Description: AV Arcade is an arcade game content management system. The application is exposed to an authentication bypass issue because it fails to adequately authenticate users. An attacker can gain administrative access to the application by setting the "COOKIE[ava_userid]" cookie parameter to "1". AV Arcade version 2.1b is affected.
• Ref: http://www.securityfocus.com/bid/24736

• 07.28.75 - CVE: Not Available
• Platform: Web Application
• Title: XCMS Multiple Local File Include Vulnerabilities
• Description: XCMS is a content management system. The application is exposed to multiple local file include issues because it fails to sufficiently sanitize user-supplied to the "ent" and "lang" parameters of the "galerie.php" script. XCMS versions 1.1 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24724

• 07.28.76 - CVE: Not Available
• Platform: Web Application
• Title: SPHPell Multiple Remote File Include Vulnerabilities
• Description: SPHPell is a spell checker application. It is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "SpellIncPath" parameter of "checkpageinc.php", "spellchecktext.php", "spellcheckwindow.php" and "spellcheckwindowframeset.php". SPHPell version 1.01 is affected.
• Ref: http://www.securityfocus.com/bid/24727

• 07.28.77 - CVE: Not Available
• Platform: Web Application
• Title: Ripe Website Manager Multiple Remote File Include and Information Disclosure Vulnerabilities
• Description: Ripe Website Manager is a content manager application. The application is exposed to multiple remote issues which include: multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "level" parameter of the scripts "admin/includes/admin_header.php" and "admin/includes/author_panel_header.php"; and an information disclosure issue because of a design error. Ripe Website Manager versions 0.8.9 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/24722

• 07.28.78 - CVE: CVE-2006-7186, CVE-2006-7187, CVE-2006-7188,CVE-2006-7189, CVE-2006-7190
• Platform: Web Application
• Title: WebApp.org and WebApp.net Multiple Input Validation Vulnerabilities
• Description: WebApp.org and WebApp.net are web portal applications implemented in Perl. The applications are exposed to multiple input validation issues because the application fails to sufficiently sanitize user-supplied input.
• Ref: http://www.securityfocus.com/bid/24714

• 07.28.79 - CVE: Not Available
• Platform: Web Application
• Title: GL-SH Deaf Board Multiple Local File Include Vulnerabilities
• Description: GL-SH Deaf Board is a bulletin board. The application is exposed to multiple local file include issues because it fails to sufficiently sanitize user-supplied input to the "FORUM_LANGUAGE" parameter of the "functions.php" script and the "style" parameter of the "bottom.php" script. GL-SH Deaf Board version 6.4.4 is affected.
• Ref: http://www.securityfocus.com/bid/24707

• 07.28.80 - CVE: Not Available
• Platform: Web Application
• Title: W3Filer Banner Handling Remote Buffer Overflow
• Description: W3Filer is a web-based file transfer client that supports FTP and HTTP protocols. The application is exposed to a remote buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. W3Filer versions 2.1.3 is affected.
• Ref: http://www.securityfocus.com/bid/24709

• 07.28.81 - CVE: Not Available
• Platform: Network Device
• Title: Yoggie Pico and Pico Pro Backticks Remote Code Execution
• Description: Yoggie Pico and Pico Pro are security appliances developed by Yogi. The application is exposed to a remote code execution issue because the device fails to sanitize user-supplied input when passing data through the web interface.
• Ref: http://www.securityfocus.com/bid/24743

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner

===================================== SANS CRITICAL INTERNET THREATS 2007 =====================================

SANS Critical Internet Threats research is undertaken annually and provides the basis for the SANS "Top-20" report. The "Top-20" report describes the most serious internet security threats in detail, and provides the steps to identify and mitigate these threats.

The "Top-20" began its life as a research study undertaken jointly between the SANS Institute and the National Infrastructure Protection Centre (NIPC) at the FBI. Today thousands of organizations from all spheres of industry are using the "Top-20" as a definitive list to prioritize their security efforts.

The 2007 Top-20 will once again create the experts' consensus on threats - - the result of a process that brings together security experts, leaders, researchers and visionaries from the most security-conscious federal agencies in the US, UK and around the world; the leading security software vendors and consulting firms; the university-based security programs; many other user organizations; and the SANS Institute.

For reference a copy of the 2006 paper is available online: http://www.sans.org/top20.htm. *A list of participants may be found in the Appendix.

CALL FOR SECURITY & ASSURANCE EXPERTS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you are an administrator/CSO/vulnerability researcher (or similar roles) and are interested in the Top-20 2007 research please contact the Project Manager, Rohit Dhamankar (dhamankar@sans.org), with the following details:

. Your Name . The Organization you represent and your role . Contact Details (inc. email and phone) . A brief description of your security specialty

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.