
@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 30
July 23, 2007

This week's most critical new vulnerabilities were found in Oracle and in Trillian, an instant messaging client that supports AIM, ICQ, MSN, Yahoo Messenger, and IRC. Proof-of-concept code has been published for the Trillian flaw, but the company that sells it, Cerulean Studios, has not confirmed that the flaw exists. The Oracle flaws include remote code execution, SQL injection, cross-site scripting and information disclosure vulnerabilities. Computer Associates' security and backup tools also have multiple newly discovered vulnerabilities, as does Firefox.

Despite the flaws it announced this week, Oracle, more than any other software company except Microsoft, seems to be on the way to improving its secure programming tools and, particularly the secure coding skills of its programmers. More than 150 companies that are developing secure coding programs are coming to Washington in three weeks to hear VISA clarify the application security requirements in the PCI standard, and to hear application security pioneers from Morgan Stanley, Cisco, LexisNexis, Oracle, Honeywell, Sovereign Bank, Depository Trust, Polk, TSA, Ounce, SpiDynamics, TippingPoint, and the FBI share the lessons they learned in establishing their secure application development programs: how to manage outsourced application development securely; how to get the developers engaged; how to pick the right tools; how to train and test programmer skills and much more. If you are building an application security program and/or if you are subject to PCI, attending the Application Security Summit will save you months of research and will help you avoid the pitfalls that have hurt other programs. Agenda and registration: http://www.sans.org/appsummit07 Companies attending the Summit also get scholarships for two of their programmers to participate in the Secure Software Certification Examinations (in Java and in C) the day before the Summit. Details: http://www.sans.org/gssp07/ Questions: email apaller@sans.org.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    ------------------------                  ------------------------------
    Other Microsoft Products                  1
    Third Party Windows Apps                  5 (#1, #4, #5, #7)
    Mac Os                                    1 (#8)
    Linux                                     5
    Cross Platform                            19 (#2, #3, #6)
    Web Application - Cross Site Scripting    3
    Web Application - SQL Injection           18
    Web Application                           13 (#9)

************************** Sponsored By SANS ****************************

Do you know common security flaws? Can you find them in your code and correct them? Be one of the first to pass the GSSP Exams in C and Java. Check out the test blueprints, try the sample tests and look at the test specs. Then sign up for one of only 100 pilot test openings. Register at: http://www.sans.org/info/11591

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

************************* Sponsored Links: ****************************

1) Register NOW for any SANS OnDemand course and receive 10% off http://www.sans.org/info/11596 Discount code: NL_OD15

2) Spend Year End money with SANS Vouchers http://www.sans.org/info/11601

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Cerulean Studios Trillian URI Handling Vulnerabilities
  • Affected:
    • Cerulean Studios Trillian versions prior to 3.1.6.0
  • Description: Cerulean Studios Trillian, a popular multi-protocol instant messaging client for Microsoft Windows, contains multiple flaws in its handling of URIs. Trillian registers itself as the handler for multiple URI schemes, including "aim:". URIs using the "aim:" scheme are used to initiate an AOL Instant Messenger session. A specially crafted or overlong URI using this scheme and passed to Trillian could trigger a command execution or buffer overflow vulnerability. In either case, a specially crafted web page or email message would be able to execute arbitrary code with the privileges of the current user. Depending upon configuration, users may or may not be notified that Trillian is being invoked to handle a URI when a link is clicked. Some technical details and two proofs-of-concept are available for these vulnerabilities.

  • Status: Cerulean Studios has not confirmed, no updates available.

  • Council Site Actions: The affected software and/or configuration is not in production or widespread use, or is not officially supported at any of the responding council sites. They reported that no action was necessary.

  • References:
  • (3) HIGH: Mozilla Products Multiple Vulnerabilities
  • Affected:
    • Products based on the Mozilla suite, including:
    • Mozilla Firefox versions prior to 2.0.0.5
    • Mozilla Thunderbird versions prior to 2.0.0.5
    • Mozilla Seamonkey is believed to also be vulnerable, but this has not been confirmed.
  • Description: The Mozilla Firefox web browser contains multiple vulnerabilities. Flaws in the handling of JavaScript scripts (or other DOM scripting methods) could allow a malicious web page to execute arbitrary code with the privileges of the current user, or perform cross-site scripting attacks. It is believed that the Mozilla Thunderbird email client is also vulnerable when configured to execute JavaScript scripts in email messages. Note that this is not the default configuration for Thunderbird. Because the affected products are open source, technical details for these vulnerabilities could be obtained via source code analysis.
  • Status: Mozilla confirmed, updates available. Council Site Status: Most of the reporting council sites do not officially support Firefox; however, they do have a growing number of Firefox users. Most of their users tend to have the auto-update feature enabled. Users will be notified of the issue to ensure updates take place.

  • References:
  • (4) HIGH: Computer Associates Alert Notification Server Multiple Buffer Overflows
  • Affected:
    • CA Threat Manager for the Enterprise
    • CA Anti-Virus for the Enterprise
    • CA Protection Suites
    • BrightStor ARCserve Backup version r11.5
    • BrightStor ARCserve Backup version r11.1
    • BrightStor ARCserve Backup version r11 for Windows
    • BrightStor Enterprise Backup version r10.5
    • BrightStor ARCserve Backup version 9.01
    • BrightStor ARCserve Client agent for Windows
  • Description: The Computer Associates Alert Notification Server is included in several Computer Associates products and used to accept notifications of events. It exports an MS-RPC interface. Several procedures exposed via this interface contain buffer overflows. A specially crafted request to one of these procedures could exploit one of these buffer overflows. Successful exploitation would allow an attacker to execute arbitrary code with the privileges of the vulnerable process (usually SYSTEM). Note that on Windows 2000 systems, no authentication would be necessary to exploit these vulnerabilities; other Windows systems would require authentication.

  • Status: Computer Associates confirmed, updates available.

  • Council Site Actions: Only one of the reporting council sites is using the affected software and they are still researching the impact before deciding on the best course of action.

  • References:
  • (5) MODERATE: Ipswitch IMail Server 2006 Multiple Buffer Overflows
  • Affected:
    • Ipswitch IMail 2006
  • Description: Ipswitch IMail, a popular enterprise mail server for Microsoft Windows, contains multiple buffer overflows in its handling of Internet Message Access Protocol (IMAP) messages. An overlong IMAP "search" or "search charset" command could trigger buffer overflows in the vulnerable application. Successfully exploiting these overflows would allow an attacker to execute arbitrary code with the privileges of the vulnerable process (usually SYSTEM). Note that an attacker would require valid authentication credentials to exploit these vulnerabilities.

  • Status: Ipswitch confirmed, updates available. Council Site Status: The affected software is not in production or widespread use, or is not officially supported at any of the responding council sites. They reported that no action was necessary.

  • References:
  • (6) MODERATE: tcpdump Buffer Overflow
  • Affected:
    • tcpdump versions 3.9.6 and prior
  • Description: The "tcpdump" command is provided on many Unix and Unix-like systems and is used to provide a raw packet capture or snapshot of network traffic on the local network. It is often used by network administrators and network administration tools for traffic capture and analysis. A specially crafted packet could overflow a static buffer in any tcpdump process capturing traffic. Because tcpdump by default monitors all traffic on the local network, no authentication is necessary to exploit this vulnerability. However, an attacker would need a way to inject arbitrary traffic onto the local network. Successfully exploiting this overflow would allow an attacker to execute arbitrary code with the privileges of the vulnerable process (usually root). Note that tcpdump is included by default on most Unix, Unix-like, and Linux-based operating systems (including Apple Mac OS X). Full technical details and working proof-of-concept are available for this vulnerability.

  • Status: Vendor confirmed, updates available. Council Site Status: Several of the reporting council sites are using tcpdump. At one site their RHE servers and desktops will be updated via the Up2Date option. They will advise the other users to upgrade. The other sites report plans to patch.

  • References:
  • (7) MODERATE: Trend Micro OfficeScan Web Management Authentication Bypass
  • Affected:
    • Trend Micro OfficeScan Corporate Edition versions 8.0 and prior
  • Description: Trend Micro OfficeScan, a popular enterprise virus scanning solution, contains an authentication bypass vulnerability in its web-based administration console. Authentication credentials are generated by an ActiveX control instantiated by the login page and then sent to the server. By sending an empty authentication request, an attacker could log into the administration console and alter OfficeScan configuration. Note that this would also allow an attacker to alter the configuration of the antivirus system on clients controlled by the OfficeScan server. Some technical details are publicly available for this vulnerability.

  • Status: Trend Micro confirmed, updates available.

  • References:
  • (8) MODERATE: Apple Mac OS X Unconfirmed Remote Code Execution
  • Affected:
    • Apple Mac OS X versions 10.4.10 and prior
    • Apple Mac OS X Server versions 10.4.10 and prior
  • Description: Apple Mac OS X is reported to contain a remote code execution vulnerability in its mDNSResponder subsystem. Note that this flaw is believed to be distinct from earlier flaws reported in this subsystem. According to the researcher, successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with root privileges. No further details are available for this vulnerability.

  • Status: Apple has not confirmed. The researcher has stated that a proof-of-concept exists, but it is not publicly available.

  • References:
Other Software
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5465 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.30.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer OnBeforeUnload Javascript Browser Entrapment
  • Description: Microsoft Internet Explorer is the standard browser for Windows platforms. Internet Explorer is exposed to an issue that allows attackers to trap users at a particular webpage and spoof page transitions. Internet Explorer 7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/473702

  • 07.30.2 - CVE: CVE-2007-3796
  • Platform: Third Party Windows Apps
  • Title: Marshal MailMarshal SMTP Spam Quarantine Interface User Password Change
  • Description: Marshal MailMarshal SMTP is an email content security application designed for use on the Microsoft Windows operating system. The application is exposed to an issue that may permit attackers to change arbitrary passwords. MailMarshal SMTP versions prior to version 6.2.1 are affected.
  • Ref: http://www.sec-1labs.co.uk/advisories/BTA_Full.pdf

  • 07.30.3 - CVE: CVE-2007-3455
  • Platform: Third Party Windows Apps
  • Title: Trend Micro OfficeScan Management Console Authentication Bypass
  • Description: Trend Micro OfficeScan is a centrally-managed antivirus application for Microsoft Windows. The application is exposed to an authentication bypass issue because it fails to adequately handle user-supplied input. OfficeScan version 7.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/473880

  • 07.30.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: interActual Player IAMCE and IAKey Remote Buffer Overflow Vulnerabilities
  • Description: interActual Player is a client application that plays DVD-ROM content. The application is available for Microsoft Windows. The application is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user-supplied input before copying it to insufficiently sized memory buffers. interActual Player version 2.60.12.0717 is affected.
  • Ref: http://www.securityfocus.com/bid/24919

  • 07.30.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Data Dynamics ActiveBar Actbar3.OCX ActiveX Control Multiple Insecure Methods Vulnerabilities
  • Description: Data Dynamics ActiveBar ActiveX control is a toolbar generation application for use on the Microsoft Windows operating system. The ActiveX control is exposed to an issue that lets attackers overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer). This issue occurs because the application fails to sanitize user-supplied input to the "Save", "SaveLayoutChanges", and "SaveMenuUsageData" methods in the "actbar3.ocx" library. Data Dynamics ActiveBar ActiveX control version 3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/24959

  • 07.30.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ipswitch IMail Server Multiple Buffer Overflow Vulnerabilities
  • Description: Ipswitch IMail Server is an email server that serves clients their mail via a web interface. It runs on Microsoft Windows. The application is exposed to multiple buffer overflow issues due to a failure of the application to properly bounds check user-supplied input prior to copying it to insufficiently sized memory buffers. Ipswitch IMail Server 2006 is affected.
  • Ref: http://docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease

  • 07.30.7 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X mDNSResponder Variant Unspecified Remote Code Execution
  • Description: Apple Mac OS X is exposed to an unspecified remote code execution issue that allows remote attackers to execute arbitrary machine code with superuser privileges, facilitating the complete compromise of affected computers. Failed exploit attempts likely result in a denial of service condition.
  • Ref: http://apple.slashdot.org/apple/07/07/17/213203.shtml

  • 07.30.8 - CVE: CVE-2007-3564
  • Platform: Linux
  • Title: Curl GnuTLS Certificate Verification Access Validation
  • Description: Curl is a utility for retrieving remote content from servers over a number of protocols. The application is exposed to an issue that permits an attacker to access unauthorized websites. Curl versions prior to 7.16.14 are affected.
  • Ref: http://curl.haxx.se/docs/adv_20070710.html

  • 07.30.9 - CVE: Not Available
  • Platform: Linux
  • Title: HP Serviceguard for Linux Unspecified Local Privilege Escalation
  • Description: HP Serviceguard for Linux is a high-availability clustering system for critical applications. The application is exposed to an unspecified privilege escalation issue.
  • Ref: http://www.securityfocus.com/archive/1/473783

  • 07.30.10 - CVE: Not Available
  • Platform: Linux
  • Title: Konqueror Web Browser Data: URL Scheme Address Bar Spoofing
  • Description: Konqueror is a web browser and file management application for the KDE desktop environment. The application is exposed to an address bar spoofing issue that may allow a remote attacker to carry out phishing style attacks. Konqueror version 3.5.7 on Linux is affected.
  • Ref: http://www.securityfocus.com/bid/24918

  • 07.30.11 - CVE: CVE-2007-3380
  • Platform: Linux
  • Title: Red Hat Cluster Suite DLM Remote Denial of Service
  • Description: Red Hat Cluster Suite is a set of application/service failover and IP load-balancing tools. The application is exposed to a remote denial of service issue. Please refer to the link below for further information.
  • Ref: http://www.securityfocus.com/bid/24968

  • 07.30.12 - CVE: Not Available
  • Platform: Linux
  • Title: Samsung Linux Printer Driver SetUID Script Local Privilege Escalation
  • Description: Samsung Linux Printer Driver is a printer driver for Samsung printers running on Linux operating systems. The application is exposed to a local privilege escalation issue because the Samsung Linux Printer Driver installation script changes the permissions (via chmod) of various applications to "4755". These applications include StarOffice, StarCalc, StarImpress, and StarWriter.
  • Ref: http://digg.com/linux_unix/Samsung_Linux_printer_driver_modifies_the_permissions_of_many_executables

  • 07.30.13 - CVE: CVE-2007-3268
  • Platform: Cross Platform
  • Title: IBM Tivoli Provisioning Manager for OS Deployment Divide By Zero Denial of Service
  • Description: IBM Tivoli Provisioning Manager for OS Deployment is a boot-server for managing networked workstations. The application is exposed to a denial of service issue because the server fails to handle exceptional conditions. IBM Tivoli Provisioning Manager for OS Deployment version 5.1.0.2 is affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=560

  • 07.30.14 - CVE: CVE-2007-3528
  • Platform: Cross Platform
  • Title: Disk ARchive Flawed Blowfish-CBC Cryptography Implementation Weakness
  • Description: Disk ARchive (DAR) is a cross platform shell program for backing up files and directories. The application is exposed to a design error in its cryptographic Blowfish-CBC implementation. Disk ARchive versions prior to 2.3.4 are affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=425335

  • 07.30.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Kaspersky Anti-Virus 5.5 for Check Point Firewall-1 Denial of Service
  • Description: Kaspersky Anti-Virus 5.5 for Check Point Firewall-1 is an antivirus application that dynamically inspects certain protocols for malicious code as it traverses the firewall. The application is exposed to an unspecified denial of service issue because it fails to properly handle an unknown condition. Kaspersky Anti-Virus version 5.5 for Check Point Firewall-1 is affected.
  • Ref: http://support.kaspersky.com/checkpoint?qid=208279464

  • 07.30.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Glob() Function Arbitrary Code Execution
  • Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. The application is exposed to an arbitrary code execution issue. PHP versions 5.2.3 and 4.4.4 are affected.
  • Ref: http://www.securityfocus.com/bid/24922

  • 07.30.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Yahoo! Messenger Address Book Remote Buffer Overflow
  • Description: Yahoo! Messenger is an instant messaging application available for multiple operating platforms. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Yahoo! Messenger versions 8.1 and earlier are affected.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064669.html

  • 07.30.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AOL Instant Messenger URI Handler Remote Code Execution Vulnerabilities
  • Description: AOL Instant Messenger (AIM) is an instant messaging client available for various operating systems. The application is exposed to remote command and code execution issues because the application fails to properly handle user-supplied input via a registered URI. AOL Instant Messenger (AIM) version 6.1 is affected.
  • Ref: http://www.kb.cert.org/vuls/id/786920

  • 07.30.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Data: URL Scheme Address Bar Spoofing
  • Description: Opera is a cross platform web browser. The application is exposed to an address bar spoofing issue that may allow a remote attacker to carry out phishing style attacks. Opera version 9.21 is affected.
  • Ref: http://www.securityfocus.com/bid/24917

  • 07.30.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Pidgin Unspecified Remote Command Execution
  • Description: Pidgin is an instant messaging application for multiple platforms. Pidgin was formerly known as Gaim. The application is exposed to an unspecified remote command execution issue because the application fails to adequately sanitize user-supplied data. Pidgin version 2.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/24904

  • 07.30.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Hitachi Products GIF Image Buffer Overflow
  • Description: Multiple Hitachi products are exposed to a buffer overflow issue due to a failure of the application to properly bounds check user-supplied input prior to copying it to an insufficiently sized memory buffer.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS07-018_e/index-e.html

  • 07.30.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi TP1/Server Base Unspecified Denial of Service
  • Description: Hitachi TP1/Server Base is exposed to an unspecified denial of service issue that occurs when the application receives unexpected data. Please refer to the link below for further information.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS07-020_e/index-e.html

  • 07.30.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Browsers Address Bar URI Spoofing
  • Description: Multiple web browsers are affected by a URI spoofing issue. The application is exposed to this issue because it fails to handle user-supplied data in pages based on the "data:" URI scheme (RFC 2397). Opera version 9.21 and Konqueror version 3.5.7 are affected.
  • Ref: http://www.securityfocus.com/archive/1/473703

  • 07.30.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Dangling Pointer Remote Code Execution
  • Description: The Opera Web Browser is a web client available for multiple platforms. The application is exposed to a remote code execution issue that occurs because of a dangling pointer in the affected application. Opera version 9.21 is affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=564

  • 07.30.25 - CVE: CVE-2007-3798
  • Platform: Cross Platform
  • Title: tcpdump Print-bgp.C Remote Integer Overflow
  • Description: The "tcpdump" utility is a freely available open-source network monitoring tool. It is available for UNIX, Linux, and Microsoft Windows operating systems. The utility is exposed to an integer overflow issue because it fails to bounds check user-supplied input before copying it into an insufficiently sized memory buffer. tcpdump versions 3.9.6 and earlier are affected.
  • Ref: http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c

  • 07.30.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Lighttpd Multiple Remote Denial of Service and Information Disclosure Vulnerabilities
  • Description: Lighttpd is an open-source webserver application. The application is exposed to multiple remote issues. An attacker can exploit these issues to gain access to sensitive information or crash the affected application, denying service to legitimate users. Lighttpd version 1.4.16 is affected.
  • Ref: https://issues.rpath.com/browse/RPL-1550

  • 07.30.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cisco Wide Area Application Services CIFS Remote Denial of Service
  • Description: Cisco Wide Area Application Services (WAAS) is WAN optimization software for Cisco devices. The application is exposed to a remote denial of service issue that occurs when handling a large number of TCP "SYN" packets on ports 139 or 445. Cisco devices configured with Edge Services are affected. Cisco WAAS software versions 4.0.7 and 4.0.9 are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml

  • 07.30.28 - CVE: CVE-2007-3762
  • Platform: Cross Platform
  • Title: Asterisk IAX2 Channel Driver IAX2_Write Function Remote Stack Buffer Overflow
  • Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. The application is exposed to a stack-based buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://ftp.digium.com/pub/asa/ASA-2007-014.pdf

  • 07.30.29 - CVE: CVE-2007-3763, CVE-2007-3764, CVE-2007-3765
  • Platform: Cross Platform
  • Title: Asterisk Multiple Remote Denial of Service Vulnerabilities
  • Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. The application is exposed to multiple remote denial of service issues.
  • Ref: http://www.securityfocus.com/bid/24950

  • 07.30.30 - CVE: CVE-2007-3734, CVE-2007-3735, CVE-2007-3736, CVE-2007-3737, CVE-2007-3738
  • Platform: Cross Platform
  • Title: Mozilla Firefox 2.0.0.4 Multiple Remote Vulnerabilities
  • Description: The Mozilla Foundation has released four advisories regarding security issues in Firefox 2.0.0.4. Please refer to the advisory for more information.
  • Ref: http://www.mozilla.org/security/announce/2007/mfsa2007-18.html

  • 07.30.31 - CVE: CVE-2007-3825
  • Platform: Cross Platform
  • Title: Computer Associates Alert Notification Server Multiple Buffer Overflow Vulnerabilities
  • Description: Computer Associates Alert Notification Server provides alerting capabilities to multiple CA products. The application is exposed to multiple buffer overflow issues because it fails to bounds check user-supplied data before copying it into insufficiently sized buffers.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=561

  • 07.30.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ElementCMS S Parameter Cross-Site Scripting
  • Description: ElementCMS is a content manager. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "s" parameter when performing a search before returning to the user.
  • Ref: http://www.securityfocus.com/bid/24960

  • 07.30.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: WordPress Multiple Themes S Parameter Cross-Site Scripting
  • Description: These themes are addons for the WordPress publishing platform. Multiple themes for WordPress are exposed to a cross-site scripting issue because they fail to properly sanitize user-supplied input to the "s" parameter of the "index.php" installation script. BlixKrieg versions 2.2, 1.0 and 0.9.1 are affected.
  • Ref: http://www.securityfocus.com/bid/24954

  • 07.30.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: QuickerSite Default.ASP Cross-Site Scripting
  • Description: QuickerSite is a CMS system for Microsoft Internet Information Server. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "svalue" parameter of the "default.asp" script. QuickerSite version 1.7.2 is affected.
  • Ref: http://www.securityfocus.com/bid/24948

  • 07.30.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Expert Advisor Index.PHP SQL Injection
  • Description: Expert Advisor is a web application for handling customer questions. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "id" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/24943

  • 07.30.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Infinite Responder Unspecified SQL Injection
  • Description: Infinite Responder is an auto-responder script. The application is exposed to an unspecified SQL injection issue because it fails to properly sanitize user-supplied input to an unknown script and parameter before using it in an SQL query. Infinite Responder versions prior to 1.48 are affected.
  • Ref: http://www.securityfocus.com/bid/24931

  • 07.30.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Zoph _Order Multiple SQL Injection Vulnerabilities
  • Description: Zoph is a PHP-based application for managing digital photographs. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "_order" parameter of the "photos.php" and "edit_photos.php" scripts. Zoph version 0.7 is affected.
  • Ref: http://www.securityfocus.com/bid/24933

  • 07.30.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Traffic Stats ReferralUrl.PHP SQL Injection
  • Description: Traffic Stats is a traffic statistics program. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "offset" parameter of the "referralUrl.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/24929

  • 07.30.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SiteTrafficStats ReferralURL.PHP SQL Injection
  • Description: SiteTrafficStats is a web traffic analyzer and statistics application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "offset" parameter of the "referralUrl.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/24925

  • 07.30.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: husrevforum Philboard_forum.ASP SQL Injection
  • Description: husrevforum is an application implemented in ASP. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "forumid" parameter of the "philboard_forum.asp" script before using it in an SQL query. husrevforum version 1.0.1 (tr) is affected.
  • Ref: http://www.securityfocus.com/bid/24928

  • 07.30.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: paFileDB Search.PHP SQL Injection
  • Description: paFileDB is a file download database application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "act" parameter of the "search.php" script before using it in an SQL query. paFileDB version 3.6 is affected.
  • Ref: http://www.securityfocus.com/bid/24914

  • 07.30.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Prozilla Directory.PHP SQL Injection
  • Description: Prozilla is a web site building application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "ax" parameter of the "directory.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/24915

  • 07.30.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: REALTOR 747 Index.PHP SQL Injection
  • Description: REALTOR 747 is a property list management application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "pageid" parameter of the "index.php" script before using it in an SQL query. REALTOR 747 version 4.0 is affected.
  • Ref: http://www.securityfocus.com/bid/24916

  • 07.30.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CMScout Forums.PHP SQL Injection
  • Description: CMScout is an open-source content management system (CMS). The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "f" parameter of the "forums.php" script before using it in an SQL query. CMScout version 1.23 is affected.
  • Ref: http://www.securityfocus.com/bid/24906

  • 07.30.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Hitachi JP1/NETM/DM Manager Products Unspecified SQL Injection
  • Description: Multiple Hitachi JP1/NETM/DM Manager products are exposed to an SQL injection issue because they fail to properly sanitize user-supplied input to unspecified parameters before using it in an SQL query.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS07-019_e/index-e.html

  • 07.30.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: eSyndiCat Link Directory Multiple SQL Injection Vulnerabilities
  • Description: eSyndiCat Link Directory is a web link management application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "news.php" script, and the "name" parameter of the "page.php" script. eSyndiCat version 1.6 is affected.
  • Ref: http://www.securityfocus.com/bid/24908

  • 07.30.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MzK Blog Katgoster.ASP SQL Injection
  • Description: MzK Blog is a blogging application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "katID" parameter of the "katgoster.asp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/24909

  • 07.30.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla Pony Gallery Component Index.PHP SQL Injection
  • Description: Pony Gallery is a component for Joomla. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of the "index.php" script before using it in an SQL query. Pony Gallery version 1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/24972

  • 07.30.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MD-Pro Index.PHP TopicID SQL Injection
  • Description: MD-Pro is exposed to an SQL injection issue because the application fails to properly sanitize user-supplied input to the "topicid" parameter of the "index.php" script before using it in an SQL query. The "module" parameter must be "Topics", and the "func" parameter must be "view" to trigger this issue. MD-Pro version 1.081 is affected.
  • Ref: http://www.securityfocus.com/bid/24969

  • 07.30.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: QuickEStore InsertOrder.CFM SQL Injection
  • Description: QuickEStore is a web-based ecommerce application written in Cold Fusion. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "CFTOKEN" parameter of the "insertorder.cfm" script before using it in an SQL query. QuickEStore version 8.2 is affected.
  • Ref: http://www.securityfocus.com/bid/24961

  • 07.30.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SpoonLabs Vivvo CMS Index.PHP SQL Injection
  • Description: Vivvo CMS is a web-based content manager. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "category" parameter of the "index.php" script before using it in an SQL query. Vivvo CMS version 3.40 is affected.
  • Ref: http://www.securityfocus.com/bid/24955

  • 07.30.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Pictures Rating Index.PHP SQL Injection
  • Description: Pictures Rating is a web application for rating the popularity of photos. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "msgid" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/24945

  • 07.30.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Jasmine CMS Profile.PHP HTML Injection
  • Description: Jasmine CMS is a content manager implemented in PHP. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "profile_email" parameter of the "profile.php" script before using it in dynamically generated content. Jasmine CMS version 1.0_1 is affected.
  • Ref: http://www.securityfocus.com/bid/24939

  • 07.30.54 - CVE: Not Available
  • Platform: Web Application
  • Title: LedgerSMB Authentication Login.PL Authentication Bypass
  • Description: LedgerSMB is a double-entry accounting system implemented in Perl. The application is exposed to an authentication bypass issue that occurs in the "login.pl" script. LedgerSMB versions 1.2.6 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24940

  • 07.30.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Insanely Simple Blog Multiple Input Validation Vulnerabilities
  • Description: Insanely Simple Blog is a web log application. The application is exposed to cross-site scripting, HTML injection and SQL injection issues because it fails to sufficiently sanitize user-supplied input. Insanely Simple Blog versions 0.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24934

  • 07.30.56 - CVE: Not Available
  • Platform: Web Application
  • Title: TBDev.NET DR TakeProfEdit.PHP HTML Injection
  • Description: TBDev.NET DR is a web-based torrent tracker. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. TBDev.NET DR versions 010306 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24923

  • 07.30.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Citadel WebCit Multiple Input Validation Vulnerabilities
  • Description: WebCit is a web-based administration front end for the Citadel groupware server. The application is exposed to multiple input validation issues because it fails to properly sanitize user-supplied input. WebCit versions prior to 7.11 are affected.
  • Ref: http://www.securityfocus.com/archive/1/473714

  • 07.30.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal LoginToboggan Module Username HTML Injection
  • Description: The MySite Module for Drupal allows users to create a personal web page summary. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input. This issue affects the module's "username" field.
  • Ref: http://www.securityfocus.com/bid/24901

  • 07.30.59 - CVE: Not Available
  • Platform: Web Application
  • Title: AzDG Dating Gold Multiple Remote File Include Vulnerabilities
  • Description: AzDG Dating Gold is an online dating site manager. The application is exposed to multiple remote file include issues because it fails to properly sanitize user-supplied input to the "int_path" parameter of the "header.php", "footer.php" and "secure.admin.php" scripts. AzDG Dating Gold version 3.0.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/473664

  • 07.30.60 - CVE: Not Available
  • Platform: Web Application
  • Title: A-Shop FileBrowser.ASP Arbitrary File Deletion
  • Description: A-Shop is a web-based ecommerce application implemented in ASP. The application is exposed to an arbitrary file deletion issue because it fails to sufficiently sanitize user-supplied input to the "delfiles" parameter of the "filebrowser.asp" script. A-Shop version 0.70 is affected.
  • Ref: http://www.securityfocus.com/bid/24971

  • 07.30.61 - CVE: Not Available
  • Platform: Web Application
  • Title: DokuWiki Spell_UTF8Test Function HTML Injection
  • Description: DokuWiki is a wiki application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "spell_utf8test()" function of the "lib/exe/spellcheck.php" script before using it in dynamically generated content. DokuWiki versions 2007-06-26 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/474144

  • 07.30.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Geoblog Multiple Security Bypass Vulnerabilities
  • Description: Geoblog is a web application framework and content management system (CMS). The application is exposed to multiple security bypass issues. The issue occurs in the "admin/deletecomments.php" and "admin/deleteblog.php" scripts when deleting user comments and blog posts. The affected script fails to validate user credentials and privileges, allowing an unauthorized user to delete assets. Geoblog MOD_1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/24966

  • 07.30.63 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB SupaNav Module Remote File Include
  • Description: phpBB SupaNav module is a phpBB sidebar customization application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "link_main.php" script. phpBB SupaNav module version 1.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/24964

  • 07.30.64 - CVE: Not Available
  • Platform: Web Application
  • Title: BBS E-Market P_Mode Parameter Remote File Include
  • Description: BBS E-Market Professional is a web-based ecommerce application. The application is exposed to a remote file include issue because the application fails to properly sanitize user-supplied input to the "p_mode" parameter of the "postscript/postscript.php" script.
  • Ref: http://www.securityfocus.com/bid/24957

  • 07.30.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla Expose Component Uploadimg.PHP Arbitrary File Upload
  • Description: Joomla Expose Component is a component of the Joomla content management system (CMS). The application is exposed to an issue that lets attackers upload arbitrary files. This issue occurs because the application fails to sufficiently sanitize user-supplied input to the "userfile_name" parameter of the "uploadimg.php" script. Joomla Expose Component versions RC35 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/24958

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.