@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 35
August 27, 2007

Security and backup products (from Trend Micro and Legato, respectively) had multiple, critical vulnerabilities discovered this week. Backup and security products do not actually have more vulnerabilities than other products (although they seem to); rather, they are targeted more by security "researchers" because they are ubiquitous, run with very high privileges and many organizations fail to run regular update cycles on them - assuming the vendor will do it for them. Also, in backup's case - they store the organizations' crown jewels. Significant break-ins at federal agencies and many other organizations have been found to have been traced to exploits of vulnerabilities in backup products.

Alan

PS. To ensure you have current knowledge about the newest attack vectors, don't miss Ed Skoudis' Hacker Techniques course (http://www.sans.org/ns2007/description.php?tid=243) or Josh Wright's Assessing and Securing Wireless Networks course (http://www.sans.org/ns2007/description.php?tid=343) in Las Vegas next month. Both Ed and Josh are breathtakingly good teachers; their content is even better.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    Third Party Windows Apps                   9 (#1, #7)
    Mac Os                                     2
    Linux                                      5
    Solaris                                    2
    Unix                                       1
    Novell                                     1
    Cross Platform                            19 (#2, #3, #4, #4, #6)
    Web Application - Cross Site Scripting     6
    Web Application - SQL Injection            6
    Web Application                           10
    Network Device                             5

********** Sponsored By SANS Network Security and SANS London ***********

Come join us in Las Vegas on September 22-30 for SANS Network Security or in London on 26 Nov to 05 Dec, 2007 (or both) for the biggest SANS training conferences we've ever held in the US and Europe. In Las Vegas, there are more than 40 courses and a big product expo. In London we have 10 classes and the GSSP exam. How good have these events been? Here's what past attendees said:

"You learn something new every day...the experience of the instructor and of the students make the difference." (Gabriel Schmitt, Hoffmann-LaRoche)

"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)

"The depth of knowledge is awesome." (Stephen Hall, Barclays)

"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)

"The quality of teachers, speakers, and even attendees is far superior to any other training event I've attended." (Corinne Cook, Jeppesen)

"You will never ever find anything more valuable than SANS superknowledge. Worth the price!!" (Carlos Fragoso, CESCA)

Registration information:

Las Vegas: http://www.sans.org/ns2007

London: http://www.sans.org/info/14431

Also SANS @Home, our most innovative and effective new educational program, announces Security 601: Reverse Engineering Malware starting on September 12, http://www.sans.org/info/12436. You can take complete SANS courses, live with SANS Instructor Lenny Zeltser, and network with fellow students on-line, without leaving your home or office.

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
Linux
Solaris
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

************************* Sponsored Link *****************************

Purchase SANS Voucher Credit today. One procurement, transcend fiscal years, online usage reports, status updates. Visit online today

http://www.sans.org/info/14741 or Email Vouchers@sans.org.

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process.

Widely Deployed Software
  • (2) CRITICAL: EMC Legato Networker Remote Execution Service Buffer Overflows
  • Affected:
    • EMC Legato Networker versions 7.x.x
  • Description: EMC Legato Networker, a popular enterprise backup solution, contains multiple buffer overflows in its handling of Sun RPC (also known as ONC-RPC) requests. This product exports multiple procedures via these Remote Procedure Call (RPC) interfaces. A specially crafted call to the service exported by the "NSREXECD.EXE" process could trigger several buffer overflows. Successfully exploiting one of these buffer overflows would allow an attacker to execute arbitrary code with the privileges of the vulnerable process. Some technical details are available for these vulnerabilities.

  • Status: EMC confirmed, updates available. Note that the affected services run on an arbitrary port. This port number can be retrieved via the standard portmapper service, running on TCP port 111. Blocking access to this port at the network perimeter could mitigate the impact of this vulnerability.

  • References:
  • (3) HIGH: Motorola Timbuktu Multiple Vulnerabilities
  • Affected:
    • Motorola Timbuktu versions prior to 8.6.5
  • Description: Motorola Timbuktu is a remote desktop access application for multiple operating systems, similar to VNC or Microsoft Remote Desktop. Timbuktu contains multiple vulnerabilities. A directory traversal vulnerability in "send" requests can lead to arbitrary file writes. Additionally, several buffer overflow vulnerabilities exist in the handling of application and login requests. No authentication is required to exploit the buffer overflow vulnerabilities, and the "Guest" account has enough access to exploit the directory traversal vulnerability by default. In all cases, successfully exploiting these vulnerabilities would allow an attacker to execute arbitrary code with SYSTEM/root privileges. Some technical details are available for these vulnerabilities.

  • Status: Motorola confirmed, updates available.

  • References:
  • (4) HIGH: Real Networks Helix DNA Server RTSP Buffer Overflow
  • Affected:
    • Real Networks Helix DNA Server versions prior to 11.1.4
  • Description: The Helix DNA Server is an open source streaming media server from Real Networks. It contains a buffer overflow vulnerability in its handling of Real Time Streaming Protocol (RTSP) requests. A specially crafted request containing multiple "Require" headers could trigger this buffer overflow, and allow an attacker to execute arbitrary code with the privileges of the vulnerable process. The Helix DNA Server runs on multiple platforms, and is included in many distributions of Linux. The Helix DNA Server shares some code with other Real Networks products; it is possible that they are also vulnerable. Technical details are available for this vulnerability both in the advisories and via source code analysis.

  • Status: Real Networks confirmed, updates available.

  • References:
  • (5) MODERATE: ClamAV Remote Command Execution
  • Affected:
    • ClamAV versions prior to 0.91.2
  • Description: Clam AntiVirus (ClamAV) is a popular open source antivirus solution. ClamAV can be integrated with the Sendmail mail transport system via Sendmail's "milter" mechanism. Sendmail is the most common mail transport system in the world, and the default system on most Unix and Unix-like systems. When ClamAV is integrated with Sendmail and the ClamAV "black hole" configuration option is enabled, a specially crafted email could cause arbitrary commands to be executed with root privileges. No authentication is necessary; it is sufficient to have an email transiting a vulnerable system to exploit this vulnerability. Technical details are available for this vulnerability, both in the advisory and via source code analysis.

  • Status: ClamAV confirmed, updates available.

  • References:
  • (6) LOW: Asterisk SIP Denial of Service
  • Affected:
    • Asterisk versions prior to 1.4.11
  • Description: Asterisk is a popular open source telephony platform. Asterisk fails to properly free memory when dealing with Session Initiation Protocol (SIP) requests when configured to use the "chan_sip" subsystem. Sending large numbers of specially crafted requests to this subsystem could allow an attacker to exhaust all memory resources on a vulnerable machine. This would prevent further telephony services, including emergency telephony services. Full technical details for this vulnerability are available via source code analysis, and some details are available via the security advisory.

  • Status: Asterisk confirmed, updates available.

  • References:
Other Software
  • (7) HIGH: eCentrex VoIP Client ActiveX Control Buffer Overflow
  • Affected:
    • eCentrex VoIP Client ActiveX Control versions 2.0.1 and prior
  • Description: eCentrex is a popular developer of Voice-over-IP (VoIP) solutions. The eCentrex VoIP client ActiveX control, installed by several eCentrex products, contains a buffer overflow vulnerability in its "ReInit" method. A specially crafted web page that instantiates this control could trigger this buffer overflow and execute arbitrary code with the privileges of the current user. Full technical details and a proof-of-concept are publicly available for this vulnerability.

  • Status: Vendor has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable ActiveX control via Microsoft's "kill bit" mechanism for CLSID "BD80D375-5439-4D80-B128-DDA5FDC3AE6C". Note that this may affect normal functionality.

  • References:
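The "kill bit" mitigation described in the Status line above works by setting a Compatibility Flags value of 0x400 under the ActiveX Compatibility registry key for the control's CLSID, after which Internet Explorer refuses to instantiate that control (Microsoft documents the mechanism in KB240797, referenced in Part II). The script below is an added example, not part of the @RISK bulletin and not vendor code; the CLSID is the one given above, while the Wow6432Node path (for 32-bit Internet Explorer on 64-bit Windows) and the function names are this example's own additions. Run it from an elevated PowerShell prompt; the verification step reports whether the bit is set on each key.

```powershell
# Added example: set and verify the IE kill bit for the eCentrex VoIP Client
# ActiveX control named in the bulletin. Requires an elevated (Administrator) shell.

$KillBitFlag = 0x400   # Microsoft's documented "kill bit" Compatibility Flags value (KB240797)
$Clsid = '{BD80D375-5439-4D80-B128-DDA5FDC3AE6C}'   # CLSID from the bulletin

# Both the native and the Wow6432Node hive locations; the second only matters
# on 64-bit Windows, where 32-bit IE reads its ActiveX Compatibility keys there.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-KillBit {
    param([string]$Path)
    # Create the CLSID key if it is missing, then OR the kill bit into the
    # existing flags so any other compatibility flags are preserved.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $newFlags = $existing -bor $KillBitFlag
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord -Value $newFlags -Force | Out-Null
}

function Test-KillBit {
    param([string]$Path)
    # Returns $true only when the key exists and the 0x400 bit is present.
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0))
}

foreach ($path in $KeyPaths) {
    # Skip the Wow6432Node location on 32-bit Windows, where that hive does not exist.
    if ($path -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
    Set-KillBit -Path $path
    if (Test-KillBit -Path $path) {
        Write-Output "kill bit set:     $path"
    } else {
        Write-Output "kill bit NOT set: $path"
    }
}
```

The same two functions can be pointed at any other CLSID an advisory names; as the Status line notes, web pages that legitimately use the control will stop working once the bit is set, so verify the control is not needed before deploying this through Group Policy or a login script.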
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 35, 2007

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.35.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Unreal Commander Malformed Archives Multiple Remote Vulnerabilities
  • Description: Unreal Commander is a file management application available for Microsoft Windows. The application is exposed to multiple remote issues when handling malformed ZIP and RAR archives. Unreal Commander version 0.92 (build 565) and version 0.92 (build 573) are affected.
  • Ref: http://www.securityfocus.com/archive/1/477432

  • 07.35.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Asura Engine Challenge B Query Remote Stack Buffer Overflow
  • Description: Asura Engine is a 3D game engine used by various applications, including Rogue Trooper and Prism: Guard Shield. The application is exposed to a remote stack-based buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://www.securityfocus.com/archive/1/477357

  • 07.35.3 - CVE: CVE-2007-3873
  • Platform: Third Party Windows Apps
  • Title: Trend Micro Anti-Spyware And PC-cillin SSAPI Engine Local Stack Buffer Overflow
  • Description: Trend Micro Anti-Spyware is a spyware detection and removal application. PC-cillin Internet Security is a security application that helps protect users from malicious internet content. These applications are exposed to a local stack buffer overflow issue because the application fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Trend Micro Anti-Spyware for Consumer version 3.5 and PC-cillin Internet Security 2007 are affected.
  • Ref: http://www.securityfocus.com/archive/1/477249

  • 07.35.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: eCentrex VOIP Client UACOMX.OCX ActiveX Control Buffer Overflow
  • Description: eCentrex VOIP Client ActiveX control is a Voice over IP client for use in conjunction with web pages. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. eCentrex VOIP Client ActiveX control version 2.0.1 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.35.5 - CVE: CVE-2007-4216, CVE-2005-2932
  • Platform: Third Party Windows Apps
  • Title: Check Point ZoneAlarm Multiple Products Local Privilege Escalation Vulnerabilities
  • Description: ZoneAlarm is a firewall and application security package designed for Microsoft Windows operating systems. It is distributed and maintained by Check Point. The application is exposed to local privilege escalation issues. ZoneAlarm version 6.5.737 and ZoneAlarm Security Suite 5.5.062.004 and 6.5.737 are affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=585

  • 07.35.6 - CVE: CVE-2007-4216, CVE-2005-2932
  • Platform: Third Party Windows Apps
  • Title: Check Point Zone Labs Multiple Products Local Privilege Escalation Vulnerabilities
  • Description: ZoneAlarm is a firewall and application security package designed for Microsoft Windows operating systems. It is distributed and maintained by Check Point. The application is exposed to multiple local privilege escalation issues. ZoneAlarm versions prior to 7.0.362 and ZoneLabs products that include "vsdatant.sys" version 6.5.737.0 are affected.
  • Ref: http://www.securityfocus.com/archive/1/477134

  • 07.35.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow
  • Description: Mercury Mail Transport System is a mail server implementation for Microsoft Windows platforms. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Mercury Mail Transport System 4.01b and 4.51 are affected.
  • Ref: http://www.pmail.com/m32_451.htm

  • 07.35.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: rFactor Multiple Vulnerabilities
  • Description: rFactor is a racing simulator that is available for Microsoft Windows platforms. The application is exposed to multiple code execution and denial of service issues. rFactor versions 1150 and 1250 are affected.
  • Ref: http://www.securityfocus.com/archive/1/477023

  • 07.35.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Lhaz Unspecified Remote Code Execution
  • Description: Lhaz is a file extractor for Microsoft Windows. The application is exposed to an unspecified remote code-execution issue. Lhaz version 1.33 is affected.
  • Ref: http://www.avertlabs.com/research/blog/index.php/2007/08/17/targeted-zero-day-attack-against-free-tools-lhaz/

  • 07.35.10 - CVE: Not Available
  • Platform: Mac Os
  • Title: SSHKeychain Local Privilege Escalation and Information Disclosure Vulnerabilities
  • Description: SSHKeychain is a freely available application for the Apple Mac OS X platform. It is designed to provide convenience functionality when dealing with SSH and SSH-Agent. The application is exposed to local privilege escalation and information disclosure issues. SSHKeychain version 0.8.1 is affected.
  • Ref: http://www.sshkeychain.org/pipermail/users/2007-August/000098.html

  • 07.35.11 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Safari Beta Same Origin Policy Violation
  • Description: Apple Safari is susceptible to a same-origin policy violation issue. The application fails to properly enforce same-origin policy for JavaScript remote data access due to the same-origin policy not being properly enforced for IFRAME page elements. Safari version 3 beta is affected.
  • Ref: http://www.thespanner.co.uk/2007/08/17/safari-beta-zero-day/

  • 07.35.12 - CVE: CVE-2007-3852
  • Platform: Linux
  • Title: Sysstat Insecure Temporary File Creation
  • Description: Sysstat is a system monitoring utility for Linux. The application creates temporary files in an insecure manner. Specifically, this issue is caused by the "systat.in" script. Sysstat version 7.1.6 is affected.
  • Ref: https://bugs.gentoo.org/show_bug.cgi?id=188808

  • 07.35.13 - CVE: CVE-2007-3848
  • Platform: Linux
  • Title: Linux Kernel Parent Process Death Signal Local Security Bypass Weakness
  • Description: The Linux kernel supports a "prctl" function (PR_SET_PDEATHSIG) that allows a child process to register its interest in its parent process's death. This causes a user-defined signal to be sent to the child process upon the death of the parent. The application is exposed to a security bypass weakness when dealing with signal handling. Linux kernel versions prior to 2.6.22.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/476464

  • 07.35.14 - CVE: CVE-2007-3532
  • Platform: Linux
  • Title: Gentoo Linux NVIDIA Drivers Local Denial of Service
  • Description: Gentoo Linux NVIDIA drivers are exposed to a denial of service issue which allows local attackers to cause the application to crash or possibly cause hardware damage to a graphics card.
  • Ref: http://www.securityfocus.com/bid/25360

  • 07.35.15 - CVE: CVE-2007-3105
  • Platform: Linux
  • Title: Linux Kernel Random Number Generator Local Denial of Service and Privilege Escalation
  • Description: The Linux kernel is exposed to a local issue that may result in a denial of service or privilege escalation due to a stack-based overflow in kernel memory. Linux kernel versions prior to 2.6.22.3 are affected.
  • Ref: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.3

  • 07.35.16 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris x86 ATA(7D) Disk Driver Multiple Local Denial of Service Vulnerabilities
  • Description: Sun Solaris is exposed to multiple local denial of service issues. These issues occur in various "ioctl(2)" functions of the "ata(7D)" disk driver. Solaris versions 8, 9 and 10 running on x86 platforms are affected.
  • Ref: http://sunsolve.sun.com/show.do?target=tous

  • 07.35.17 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris 8 RBAC Remote Privilege Escalation Vulnerabilities
  • Description: The Sun Solaris RBAC (Role-Based Access Control) is an advanced access control mechanism. The application is exposed to two remote privilege escalation issues that allow remote attackers to gain unauthorized access to computers via role accounts.
  • Ref: http://sunsolve.sun.com/show.do?target=tous

  • 07.35.18 - CVE: CVE-2007-4131
  • Platform: Unix
  • Title: GNU Tar Dot_Dot Function Remote Directory Traversal
  • Description: GNU Tar is a file-archiving/compression application for various UNIX platforms. The application is exposed to a directory traversal issue because the application fails to sufficiently validate user-supplied data. Specifically, the "dot_dot()" function fails to validate the name of a directory symbolic link.
  • Ref: http://rhn.redhat.com/errata/RHSA-2007-0860.html

  • 07.35.19 - CVE: CVE-2007-4462
  • Platform: Novell
  • Title: po4a GetTextization.Failed.PO Local Privilege Escalation
  • Description: po4a is a Perl module designed to aid in text translation. The application is exposed to a local privilege escalation issue because the "gettextize()" function in "lib/Locale/Po4a/Po.pm" creates the temporary "/tmp/gettextixzation.failed.po" file insecurely. po4a versions prior to 0.32 are affected.
  • Ref: http://alioth.debian.org/frs/shownotes.php?release_id=1019

  • 07.35.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Novell Identity Manager Client Login Extension Local Information Disclosure
  • Description: Novell Identity Manager is an identity-management product that provisions user/password management for the enterprise. The application is exposed to a local information disclosure issue in the client login extension. Specifically, when a user logs in the application writes the username and password into a local world-readable file. Novell Identity Manager versions prior to 3.5.1 20070730 are affected.
  • Ref: https://secure-support.novell.com/KanisaPlatform/Publishing/177/3329402_f.SAL_Public.html

  • 07.35.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Skulltag Huffman Packet Decompression Remote Heap Based Buffer Overflow
  • Description: Skulltag is a Doom engine for Linux and Microsoft Windows operating systems. The application is exposed to a remote heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Skulltag version 0.97d-beta4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/25423

  • 07.35.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Soldat Multiple Remote Denial of Service Vulnerabilities
  • Description: Soldat is a freely-available game available for multiple platforms. The application is exposed to multiple remote denial of service issues due to failures of the game software when handling unexpected input. Soldat version 1.4.2 and Soldat dedicated server version 2.6.2 are affected.
  • Ref: http://www.securityfocus.com/bid/25426

  • 07.35.23 - CVE: CVE-2007-2958
  • Platform: Cross Platform
  • Title: Sylpheed and Sylpheed-Claws POP3 Format String
  • Description: Sylpheed and Sylpheed-Claws are cross-platform lightweight mail clients. The applications are exposed to a format string issue because they fail to properly sanitize POP3 server error responses that contain format specifiers. Sylpheed version 2.4.4, Sylpheed-Claws 1.9.100, and Sylpheed-Claws "Claws Mail" 2.10.0 are affected.
  • Ref: http://secunia.com/advisories/26550/

  • 07.35.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP PHP_NTUser.DLL Extension Multiple Local Buffer Overflow Vulnerabilities
  • Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. php_ntuser is an extension library for PHP. The application is exposed to multiple local buffer overflow issues because it fails to properly bounds check user-supplied input. PHP version 5.2.3 when running the vulnerable library is affected.
  • Ref: http://www.securityfocus.com/bid/25421

  • 07.35.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP Win32std Extension Local Buffer Overflow
  • Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. The application is exposed to a local buffer overflow issue because it fails to properly bounds check user-supplied input. PHP version 5.2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/25414

  • 07.35.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: InterSystems Cache Login Page Redirection Unauthorized Data Manipulation
  • Description: InterSystems Cache is a post-relational database developed by InterSystems Corporation. The application is exposed to a remote unauthorized data manipulation issue due to an unspecified flaw while encoding certain parameter values in login page redirection logic with the application's Cache Server Page implementation. Cache versions 2007.1.0.369.0 and 2007.1.1.420.0 are affected.
  • Ref: http://www.intersystems.com/support/cflash/2007announce.html

  • 07.35.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Application Server Administrative Console Encryption Protocol Selection Weakness
  • Description: Sun Java System Application Server is exposed to an encryption protocol selection weakness because the configuration settings set in the administration web interface have no effect on the selection of the cipher. This would result in a false sense of security. Sun Java System Application Server 9.0_0.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/477315

  • 07.35.28 - CVE: CVE-2007-4219
  • Platform: Cross Platform
  • Title: Trend Micro ServerProtect RPCFN_SYNC_TASK Remote Integer
  • Description: Trend Micro ServerProtect is an antivirus application designed specifically for servers. The application is exposed to an integer overflow issue that is exploitable over RPC. The issue exists in the SpntSvc.exe service that listens on TCP port 5168 and is accessible through RPC via interface uuid 25288888-bd5b-11d1-9d53-0080c83a5c2c. ServerProtect version 5.58 Build 1176 (Security Patch 3) is affected.
  • Ref: http://www.securityfocus.com/archive/1/477283

  • 07.35.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Clam AntiVirus ClamAV Multiple Remote Denial of Service Vulnerabilities
  • Description: ClamAV is an antivirus application for Microsoft Windows and UNIX-like operating systems. The application is exposed to multiple denial of service issues. ClamAV versions prior to 0.91.2 are affected.
  • Ref: http://kolab.org/security/kolab-vendor-notice-17.txt

  • 07.35.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Notes NTMulti.EXE Local Privilege Escalation
  • Description: IBM Lotus Notes is an email client/server application for Microsoft Windows, Linux, and Sun Solaris operating systems. The application is exposed to a local privilege escalation issue because it fails to assign proper file permissions during installation.
  • Ref: http://www.securityfocus.com/archive/1/477312

  • 07.35.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Trend Micro ServerProtect Multiple RPC Remote Buffer Overflow Vulnerabilities
  • Description: Trend Micro ServerProtect is an antivirus application designed specifically for servers. The application is exposed to multiple remote buffer overflow issues because the application fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. ServerProtect version 5.58 Build 1176 (Security Patch 3) is affected.
  • Ref: http://www.kb.cert.org/vuls/id/204448

  • 07.35.32 - CVE: CVE-2007-4455
  • Platform: Cross Platform
  • Title: Asterisk SIP Dialog History Resource Exhaustion Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. The application is exposed to a remote denial of service issue when handling SIP dialog history. Specifically, the application fails to specify a limit on the number of history items stored in a SIP dialog.
  • Ref: http://www.securityfocus.com/archive/1/477273

  • 07.35.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: NuFW Time Based Filtering Rule Bypass
  • Description: NuFW is a freely available, open-source authenticating firewall suite. The application is exposed to a rule-bypass issue that affects time based filtering rules. NuFW versions prior to 2.2.4 are affected.
  • Ref: http://www.nufw.org/+NuFW-2-2-4,201+.html

  • 07.35.34 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Total Commander FileInfo Plugin Multiple PE File Denial of Service Vulnerabilities
  • Description: FileInfo is a plugin for the Total Commander application. It is designed to provide extra information about files to users. The application is exposed to multiple PE file denial of service issues due to a failure of the plugin to properly handle malformed input. FileInfo version 2.09 is affected.
  • Ref: http://www.securityfocus.com/archive/1/477170

  • 07.35.35 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Epic Games Unreal Engine Logging Function Remote Denial of Service
  • Description: Epic Games' Unreal Engine is a 3D game engine used by Unreal and many other games. The Unreal Engine is exposed to a remote denial of service issue due to a failure of the application to properly bounds-check user-supplied input. Unreal Engine versions as included in Unreal Tournament 2003 and 2004 are affected.
  • Ref: http://www.securityfocus.com/archive/1/477026

  • 07.35.36 - CVE: CVE-2007-3618
  • Platform: Cross Platform
  • Title: EMC Legato Networker Remote Exec Service Stack Buffer Overflow
  • Description: EMC Legato Networker is a centralized data protection system available for multiple operating platforms. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. EMC Legato Networker versions in the 7.0.0 series are affected.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-07-049.html

  • 07.35.37 - CVE: Not Available
  • Platform: Cross Platform
  • Title: id3lib Insecure Temporary File Creation
  • Description: The id3lib library is an open-source library for reading and manipulating ID3v1 and ID3v2 tags. The id3lib library creates temporary files in an insecure manner. Specifically, the "RenderV2ToFile()" function in the "tag_file.cpp" source file contains an improper "#if" compiler directive that causes the library to fail to utilize the "mkstemp()" function. This causes temporary files to be created with predictable names. id3lib version 3.8.3 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=438540

  • 07.35.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Toribash Multiple Vulnerabilities
  • Description: Toribash is a fighting game that is available for Microsoft Windows, Mac OS X, and Linux platforms. The application is exposed to multiple remote code execution and denial of service issues that affect game servers and clients. Toribash version 2.4, 2.5, 2.6 and 2.7 are affected.
  • Ref: http://www.securityfocus.com/archive/1/477025

  • 07.35.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: WordPress Pool Index.PHP Cross-Site Scripting
  • Description: Pool is a web-based theme for Wordpress. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "index.php" script to the "header.php" script. WordPress Pool version 1.0.7 is affected.
  • Ref: http://www.securityfocus.com/bid/25413

  • 07.35.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: coWiki Index.PHP Cross-Site Scripting
  • Description: coWiki is a wiki engine application implemented in PHP. The project has been inactive since 2006. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "q" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/archive/1/477253

  • 07.35.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: m-phorum Index.PHP Cross-Site Scripting
  • Description: m-phorum is a forum application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "go" parameter of the "index.php" script. m-phorum version 0.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/477253

  • 07.35.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ALeadSoft Search Engine Builder Search.HTML Cross-Site Scripting
  • Description: ALeadSoft Search Engine Builder is a web application used for constructing search engines. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "searWords" parameter of the "search.html" page.
  • Ref: http://www.securityfocus.com/archive/1/477253

  • 07.35.43 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Text File Search Classic TextFileSearch.ASP Cross-Site Scripting
  • Description: Text File Search Classic is an ASP-based application for searching for text in a text file. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "query" parameter of the "textfilesearch.asp" script.
  • Ref: http://www.securityfocus.com/bid/25350

  • 07.35.44 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Text File Search TextFileSearch.ASPX Cross-Site Scripting
  • Description: Text File Search is an ASP-based application for searching for text in text files. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue occurs in the "search" field parameter of the "textfilesearch.aspx" script.
  • Ref: http://www.securityfocus.com/bid/25349

  • 07.35.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Olate Download Download.PHP Multiple SQL Injection Vulnerabilities
  • Description: Olate Download is a download manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. These issues occur in the "Referer" and "User-Agent" HTTP request headers of the "download.php" script. Olate Download version 3.4.2 is affected.
  • Ref: http://myimei.com/security/2007-08-22/olate-download-342downloadphp-sql-injection.html

  • 07.35.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Olate Download Admin.PHP SQL Injection
  • Description: Olate Download is a download manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "OD3_AutoLogin" cookie parameter used by the "admin.php" script before using it in an SQL query. Olate Download versions prior to 3.4.2 are affected.
  • Ref: http://myimei.com/security/2007-08-16/olate-download-341adminphpauthentication-bypassing.html

  • 07.35.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SimpleFAQ Index.PHP SQL Injection
  • Description: SimpleFAQ is a frequently asked questions component for the Mambo and Joomla content management systems. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "aid" parameter of the "index.php" script before using it in an SQL query. SimpleFAQ version 2.11 is affected.
  • Ref: http://www.securityfocus.com/archive/1/477174

  • 07.35.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Gurur Haber Uyeler2.PHP SQL Injection
  • Description: Gurur Haber is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "uyeler2.php" script before using it in an SQL query. Gurur Haber version 2.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/477121

  • 07.35.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TorrentTrader Multiple Unspecified SQL Injection Vulnerabilities
  • Description: TorrentTrader is a web-based torrent tracking application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to unspecified parameters and script files before using it in an SQL query. TorrentTrader versions prior to 1.07 are affected.
  • Ref: http://www.securityfocus.com/bid/25369

  • 07.35.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Ampache Albums.PHP SQL Injection
  • Description: Ampache is a PHP-based audio file manager. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input to the "match" parameter of the "album.php" script before using it in an SQL query. Ampache versions prior to 3.3.3.5 are affected.
  • Ref: http://www.securityfocus.com/bid/25362

  • 07.35.51 - CVE: Not Available
  • Platform: Web Application
  • Title: phpress ADisplay.PHP Local File Include
  • Description: phpress is a newspaper analysis and information management application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "lang" parameter of the "adisplay.php" script. phpress version 0.2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25415

  • 07.35.52 - CVE: Not Available
  • Platform: Web Application
  • Title: SPIP Inc-Calcul.PHP3 Remote File Include
  • Description: SPIP is a web-based content management system. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "squelette_cache" parameter of the "inc-calcul.php3" script. SPIP version 1.7.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25416

  • 07.35.53 - CVE: Not Available
  • Platform: Web Application
  • Title: Ripe Website Manager Multiple SQL and HTML Injection Vulnerabilities
  • Description: Ripe Website Manager is a content manager. The application is exposed to multiple input validation issues due to a failure of the application to properly sanitize user-supplied input. Ripe Website Manager versions prior to 0.8.10 are affected.
  • Ref: http://www.securityfocus.com/archive/1/477320

  • 07.35.54 - CVE: Not Available
  • Platform: Web Application
  • Title: American Financing eMail Image Upload Output.PHP Arbitrary File Upload
  • Description: eMail Image Upload is an application that allows users to upload files on a webserver. The application is exposed to an arbitrary file upload issue because the application fails to sufficiently sanitize user-supplied input in an unspecified parameter of the "output.php" script before uploading files onto the webserver. eMail Image Upload version 4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/25404

  • 07.35.55 - CVE: Not Available
  • Platform: Web Application
  • Title: phUploader phUploader.PHP Arbitrary File Upload
  • Description: phUploader is a PHP-based application that allows users to upload files onto a webserver. The application is exposed to an arbitrary file upload issue because it fails to sanitize user-supplied input in an unspecified parameter of the "phUploader.php" script before uploading files onto the webserver. phUploader version 1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/25405

  • 07.35.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Squirrelcart Popup_Window.PHP Remote File Include
  • Description: Squirrelcart is a shopping-cart application for e-commerce sites. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "site_isp_root" parameter of the "popup_window.php" script.
  • Ref: http://www.securityfocus.com/bid/25382

  • 07.35.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Firesoft Class_TPL.PHP Remote File Include
  • Description: Firesoft is a web application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "cache_file" parameter of the "/includes/class/class_tpl.php" script.
  • Ref: http://www.securityfocus.com/bid/25366

  • 07.35.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Project and Project Issue Tracking Modules Insecure Permissions Security Bypass
  • Description: The Drupal Project and Project Issue Tracking modules are third-party modules used to track various projects. The modules are available for the Drupal content manager. The modules are exposed to a security bypass issue because of an access validation error in the affected modules.
  • Ref: http://drupal.org/node/168760

  • 07.35.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Dalai Forum Forumreply.PHP Local File Include
  • Description: Dalai Forum is a web-based forum. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "chemin" parameter of the "forumreply.php" script. Florian Mahieu Dalai Forum version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/25361

  • 07.35.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Olate Download Environment.PHP Arbitrary Script Code Execution
  • Description: Olate Download is a download manager. The application is exposed to an arbitrary script code execution issue due to a failure of the application to properly sanitize user-supplied input prior to utilizing it in a PHP "eval" statement. Olate Download version 3.4.1 is affected.
  • Ref: http://myimei.com/security/2007-08-17/olate-download-341-environmentphpphp-code-execution.html

  • 07.35.61 - CVE: Not Available
  • Platform: Network Device
  • Title: Grandstream GXV-3000 Phone Remote Denial of Service
  • Description: Grandstream GXV-3000 phones are VOIP-enabled telephony products. The application is exposed to a remote denial of service issue when handling a specific combination of SIP messages. Grandstream GXV-3000 phones with software version 1.0.1.7 and boot/loader 1.0.0.18/1.0.0.6 are affected.
  • Ref: http://www.securityfocus.com/bid/25399

  • 07.35.62 - CVE: Not Available
  • Platform: Network Device
  • Title: Planet VC-200M VDSL2 Router Administration Interface Remote Denial of Service
  • Description: The Planet VC-200M VDSL2 Router is a hardware networking device. The device is exposed to a remote denial of service issue because it fails to handle malicious HTTP requests. The Planet VC-200M VDSL2 Router is affected.
  • Ref: http://www.securityfocus.com/archive/1/477253

  • 07.35.63 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco 7940 Phone SIP Message Handling Remote Denial of Service Vulnerabilities
  • Description: The Cisco 7940 phone is a VoIP-enabled telephony product. The device is exposed to multiple denial of service issues because it fails to handle specially crafted SIP message requests. Cisco 7940 devices running firmware P0S3-08-6-00 are affected.
  • Ref: http://www.securityfocus.com/bid/25378

  • 07.35.64 - CVE: CVE-2007-4213
  • Platform: Network Device
  • Title: Palm OS Treo Smartphone Remote Denial of Service
  • Description: Treo Smartphones running the Palm OS are exposed to a denial of service issue because they fail to handle excessive amounts of specially crafted ICMP requests. This issue occurs when multiple ICMP "echo" requests with a packet size of 1470 bytes are received by an affected device. Palm Treo 650 and 700p Smartphones are affected.
  • Ref: http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-007.txt

  • 07.35.65 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS Show IP BGP Regexp Remote Denial of Service
  • Description: Cisco IOS is exposed to a remote denial of service issue due to a failure of the software to properly handle certain CLI commands. Successfully exploiting this issue allows attackers to trigger device reboots, denying service to legitimate users.
  • Ref: http://www.heise-security.co.uk/news/94526/

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.