@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 38
September 17, 2007

No critical vulnerabilities in any widely used packages this week.

On the other hand, data is leaking out of large organizations at an extraordinary rate. Last week's news is tame compared with news coming in the next week or two. If you have not yet implemented broad-based data leakage protection and thorough encryption programs, mark your calendar for December 2-3 in Orlando for the Data Leakage and Mobile Encryption summits, where pioneering users will share the lessons they learned in implementing these essential technologies. You'll also go home with a short list of vendors to consider.

***WhatWorks in Stopping Data Leakage and Insider Threat Summit
http://www.sans.org/leakage07_summit/

***WhatWorks in Mobile Encryption Summit
http://www.sans.org/encryption07_summit/

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Category                                  # of Updates & Vulnerabilities
----------------------------------------  ------------------------------
Other Microsoft Products                  6 (#1, #2, #5)
Third Party Windows Apps                  11 (#4, #7, #8, #9)
Linux                                     3
Unix                                      1
Cross Platform                            11 (#3)
Web Application - Cross Site Scripting    7
Web Application - SQL Injection           9
Web Application                           24 (#6)
Network Device                            1

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: Microsoft MSN and Windows Live Messenger Memory Corruption (MS07-054)
  • Affected:
    • Microsoft MSN Messenger versions prior to 7.0.0820
    • Microsoft Windows Live Messenger versions prior to 8.1
  • Description: Microsoft Windows Live Messenger, formerly known as Microsoft MSN Messenger, is Microsoft's instant messaging application. This application supports live videoconferencing. Failure to properly handle specially crafted video data could trigger a memory corruption vulnerability. An attacker that successfully exploited this vulnerability would be able to execute arbitrary code with the privileges of the current user. Note that the user must first accept a video chat session from an attacker to be vulnerable. A proof-of-concept for this vulnerability is publicly available. This vulnerability was discussed in a previous edition of @RISK.

  • Status: Microsoft confirmed, updates available.

  • References:
  • (3) HIGH: Apple Quicktime Script Injection Vulnerability
  • Affected:
    • Apple QuickTime version 7.2.0 and prior
  • Description: Apple QuickTime is Apple's streaming media framework. QuickTime media link files are XML files that can be used to define various media streams and other parameters for QuickTime. A specially crafted media link file containing JavaScript or Mozilla Chrome information could trigger a vulnerability and lead to arbitrary script execution when viewed in a web browser. A malicious website hosting such a file could exploit this vulnerability to execute arbitrary scripting code with the privileges of the current user. Note that, depending on configuration, malicious content may be opened without first prompting the user. It is believed that the vulnerability is exploitable in Mozilla-based browsers (such as Firefox), Microsoft Internet Explorer, and Apple Safari. A proof-of-concept for this vulnerability is publicly available. Note that several Apple applications install QuickTime, including iTunes and Safari. It is believed that both the Mac OS X and Microsoft Windows platforms are vulnerable.

  • Status: Apple has not confirmed, no updates available.

  • References:
  • (4) HIGH: Multiple HP Products ActiveX Control Buffer Overflow
  • Affected:
    • HP HPQUTIL.DLL ActiveX Component
    • Products known to install this DLL include:
      • HP Photo and Image Gallery
      • HP All-in-One Series
  • Description: Multiple HP products install the HPQUTIL.DLL library. This library exports several ActiveX controls. One of these controls contains a buffer overflow vulnerability in its "ListFiles" method. A specially crafted web page that instantiates this control could trigger this buffer overflow and execute arbitrary code with the privileges of the current user. A proof-of-concept for this vulnerability is publicly available.

  • Status: HP has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit" mechanism for CLSID "F3F381A3-4795-41FF-8190-7AA2A8102F85".

  • References:
  • (5) MODERATE: Microsoft Visual Studio Crystal Reports File Processing Vulnerability (MS07-052)
  • Affected:
    • Microsoft Visual Studio .NET 2002/2003
    • Microsoft Visual Studio 2005
  • Description: Microsoft Visual Studio, Microsoft's integrated development environment, ships with an embedded copy of Business Objects' Crystal Reports. Crystal Reports is a popular enterprise reporting application. A specially crafted Crystal Reports report file (RPT file) could trigger a vulnerability in Microsoft Visual Studio. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Depending upon configuration, Visual Studio may open such files without first prompting the user. A proof-of-concept for this vulnerability is publicly available.

  • Status: Microsoft confirmed, updates available. This vulnerability was first publicly reported in November of 2006 for the standalone Crystal Reports product. This advisory concerns the embedded copy in Microsoft Visual Studio.

  • References:
Other Software
  • (6) CRITICAL: ewire Payment Client Remote Command Execution
  • Affected:
    • ewire Payment Client versions 1.70 and prior
  • Description: The ewire Payment Client is a remote payment client for the Danish ewire payment settlement company. Vendors who wish to settle accounts via ewire install this client on their systems. The client is available in two versions, a PHP version and a Windows-based COM version. The PHP version contains a remote command execution vulnerability in its handling of the "paymentinfo" parameter. An attacker who successfully exploited this vulnerability would be able to execute arbitrary commands with the privileges of the web server process. A proof-of-concept and full technical details for this vulnerability are publicly available. Note that the PHP version is vulnerable and available for Microsoft Windows, Linux, and FreeBSD platforms.

  • Status: Vendor has not confirmed, no updates available.

  • References:
  • (7) HIGH: Callisto Photo Parade Player ActiveX Control Buffer Overflow
  • Affected:
    • Callisto Photo Parade Player
  • Description: Callisto Photo Parade Player is a popular slideshow and photo sharing application. It uses a custom ActiveX control. This control contains a buffer overflow in its "FileVersionOf" property. A specially crafted web page that instantiated this control could exploit this buffer overflow and execute arbitrary code with the privileges of the current user. Technical details for this vulnerability are publicly available.

  • Status: Callisto has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit" mechanism for CLSID "0115A685-ED24-4F7B-A08E-3BD15D84E668".

  • References:
  • (8) HIGH: PhotoChannel Networks Photo Upload Plugin ActiveX Control Buffer Overflow
  • Affected:
    • PhotoChannel Networks Photo Upload Plugin ActiveX Control versions prior to 2.0.0.10
  • Description: The PhotoChannel Networks Photo Upload Plugin is an ActiveX control used to upload photos to a server. This control is distributed and used by multiple retailers and photo processors, including Wal-Mart, K-Mart, and Eckerd Pharmacy. This control contains a buffer overflow that can be exploited by a specially crafted web page that instantiates the control. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user.

  • Status: Vendor confirmed, updates available.

  • References:
  • (9) HIGH: GlobalLink "glitemflat.dll" ActiveX Control Buffer Overflow
  • Affected:
    • GlobalLink glitemflat.dll ActiveX Control versions 2.7.0.8 and prior
  • Description: The GlobalLink "glitemflat.dll" ActiveX control contains a buffer overflow in its "SetClientInfo" method. A specially crafted web page that instantiates this control could exploit this buffer overflow and allow an attacker to execute arbitrary code with the privileges of the current user. A proof-of-concept for this vulnerability is publicly available.

  • Status: Vendor has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit" mechanism for CLSID "7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574".

  • References:
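One way to apply the "kill bit" mitigation named in items (4), (7) and (9), as an added example that is not part of the original bulletin: it writes the Internet Explorer ActiveX Compatibility flag for the three CLSIDs quoted above and reads it back. It assumes an elevated PowerShell session on the affected Windows host.

```powershell
# Added example, not from the @RISK bulletin: set and verify the IE kill bit
# for the three ActiveX CLSIDs named in items (4), (7) and (9).

# CLSIDs are the ones quoted in the bulletin; product names are comments only.
$KillBitTargets = @(
    'F3F381A3-4795-41FF-8190-7AA2A8102F85',  # HP HPQUTIL.DLL (item 4)
    '0115A685-ED24-4F7B-A08E-3BD15D84E668',  # Callisto Photo Parade Player (item 7)
    '7D1425D4-E2FC-4A52-BDA9-B9DCAC5EF574'   # GlobalLink glitemflat.dll (item 9)
)

# Internet Explorer consults this key before instantiating a control; bit 0x400
# in the "Compatibility Flags" DWORD tells it never to load that CLSID.
# On 64-bit Windows, 32-bit IE reads the same key under SOFTWARE\Wow6432Node.
$CompatBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit    = 0x400

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatBase "{$Clsid}"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve flags that are already present; only OR in the kill bit.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $new -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatBase "{$Clsid}"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

foreach ($clsid in $KillBitTargets) {
    Set-ActiveXKillBit -Clsid $clsid
    $state = if (Test-ActiveXKillBit -Clsid $clsid) { 'kill bit set' } else { 'NOT set' }
    '{0}  {1}' -f $clsid, $state
}
```

The kill bit only stops Internet Explorer from loading the control; it does not remove the vulnerable DLL, so a vendor update is still the complete fix.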
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 38, 2007

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.38.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft SQL Server sqldmo.dll ActiveX Buffer Overflow
  • Description: Microsoft SQL Server is an implementation of an SQL relational database developed by Microsoft. Microsoft SQL Server "sqldmo.dll" ActiveX control is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. The issue occurs when passing excessive amounts of data to the "Start()" method.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.38.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Visual Basic 6.0 VBP_Open Project File Handling Buffer Overflow
  • Description: Microsoft Visual Basic 6.0 is a development platform for building applications on Microsoft platforms. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://www.securityfocus.com/bid/25629

  • 07.38.3 - CVE: CVE-2007-3036
  • Platform: Other Microsoft Products
  • Title: Microsoft Windows Services for UNIX Local Privilege Escalation
  • Description: Microsoft Windows Services for UNIX and Microsoft Subsystem for UNIX-based Applications are software packages available for Microsoft Windows operating systems that add compatibility services for UNIX-based applications and services. The application is exposed to a local privilege escalation issue that stems from a flaw in the handling of connection credentials of setuid-privileged binary files. Microsoft Windows Services for UNIX versions 3.0 and 3.5 and Microsoft Subsystem for UNIX-based Applications are affected.
  • Ref: http://www.kb.cert.org/vuls/id/768440

  • 07.38.4 - CVE: CVE-2007-3040
  • Platform: Other Microsoft Products
  • Title: Microsoft Agent agentdpv.dll ActiveX Control Malformed URL Stack Buffer Overflow
  • Description: Microsoft Agent is a set of software services for developers to enhance the user interface of web-based applications. The application is exposed to a stack-based buffer overflow issue because it fails to adequately bounds check user-supplied data. The issue occurs in the "agentdpv.dll" ActiveX control.
  • Ref: http://www.kb.cert.org/vuls/id/716872

  • 07.38.5 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Visual Studio VB To VSI Support Library ActiveX Arbitrary File Overwrite
  • Description: Microsoft Visual Studio VB To VSI Support Library ActiveX Control is a support library for Visual Studio. The ActiveX Control is exposed to an issue that lets attackers overwrite arbitrary files with attacker-supplied content.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.38.6 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Visual Studio PDWizard.ocx ActiveX Control Multiple Remote Vulnerabilities
  • Description: Microsoft Visual Studio is a development tool for building applications on Microsoft platforms and web technologies. The application is exposed to multiple remote issues. The issues occur in the "PDWizard.ocx" ActiveX control. Microsoft Visual Studio version 6.0.0 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.38.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: GlobalLink glitemflat.dll ActiveX Control Heap Buffer Overflow
  • Description: GlobalLink is exposed to a heap-based buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. The issue occurs in the "SetClientInfo()" method of the "glitemflat.dll" ActiveX control. GlobalLink version 2.7.0.8 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.38.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EDraw Office Viewer Component HttpDownloadFileToTempDir ActiveX Buffer Overflow
  • Description: The EDraw Office Viewer Component is an ActiveX control to display and interact with Microsoft Office files such as Word, Excel, PowerPoint, Project, and Visio. The application is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. EDraw Office Viewer Component version 5.2 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.38.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BaoFeng Storm MPS.DLL ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities
  • Description: BaoFeng Storm is a multi-media player. The application is exposed to multiple buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. BaoFeng Storm versions 2.8 and 2.9 are affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.38.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ultra Crypto Component CryptoX.dll ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities
  • Description: Ultra Crypto Component is an ActiveX component for encrypting and decrypting both strings and binary data. The control is exposed to multiple buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. These issues affect the "AcquireContext()" and "DeleteContext()" methods of "CryptoX.dll".
  • Ref: http://support.microsoft.com/kb/240797

  • 07.38.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ultra Crypto Component ActiveX Control SaveToFile Arbitrary File Overwrite
  • Description: Ultra Crypto Component is an ActiveX component for encrypting and decrypting both strings and binary data. The ActiveX Control is exposed to an issue that lets attackers overwrite arbitrary files with attacker-supplied content.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.38.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: CellFactor Revolution Multiple Remote Code Execution Vulnerabilities
  • Description: CellFactor Revolution is a freely-available game for the Microsoft Windows platform. The application is exposed to multiple remote issues. There is a format string issue that occurs because the application fails to sanitize user-supplied input before using it in a formatted-printing function. There is also a buffer overflow issue that occurs because the application fails to properly bounds check user-supplied input prior to copying it to an insufficiently sized memory buffer. CellFactor Revolution version 1.03 is affected.
  • Ref: http://aluigi.altervista.org/adv/cellfucktor-adv.txt

  • 07.38.13 - CVE: CVE-2007-4472
  • Platform: Third Party Windows Apps
  • Title: Broderbund 3DGreetings Player ActiveX Control Multiple Buffer Overflow Vulnerabilities
  • Description: Broderbund 3DGreetings Player is an ActiveX control for displaying 3D greeting cards on the Internet. The application is exposed to multiple remote buffer overflow issues because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://www.kb.cert.org/vuls/id/574401

  • 07.38.14 - CVE: CVE-2007-4749
  • Platform: Third Party Windows Apps
  • Title: Autodesk Backburner cmdjob Unauthorized Access
  • Description: Backburner is a facility wide network render manager for 3ds Max, Combustion, Inferno, Flame, Flint, Fire, Smoke, and Lustre. The application is exposed to an unauthorized access issue because it fails to authenticate users submitting jobs to the remote job queuing tool "cmdjob". Backburner version 3.0.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/479193

  • 07.38.15 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Media Player Classic Malformed AVI Header Multiple Remote Vulnerabilities
  • Description: Media Player Classic is a media player available for Microsoft Windows. The application is exposed to multiple remote issues that occur when handling malformed AVI files. Media Player Classic version 6.4.9.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/475150

  • 07.38.16 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: WinSCP URL Protocol Handler Arbitrary File Access
  • Description: WinSCP is a freely available secure file transfer client for Microsoft Windows operating systems. WinSCP has the functionality to handle "sftp:" (SSH File Transfer Protocol) and "scp:" (Secure Copy) addresses. The application is exposed to an arbitrary file access issue. WinSCP versions prior to 4.0.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/479298

  • 07.38.17 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: COWON America jetCast Server Remote Denial of Service
  • Description: jetCast Server facilitates broadcasting of music over the Internet. It is available for the Microsoft Windows operating platform. The application is exposed to a remote denial of service issue. jetCast Server version 2 is affected.
  • Ref: http://www.securityfocus.com/bid/25660

  • 07.38.18 - CVE: CVE-2007-4752
  • Platform: Linux
  • Title: OpenSSH X11 Cookie Local Authentication Bypass
  • Description: OpenSSH is a free implementation of the Secure Shell protocol suite. It is available for a large array of operating platforms. The application is exposed to a local authentication bypass issue because the software fails to properly manage trusted and untrusted X11 cookies. OpenSSH version 4.6 is affected.
  • Ref: https://bugs.gentoo.org/show_bug.cgi?id=191321

  • 07.38.19 - CVE: Not Available
  • Platform: Linux
  • Title: MPlayer AVIHeader.C Heap Based Buffer Overflow
  • Description: MPlayer is an application for playing movies. It runs on Linux operating systems. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input data. MPlayer version 1.0rc1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/479222

  • 07.38.20 - CVE: Not Available
  • Platform: Linux
  • Title: KMPlayer Multiple Remote Denial of Service Vulnerabilities
  • Description: KMPlayer is a multi-media player available for the KDE desktop. The application is exposed to multiple denial of service issues when handling malformed AVI media files. These issues occur when handling AVI files with malformed "indx truck size", "wLongsPerEntry", and "nEntriesInuse" header values. KMPlayer version 2.9.3.1210 is affected.
  • Ref: http://www.securityfocus.com/archive/1/479222

  • 07.38.21 - CVE: CVE-2007-4631
  • Platform: Unix
  • Title: QGit DataLoader::doStart Function Local Privilege Escalation
  • Description: QGit is a software version control application available for Unix, Linux and other Unix-like operating systems. The application is exposed to a local privilege escalation issue that occurs in the "DataLoader::doStart()" function in "dataload.cpp". QGit versions prior to 1.5.7 are affected.
  • Ref: http://bugs.gentoo.org/show_bug.cgi?id=190697

  • 07.38.22 - CVE: CVE-2007-4730
  • Platform: Cross Platform
  • Title: X.Org X Server Composite Extension Local Buffer Overflow
  • Description: The X.Org X Window System is a window server for Unix, Linux, and variants. It is freely available and distributed publicly. The application is exposed to a local buffer overflow issue due to a design error in the X Server composite extension. X.Org X Server version 1.3.99.2 (RC2) is affected.
  • Ref: http://lists.freedesktop.org/archives/xorg-announce/2007-September/000378.html

  • 07.38.23 - CVE: CVE-2007-4727
  • Platform: Cross Platform
  • Title: Lighttpd Mod_FastCGI Request Headers Remote Buffer Overflow
  • Description: Lighttpd is a freely-available web server application. The application is exposed to a remote buffer overflow issue because the application fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. Lighttpd version 1.4.17 is affected.
  • Ref: http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/

  • 07.38.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Application Server Edge Component Unspecified
  • Description: IBM WebSphere Application Server is exposed to an unspecified issue that affects the Edge Component. IBM WebSphere Application Server version 6.1.0.11 is affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg24016159

  • 07.38.25 - CVE: CVE-2007-3410
  • Platform: Cross Platform
  • Title: RealPlayer/HelixPlayer AU Divide-By-Zero Denial of Service
  • Description: RealPlayer and HelixPlayer are media players developed by Real Networks. The applications are exposed to a denial of service issue while processing a malformed AU file. A divide-by-zero exception can occur, causing the affected applications to crash.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2007-09/att-0154/OS2A_1010.txt

  • 07.38.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Quagga Routing Suite Multiple Denial Of Service Vulnerabilities
  • Description: Quagga Routing Suite is a suite of routing applications written for FreeBSD, Linux, Solaris, and NetBSD operating systems. The application is exposed to multiple denial of service issues. A denial of service condition occurs when the application handles specially crafted "OPEN" messages, and also when the application handles specially crafted "COMMUNITY" attributes that are included in messages. Quagga Routing Suite versions prior to 0.99.9 are affected.
  • Ref: http://www.quagga.net/download/quagga-0.99.9.changelog.txt

  • 07.38.27 - CVE: CVE-2007-4138
  • Platform: Cross Platform
  • Title: Samba NSS_Info Plugin Local Privilege Escalation
  • Description: Samba is a file and print server for SMB/CIFS clients that supports interoperability between multiple operating systems. The application is exposed to a local privilege escalation issue due to a logic error in the Winbind daemon (winbindd). Samba versions 3.0.25 through 3.0.25c are affected.
  • Ref: http://www.securityfocus.com/archive/1/479078

  • 07.38.28 - CVE: CVE-2007-4651
  • Platform: Cross Platform
  • Title: Adobe Connect Enterprise Server Information Disclosure
  • Description: Adobe Connect Enterprise Server is a communication system used to support and extend the functionality of Adobe Acrobat Connect Professional. The server is exposed to an information disclosure issue because it fails to perform adequate access validation. Adobe Connect Enterprise Server version 6 prior to Service Pack 3 is affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb07-14.html

  • 07.38.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ekiga GetHostAddress Remote Denial of Service
  • Description: Ekiga is a VoIP and video-conferencing application. It is also known as GnomeMeeting. The application is exposed to a remote denial of service issue that arises due to memory mismanagement when handling user-supplied data. Ekiga versions 2.0.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/479185

  • 07.38.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SafeSquid Prior to 4.2.0 Unspecified Security
  • Description: SafeSquid is a content filtering proxy server. The application is exposed to an unspecified security issue. SafeSquid versions prior to 4.2.0 are affected.
  • Ref: http://www.securityfocus.com/bid/25649

  • 07.38.31 - CVE: CVE-2007-4137
  • Platform: Cross Platform
  • Title: Trolltech QT ToUnicode Function Off By One Buffer Overflow
  • Description: Trolltech Qt is an application-development framework that supports windowing, multimedia, and other functionality and is available for several platforms. The application is exposed to a buffer overflow issue because the framework fails to perform adequate boundary checks on user-supplied data. The problem is due to an off-by-one buffer overflow issue in the "QUtf8Decoder::toUnicode()" function when parsing UTF-8 encoded strings.
  • Ref: https://rhn.redhat.com/errata/RHSA-2007-0883.html

  • 07.38.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: AOL Instant Messenger Notification Window Remote Script Code Execution
  • Description: AOL Instant Messenger is a real-time chat application available for Windows, Linux and Mac OS operating platforms. The application is exposed to a remote script code execution issue. When a notification window is out of main focus, arbitrary HTML or JavaScript sent to the user in a message from a third party will be rendered and executed. AOL Instant Messenger version 6.1.41.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/479199

  • 07.38.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Netjuke Multiple Cross Site Scripting Vulnerabilities
  • Description: Netjuke is a web-based media player. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. Netjuke version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/478871

  • 07.38.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DirectAdmin CMD_BANDWIDTH_BREAKDOWN Cross-Site Scripting
  • Description: DirectAdmin is a website-administration panel. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "user" parameter of the "CMD_BANDWIDTH_BREAKDOWN" script. DirectAdmin version 1.30.2 is affected.
  • Ref: http://pridels-team.blogspot.com/2007/09/directadmin-v1302-xss-vuln.html

  • 07.38.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MediaWiki API Pretty-Printing Mode Cross-Site Scripting
  • Description: MediaWiki is a wiki application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to unspecified parameters when API pretty-printing mode is enabled.
  • Ref: http://lists.wikimedia.org/pipermail/mediawiki-announce/2007-September/000067.html

  • 07.38.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: BOINC forum_text_search_action.php Multiple Cross-Site Scripting Vulnerabilities
  • Description: BOINC (Berkeley Open Infrastructure for Network Computing) is a PHP-based application for desktop grid computing. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the "search_string" and "id" parameters of the "forum_text_search_action.php?" script. BOINC version 5.10.20 is affected.
  • Ref: http://www.securityfocus.com/archive/1/479182

  • 07.38.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: RSA enVision Platform Cross-Site Scripting
  • Description: The RSA enVision platform is an application for managing enterprise security and compliance. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the username form field parameter of the login script. RSA enVision 3.3.6 Build 0115 is affected.
  • Ref: http://www.securityfocus.com/archive/1/479183

  • 07.38.38 - CVE: CVE-2007-4465
  • Platform: Web Application - Cross Site Scripting
  • Title: Apache Mod_AutoIndex.C Undefined Charset Cross-Site Scripting
  • Description: Apache is a web server application available for multiple operating platforms. The application is exposed to an issue due to the lack of a defined charset on certain generated pages. Apache2 versions prior to 2.2.6 are affected.
  • Ref: http://www.securityfocus.com/archive/1/479237

  • 07.38.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: LetterGrade Multiple Cross-Site Scripting Vulnerabilities
  • Description: LetterGrade is a PHP-based online academic progress-tracking tool. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the "year" parameter of "genbrws/Student/cal_month.php3" and to unspecified parameters of the calendar component.
  • Ref: http://www.securityfocus.com/bid/25662

  • 07.38.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: RW::Download Index.PHP Multiple SQL Injection Vulnerabilities
  • Description: RW::Download is a PHP-based download manager application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "dlid" and "cid" parameters of the "index.php" script before using it in an SQL query. RW::Download version 2.0.3 lite is affected.
  • Ref: http://www.securityfocus.com/bid/25589

  • 07.38.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Webace Linkscript start.php SQL Injection
  • Description: Linkscript is a PHP-based catalog application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "start.php" script before using it in an SQL query. Linkscript version 1.3 Special Edition is affected.
  • Ref: http://www.securityfocus.com/bid/25592

  • 07.38.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Netjuke Multiple SQL Injection Vulnerabilities
  • Description: Netjuke is a web-based media player. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "ge_id" parameter of "explore.php", and the "id" parameter of "xml.php" before using it in SQL queries.
  • Ref: http://www.securityfocus.com/archive/1/478871

  • 07.38.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: TLM CMS Multiple SQL Injection Vulnerabilities
  • Description: TLM CMS is a web-based content management system. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data before using it in SQL queries. TLM CMS version 3.2 is affected.
  • Ref: http://www.securityfocus.com/bid/25602

  • 07.38.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Proxy Anket anket.asp SQL Injection
  • Description: Proxy Anket is a web-based application implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of "anket.asp" before using it in an SQL query. Proxy Anket version 3.0.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/478971

  • 07.38.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AuraCMS ID Parameter Multiple SQL Injection Vulnerabilities
  • Description: AuraCMS is a web-based content manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "id" parameter of "hal.php", "cetak.php", "lihat.php", "pesan.php" and "teman.php" scripts before using it in SQL queries. AuraCMS 1.5rc is affected.
  • Ref: http://www.securityfocus.com/bid/25614

  • 07.38.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: psi-labs.com psisns SQL Injection
  • Description: psisns is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "u" parameter of "profile/myprofile.php" before using it in an SQL query. psisns version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25631

  • 07.38.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SWsoft Plesk PLESKSESSID Parameter Multiple SQL Injection Vulnerabilities
  • Description: Plesk is a server management application targeted at hosting providers. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "PLESKSESSID" cookie parameter of the "login.php3" and "auth.php3" scripts before using it in SQL queries. Plesk versions 7.6.1, 8.1.0, 8.1.1 and 8.2.0 for Microsoft Windows are affected.
  • Ref: http://www.securityfocus.com/archive/1/464064

  • 07.38.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Module jeuxflash for KwsPHP ID Parameter SQL Injection
  • Description: KwsPHP is a content management system (CMS) and Module jeuxflash is a module for KwsPHP. The module is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter before using it in an SQL query. Module jeuxflash version V1_0 is affected.
  • Ref: http://www.securityfocus.com/bid/25658
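Every SQL injection entry above (07.38.40 through 07.38.48) is the same defect: a request value, whether a GET parameter such as "id" or "dlid" or a cookie such as Plesk's PLESKSESSID, is concatenated into the text of a query. The following Python is an added example, not code from any product listed; it uses an in-memory SQLite database with constructed tables and rows to show the concatenated form next to the parameterised form for both a numeric id lookup and a cookie-keyed session lookup.

```python
import sqlite3


def make_db():
    """Constructed schema: a download index and a session table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (dlid INTEGER PRIMARY KEY, name TEXT, path TEXT);
        INSERT INTO downloads VALUES (1, 'readme', '/files/readme.txt');
        INSERT INTO downloads VALUES (2, 'backup', '/files/admin-backup.sql');
        CREATE TABLE sessions (sid TEXT PRIMARY KEY, login TEXT);
        INSERT INTO sessions VALUES ('c0ffee', 'admin');
    """)
    return conn


def download_vulnerable(conn, dlid):
    """The bug: the value becomes part of the SQL text, so SQL metacharacters in
    it change the query. "1 OR 1=1" returns every row."""
    sql = "SELECT name, path FROM downloads WHERE dlid = " + dlid
    return conn.execute(sql).fetchall()


def download_safe(conn, dlid):
    """The fix: the value is bound separately from the SQL text and can only be
    compared, never parsed. A non-numeric id simply matches nothing."""
    return conn.execute(
        "SELECT name, path FROM downloads WHERE dlid = ?", (dlid,)).fetchall()


def session_login_vulnerable(conn, cookie):
    """Cookie values are attacker-controlled too. Quoting the value in the SQL
    does not help once the attacker supplies the closing quote himself."""
    sql = "SELECT login FROM sessions WHERE sid = '" + cookie + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def session_login_safe(conn, cookie):
    row = conn.execute(
        "SELECT login FROM sessions WHERE sid = ?", (cookie,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(download_vulnerable(db, "1 OR 1=1"), download_safe(db, "1 OR 1=1"))
    print(session_login_vulnerable(db, "' OR '1'='1"), session_login_safe(db, "' OR '1'='1"))
```

The session case is the one to note for Plesk-style reports: the vulnerable lookup returns "admin" for a cookie of ' OR '1'='1 without the attacker knowing any session id, while the bound form returns nothing.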

  • 07.38.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Blogsphere Name Field HTML Injection
  • Description: Blogsphere is a PHP-based web log application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. This issue occurs in the "name" field of an unspecified script.
  • Ref: http://www.securityfocus.com/bid/25587

  • 07.38.50 - CVE: Not Available
  • Platform: Web Application
  • Title: OFFL DOC_ROOT Multiple Remote File Include Vulnerabilities
  • Description: OFFL (Online Fantasy Football League) is a web-based application to host a fantasy American-rules football league. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "DOC_ROOT" parameter of the "header.php" and "functions.php" scripts. OFFL version 0.2.6 is affected.
  • Ref: http://www.securityfocus.com/bid/25596

  • 07.38.51 - CVE: Not Available
  • Platform: Web Application
  • Title: TxX CMS doc_root Multiple Remote File Include Vulnerabilities
  • Description: TxX CMS is a web-based content management system. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "doc_root" parameter of the "modules/addons/plugin.php", "modules/addons/sidebar.php", "modules/mail/index.php" and "modules/mail/mailbox.php" scripts.
  • Ref: http://www.securityfocus.com/bid/25597

  • 07.38.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Focus/SIS Multiple Remote File Include Vulnerabilities
  • Description: Focus/SIS is an open-source web-based student information system. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input before using it in an "include()" function call. Focus/SIS version 1.0 is affected through the "FocusPath" parameter of "CategoryBreakdownTime.php". Focus/SIS 2.2 is affected through the "staticpath" parameter of "CategoryBreakdownTime.php" and "StudentFieldBreakdown.php".
  • Ref: http://www.securityfocus.com/bid/25603

  • 07.38.53 - CVE: Not Available
  • Platform: Web Application
  • Title: fuzzylime cms getgalldata.php Local File Include
  • Description: fuzzylime cms is a web-based content management system. fuzzylime cms was formerly known as PHP-Update. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "p" POST parameter of the "getgalldata.php" script. fuzzylime cms version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25597

  • 07.38.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Smart Sisfo Kampus blanko.preview.php Local File Include
  • Description: Smart Sisfo Kampus is a web-based campus information system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "nmf" parameter of the "blanko.preview.php" script. Smart Sisfo Kampus version 2006 is affected.
  • Ref: http://www.securityfocus.com/bid/25605

  • 07.38.55 - CVE: Not Available
  • Platform: Web Application
  • Title: ED Engine Codebase Parameter Multiple Remote File Include Vulnerabilities
  • Description: Ed Engine is a PHP-based file manager and content management system. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "Codebase" parameter of the "channeledit.php", "post.php", "view.php" and "viewitem.php" scripts. ED Engine version 0.8999 alpha is affected.
  • Ref: http://www.securityfocus.com/bid/25608

  • 07.38.56 - CVE: Not Available
  • Platform: Web Application
  • Title: TorrentTrader Account_Settings.PHP Multiple HTML Injection Vulnerabilities
  • Description: TorrentTrader is a web-based torrent-tracking application. The application is exposed to multiple HTML injection issues because the application fails to sufficiently sanitize user-supplied input to the "avatar" and "title" form field parameters of the "account_settings.php" script. TorrentTrader version 1.07 is affected.
  • Ref: http://www.securityfocus.com/bid/25616

  • 07.38.57 - CVE: Not Available
  • Platform: Web Application
  • Title: SisfoKampus dwoprn.php Arbitrary File Download
  • Description: SisfoKampus is a web-based campus information system. The application is exposed to an arbitrary file download issue because it fails to sufficiently sanitize user-supplied input to the "f" parameter of the "dwoprn.php" script. SisfoKampus version 2006 is affected.
  • Ref: http://www.securityfocus.com/bid/25617

  • 07.38.58 - CVE: Not Available
  • Platform: Web Application
  • Title: phpRealty MGR Parameter Multiple Remote File Include Vulnerabilities
  • Description: phpRealty is a PHP-based application for managing real-estate listings. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "MGR" parameter of the "index.php", "p_ins.php" and "u_ins.php" scripts. phpRealty version 0.02 is affected.
  • Ref: http://www.securityfocus.com/bid/25610
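Entries 07.38.50 through 07.38.58 (and the similar AuraCMS, NuclearBB and X-Cart entries further down) share one root cause: a request parameter named DOC_ROOT, doc_root, FocusPath, staticpath, p, nmf, Codebase, f or MGR is used to build the path handed to include() or to a file read, so a remote URL (remote file include), a traversal sequence (local file include) or an arbitrary file name (arbitrary download) is accepted. The following Python is an added example, not code from any of those projects; it shows the two fixes a practitioner would apply: an allow-list map for "which page or module to load" parameters, and real-path containment for "which file to serve" parameters, exercised against a constructed temporary directory tree.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Constructed allow-list for module/page selectors: request value -> file under
# the application root. Nothing outside this table is ever loaded.
MODULES = {
    "home": "modules/home.php",
    "mail": "modules/mail/index.php",
}


def resolve_module(name):
    """Map a request value to a known file; anything not listed is refused,
    which covers http://attacker/shell.txt and ../../etc/passwd alike."""
    return MODULES.get(name)


def resolve_download(base_dir, requested):
    """Absolute path of `requested` if it is an existing file under base_dir,
    else None. Refuses URLs and stream wrappers (http://, php://), absolute
    paths, traversal, and symlinks that point outside the tree."""
    if urlsplit(requested).scheme:
        return None
    if os.path.isabs(requested):
        return None
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    # Compare with the separator appended so that /srv/files-old does not
    # count as being under /srv/files.
    if target != root and not target.startswith(root + os.sep):
        return None
    if not os.path.isfile(target):
        return None
    return target


def demo():
    """Build a constructed tree (one legitimate file, one symlink escaping the
    tree) and return the verdict for each kind of request value."""
    base = tempfile.mkdtemp(prefix="files-")
    outside = tempfile.mkdtemp(prefix="secret-")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "q3.txt"), "w") as fh:
        fh.write("quarterly report\n")
    secret = os.path.join(outside, "config.php")
    with open(secret, "w") as fh:
        fh.write("<?php $db_pass = 'hunter2';\n")
    os.symlink(secret, os.path.join(base, "reports", "link"))
    return {
        "good": resolve_download(base, "reports/q3.txt") is not None,
        "traversal": resolve_download(base, "../../../../etc/passwd"),
        "absolute": resolve_download(base, "/etc/passwd"),
        "url": resolve_download(base, "http://attacker.example/shell.txt"),
        "wrapper": resolve_download(base, "php://filter/resource=index.php"),
        "symlink": resolve_download(base, "reports/link"),
        "module_ok": resolve_module("mail"),
        "module_rfi": resolve_module("http://attacker.example/shell.txt?"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The realpath() step is what makes the containment check meaningful: a prefix comparison on the raw joined string would still pass "reports/../../secret" and would follow the symlink.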

  • 07.38.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! Comp Restaurante Component Index.PHP Arbitrary File Upload
  • Description: The Joomla! Comp Restaurante component is a PHP-based restaurant directory component for the Joomla! content management system. The component is exposed to an arbitrary file upload issue because it fails to limit the file types that can be uploaded. The issue occurs in the "index.php" script when the "option" parameter is set to "com_restaurant" and the "task" parameter is set to "upload".
  • Ref: http://www.securityfocus.com/bid/25612

  • 07.38.60 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMyQuote Index.PHP SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: phpMyQuote is a web-based quote system. The application is exposed to multiple input validation issues. The "id" parameter of the "index.php" script is vulnerable to both cross-site scripting and SQL injection attacks. phpMyQuote version 0.20 is affected.
  • Ref: http://www.securityfocus.com/archive/1/478967

  • 07.38.61 - CVE: Not Available
  • Platform: Web Application
  • Title: AuraCMS Index.PHP Local File Include
  • Description: AuraCMS is a web-based content management system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "pilih" parameter of the "index.php" script.
  • Ref: http://www.milw0rm.com/exploits/4390

  • 07.38.62 - CVE: Not Available
  • Platform: Web Application
  • Title: AuraCMS mod/contak.php Arbitrary File Upload
  • Description: AuraCMS is a web-based content management system. The application is exposed to an arbitrary file upload issue because it fails to limit the file types that can be uploaded when uploading images. AuraCMS version 2.1 is affected.
  • Ref: http://www.milw0rm.com/exploits/4390

  • 07.38.63 - CVE: Not Available
  • Platform: Web Application
  • Title: TechExcel CustomerWise Multiple Input Validation Vulnerabilities
  • Description: CustomerWise is a web-based Customer Relationship Management (CRM) application. The application is exposed to multiple input validation issues, including cross-site scripting and HTML injection issues, because it fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/25624

  • 07.38.64 - CVE: Not Available
  • Platform: Web Application
  • Title: NuclearBB send_queued_emails.php Remote File Include
  • Description: NuclearBB is a PHP-based bulletin board application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root_path" parameter of the "send_queued_emails.php" script. NuclearBB alpha version 2.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/479086

  • 07.38.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Qualiteam X-Cart xcart_dir Multiple Remote File Include Vulnerabilities
  • Description: X-Cart is a web-based shopping-cart application. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "xcart_dir" parameter.
  • Ref: http://www.securityfocus.com/bid/25637

  • 07.38.66 - CVE: Not Available
  • Platform: Web Application
  • Title: WordPress Unfiltered_HTML Field Name HTML Injection
  • Description: WordPress allows users to generate news pages and web logs dynamically; it is implemented in PHP with a MySQL database. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. WordPress versions prior to 2.2.3 are affected.
  • Ref: http://trac.wordpress.org/ticket/4720

  • 07.38.67 - CVE: Not Available
  • Platform: Web Application
  • Title: XWiki Multiwiki Setup Information Disclosure
  • Description: XWiki is a wiki application. The application is exposed to an information disclosure issue due to an unspecified design error in the multiwiki setup. XWiki versions prior to 1.1 RC2 are affected.
  • Ref: http://www.xwiki.org/xwiki/bin/view/Main/ReleaseNotesXWikiEnterprise11RC2

  • 07.38.68 - CVE: Not Available
  • Platform: Web Application
  • Title: CS-Guestbook Login Credentials Information Disclosure
  • Description: CS-Guestbook is a PHP-based guestbook application. The application is exposed to an information disclosure issue because it does not adequately protect its stored login credentials. ComScripts TEAM CS-Guestbook version 0.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/479194

  • 07.38.69 - CVE: CVE-2007-1688
  • Platform: Web Application
  • Title: Callisto PhotoParade Player PhPInfo ActiveX Control Remote Buffer Overflow
  • Description: Callisto PhotoParade Player is a photo album viewer delivered as a browser ActiveX control. The control is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data passed to the "PhPInfo" control in "PhPCtrl.dll"; a web page that instantiates the control can trigger the overflow and potentially execute arbitrary code with the privileges of the browser user.
  • Ref: http://www.kb.cert.org/vuls/id/171449

  • 07.38.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board User Profile and Subscription Manager Multiple Input Validation Vulnerabilities
  • Description: Invision Power Board is a PHP-based web forum (bulletin board) application. The application is exposed to multiple input validation issues in its user profile and subscription manager because it fails to adequately sanitize user-supplied input. Invision Power Board version 2.3.1 is affected.
  • Ref: http://forums.invisionpower.com/index.php?showtopic=237075

  • 07.38.71 - CVE: Not Available
  • Platform: Web Application
  • Title: netInvoicing Unspecified Security Vulnerability
  • Description: netInvoicing is a web-based customer manager, invoicing and billing application. The application is exposed to an unspecified security issue related to an improper security check. netInvoicing versions prior to 2.7.3 are affected.
  • Ref: http://www.securityfocus.com/bid/25661

  • 07.38.72 - CVE: Not Available
  • Platform: Web Application
  • Title: LetterGrade Email Address HTML Injection
  • Description: LetterGrade is a PHP-based online academic progress-tracking tool. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. This issue occurs in the email address field of an unspecified script.
  • Ref: http://www.securityfocus.com/bid/25663

  • 07.38.73 - CVE: Not Available
  • Platform: Network Device
  • Title: Buffalo AirStation WHR-G54S Web Management Cross-Site Request Forgery
  • Description: Buffalo AirStation WHR-G54S is a wireless router. Its Web Management Interface is exposed to a cross-site request-forgery issue because it does not validate the origin of HTTP requests, so a web page visited by an administrator whose browser is authenticated to the device can submit configuration changes on the administrator's behalf. Buffalo AirStation WHR-G54S firmware version 1.20 is affected.
  • Ref: http://www.louhi.fi/advisory/buffalo_070907.txt
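For 07.38.73, the defect is that a state-changing request is honoured regardless of which page the browser submitted it from. The following Python is an added example, not Buffalo firmware; it shows the two independent checks a management interface needs before acting on a POST: the request's Origin (or Referer) must name the device itself, and the form must carry a per-session token that a cross-site page cannot read. The device host, the server secret and the request headers are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_HOST = "192.168.11.1"             # constructed: the address the UI is served from
SERVER_SECRET = secrets.token_bytes(32)  # on a device: generated at first boot and kept in flash


def csrf_token(session_id):
    """Token bound to the session: HMAC over the session id under a server secret.
    A cross-site page cannot read it, and it cannot be forged without the secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """True only if Origin (preferred) or Referer names the device. Requests that
    carry neither are refused; the token check below is the one that must hold
    regardless, since a client can strip these headers."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname == DEVICE_HOST


def authorize_change(headers, form, session_id):
    """Accept a state-changing request only if both checks pass."""
    if not same_origin(headers):
        return False
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied, csrf_token(session_id))


if __name__ == "__main__":
    sid = "sess-42"
    tok = csrf_token(sid)
    print(authorize_change({"Origin": "http://192.168.11.1"}, {"csrf_token": tok, "dns": "6.6.6.6"}, sid))
    print(authorize_change({"Origin": "http://attacker.example"}, {"csrf_token": tok, "dns": "6.6.6.6"}, sid))
```

hmac.compare_digest is used for the token comparison so that a wrong token fails in constant time; the forged request in the second call fails on the origin check even though it carries a valid token, and a cross-site page that cannot read the token fails the second check even if it spoofs nothing else.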

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.