
@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 40
October 1, 2007

This week's top vulnerability comes from the same vendor in the same product category as last week: A backup product is once again on the "critical list" and again it is CA's backup product. A big problem is that many people think backup software patches automatically. It doesn't. If you use BrightStor, quick action is really important. The iPhone also has a big vulnerability.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                   Number of Updates and Vulnerabilities
- ------------------------                 -------------------------------------
Other Microsoft Products                    3 (#5)
Third Party Windows Apps                    5 (#3, #4)
Linux                                      10
Solaris                                     2
Unix                                        1
Apple                                       1 (#2)
Cross Platform                             12 (#1)
Web Application - Cross Site Scripting      8
Web Application - SQL Injection             9
Web Application                            23
Network Device                              2

********************* Sponsored By Sunbelt Software ************************

Trap and Kill Image Spam with Ninja Email Security for Exchange

Ninja integrates best-of-breed antispam, antivirus, disclaimers, & attachment filtering on your Exchange server. It has one of the industry's only dedicated image-spam detection engines designed to protect against emerging image spam threats.

Try the 30-day evaluation to see this policy-based email security product in action!

http://www.sans.org/info/17201

****************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Solaris
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

*************************** Sponsored Link: ******************************

1) Learn about using/implementing automated DLP technologies at the Data Leakage and Insider Threat Summit December 3-4. http://www.sans.org/info/17206

****************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Security Essentials and SANS' other top-rated courses?
New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
Washington DC (12/13-12/18): http://www.sans.org/london07/
Chicago (11/2-11/7): http://www.sans.org/chicago07/event.php
Tokyo (11/5-11/10): http://www.sans.org/sanstokyo2007_autumn/event.php
London (11/26 - 12/1): http://www.sans.org/london07/
Plus in 100 other cities and even on-line at your convenience.

How good are the courses? Here's what past attendees said:
"An extraordinary amount of information covered in a week, backed up with excellent documentation for those long winter nights." (Keith Mellism, Canada Life)
"This course has valuable information that can be implemented immediately in the work place." (Christopher O'Brien, Booz Allen Hamilton)
"You will never ever find anything more valuable than SANS super knowledge. Worth the price!!" (Carlos Fragoso, CESCA)

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: Apple iPhone Multiple Vulnerabilities
  • Affected:
    • Apple iPhone versions prior to 1.1.1
  • Description: The Apple iPhone contains multiple vulnerabilities in its handling of web and email content, Bluetooth messages, and other data. A specially crafted Bluetooth packet sent by an attacker within physical Bluetooth range could trigger a buffer overflow vulnerability and allow an attacker to execute arbitrary code on the iPhone. Specially crafted web pages or email messages could cause phone numbers to be dialed without confirmation, or could spoof phone numbers such that the number dialed is different from the number displayed for confirmation. Other vulnerabilities include cross-site scripting vulnerabilities and information disclosure vulnerabilities.

  • Status: Apple confirmed, updates available. Users can mitigate the impact of the Bluetooth vulnerability by disabling Bluetooth access, though this will impact normal functionality.

  • References:
  • (3) HIGH: AOL Instant Messenger Arbitrary Script Execution
  • Affected:
    • AOL Instant Messenger versions later than 6.1 on Microsoft Windows
  • Description: AOL Instant Messenger (AIM) is AOL's popular instant messaging application. AIM allows users to send messages with embedded HTML. These messages are rendered using Microsoft's HTML rendering engine. Embedded HTML and scripting code in messages will be executed as though it had been viewed in Microsoft Internet Explorer. Therefore, any vulnerabilities exploitable in Microsoft Internet Explorer are exploitable in AIM, including vulnerabilities involving ActiveX control instantiation. No user interaction is required to exploit this vulnerability if the user is configured to accept messages from unknown senders. A simple proof-of-concept and full technical details are available for this vulnerability.

  • Status: AOL confirmed, updates available.

  • References:
  • (4) HIGH: Ask Toolbar ActiveX Control Buffer Overflow
  • Affected:
    • Ask and AskJeeves Toolbar
  • Description: The Ask Toolbar provides Microsoft Internet Explorer users easy access to Ask.com services. This toolbar is implemented as an ActiveX control. This control contains a buffer overflow vulnerability in its "ShortForm" member. A specially crafted web page that instantiates this control could trigger this vulnerability and execute arbitrary code with the privileges of the current user. A proof-of-concept for this vulnerability is publicly available.

  • Status: Ask has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the affected control via Microsoft's "kill bit" mechanism.

  • References:
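The "kill bit" mitigation mentioned above is a per-CLSID registry flag that stops Internet Explorer from instantiating a control. The following PowerShell is an added example, not part of the @RISK bulletin: it audits whether the kill bit is set for a control and optionally applies it; the CLSID is a placeholder, since the bulletin does not give the Ask Toolbar control's CLSID.

```powershell
# Added example (not from the @RISK bulletin): audit and optionally set the
# Internet Explorer kill bit for an ActiveX control. Setting the bit only stops
# IE from instantiating the control; it does not remove the DLL.
# Writing to HKLM requires an elevated session.

$Clsid   = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER: use the affected control's real CLSID
$KillBit = 0x400                                       # kill-bit flag value in "Compatibility Flags"

# 32-bit IE on 64-bit Windows reads the Wow6432Node hive, so audit both locations.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Get-CompatibilityFlags {
    # Returns the current "Compatibility Flags" DWORD for the key, or 0 if absent.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True only when the kill-bit flag is present in the existing flags.
    param([string]$Path)
    return (((Get-CompatibilityFlags -Path $Path) -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the bit in so that any other compatibility flags already present survive.
    $flags = (Get-CompatibilityFlags -Path $Path) -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $flags -Type DWord
}

foreach ($path in $KeyPaths) {
    # Skip the Wow6432Node location on 32-bit Windows, where it does not exist.
    if (-not (Test-Path -Path (Split-Path -Path $path -Parent))) { continue }

    if (Test-KillBit -Path $path) {
        Write-Output "kill bit SET     : $path"
    } else {
        Write-Output "kill bit NOT set : $path"
        # Uncomment to apply the mitigation; restart IE afterwards.
        # Set-KillBit -Path $path
    }
}
```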
  • (5) LOW: Microsoft Internet Explorer Arbitrary File Upload
  • Affected:
    • Microsoft Internet Explorer versions 7 and prior
  • Description: Microsoft Internet Explorer is vulnerable to an arbitrary file upload attack. A web page containing a specially crafted HTML form could exploit this vulnerability to disclose the contents of any file on the system to an attacker with the privileges of the current user. A proof-of-concept and full technical details are available for this vulnerability.

  • Status: Microsoft has not confirmed, no updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 40, 2007

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.40.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Live Messenger Shared Files Denial of Service
  • Description: Microsoft Live Messenger is an instant-messaging application for the Windows platform. The application is exposed to a denial of service issue because it fails to properly bounds check user-supplied input. Live Messenger version 8.1 is affected.
  • Ref: http://lostmon.blogspot.com/2007/09/windows-live-messenger-jpg-overflow.html

  • 07.40.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Windows Explorer PNG Image Local Denial of Service
  • Description: Microsoft Windows Explorer is exposed to a denial of service issue because it fails to handle malformed PNG image files. This issue presents itself because of an integer overflow of a 32-bit counter that occurs when handling overly large text chunks in PNG files. This will cause an infinite loop that will exhaust CPU cycles and cause Windows Explorer to become unresponsive.
  • Ref: http://www.securityfocus.com/archive/1/480594

  • 07.40.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer File Upload
  • Description: Microsoft Internet Explorer is exposed to an information disclosure issue that allows attackers to gain access to the contents of arbitrary files. This issue stems from a design error resulting from the improper handling of form fields.
  • Ref: http://www.securityfocus.com/bid/25836

  • 07.40.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ipswitch IMail SMTP Server IASPAM.DLL Remote Buffer Overflow
  • Description: Ipswitch IMail Server is an email server that serves clients their mail via a web interface. It runs on Microsoft Windows. The application is exposed to a buffer overflow issue because the application fails to properly bounds check user-supplied input before copying it into an insufficiently sized memory buffer. This issue occurs due to a flaw in the "iaspam.dll" library. Ipswitch IMail Server versions 8.01 through 8.11 are affected.
  • Ref: http://www.securityfocus.com/bid/25762

  • 07.40.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ebCrypt ActiveX Control SaveToFile Arbitrary File Overwrite
  • Description: ebCrypt is a set of ActiveX components that add third-party encryption algorithms to VisualBasic, VBScript, JScript and other applications/development environments. The ActiveX control is exposed to an arbitrary file overwrite issue which resides in the "SaveToFile()" method of "ebCrypt.dll" in the ActiveX control. ebCrypt version 2.0 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.40.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ebCrypt ActiveX Control AddString Denial of Service
  • Description: ebCrypt is a set of ActiveX components that add third-party encryption algorithms to VisualBasic, VBScript, JScript and other applications/development environments. The control is exposed to a denial of service issue. ebCrypt version 2.0 is affected.
  • Ref: http://support.microsoft.com/kb/q240797/

  • 07.40.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AskJeeves Toolbar Settings Plugin ActiveX Control Remote Heap Based Buffer Overflow
  • Description: AskJeeves Toolbar is a customizable toolbar designed for web browsers. The application's SettingsPlugin ActiveX control is exposed to a heap-based remote buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized buffer.
  • Ref: http://www.securityfocus.com/archive/1/480459

  • 07.40.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ICEOWS ICEGUI.DLL ACE File Processing Buffer Overflow
  • Description: ICEOWS is an application designed to compress and extract files in many different formats like ICE, ZIP, RAR, ACE and others. The application is exposed to a buffer overflow issue because the application fails to properly bounds check user-supplied data before copying it to an insufficiently sized buffer, while processing filenames in ACE archives with the "ICEGUI.DLL" library. ICEOWS version 4.20b is affected.
  • Ref: http://vuln.sg/iceows420b-en.html

  • 07.40.9 - CVE: CVE-2007-5007
  • Platform: Linux
  • Title: Balsa Fetch Command Remote Stack Buffer Overflow
  • Description: Balsa is an email client designed for GNOME, a desktop manager for the Linux operating platform. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling excessively long replies to the "FETCH" command from an IMAP server. The affected code resides in the "ir_fetch_seq()" function of the "libbalsa/imap/imap-handle.c" source file. Balsa versions prior to 2.3.20 are affected.
  • Ref: http://www.securityfocus.com/bid/25777

  • 07.40.10 - CVE: CVE-2007-4573
  • Platform: Linux
  • Title: Linux Kernel Ptrace Local Privilege Escalation
  • Description: The Linux kernel is exposed to a local privilege escalation issue because it does not zero-extend all of the registers after ptrace is executed in the 32-bit entry path. Linux kernel versions prior to 2.4.35.3 and 2.6.22.7 are affected.
  • Ref: http://www.securityfocus.com/archive/1/480451

  • 07.40.11 - CVE: CVE-2007-4974
  • Platform: Linux
  • Title: libsndfile FLAC.C Buffer Overflow
  • Description: libsndfile is a C library for reading and writing audio files. The library is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The issue occurs in the "flac_buffer_copy()" function of the "src/flac.c" file when handling FLAC files with variable bitrates. libsndfile version 1.0.17 is affected.
  • Ref: https://bugs.gentoo.org/show_bug.cgi?id=192834

  • 07.40.12 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel ATM Module CLIP Support Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue. This issue affects the ATM module and arises when the CLIP module has not been loaded but the ATM module is configured with CLIP support. A local attacker can exploit this issue to trigger a kernel panic and cause a denial of service condition. Linux kernel versions prior to 2.4.35.3 and 2.6.22.7 are affected.
  • Ref: http://www.securityfocus.com/bid/25798

  • 07.40.13 - CVE: CVE-2007-5034
  • Platform: Linux
  • Title: ELinks HTTPS POST Request Information Disclosure Weakness
  • Description: ELinks is a character-mode browser based on lynx. The application is exposed to an information disclosure weakness. This issue results from a design error. ELinks versions prior to 0.11.3 are affected.
  • Ref: http://bugzilla.elinks.cz/show_bug.cgi?id=937

  • 07.40.14 - CVE: CVE-2007-3731
  • Platform: Linux
  • Title: Linux Kernel PTrace NULL Pointer Dereference Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue due to a NULL-pointer dereference in certain "ptrace" operations. This issue occurs during single-step ptrace operations when handling an invalid LDT segment selector in %cs (xcs field).
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=248324

  • 07.40.15 - CVE: CVE-2007-4571
  • Platform: Linux
  • Title: Linux Kernel ALSA snd-page-alloc Local Proc File Information Disclosure
  • Description: The Linux kernel is exposed to an information disclosure issue that occurs when attackers perform specially-crafted reads from the "/proc/driver/snd-page-alloc" file. This file is a part of the ALSA sound driver kernel module. If sound hardware exists and the module is enabled, the affected PROC file will be present. Linux kernel versions prior to 2.6.22.8 are affected.
  • Ref: http://www.securityfocus.com/archive/1/480585

  • 07.40.16 - CVE: CVE-2007-4993
  • Platform: Linux
  • Title: Xen pygrub TOOLS/PYGRUB/SRC/GRUBCONF.PY Local Command Injection
  • Description: Xen is an open-source virtual machine monitor. pygrub is a boot loader used by Xen to boot guest domains. The application is exposed to a local command injection issue which can lead to privilege escalation. The issue exists because the application fails to validate input in the "tools/pygrub/src/GrubConf.py" script. Xen version 3.0.3 is affected.
  • Ref: http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068

  • 07.40.17 - CVE: Not Available
  • Platform: Linux
  • Title: OpenSSL SSL_Get_Shared_Ciphers Off-by-One Buffer Overflow
  • Description: OpenSSL is an open-source implementation of the SSL protocol that is used by a number of other projects, including but not restricted to Apache, Sendmail and Bind. It is commonly found on Linux and UNIX systems. The application is exposed to an off-by-one buffer overflow issue because the library fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer.
  • Ref: http://www.securityfocus.com/archive/1/480855

  • 07.40.18 - CVE: CVE-2007-4849
  • Platform: Linux
  • Title: Linux Kernel JFFS2 Filesystem Security Bypass
  • Description: The Linux kernel is prone to a security bypass vulnerability. This issue is due to a failure of the software to properly store POSIX ACLs in the JFFS2 filesystem. Specifically, this issue is present when POSIX ACL support is enabled and used in conjunction with the JFFS2 filesystem.
  • Ref: http://dev.laptop.org/ticket/2732

  • 07.40.19 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Human Interface Device Local Denial of Service
  • Description: Sun Solaris is an enterprise-grade UNIX distribution. The application is exposed to a local denial of service issue due to an unspecified error in the Human Interface Device (HID) Class Driver. Solaris SPARC versions 8, 9 and 10, and Solaris x86 versions 9 and 10 are affected.
  • Ref: http://sunsolve.sun.com/show.do?target=tous

  • 07.40.20 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris Thread Handling Local Denial of Service
  • Description: Sun Solaris is exposed to a local denial of service issue because of a race condition when handling thread context. An attacker could exploit this issue to cause a kernel panic, denying further service to legitimate users. Please refer to the link below for more information.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103084-1&searchclause=

  • 07.40.21 - CVE: Not Available
  • Platform: Unix
  • Title: ChironFS File Creation Local Privilege Escalation
  • Description: ChironFS is a filesystem application available for Unix and other Unix-like operating systems. The application is exposed to a local privilege escalation issue because the application creates files with the set-uid bit set. ChironFS versions prior to 1.0 RC7 are affected.
  • Ref: http://furquim.org/chironfs/Changelog.html

  • 07.40.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Imatix Xitami If-Modified-Since Remote Buffer Overflow
  • Description: Xitami is a freely available web server package distributed by Imatix. It is available for the Unix, Linux, and Microsoft platforms. The application is exposed to a remote buffer overflow issue because the software fails to properly bounds check user-supplied input before copying it into an insufficiently sized memory buffer. Xitami version 2.5 is affected.
  • Ref: http://www.securityfocus.com/bid/25772

  • 07.40.23 - CVE: CVE-2007-4988
  • Platform: Cross Platform
  • Title: ImageMagick ReadDIBImage Integer Overflow
  • Description: ImageMagick is an image-editing suite that includes a library and command-line utilities supporting numerous image formats, including SGI. The application is exposed to an integer overflow issue because it fails to properly validate user-supplied data. ImageMagick versions prior to 6.3.5-9 are affected.
  • Ref: http://www.securityfocus.com/archive/1/480277

  • 07.40.24 - CVE: CVE-2007-4987
  • Platform: Cross Platform
  • Title: ImageMagick Blob.C Off-By-One Buffer Overflow
  • Description: ImageMagick is an image-editing suite that includes a library and command-line utilities supporting numerous image formats, including SGI. The application is exposed to an off-by-one buffer overflow issue in the "ReadBlobString()" function in the "magick/blob.c" source file. The function fails to accurately reference the last element of a character array, resulting in data being copied to the array one element higher than was allocated in memory. ImageMagick versions prior to 6.3.5-9 are affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595

  • 07.40.25 - CVE: CVE-2007-4986
  • Platform: Cross Platform
  • Title: ImageMagick DCM, DIB, XBM, XCF, and XWD Image Files Multiple Integer Overflow Vulnerabilities
  • Description: ImageMagick is an image-editing suite that includes a library and command-line utilities supporting numerous image formats, including SGI. It is available for a variety of platforms including Microsoft Windows, UNIX, and UNIX-like operating systems. The application is exposed to multiple integer overflow issues because it fails to adequately handle user-supplied data. Specifically, the application fails to properly handle specially crafted DCM, DIB, XBM, XCF, and XWD image files. ImageMagick versions prior to 6.3.5-9 are affected.
  • Ref: http://www.securityfocus.com/archive/1/480272

  • 07.40.26 - CVE: CVE-2007-4985
  • Platform: Cross Platform
  • Title: ImageMagick ReadBlob Multiple Remote Denial Of Service Vulnerabilities
  • Description: ImageMagick is an image-editing suite that includes a library and command-line utilities supporting numerous image formats, including SGI. The application is exposed to multiple remote denial of service issues because the application fails to check the return value of the "ReadBlobByte()" and "ReadBlobMSBLong()" functions. ImageMagick version 6.3.4 is affected.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=596

  • 07.40.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec Veritas Backup Exec for Windows Unspecified Vulnerability
  • Description: Symantec Veritas Backup Exec is a network-enabled backup solution from Symantec. It is available for Novell NetWare and Microsoft Windows platforms. The application is exposed to an unspecified issue. Symantec Veritas Backup Exec for Windows Server version 11d is affected.
  • Ref: http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000147

  • 07.40.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: JSPWiki Multiple Input Validation Vulnerabilities
  • Description: JSPWiki is a freely available, open-source wiki application written in Java. It is designed to be served from a webserver that supports Java Server Pages (JSP). The application is exposed to multiple input validation issues because it fails to adequately sanitize user-supplied input. JSPWiki versions prior to 2.4.104 are affected.
  • Ref: http://www.securityfocus.com/archive/1/480570

  • 07.40.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache Geronimo Management EJB Security Bypass
  • Description: Apache Geronimo is a Java application server. The application is exposed to a security bypass issue which occurs in the management EJB (MEJB). Apache Geronimo version 2.0.1 is affected.
  • Ref: https://issues.apache.org/jira/browse/GERONIMO-3456

  • 07.40.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Rational ClearQuest Data Corruption Denial of Service
  • Description: IBM Rational ClearQuest is exposed to a denial of service issue. Please refer to the link below for further information.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg21268116

  • 07.40.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: F-Secure Anti-Virus for Windows Servers Malware Detection Bypass
  • Description: F-Secure Anti-Virus for Windows Servers is exposed to an issue that may allow certain compressed archives to bypass the scan engine and also allow certain malware to bypass detection. F-Secure Anti-Virus for Windows Servers version 7.0 is affected.
  • Ref: http://www.f-secure.com/security/fsc-2007-6.shtml

  • 07.40.32 - CVE: CVE-2007-5082, CVE-2007-5083, CVE-2007-5084
  • Platform: Cross Platform
  • Title: Computer Associates BrightStor Hierarchical Storage Manager CsAgent Multiple Remote Vulnerabilities
  • Description: Computer Associates BrightStor Hierarchical Storage Manager facilitates data migration across storage tiers. The application is exposed to multiple remote issues because the software fails to properly validate and bounds check user-supplied data. Computer Associates BrightStor Hierarchical Storage Manager version r11.5 is affected.
  • Ref: http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35690

  • 07.40.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Access Manager Multiple Vulnerabilities
  • Description: Sun Java System Access Manager is an application for managing secure access to web applications. The application is exposed to multiple remote issues that result from configuration errors. Sun Java System Access Manager version 7.1 is affected.
  • Ref: http://sunsolve.sun.com/show.do?target=tous

  • 07.40.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: WordPress wp-register.php Multiple Cross-Site Scripting Vulnerabilities
  • Description: WordPress allows users to generate news pages and web-logs dynamically. It's implemented in PHP with a MySQL database. WordPress is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input to the "user_login" and "user_email" parameters of the "wp-register.php" script. WordPress version 2.0 is affected.
  • Ref: http://blogsecurity.net/wordpress/2-vanilla-xss-on-wordpress-wp-registerphp/

  • 07.40.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Urchin session.cgi Cross-Site Scripting
  • Description: Urchin is web-based analysis software implemented in CGI. The software is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. The issue affects the "session.cgi" script when logging into the application. Urchin Software versions 5.6.00r2, 5.7.1, 5.7.2 and 5.7.3 are affected.
  • Ref: http://www.securityfocus.com/archive/1/480469

  • 07.40.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: eGroupWare CLASS.UICATEGORIES.INC.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: eGroupWare is a web-based groupware application. The application is exposed to multiple cross-site scripting issues that arise because the application fails to sanitize the "cat_data[color]" input parameter in "admin/inc/class.uicategories.inc.php" and "preferences/inc/class.uicategories.inc.php". eGroupWare version 1.4.001 is affected.
  • Ref: http://www.securityfocus.com/bid/25800

  • 07.40.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Simple PHP Blog Multiple Cross-Site Scripting Vulnerabilities
  • Description: Simple PHP Blog is a PHP-based web-log application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input in the "user_style.php" script. Simple PHP Blog versions 0.5.0.1, 0.4.8 and prior are affected.
  • Ref: http://www.securityfocus.com/archive/1/480569

  • 07.40.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SimpGB Multiple Cross-Site Scripting Vulnerabilities
  • Description: SimpGB is a web-based guestbook application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the following scripts and parameters: "admin/index.php:l_username" and "admin/emoticonlist.php:l_emoticonlist". SimpGB version 1.46.02 is affected.
  • Ref: http://www.securityfocus.com/archive/1/480596

  • 07.40.39 - CVE: CVE-2007-4874
  • Platform: Web Application - Cross Site Scripting
  • Title: SimpNews Multiple Cross-Site Scripting Vulnerabilities
  • Description: SimpNews is a PHP-based news system. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the following scripts and parameters: "layout2b.php:l_username" and "comment.php:backurl". SimpNews version 2.41.03 is affected.
  • Ref: http://www.securityfocus.com/archive/1/480598

  • 07.40.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Freeside cust_bill_event.cgi Cross-Site Scripting
  • Description: Freeside is open-source software for billing, trouble ticketing, and automation. The application is exposed to a flaw in "search/cust_bill_event.cgi" where input passed to the "failed" parameter isn't sanitized properly before being returned to the user. Freeside version 1.7.2 is affected.
  • Ref: http://pridels-team.blogspot.com/2007/09/freeside-xss-vuln.html

  • 07.40.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Novus Buscar.ASP Cross-Site Scripting
  • Description: Novus is an ASP-based content manager. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "p" parameter of the "buscar.asp" script.
  • Ref: http://www.securityfocus.com/bid/25828

  • 07.40.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: phpFullAnnu mod Parameter SQL Injection
  • Description: phpFullAnnu is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "mod" parameter of the "index.php" script before using it in an SQL query. phpFullAnnu version 6.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25779

  • 07.40.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Clansphere index.php SQL Injection
  • Description: Clansphere is a PHP-based content manager. The application is exposed to an SQL-injection issue because it fails to sufficiently sanitize user-supplied data to the "cat_id" parameter of the "index.php" script before using it in an SQL query. Clansphere version 2007.4 is affected.
  • Ref: http://www.securityfocus.com/bid/25770

  • 07.40.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: bcoos Arcade Module Index.PHP SQL Injection
  • Description: bcoos is a content management system (CMS); it is implemented in PHP. The Arcade module for bcoos is exposed to an SQL injection issue because it fails to adequately sanitize user-supplied input before using it in an SQL query. This issue affects the "gid" parameter of the "modules/arcade/index.php" script when the "act" parameter is set to "play_game". bcoos Arcade module version 1.0.10 is affected.
  • Ref: http://www.securityfocus.com/bid/25790

  • 07.40.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NukeSentinel NSBypass.PHP SQL Injection
  • Description: NukeSentinel is a module for the PHP-Nuke content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "admin" cookie parameter of the "includes/nsbypass.php" script before using it in an SQL query. NukeSentinel version 2.5.11 is affected.
  • Ref: http://www.securityfocus.com/archive/1/480575

  • 07.40.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Novus Notas.ASP SQL Injection
  • Description: Novus is an ASP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "nota_id" parameter of the "notas.asp" script before using it in an SQL query. Novus version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25815

  • 07.40.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Softbiz Classifieds store_info.PHP SQL Injection
  • Description: Softbiz Classifieds is a PHP-based script for building classified-advertisement sites. The application is affected by an SQL injection issue because it fails to properly sanitize user-supplied input to the "id" parameter of the "store_info.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/25818

  • 07.40.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ActiveKB Index.PHP SQL Injection
  • Description: ActiveKB is a web-based knowledgebase application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat_Id" parameter of the "index.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/25820

  • 07.40.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NukeSentinel NukeSentinel.PHP SQL Injection
  • Description: NukeSentinel is a PHP-based module for the PHP-Nuke content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "admin" cookie parameter used in the "includes/nukesentinel.php" script before using it in an SQL query. NukeSentinel version 2.5.11 is affected.
  • Ref: http://www.securityfocus.com/archive/1/480812

  • 07.40.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NukeSentinel NukeSentinel.PHP Admin Cookie Variant SQL Injection
  • Description: NukeSentinel is a PHP-based module for the PHP-Nuke content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "$_COOKIE[admin]" parameter used in the "includes/nukesentinel.php" script before using it in an SQL query. NukeSentinel version 2.5.12 is affected.
  • Ref: http://www.securityfocus.com/archive/1/480846

  • 07.40.51 - CVE: Not Available
  • Platform: Web Application
  • Title: DFD Cart Multiple Remote File Include Vulnerabilities
  • Description: DFD Cart is a PHP-based file order management system for wholesale distributors. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "set_depth" parameter of the following scripts: "product.control.config.php", "customer.browse.list.php" and "customer.browse.search.php". DFD Cart version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/25775

  • 07.40.52 - CVE: Not Available
  • Platform: Web Application
  • Title: CMS Made Simple AdodB-Perf-Module.Inc.PHP Remote Code Execution
  • Description: CMS Made Simple is a content management application. The application is exposed to an arbitrary code execution issue because it fails to properly sanitize user-supplied input to the "last_module" parameter of the "/lib/adodb-perf-module.inc.php" script. CMS Made Simple version 1.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/25768

  • 07.40.53 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPBB2 Plus Language Packs PHPBB_Root_Path Parameter Multiple Remote File Include Vulnerabilities
  • Description: phpBB2 Plus is a version of the phpBB bulletin board that has been modified to include added features. The application is exposed to multiple remote file include issues because it fails to properly sanitize user-supplied input to the "phpbb_root_path" parameter of the following scripts: "language/lang_german/lang_admin_album.php", "language/lang_english/lang_main_album.php" and "language/lang_english/lang_admin_album.php". phpBB2 Plus version 1.53a is affected.
  • Ref: http://www.phpbb2.de/ftopic45218.html

  • 07.40.54 - CVE: Not Available
  • Platform: Web Application
  • Title: XCMS Password Parameter Arbitrary PHP Code Execution
  • Description: XCMS is a PHP-based content manager. The application is exposed to an arbitrary PHP code-execution issue because it fails to properly sanitize user-supplied input. Specifically, it fails to sanitize input to the "password" form field parameter.
  • Ref: http://www.securityfocus.com/bid/25771

  • 07.40.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Webmin Unspecified Command Execution
  • Description: Webmin is a web-based UNIX system-administration interface implemented in Perl. It is available for various platforms. The application is exposed to an issue that allows attackers to execute arbitrary commands. Webmin versions prior to 1.370 are affected.
  • Ref: http://www.webmin.com/security.html

  • 07.40.56 - CVE: Not Available
  • Platform: Web Application
  • Title: GreenSQL Username And Password Multiple HTML Injection Vulnerabilities
  • Description: GreenSQL is a database firewall used to protect databases from SQL injection attacks. The application is exposed to multiple HTML injection issues because the application fails to sufficiently sanitize user-supplied input to the "login" and "password" form field parameters.
  • Ref: http://www.securityfocus.com/archive/1/480278

  • 07.40.57 - CVE: Not Available
  • Platform: Web Application
  • Title: NetSupport Manager Remote Authentication Bypass
  • Description: NetSupport Manager is a commercially available remote control and management application available for multiple platforms. The application is exposed to an authentication bypass issue due to a failure of the client application to properly require authentication when handling connections. NetSupport Manager versions prior to 10.20.0004 on Microsoft Windows platforms are affected.
  • Ref: http://www.netsupportsoftware.com/support/td.asp?td=543

  • 07.40.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Barracuda Spam Firewall Web Administration Console Username HTML Injection
  • Description: Barracuda Spam Firewall is an appliance that provides spam and virus protection. The application is exposed to an HTML injection issue in the Web Administration Console. Specifically, the application fails to sanitize user-supplied input to the "username" form field parameter before using it in dynamically generated content. This issue only occurs when the "Monitor Web Syslog" screen is open. Barracuda Spam Firewall firmware version 3.4.10.102 is affected.
  • Ref: http://www.barracudanetworks.com/ns/support/tech_alert.php

  • 07.40.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Neuron News Index.PHP Local File Include
  • Description: Neuron News is a web-based news reader. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "q" parameter of the "index.php" script. Specifically, the application fails to properly sanitize directory traversal strings ("../"). Neuron News 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25759

  • 07.40.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla! com_slideshow Admin.Slideshow1.PHP Remote File Include
  • Description: The Joomla! com_slideshow component is a PHP-based slide show module for the Joomla! content management system. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "mosConfig_live_site" parameter of the "admin.slideshow1.php" script.
  • Ref: http://www.securityfocus.com/bid/25760

  • 07.40.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Helplink Show.PHP Remote File Include
  • Description: Helplink is web-based help desk software. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "file" GET parameter of the "show.php" script. Helplink version 0.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25782

  • 07.40.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Wordsmith Config.Inc.PHP Remote File Include
  • Description: Wordsmith is a blogging application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "_path" parameter of the "config.inc.php" script. Wordsmith version 1.0 RC1 is affected.
  • Ref: http://www.securityfocus.com/bid/25783

  • 07.40.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Nuke Mobile Entertainment Compatible.PHP Local File Include
  • Description: Nuke Mobile Entertainment is a PHP-Nuke addon which enables you to interface with Mediaplazza. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "module_name" parameter of the "data/compatible.php" script. Nuke Mobile Entertainment 1 is affected.
  • Ref: http://www.securityfocus.com/bid/25784

  • 07.40.64 - CVE: Not Available
  • Platform: Web Application
  • Title: sk.log Log.Inc.PHP Remote File Include
  • Description: sk.log is a web-based content management system (CMS) implemented in PHP, and using a MySQL backend. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "SKIN_URL" parameter of the "php-inc/log.inc.php" script. sk.log version 0.5.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/480484

  • 07.40.65 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke Dance Music Module Index.PHP Local File Include
  • Description: Dance Music is part of the Music Sound PHP-Nuke module. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "ACCEPT_FILE" array of the "index.php" script.
  • Ref: http://www.securityfocus.com/archive/1/480578

  • 07.40.66 - CVE: Not Available
  • Platform: Web Application
  • Title: FrontAccounting Multiple Remote File Include Vulnerabilities
  • Description: FrontAccounting is web-based accounting software. The software is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "path_to_root" parameter of the following scripts: "language.php" and "login.php". FrontAccounting versions 1.13 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/25812

  • 07.40.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Tcl/Tk ReadImage Buffer Overflow
  • Description: Tcl (Tool Command Language) is a scripting language. Tk is a library used to build graphical user interfaces, which is usually included and used with Tcl. A buffer overflow issue exists in the Tk library shipped with Tcl. Tcl/Tk versions prior to 8.4.16 are affected.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=541207

  • 07.40.68 - CVE: Not Available
  • Platform: Web Application
  • Title: IntegraMOD Nederland phpbb_root_path Remote File Include
  • Description: IntegraMOD Nederland is a modified version of phpBB2 that includes a number of third-party modules. The application is exposed to a remote file include issue because it fails to properly sanitize user-supplied input before using it in a PHP "include()" function call. IntegraMOD Nederland version 1.4.2 is affected.
  • Ref: http://www.securityfocus.com/bid/25832

  • 07.40.69 - CVE: Not Available
  • Platform: Web Application
  • Title: lustig.cms Forum.PHP Remote File Include
  • Description: lustig.cms is a PHP-based content manager. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "view" parameter of the "forum/forum.php" script. lustig.cms beta version 2.5.2 is affected.
  • Ref: http://www.securityfocus.com/bid/25833

  • 07.40.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Flatnuke Cross-Site Request Forgery
  • Description: Flatnuke is an open-source content manager. The application is exposed to a cross-site request forgery issue which allows a remote attacker to use a victim's currently active session to perform actions with the application. Flatnuke versions 2.6.1 and 2.6 are affected.
  • Ref: http://www.securityfocus.com/bid/25817

  • 07.40.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Chupix CMS Header.PHP Remote File Include
  • Description: Chupix CMS is an open-source content manager. The application is exposed to a remote file include issue because it fails to properly sanitize user-supplied input before using it in a PHP "include()" function call. Chupix CMS version 0.2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/25835

  • 07.40.72 - CVE: Not Available
  • Platform: Web Application
  • Title: phpFidoNode phfito SRC_PATH Parameter Remote File Include
  • Description: phpfito - PHP Fidonet Tosser is the main part of the phpFidoNode project, which intends to implement the basic Fidonet software functionality in PHP. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "SRC_PATH" parameter of the "/phfito/phfito-post.php" script. phpfito version 1.3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/25839

  • 07.40.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Aipo Session Fixation
  • Description: Aipo is a web-based groupware application. The application is exposed to a session fixation issue because of a design error. Specifically, attackers can predefine a victim user's URI parameter. Aipo and Aipo ASP versions 3.0.1.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/25843

  • 07.40.74 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Catalyst 6500 and Cisco 7600 Loopback Access Control Bypass
  • Description: Cisco Catalyst 6500 and Cisco 7600 devices are exposed to a vulnerability that may allow attackers to bypass Access Control Lists (ACLs). Catalyst series devices use addresses from the loopback range (127.0.0.0/8) for internal communication. Addresses in this range that are used for the Ethernet Out-of-Band Channel (EOBC) are reachable from outside the system. This may allow an attacker to bypass existing ACLs that do not filter the loopback range.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sr-20070926-lb.shtml

  • 07.40.75 - CVE: Not Available
  • Platform: Network Device
  • Title: Axis Communications 2100 Network Camera Multiple Input Validation Vulnerabilities
  • Description: Axis Communications 2100 Network Cameras are video cameras that communicate over TCP/IP. The devices are exposed to multiple input validation issues. 2100 Network Cameras with firmware version 2.43 are affected.
  • Ref: http://www.procheckup.com/Vulnerability_Axis_2100_research.pdf

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.