
@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 44
October 29, 2007

A light week for most folks. Only Lotus Notes users have much to worry over this week. A lot of the big companies rely on Notes and malicious attachments can punch a big hole in the firewall of those organizations.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                 # of Updates & Vulnerabilities
    ------------------------                 ------------------------------
    Third Party Windows Apps                 3 (#3)
    Linux                                    4
    Cross Platform                           21 (#1, 2, 4)
    Web Application - Cross Site Scripting   11
    Web Application - SQL Injection          9
    Web Application                          26
    Network Device                           4

************************** Sponsored By SANS ********************************

The SANS Mobile Encryption and Data Leak Protection Summits, December 3-4, are an in-depth program featuring user-to-user discussions focused on lessons learned, mistakes to avoid, and technologies and processes that work in protecting sensitive data. Get your burning questions answered by those who have already fought the wars. Mobile Encryption: http://www.sans.org/info/18547 Data Leak Protection: https://www2.sans.org/info/15921

*****************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

************************ Sponsored Links: *********************************

1) Free, 60 minute webcast, Wednesday, October 31 at 3PM EST celebrating National Security Awareness Month, co-sponsored by NYC Metro InfraGard ( http://www.sans.org/info/18552). Speakers: Eric Cole and Ed Skoudis, SANS Institute Fellows. Please contact Scott Weil, sweil@sans.org to register for this free event webcast.

2) Save with SANS Voucher Credit today. One procurement, transcend fiscal years, online usage reports, status updates. Visit online today http://www.sans.org/info/18557 or Email Vouchers@sans.org.

3) SAVE BIG! Get 30% off any upcoming courses through SANS OnDemands Pre-Paid program http://www.sans.org/info/18477 or email ondemand@sans.org

*****************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (4) HIGH: Sun Java Runtime Environment Multiple Applet Vulnerabilities
  • Affected:
    • Sun Java Runtime Environment versions prior to 6 Update 3
  • Description: The Sun Java Runtime Environment contains multiple vulnerabilities in its sandboxing of Java applets and applications. A specially crafted applet or application could break the built-in protection afforded by the runtime environment and read or write arbitrary files, or execute arbitrary commands, with the privileges of the current user. No technical details for these vulnerabilities are currently publicly available. Sun's Java Runtime Environment is installed by default on all Apple Mac OS X systems, on many Microsoft Windows systems, and on a number of Linux, Unix, and Unix-like systems.

  • Status: Sun confirmed, updates available.

  • References:

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 44, 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.44.1 - CVE: CVE-2007-5080, CVE-2007-5081, CVE-2007-2263,CVE-2007-2264, CVE-2007-4599
  • Platform: Third Party Windows Apps
  • Title: RealNetworks RealPlayer MOV File Parsing Multiple Memory Corruption Vulnerabilities
  • Description: RealNetworks RealPlayer is an application that allows users to play various media formats. The application is exposed to multiple memory corruption issues that stem from errors in its MOV file parsing functions. Because an attacker controls the data written to the heap, these issues can corrupt heap memory. RealPlayer version 10.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482856

  • 07.44.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: eIQnetworks Enterprise Security Analyzer SEARCHREPORT Command Remote Buffer Overflow
  • Description: eIQnetworks Enterprise Security Analyzer is a distributed application for enterprise security. It provides security information, event and asset management, and threat visualization across a network. The application is exposed to a remote buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Enterprise Security Analyzer version 2.5 is affected.
  • Ref: http://www.securityfocus.com/bid/26189

  • 07.44.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BitDefender Unspecified Arbitrary Code Execution
  • Description: BitDefender is a computer security application for the Microsoft Windows operating platform. The application is exposed to an unspecified arbitrary code execution issue.
  • Ref: http://research.eeye.com/html/advisories/upcoming/20071024.html

  • 07.44.4 - CVE: Not Available
  • Platform: Linux
  • Title: Zaptel SetHDLC.C Local Buffer Overflow
  • Description: Zaptel (Zapata Telephony) is an API for developing various telephony hardware drivers. The application is exposed to a local buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Zaptel version 1.4.5.1 is affected.
  • Ref: http://www.eleytt.com/advisories/eleytt_ZAPTEL.pdf

  • 07.44.5 - CVE: CVE-2007-4574
  • Platform: Linux
  • Title: Red Hat Linux Kernel Stack Unwinder Local Denial of Service
  • Description: The Red Hat Linux kernel is prone to a local denial of service issue due to a NULL-pointer dereference in certain "ptrace" operations. This issue occurs because of some missing stack unwinder fixes in the Red Hat Enterprise Linux 5 kernel on AMD64 and Intel 64 platforms.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=298141

  • 07.44.6 - CVE: CVE-2007-3850
  • Platform: Linux
  • Title: Linux Kernel eHCA Driver Physical Address Space Information Disclosure
  • Description: The Linux kernel is exposed to an information disclosure issue. This issue occurs because of a problem in the eHCA driver on PowerPC systems when mapping userspace resources. The driver can map resources that are 4k in size.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=308811

  • 07.44.7 - CVE: CVE-2007-3920
  • Platform: Linux
  • Title: Gnome-Screensaver With Compiz Lock Bypass
  • Description: Gnome-screensaver is a screensaver with desktop locking functionality, included with the GNOME desktop environment. The desktop locking feature is designed to prevent access to the desktop by users without valid credentials. The application is exposed to a locked screen bypass issue because it can lose keyboard lock focus. This issue occurs in conjunction with Compiz, a framework for 3-D desktop add-ons. The gnome-screensaver released with Ubuntu 7.10 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482702

  • 07.44.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Shttp Remote Directory Traversal
  • Description: Shttp is a webserver application that utilizes the ServerKit server library. The application is exposed to a remote directory traversal issue due to the failure of the "safe_path()" function to properly validate that requested files are located in the document root of the HTTP server. Shttp versions prior to 0.0.5 are affected.
  • Ref: http://www.securityfocus.com/archive/1/482797
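
The check the Shttp advisory above says was missing, as an added example (this is not Shttp or ServerKit code, and the function name safe_path() is borrowed from the advisory only). It normalises the requested path lexically, refuses any ".." that would climb above the document root, and copies the result with a length check. Because it never touches the filesystem it must be given the already URL-decoded path and, on a real server, be paired with realpath() or an O_NOFOLLOW open so that symlinks under the document root cannot point outside it. The document root and requests below are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened safe_path(): lexical normalisation plus root check. */
#define MAX_SEGS 64

/* Returns 1 and writes "<docroot>/<normalised request>" into out on success,
 * 0 if the request would escape docroot, is absurdly deep, or does not fit. */
int safe_path(const char *docroot, const char *request, char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];   /* surviving path components, in order */
    size_t lens[MAX_SEGS];
    int depth = 0;
    const char *p = request;
    size_t used, i;

    if (docroot == NULL || request == NULL || out == NULL || outlen == 0)
        return 0;

    while (*p == '/')
        p++;                                  /* request paths are root-relative */

    while (*p != '\0') {
        const char *start = p;
        size_t n;

        while (*p != '\0' && *p != '/')
            p++;
        n = (size_t)(p - start);
        while (*p == '/')
            p++;                              /* collapse "a//b" into "a/b" */

        if (n == 1 && start[0] == '.')
            continue;                         /* "." is a no-op */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;                     /* ".." above the root: traversal */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return 0;
        segs[depth] = start;
        lens[depth] = n;
        depth++;
    }

    /* Rebuild: docroot (minus trailing slashes) + "/" + each component. */
    used = strlen(docroot);
    while (used > 1 && docroot[used - 1] == '/')
        used--;
    if (used >= outlen)
        return 0;
    memcpy(out, docroot, used);
    for (i = 0; i < (size_t)depth; i++) {
        if (used + 1 + lens[i] >= outlen)
            return 0;                         /* bounded: never overrun out */
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

/* Helper: 1 if request resolves to exactly `expect` under docroot. */
int resolves_to(const char *docroot, const char *request, const char *expect)
{
    char buf[512];
    return safe_path(docroot, request, buf, sizeof buf) == 1 && strcmp(buf, expect) == 0;
}

/* Helper: 1 if safe_path() refuses the request. */
int rejects(const char *docroot, const char *request)
{
    char buf[512];
    return safe_path(docroot, request, buf, sizeof buf) == 0;
}

int main(void)
{
    /* Constructed sample requests: one benign, two traversal attempts. */
    const char *reqs[] = { "/docs/../index.html", "/../etc/passwd", "/a/../../etc/shadow" };
    char resolved[256];
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        if (safe_path("/var/www/html", reqs[i], resolved, sizeof resolved))
            printf("%-22s -> serve %s\n", reqs[i], resolved);
        else
            printf("%-22s -> 403 (escapes document root)\n", reqs[i]);
    }
    return 0;
}
```

A segment such as "..." is a normal file name and is kept; only exact "." and ".." are special. The depth counter is the whole defence: a ".." with nothing left to pop is a traversal attempt, and the request is refused rather than clamped to the root.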

  • 07.44.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Bacula MySQL Password Information Disclosure
  • Description: Bacula is a set of programs used to perform various data management operations on networks consisting of computers with various operating systems. The application is exposed to an information disclosure issue because it fails to protect the MYSQL director password.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446809

  • 07.44.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox ParseFTPList Remote Denial of Service
  • Description: Mozilla Firefox is a web browser available for multiple operating platforms. The application is exposed to a remote denial of service issue when parsing file listings from malicious FTP servers. Server-supplied input can cause the code in the "ParseFTPList.cpp" source file to use a "pos" value that exceeds the number of entries in the "tokens" array, causing an invalid pointer reference. Firefox version 2.0.0.7 is affected.
  • Ref: http://www.eleytt.com/advisories/eleytt_FFPARSEFTPLIST.pdf

  • 07.44.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LiteSpeed Web Server Null-Byte Handling Information Disclosure
  • Description: LiteSpeed Web Server is a scalable web server that is interchangeable with Apache. The server is exposed to an information disclosure issue because it fails to adequately sanitize user-supplied input. LiteSpeed Web Server versions prior to 3.2.4 are affected.
  • Ref: http://www.litespeedtech.com/latest/litespeed-web-server-3.2.4-released.html

  • 07.44.12 - CVE: CVE-2007-5473
  • Platform: Cross Platform
  • Title: Mono System.Web StaticFileHandler.CS Source Code Information Disclosure
  • Description: Mono is a multi-platform open-source implementation of the Microsoft .NET architecture. The application is exposed to a source-disclosure issue because it fails to properly sanitize user-supplied input. Mono versions prior to 1.2.5.2 running on Windows platforms are affected.
  • Ref: http://anonsvn.mono-project.com/viewcvs/trunk/mcs/class/System.Web/System.Web/StaticFileHandler.cs

  • 07.44.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GSview Multiple Unspecified Security Vulnerabilities
  • Description: GSview is a freely-available graphical user interface for the Ghostscript application. It is designed to view PostScript files. The application is exposed to multiple unspecified issues. GSview version 4.8 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482601

  • 07.44.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox Malformed XBL Constructor Remote Denial of Service
  • Description: Mozilla Firefox is a web browser available for multiple operating platforms. The application is exposed to a remote denial of service issue that occurs when handling HTML files with a malformed XML file. Specifically, when the XML binding language (XBL) is used, the application fails to handle malformed data contained in the constructor. Firefox 2.0.0.7 is affected.
  • Ref: http://www.securityfocus.com/bid/26172

  • 07.44.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MultiXTpm Application Server DebugPrint() Remote Buffer Overflow
  • Description: MultiXTpm Application Server is a Message Oriented Middleware (MOM) and Transaction Processing (TP) Monitor. It is available for various platforms. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input before using it in an insufficiently sized buffer. MultiXTpm Application Server versions prior to 4.0.2d are affected.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=548209&group_id=196021

  • 07.44.16 - CVE: CVE-2007-5544
  • Platform: Cross Platform
  • Title: Lotus Domino Memory Mapped Files Arbitrary Access
  • Description: IBM Lotus Domino is a client/server product designed for collaborative working environments. Domino Server supports email, scheduling, instant messaging, and data-driven applications. The application is exposed to an issue that may allow access to other users' sessions. The issue exists in the Inter-Process Communication (IPC) between "NLNOTES" and "NTASKLDR".
  • Ref: http://www.securityfocus.com/archive/1/482694

  • 07.44.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DeleGate Multiple Denial of Service Vulnerabilities
  • Description: DeleGate is an application-level gateway and proxy server for multiple operating platforms. The application is exposed to multiple denial of service issues. DeleGate versions prior to 9.7.5 are affected.
  • Ref: http://www.delegate.org/mail-lists/delegate-en/3875

  • 07.44.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Information Disclosure Vulnerabilities and Buffer Overflow
  • Description: IBM Lotus Domino is a client/server product designed for collaborative working environments. Domino Server supports email, scheduling, instant messaging, and data-driven applications. The application is exposed to multiple issues.
  • Ref: http://www.securityfocus.com/archive/1/482676

  • 07.44.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Notes Attachment Viewer Multiple Buffer Overflow Vulnerabilities
  • Description: IBM Lotus Notes is exposed to multiple buffer overflow issues due to issues in the file attachment viewer. These issues could allow arbitrary code execution in the context of the user running the application. A user must open malicious attached files with the attachment viewer to trigger these issues. Lotus Notes version 7.0.2 is affected.
  • Ref: http://vuln.sg/lotusnotes702wpd-en.html

  • 07.44.20 - CVE: CVE-2007-5622
  • Platform: Cross Platform
  • Title: 3proxy FTP Proxy Double Free Memory Corruption
  • Description: 3proxy is a free proxy server for Linux/UNIX and Windows. The application is exposed to a double-free memory corruption issue. Specifically, the "hostname" parameter is freed in both the "ftpprchild()" and "parsehostname()" functions. 3proxy version 0.5.3i is affected.
  • Ref: http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0710.html
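
The ownership rule that removes the class of bug described in the 3proxy entry, as an added example; this is not 3proxy's code, the function names are borrowed from the advisory, and the "host:port" parsing logic is hypothetical. The callee receives the pointer by address and, on the one path where it releases the buffer, also sets the caller's copy to NULL, so the caller's unconditional free() becomes a no-op instead of a second free of the same block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s)          /* portable strdup() */
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL)
        memcpy(d, s, n);
    return d;
}

/* Splits "host:port" into host (bounded copy) and port (1..65535).
 * Returns 0 on success.  On failure it frees *hostname AND nulls it,
 * which is the single change that makes the caller's free() harmless. */
static int parsehostname(char **hostname, char *host, size_t hostlen, int *port)
{
    char *s = *hostname;
    char *colon = strchr(s, ':');
    char *end = NULL;
    long p;
    size_t n;

    if (colon == NULL || colon == s)
        goto fail;                            /* no ':' or empty host */
    n = (size_t)(colon - s);
    if (n >= hostlen)
        goto fail;                            /* would not fit: refuse, never truncate */
    if (colon[1] == '\0')
        goto fail;                            /* "host:" with no digits */
    p = strtol(colon + 1, &end, 10);
    if (*end != '\0' || p < 1 || p > 65535)
        goto fail;                            /* junk after the digits or bad range */

    memcpy(host, s, n);
    host[n] = '\0';
    *port = (int)p;
    return 0;

fail:
    /* Vulnerable shape: free(*hostname); return -1;  and the caller then
     * calls free() on the same address.  Nulling the caller's pointer fixes it. */
    free(*hostname);
    *hostname = NULL;
    return -1;
}

/* Models the per-connection worker: copies the untrusted line to the heap,
 * hands it to the parser, and releases it exactly once. */
int ftpprchild_handle(const char *line, char *host, size_t hostlen, int *port)
{
    char *hostname = dup_str(line);
    int rc;

    if (hostname == NULL)
        return -1;
    rc = parsehostname(&hostname, host, hostlen, port);
    free(hostname);                           /* NULL on the error path: no double free */
    hostname = NULL;
    return rc;
}

/* Helpers: 1 if the line parses to the expected host/port, or 1 if it fails. */
int parse_ok(const char *line, const char *expect_host, int expect_port)
{
    char host[64];
    int port = 0;
    return ftpprchild_handle(line, host, sizeof host, &port) == 0 &&
           strcmp(host, expect_host) == 0 && port == expect_port;
}

int parse_fails(const char *line)
{
    char host[64];
    int port = 0;
    return ftpprchild_handle(line, host, sizeof host, &port) == -1;
}

int main(void)
{
    /* Constructed client lines: one valid, three malformed. */
    const char *lines[] = { "ftp.example.test:21", "ftp.example.test", ":21", "h:99999" };
    char host[64];
    int port, i;

    for (i = 0; i < 4; i++) {
        if (ftpprchild_handle(lines[i], host, sizeof host, &port) == 0)
            printf("%-20s -> host=%s port=%d\n", lines[i], host, port);
        else
            printf("%-20s -> rejected (buffer released once)\n", lines[i]);
    }
    return 0;
}
```

The simpler alternative is for the callee never to free what it did not allocate, leaving the caller as the sole owner; either way, exactly one function is responsible for each buffer, and free(NULL) being defined as a no-op is what makes the pointer-nulling pattern safe.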

  • 07.44.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: wpa_supplicant ASN1_Get_Next Buffer Overflow
  • Description: wpa_supplicant is a freely-available package designed to allow WPA and WPA2 wireless communications on many different operating systems. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. wpa_supplicant version 0.5.8 is affected.
  • Ref: http://hostap.epitest.fi/wpa_supplicant/

  • 07.44.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java Runtime Environment Virtual Machine Remote Privilege Escalation
  • Description: Sun Java Runtime Environment is an enterprise development platform. The Virtual Machine of the Java Runtime Environment is exposed to a remote privilege escalation issue.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1&searchclause=

  • 07.44.23 - CVE: CVE-2007-3919
  • Platform: Cross Platform
  • Title: XEN Xenmon.py Xenbaked Insecure Temporary File Creation
  • Description: Xen is an open-source hypervisor or virtual machine monitor. The application is exposed to a security issue because it creates temporary files in an insecure manner. The issue occurs when the "xenmon.py" script and the "xenbaked" program create and use temporary files with predictable filenames. Xen version 3.0 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447795
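
What "creating temporary files in an insecure manner" means in practice, and the two POSIX idioms that avoid it, as an added example; this is not code from Xen, xenmon.py or xenbaked, and the template name "xenbaked.XXXXXX" is hypothetical. A program that opens a predictable name such as /tmp/<tool>.<pid> with O_CREAT and no O_EXCL will happily follow a symlink an attacker planted there in advance and clobber whatever it points to. mkstemp() chooses an unguessable name and creates it atomically with mode 0600; when the name must be fixed, O_EXCL makes open() fail if anything already exists at that path and O_NOFOLLOW refuses to traverse a symlink.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Creates a fresh, unguessable, owner-only file and returns its fd (or -1).
 * mkstemp() rewrites the X's in place and opens with O_EXCL internally, so a
 * file or symlink pre-planted at a guessed name can neither be reused nor
 * followed.  Honours TMPDIR, falling back to /tmp. */
int make_private_tmpfile(char *path, size_t pathlen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    if (snprintf(path, pathlen, "%s/xenbaked.XXXXXX", dir) >= (int)pathlen)
        return -1;                            /* template would not fit */
    return mkstemp(path);
}

/* For a fixed, well-known name: refuse to reuse anything already there.
 * O_EXCL fails with EEXIST if the path exists; O_NOFOLLOW refuses symlinks. */
int open_fixed_name_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Checks the descriptor refers to a regular file with no group/other bits. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
}

/* Exercises the sequence end to end.  Returns 0 on success, otherwise the
 * number of the step that failed. */
int tmpfile_roundtrip(void)
{
    char path[256];
    int fd = make_private_tmpfile(path, sizeof path);
    int fd2, rc = 0;

    if (fd < 0)
        return 1;
    if (!fd_is_private_regular(fd))
        rc = 2;
    /* Step 3: a second creator (think: the attacker who guessed the name)
     * must not be able to open the very same path. */
    fd2 = open_fixed_name_safely(path);
    if (fd2 != -1) {
        close(fd2);
        if (rc == 0)
            rc = 3;
    } else if (errno != EEXIST && rc == 0) {
        rc = 3;
    }
    if (unlink(path) != 0 && rc == 0)
        rc = 4;
    if (close(fd) != 0 && rc == 0)
        rc = 5;
    return rc;
}

int main(void)
{
    int rc = tmpfile_roundtrip();
    printf("temp file round trip: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Two further habits close the remaining gaps: keep using the descriptor you were handed rather than reopening the file by name later, and prefer mkdtemp() for a private directory when several scratch files are needed, since the directory itself then carries the 0700 protection.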

  • 07.44.24 - CVE: CVE-2007-4222
  • Platform: Cross Platform
  • Title: IBM Lotus Notes TagAttributeListCopy Remote Buffer Overflow
  • Description: IBM Lotus Notes is a tool for email, calendar, scheduling, and collaboration tasks. The application is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. The issue occurs in the "TagAttributeListCopy()" function of the "nnotes.dll" library when converting HTML emails to a format similar to RTF. Specifically, the buffer overflow occurs when the "Cstrcpy()" function copies user-supplied data into a fixed-sized buffer.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=604
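
The two bounds that the Lotus Notes TagAttributeListCopy entry above and the Firefox ParseFTPList entry (07.44.10) say were missing, applied in one small parser, as an added example; this is not Lotus Notes or Mozilla code, and the "name=value name2=value2" attribute syntax, the field sizes and the function names are hypothetical. Every copy into a fixed-size field is preceded by a length check that refuses rather than truncates (the Cstrcpy() problem), and the store index is checked against the array capacity before use, with a checked accessor in place of an unchecked tokens[pos] (the ParseFTPList problem). The same shape covers the other "fails to perform adequate boundary checks" entries in this issue.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ATTRS     8
#define NAME_MAX_LEN  15
#define VALUE_MAX_LEN 63

struct attr {
    char name[NAME_MAX_LEN + 1];
    char value[VALUE_MAX_LEN + 1];
};

/* Copies n bytes of src into dst only if they fit with a terminator.
 * Returns -1 instead of silently truncating (or, worse, overflowing). */
static int bounded_copy(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parses up to max space-separated "name=value" attributes from s into out.
 * Returns the count, or -1 if the input is malformed, carries more
 * attributes than out[] can hold, or has a name/value that does not fit. */
int parse_attr_list(const char *s, struct attr *out, size_t max)
{
    size_t count = 0;

    while (*s != '\0') {
        const char *name, *val;
        size_t nlen, vlen;

        while (*s == ' ')
            s++;
        if (*s == '\0')
            break;

        name = s;
        while (*s != '\0' && *s != '=' && *s != ' ')
            s++;
        nlen = (size_t)(s - name);
        if (*s != '=' || nlen == 0)
            return -1;                        /* "foo" or "=bar": malformed */
        s++;
        val = s;
        while (*s != '\0' && *s != ' ')
            s++;
        vlen = (size_t)(s - val);

        if (count == max)
            return -1;                        /* would index past out[]: refuse */
        if (bounded_copy(out[count].name, sizeof out[count].name, name, nlen) != 0)
            return -1;                        /* name too long for its field */
        if (bounded_copy(out[count].value, sizeof out[count].value, val, vlen) != 0)
            return -1;                        /* value too long for its field */
        count++;
    }
    return (int)count;
}

/* Checked accessor: the replacement for an unchecked tokens[pos]. */
const char *attr_value_at(const struct attr *a, int count, int pos)
{
    if (a == NULL || pos < 0 || pos >= count)
        return NULL;
    return a[pos].value;
}

/* Helpers: number of attributes parsed (-1 on refusal), and a value check. */
int attr_count(const char *s)
{
    struct attr a[MAX_ATTRS];
    return parse_attr_list(s, a, MAX_ATTRS);
}

int attr_value_is(const char *s, int pos, const char *expect)
{
    struct attr a[MAX_ATTRS];
    int n = parse_attr_list(s, a, MAX_ATTRS);
    const char *v = attr_value_at(a, n, pos);
    return v != NULL && strcmp(v, expect) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal tag, an over-long value, too many attributes. */
    const char *inputs[] = {
        "href=http://example.test color=red",
        "x=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "a=1 b=2 c=3 d=4 e=5 f=6 g=7 h=8 i=9",
    };
    int i;

    for (i = 0; i < 3; i++)
        printf("%-40.40s -> %d\n", inputs[i], attr_count(inputs[i]));
    return 0;
}
```

Refusing over-long input, rather than truncating it, is deliberate: a truncated attribute can change the meaning of the HTML being converted, whereas a rejected message simply fails closed.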

  • 07.44.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MLDonkey P2P User Security Bypass
  • Description: MLDonkey is a peer-to-peer client that operates on multiple platforms and networks. The application is exposed to a security bypass issue due to a design error. This issue occurs because the MLDonkey ebuild adds a user to the computer named "p2p" with no password. MLDonkey versions prior to 2.9.0-r3 are affected.
  • Ref: http://www.securityfocus.com/bid/26202

  • 07.44.26 - CVE: CVE-2007-5585
  • Platform: Cross Platform
  • Title: XScreenSaver Locked Screen Bypass
  • Description: XScreenSaver is a screen saver with desktop locking functionality. The desktop locking feature is designed to prevent access to the desktop by users without valid credentials. XScreenSaver is shipped on most Linux and Unix systems running the X11 Window System. The application is exposed to a locked screen bypass issue. The locker crashes when packages providing GL XScreenSaver hacks are installed and a GL hack is launched without the "xscreensaver-gl-helper" binary installed. XScreenSaver version 5.03-10 with the "rss-glx-xscreensaver" and "tempest" packages is affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=336331

  • 07.44.27 - CVE: CVE-2007-4999
  • Platform: Cross Platform
  • Title: Pidgin HTML Processing Remote Denial of Service
  • Description: Pidgin is a chat client available for multiple operating systems. The application is exposed to a remote denial of service issue that arises when the application processes an invalid HTML message. Specifically, the flaw presents itself due to a NULL pointer dereference condition in the "libpurple" library. Pidgin versions prior to 2.2.2 are affected.
  • Ref: http://www.pidgin.im/news/security/?id=24

  • 07.44.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: JustSystem Ichitaro JSTARO4.OCX and TJSVDA.DLL Multiple Buffer Overflow Vulnerabilities
  • Description: JustSystem Ichitaro is a word processor available for Windows and Linux. The application is exposed to multiple buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers. Ichitaro versions 11, 12, 13, 2004, 2005, 2006, 2007, Ichitaro for Linux, Ichitaro Lite2, Punch and Ichitaro viewer are affected.
  • Ref: http://www.securityfocus.com/bid/26206

  • 07.44.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SocketKB Multiple Cross-Site Scripting Vulnerabilities
  • Description: SocketKB is a knowledgebase application. The application is exposed to multiple cross-site scripting issues because it fails to adequately sanitize user-supplied input to the "node" or "art_id" parameters of the "index.php" script. SocketKB version 1.1.5 is affected.
  • Ref: http://www.securityfocus.com/bid/26136

  • 07.44.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SocketMail Lostpwd.PHP Cross-Site Scripting Vulnerability
  • Description: SocketMail is a PHP-based webmail application. The application is exposed to an undisclosed cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects the "lost_id" parameter of the "lostpwd.php" script.
  • Ref: http://www.securityfocus.com/bid/26138

  • 07.44.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: rNote rnote.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: rNote is a web-based bulletin board application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the "d" and "u" parameters of the "rnote.php" script. rNote version 0.9.7.5 is affected.
  • Ref: http://www.securityfocus.com/bid/26140

  • 07.44.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SearchSimon Lite Filename.ASP Cross-Site Scripting
  • Description: SearchSimon Lite is search script implemented in ASP. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects the "QUERY" parameter of the "filename.asp" script. SearchSimon Lite version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/26142

  • 07.44.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Nagios Unspecified Cross-Site Scripting
  • Description: Nagios is an open-source application designed to monitor networks and services for interruptions and to notify administrators when various events occur. The software is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. Nagios versions 2.7, 2.8 and 2.9 are affected.
  • Ref: http://www.nagios.org/development/changelog.php

  • 07.44.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CandyPress Store Logon.ASP Cross-Site Scripting
  • Description: CandyPress Store is an ASP-based e-commerce application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects the "msg" parameter of the "logon.asp" script. CandyPress Store version 4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/26153

  • 07.44.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: WebIf Webif.exe Cross-Site Scripting
  • Description: WebIf is a bibliography application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects the "cmd" parameter of the "cgi-bin/webif.exe" script.
  • Ref: http://www.securityfocus.com/bid/26164

  • 07.44.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Hackish Blocco.PHP Cross-Site Scripting
  • Description: Hackish is a PHP-based web portal application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "go_shout" parameter of the "blocco.php" script. Hackish BETA version 1.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482615

  • 07.44.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: RSA Keon Registration Authority Multiple Cross-Site Scripting Vulnerabilities
  • Description: RSA Keon Registration Authority is a commercially available certificate-authority software package. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. These issues affect unspecified parameters of the "Request-spk.xuda" and "Add-msie-request.xuda" components of the application. Keon Registration Authority version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482729

  • 07.44.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SWAMP Login Pages Cross-Site Scripting
  • Description: SWAMP is a work flow processing platform. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the user name form field of the login page.
  • Ref: http://www.securityfocus.com/archive/1/482733

  • 07.44.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: TikiWiki Multiple Cross-Site Scripting and Local File Include Vulnerabilities
  • Description: TikiWiki is a PHP-based wiki application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. TikiWiki versions prior to 1.9.8.2 are affected.
  • Ref: http://www.securityfocus.com/archive/1/482801

  • 07.44.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SMF Index.PHP SQL Injection
  • Description: SMF is a web-based forum. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "SMFCookie218" parameter of the "index.php" script file before using it in an SQL query. SMF version 1.1.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482569

  • 07.44.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Lussumo Vanilla Sortcategories.PHP SQL Injection
  • Description: Vanilla is a PHP-based discussion forum. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "CategoryID" parameter of the "sortcategories.php" script file before using it in an SQL query. Vanilla version 1.1.3 is affected.
  • Ref: http://www.securityfocus.com/bid/26145

  • 07.44.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Multi-Forums Directory.PHP Multiple SQL Injection Vulnerabilities
  • Description: Multi-Forums is a module for Invision Power Board and phpBB. It enables a site to host multiple forums simultaneously. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "cat" and "go" parameters of "directory.php" before using it in SQL queries.
  • Ref: http://www.securityfocus.com/bid/26213

  • 07.44.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: BBsProcesS BBPortalS TNEWS.PHP SQL Injection
  • Description: BBsProcesS BBPortalS is a PHP-based discussion forum. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "tnews.php" script file before using it in an SQL query. BBPortals versions 1.5.10, 1.5.11, 1.6.2 and 2.0 are affected.
  • Ref: http://www.securityfocus.com/bid/26149

  • 07.44.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP Project Management Multiple Remote File Include Vulnerabilities
  • Description: PHP Project Management is an open-source project management application. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "full_path" parameter. PHP Project Management versions 0.8.10 and earlier are affected.
  • Ref: http://sourceforge.net/projects/php-pm/

  • 07.44.45 - CVE: CVE-2007-5679
  • Platform: Web Application - SQL Injection
  • Title: DM CMS Index.PHP SQL Injection
  • Description: DM CMS is a web-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "index.php" script before using it in an SQL query. DM CMS version 0.7.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482600

  • 07.44.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CodeWidget Online Event Registration Template Multiple SQL Injection Vulnerabilities
  • Description: Online Event Registration Template is an ASP-based event registration application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "Email address" form field parameter of the "login.asp" and "admin_login.asp" scripts.
  • Ref: http://www.securityfocus.com/archive/1/482730

  • 07.44.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CodeWidgets Web Based Alpha Tabbed Address Book Index.ASP SQL Injection
  • Description: CodeWidgets Web Based Alpha Tabbed Address Book is a web-based address book implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "alpha" parameter of the "index.asp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/archive/1/482724

  • 07.44.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Aleris Web Publishing Server Page.ASP SQL Injection
  • Description: Aleris Web Publishing Server is implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "mode" parameter of the "/calendar/page.asp" script before using it in an SQL query. Aleris Web Publishing Server version 3.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482723

  • 07.44.49 - CVE: Not Available
  • Platform: Web Application
  • Title: ZZ:FlashChat Help.PHP Local File Include
  • Description: ZZ:FlashChat is a web-based instant messaging application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "file" parameter of the "/chat/admin/inc/help.php" script. ZZ:FlashChat version 3.1 [beta] is affected.
  • Ref: http://www.securityfocus.com/bid/26135

  • 07.44.50 - CVE: Not Available
  • Platform: Web Application
  • Title: A-Cart Multiple Input Validation Vulnerabilities
  • Description: A-Cart is an ASP-based e-commerce application. The application is exposed to multiple input validation issues because the application fails to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/482535

  • 07.44.51 - CVE: Not Available
  • Platform: Web Application
  • Title: ReloadCMS Index.PHP Local File Include
  • Description: ReloadCMS is a PHP-based content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "module" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/26143

  • 07.44.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Broadband Mechanics PeopleAggregator Multiple Remote File Include Vulnerabilities
  • Description: Broadband Mechanics PeopleAggregator is a social networking platform. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/26147

  • 07.44.53 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Project Management Multiple Local File Include Vulnerabilities
  • Description: PHP Project Management is an open-source project management application. The application is exposed to multiple local file include issues because it fails to properly sanitize user-supplied input. PHP Project Management versions 0.8.10 and earlier are affected.
  • Ref: http://sourceforge.net/projects/php-pm/

  • 07.44.54 - CVE: Not Available
  • Platform: Web Application
  • Title: Support Incident Tracker SiT! Multiple Unspecified Security Vulnerabilities
  • Description: Support Incident Tracker (SiT!) is an open-source web application for tracking technical support requests. It is implemented based on PHP and MySQL. The application is exposed to multiple unspecified security issues. Support Incident Tracker (SiT!) versions prior to 3.30 are affected.
  • Ref: http://sourceforge.net/forum/forum.php?forum_id=744890

  • 07.44.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple PHP Blog Multiple Remote Vulnerabilities
  • Description: Simple PHP Blog is a PHP-based web-log application. The application is exposed to multiple remote issues. Simple PHP Blog versions 0.5.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/482603

  • 07.44.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Flatnuke3 File Manager Module Unauthorized Access
  • Description: Flatnuke3 is a content management system implemented in PHP. It uses flat text files instead of a database. The application is exposed to an unauthorized access issue because it fails to adequately verify administrative credentials. Specifically, while logging in to the "File Manager" module, an attacker can use the "mod" parameter of the "index.php" script to perform actions on behalf of the administrator. Flatnuke3 version 2007-10-10 is affected.
  • Ref: http://www.securityfocus.com/bid/26155

  • 07.44.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Flatnuke3 Myforum Cookie Parameter Authentication Bypass
  • Description: Flatnuke3 is a content management system implemented in PHP. It uses flat text files instead of a database. The application is exposed to an authentication bypass issue because it fails to adequately sanitize user-supplied input used for cookie-based authentication. Specifically, the "myforum" parameter, a cookie credential set when users log in to the application, may be manipulated to allow administrative privileges. Flatnuke3 version 2007-10-10 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482774

  • 07.44.58 - CVE: Not Available
  • Platform: Web Application
  • Title: SocketMail FNC-Readmail3.PHP Remote File Include
  • Description: SocketMail is a PHP-based webmail client. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "__SOCKETMAIL_ROOT" parameter of the "fnc-readmail3.php" script. SocketMail version 2.2.8 is affected.
  • Ref: http://www.securityfocus.com/bid/26162

  • 07.44.59 - CVE: Not Available
  • Platform: Web Application
  • Title: The Online Web Library Site Scripture.PHP Remote File Include
  • Description: The Online Web Library Site (TOWeLS) is a web-based document repository. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "pageHeaderFile" parameter of the "scripture.php" script. The Online Web Library Site version 0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/26165

  • 07.44.60 - CVE: Not Available
  • Platform: Web Application
  • Title: InstaGuide Weather Index.PHP Local File Include
  • Description: InstaGuide Weather is a web-based application to display current weather. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "PageName" parameter of the "index.php" script.
  • Ref: http://www.securityfocus.com/bid/26170

  • 07.44.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Jeebles Technology Jeebles Directory Download.PHP Local File Include
  • Description: Jeebles Directory is a PHP-based file organizer application. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "file" parameter of the "download.php" script. Jeebles Directory version 2.9.60 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482612

  • 07.44.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Mobile-Spy Insecure Password Storage Information Disclosure
  • Description: Mobile-Spy is an application for phones that use Windows Mobile. It logs data sent and received by the phone to a web server hosted by the application vendor. The application is exposed to an information disclosure issue because it fails to securely store sensitive data. Specifically, the username and password of the vulnerable application are stored in plain text in the registry.
  • Ref: http://www.securityfocus.com/archive/1/482663

  • 07.44.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Japanese PHP Gallery Hosting Arbitrary File Upload
  • Description: Japanese PHP Gallery Hosting is a web-based image gallery application. The application is exposed to an arbitrary file upload issue because it fails to adequately sanitize user-supplied input. This issue affects the "mode" parameter of the "/upload/upload.php" script when it handles specially crafted filenames. Japanese PHP Gallery Hosting versions released prior to 10/2007 are affected.
  • Ref: http://www.securityfocus.com/archive/1/482676

  • 07.44.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Prior To 4.7.8 and 5.3 Multiple Remote Vulnerabilities
  • Description: Drupal is an open-source content manager that is available for a number of platforms, including Microsoft Windows and Unix/Linux variants. The application is exposed to multiple remote issues.
  • Ref: http://drupal.org/node/184315

  • 07.44.65 - CVE: Not Available
  • Platform: Web Application
  • Title: BugHotel Reservation System Main.PHP Authentication Bypass
  • Description: BugHotel Reservation System is a PHP-based hotel reservation application. The application is exposed to an authentication bypass issue due to a missing login check in the "main.php" script. BugHotel Reservation System versions prior to 4.9.9 P3 are affected.
  • Ref: http://www.securityfocus.com/bid/26178

  • 07.44.66 - CVE: Not Available
  • Platform: Web Application
  • Title: GHBoard Multiple Arbitrary File Access Vulnerabilities
  • Description: GHBoard is a PHP-based bulletin board application. The application is exposed to multiple arbitrary file access issues because the application fails to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/482687

  • 07.44.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Platinum Favorites.PHP Remote File Include
  • Description: Platinum is a web-based content management system (CMS). Platinum was formerly known as Php Nuke Fusion. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "nuke_bb_root_path" parameter of the "modules/Forums/favorites.php" script. Platinum version 7.6.b.5 is affected.
  • Ref: http://www.securityfocus.com/bid/26183

  • 07.44.68 - CVE: Not Available
  • Platform: Web Application
  • Title: efileman Arbitrary File Upload And Access Validation Vulnerabilities
  • Description: efileman is a web-based file management application implemented in Perl. The application is exposed to multiple issues. Arbitrary file upload issues affect the "/upload.html" and "/cgi-bin/efileman/upload.cgi" scripts because the application fails to verify the content of uploaded data. An access validation issue affects the "/cgi-bin/efileman/efileman_config.pm" configuration file because the application fails to adequately restrict access to it. efileman version 7.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482683

  • 07.44.69 - CVE: Not Available
  • Platform: Web Application
  • Title: FCKeditor Unspecified Arbitrary File Upload
  • Description: FCKeditor is an online text/DHTML editor. The application is exposed to an unspecified arbitrary file upload issue because it fails to adequately sanitize user-supplied input. FCKeditor version 2.4.3 when file uploads are enabled in "config.php" is affected.
  • Ref: http://www.securityfocus.com/archive/1/482683

  • 07.44.70 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Image XArg Parameter Multiple Remote File Include Vulnerabilities
  • Description: PHP Image is a PHP-based web gallery. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "xarg" parameter of the "xarg_corner.php", "xarg_corner_bottom.php" and "xarg_corner_top.php" scripts. PHP Image version 1.2 is affected.
  • Ref: http://www.milw0rm.com/exploits/4565

  • 07.44.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Phpbasic basicFramework Includes.PHP Remote File Include
  • Description: basicFramework is a web-based content management system (CMS). The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root" parameter of the "includes.php" script. basicFramework version 1.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/482680

  • 07.44.72 - CVE: Not Available
  • Platform: Web Application
  • Title: BosDev BosMarket Multiple HTML Injection Vulnerabilities
  • Description: BosDev BosMarket is a web-based business directory application implemented in ASP. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
  • Ref: http://www.securityfocus.com/archive/1/482732

  • 07.44.73 - CVE: Not Available
  • Platform: Web Application
  • Title: BosDev BosNews Multiple HTML Injection Vulnerabilities
  • Description: BosDev BosNews is a web-based news management application. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
  • Ref: http://www.securityfocus.com/archive/1/482732

  • 07.44.74 - CVE: Not Available
  • Platform: Web Application
  • Title: OneOrZero USD250 Helpdesk Utility HTML Injection
  • Description: OneOrZero is a web-based task management and help desk application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. This issue affects the comment field of the "usd250" helpdesk utility.
  • Ref: http://www.securityfocus.com/archive/1/482790

  • 07.44.75 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Multiple Products Extensible Authentication Protocol Denial of Service
  • Description: Extensible Authentication Protocol (EAP) is an authentication framework used by various Cisco devices. The devices are exposed to a denial of service issue in their EAP implementation. Specifically, the devices fail to handle specially crafted EAP Response Identity packets. The following devices are affected: Cisco Access Points and 1310 Wireless Bridges running Cisco IOS in autonomous mode, and all Cisco switches running vulnerable versions of Cisco IOS and Cisco CatOS.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sr-20071019-eap.shtml

  • 07.44.76 - CVE: Not Available
  • Platform: Network Device
  • Title: GrandStream HandyTone-488 PSTN To VoIP Adapter Remote Denial of Service
  • Description: GrandStream HandyTone-488 is a Voice over IP (VoIP) phone. The application is exposed to a denial of service issue that exists in the implementation of the SIP parser. Specifically, the device fails to handle specially crafted SIP INVITE messages when receiving data.
  • Ref: http://www.sipera.com/index.php?action=resources,threat_advisory&tid=361&

  • 07.44.77 - CVE: Not Available
  • Platform: Network Device
  • Title: Vonage VoIP Multiple Security Vulnerabilities
  • Description: Vonage is a commercial provider of broadband telephone services using VoIP and SIP (Session Initiation Protocol) network protocols. The application is exposed to multiple issues.
  • Ref: http://www.sipera.com/index.php?action=resources,threat_advisory&tid=358&

  • 07.44.78 - CVE: Not Available
  • Platform: Network Device
  • Title: Globe7 SIP Soft Phone Weak Password Obfuscation Information Disclosure
  • Description: Globe7 is a SIP soft phone available for multiple operating systems. The application is exposed to an information disclosure issue because it fails to adequately obfuscate user account credentials.
  • Ref: http://www.sipera.com/index.php?action=resources,threat_advisory&tid=364&

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.