Security bug researchers (and others with more malicious purpose) have been focusing on Apple OS X, and they have been very successful. Quoting from the first item in this week's issue: "...several [OS X] vulnerabilities are exploitable by remote users. Several file format vulnerabilities are also present. Several implementation errors also exist in the Mac OS X application firewall."
If you are ever asked which operating system is safer, the following 'non-aligned' rule may be of some help. Given a fixed level of programming skill, the number of vulnerabilities in software is directly proportional to the number of lines of code and inversely proportional to the length of time the software has been in wide use. Large numbers of critical vulnerabilities are being, and were bound to be, discovered in Apple's operating system because Steve Jobs may design better hardware, but his programmers are no better at writing secure code than programmers in other software organizations.
Alan
@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:

Platform                                 Number of Updates and Vulnerabilities
---------------------------------------  -------------------------------------
Third Party Windows Apps                 6 (#7)
Cross Platform                           15 (#2, #6)
Web Application - Cross Site Scripting   9
Web Application - SQL Injection          13
******************** Sponsored By Sourcefire, Inc. *********************
Security 3.0: Are You Ready? Sourcefire Webcast Featuring Gartner
Security 3.0 is about getting out of reactive mode and into proactive mode by building network security everywhere it can be. Learn how to build up security before, during, and after an attack with this archived Webcast. Watch Security 3.0 Webcast now http://www.sans.org/info/19481
*************************************************************************
TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- Washington DC (12/13-12/18): http://www.sans.org/cdi07
- New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- London (11/26 - 12/1): http://www.sans.org/london07/
- and in 100 other cities and online any time: www.sans.org
*************************************************************************
Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Third Party Windows Apps
Mac Os
Linux
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
*********************** Sponsored Links *******************************
1) Don't let incorrect changes to device configurations bring down your network. FireMon: keeping networks operational. http://www.sans.org/info/19486
2) Utimaco Launches SafeGuard Enterprise 5.2 Raising the Bar on Cross-platform Data Protection http://www.sans.org/info/19491
3) A review and analysis of complex security threats and their impact on the SMB. http://www.sans.org/info/19496
*************************************************************************
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
Widely Deployed Software
(1) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (Security Update 2007-008)
Affected:
- Apple Mac OS X versions 10.4.10 and prior
- Apple Mac OS X versions 10.5 and prior
Description: Apple Mac OS X contains multiple vulnerabilities. They range in severity from remote code execution to information disclosure and denial-of-service. A large number of the vulnerabilities are exploitable only by local users or users on the local network, but several are exploitable by remote users. Several file format vulnerabilities are also present. Several implementation errors also exist in the Mac OS X application firewall. The firewall flaws affect only Mac OS X 10.5. The other vulnerabilities affect only Mac OS X 10.4.10 and prior. Some of these vulnerabilities have been discussed in previous issues of @RISK. Technical details are available for some of these vulnerabilities.
Status: Apple confirmed, updates available.
References:
(2) HIGH: Samba Multiple Buffer Overflows
Affected:
- Samba versions prior to 3.0.27
Description: Samba is an open source suite of applications designed to provide interoperability between clients using Microsoft Windows and servers running Unix or Unix-like operating systems. Several flaws in the handling of various requests could lead to a buffer overflow. Successfully exploiting such a buffer overflow would allow an attacker to execute arbitrary code with the privileges of the vulnerable process, often root. Full technical details for these vulnerabilities are available via source code analysis.
Status: Samba confirmed, updates available.
References:
(3) MODERATE: Microsoft Windows Shell URI Handling Vulnerability (MS07-061)
Affected:
- Microsoft Windows XP
- Microsoft Windows Server 2003
Description: The Microsoft Windows Shell, the portion of the operating system responsible for managing the user interface, contains a flaw in its handling of URIs passed to it by applications. A malicious URI passed to an application that is then passed to the shell could exploit this vulnerability to execute arbitrary commands with the privileges of the current user. Numerous applications are known to pass URIs to the Windows Shell in an insecure manner. Technical details and several proofs-of-concept are available for this vulnerability. This vulnerability has been discussed in a previous issue of @RISK.
Status: Microsoft confirmed, updates available.
References:
(4) MODERATE: Microsoft DNS Server Spoofing Vulnerability (MS07-062)
Affected:
- Microsoft Windows 2000
- Microsoft Windows Server 2003
Description: Microsoft's DNS server, shipped as part of Microsoft's server offerings, contains a flaw in the algorithm used to generate random transaction ID numbers. These numbers are used by the DNS protocol to identify and pair requests and responses. If the transaction ID is guessed, an attacker could provide a false reply to a DNS server or otherwise impersonate actors in other requests, and potentially cause the vulnerable DNS server to return false responses to its clients. This would allow an attacker to divert traffic to attacker-controlled or otherwise malicious locations. The random number generation flaw would allow an attacker who could observe several transaction IDs to predict future transaction IDs. This flaw may be related to a flaw in ISC BIND, the de facto DNS server software for Unix and other systems. The flaw in ISC BIND was discussed in an earlier edition of @RISK. Multiple proofs-of-concept are publicly available for this vulnerability.
Status: Microsoft confirmed, updates available.
References:
(5) MODERATE: Linux CIFS Buffer Overflow
Affected:
- Linux kernel versions 2.6.23.1 and prior
Description: The Linux kernel, the core of operating systems generally described as Linux, contains a flaw in its handling of the Common Internet Filesystem (CIFS) protocol. The CIFS protocol is based on the older Server Message Block (SMB) protocol, used primarily by Microsoft Windows systems to share filesystems and other resources. A malicious CIFS server could trigger a buffer overflow in the SendReceive() kernel function in any Linux clients connected to the server. This would allow an attacker to execute arbitrary code with kernel-level privileges. Full technical details for this vulnerability are publicly available.
Status: Linux kernel developers have confirmed the flaw. A preliminary patch is available.
References:
(6) MODERATE: Multiple FLAC Parsers Multiple Vulnerabilities
Affected:
- LibFLAC versions prior to 1.2.1
- Other FLAC parsers are reported vulnerable
Description: FLAC is the Free Lossless Audio Codec, used to compress audio data. It is supported by many popular software and hardware media players. Several flaws have been found in multiple FLAC parsers. A specially crafted FLAC file could trigger one of these vulnerabilities. Several of these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the current user. Note that, depending on the application used and system configuration, FLAC files may be opened automatically. Some of these vulnerabilities have been discussed in earlier issues of @RISK. Technical details for these vulnerabilities are available via source code analysis.
Status: LibFLAC confirmed, updates available.
References:
(7) MODERATE: Apple Safari for Windows Buffer Overflow
Affected:
- Apple Safari for Windows versions 3.0.3 and prior
Description: Apple Safari is Apple's web browser product for Apple Mac OS X and Microsoft Windows. The Microsoft Windows version contains a buffer overflow vulnerability in its handling of certain JavaScript constructs. A malicious web page containing a specially crafted JavaScript script could trigger this vulnerability and execute arbitrary code with the privileges of the current user. A proof-of-concept for this vulnerability is publicly available. Note that the version of Safari for Mac OS X does not appear to be affected. Several other vulnerabilities, including information disclosure and denial-of-service vulnerabilities, are addressed by this update.
Status: Apple confirmed, updates available.
References:
(8) LOW: Linux Kernel TCP Processing Denial-of-Service
Affected:
- Linux kernel versions prior to 2.6.23.8
Description: The Linux kernel, the core of operating systems generally described as Linux, contains a flaw in its handling of Transmission Control Protocol (TCP) packets. A specially crafted sequence of TCP packets could trigger a denial-of-service condition, leading to a system crash. Practically all systems exposed to the internet accept TCP packets, making this vulnerability potentially widely exploitable. It is not believed to be possible to leverage this vulnerability for remote code execution. Full technical details are publicly available for this vulnerability.
Status: Linux kernel developers confirmed, updates available.
References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 47, 2007
This list is compiled by Qualys (www.qualys.com) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5549 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
- 07.47.1 - CVE: Not Available
- Platform: Windows
- Title: Microsoft Windows Recursive DNS Spoofing
- Description: Microsoft Windows DNS Server is exposed to an issue that
permits an attacker to spoof responses to DNS requests. This issue
occurs because the affected service fails to provide enough entropy
when randomizing transaction values that are used in recursive DNS
requests.
- Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-062.mspx
- 07.47.2 - CVE: Not Available
- Platform: Microsoft Office
- Title: Microsoft Office Web Component Memory Access Violation Denial
of Service
- Description: Microsoft Office Web Components is a collection of Component
Object Model (COM) controls for publishing and viewing spreadsheets,
charts, and databases on websites. The application is exposed to a
memory access violation denial of service issue that occurs when a new
ActiveXObject "OWC.11.DataSourceControl" is instantiated in a
web page. OWC11 for Microsoft Office 2003 is affected.
- Ref: http://www.microsoft.com/downloads/details.aspx?familyid=7287252c-402e-4f72-97a5-e0fd290d4b76&displaylang=en
- 07.47.3 - CVE: CVE-2007-5396
- Platform: Third Party Windows Apps
- Title: Miranda IM EXT_YAHOO_CONTACT_ADDED Remote Format String
- Description: Miranda IM is an open-source instant messenger for
Windows. It supports many different protocols, including AIM,
Gadu-Gadu, IAX, ICQ, IRC, Jabber, MSN and Yahoo. The application is
exposed to a remote format string issue because it fails to properly
sanitize user-supplied input before passing it as the format specifier
to a formatted-printing function. Miranda IM version 0.7.1 is
affected.
- Ref: http://secunia.com/secunia_research/2007-89/advisory/
- 07.47.4 - CVE: CVE-2007-5755
- Platform: Third Party Windows Apps
- Title: AOL Radio AmpX.DLL ActiveX Control Multiple Remote Buffer
Overflow Vulnerabilities
- Description: AOL Radio is used for streaming audio files in web
browsers. The application is exposed to multiple stack-based buffer
overflow issues because it fails to perform adequate boundary checks
on user-supplied data. "AmpX.dll" version 2.6.1.11 is affected.
- Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=623
- 07.47.5 - CVE: CVE-2007-5756
- Platform: Third Party Windows Apps
- Title: WinPcap NPF.SYS Bpf_Filter_Init Function Local Privilege
Escalation
- Description: WinPcap provides real time link-level network access on
Windows operating systems. The application is exposed to a local
privilege escalation issue because the software fails to adequately
bounds check user-supplied data. WinPcap version 4.0.1 is affected.
- Ref: http://www.securityfocus.com/archive/1/483581
- 07.47.6 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Microsoft Forms 2.0 ActiveX Control Memory Access Violation
Denial of Service Vulnerabilities
- Description: Microsoft Forms 2.0 ActiveX Control is a collection of
standard form controls that can be used on websites. It includes
textboxes, different types of buttons, checkboxes, etc. Forms 2.0
ActiveX is distributed with any application that includes Visual Basic
for Applications 5.0. The application is exposed to multiple
memory access violation denial of service issues.
- Ref: http://www.securityfocus.com/bid/26414
- 07.47.7 - CVE: CVE-2005-4734
- Platform: Third Party Windows Apps
- Title: RSA Authentication Agent IISWebAgentIF.DLL Remote Stack-Based
Buffer Overflow
- Description: RSA Authentication Agent is an application that allows
users to authenticate to servers. The application is exposed to a
stack-based buffer overflow issue because it fails to
perform adequate boundary checks on user-supplied data. This issue
occurs in the "IISWebAgentIF.dll" library. RSA WebAgent versions 5.2
and 5.3 for Web for Microsoft IIS are affected.
- Ref: http://www.metasploit.com/projects/Framework/exploits.html#rsa_iiswebagent_redirect
- 07.47.8 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: WebEx GPCContainer Memory Access Violation Multiple Denial of
Service Vulnerabilities
- Description: WebEx is a sharing and conferencing application for
Microsoft Windows. The application is exposed to multiple denial of
service issues due to a memory access violation in the "GpcContainer"
ActiveX Control. Specifically a memory access violation occurs in the
"InitParam()" and "SetParam()" methods.
- Ref: http://www.securityfocus.com/bid/26430
- 07.47.9 - CVE: CVE-2007-4704
- Platform: Mac Os
- Title: Apple Mac OS X Application Firewall Launchd Firewall Bypass
Weakness
- Description: Application Firewall is the firewall component
distributed with Mac OS X. The application is exposed to a weakness
regarding firewall settings and processes started by launchd.
Specifically, changes to the firewall settings will not affect
processes started by launchd until the processes are restarted. Mac OS
X version 10.5 is affected.
- Ref: http://docs.info.apple.com/article.html?artnum=307004
- 07.47.10 - CVE: CVE-2007-4703
- Platform: Mac Os
- Title: Apple Mac OS X Application Firewall Unauthorized Network Access
Weakness
- Description: Apple Mac OS X is exposed to a weakness that results in
unauthorized network access to certain applications. This issue
affects the Application Firewall when "Set access for specific
services and applications" is enabled.
- Ref: http://docs.info.apple.com/article.html?artnum=307004
- 07.47.11 - CVE: CVE-2007-4678, CVE-2007-4679, CVE-2007-4680, CVE-2007-4681, CVE-2007-4682, CVE-2007-4683, CVE-2007-4684, CVE-2007-4685, CVE-2007-4686, CVE-2007-4687, CVE-2007-4688, CVE-2007-4689, CVE-2007-3749, CVE-2007-4690, CVE-2007-4691, CVE-2007-4692, CVE-2007-4693
- Platform: Mac Os
- Title: Apple Mac OS X v10.4.11 2007-008 Multiple Security
Vulnerabilities
- Description: Apple Mac OS X is exposed to multiple security issues
that affect Mac OS X and various applications, including AppleRAID,
CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds,
networking, NFS, NSURL, SecurityAgent, WebCore and WebKit. Apple Mac
OS X versions 10.4.10 and earlier are affected.
- Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
- 07.47.12 - CVE: CVE-2007-4702
- Platform: Mac Os
- Title: Apple Mac OS X 10.5 Application Firewall Misleading
Configuration Weakness
- Description: Apple Mac OS X 10.5 includes an Application Firewall that
is designed to filter network traffic at the application level rather
than the port level. It is designed to allow users to select
applications that can and cannot utilize network resources. The
application is exposed to a misleading configuration weakness due to a
flaw in the application's configuration dialog and documentation. Apple
Mac OS X version 10.5 is affected.
- Ref: http://docs.info.apple.com/article.html?artnum=307004
- 07.47.13 - CVE: CVE-2007-4136
- Platform: Linux
- Title: Conga ricci Connection Limit Remote Denial of Service
- Description: Conga is an agent/server architecture for administering a
system remotely. The "ricci" component is the agent portion. The
application is exposed to a denial of service issue because the daemon
limits the number of connection requests.
- Ref: https://rhn.redhat.com/errata/RHSA-2007-0640.html
- 07.47.14 - CVE: CVE-2007-5770
- Platform: Linux
- Title: Ruby Multiple Libraries SSL Multiple Insecure Certificate
Validation Weaknesses
- Description: Ruby includes multiple "net::" libraries that implement a
variety of net-related functionality. The application is exposed to
multiple insecure certificate validation weaknesses because multiple
libraries fail to properly perform validity checks on X.509
certificates.
- Ref: https://rhn.redhat.com/errata/RHSA-2007-0965.html
- 07.47.15 - CVE: CVE-2007-5904
- Platform: Linux
- Title: Linux Kernel CIFS Transport.C Remote Buffer Overflow
- Description: The Linux kernel is exposed to a remote buffer overflow
issue because it fails to properly bounds check user-supplied input
before copying it into an insufficiently sized buffer. The Linux
kernel version 2.6.23.1 is affected.
- Ref: http://marc.info/?l=linux-kernel&m=119455843205403&w=2
- 07.47.16 - CVE: CVE-2007-4476
- Platform: Linux
- Title: GNU TAR and CPIO safer_name_suffix Remote Denial of Service
- Description: GNU's tar and cpio utilities are exposed to a denial of
service issue. This issue is due to inappropriate use of the
"alloca()" function with user-supplied data.
- Ref: https://bugzilla.redhat.com/show_bug.cgi?id=280961
- 07.47.17 - CVE: CVE-2005-4872, CVE-2006-7227, CVE-2006-7228
- Platform: Linux
- Title: PCRE Regular Expression Library Multiple Integer and Buffer
Overflow Vulnerabilities
- Description: PCRE is a set of functions that implement regular
expressions using the same syntax and semantics as Perl 5. A buffer
overflow issue affects the library because it fails to properly count
the number of named capturing subpatterns in a regular expression.
PCRE versions prior to 6.2 are affected.
- Ref: http://scary.beasts.org/security/CESA-2007-006.html
- 07.47.18 - CVE: CVE-2007-5794
- Platform: Linux
- Title: PADL Nss_ldap Race Condition Security
- Description: PADL nss_ldap is a C library that allows access to X.500
and LDAP directory servers as sources for entities such as users,
hosts, groups, passwords etc. The application is exposed to a race
condition security issue that presents itself because the library
incorrectly handles calls from applications that use the "pthreads"
library and the "fork" commands. PADL nss_ldap versions prior to 259
are affected.
- Ref: https://bugzilla.redhat.com/show_bug.cgi?id=367461
- 07.47.19 - CVE: Not Available
- Platform: Unix
- Title: ClamAV Unspecified Remote Code Execution
- Description: ClamAV is an open source antivirus toolkit for UNIX that
is designed to scan email. The application is exposed to an
unspecified remote code execution issue. ClamAV version 0.91.1 is
affected.
- Ref: http://wabisabilabi.blogspot.com/2007/11/focus-on-clamav-remote-code-execution.html
- 07.47.20 - CVE: CVE-2007-5667
- Platform: Novell
- Title: Novell Client for Windows NWFILTER.SYS Local Privilege
Escalation
- Description: Novell Client for Windows allows users to access Novell
services from remote computers. The client is exposed to a local
privilege escalation issue because it fails to adequately handle
user-supplied input. The issue occurs due to an unspecified
input validation error in "NWFILTER.SYS". Novell Client for Windows
version 4.91 is affected.
- Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=626
- 07.47.21 - CVE: Not Available
- Platform: Cross Platform
- Title: Pioneers Session Object Denial of Service
- Description: Pioneers is an online board game that was formerly known
as gnocatan. The application is exposed to a denial of service issue
because it allows session objects to be deleted. Pioneers versions
prior to 0.11.3 are affected.
- Ref: http://sourceforge.net/forum/forum.php?forum_id=742693
- 07.47.22 - CVE: CVE-2007-4887
- Platform: Cross Platform
- Title: PHP 5.2.4 and Prior Versions Multiple Vulnerabilities
- Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
The application is exposed to multiple security issues. PHP versions
5.2.4 and earlier are affected.
- Ref: http://www.securityfocus.com/archive/1/archive/1/478988/100/0/threaded
- 07.47.23 - CVE: Not Available
- Platform: Cross Platform
- Title: Oracle Database Server Installation Security Bypass
- Description: The Oracle Database Server is an enterprise database
server system available for multiple operating platforms. The
application is exposed to a security bypass issue because of a design
error. Oracle versions 10g and 11g are affected.
- Ref: http://www.davidlitchfield.com/blog/archives/00000030.htm
- 07.47.24 - CVE: Not Available
- Platform: Cross Platform
- Title: PHP stream_wrapper_register() Function Denial of Service
- Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
The application is exposed to a denial of service issue that occurs in
the "stream_wrapper_register()" function when handling an excessively
long class name. PHP versions 5.2.5 and earlier are affected.
- Ref: http://www.securityfocus.com/archive/1/483644
- 07.47.25 - CVE: CVE-2007-5905
- Platform: Cross Platform
- Title: Adobe ColdFusion CFID CFTOKEN Session Hijacking
- Description: Adobe ColdFusion is an application server and
software development framework used for creating dynamic web-based
content. The application is exposed to an issue that allows attackers
to hijack browser sessions. ColdFusion versions MX 7 and 8 are
affected.
- Ref: http://www.adobe.com/support/security/bulletins/apsb07-19.html
- 07.47.26 - CVE: Not Available
- Platform: Cross Platform
- Title: IBM WebSphere MQ Multiple Unspecified Remote Memory Corruption
Vulnerabilities
- Description: IBM WebSphere MQ is a commercially-available messaging
engine for enterprises. The application is exposed to multiple
unspecified remote memory corruption issues. IBM WebSphere MQ version
6.0 is affected.
- Ref: http://www.irmplc.com/index.php/111-Vendor-Alerts#IBM
- 07.47.27 - CVE: CVE-2007-4674
- Platform: Cross Platform
- Title: Apple QuickTime Movie Atom Remote Stack-Based Buffer Overflow
- Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to a stack-based buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied data. Apple QuickTime running on Microsoft Windows
Vista, Microsoft Windows XP SP2, and Mac OS X are affected.
- Ref: http://www.us-cert.gov/cas/techalerts/TA07-310A.html
- 07.47.28 - CVE: CVE-2007-5398
- Platform: Cross Platform
- Title: Samba NMBD_Packets.C NetBIOS Replies Stack-Based Buffer
Overflow
- Description: Samba is a suite of software that provides file and print
services for "SMB/CIFS" clients. It is available for multiple
operating platforms. The application is exposed to a remote
stack-based buffer overflow issue because it fails to properly
bounds check user-supplied data before copying it to an insufficiently
sized buffer. Samba versions 3.0.0 through 3.0.26a are affected.
- Ref: https://rhn.redhat.com/errata/RHSA-2007-1013.html
- 07.47.29 - CVE: CVE-2007-5944
- Platform: Cross Platform
- Title: IBM WebSphere Application Server WebContainer HTTP Request
Header Security Weakness
- Description: IBM WebSphere Application Server is exposed to a security
weakness regarding an HTTP request header because the application
fails to sanitize specially-crafted HTTP request headers. In
particular, the application fails to sanitize the "Expect" header when
the data is redirected by WebContainer to an error message.
- Ref: http://www-1.ibm.com/support/docview.wss?uid=swg24017314
- 07.47.30 - CVE: CVE-2007-4698
- Platform: Cross Platform
- Title: Apple Safari Unspecified Frame Events Same-Origin Policy Bypass
- Description: Apple Safari is a web browser available for multiple
operating systems. The application is exposed to an issue that lets an
attacker bypass the same-origin policy by associating unspecified
events with frame data that is hosted in a different domain.
- Ref: http://www.securityfocus.com/bid/26446
- 07.47.31 - CVE: Not Available
- Platform: Cross Platform
- Title: Apple Safari Tabbed Browsing Information Disclosure
- Description: Apple Safari is exposed to an information disclosure
issue because of a design issue relating to tabbed browsing.
- Ref: http://www.securityfocus.com/bid/26447
- 07.47.32 - CVE: CVE-2007-4812
- Platform: Cross Platform
- Title: Apple Safari for Windows Document.Location.Hash Buffer Overflow
- Description: Safari is a browser from Apple available for Mac OS X and
Microsoft Windows. The application is exposed to a buffer overflow
issue that is triggered when an attacker entices an unsuspecting user to view a
maliciously crafted webpage.
- Ref: http://www.securityfocus.com/archive/1/478802
- 07.47.33 - CVE: Not Available
- Platform: Cross Platform
- Title: IBM DB2 Multiple Privilege Escalation Vulnerabilities
- Description: IBM DB2 Universal Database Server is a database server
designed to run on various platforms including Linux, AIX, Solaris,
and Microsoft Windows. The application is exposed to multiple issues.
IBM DB2 version 9.1 and IBM DB2 9.1 with fix pack 1, 2, 3, and 3a are
affected.
- Ref: http://www-1.ibm.com/support/docview.wss?uid=swg21255607#r4
- 07.47.34 - CVE: Not Available
- Platform: Cross Platform
- Title: Citrix Presentation Server Remote Unauthorized Code Execution
- Description: Citrix Presentation Server is a solution that provides
remote application access using the ICA protocol. The application is
exposed to a potential remote unauthorized code execution issue due to
a design error.
- Ref: http://support.citrix.com/article/CTX114938
- 07.47.35 - CVE: CVE-2007-4572
- Platform: Cross Platform
- Title: Samba NMBD Logon Request Remote Buffer Overflow
- Description: Samba is a software suite that provides file and print
services for "SMB/CIFS" clients. It is available for multiple
operating platforms. The application is exposed to a buffer overflow
issue because it fails to perform adequate boundary checks on
user-supplied data. Samba versions 3.0.0 through 3.0.26a are affected.
- Ref: http://www.securityfocus.com/archive/1/483742
- 07.47.36 - CVE: CVE-2007-3694
- Platform: Web Application - Cross Site Scripting
- Title: Miro Broadcast Machine Login.PHP Cross Site Scripting
- Description: Miro Broadcast Machine is a PHP-based application for
managing and publishing video files on web pages. The application is
exposed to a cross-site scripting issue because it fails to
sufficiently sanitize user-supplied input to the "username" POST
parameter of the "login.php" script. Broadcast Machine version 0.9.9.9
is affected.
- Ref: http://www.securityfocus.com/archive/1/483575
- 07.47.37 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Eggblog Rss.PHP Cross-Site Scripting
- Description: Eggblog is a web-log application implemented in PHP. The
application is exposed to a cross-site scripting issue because it
fails to sanitize user input. Specifically, this issue affects the
"home/rss.php" script and dynamically generated URIs constructed from
the contents of the "$_SERVER["PHP_SELF"]" variable. Eggblog version
3.1.0 is affected.
- Ref: http://www.securityfocus.com/archive/1/483569
- 07.47.38 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: AutoIndex PHP Script PHP_SELF Index.PHP Cross-Site Scripting
- Description: AutoIndex PHP Script is a PHP-based indexing tool and
file manager for web sites. The application is exposed to cross-site
scripting attacks because it fails to sufficiently sanitize
user-supplied input to the "index.php" script. AutoIndex PHP Script
version 2.2.2 is affected.
- Ref: http://www.securityfocus.com/archive/1/483592
- 07.47.39 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: F5 FirePass 4100 SSL VPN Download_Plugin.PHP3 Cross-Site
Scripting
- Description: FirePass 4100 SSL VPN is a secure Virtual Private Network
device that uses SSL connections to encapsulate network traffic. The
application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input. F5 FirePass 4100 SSL
VPNs running firmware versions 5.4 through 5.5.2 and 6.0 and 6.0.1 are
affected.
- Ref: http://www.securityfocus.com/archive/1/483601
- 07.47.40 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: X7 Chat Multiple Cross-Site Scripting Vulnerabilities
- Description: X7 Chat is a free, open source, web-based chat
application. The application is exposed to multiple cross-site
scripting issues because it fails to sufficiently sanitize
user-supplied input. X7 Chat version 2.0.4 is affected.
- Ref: http://www.securityfocus.com/bid/26417
- 07.47.41 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Grani Search Favorites Cross-Site Scripting
- Description: Grani is an add-on for Internet Explorer. The application
is exposed to a cross-site scripting issue because it fails to
sufficiently sanitize user-supplied input. Specifically, this issue
affects the "Search" field when used in conjunction with URIs
designated as "Favorites". Grani version 3.0 is affected.
- Ref: http://www.securityfocus.com/bid/26418
- 07.47.42 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: VTLS Web Gateway Searchtype Parameter Cross-Site Scripting
- Description: Web Gateway is a web-based application that utilizes CGI.
The application is exposed to a cross-site scripting issue because it
fails to sanitize user input to the "searchtype" parameter of the
"vtls.web.gateway" script. Web Gateway versions prior to 48.1.1 are
affected.
- Ref: http://www.securityfocus.com/archive/1/483622
- 07.47.43 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: WP-SlimStat WordPress Plugin Cross-Site Scripting
- Description: WP-SlimStat is a plugin for WordPress that adds
statistics functionality to a blog. WordPress allows users to generate
news pages and web-logs dynamically. The application is exposed to a
cross-site scripting issue because it fails to properly sanitize
user-supplied input to the "ft" parameter of the "wp-slimstat.php"
script. WP-SlimStat Plugin version 0.9.2 is affected.
- Ref: http://www.securityfocus.com/bid/26432
- 07.47.44 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Nuked-Klan File Parameter News Module Cross-Site Scripting
- Description: Nuked-Klan is a content management system (CMS). The
application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to the "file" parameter
of the "index.php" script. Nuked-Klan version 1.7.5 is affected.
- Ref: http://www.securityfocus.com/bid/26458
- 07.47.45 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Xoops Mylinks Module Brokenlink.PHP SQL Injection
- Description: Xoops is a PHP-based, open source content manager. Mylinks
is a module included with the base package. The application is exposed
to an SQL injection issue because it fails to properly sanitize
user-supplied input to the "lid" parameter of the
"modules/mylinks/brokenlink.php" script before using it in an SQL
query. Xoops version 2.0.17.1 is affected.
- Ref: http://www.securityfocus.com/archive/1/483525
- 07.47.46 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: JPortal Articles.PHP SQL Injection
- Description: JPortal is a PHP-based web forum application. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "topic" parameter of
the "articles.php" script before using it in an SQL query. JPortal
version 2.3.1 is affected.
- Ref: http://www.securityfocus.com/bid/26395
- 07.47.47 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: TBsource Index.PHP SQL Injection
- Description: TBsource is a PHP-based set of components that can be
used to build a BitTorrent tracker. The application is exposed to an
SQL injection issue because it fails to properly sanitize
user-supplied input to the "choice" parameter of the "index.php"
script before using it in an SQL query. TBsource version 7 alpha1.01
is affected.
- Ref: http://www.securityfocus.com/archive/1/483552
- 07.47.48 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Softbiz Online Auctions Script PRODUCT_DESC.PHP SQL Injection
- Description: Softbiz Online Auctions Script is a web-based auction
application implemented in PHP. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter of the "product_desc.php"
script before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/26399
- 07.47.49 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Softbiz Ad Management PLUS Script ADS.PHP SQL Injection
- Description: Softbiz Ad Management PLUS Script is a web-based
application for automating the advertising interface. It is
implemented in PHP. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the "package" parameter of the "ads.php" script before using it in an
SQL query.
- Ref: http://www.securityfocus.com/bid/26400
- 07.47.50 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Softbiz Banner Exchange Script CAMPAIGN_STATS.PHP SQL Injection
- Description: Softbiz Banner Exchange Script is a web-based application
for banner exchange networks. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "id" parameter of the "campaign_stats.php"
script before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/26401
- 07.47.51 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Softbiz Link Directory Script SEARCHRESULT.PHP SQL Injection
- Description: Softbiz Link Directory Script is a web-based directory
application for exchanging links. The application is exposed to an SQL
injection issue because it fails to sufficiently sanitize
user-supplied data to the "sbcat_id" parameter of the
"searchresult.php" script before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/26402
- 07.47.52 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: PHP-Nuke Advertising Module Modules.PHP SQL Injection
- Description: The Advertising Module is an ecommerce add-on for
PHP-Nuke; it is implemented in PHP. The application is exposed to an
SQL injection issue because it fails to properly sanitize
user-supplied input to the "login" POST parameter of the "modules.php"
script before using it in an SQL query.
- Ref: http://www.securityfocus.com/bid/26406
- 07.47.53 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: TorrentStrike INDEX.PHP SQL Injection
- Description: TorrentStrike is a web-based BitTorrent tracker. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data to the "choice" parameter of
the "index.php" script before using it in an SQL query. TorrentStrike
version 0.4 is affected.
- Ref: http://www.securityfocus.com/bid/26415
- 07.47.54 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Datecomm Social Networking Script Index.PHP SQL Injection
- Description: Datecomm is a PHP-based, social networking application
similar to MySpace. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data
before using it in an SQL query. Specifically, the "seid" parameter of
the "index.php" script can be used to harvest administrator
credentials.
- Ref: http://www.securityfocus.com/bid/26422
- 07.47.55 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Toko Instan Index.PHP Multiple SQL Injection Vulnerabilities
- Description: Toko Instan is a web application. The application is
exposed to multiple SQL injection issues because it fails to
sufficiently sanitize user-supplied data to the "id" and "katid"
parameters of the "index.php" script before using it in an SQL query.
Toko Instan version 7.6 is affected.
- Ref: http://www.securityfocus.com/bid/26433
- 07.47.56 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Free Forum Search SQL Injection
- Description: Free Forum is a web forum application implemented in ASP.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "search" parameter
before using it in an SQL query.
- Ref: http://www.securityfocus.com/archive/1/483697
- 07.47.57 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: DocuSafe Search Parameter SQL Injection
- Description: DocuSafe is a web-based application implemented in ASP.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "search" parameter
of the "/includes/common.asp" script.
- Ref: http://www.securityfocus.com/archive/1/483694
- 07.47.58 - CVE: Not Available
- Platform: Web Application
- Title: Updir.net Updir.PHP Cross Site Scripting
- Description: Updir.net is a PHP-based application for uploading and
managing digital photographs to web sites. The application is exposed
to a cross-site scripting issue because it fails to properly sanitize
user-supplied input to an unspecified parameter of the "updir.php"
script. Updir.net versions prior to 2.04 are affected.
- Ref: http://www.securityfocus.com/bid/26394
- 07.47.59 - CVE: Not Available
- Platform: Web Application
- Title: Yappa-NG Check_Noimage.PHP Remote File Include
- Description: Yappa-NG is a web-based photo album. The application is
exposed to a remote file include issue because it fails to
sufficiently sanitize user-supplied input to the
"config[path_src_include]" parameter of the "check_noimage.php"
script. Yappa-NG version 2.3.2 is affected.
- Ref: http://www.securityfocus.com/bid/26398
- 07.47.60 - CVE: Not Available
- Platform: Web Application
- Title: AutoIndex PHP Script Index.PHP Denial of Service
- Description: AutoIndex PHP Script is a PHP-based indexing tool and
file manager for web sites. The application is exposed to a remote
denial of service issue because it fails to properly handle unexpected
input. AutoIndex PHP Script versions 2.2.2 and 2.2.3 are affected.
- Ref: http://www.securityfocus.com/archive/1/483592
- 07.47.61 - CVE: Not Available
- Platform: Web Application
- Title: PHP Application Tools patBBCode BBCODESOURCE.PHP Remote File
Include
- Description: PHP Application Tools patBBCode is a parser and renderer
for BBCode syntax. The application is exposed to a remote file include
issue because it fails to sufficiently sanitize user-supplied input to
the "example" parameter of the
"examples/patExampleGen/bbcodeSource.php" script. patBBCode version
1.0 is affected.
- Ref: http://www.securityfocus.com/bid/26416
- 07.47.62 - CVE: Not Available
- Platform: Web Application
- Title: ExoPHPDesk Index.PHP Multiple Input Validation Vulnerabilities
- Description: ExoPHPDesk is a web-based helpdesk application. The
application is exposed to multiple input validation issues because it
fails to sufficiently sanitize user-supplied data.
- Ref: http://www.securityfocus.com/archive/1/483673
- 07.47.63 - CVE: CVE-2007-5817
- Platform: Web Application
- Title: CONTENTCustomizer Dialog.PHP Unauthorized Access
- Description: CONTENTCustomizer is a PHP-based web site editor. The
application is exposed to an unauthorized access issue because the
application fails to sufficiently sanitize user-supplied input to the
"doc" parameter of the "dialog.php" script. CONTENTCustomizer version
3.1mp is affected.
- Ref: http://www.securityfocus.com/bid/26437
- 07.47.64 - CVE: Not Available
- Platform: Web Application
- Title: TestLink Unspecified Authentication Bypass
- Description: TestLink is an application testing suite. The application
is exposed to an unspecified authentication bypass issue. TestLink
versions prior to 1.7.1 are affected.
- Ref: http://sourceforge.net/project/shownotes.php?release_id=548619&group_id=90976
- 07.47.65 - CVE: Not Available
- Platform: Web Application
- Title: AIDA Web Frame.HTML Multiple Unauthorized Access
Vulnerabilities
- Description: AIDA Web is a web-based workflow application. The
application is exposed to multiple unauthorized access vulnerabilities
because it fails to restrict access to posts.
- Ref: http://www.securityfocus.com/archive/1/483749
- 07.47.66 - CVE: Not Available
- Platform: Web Application
- Title: Aruba MC-800 Mobility Controller Screens Directory HTML
Injection
- Description: Aruba MC-800 Mobility Controller is used to scale ArubaOS
and other software module capabilities on enterprise networks. The
device is exposed to an HTML injection issue because it fails to
properly sanitize user-supplied input before using it in dynamically
generated content. This input will be stored persistently on the
affected site and may be rendered by a victim user when the page is
viewed. Aruba MC-800 is affected.
- Ref: http://www.securityfocus.com/archive/1/483778
- 07.47.67 - CVE: Not Available
- Platform: Web Application
- Title: ExoPHPDesk Register.PHP Multiple HTML Injection Vulnerabilities
- Description: ExoPHPDesk is a web-based helpdesk application. The
application is exposed to multiple HTML injection issues because it
fails to properly sanitize user-supplied input before using it in
dynamically generated content. ExoPHPDesk version 1.2.1 is affected.
- Ref: http://www.securityfocus.com/bid/26453
- 07.47.68 - CVE: Not Available
- Platform: Network Device
- Title: Lantronix SCS3200 Remote Denial of Service
- Description: Lantronix SCS3200 is a secure console server device. The
application is exposed to a remote denial of service issue. The exact
cause of this issue is unknown.
- Ref: http://www.securityfocus.com/bid/26404
(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.