@RISK: The Consensus Security Vulnerability Alert
Volume: VI, Issue: 5
January 29, 2007
Big problems this week with Cisco IOS and Citrix. Plus more than 50 new vulnerabilities confirmed in web applications.
@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:
- Other Microsoft Products: 1
- Third Party Windows Apps: 7 (#1, #3)
- Web Application - Cross Site Scripting: 8
- Web Application - SQL Injection: 10
- Network Device: 4 (#2, #9)
*************************************************************************
SECURITY TRAINING UPDATE: Several of the hands-on immersion security training courses at SANS 2007 (San Diego, March 29 - April 4) are starting to fill up. If you want a place, register early. You'll also save hundreds of dollars if you do it in the next few weeks. Full Schedule (53 courses): http://www.sans.org/sans2007/event.php
*************************************************************************
Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Solaris
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Rob King and Rohit Dhamankar
at TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Widely Deployed Software
- (1) CRITICAL: NCTsoft NCTAudioFile2 ActiveX Control Buffer Overflow
- Affected:
- NCTAudioFile2 ActiveX Control version 2.7.1 and prior
- Note that this control is installed by many different applications.
Description: The NCTsoft NCTAudioFile2 ActiveX control contains a buffer overflow vulnerability in the processing of arguments passed to its "SetFormatLikeSample()" method. A web page that instantiates this control could trigger this vulnerability, and execute arbitrary code with the privileges of the current user. Technical details for this vulnerability are publicly available, as is a simple proof-of-concept. Reusable exploit code targeting ActiveX control vulnerabilities is widely available and easily adaptable to this specific vulnerability. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for GUID "77829F14-D911-40FF-A2F0-D11DB8D6D0BC".
Status: NCTsoft has not confirmed, no updates available.
- References:
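The kill-bit mitigation named in the description above, as an added example that is not part of the bulletin: a PowerShell script that audits and sets Internet Explorer's kill bit for the NCTAudioFile2 CLSID quoted in entry (1). The mechanism is Microsoft's documented one (KB 240797): a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility registry key makes IE refuse to instantiate that CLSID. The function names are this example's own; it assumes an elevated (administrator) PowerShell session on the affected Windows host.

```powershell
# Added example, not from the @RISK bulletin: audit and set the Internet Explorer
# "kill bit" for the NCTAudioFile2 control named in entry (1). The mechanism is
# Microsoft's documented one (KB 240797): a "Compatibility Flags" DWORD with bit
# 0x400 set under the ActiveX Compatibility key makes IE refuse to load the CLSID.
# Assumes an elevated (administrator) PowerShell session on the affected host.

$KillBit   = 0x400
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# CLSID quoted in the bulletin for the NCTAudioFile2 control.
$NctAudioFile2 = '{77829F14-D911-40FF-A2F0-D11DB8D6D0BC}'

function Get-CompatibilityFlags {
    # Returns the current Compatibility Flags for a CLSID, or 0 if none are set.
    param([string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    # True when IE already refuses to instantiate this CLSID.
    param([string]$Clsid)
    return (((Get-CompatibilityFlags $Clsid) -band $KillBit) -ne 0)
}

function Set-KillBit {
    # OR the kill bit into whatever flags are already present so other settings survive.
    param([string]$Clsid)
    $key = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatibilityFlags $Clsid) -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $flags -Force | Out-Null
}

if (Test-KillBit $NctAudioFile2) {
    Write-Output "Kill bit already set for $NctAudioFile2"
} else {
    Set-KillBit $NctAudioFile2
    Write-Output "Kill bit set for $NctAudioFile2 (verified: $(Test-KillBit $NctAudioFile2))"
}
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so point $CompatKey at both paths there. The kill bit only stops Internet Explorer (and other hosts that honour it) from instantiating the control; it does not remove the DLL, so the application that installed the control can still load it itself.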
- (2) HIGH: Cisco IOS Multiple Vulnerabilities
- Affected:
- Cisco IOS XR versions 2.0 and higher
- Cisco IOS versions 12.4 XB and prior
- Due to the large number of builds of IOS, other versions may be vulnerable. Some builds within the range given above are not vulnerable. It is recommended that users consult the official Cisco advisories to determine whether or not they are vulnerable.
Description: Cisco IOS is Cisco's custom operating system used in its routing products. The majority of internet traffic is routed via systems running IOS. Cisco IOS contains the following vulnerabilities: 1) A specially-crafted IP options field in an Internet Control Message Protocol (ICMP), Protocol Independent Multicast version 2 (PIMv2), Pragmatic General Multicast (PGM), or URL Rendezvous Directory (URD) packet could trigger a vulnerability, leading to a denial-of-service condition. It is believed that this vulnerability could lead to arbitrary code execution, but this has not yet been proven. 2) A specially-crafted Transmission Control Protocol (TCP) packet can lead to a small memory leak on certain vulnerable systems. Large numbers of these packets can exhaust all available memory on a system, leading to a denial-of-service condition. 3) An Internet Protocol version 6 (IPv6) packet containing a specially-crafted Type 0 Routing header could lead to a denial-of-service condition by crashing the vulnerable system. IOS is vulnerable to the first two issues in its default configuration; IPv6 processing is not enabled by default. In all cases, the malicious traffic must be directed specifically to the router; traffic transiting the router will not trigger these vulnerabilities. These vulnerabilities can be partially mitigated by configuring firewall rules and access lists to limit the types of traffic that can reach the vulnerable systems directly.
Status: Cisco confirmed, updates available.
- References:
- (3) HIGH: Citrix MetaFrame Presentation Server Print Provider Buffer Overflow Vulnerability
- Affected:
- Citrix Presentation Server version 4.0
- Citrix MetaFrame Presentation Server version 3.0
- Citrix MetaFrame XP version 1.0
Description: A print provider installed by several Citrix products contains a remotely-exploitable buffer overflow. By passing an overly-long argument to the "EnumPrintersW()" or "OpenPrinter()" functions, an attacker could exploit this buffer overflow and execute arbitrary code with "LocalSystem" privileges. These calls can be issued via an unauthenticated RPC request. Note that some technical details for this vulnerability are publicly available, and a working exploit is available to the members of Immunity's partner program. Users are advised to block access to TCP and UDP ports 135, 137, 138, 139, 445, and 593 at the network perimeter, if possible.
Status: Citrix confirmed, updates available.
- References:
- (4) MODERATE: Microsoft Word Unspecified Code Execution Vulnerability
- Affected:
- Microsoft Word 2000 and possibly other versions
Description: Microsoft Word is vulnerable to a code execution vulnerability. The exact nature of this vulnerability is currently undisclosed. According to SecurityFocus, Symantec believes this vulnerability is being actively exploited in the wild.
Status: Microsoft is investigating this issue.
- References:
- (5) MODERATE: Computer Associates Multiple Products Multiple Vulnerabilities
- Affected:
- Computer Associates Desktop and Business Protection Suite
- Computer Associates Desktop Management Suite
- Computer Associates Mobile Backup
- Computer Associates BrightStor ARCserve Backup Laptop and Desktop
Description: Multiple Computer Associates products contain remotely-exploitable buffer overflows. The exact nature of these buffer overflows is currently not publicly known, but the vendor has stated that successful exploitation can lead to arbitrary code execution with SYSTEM or root privileges. It is unknown if these vulnerabilities are related to those discussed in @RISK Volume 6, Issue 3. Special Note: CA BrightStor ARCServe buffer overflows have been actively exploited for the past couple of years. SANS recommends that you block all the ports that are opened by the software, at the network perimeter. A list of the ports to block may be found at:
http://www.ca.com/at/local/partner/techtalk_mar05_faq.pdf
http://supportconnectw.ca.com/public/ca_common_docs/brightstorwinxpsp2matrix.asp
Status: Computer Associates confirmed, updates available.
- References:
- (6) MODERATE: Apple Mac OS X PICT Handling Memory Corruption
- Affected:
- Mac OS X 10.4.8 and prior
Description: Apple Mac OS X contains a flaw when parsing PICT image files. PICT is an old, rarely-used image file format. A PICT file with a specially-crafted "ARGB" field could exploit this vulnerability and create a denial-of-service condition. It is believed that this vulnerability could also lead to arbitrary code execution with the privileges of the current user, but this has not been confirmed. Technical details and a proof-of-concept for this vulnerability are publicly available. PICT files are opened automatically by Safari, Mail, and other applications. It is currently unknown if Apple QuickTime on Microsoft Windows is vulnerable.
Status: Apple has not confirmed, no updates available.
- References:
- (7) MODERATE: Apple iChat AIM URL Handler Format String Vulnerability
- Affected:
- Apple iChat version 3.1.6 and possibly prior
Description: Apple iChat, Apple's instant messaging client installed by default on Mac OS X systems, contains a format string vulnerability. A specially-crafted "aim://" URL, used to initiate an AOL Instant Message chat session, could exploit this vulnerability and execute arbitrary code with the privileges of the current user. The specially-crafted URL can be placed in a web page, and can be made to automatically open upon viewing the page. Technical details and a simple proof-of-concept for this vulnerability are publicly available. This vulnerability was disclosed by the Month of Apple Bugs project, whose goal is to disclose a security vulnerability in Apple or Apple-related software every day for a month.
Status: Apple has not confirmed, no updates available.
- References:
- (8) LOW: Apple Software Update Format String Vulnerability
- Affected:
- Apple Software Update version 2.0.5 and possibly prior
Description: Apple Software Update, a part of Apple Mac OS X used to download and install software updates, contains a format string vulnerability. A Software Update catalog file with a specially-crafted name can exploit this vulnerability. It is believed that code execution is possible with this vulnerability, though this has not been confirmed. Software Update catalog files are not opened by default in any software. Technical details and a simple proof-of-concept are publicly available.
Status: Apple has not confirmed, no updates available.
- References:
Other Software
- (9) LOW: Multiple VoIP Phones Session Hijacking Vulnerability
- Affected:
- VoIP phones using the Aredfox PA168 chipset with firmware versions 1.42 and 1.54
Description: Voice-over-IP (VoIP) phones that use the Aredfox chipset are vulnerable to a session-hijacking vulnerability. If an administrator logs into the phone's web-based administrative interface, that session can be easily hijacked by an attacker to execute arbitrary commands with administrative privilege. Note that the attacker's session is valid only so long as the administrator is logged in. A simple proof-of-concept for this vulnerability is available.
Status: Aredfox has not confirmed, no updates available.
- References:
Patches
- (10) CRITICAL: QuickTime RTSP URL Handler Buffer Overflow
Description: Apple has released a patch for the QuickTime RTSP URL handler buffer overflow, described in @RISK Volume 6, Issue 1. This patch should be automatically downloaded via the Software Update facility on Mac OS X. Windows users may need to manually download an updated version of QuickTime.
- References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 5, 2007
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5351 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
- 07.5.1 - CVE: Not Available
- Platform: Windows
- Title: Microsoft Help Workshop .HPJ File Buffer Overflow
- Description: Microsoft Help Workshop is prone to a buffer overflow
vulnerability as it fails to properly bounds check user-supplied
input in ".hpj" help project files. Please see the advisory for
further information.
- Ref: http://www.securityfocus.com/bid/22135
- 07.5.2 - CVE: Not Available
- Platform: Microsoft Office
- Title: Microsoft Word 2000 Unspecified Code Execution
- Description: Microsoft Word 2000 is prone to a remote code execution
vulnerability that arises because of a memory corruption
vulnerability. Exploit attempts against Word 2003/XP result in a
denial of service due to complete CPU utilization, denying service to
legitimate users. Various versions of Microsoft Word are affected.
- Ref: http://www.securityfocus.com/bid/22225
- 07.5.3 - CVE: Not Available
- Platform: Other Microsoft Products
- Title: Microsoft Visual C++ Resource File Buffer Overflow
- Description: Microsoft Visual C++ is prone to a stack-based buffer
overflow issue because it fails to bounds check user-supplied data to
the MSDEV.EXE process within the resource compiler RCDLL module.
- Ref: http://www.securityfocus.com/bid/22170
- 07.5.4 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: EarthLink TotalAccess ActiveX Control Unsafe Methods Weakness
- Description: EarthLink TotalAccess is a suite of applications to
protect against Internet attacks. The ActiveX control is vulnerable to
a weakness with certain methods. See the advisory for further details.
- Ref: http://www.securityfocus.com/bid/22238
- 07.5.5 - CVE: CVE-2007-0444
- Platform: Third Party Windows Apps
- Title: Citrix Presentation and MetaFrame Server Cpprov.DLL Stack
Buffer Overflow
- Description: The Citrix Presentation Server and MetaFrame server are
ICA client applications that include Citrix support. They are prone to
a stack-based buffer overflow vulnerability because they fail to
properly bounds check user-supplied data to the "EnumPrinters()" and
"OpenPrinter" functions residing in the "ccprov.dll" file. Citrix Presentation
Server 4.0, Citrix MetaFrame XP 1.0 and Citrix MetaFrame Presentation
Server 3.0 are all affected.
- Ref: http://support.citrix.com/article/CTX111686
- 07.5.6 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: Computer Associates BrightStor ARCServe BackUp Multiple Remote
Buffer Overflow Vulnerabilities
- Description: Computer Associates BrightStor ARCServe BackUp is prone
to multiple buffer overflow vulnerabilities which allow remote
attackers to execute arbitrary code with SYSTEM privileges.
- Ref: http://www.securityfocus.com/bid/22199
- 07.5.7 - CVE: CVE-2007-0018
- Platform: Third Party Windows Apps
- Title: NCTsoft ActiveX Control Remote Buffer Overflow
- Description: NCTsoft NCTAudioEditor ActiveX DLL is a visual
multi-functional audio files editor. It is vulnerable to a buffer overflow
issue in the NCTAudioFile2.AudioFile ActiveX control when handling the
"SetFormatLikeSample()" method. See the advisory for further details.
- Ref: http://secunia.com/secunia_research/2007-2/advisory/
- 07.5.8 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: KarjaSoft Sami HTTP Server Request Remote Denial of Service
- Description: Sami HTTP Server is a server application available for
Microsoft Windows. It is prone to a remote denial of service
vulnerability when the application receives an excessive amount of
HTTP requests for nonexistent files and folders. Versions 2.0.1, 1.0.5
and 1.0.4 are reportedly vulnerable.
- Ref: http://www.securityfocus.com/bid/22159
- 07.5.9 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: BitDefender Client Professional Plus Settings Local Format
String Vulnerability
- Description: BitDefender Client Professional Plus is prone to a format
string vulnerability because it fails to properly sanitize
user-supplied input before using it in the format specifier argument
to a formatted printing function. BitDefender Client Professional Plus
build 8.02 and prior versions are vulnerable to this issue.
- Ref: http://www.bitdefender.com/KB325-en--Format-string-vulnerability.html
- 07.5.10 - CVE: Not Available
- Platform: Third Party Windows Apps
- Title: DivX Web Player NPDIVX32.DLL ActiveX Control Remote Denial of
Service
- Description: DivX Web Player is for watching DivX encoded video
content. DivX Web Player is vulnerable to a denial of service issue when the
"GoWindowed()" method of the vulnerable control is executed with a
window size of 1x1 pixels. Version 1.2 is vulnerable.
- Ref: http://www.securityfocus.com/bid/22133
- 07.5.11 - CVE: CVE-2007-0462
- Platform: Mac Os
- Title: Mac OS X QuickDraw GetSrcBits32ARGB() Remote Memory Corruption
- Description: Mac OS X QuickDraw is a library used by the operating
system to perform image manipulation operations. It is vulnerable to a
remote memory corruption issue because it fails to properly handle
malformed PICT image files. See the advisory for further details.
- Ref: http://projects.info-pull.com/moab/MOAB-23-01-2007.html
- 07.5.12 - CVE: CVE-2007-0463
- Platform: Mac Os
- Title: Apple Software Update Format String Vulnerability
- Description: Apple Software Update is an application for delivering
patches to a user's MacOS X Operating System. It is vulnerable to a
format string issue because the application fails to properly sanitize
user-supplied input before passing it as the format specifier to a
formatted printing function. Apple Software Update version 2.0.5 is
vulnerable.
- Ref: http://projects.info-pull.com/moab/MOAB-24-01-2007.html
- 07.5.13 - CVE: Not Available
- Platform: Mac Os
- Title: Apple Mac OS X QuickDraw GetSrcBits32ARGB Remote Memory
Corruption
- Description: Mac OS X QuickDraw is prone to a remote memory corruption
vulnerability due to the failure of the software to properly handle
malformed PICT image files in the "GetSrcBits32ARGB()" function. Mac
OS X version 10.4.8 is affected.
- Ref: http://www.securityfocus.com/bid/22207
- 07.5.14 - CVE: CVE-2007-0023
- Platform: Mac Os
- Title: Apple UserNotificationCenter Local Privilege Escalation
- Description: Apple Mac OS X is prone to a local privilege escalation
vulnerability. The UserNotificationCenter application is executed on
demand when messages are sent to the "com.apple.UNCUserNotification"
port. It is executed by the operating system with the privileges of the
logged in user but it retains group privileges. Apple Mac OS X version
10.4.8 is vulnerable and other versions may also be affected.
- Ref: http://projects.info-pull.com/moab/MOAB-22-01-2007.html
- 07.5.15 - CVE: CVE-2007-0021
- Platform: Mac Os
- Title: iChat AIM URL Handler Remote Format String
- Description: Apple iChat is an instant messaging client for Apple OS
X. It is vulnerable to a remote format string issue due to
insufficient handling of malformed data passed to the "aim://"
handler. Apple iChat version 3.1.6 (v441) is vulnerable.
- Ref: http://projects.info-pull.com/moab/MOAB-20-01-2007.html
- 07.5.16 - CVE: Not Available
- Platform: Mac Os
- Title: Mac OS X System Preferences Writeconfig Local Privilege
Escalation
- Description: Mac OS X is prone to a local privilege escalation issue
because the "writeconfig" script of the "System Preferences" utility
does not verify the "PATH" environment variable when it calls the
"launchctl" utility. Mac OS X version 10.4.8 is reported to be
vulnerable.
- Ref: http://projects.info-pull.com/moab/MOAB-21-01-2007.html
- 07.5.17 - CVE: CVE-2007-0020
- Platform: Mac Os
- Title: Transmit 3 Remote Heap Overflow
- Description: Transmit 3 is an FTP application designed for use on the
Mac OS X operating system. It is exposed to a heap overflow
vulnerability because the server fails to allocate enough space when
dealing with strings passed on by the URL handler. Transmit 3 version
3.5.5 and earlier are affected.
- Ref: http://projects.info-pull.com/moab/MOAB-19-01-2007.html
- 07.5.18 - CVE: Not Available
- Platform: Mac Os
- Title: Apple Mac OS X Shared_Region_Map_File_NP System Call Memory
Corruption
- Description: Apple Mac OS X is prone to a memory corruption
vulnerability because it fails to properly bounds check parameter
values to the "shared_region_map_file_np()" kernel function call,
which handles memory allocation. Mac OS X versions 10.4.8 and prior are
vulnerable.
- Ref: http://www.securityfocus.com/archive/1/457466
- 07.5.19 - CVE: Not Available
- Platform: Mac Os
- Title: Rumpus FTP Server Multiple Vulnerabilities
- Description: Rumpus FTP server is prone to multiple vulnerabilities.
These include multiple remote heap overflows, denial of service
conditions, and local privilege escalation issues. Versions 5.1 and
prior are vulnerable. Please see the advisory for further information.
- Ref: http://www.securityfocus.com/bid/22126
- 07.5.20 - CVE: CVE-2007-0010
- Platform: Linux
- Title: GTK2 GDKPixBufLoader Remote Denial of Service
- Description: GTK2 is a package containing the GIMP ToolKit (GTK+), a
graphics library for use with the X Windows System. It is vulnerable
to a denial of service issue because the "GdkPixbufLoader()" function
fails to properly handle malformed image data. See the advisory for
further details.
- Ref: http://rhn.redhat.com/errata/RHSA-2007-0019.html
- 07.5.21 - CVE: CVE-2007-0003
- Platform: Linux
- Title: Linux-PAM Pam_Unix.SO Authentication Bypass
- Description: Linux-PAM is a package of Pluggable Authentication
Modules. It is vulnerable to an authentication bypass issue because it
fails to effectively verify user passwords during the authentication
process. Linux-PAM version 0.99.7.0 is vulnerable.
- Ref: https://www.redhat.com/archives/pam-list/2007-January/msg00017.html
- 07.5.22 - CVE: CVE-2006-5754
- Platform: Linux
- Title: Linux Kernel AIO_Setup_Ring Local Denial of Service
- Description: The Linux kernel is prone to a local denial of service
vulnerability because it fails to properly initialize a variable.
Specifically, the "aio_setup_ring()" function incorrectly initializes
a variable that can be leveraged in an error path to free allocated
resources. Several versions of the linux kernel are affected.
- Ref: http://www.securityfocus.com/bid/22193
- 07.5.23 - CVE: CVE-2007-0460
- Platform: Linux
- Title: Ulogd Unspecified Buffer Overflow
- Description: Ulogd (usermode log daemon) is an opensource syslog based
application. It is vulnerable to a buffer overflow issue due to an
improper length calculation of an unspecified string. Ulogd version
1.23 is vulnerable.
- Ref: http://www.securityfocus.com/bid/22139
- 07.5.24 - CVE: CVE-2006-6939
- Platform: Linux
- Title: GNU Ed Insecure Temporary File Creation
- Description: GNU Ed is a line oriented text editor. It is vulnerable
to an insecure temporary file creation issue. GNU Ed versions 0.2 and
earlier are vulnerable.
- Ref: http://www.securityfocus.com/bid/22129
- 07.5.25 - CVE: Not Available
- Platform: Solaris
- Title: Sun Ray Server Multiple Password Disclosure Vulnerabilities
- Description: Sun Ray server is a proxy server. It is vulnerable to
multiple password disclosure vulnerabilities due to a design error.
Sun Ray Server Software versions 2.0 and 3.0 are vulnerable. See the
advisory for further details.
- Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102779-1&searchclause=
- 07.5.26 - CVE: Not Available
- Platform: Solaris
- Title: Sun Solaris Tip Local Privilege Escalation
- Description: Sun Solaris is prone to a local privilege escalation
vulnerability due to an unspecified flaw in the tip(1) command. This
command is installed setuid-uucp by default. Solaris versions 8, 9 and 10 are
reportedly vulnerable.
- Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102773-1&searchclause=
- 07.5.27 - CVE: Not Available
- Platform: Solaris
- Title: Kodak Color Management System Utilities Local Arbitrary Command
Execution
- Description: Kodak Color Management System is prone to a local command
execution vulnerability. Specifically, the "kcms_calibrate()" command
can be leveraged by a local unprivileged user to execute arbitrary
commands with superuser privileges. The version of Kodak Color
Management System distributed with Sun Solaris versions 8 and 9 is
vulnerable and other platforms may also be affected.
- Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102728-1&searchclause=
- 07.5.28 - CVE: Not Available
- Platform: Unix
- Title: ISC BIND Remote Fetch Context Denial of Service
- Description: ISC BIND is prone to a remote denial of service
vulnerability due to a failure of the application to properly handle
unexpected DNS requests.
- Ref: http://www.securityfocus.com/bid/22229
- 07.5.29 - CVE: Not Available
- Platform: Cross Platform
- Title: Hitachi HiRDB DataReplicator Server Unspecified Remote Denial
of Service
- Description: Hitachi HiRDB Datareplicator is an application for
linking information with other databases. It is affected by a denial
of service issue.
- Ref: http://www.securityfocus.com/bid/22244
- 07.5.30 - CVE: Not Available
- Platform: Cross Platform
- Title: Hitachi JP1/HIBUN Servers Unspecified Remote Denial of Service
- Description: Hitachi JP1/HIBUN is a bundled management server and log
server package. It is affected by a denial of service issue.
- Ref: http://www.securityfocus.com/bid/22237
- 07.5.31 - CVE: Not Available
- Platform: Cross Platform
- Title: Trend Micro InterScan VirusWall VSAPI Module Buffer Overflow
- Description: Trend Micro InterScan VirusWall (ISVW) is an internet
gateway virus scanning package. It is prone to a buffer overflow
vulnerability due to insufficient input sanitization in the
"libvsapi.so" library file. Version 3.81 is reportedly vulnerable.
- Ref: http://www.securityfocus.com/bid/22240
- 07.5.32 - CVE: Not Available
- Platform: Cross Platform
- Title: ISC BIND Remote DNSSEC Validation Denial of Service
- Description: ISC BIND is vulnerable to a remote denial of service
issue because the application fails to handle malformed DNSSEC
validation requests. See the advisory for further details.
- Ref: http://www.isc.org/index.pl?/sw/bind/bind-security.php
- 07.5.33 - CVE: CVE-2007-0471
- Platform: Cross Platform
- Title: Multiple Check Point Products Integrity Clientless Security
Security Bypass
- Description: Connectra is a web security gateway and VPN-1 Power/UTM
is a virtual private network package developed by Check Point. Both
applications are prone to a security bypass vulnerability due to
insufficient data sanitization in the "/sre/params.php" script. Please
refer to the advisory for vulnerable versions.
- Ref: http://www.securityfocus.com/bid/22233
- 07.5.34 - CVE: Not Available
- Platform: Cross Platform
- Title: Hitachi Web Server Multiple Vulnerabilities
- Description: Hitachi Web Server is prone to multiple vulnerabilities.
There are multiple cross-site scripting issues because the server fails
to properly sanitize user-supplied input which affects image maps and
an "Expect" header. A security bypass related to a protocol version
rollback also affects the application during client connection.
Various versions of the application are affected.
- Ref: http://www.hitachi-support.com/security_e/vuls_e/HS06-022_e/01-e.html
- 07.5.35 - CVE: Not Available
- Platform: Cross Platform
- Title: Symantec Web Security Multiple Denial of Service And Cross-Site
Scripting Vulnerabilities
- Description: Symantec Web Security is an HTTP/FTP traffic scanner
that scans and filters viruses and inappropriate content at the web
gateway. It is affected by multiple denial of service and cross-site
scripting issues. Symantec Web Security versions prior to 3.0.1.85 are
vulnerable.
- Ref: http://www.securityfocus.com/bid/22184
- 07.5.36 - CVE: Not Available
- Platform: Cross Platform
- Title: Hitachi OpenTP1 Unspecified Remote Denial of Service
- Description: Hitachi OpenTP1 platform is a distributed transaction
manager providing Mainframe equivalent services in business
environments. It is affected by an unspecified denial of service
issue. Hitachi OpenTP1 TPI1/LiNK versions 3-5, and OpenTP1 TPI1/Server
Base versions 3-5 are affected.
- Ref: http://www.securityfocus.com/bid/22223
- 07.5.37 - CVE: CVE-2007-0248
- Platform: Cross Platform
- Title: Squid Proxy ACL Queue Overload Remote Denial of Service
- Description: Squid is an open source proxy server. It is vulnerable to
a remote denial of service issue because the proxy server fails to
handle excessive data. Squid Web Proxy Cache version 2.6.STABLE7
resolves this issue.
- Ref: http://www.squid-cache.org/bugs/show_bug.cgi?id=1848
- 07.5.38 - CVE: Not Available
- Platform: Cross Platform
- Title: Atozed Software Intraweb Component HTTP Remote Denial of
Service
- Description: Intraweb component for Borland Delphi and Kylix is prone
to a denial of service vulnerability because the application fails to
handle specially-crafted HTTP requests. Intraweb component versions
8.0 and prior are affected.
- Ref: http://www.securityfocus.com/bid/22185
- 07.5.39 - CVE: Not Available
- Platform: Cross Platform
- Title: OpenLDAP Gentoo GenCert.SH Script Insecure Temporary File
Creation
- Description: OpenLDAP Software is an open source implementation of the
LDAP protocol. The application creates temporary files in an insecure
way that could allow an attacker with local access to perform symbolic
link attacks, overwriting arbitrary files in the context of the
affected application. This issue affects Gentoo ebuild for OpenLDAP.
- Ref: http://www.securityfocus.com/bid/22195
- 07.5.40 - CVE: CVE-2006-6678
- Platform: Cross Platform
- Title: Netrik Textarea Tag Remote Arbitrary Command Execution
- Description: Netrik is a text-based web browser application. It is
exposed to a vulnerability that allows attackers to execute remote
arbitrary shell commands in the context of the web server application
by injecting malicious shell metacharacters into temporary filenames
via "textarea" tags. Netrik versions prior to 1.15.5 beta are
affected.
- Ref: http://www.securityfocus.com/bid/22158
- 07.5.41 - CVE: Not Available
- Platform: Cross Platform
- Title: Django Authentication Bypass Weakness
- Description: Django is a high level Python Web framework. It is
exposed to a weakness that may permit attackers to bypass the
authentication mechanism of the application and obtain unauthorized
access to persistent "request.user" data belonging to the victim.
Django version 0.95 is affected.
- Ref: http://www.securityfocus.com/bid/22138
- 07.5.42 - CVE: Not Available
- Platform: Cross Platform
- Title: Django Message Files Remote Arbitrary Command Execution
- Description: Django is a high level Python Web framework used to
build web applications. It is susceptible to a shell command execution
vulnerability because it fails to properly sanitize user-supplied
input before using it in a Python "os.system()" function call. Django
version 0.95 is vulnerable and other versions may also be affected.
- Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407519
- 07.5.43 - CVE: Not Available
- Platform: Cross Platform
- Title: mbse-bbs MBSE_ROOT Multiple Local Privilege Escalation
Vulnerabilities
- Description: mbse-bbs is a bulletin board system available for
UNIX, Linux, and other UNIX-like operating systems. It is prone to
multiple local privilege escalation vulnerabilities because it fails
to bounds check user-supplied data to the "MBSE_ROOT" parameter of the
"mbuseradd.c" file before copying it into an insufficiently sized
buffer. mbse-bbs versions 0.70.0 and prior are affected.
- Ref: http://www.securityfocus.com/bid/22112
- 07.5.44 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: ezDatabase Login.PHP Cross-Site Scripting
- Description: ezDatabase is a database creation application. It is
vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "admin/login.php" script.
ezDatabase version 2.1.3 is vulnerable.
- Ref: http://www.securityfocus.com/archive/1/458062
- 07.5.45 - CVE: CVE-2007-0363
- Platform: Web Application - Cross Site Scripting
- Title: Openads phpAdsNew Admin-Search.PHP Cross-Site Scripting
- Description: Openads phpAdsNew is an application for hosting
classified ads online. It is vulnerable to a cross-site scripting
issue because it fails to properly sanitize user-supplied input to the
"keyword" parameter of the "admin-search.php" script. Openads
phpAdsNew and phpPgAds versions 2.0.9-r1 and earlier are vulnerable.
- Ref: http://www.securityfocus.com/archive/1/457990
- 07.5.46 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: 212cafeBoard Multiple Cross-Site Scripting Vulnerabilities
- Description: 212cafeBoard is a web log application. It is prone to
multiple cross-site scripting vulnerabilities because it fails to
properly sanitize user-supplied input to the "user" parameter of the
"list3.php" script and the "keyword" parameter of the "search.php"
script. 212cafeBoard versions 0.08 Beta and 6.30 Beta are vulnerable
and other versions may also be affected.
- Ref: http://www.securityfocus.com/bid/22167
- 07.5.47 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Bitweaver Articles and Blogs Multiple Cross-Site Scripting
Vulnerabilities
- Description: Bitweaver is a web-based framework and content manager
application. It is vulnerable to multiple cross-site scripting issues
due to insufficient sanitization of user-supplied input to various
scripts. Bitweaver versions 1.3.1 and earlier are vulnerable.
- Ref: http://www.securityfocus.com/archive/1/457695
- 07.5.48 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: 212Cafe Guestbook Show.PHP Cross-Site Scripting
- Description: 212Cafe Guestbook is a web-based guest book application.
It is prone to a cross-site scripting vulnerability because it fails
to properly sanitize user-supplied input to the "user" parameter of
the "show.php" script. 212Cafe version 4.00 beta is vulnerable and
other versions may also be affected.
- Ref: http://www.securityfocus.com/bid/22173
- 07.5.49 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: Openads for PostgreSQL Unspecified Cross-Site Scripting
- Description: Openads for PostgreSQL is an open source ad server. It is
prone to an unspecified cross-site scripting vulnerability because it
fails to properly sanitize user-supplied input. Openads for PostgreSQL
versions prior to 2.0.10 are affected.
- Ref: http://www.securityfocus.com/bid/22124
- 07.5.50 - CVE: Not Available
- Platform: Web Application - Cross Site Scripting
- Title: PostNuke Reviews Index.PHP Cross-Site Scripting
- Description: PostNuke is a content management system. It is vulnerable
to a cross-site scripting issue due to insufficient sanitization of
user-supplied input to the "index.php" script in the "Reviews"
section. PostNuke version 0.764 is vulnerable.
- Ref: http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
- 07.5.51 - CVE: CVE-2007-0390
- Platform: Web Application - Cross Site Scripting
- Title: Sabros.US Index.PHP Cross-Site Scripting
- Description: The Sabros.US application is a web-based content manager
for bookmarks. It is vulnerable to a cross-site scripting issue due to
insufficient sanitization of user-supplied input to the "tag"
parameter of the "index.php" script. Sabros.US version 1.7 is
vulnerable.
- Ref: http://www.securityfocus.com/bid/22115
- 07.5.52 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Makit Newsposter Script News_Page.ASP SQL Injection
- Description: Makit Newsposter Script is a web-based news posting
script. It is affected by a SQL injection issue due to insufficient
sanitization of the "uid" parameter of the "news_page.asp" script.
- Ref: http://www.securityfocus.com/bid/22230
- 07.5.53 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: GPS CMS Print.ASP SQL Injection
- Description: GPS is a web-based content management system (CMS). It is
exposed to an SQL injection issue because it fails to properly
sanitize user-supplied input to the "id" parameter of the "print.asp"
script before using it in an SQL query.
GPS version 1.2 is vulnerable and other versions may also be affected.
- Ref: http://www.securityfocus.com/bid/22232
- 07.5.54 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: ASP News News_Detail.ASP SQL Injection
- Description: ASP NEWS is a web-based news application. Insufficient
sanitization of the "id" parameter of the "news_detail.asp" script
exposes the application to an SQL injection issue. ASP NEWS version 3
is affected.
- Ref: http://www.securityfocus.com/bid/22214
- 07.5.55 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: ASP Edge User.ASP SQL Injection
- Description: ASP EDGE is a content management system (CMS). It is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "user" parameter of the "user.asp"
script before using it in an SQL query. ASP EDGE Version 1.2b is
vulnerable and other versions may also be affected.
- Ref: http://www.securityfocus.com/bid/22212
- 07.5.56 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Drupal Acidfree Module Node Title SQL Injection
- Description: The Acidfree Module for Drupal is a media management
system. It is prone to an SQL injection vulnerability because it fails
to properly sanitize user-supplied input before using it in an SQL
query. Acidfree versions prior to 4.6.0-1.0 and 4.7.0-1.0 are
affected.
- Ref: http://drupal.org/node/112145
- 07.5.57 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Website Baker Login.PHP SQL Injection
- Description: Website Baker is a content management system. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied data to the "REMEMBER_KEY" cookie parameter. Website
Baker version 2.6.5 is vulnerable.
- Ref: http://www.securityfocus.com/archive/1/457684
- 07.5.58 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: FishCart Olst Parameter SQL Injection
- Description: FishCart is a cross platform shopping cart application.
It is prone to an SQL injection vulnerability due to insufficient
input sanitization of the "olst" parameter of the "display.php"
script. Versions 3.1 and prior are reportedly vulnerable.
- Ref: http://www.securityfocus.com/bid/22166
- 07.5.59 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Unique Ads Banner.PHP SQL Injection
- Description: Unique Ads is a web-based banner ad application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "bid" parameter of the "banner.php"
script. Unique Ads version 1 is vulnerable.
- Ref: http://www.securityfocus.com/archive/1/457667
- 07.5.60 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: PHP-Nuke Multiple SQL Injection Vulnerabilities
- Description: PHP-Nuke is a web forum. It is prone to multiple SQL
injection vulnerabilities because it fails to sufficiently sanitize
user-supplied data to unspecified parameters of the "advertising",
"weblinks" and "reviews" sections. PHP-Nuke version 7.9 is vulnerable
and other versions may also be affected.
- Ref: http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
- 07.5.61 - CVE: Not Available
- Platform: Web Application - SQL Injection
- Title: Joomla CMS Multiple SQL Injection Vulnerabilities
- Description: Joomla CMS is a web-based content management system. It
is prone to multiple SQL injection issues because the application
fails to properly sanitize user-supplied input to various parameters
before using it in an SQL query. Joomla CMS version 1.5.0 beta is
vulnerable and other versions may also be affected.
- Ref: http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
- 07.5.62 - CVE: Not Available
- Platform: Web Application
- Title: CGI Rescue WebForm Multiple Input Validation Vulnerabilities
- Description: CGI Rescue WebForm is a web-based application. It is
vulnerable to multiple input validation issues due to insufficient
sanitization of user-supplied input to various scripts. CGI Rescue
WebForm versions 4.3 and earlier are vulnerable.
- Ref: http://www.securityfocus.com/bid/22243
- 07.5.63 - CVE: Not Available
- Platform: Web Application
- Title: High5 Review Script Search Field HTML Injection
- Description: High5 Review Script is a review and rating application.
It is vulnerable to an HTML injection issue due to insufficient
sanitization of user-supplied input to the search field of the
"index.php" script. All versions are vulnerable.
- Ref: http://www.securityfocus.com/archive/1/458122
- 07.5.64 - CVE: Not Available
- Platform: Web Application
- Title: Virtual Path PHPBB Module Configure.PHP Remote File Include
- Description: Virtual Path is a module for phpBB that makes the path
(link) shorter and easier to remember. It is prone to a remote file
include vulnerability because it fails to sufficiently sanitize
user-supplied input to the "phpbb_root_path" parameter of the
"vp/configure.php" script before using it in an "include()" call.
Virtual Path version 1.0 is vulnerable and other versions may also be
affected.
- Ref: http://www.securityfocus.com/bid/22241
- 07.5.65 - CVE: Not Available
- Platform: Web Application
- Title: Digitalxero Xero Portal PHPBB_Root_Path Multiple Remote File
Include Vulnerabilities
- Description: Xero Portal is a web-based portal application. It is
prone to multiple remote file include vulnerabilities because it fails
to sufficiently sanitize user-supplied input to the "phpbb_root_path"
parameter of the various scripts. Xero Portal version 1.2 is
vulnerable and other versions may also be affected.
- Ref: http://www.securityfocus.com/bid/22227
- 07.5.66 - CVE: Not Available
- Platform: Web Application
- Title: Drupal Project and Project Issues Tracking Modules Multiple
Vulnerabilities
- Description: Drupal "project" and "project issue tracking" modules are
project management modules for the Drupal content management system.
The applications are vulnerable to multiple vulnerabilities. Please
see the advisory for further information.
- Ref: http://www.securityfocus.com/bid/22224
- 07.5.67 - CVE: Not Available
- Platform: Web Application
- Title: Community Server Pingback SourceURI Denial of Service and
Information Disclosure
- Description: Community Server is a web-based blogging application. It
is vulnerable to multiple issues due to its Pingback and XML-RPC
implementation. Community Server versions 2.1 and earlier are
vulnerable.
- Ref: http://www.securityfocus.com/archive/1/457999
- 07.5.68 - CVE: Not Available
- Platform: Web Application
- Title: AWFFull Unspecified Multiple Buffer Overflow Vulnerabilities
- Description: AWFFull is a web-based web server log analysis tool. It
is affected by multiple buffer overflow issues due to insufficient
sanitization of user-supplied input. AWFFull versions 3.7.1 and
earlier are affected.
- Ref: http://www.securityfocus.com/bid/22215
- 07.5.69 - CVE: Not Available
- Platform: Web Application
- Title: Virtual Host Administrator Modules_Dir Remote File Include
- Description: Virtual Host Administrator is a web-based control panel.
It is prone to a remote file include vulnerability due to insufficient
input sanitization of the "MODULES_DIR" parameter of
"modules/mail/main.php". Version 0.1 is reportedly vulnerable.
- Ref: http://www.securityfocus.com/bid/22218
- 07.5.70 - CVE: Not Available
- Platform: Web Application
- Title: Wordpress Pingback SourceURI Denial of Service and Information
Disclosure
- Description: Wordpress is a blogging application. It is exposed to a
denial of service vulnerability because the application fails
to verify the "Content-Type" of incoming data and fails to limit the
amount of data retrieved. It is also prone to an information
disclosure vulnerability because the application fails to authenticate
the "sourceURI" in Pingback requests. Wordpress versions prior to 2.1
are vulnerable.
- Ref: http://www.securityfocus.com/bid/22220
- 07.5.71 - CVE: Not Available
- Platform: Web Application
- Title: RPW Config.PHP Remote File Include
- Description: RPW is a web-based menu system module for phpBB. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "sql_language" parameter of
the "config.php" script. RPW version 1.0.2 is vulnerable.
- Ref: http://www.milw0rm.com/exploits/3185
- 07.5.72 - CVE: Not Available
- Platform: Web Application
- Title: phpXD Path Remote File Include
- Description: phpXD is an XML DOM implementation for PHP4. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "path" parameter. phpXD
version 0.3 is vulnerable.
- Ref: http://www.securityfocus.com/bid/22201
- 07.5.73 - CVE: Not Available
- Platform: Web Application
- Title: MyBB Private.PHP HTML Injection
- Description: MyBB is a bulletin board application. It is exposed to an
HTML injection issue because it fails to properly sanitize
user-supplied input before using it in the "Subject" field of the
"private.php" script. MyBB versions 1.2.2 and earlier are affected.
- Ref: http://www.securityfocus.com/bid/22205
- 07.5.74 - CVE: Not Available
- Platform: Web Application
- Title: MaklerPlus Multiple Unspecified Vulnerabilities
- Description: MaklerPlus is a web-based real estate application. It is
prone to multiple unspecified vulnerabilities. Versions prior to 1.2
are reportedly vulnerable.
- Ref: http://www.securityfocus.com/bid/22206
- 07.5.75 - CVE: Not Available
- Platform: Web Application
- Title: Mini Web Server Unspecified Multiple Buffer Overflow
Vulnerabilities
- Description: Mini Web Server is a small web server application designed
to be embedded into other applications. It is vulnerable to multiple
buffer overflow issues when processing unspecified HTTP requests. Mini
Web Server versions 0.04 and earlier are vulnerable.
- Ref: http://sourceforge.net/project/shownotes.php?release_id=479480&group_id=187000
- 07.5.76 - CVE: Not Available
- Platform: Web Application
- Title: BBClone Selectlang.PHP Remote File Include
- Description: BBClone is a web-based counter application. It is prone
to a remote file include vulnerability because it fails to
sufficiently sanitize user-supplied input to the "BBC_LANGUAGE_PATH"
parameter of the "selectlang.php" script. BBClone version 0.31 is
vulnerable.
- Ref: http://www.securityfocus.com/bid/22197
- 07.5.77 - CVE: Not Available
- Platform: Web Application
- Title: Yana Framework Guestbook Unspecified Security Bypass
- Description: Yana Framework is a freely-available guestbook
application. It is affected by a security bypass issue. Yana Framework
version 2.8.5 is affected.
- Ref: http://www.securityfocus.com/bid/22178
- 07.5.78 - CVE: Not Available
- Platform: Web Application
- Title: Vote! Pro Multiple PHP Code Execution Vulnerabilities
- Description: Vote! Pro is a web-based voting application. It is
vulnerable to multiple arbitrary PHP code execution issues due to
insufficient sanitization of user-supplied input to various
parameters. Vote! Pro version 4.0 is vulnerable.
- Ref: http://www.securityfocus.com/bid/22187
- 07.5.79 - CVE: Not Available
- Platform: Web Application
- Title: PHP Link Directory Link Submission HTML Injection
- Description: PHP Link Directory is a web-based link directory
application. It is prone to an HTML injection vulnerability that
occurs when an attacker entices an unsuspecting administrator to
validate a specially crafted link. Versions 3.0.6 and prior are
reportedly vulnerable.
- Ref: http://www.securityfocus.com/bid/22174
- 07.5.80 - CVE: Not Available
- Platform: Web Application
- Title: Zomp Index.PHP Local File Include
- Description: Zomp is a web-based application. It is vulnerable to a
local file include issue because it fails to properly sanitize
user-supplied input to the "setting[[skin]" parameter of the
"theme/default/index.php" script. All versions of Zomp are vulnerable.
- Ref: http://www.securityfocus.com/bid/22157
- 07.5.81 - CVE: Not Available
- Platform: Web Application
- Title: PHPIndexPage Config.PHP Remote File Include
- Description: PHPIndexPage is a web-based application. It is vulnerable
to a remote file include issue due to insufficient sanitization of
user-supplied input to the "env[inc_path]" parameter of the
"config.php" script. PHPIndexPage versions 1.0 and 1.0.1 are
vulnerable.
- Ref: http://www.securityfocus.com/bid/22161/info
- 07.5.82 - CVE: Not Available
- Platform: Web Application
- Title: Neon Labs Website NL.PHP Remote File Include
- Description: Neon Labs Website is a library of PHP modules and
classes. Insufficient sanitization of the "g_strRootDir" parameter in
the "lib/nl/nl.php" script exposes the application to a remote file
include issue. Neon Labs Website version 3.2 is affected.
- Ref: http://www.securityfocus.com/bid/22162
- 07.5.83 - CVE: Not Available
- Platform: Web Application
- Title: XMB MemCP.PHP HTML Injection
- Description: XMB is an instant messaging application, implemented in
PHP. It is prone to an HTML injection vulnerability due to
insufficient input sanitization of the "recipient" field when
submitting a new message on the "memcp.php" page. Versions 1.9.6 and
prior are reportedly vulnerable.
- Ref: http://www.securityfocus.com/bid/22163
- 07.5.84 - CVE: Not Available
- Platform: Web Application
- Title: PHPSherpa Racine Parameter Remote File Include
- Description: PhpSherpa is a web-based portal application. Insufficient
sanitization in the "config.inc.php" of the "include()" function
exposes the application to a remote file include issue.
- Ref: http://www.securityfocus.com/bid/22156
- 07.5.85 - CVE: Not Available
- Platform: Web Application
- Title: Upload Service Remote File Include
- Description: Upload Service is a web-based application to upload
files. It is vulnerable to a remote file include issue due to
insufficient sanitization of user-supplied input to the "maindir"
parameter of the "top.php" script. Upload Service version 1.0 is
vulnerable.
- Ref: http://www.securityfocus.com/bid/22150
- 07.5.86 - CVE: Not Available
- Platform: Web Application
- Title: Mafia Scum Tools Index.PHP Remote File Include
- Description: Mafia Scum Tools is an application to generate numbers.
The application is prone to a remote file include vulnerability
because it fails to properly sanitize user-supplied input to the "gen"
variable of the "index.php" script. Mafia Scum Tools version 2.0.0 is
affected.
- Ref: http://www.securityfocus.com/bid/22151
- 07.5.87 - CVE: Not Available
- Platform: Web Application
- Title: WebChat Remote File Include
- Description: WebChat is a chat application. It is exposed to a remote
file include vulnerability because it fails to properly sanitize
user-supplied input to the "WEBCHATPATH" parameter of "defines.php".
WebChat version 0.77 is reportedly vulnerable.
- Ref: http://www.securityfocus.com/bid/22153
- 07.5.88 - CVE: Not Available
- Platform: Web Application
- Title: Bradabra Includes.PHP Remote File Include
- Description: Bradabra is a web-based application. It is vulnerable to
a remote file include issue due to insufficient sanitization of
user-supplied input to the "include_path" parameter of the
"includes.php" script. Bradabra version 2.0.5 is vulnerable.
- Ref: http://www.securityfocus.com/bid/22155
- 07.5.89 - CVE: Not Available
- Platform: Web Application
- Title: Easebay Resources Paypal Subscription Manager Multiple Input
Validation Vulnerabilities
- Description: Easebay Resources Paypal Subscription Manager is a
payment system for online subscriptions. It is prone to an SQL
injection vulnerability in the "keyword" parameter of the
"memberlist.php" script and a cross-site scripting vulnerability in
the "Admin" parameter of the "edit_member.php" script.
- Ref: http://www.securityfocus.com/bid/22141
- 07.5.90 - CVE: CVE-2007-0401,CVE-2007-0400
- Platform: Web Application
- Title: Easebay Resources Login Manager Multiple Input Validation
Vulnerabilities
- Description: Easebay Resources Login Manager is a web site management
system. It is vulnerable to multiple input validation issues due to
insufficient sanitization of user-supplied input to various
parameters. All versions are vulnerable.
- Ref: http://www.securityfocus.com/archive/1/457505
- 07.5.91 - CVE: Not Available
- Platform: Web Application
- Title: SMF Index.PHP HTML Injection
- Description: Simple Machines Forum (SMF) is an open source web forum.
It is exposed to an HTML injection vulnerability because it fails to
properly sanitize user-supplied input to the "recipient" and "BCC"
fields of the "index.php" page before using it in dynamically
generated content. SMF version 1.1 RC3 is affected.
- Ref: http://www.securityfocus.com/bid/22143
- 07.5.92 - CVE: Not Available
- Platform: Web Application
- Title: DocMan Multiple Input Validation Vulnerabilities
- Description: DocMan is a web-based document manager application for
the Joomla content management system. It is exposed to multiple
unspecified SQL injection validation vulnerabilities and an
unspecified cross-site scripting vulnerability because it fails to
sufficiently sanitize user-supplied input. DocMan version 1.3 RC2 is
vulnerable and other versions may also be affected.
- Ref: http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
- 07.5.93 - CVE: Not Available
- Platform: Web Application
- Title: ArsDigita Community System Directory Traversal
- Description: ArsDigita Community System is a web-based collaboration
application. Insufficient sanitization of the "../" directory
traversal sequence exposes the application to a directory traversal
issue.
- Ref: http://www.securityfocus.com/bid/22121
- 07.5.94 - CVE: CVE-2007-0376
- Platform: Web Application
- Title: VirtueMart Joomla ECommerce Edition Multiple Unspecified Input
Validation Vulnerabilities
- Description: VirtueMart is an ecommerce application and Joomla
eCommerce Edition is a content manager. It is vulnerable to multiple
input validation issues due to insufficient sanitization of
user-supplied input to various scripts. VirtueMart Joomla eCommerce
Edition version 1.0.7 is vulnerable.
- Ref: http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
- 07.5.95 - CVE: Not Available
- Platform: Web Application
- Title: WebGUI Registration Username HTML Injection
- Description: WebGUI is a content manager. Insufficient sanitization of
the "username" parameter on the registration page exposes the
application to an HTML injection issue. WebGUI versions prior to 7.3.5
beta are vulnerable.
- Ref: http://www.securityfocus.com/bid/22114
- 07.5.96 - CVE: Not Available
- Platform: Network Device
- Title: Cisco IOS IPv6 Source Routing Remote Memory Corruption
- Description: Cisco IOS is prone to a remote memory corruption
vulnerability. This issue is due to a failure of the software to
properly handle IPv6 packets containing specially crafted type 0
routing headers.
- Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
- 07.5.97 - CVE: Not Available
- Platform: Network Device
- Title: Cisco Multiple Devices Crafted IP Option Multiple Remote Code
Execution Vulnerabilities
- Description: Cisco IOS and Cisco IOS XR are network communications
operating systems used in many Cisco routers and network switches.
Multiple Cisco switches and routers running Cisco IOS and Cisco IOS XR
are prone to multiple remote denial of service and code execution
vulnerabilities. Please see the advisory for further information.
- Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb157.shtml
- 07.5.98 - CVE: Not Available
- Platform: Network Device
- Title: AVM FRITZ!Box VoIP Remote Denial of Service
- Description: FRITZ!Box is a wireless DSL modem and router. A
zero-length UDP packet sent to the SIP port 5060 of the device through
the IP interface or the DSL line causes the VoIP-telephony service to
crash.
- Ref: http://www.securityfocus.com/bid/22130
- 07.5.99 - CVE: CVE-2007-0397
- Platform: Network Device
- Title: Cisco SSL/TLS Certificate and SSH Public Key Validation
- Description: Cisco Security Monitoring, Analysis and Response System
(CS-MARS) and Cisco Adaptive Security Device Manager (ASDM) are
security products that correlate and analyze data in event logs
received from various network devices. Neither validates the
SSL/TLS certificates or SSH public keys when connecting to devices,
which allows remote attackers to spoof those devices in order to obtain
sensitive information or generate incorrect information. See the
advisory for further details.
- Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml
- 07.5.100 - CVE: Not Available
- Platform: Hardware
- Title: Multiple VOIP Phones Aredfox PA168 Chipset Session Hijacking
- Description: Aredfox PA168 is a programmable chip for VoIP based
devices. Multiple VoIP phones using the Aredfox PA168 Chipset are
vulnerable to a session hijacking issue due to a design error. VoIP
phones using the Aredfox PA168 chipset with SIP Firmware versions
V1.42 and 1.54 are vulnerable.
- Ref: http://www.securityfocus.com/bid/22191
- 07.5.101 - CVE: Not Available
- Platform: Hardware
- Title: T-Com Speedport 500V 'LogInKey' Cookie Parameter Authentication
Bypass
- Description: T-Com Speedport 500V is a DSL modem and router. It is
exposed to a vulnerability which allows attackers to bypass the
firmware's authentication mechanism by providing a cookie with a
"LOGINKEY" parameter and a value of "TECOM". T-Com Speedport 500V with
Firmware version 1.31 is vulnerable and other versions may also be
affected.
- Ref: http://www.securityfocus.com/bid/22160
(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.
I have attended many conferences/training sessions, and SANS by far has been the best. The instructors are the top in the industry, examples are from real life experiences - terrific!
-Chris Bush, Novartis Pharmaceuticals