@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 50
December 10, 2007

Users of Skype and Cisco Security Agent both have important vulnerabilities to fix right away.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Windows                                   1
    Other Microsoft Products                  2
    Third Party Windows Apps                  7 (#1, #2)
    Mac Os                                    2
    Linux                                     5
    Solaris                                   1
    Unix                                      1
    Novell                                    1
    Cross Platform                            26 (#3, #4, #5, #6, #7, #8, #9, #10)
    Web Application - Cross Site Scripting    11
    Web Application - SQL Injection           9
    Web Application                           14
    Network Device                            3

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Solaris
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Cisco Security Agent Buffer Overflow
  • Affected:
    • Cisco Security Agent versions prior to 5.2.0.238
  • Description: Cisco Security Agent is a software suite providing threat protection for various operating systems. The version for Microsoft Windows contains a flaw in its handling of Server Message Block (SMB) requests. A specially crafted SMB request to a system running Cisco Security Agent would allow an attacker to trigger a buffer overflow in kernel-level code. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with kernel-level privileges. Cisco Security Agent is often installed on both desktop and server systems. Some technical details for this vulnerability are publicly available.

  • Status: Cisco confirmed, updates available.

  • References:
  • (2) CRITICAL: Skype URI Handling Remote Code Execution
  • Affected:
    • Skype versions prior to 3.6
  • Description: Skype, a popular internet telephony and messaging application, contains a flaw in its handling of user-supplied URLs. Upon installation on Microsoft Windows systems, Skype registers itself as the handler for "skype4com" URLs. A specially crafted "skype4com" URL could trigger a memory corruption vulnerability and allow an attacker to execute arbitrary code with the privileges of the current user. Such URLs could be embedded in web pages or email messages, or otherwise delivered to users remotely. Some technical details for this vulnerability are publicly available.

  • Status: Skype confirmed, updates available.

  • References:
  • (3) HIGH: HP OpenView Network Node Manager CGI Scripts Remote Code Execution
  • Affected:
    • HP OpenView Network Node Manager versions 7.5.1 and prior
  • Description: HP OpenView Network Node Manager (NNM) is HP's network and system monitoring component for its OpenView suite of applications. NNM provides several CGI scripts for web-based management of the NNM server. Several of these scripts contain buffer overflow vulnerabilities. A specially crafted request to one of these scripts would allow an attacker to execute arbitrary code with the privileges of the NNM web server process. NNM configuration often includes SNMP community strings and passwords, thus exploiting NNM could allow for easier exploitation of other systems. Full technical details for these vulnerabilities are publicly available. It is believed that these vulnerabilities can be leveraged to gain SYSTEM access.

  • Status: HP confirmed, updates available.

  • References:
  • (4) HIGH: Avast! Antivirus TAR File Processing Memory Corruption
  • Affected:
    • Avast! Antivirus Home and Professional versions prior to 4.7.1098.
  • Description: Avast! Antivirus is a popular antivirus solution for Microsoft Windows. Avast! contains a flaw in its handling of TAR archive files. TAR is a popular format for archive files, usually associated with Unix and Unix-like systems. A specially crafted TAR file could trigger a memory corruption when scanned by the antivirus engine and allow an attacker to execute arbitrary code with the privileges of the virus scanning process. Depending upon configuration, TAR files may be automatically scanned upon download or receipt, without user interaction. Some technical details are publicly available for this vulnerability.

  • Status: Vendor confirmed, updates available.

  • References:
  • (5) HIGH: 3ivx MPEG-4 Codec Buffer Overflow
  • Affected:
    • 3ivx MPEG-4 Codec versions 5.0.1 and prior
  • Description: 3ivx MPEG-4 Codec is a cross-platform media codec for MPEG-4 media streams. This codec contains a buffer overflow in its handling of MPEG-4 data. A specially crafted MPEG-4 stream could trigger this vulnerability and allow an attacker to execute arbitrary code with the privileges of the current user. Depending upon configuration, MPEG-4 streams may be opened by the vulnerable codec without further user interaction. Multiple proofs-of-concept and technical details are publicly available for this vulnerability.

  • Status: Vendor has not confirmed, no updates available.

  • References:
  • (6) HIGH: Novell NetMail Antivirus Service Integer Overflow
  • Affected:
    • Novell NetMail versions prior to 3.5.2F
    • Messaging Architects M+NetMail versions prior to 3.5.2F
  • Description: Novell NetMail is an enterprise email system originally from Novell and now maintained by Messaging Architects. NetMail contains an antivirus service used to scan messages for viruses and other malware. This service contains an integer overflow in its handling of messages. The antivirus service runs on a random TCP port; attackers would need to connect to this port to exploit this vulnerability. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the vulnerable service. The vulnerability may be exploitable by email messages transiting the server, but this is unconfirmed. Some technical details for the vulnerability are publicly available.

  • Status: Messaging Architects confirmed, updates available.

  • References:
  • (7) MODERATE: HP Select Identity Undisclosed Authentication Bypass
  • Affected:
    • HP Select Identity versions prior to 4.13.3
  • Description: HP Select Identity is an identity and permissions management suite from HP. It contains a flaw in its handling of authentication requests. A specially crafted request would allow an attacker to log in without proper credentials. HP Select Identity is often used to authenticate access to enterprise applications and web services, therefore any application using this authentication scheme could be vulnerable. No technical details for this vulnerability are believed to be publicly available.

  • Status: HP confirmed, updates available.

  • References:
  • (8) MODERATE: OpenOffice.org Database File Arbitrary Code Execution
  • Affected:
    • OpenOffice.org versions prior to 2.3.1
  • Description: OpenOffice.org is a popular open source office and productivity suite. Its Database component embeds a version of the HSQLDB database engine known to contain a remote code execution vulnerability. A specially crafted OpenOffice.org Database document could trigger this vulnerability and execute arbitrary Java code with the privileges of the current user. Note that, depending upon configuration, such documents may be opened by OpenOffice.org without first prompting the user. OpenOffice.org is installed by default on numerous Unix, Unix-like, and Linux systems and is available for Microsoft Windows and Apple Mac OS X. Sun StarOffice shares a large codebase with OpenOffice.org; it may be vulnerable as well. Full technical details for this vulnerability are available via source code analysis.

  • Status: OpenOffice.org confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 50, 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.50.1 - CVE: CVE-2007-5355
  • Platform: Windows
  • Title: Microsoft Web Proxy Auto-Discovery Proxy Spoofing
  • Description: Microsoft Web Proxy Auto-Discovery (WPAD) enables web clients to automatically detect proxy settings without user-interaction. The application is exposed to an issue that may result in information disclosure. This issue occurs because of the way the application resolves host names that do not include fully qualified domain names.
  • Ref: http://www.microsoft.com/technet/security/advisory/945713.mspx

  • 07.50.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Optical Desktop Wireless Keyboard Weak Encryption Information Disclosure
  • Description: Microsoft Optical Desktop is a wireless keyboard and mouse developed by Microsoft. The application is exposed to an information disclosure issue because keyboard events are encrypted using a weak encryption algorithm. Specifically, when keystrokes are transmitted to the wireless receiver, they are encrypted using an 8-bit XOR mechanism. Microsoft Optical Desktop versions 1000 and 2000 are affected.
  • Ref: http://www.remote-exploit.org/advisories/27_Mhz_keyboard_insecurities.pdf

  • 07.50.3 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft December 2007 Advance Notification Multiple Vulnerabilities
  • Description: Microsoft has released advance notification that they will be releasing seven security bulletins on December 11, 2007. The highest severity rating for these issues is "Critical".
  • Ref: http://www.microsoft.com/technet/security/bulletin/advance.mspx

  • 07.50.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Yahoo Toolbar Helper Class ActiveX Control Remote Buffer Overflow Denial of Service
  • Description: Yahoo Toolbar ActiveX Control is exposed to a buffer overflow denial of service issue because the application fails to properly bounds check user-supplied data. Yahoo Toolbar version 1.4.1 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.50.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RealPlayer RMOC3260.DLL ActiveX Control Import Denial of Service
  • Description: RealNetworks RealPlayer is an application that allows users to play various media formats. The application is exposed to a denial of service issue because it fails to perform adequate boundary checks on user-supplied data before copying it to an insufficiently-sized buffer. RealPlayer version 11 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.50.6 - CVE: CVE-2007-5580
  • Platform: Third Party Windows Apps
  • Title: Cisco Security Agent for Microsoft Windows SMB Remote Buffer Overflow
  • Description: Cisco Security Agent is a software agent used to protect server and desktop computers. The application is exposed to a remote buffer overflow issue because it fails to properly bounds check user-supplied data.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20071205-csa.shtml

  • 07.50.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: VideoLan VLC ActiveX Plugin Memory Corruption
  • Description: VLC media player is a multimedia application for playing audio and video files. The application is exposed to a memory corruption issue that affects the ActiveX plugin component of VLC. VLC media player versions 0.8.6 to 0.8.6c are affected.
  • Ref: http://www.videolan.org/sa0703.html

  • 07.50.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SonicWALL Global VPN Client Remote Format String
  • Description: SonicWALL Global VPN Client provides virtual private networking for mobile users. The application is exposed to a remote format string issue because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. SonicWALL Global VPN Client versions prior to 4.0.0.830 are affected.
  • Ref: http://www.sec-consult.com/305.html

  • 07.50.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: avast! Home/Professional TAR File Handling Unspecified Vulnerability
  • Description: avast! is an antivirus application for Microsoft Windows. The application is exposed to an unspecified issue when the application handles a TAR file. avast! Home and Professional versions prior to 4.7.1098 are affected.
  • Ref: http://www.securityfocus.com/archive/1/484657

  • 07.50.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: HFS HTTP File Server Arbitrary File Upload
  • Description: HFS HTTP File Server is a file sharing application for Microsoft Windows platforms. The application is exposed to an issue that lets attackers upload files and place them in arbitrary locations on the server. The issue occurs because the software fails to adequately sanitize user-supplied input. HTTP File Server versions prior to 2.2b are affected.
  • Ref: http://aluigi.altervista.org/adv/hfsup-adv.txt

  • 07.50.11 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X VPND Remote Denial of Service
  • Description: Virtual private network daemon (vpnd) is a VPN service daemon for L2TP over IPSec or PPTP VPNs. The application is exposed to a remote denial of service issue because the virtual private network daemon (vpnd) fails to handle malicious network packets. When the daemon processes a malicious packet an arithmetic exception occurs in the "accept_connections()" function, causing the daemon to crash. Apple Mac OS X version 10.5 is affected.
  • Ref: http://www.securityfocus.com/bid/26699

  • 07.50.12 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X Mach_Loader.C Local Denial of Service
  • Description: Apple Mac OS X is exposed to a local denial of service issue because the kernel fails to properly handle exceptional conditions. Specifically, the "load_threadstack()" function of the "/bsd/kern/mach_loader.c" file is exposed to an integer overflow issue causing the kernel to enter an infinite loop and crash. Apple Mac OS X versions 10.4 and 10.5.1 are affected.
  • Ref: http://www.securityfocus.com/bid/26700

  • 07.50.13 - CVE: CVE-2007-5494
  • Platform: Linux
  • Title: Red Hat Content Accelerator Memory Leak Local Denial of Service
  • Description: Red Hat Content Accelerator is a kernel-based HTTP server. The application is exposed to a local denial of service issue because of a programming error. Red Hat Enterprise Linux (v. 5 server) and Red Hat Enterprise Linux Desktop (v. 5 client) are affected.
  • Ref: https://rhn.redhat.com/errata/RHSA-2007-0993.html

  • 07.50.14 - CVE: Not Available
  • Platform: Linux
  • Title: Zsh Insecure Temporary File Creation
  • Description: Zsh is a freely available interactive shell for Linux. The application is exposed to a security issue because it creates temporary files in an insecure manner. The issue affects the "difflog.pl" script because it creates insecure temporary files in the "tmp" directory. Zsh version 4.3.4 is affected.
  • Ref: https://bugs.gentoo.org/show_bug.cgi?id=201022

  • 07.50.15 - CVE: CVE-2007-6206
  • Platform: Linux
  • Title: Linux Kernel DO_COREDUMP Local Information Disclosure
  • Description: The Linux kernel is exposed to an information disclosure issue because the "do_coredump" function of the "fs/exec.c" source file fails to check a coredump file's user ID before dumping the core into an existing user-owned file. This can allow a local attacker to gain access to potentially sensitive data if a superuser process dumps core into the attacker's file. Linux kernel versions prior to 2.6.24-rc4 are affected.
  • Ref: http://bugzilla.kernel.org/show_bug.cgi?id=3043

  • 07.50.16 - CVE: CVE-2006-7225
  • Platform: Linux
  • Title: PCRE Perl-Compatible Regular Expression Library POSIX Denial of Service
  • Description: PCRE Perl-Compatible Regular Expression is a library of functions for regular expression pattern matching. The library uses the same syntax and semantics as Perl 5. The library is exposed to a denial of service issue because it fails to adequately sanitize user-supplied regular expressions. PCRE versions prior to 6.7 are affected.
  • Ref: http://rhn.redhat.com/errata/RHSA-2007-1059.html

  • 07.50.17 - CVE: CVE-2006-7226
  • Platform: Linux
  • Title: PCRE Perl-Compatible Regular Expression Subpattern Memory Allocation Denial of Service
  • Description: PCRE Perl-Compatible Regular Expression is a library of functions for regular expression pattern matching. The library uses the same syntax and semantics as Perl 5. The library is exposed to a denial of service issue because it fails to allocate sufficient memory for quantified subpatterns that contain a named recursion or subroutine reference. PCRE versions prior to 6.7 are affected.
  • Ref: http://rhn.redhat.com/errata/RHSA-2007-1059.html

  • 07.50.18 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris LX(5) Branded Zones Unspecified Local Denial of Service
  • Description: Sun Solaris is an enterprise-grade UNIX distribution. The problem occurs within the Linux branded zone "lx(5)", that may allow an attacker to cause the kernel to panic. Solaris version 10 x86 running in 64-bit mode is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103153-1&searchclause=

  • 07.50.19 - CVE: Not Available
  • Platform: Unix
  • Title: IBM AIX chfs Command Denial of Service
  • Description: AIX is a UNIX operating system from IBM. The application is exposed to a denial of service issue when reducing the size of a concurrent volume group using the "chfs" command. IBM AIX version 5.3 is affected.
  • Ref: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4032#IZ04953

  • 07.50.20 - CVE: Not Available
  • Platform: Novell
  • Title: Novell BorderManager Multiple Vulnerabilities
  • Description: Novell BorderManager is a security tool providing firewall and VPN functionality. It is commercially available for Microsoft Windows. The application is exposed to multiple issues. Novell BorderManager versions prior to 3.8 SP5 are affected.
  • Ref: http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5007301.html

  • 07.50.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Multiple Vendor Web Browser JavaScript Multiple Fields Key Filtering
  • Description: Multiple web browsers are exposed to a JavaScript key filtering issue because the browsers fail to securely handle keystroke input from users. The issue occurs when multiple fields are embedded within a single label. These fields include: File fields and Text fields.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058740.html

  • 07.50.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Typespeed Malformed Packet Divide By Zero Denial of Service
  • Description: Typespeed is a typing tool and typing game. The application is exposed to a denial of service issue because the application fails to handle malformed packets. Specifically, a divide-by-zero error occurs when handling a malformed packet. Typespeed versions prior to 0.6.4 are affected.
  • Ref: http://tobias.eyedacor.org/typespeed/ChangeLog

  • 07.50.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Tivoli Netcool Security Manager Unspecified Cross-Site Scripting
  • Description: IBM Tivoli Netcool Security Manager provides real-time performance and service management for service providers. It is available for multiple operating platforms. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. IBM Tivoli Netcool Security Manager version 1.3.0 is affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=swg24017385

  • 07.50.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: QEMU Translation Block Local Denial of Service
  • Description: QEMU is a processor emulator used to virtualize computer systems and to run guest operating systems within a host. The application is exposed to a local denial of service issue because it fails to perform adequate boundary checks when handling user-supplied input. QEMU version 0.9.0 is affected.
  • Ref: http://www.securityfocus.com/bid/26666

  • 07.50.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Bitmap File RLE Remote Denial of Service
  • Description: Opera Web Browser is a browser that runs on multiple operating systems. The application is exposed to a remote denial of service issue when processing the run-length encoding (RLE) in a bitmap (BMP) file. Specifically, the issue is due to the implementation of the 00 02 XX YY feature. The implementation performs XX+YY*width increments when displaying a BMP file. Opera versions 9.50 beta and 9.24 are affected.
  • Ref: http://www.securityfocus.com/archive/1/484605

  • 07.50.26 - CVE: CVE-2007-2797
  • Platform: Cross Platform
  • Title: xterm Pseudo Terminal Insecure Permissions Local Insecure Permission Weakness
  • Description: xterm is a terminal emulator for the X Window System. The application is exposed to a local insecure permission weakness because the application sets insecure permissions on pseudo-terminals.
  • Ref: http://rhn.redhat.com/errata/RHSA-2007-0701.html

  • 07.50.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Tivoli Provisioning Manager Express Username User Enumeration Weakness
  • Description: IBM Tivoli Provisioning Manager Express is an application that allows users to deploy software updates. The application is exposed to a user enumeration weakness because the application returns certain data when a failed login attempt uses a valid username.
  • Ref: http://www.securityfocus.com/archive/1/484607

  • 07.50.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Claws Mail Insecure Temporary File Creation
  • Description: Claws Mail is a freely available email client for Linux, UNIX, and Sun Solaris platforms. The application is exposed to a security issue because it creates temporary files in an insecure manner. The issue affects the "sylprint.pl" script because it creates insecure temporary files. Claws Mail version 3.1.0 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454089

  • 07.50.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Ascential DataStage Multiple Local Vulnerabilities
  • Description: Ascential DataStage is a tool for collecting, integrating, and transforming large volumes of data. It is available for Windows, UNIX, and Linux-based operating systems. The application is exposed to three security issues that may be exploited by a local user. Ascential DataStage version 7.5 is affected.
  • Ref: http://www.securityfocus.com/bid/26677

  • 07.50.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SING Log Option Local Privilege Escalation
  • Description: SING (Send ICMP Nasty Garbage) is a tool to send ICMP packets, customized with spoofed sources and ICMP codes. It is a replacement for the "ping" utility. The application is exposed to a local privilege escalation issue that arises because SING's binary is SUID. SING version 1.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484472

  • 07.50.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zabbix daemon_start Local Privilege Escalation
  • Description: Zabbix is a network monitoring tool available for Unix, Linux and other Unix-like operating systems. The application is exposed to a local privilege escalation issue that occurs in the "daemon_start()" function of "src/libs/zbxnix/daemon.c". Zabbix version 1.4.2 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452682

  • 07.50.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple QuickTime Unspecified Remote
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to an unspecified remote issue. Apple QuickTime version 7.2 for Microsoft Windows XP is affected.
  • Ref: http://wabisabilabi.blogspot.com/2007/11/quicktime-zeroday-vulnerability-still.html

  • 07.50.33 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Squid Proxy Cache Update Reply Processing Remote Denial of Service
  • Description: Squid is an open-source proxy server available for a number of platforms. The application is exposed to a remote denial of service issue because the proxy server fails to perform boundary checks prior to copying user-supplied data into process buffers. Squid versions 2.6.STABLE16 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/26687

  • 07.50.34 - CVE: CVE-2007-6194
  • Platform: Cross Platform
  • Title: HP Select Identity Unspecified Remote Unauthorized Access
  • Description: HP Select Identity is an application used to manage user identities and access rights. The application is exposed to an unspecified unauthorized access issue. HP Select Identity versions 4.01 to 4.01.011 and 4.10 to 4.13.002 are affected.
  • Ref: http://www.securityfocus.com/archive/1/484566

  • 07.50.35 - CVE: CVE-2007-5614
  • Platform: Cross Platform
  • Title: Jetty Cookie Names Session Hijacking
  • Description: Mortbay Jetty is an open source webserver implemented in Java. The application is exposed to an issue that allows attackers to hijack browser sessions because the server fails to adequately handle single quotes in cookie names. Jetty versions prior to 6.1.6 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/438616

  • 07.50.36 - CVE: CVE-2007-5615
  • Platform: Cross Platform
  • Title: Jetty Unspecified HTTP Response Splitting
  • Description: Jetty is a Java-based web server available for multiple platforms. The application is exposed to an HTTP-response-splitting issue because it fails to sanitize user-supplied input. This issue affects HTTP headers with CRLF sequences, which can allow an attacker to inject unspecified HTTP headers into server responses. Jetty versions prior to 6.1.6 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/212984

  • 07.50.37 - CVE: CVE-2007-4575
  • Platform: Cross Platform
  • Title: OpenOffice HSQLDB Database Engine Unspecified Java Code Execution
  • Description: OpenOffice is a multiplatform office suite. The application is exposed to a code execution issue that affects the HSQLDB database engine supplied with the application. OpenOffice versions prior to 2.3.1 are affected.
  • Ref: https://rhn.redhat.com/errata/RHSA-2007-1048.html

  • 07.50.38 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Citrix EdgeSight for Endpoints and Presentation Server Database Credential Disclosure Weakness
  • Description: Citrix EdgeSight is a performance management suite comprised of EdgeSight for Endpoints and EdgeSight for Presentation Server. The application is exposed to a database credential disclosure weakness. Specifically, database credentials are stored in an insecure manner in unspecified configuration files.
  • Ref: http://support.citrix.com/article/CTX115281

  • 07.50.39 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP OpenVMS Multiple Local Denial of Service Vulnerabilities
  • Description: OpenVMS is a mainframe-like operating system originally developed by Digital. It is maintained and distributed by HP. The application is exposed to multiple local denial of service issues. OpenVMS for Integrity Servers version V8.3 is affected.
  • Ref: ftp://ftp.itrc.hp.com/openvms_patches/i64/V8.3/VMS83I_GRAPHICS-V0100.txt

  • 07.50.40 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun SPARC XSCF Control Package (XCP) Firmware Unspecified Denial of Service
  • Description: Sun XSCF (eXtended System Control Facility) Control Package (XCP) firmware for SPARC Enterprise M4000/M5000/M8000/M9000 systems is exposed to a denial of service issue that causes degradation of an XSCF response during telnet, SSH, and httpd communication. XCP versions prior to 1050 are vulnerable.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103159-1

  • 07.50.41 - CVE: CVE-2007-6207
  • Platform: Cross Platform
  • Title: Xen mov_to_rr RID Local Security Bypass
  • Description: Xen is an open-source hypervisor or virtual machine monitor. The application is exposed to a local security bypass issue because it fails to validate user-supplied input. The application fails to check the Region Identifier (RID) value during "mov_to_rr" calls. Xen versions prior to 3.1.2 on IA64 platforms are affected.
  • Ref: http://lists.xensource.com/archives/html/xen-ia64-devel/2007-10/msg00189.html

  • 07.50.42 - CVE: CVE-2007-5200
  • Platform: Cross Platform
  • Title: hugin Insecure Temporary File Creation
  • Description: hugin is a freely-available panoramic stitching tool for manipulating digital images. It is available for multiple platforms. The application is exposed to an insecure temporary file creation issue that affects the "hugin_debug_optim_results.txt" file. hugin versions 0.6.1 and 0.7_beta4 are affected.
  • Ref: http://www.novell.com/linux/security/advisories/2007_20_sr.html

  • 07.50.43 - CVE: CVE-2007-6204
  • Platform: Cross Platform
  • Title: HP OpenView Network Node Manager Unspecified Remote Arbitrary Code Execution
  • Description: HP OpenView Network Node Manager is a fault-management application for IP networks. The application is exposed to an unspecified remote code execution issue. HP OpenView Network Node Manager versions 6.41, 7.01, and 7.51 are affected when running on HP-UX, Solaris, Windows, and Linux platforms.
  • Ref: http://www.securityfocus.com/archive/1/484658

  • 07.50.44 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SERWeb Multiple Remote and Local File Include Vulnerabilities
  • Description: SERWeb is a self-provisioning web interface for SER-based SIP servers. The application is exposed to multiple remote and local file include issues because it fails to properly sanitize user-supplied input. SERWeb version 2.0.0 dev 1 is affected.
  • Ref: http://www.securityfocus.com/bid/26747

  • 07.50.45 - CVE: CVE-2007-5989
  • Platform: Cross Platform
  • Title: Skype Technologies skype4com URI Handler Remote Heap Corruption
  • Description: Skype is peer-to-peer communications software that supports internet-based voice communications. The application is exposed to a remote heap-based memory corruption issue. Skype versions prior to 3.6.0.216 for Windows are affected.
  • Ref: http://www.securityfocus.com/archive/1/484703

  • 07.50.46 - CVE: CVE-2007-5894, CVE-2007-5901, CVE-2007-5902, CVE-2007-5971, CVE-2007-5972
  • Platform: Cross Platform
  • Title: MIT Kerberos Multiple Memory Corruption Vulnerabilities
  • Description: MIT Kerberos 5 is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. It is freely available and operates on numerous platforms. The application is exposed to multiple memory corruption issues.
  • Ref: http://bugs.gentoo.org/show_bug.cgi?id=199205

  • 07.50.47 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: F5 FirePass 4100 SSL VPN My.Logon.PHP3 Cross-Site Scripting
  • Description: FirePass 4100 SSL VPN is a secure Virtual Private Network device that uses SSL connections to encapsulate network traffic. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. F5 FirePass 4100 SSL VPNs running versions 5.4.1 through 5.5.2, 6.0 and 6.0.1 are affected.
  • Ref: http://www.procheckup.com/Vulnerability_PR07-15.php

  • 07.50.48 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: F5 FirePass 4100 SSL VPN Download_Plugin.PHP3 Cross-Site Scripting
  • Description: FirePass 4100 SSL VPN is a secure Virtual Private Network device that uses SSL connections to encapsulate network traffic. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. This issue affects the "my.activation.php3" script. F5 FirePass 4100 SSL VPNs running firmware versions 5.4.1 through 5.5.2 and 6.0 through 6.0.1 are affected.
  • Ref: http://www.procheckup.com/Vulnerability_PR07-14.php

  • 07.50.49 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness
  • Description: Apache HTTP servers are prone to a cross-site scripting weakness. The issue occurs when the application fails to sanitize a specially-crafted HTTP request method that results in a 413 HTTP error. Apache versions 2.0.46 through 2.2.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/484410

  • 07.50.50 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Hitachi JP1/Cm2/Network Node Manager Unspecified Cross-Site Scripting
  • Description: Hitachi JP1/Cm2/Network Node Manager are application servers available for multiple operating platforms. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input.
  • Ref: http://www.hitachi-support.com/security_e/vuls_e/HS07-040_e/index-e.html

  • 07.50.51 - CVE: CVE-2007-5613
  • Platform: Web Application - Cross Site Scripting
  • Title: Jetty Dump Servlet Cross-Site Scripting
  • Description: Jetty is a Java server available for various operating systems. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue occurs in the Jetty Dump Servlet. Jetty versions prior to 6.1.6 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/237888

  • 07.50.52 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyChat Multiple Scripts and Parameters Cross-Site Scripting Vulnerabilities
  • Description: phpMyChat is a web-based chat application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. phpMyChat version 0.14.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484575

  • 07.50.53 - CVE: CVE-2007-5582
  • Platform: Web Application - Cross Site Scripting
  • Title: Cisco CiscoWorks Login Script Cross-Site Scripting
  • Description: CiscoWorks is a device management and network monitoring tool for Cisco networks. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the login script. CiscoWorks version 2.6 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484609

  • 07.50.54 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM Tivoli Provisioning Manager Express Multiple Cross-Site Scripting Vulnerabilities
  • Description: IBM Tivoli Provisioning Manager Express is an application that allows administrators to deploy software updates. The application is exposed to multiple cross-site scripting issues because the application fails to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/484607

  • 07.50.55 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM Lotus Sametime Server WebRunMenuFrame Cross-Site Scripting
  • Description: IBM Lotus Sametime Server is a commercially available instant-messaging and web-conferencing application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Sametime Server versions prior to 8.0 are affected.
  • Ref: http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5007301.html

  • 07.50.56 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Kayako SupportSuite PHP_SELF Trigger_Error Function Cross-Site Scripting
  • Description: SupportSuite is a web-based customer service application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "PHP_SELF" parameter of the "trigger_error()" function. This function is called from many files (over 300), so several attack vectors exist. See the references section for a complete list of affected files. SupportSuite version 3.00.32 is affected.
  • Ref: http://www.securityfocus.com/bid/26744

  • 07.50.57 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: OpenNewsletter Compose.PHP Cross-Site Scripting
  • Description: OpenNewsletter is a web-based application for publishing newsletters. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "type" parameter of the "compose.php" script. OpenNewsletter version 2.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484680

  • 07.50.58 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: bcoos Adresses/Ratefile.PHP SQL Injection
  • Description: bcoos is a content management system (CMS). The application is exposed to an SQL injection issue because it fails to adequately sanitize user-supplied input before using it in an SQL query. This issue affects the "lid" parameter of the "adresses/ratefile.php" script. bcoos version 1.0.10 is affected.
  • Ref: http://www.securityfocus.com/bid/26664

  • 07.50.59 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PhpBBGarage Garage.PHP SQL Injection
  • Description: PhpBBGarage is a modification to phpBB that allows users to store information about their vehicle. PhpBB is an open-source forum application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "make_id" parameter of the "garage.php" script before using it in an SQL query. PhpBBGarage version 1.2.0 Beta 3 is affected.
  • Ref: http://www.securityfocus.com/bid/26683

  • 07.50.60 - CVE: CVE-2007-6014
  • Platform: Web Application - SQL Injection
  • Title: Beehive Forum Post.PHP SQL Injection
  • Description: Beehive Forum is web-based forum software that has a MySQL backend. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "t_dedupe" parameter of the "post.php" script before using it in an SQL query. Beehive Forum versions 0.7.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/484501

  • 07.50.61 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Snitz Forums 2000 Active.ASP SQL Injection
  • Description: Snitz Forums 2000 is a web forum implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "active.asp" script. All versions of Snitz Forums 2000 are affected.
  • Ref: http://www.securityfocus.com/bid/26688

  • 07.50.62 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Mambo/Joomla! RSGallery2 CATID Parameter SQL Injection
  • Description: RSGallery2 is a gallery plugin for Mambo/Joomla!. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "catid" parameter of "index.php" before using it in an SQL query. RSGallery2 version 2.0 beta 5 is affected.
  • Ref: http://www.securityfocus.com/bid/26704

  • 07.50.63 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! Index.PHP Multiple SQL Injection Vulnerabilities
  • Description: Joomla! is a content management system (CMS). The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "view", "task" and "option" parameters of the "index.php" script before using it in an SQL query. Joomla! version 1.5 RC3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484603

  • 07.50.64 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WordPress P Parameter SQL Injection
  • Description: WordPress is a PHP-based personal publishing application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input before using it in an SQL query. Specifically, the "p" parameter is affected when accessing an RSS feed. WordPress version 2.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/26709

  • 07.50.65 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Drupal TAXONOMY_SELECT_NODES() SQL Injection
  • Description: Drupal is an open-source content manager that is available for a number of platforms, including Microsoft Windows and Unix/Linux variants. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "taxonomy_select_nodes()" function before using it in an SQL query. Drupal versions prior to 4.7.9 and 5.4 are affected.
  • Ref: http://drupal.org/node/198162

  • 07.50.66 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MWOpen E-Commerce leggi_commenti.asp SQL Injection
  • Description: MWOpen E-Commerce is a web-based shopping application implemented in ASP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "leggi_commenti.asp" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/26746

  • 07.50.67 - CVE: Not Available
  • Platform: Web Application
  • Title: FTP Admin Multiple Remote Vulnerabilities
  • Description: FTP Admin is a web-based user management tool for vsFTPd FTP server. The application is exposed to multiple remote issues. FTP Admin version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/26658

  • 07.50.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Gadu-Gadu Remote User Addition Unauthorized Access
  • Description: Gadu-Gadu (Polish for "chit-chat") is a Polish instant-messaging client. The application is exposed to an issue that allows unauthorized users to add additional users. This issue occurs because of improper protocol handling by its default registered protocol handler "gg". Gadu-Gadu version 7.7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484607

  • 07.50.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Tellmatic tm_includepath Parameter Multiple Remote File Include Vulnerabilities
  • Description: Tellmatic is an application that allows users to create and manage newsletters. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "ccms_library_path" parameter. Tellmatic versions 1.0.7 and 1.0.7.1 are affected.
  • Ref: http://www.securityfocus.com/bid/26678

  • 07.50.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Rayzz Class_HeaderHandler.Lib.PHP Remote File Include
  • Description: Rayzz is a web-based social networking application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "CFG[site][project_path]" parameter of the "/common/classes/class_HeaderHandler.lib.php" script. Rayzz version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/26681

  • 07.50.71 - CVE: Not Available
  • Platform: Web Application
  • Title: CRM-CTT CheckCustomerAccess Security Bypass
  • Description: CRM-CTT is a PHP-based process-automation application. The application is exposed to a security bypass issue because it fails to properly validate user credentials before performing certain actions. CRM-CTT versions prior to 4.2.0 are affected.
  • Ref: http://www.securityfocus.com/bid/26685

  • 07.50.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Absolute News Manager .NET Multiple Input Validation and Information Disclosure Vulnerabilities
  • Description: Absolute News Manager .NET is a content manager implemented in ASP.NET. The application is exposed to multiple remote issues. Absolute News Manager .NET version 5.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484560

  • 07.50.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Gadu-Gadu Skin Attribute Handling Remote Denial of Service
  • Description: Gadu-Gadu (Polish for "chit-chat") is a Polish instant-messaging client. The application is exposed to a remote denial of service issue. The application fails to properly launch, causing denial of service conditions. Gadu-Gadu version 7.7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484607

  • 07.50.74 - CVE: Not Available
  • Platform: Web Application
  • Title: Computer Associates eTrust Threat Management Console HTML Injection
  • Description: Computer Associates eTrust Threat Management Console is a web-based management application for the CA Integrated Threat Management product. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
  • Ref: http://www.securityfocus.com/archive/1/484607

  • 07.50.75 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Shoutbox Module Multiple HTML Injection Vulnerabilities
  • Description: Drupal is an open-source content manager that is available for a number of platforms, including Microsoft Windows and Unix/Linux variants. The application is exposed to multiple HTML injection issues because the application fails to sufficiently sanitize user-supplied input data before using it in dynamically generated content. Shoutbox module versions prior to 5.x-1.1 are affected.
  • Ref: http://drupal.org/node/198163

  • 07.50.76 - CVE: Not Available
  • Platform: Web Application
  • Title: VisualShapers ezContents File Disclosure
  • Description: VisualShapers ezContents is a web-based content management system. The application is exposed to an issue that allows remote attackers to display the contents of arbitrary local files in the context of the web server process. ezContents version 1.4.5 is affected.
  • Ref: http://www.securityfocus.com/bid/26737

  • 07.50.77 - CVE: Not Available
  • Platform: Web Application
  • Title: SineCms Multiple Input Validation Vulnerabilities
  • Description: SineCms is a web-based content management system. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied data. The issues consist of five SQL injection and two HTML injection vulnerabilities.
  • Ref: http://www.securityfocus.com/bid/26738

  • 07.50.78 - CVE: Not Available
  • Platform: Web Application
  • Title: WordPress PictPress Plugin Resize.PHP Multiple Local File Include Vulnerabilities
  • Description: WordPress PictPress plugin is a tool for generating thumbnail-sized images for WordPress web-log entries. WordPress allows users to generate news pages and web logs dynamically. The application is exposed to multiple local file include issues because it fails to properly sanitize user-supplied input to the "size" and "path" parameters of the "resize.php" script. WordPress PictPress plugin version 0.91 is affected.
  • Ref: http://www.securityfocus.com/bid/26743

  • 07.50.79 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB .PNG and .RAR Multiple Arbitrary File Upload Vulnerabilities
  • Description: phpBB is a web-based bulletin board application. The application is exposed to multiple arbitrary file upload issues because it fails to properly verify the content of attachments posted to web-log entries. phpBB version 2.0.22 is affected.
  • Ref: http://www.securityfocus.com/bid/26740

  • 07.50.80 - CVE: CVE-2007-6241
  • Platform: Web Application
  • Title: Beehive Forum Links.PHP Multiple Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: Beehive Forum is web-based forum software, which is implemented in PHP and has a MySQL backend. The application is exposed to multiple unspecified cross-site scripting and SQL injection issues because it fails to properly sanitize user-supplied input. Beehive Forum version 0.7.1 is affected.
  • Ref: http://sourceforge.net/project/shownotes.php?group_id=50772&release_id=551758

  • 07.50.81 - CVE: CVE-2007-6190
  • Platform: Network Device
  • Title: Cisco Unified IP Phone RTP Audio Stream Eavesdropping
  • Description: Cisco Unified IP Phone is a Voice over IP (VoIP) phone. The application is exposed to an issue that allows eavesdropping. This issue occurs in Cisco Unified IP phones that are configured to use the Extension Mobility feature when receiving or transmitting RTP (Real-Time Transport Protocol) data.
  • Ref: http://www.cisco.com/en/US/products/products_security_response09186a0080903a6d.html

  • 07.50.82 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco 7940 SIP Phone INVITE Message Remote Denial of Service
  • Description: Cisco 7940 devices are voice-over-IP (VoIP) phones. The application is exposed to a denial of service issue because the device fails to handle specially crafted SIP INVITE messages. Cisco IP phone 7940 is affected.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058837.html

  • 07.50.83 - CVE: Not Available
  • Platform: Network Device
  • Title: Nokia N95 Phone SIP Cancelled INVITE Message Remote Denial of Service
  • Description: Nokia N95 devices are cell phones that include the ability to operate as SIP voice-over-IP (VoIP) devices. The application is exposed to a denial of service issue because the device fails to handle specially crafted SIP INVITE messages. RM-159 version V 12.0.013 of Nokia N95 phones is affected.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058839.html

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.