@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 6
February 5, 2007

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                    Number of Updates and Vulnerabilities
--------------------------                  -------------------------------------
Windows                                     3
Microsoft Office                            1 (#1)
Third Party Windows Apps                    7
Mac Os                                      5
Linux                                       4
Solaris                                     1 (#2)
Aix                                         1
Unix                                        1
Cross Platform                              7 (#4)
Web Application - Cross Site Scripting      6
Web Application - SQL Injection             8
Web Application                             30
Network Device                              5 (#3)

************************** Sponsored By SANS ****************************

SAVE BIG! Get 30% off of any of these courses when you sign up for OnDemand's pre-paid program. SEC 309: Intro to Information Security, SEC503: Intrusion Detection In-Depth, AUD507: Auditing Networks, Perimeters and Systems will all be available by July 31, 2007. For more information please contact ondemand@sans.org.

*************************************************************************

TRAINING UPDATE: The early registration discount for SANS 2007 expires in three weeks. SANS 2007 is the world's largest security training conference with 56 immersion courses and a huge expo. It is in San Diego March 29 - April 5. Complete program: http://www.sans.org/sans2007/event.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Third Party Windows Apps
Mac Os
Linux
Solaris
Aix
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) MODERATE: Sun Solaris FreeType 2 Integer Overflow
  • Affected:
    • Sun Solaris Operating System versions 8, 9, and 10
  • Description: Sun Solaris ships by default with a vulnerable version of the FreeType open source font engine. A specially-crafted font file could result in an integer overflow, and lead to arbitrary code execution. Depending on system setup, code could be executed with the privileges of the current user, or with root or other privileges. Note that this vulnerability exists only in the older version of FreeType shipped with Solaris; the current version of FreeType is not affected. This issue was discussed in an earlier issue of @RISK.

  • Status: Sun confirmed, updates available.

  • Council Site Actions: Only one of the responding council sites is using the affected software. That site is not running any graphical applications, but it is checking whether its systems could still be vulnerable. If vulnerable systems are found, the patches will be loaded during the next regularly scheduled rollout of other system-related patches.

  • References:
  • (3) LOW: Cisco SIP Packet Processing Denial-of-Service
  • Affected:
    • Cisco devices that support Voice-over-IP
  • Description: Cisco devices that support Voice-over-IP (VoIP), but that are not properly configured for VoIP, are prone to a denial-of-service vulnerability. Currently, the nature of the vulnerability is not publicly known, but has been confirmed to involve traffic on UDP port 5060 and the Session Initiation Protocol (SIP). Note that devices that are properly configured for VoIP are not vulnerable. Users are advised to block UDP port 5060 at the network perimeter, if possible.

  • Status: Cisco confirmed, updates available.

  • Council Site Actions: Most of the responding council sites are using the affected software. Their respective network support teams plan to roll out the patches during their next regularly scheduled system update process.

  • References:
Other Software
  • (4) MODERATE: CHMlib Memory Corruption Vulnerability
  • Affected:
    • CHMlib versions prior to 0.39
  • Description: CHMlib, a library used to read Microsoft Compressed HTML (CHM) files (used commonly for eBooks and online help), contains a memory corruption vulnerability. A specially-crafted CHM file could trigger this vulnerability and execute arbitrary code with the privileges of the current user. Because CHMlib is open source software, technical details for this vulnerability may be discovered via source code analysis.

  • Status: Vendor confirmed, updates available.

  • Council Site Actions: Only one of the responding council sites is using the affected software. They have notified their server support team and plan to load the patches during their next regularly scheduled system update process.

  • References:
Exploit Code
  • (6) DETAILS: Oracle 10g R2 Enterprise Manager Directory Traversal Vulnerability
  • Description: Technical details have been publicly posted for a vulnerability patched in Oracle's January Critical Patch Update. A specially-crafted request to the "EmChartBean" component of the Enterprise Manager could exploit a directory traversal vulnerability. Successful exploitation of this vulnerability could disclose arbitrary file contents. This vulnerability was discussed in a previous issue of @RISK.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (7) DETAILS: Computer Associates BrightStor ARCserve Buffer Overflows
  • Description: Technical details have been publicly posted for two vulnerabilities in Computer Associates BrightStor ARCserve. Specially-crafted traffic sent to the "LGSSERVER.EXE" process can exploit these vulnerabilities and execute arbitrary code with SYSTEM privileges:
    • (1) A specially-crafted packet with a length specified as greater than 32767 will trigger a buffer overflow and result in arbitrary code execution. The vulnerable process listens

  • Council Site Actions: Only one of the responding council sites is using the affected software, and they plan to load the patches during their next regularly scheduled system update process.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 6, 2007

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5247 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.6.1 - CVE: Not Available
  • Platform: Windows
  • Title: Windows Vista Voice Recognition Command Execution
  • Description: Windows Vista is prone to a command execution vulnerability because of its built-in voice recognition capability. When voice recognition is enabled and when the speakers and microphone are on and the volume is adjusted appropriately, voice commands given via an audio file may be executed by the operating system. Several versions of Windows Vista are affected.
  • Ref: http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx

  • 07.6.2 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Mobile Multiple Remote Denial of Service Vulnerabilities
  • Description: Microsoft Windows Mobile is an operating system for smart phones and PDAs. Due to insufficient input sanitization, it is prone to two remote denial of service vulnerabilities. Please refer to the advisory for further information.
  • Ref: http://www.securityfocus.com/bid/22343

  • 07.6.3 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Internet Explorer Multiple ActiveX Controls Denial of Service Vulnerabilities
  • Description: Microsoft Internet Explorer is prone to multiple denial of service vulnerabilities due to insufficient exception handling in various ActiveX controls. Internet Explorer versions 5, 6 and 7 are reportedly vulnerable. Please refer to the advisory for further information.
  • Ref: http://www.securityfocus.com/bid/22288

  • 07.6.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Comodo Firewall CMDMon.SYS Multiple Denial of Service
  • Description: Comodo is a firewall application. It is vulnerable to multiple denial of service issues because it fails to adequately validate user-supplied arguments while hooking functions in the SSDT. Comodo Firewall Pro version 2.4.16.174 and Comodo Personal Firewall version 2.3.6.81 are vulnerable.
  • Ref: http://www.matousec.com/info/advisories/Comodo-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php

  • 07.6.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Computer Associates BrightStor ARCserve BackUp LGServer Remote Stack Buffer Overflow
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup and restore protection. BrightStor ARCserve Backup is prone to a remote stack based buffer overflow vulnerability due to inadequate bounds checks on user-supplied data prior to copying it to an insufficiently sized buffer. Computer Associates BrightStor ARCserve Backup versions 11.0, 11.1 and 11.1 SP1 are affected.
  • Ref: http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp

  • 07.6.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Bloodshed Dev-C++ CPP Source File Buffer Overflow
  • Description: Bloodshed Dev-C++ is a freely available development tool for building applications on Microsoft platforms. It is prone to a buffer overflow vulnerability that is triggered when the application is used to compile a CPP file consisting of nothing but approximately 80000 "A" characters. Bloodshed Dev-C++ version 4.9.9.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22315

  • 07.6.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Javvin DiskAccess NFS Client DAPCNFSD.DLL Stack Buffer Overflow
  • Description: Javvin DiskAccess is an application that enables access to NFS-based file and print resources on UNIX and mainframe hosts. It is prone to a stack based buffer overflow vulnerability because it fails to properly bounds check user-supplied data to the "EnumPrintersA()" function in the "dapcnfsd.dll" file before copying it into an insufficiently sized memory buffer.
  • Ref: http://www.securityfocus.com/bid/22301

  • 07.6.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Ipswitch WS_FTP 2007 SCP Handling Format String
  • Description: Ipswitch WS_FTP 2007 Professional is an FTP server written for the Microsoft Windows operating system. It is prone to a format string vulnerability due to insufficient input sanitization in the SCP handling module.
  • Ref: http://www.securityfocus.com/bid/22275

  • 07.6.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Yahoo! Messenger Notification Message HTML Injection
  • Description: Yahoo! Messenger is an instant messaging application. It is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input to the "Lastname" field of a user account when the user status is changed to the "signed out" state. Yahoo! Messenger versions prior to 2.1.0.29 are affected.
  • Ref: http://www.securityfocus.com/bid/22269

  • 07.6.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: CHM Lib Multiple Unspecified Buffer Overflow Vulnerabilities
  • Description: CHM Lib is a library for dealing with Microsoft ITSS/CHM format files. It is vulnerable to multiple unspecified buffer overflow issues. CHM Lib versions 0.38 and earlier are vulnerable.
  • Ref: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=468

  • 07.6.11 - CVE: Not Available
  • Platform: Mac Os
  • Title: Mac OS X Multiple Products Format String Vulnerabilities
  • Description: Multiple products for Mac OS X are vulnerable to multiple remote format string vulnerabilities. The affected applications include Help Viewer, Safari, iPhoto and iMovie. See the advisory for further details.
  • Ref: http://www.digitalmunition.com/MOAB-30-01-2007.html#poc

  • 07.6.12 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple iChat Bonjour Multiple Remote Denial of Service Vulnerabilities
  • Description: Apple iChat is an instant messaging client for Apple OS X platforms. It is prone to multiple remote denial of service vulnerabilities. Version 3.1.6 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/22304

  • 07.6.13 - CVE: CVE-2007-0466
  • Platform: Mac Os
  • Title: Telestream Flip4Mac WMV File Remote Memory Corruption
  • Description: Flip4Mac is a set of components for QuickTime that allow Windows Media (WMV) files to be played with QuickTime for Apple Mac OS X. Flip4Mac is prone to a remote memory corruption vulnerability because the application fails to properly handle user-supplied values to the size field of "ASF_File_Properties_Object". Flip4Mac Windows Media Components for QuickTime version 2.1.0.33 is reported to be vulnerable.
  • Ref: http://projects.info-pull.com/moab/MOAB-27-01-2007.html

  • 07.6.14 - CVE: CVE-2007-0465
  • Platform: Mac Os
  • Title: Apple Installer Package Filename Format String Vulnerability
  • Description: Apple Installer is an application for installing packages on the Mac OS X Operating System. It is vulnerable to a format string issue due to insufficient handling of package filename strings. Apple Installer versions 2.1.5 and earlier are vulnerable.
  • Ref: http://projects.info-pull.com/moab/MOAB-26-01-2007.html

  • 07.6.15 - CVE: CVE-2007-0464
  • Platform: Mac Os
  • Title: Apple CFNetwork HTTP NULL Pointer Dereference Denial of Service
  • Description: CFNetwork is part of the Core Services framework in Mac OS X. It is prone to a denial of service vulnerability that can be caused by malformed HTTP responses. Version 129.19 on Mac OS X 10.4.8 is vulnerable.
  • Ref: http://projects.info-pull.com/moab/MOAB-25-01-2007.html

  • 07.6.16 - CVE: Not Available
  • Platform: Linux
  • Title: Gentoo Linux Acme Thttpd File Access Information Disclosure
  • Description: Acme Thttpd is a tiny Web server. The version that is distributed with Gentoo Linux is prone to a vulnerability that allows attackers to access arbitrary files. Please refer to the advisory for further information.
  • Ref: http://www.securityfocus.com/bid/22349

  • 07.6.17 - CVE: CVE-2006-6535
  • Platform: Linux
  • Title: Linux Kernel Dev_Queue_XMIT Local Denial of Service
  • Description: The Linux kernel is vulnerable to a denial of service issue because of a design error in "dev_queue_xmit()", the network subsystem function used to queue a buffer for transmission to a network device. See the advisory for further details.
  • Ref: http://rhn.redhat.com/errata/RHSA-2007-0014.html

  • 07.6.18 - CVE: CVE-2006-5753
  • Platform: Linux
  • Title: Linux Kernel ListXATTR Local Denial of Service
  • Description: The Linux kernel is prone to a local denial of service vulnerability that exists in the "listxattr()" system call. Please refer to the advisory for further information.
  • Ref: http://www.securityfocus.com/bid/22316

  • 07.6.19 - CVE: Not Available
  • Platform: Linux
  • Title: smb4K Multiple Vulnerabilities
  • Description: smb4K is an SMB/CIFS share browser for KDE. It is vulnerable to multiple issues. smb4K version 0.8 resolves those issues. See the advisory for further details.
  • Ref: http://developer.berlios.de/bugs/?func=detailbug&bug_id=9631&group_id=769

  • 07.6.20 - CVE: Not Available
  • Platform: Solaris
  • Title: Sun Solaris ICMP Unspecified Remote Denial of Service
  • Description: Sun Solaris is prone to an unspecified remote denial of service vulnerability that resides in the ICMP handling process. Solaris version 10 is reportedly vulnerable. Please refer to the advisory for more information.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102697-1&searchclause=

  • 07.6.21 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX pop3d/pop3ds/imapd/imapds Authentication Bypass
  • Description: The bos.net.tcp.server fileset contains the pop3d, pop3ds, imapd and imapds services which are included as part of IBM AIX 5.3. The services are prone to an authentication bypass vulnerability because they fail to effectively verify user credentials during the authentication process. Please refer to the advisory for further details.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY93084

  • 07.6.22 - CVE: Not Available
  • Platform: Unix
  • Title: NoMachine NX Server NXCONFIGURE.SH Remote Denial Of Service
  • Description: NX Server is a terminal and remote access server. It is prone to a denial of service vulnerability that occurs because the "nxconfigure.sh" script fails to properly verify access permissions and allows arbitrary users to change certain values in the "server.cfg" configuration file. Versions prior to 2.1.0-18 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/22308

  • 07.6.23 - CVE: CVE-2007-0459,CVE-2007-0458,CVE-2007-0457,CVE-2007-0456
  • Platform: Cross Platform
  • Title: Wireshark Multiple Protocol Denial of Service Vulnerabilities
  • Description: Wireshark is an application for analyzing network traffic. It is vulnerable to multiple denial of service issues when certain unspecified HTTP packets are reassembled. Wireshark versions 0.99.4 and earlier are vulnerable.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2007-01.html

  • 07.6.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Computer Associates BrightStor ARCserve Backup LGSERVER.EXE Denial Of Service
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup and restore protection for multiple platforms. BrightStor ARCserve Backup is prone to a denial of service vulnerability due to insufficient error handling in the "LGSERVER.EXE" service. Multiple versions are reportedly vulnerable. Please refer to the advisory for more information.
  • Ref: http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp

  • 07.6.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zabbix Unspecified Buffer Overflow
  • Description: ZABBIX is an IT monitoring system. ZABBIX is vulnerable to an unspecified buffer overflow issue when the application fails to perform adequate bounds checks on user-supplied SNMP IP data. Zabbix versions 1.1.4 and earlier are vulnerable.
  • Ref: http://www.zabbix.com/rn1.1.5.php

  • 07.6.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: gtalkbot Username and Password Multiple Information Disclosure Vulnerabilities
  • Description: gtalkbot is a bot system for Google Talk and other instant messaging applications. It is prone to an information disclosure vulnerability because the application displays the usernames and passwords of users on the command line, which results in the information being stored in the command history or the process list. gtalkbot versions 1.1 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/22322

  • 07.6.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Access Manager Undisclosed Cross-Site Scripting
  • Description: Sun Java System Access Manager is an application for managing secure access to web applications. It is prone to an undisclosed cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Sun Java System Access Manager versions 7 and 6.x are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102621-1&searchclause=

  • 07.6.28 - CVE: CVE-2007-0455
  • Platform: Cross Platform
  • Title: Graphics Library JIS-Encoded Font Buffer Overflow
  • Description: The GD Graphics Library (gdlib) is an open source graphics library available for multiple platforms. It is prone to a buffer overflow vulnerability in the "gdImageStringFTEx()" function of "gdft.c" that can be leveraged to cause a denial of service condition. Please refer to the advisory for more information.
  • Ref: http://www.securityfocus.com/bid/22289

  • 07.6.29 - CVE: CVE-2007-0255
  • Platform: Cross Platform
  • Title: xine M3U Remote Format String Vulnerability
  • Description: xine is an open source multimedia player for audio and video. It is prone to a remote format string vulnerability because it fails to properly sanitize user-supplied input before including it in the format specifier argument of a formatted printing function. Specifically, the vulnerability exists in the "udp://" handler when processing ".m3u" files that contain an excessively long "#EXTINF" parameter and an invalid format specifier. xine-ui version 0.99.4 is affected.
  • Ref: http://www.securityfocus.com/bid/22252

  • 07.6.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: OpenEMR Login_Frame.PHP Cross-Site Scripting
  • Description: OpenEMR is a web-based electronic medical recording application. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "rootdir" parameter of the "login_frame.php" script. OpenEMR version 2.8.2 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/458565/100/0/threaded

  • 07.6.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: DotNetNuke IFrame Module Unspecified Cross-Site Scripting
  • Description: IFrame is a DotNetNuke module that allows content from websites to be displayed within a frame. The module is vulnerable to a cross-site scripting issue because it fails to properly sanitize user-supplied input to an unspecified parameter and script. Versions prior to 03.02.01 are vulnerable.
  • Ref: http://www.dotnetnuke.com/Default.aspx?tabid=825&EntryID=1278

  • 07.6.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: HTTP Commander Multiple Cross-Site Scripting Vulnerabilities
  • Description: HTTP Commander is a web-based file manager. It is prone to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the "LogoffMessage" parameter of "logofflast.aspx" and the "txtUsername" parameter of "Default.aspx". HTTP Commander version 6.0 is affected.
  • Ref: http://www.securityfocus.com/bid/22298

  • 07.6.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Movable Type Unspecified Cross-Site Scripting Vulnerability
  • Description: Movable Type is a web log application. It is prone to an unspecified cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. Sites that have disabled the "nofollow" plug-in are vulnerable. Movable Type versions prior to 3.34 are affected.
  • Ref: http://www.securityfocus.com/bid/22292

  • 07.6.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP Membership Manager Admin.PHP Cross-Site Scripting
  • Description: PHP Membership Manager is a web-based application that allows users to manage usernames and passwords. It is prone to a cross-site scripting vulnerability due to insufficient input sanitization of the "_p" parameter of "admin.php". Version 1.5 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/22263

  • 07.6.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CMSimple Mailform Sender Cross-Site Scripting
  • Description: CMSimple is a content manager. It is vulnerable to a cross-site scripting issue due to insufficient sanitization of user-supplied input to the "sender" parameter of the mailform site feature. CMSimple version 2.7.0 fix1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22250

  • 07.6.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AspSide.com tForum User_Confirm.ASP Multiple SQL Injection
  • Description: tForum is a web-based discussion forum application. It is prone to multiple SQL injection issues because it fails to properly sanitize user-supplied input to the "username" and "password" parameters of "user_confirm.asp" before using it in an SQL query. tForum version 2.00 is affected.
  • Ref: http://www.securityfocus.com/bid/22350

  • 07.6.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ExoPHPDesk FAQ.PHP SQL Injection
  • Description: ExoPHPDesk is a web-based help desk application. It is prone to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "faq.php" script before using it in an SQL query. ExoPHPDesk versions 1.2.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/22338

  • 07.6.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: CascadianFaq Index.PHP SQL Injection
  • Description: CascadianFAQ is a web-based Frequently Asked Questions (FAQ) application. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "catid" parameter of the "index.php" script. CascadianFAQ version 4.1 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22314

  • 07.6.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: MDPro Index.PHP SQL Injection
  • Description: MDPro is a content management system. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "startrow" parameter of the "index.php" script. MDPro version 1.0.76 is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/458438

  • 07.6.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ChernobiLe Default.ASP SQL Injection
  • Description: ChernobiLe is a web-based portal application. It is prone to an SQL injection issue because it fails to properly sanitize user-supplied input to the "username" and "password" fields of the "default.asp" script before using it in an SQL query. ChernobiLe version 1.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/22280

  • 07.6.41 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: AdMentor Admin Login SQL Injection
  • Description: AdMentor is a web-based banner ad application. It is prone to an SQL injection vulnerability due to insufficient input sanitization of the "UserID" and "Password" fields of the administrator login page. Version 0 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/22281

  • 07.6.42 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SpoonLabs Vivvo Article Management CMS Show_Webfeed.PHP SQL Injection
  • Description: Vivvo Article Management CMS is a web-based content management system implemented in PHP. It is prone to an SQL injection vulnerability due to insufficient input sanitization of the "Headlines" parameter of "rss/show_webfeed.php". Version 3.40 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/22282

  • 07.6.43 - CVE: CVE-2007-0630
  • Platform: Web Application - SQL Injection
  • Title: X-dev xNews xNews.php SQL Injection
  • Description: xNews is a web-based news script. It is vulnerable to an SQL injection issue due to insufficient sanitization of user-supplied input to the "id" parameter of the "xnews.php" script. X-dev xNews versions 1.3 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2007/0395

  • 07.6.44 - CVE: Not Available
  • Platform: Web Application
  • Title: JV2 Folder Gallery Template.PHP Remote File Include
  • Description: JV2 Folder Gallery is an image gallery. It is prone to a remote file include vulnerability due to insufficient input sanitization of the "galleryfilesdir" parameter in "gallery/theme/include_mode/template.php". Version 3.0.2 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22354

  • 07.6.45 - CVE: Not Available
  • Platform: Web Application
  • Title: Omegaboard Functions.PHP Remote File Include
  • Description: Omegaboard is a bulletin board application. It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "includes/functions.php" script. Omegaboard versions 1.04b and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/22355

  • 07.6.46 - CVE: Not Available
  • Platform: Web Application
  • Title: phpbb Tweaked PHPBB_Root_Path Remote File Include
  • Description: phpbb Tweaked is a prepackaged fork of phpBB 2. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "phpbb_root_path" parameter of the "includes/functions.php" script. phpbb Tweaked version 3 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22344

  • 07.6.47 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPMyRing LesLangues.PHP Remote File Include
  • Description: PHPMyRing is a webring management application. It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "fichier" parameter of the "leslangues.php" script. PHPMyRing versions 4.1.3b and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/22345

  • 07.6.48 - CVE: Not Available
  • Platform: Web Application
  • Title: OpenEMR Import_XML.PHP Remote File Include
  • Description: OpenEMR is a web-based electronic medical records (EMR) application. It is prone to a remote file include vulnerability due to insufficient input sanitization in the "srcdir" parameter of "import_xml.php". Version 2.8.2 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/22346

  • 07.6.49 - CVE: Not Available
  • Platform: Web Application
  • Title: Modx FileDownload Snippet Arbitrary File Download
  • Description: FileDownload is a file download application. It is prone to an arbitrary file download vulnerability because it fails to sufficiently sanitize user-supplied input to the "download.php" script. FileDownload versions prior to 2.5 are vulnerable.
  • Ref: http://modxcms.com/forums/index.php/topic,10470.msg71284.html#msg71284

  • 07.6.50 - CVE: Not Available
  • Platform: Web Application
  • Title: HailBoards UserCP_ViewProfile.PHP Remote File Include
  • Description: HailBoards is a web-based message board system. It is prone to a remote file include vulnerability due to insufficient input sanitization of the "phpbb_root_path" parameter of the "usercp_viewprofile.php" script. Version 1.2.0 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/22333

  • 07.6.51 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB2 MODificat PHPBB_Root_Path Remote File Include
  • Description: phpBB2 MODificat is a prepackaged fork of phpBB2, a web forum. It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "includes/functions.php" script. phpBB2 MODificat version 0.2.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/22320

  • 07.6.52 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Comment_Form_Add_Preview Code Execution
  • Description: Drupal is a content management application. It is vulnerable to an arbitrary PHP code execution issue because the application fails to properly sanitize user-supplied input to the "comment_form_add_preview()" function in the "comment.module" code.
  • Ref: http://drupal.org/node/113935

  • 07.6.53 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPFootball Show.PHP Information Disclosure
  • Description: PHPFootball is a web-based management application for football leagues. It is prone to an information disclosure vulnerability because user-supplied input to the "dbtable", "dbfield", "dbfieldv", and "dbfields" parameters of the "debug.php" script isn't sufficiently sanitized. PHPFootball version 1.6 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22312

  • 07.6.54 - CVE: Not Available
  • Platform: Web Application
  • Title: MyNews Themefunc.PHP Remote File Include
  • Description: MyNews is a web-based news reader. It is prone to a remote file include issue because it fails to properly sanitize user-supplied input to the "myNewsConf[path][sys][index]" parameter of the "themefunc.php" script. MyNews versions 4.2.2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/22313

  • 07.6.55 - CVE: CVE-2007-0347
  • Platform: Web Application
  • Title: CVSTrac Remote Denial of Service
  • Description: CVSTrac is a web-based version control front end application. It is prone to a remote denial of service vulnerability due to insufficient input sanitization in the "is_eow()" function in "format.c". An attacker may introduce database corruption, resulting in denial of service. Please refer to the advisory for further information.
  • Ref: http://www.cvstrac.org/cvstrac/tktview?tn=683

  • 07.6.56 - CVE: Not Available
  • Platform: Web Application
  • Title: phpMyReport Lib_Head.PHP Remote File Include
  • Description: phpMyReport is a web-based report application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "cfgPathModule" parameter of the "lib_head.php" script. phpMyReport version 3.0.11 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22290

  • 07.6.57 - CVE: Not Available
  • Platform: Web Application
  • Title: Webfwlog Debug.PHP Information Disclosure
  • Description: Webfwlog is an application for analyzing firewall logs. It is prone to an information disclosure issue because user-supplied input to the "configfile" parameter of the "debug.php" script isn't sufficiently sanitized. Webfwlog version 0.92 is affected.
  • Ref: http://www.securityfocus.com/bid/22291

  • 07.6.58 - CVE: Not Available
  • Platform: Web Application
  • Title: WebGUI Asset Deletion Security Bypass Vulnerability
  • Description: WebGUI is a web-based application framework and content management system. It is prone to a security bypass vulnerability because the "www_purgeList()" function fails to validate user credentials and privileges. WebGUI versions 7.3.6 and earlier are affected.
  • Ref: http://www.plainblack.com/getwebgui/advisories/security-defect-discovered-in-7.x-versions

  • 07.6.59 - CVE: Not Available
  • Platform: Web Application
  • Title: SQL-Ledger Redirect Arbitrary Code Execution
  • Description: SQL-Ledger is a double entry accounting system implemented in Perl. It is prone to an arbitrary code execution vulnerability during redirects. Versions 2.6 and prior are reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/22295

  • 07.6.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Php Generic MembreManager.PHP Remote File Include
  • Description: Php Generic is a web-based application. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "include_path" parameter of the "membreManager.php" script. See the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/22287

  • 07.6.61 - CVE: Not Available
  • Platform: Web Application
  • Title: EclipseBB Phpbb_Root_Path Remote File Include
  • Description: EclipseBB is a web-based application. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "functions.php" script. EclipseBB version 0.5.0 Lite is affected.
  • Ref: http://www.securityfocus.com/bid/22283

  • 07.6.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Foro Domus Menu.PHP Remote File Include
  • Description: Domus is a web-based application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "session_idioma" parameter of the "menu.php" script. Foro Domus version 2.10 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22285

  • 07.6.63 - CVE: Not Available
  • Platform: Web Application
  • Title: Horde Groupware Calendar Component Local File Include
  • Description: Horde Groupware is a web-based collaboration suite. It is prone to a local file include vulnerability because it fails to properly sanitize user-supplied input to an unspecified parameter in the calendar component. Horde Groupware version 1.0-RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/22273

  • 07.6.64 - CVE: CVE-2007-0576
  • Platform: Web Application
  • Title: Xt-Stats XT_Counter.PHP Remote File Include
  • Description: Xt-Stats is a web-based statistical gathering application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "server_base_dir" parameter of the "xt_counter.php" script. Xt-Stats version 2.4.0.b3 is vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2007/0387

  • 07.6.65 - CVE: CVE-2007-0573
  • Platform: Web Application
  • Title: nsGalPHP Config.Inc.PHP Remote File Include
  • Description: nsGalPHP is a web-based gallery application. It is vulnerable to a remote file include issue due to insufficient sanitization of user-supplied input to the "racineTBS" parameter of the "includes/config.inc.php" script. nsGalPHP versions 0.41 and earlier are vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2007/0392

  • 07.6.66 - CVE: Not Available
  • Platform: Web Application
  • Title: ACGVclick Function.Inc.PHP Remote File Include
  • Description: ACGVclick is a web-based application to track web use on a site. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "path" parameter of the "function.inc.php" script before using it in an "include()" call. ACGVclick version 0.2.0 is vulnerable and other versions may be affected as well.
  • Ref: http://www.securityfocus.com/bid/22278

  • 07.6.67 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP FOpen Safe_Mode Restriction Bypass
  • Description: PHP is a general purpose scripting language. It is vulnerable to a "safe_mode" restriction bypass issue due to a flawed interaction between multiple functions. PHP versions 5.2.0 and earlier are vulnerable.
  • Ref: http://securityreason.com/achievement_securityalert/44

  • 07.6.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Movable Type Comments HTML Injection
  • Description: Movable Type is a web log application. It is prone to an HTML injection vulnerability due to poor input sanitization in comment postings. Versions 3.33 and prior are reportedly vulnerable.
  • Ref: http://www.sixapart.com/movabletype/beta/distros/MT-3.34-beta-Release-Notes.html

  • 07.6.69 - CVE: Not Available
  • Platform: Web Application
  • Title: PHProxy Index.Inc.PHP HTML Injection
  • Description: PHProxy is an HTTP proxy. It is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input to the "Address Box" parameter of the "index.inc.php" script before using it in dynamically generated content. PHProxy versions prior to 0.5 beta 2 are affected.
  • Ref: http://www.securityfocus.com/bid/22255

  • 07.6.70 - CVE: Not Available
  • Platform: Web Application
  • Title: MyPHPCommander Package.PHP Remote File Include
  • Description: MyPHPCommander is a web-based interface to remotely manage a computer. It is prone to a remote file include vulnerability due to insufficient input sanitization of the "gl_root" parameter of "package.php". Version 2.0 is reportedly vulnerable.
  • Ref: http://www.securityfocus.com/bid/22257

  • 07.6.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Forum Livre Multiple Input Validation Vulnerabilities
  • Description: Forum Livre is a web-based forum application. It is prone to multiple input validation vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "user" parameter of the "info_user.asp" script and to the "palavra" parameter of the "busca2.asp" script. Forum Livre version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/22246

  • 07.6.72 - CVE: CVE-2006-6965
  • Platform: Web Application
  • Title: DokuWiki Fetch.PHP HTTP Response Splitting
  • Description: DokuWiki is a web-based wiki application. It is vulnerable to an HTTP response splitting issue because it fails to properly sanitize user-supplied input to the "media" parameter of the "lib/exe/fetch.php" script. DokuWiki version 2006.03.09e is vulnerable.
  • Ref: http://www.frsirt.com/english/advisories/2007/0357

  • 07.6.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Aztek Forum Multiple Input Validation Vulnerabilities
  • Description: Aztek Forum is a web forum application. It is prone to multiple input validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input to various parameters of various scripts. Aztek Forum version 4.0 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22239

  • 07.6.74 - CVE: Not Available
  • Platform: Network Device
  • Title: Intel Southbridge 2 Baseboard Management Controller Remote Denial of Service
  • Description: Intel Enterprise Southbridge 2 Baseboard Management Controllers are devices designed to allow server management functionality over the network. They are prone to a remote denial of service vulnerability due to a failure of the devices to properly restrict remote access to authorized users. Firmware versions prior to release 57 are affected.
  • Ref: http://lz1.intel.com/psirt/advisory.aspx?intelid=INTEL-SA-00012&languageid=en-fr

  • 07.6.75 - CVE: Not Available
  • Platform: Network Device
  • Title: Computer Associates BrightStor ARCserve Backup LGServer.EXE Denial of Service
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup and restore protection. They are vulnerable to a remote denial of service issue due to insufficient handling of specially crafted packets sent to the LGSERVER.EXE processes running on TCP port 2200. See the advisory for further details.
  • Ref: http://www.securityfocus.com/bid/22337

  • 07.6.76 - CVE: Not Available
  • Platform: Network Device
  • Title: BrightStor ARCserve Backup LGServer Remote Heap Buffer Overflow
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup and restore protection. They are vulnerable to a remote heap-based buffer overflow issue when receiving packets containing "\x4e\x3d\x2c\x1b" followed by 65535 characters, causing heap memory to be overwritten and the termination of the process. Computer Associates BrightStor ARCserve Backup Laptop and Desktop version 11.1 SP2 resolves this issue.
  • Ref: http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp

  • 07.6.77 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco IOS SIP Packet Handling Remote Denial of Service
  • Description: Cisco IOS is prone to a denial of service vulnerability affecting devices that support voice communications but don't have Session Initiation Protocol (SIP) enabled. Cisco IOS releases subsequent to 12.3(14)T, 12.3(8)YC1, and 12.3(8)YG are vulnerable. All releases of 12.4 are affected as well.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml

  • 07.6.78 - CVE: Not Available
  • Platform: Network Device
  • Title: Intel 2200BG 802.11 Driver Beacon Frame Denial of Service
  • Description: The Intel 2200BG driver is prone to a remote code execution vulnerability due to a race condition. The vulnerability occurs when the affected device driver "w29n51.sys" fails to properly handle malformed disassociation packets. Intel 2200 driver version 9.0.3.9 is vulnerable, and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/22260

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.