
@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 7
February 12, 2007

One of the oldest vulnerable services, telnet, is newly vulnerable on Solaris (#1). A working exploit is available, but Sun has not even confirmed the vulnerability nor provided a patch. Security vendor Trend Micro's antivirus system is now a back door into systems on which it is deployed (#2).

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Category                                  # of Updates & Vulnerabilities
Windows                                   5
Microsoft Office                          1
Third-Party Microsoft Application         1 (#5)
Mac Os                                    1
HP-UX                                     1
Aix                                       2 (#4)
Unix                                      1 (#1)
Cross Platform                            11 (#2, #3, #6)
Web Application - Cross Site Scripting    6
Web Application - SQL Injection           9
Web Application                           41
Network Device                            1

***************** Sponsored By Fiberlink Communications *****************

Mobile Preparedness for Business Continuity. Are you prepared to turn office workers into mobile workers during times of crisis? Does your plan consider complete endpoint security and easy-to-use network connectivity for all users? This whitepaper discusses steps you should take to ensure protection and productivity during an emergency. http://www.sans.org/info/3371

*************************************************************************

TRAINING UPDATE: Why Attend SANS 2007 in San Diego? Ask past SANS attendees:

1) "This training provided the opportunity to learn from many of the people who are defining the future direction of information technology" (Larry Anderson, Computer Sciences Corp.)

2) "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." (David Ritch, Department of Defense)

3) "The best aspect of SANS is that it is tailored each year to what I, as an administrator, need to learn. SANS does an excellent job of keeping pace with current technologies, issues and trends." (John Mechalas, Intel)

4) "Fantastic! Tons of information! My brain is now Jello - I'll be back next year." (Kurt Danielson, National Marrow Donor Program) SANS2007: http://www.sans.org/sans2007/index.php More venues (100 cities) http://www.sans.org/index.php

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Mac Os
HP-UX
Aix
Unix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device

****************** Sponsored By SANS Encryption Summit *****************

1) The SANS Encryption Summit, April 23-25, provides concrete, actionable information you can deploy as soon as you return to work. http://www.sans.org/info/3366

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (2) HIGH: Trend Micro Antivirus UPX File Parsing Buffer Overflow
  • Affected:
    • Trend Micro Antivirus Engine with a Virus Pattern File prior to 4.245.00.
    • The Trend Micro Antivirus Engine is deployed in a wide array of Trend Micro and third-party OEM products. Please consult the official security advisory to determine if a product is vulnerable.
  • Description: Trend Micro Antivirus, a popular antivirus solution, contains a buffer overflow vulnerability when parsing executables compressed with the UPX executable compression program. A specially-crafted executable could trigger this buffer overflow and execute arbitrary code with SYSTEM/root privileges, allowing complete control of the vulnerable system. Note that the malicious file can be sent to a vulnerable system via email (spam messages), web, FTP, Instant Messaging or Peer-to-Peer file sharing. UPX file format vulnerabilities have been widely reported in the past, and UPX file fuzzers are commonly available.

  • Status: Trend Micro confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
  • (3) MODERATE: Samba Multiple Remote Code Execution Vulnerabilities
  • Affected:
    • Samba version 3.0.23d and prior
  • Description: Samba, an open source implementation of the Microsoft Server Message Block (SMB) or Common Internet File System (CIFS) protocol, contains multiple vulnerabilities: 1) Samba provides a "winbind" module that is loadable by the Name Service Switch facility on several UNIX and UNIX-like systems. This module allows name service lookups via the WINS protocol. On Sun Solaris systems configured to use this module, a specially-crafted request can trigger a stack-based buffer overflow to execute arbitrary code with root privileges. 2) Samba contains a format string vulnerability that can be triggered while serving Andrew File System (AFS) directories via CIFS. If the "afsacl.so" module is loaded on a vulnerable system, a user with write privileges could exploit this format string to execute arbitrary code with the privileges of the Samba process. Both vulnerable configurations are rare, and neither is the default configuration. Note that, because Samba is open source, technical details for these vulnerabilities are available via source code analysis.

  • Status: Samba confirmed, updates available.

  • Council Site Actions: Two of the reporting council sites are using the affected software. Both sites plan to update their systems during their next regularly scheduled system maintenance period. One of the sites commented that even though they are not using the vulnerable features right now, they can't say that they will not be used in the future. Thus, they feel the best practice is to install the patches now.

  • References:
  • (4) LOW: IBM AIX Remote Access Commands Unspecified Buffer Overflow
  • Affected:
    • IBM AIX versions 5.2 and 5.3
  • Description: IBM AIX, IBM's UNIX-based operating system, contains an unspecified buffer overflow vulnerability in its remote-access commands. Currently, only the "rdist" command (used to distribute files among multiple systems) is confirmed vulnerable, but other remote access commands (such as "rsh") may also be vulnerable. A specially-crafted request could trigger this buffer overflow and allow an authenticated attacker to execute arbitrary code with root privileges. Note that traditional ".rhosts" authentication is believed to be sufficient to reach the vulnerable code; this authentication method is generally regarded as easy to bypass. No details are available on the exact nature of this vulnerability.

  • Status: IBM confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Other Software
  • (5) CRITICAL: Alipay Password Input ActiveX Control Buffer Overflow
  • Affected:
    • Alipay Password Input ActiveX Control current version and possibly prior
  • Description: The Alipay Password Input ActiveX control is an ActiveX component used for securely entering passwords and other authentication information. It is widely deployed throughout Asia, and is (according to the vendor's website) the leading online payment service in China. This ActiveX control contains a buffer overflow vulnerability. A specially-crafted web page could instantiate this control and exploit this vulnerability, leading to arbitrary code execution with the privileges of the current user. Technical details and a proof-of-concept for this vulnerability are publicly available. Additionally, reusable exploit code targeting arbitrary ActiveX controls is widely available.

  • Status: Vendor has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling this control via Microsoft's "kill bit" mechanism for GUID "66F50F46-70A0-4A05-BD5E-FBCC0F9641EC". Note that this may impact normal usability of websites that depend on the affected control.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
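One way to apply the kill-bit mitigation named in the Status line of entry (5), as an added PowerShell example that is not part of the bulletin: the script, its function names and the Wow6432Node handling are assumptions of mine, while the CLSID is the one the advisory gives and the 0x400 flag value is Microsoft's documented kill-bit flag.

```powershell
# Set-KillBit.ps1 (hypothetical script, not from the bulletin)
# Sets the Internet Explorer "kill bit" for the Alipay Password Input ActiveX
# control so IE refuses to instantiate it, then verifies the registry state.
# Run from an elevated PowerShell prompt; the default CLSID is the GUID the
# advisory names.
param(
    [string]$Clsid = '66F50F46-70A0-4A05-BD5E-FBCC0F9641EC'
)

# Bit 0x400 in "Compatibility Flags" is the kill bit (Microsoft KB 240797).
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both when present.
$bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags([string]$Path) {
    # Returns the current Compatibility Flags DWORD, or 0 if the key/value is absent.
    if (-not (Test-Path $Path)) { return 0 }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit([string]$Path) {
    # True when the kill bit is present in the flags for this CLSID key.
    return ((Get-CompatFlags $Path) -band $KillBit) -eq $KillBit
}

foreach ($base in $bases) {
    $key = Join-Path $base "{$Clsid}"
    if (Test-KillBit $key) {
        Write-Output "Kill bit already set: $key"
        continue
    }
    # Create the CLSID subkey if needed; keep any existing flag bits and OR in the kill bit.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $newFlags = (Get-CompatFlags $key) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord

    if (Test-KillBit $key) {
        Write-Output ("Kill bit set: {0} (Compatibility Flags = 0x{1:X})" -f $key, $newFlags)
    } else {
        Write-Error "Failed to set kill bit under $key"
    }
}
```

The script preserves any other compatibility flags already set for the control; once a fixed control ships, clear bit 0x400 rather than deleting the key, since other bits may still apply.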
  • (6) HIGH: HP Mercury Software Suite Buffer Overflow
  • Affected:
    • Mercury LoadRunner Agent versions 8.0 and 8.1
    • Mercury Performance Center Agent versions 8.0 and 8.1
    • Mercury Monitor Over Firewall version 8.1
  • Description: Mercury LoadRunner, a popular solution for application performance and load testing, contains a stack-based buffer overflow vulnerability. A specially-crafted request with an overlong "server_ip_name" could exploit this vulnerability, and execute arbitrary code with the privileges of the LoadRunner process. Users are advised to block access to TCP port 54345 at the network perimeter, if possible. Technical details for this vulnerability are publicly available.

  • Status: HP confirmed, updates available.

  • Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 7, 2007

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5362 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 07.7.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft February Advance Notification Multiple Vulnerabilities
  • Description: Microsoft has released advance notification that the vendor will be releasing 12 security bulletins on February 13, 2007. The highest severity rating for these issues is "Critical". Please refer to the link below for further details.
  • Ref: http://www.microsoft.com/technet/security/bulletin/rating.mspx

  • 07.7.2 - CVE: Not Available
  • Platform: Windows
  • Title: FlashFXP PWD Command Remote Buffer Overflow
  • Description: FlashFXP is an FTP server for use on Microsoft Windows operating systems. The application is prone to a buffer overflow vulnerability because it fails to properly bounds check user-supplied data, copying it into an insufficiently-sized buffer. Version 3.4.0 build 1145 is affected.
  • Ref: http://www.securityfocus.com/bid/22433

  • 07.7.3 - CVE: Not Available
  • Platform: Windows
  • Title: Avast! Antivirus Server Edition Password Setting Security Bypass
  • Description: Avast! Antivirus Server Edition is an anti-virus application for servers. The application is available for Microsoft Windows. It is prone to a security bypass vulnerability due to an access validation error. When a password is set, the application does not always request the password to be entered before changing certain settings. Versions prior to 4.7.726 are affected.
  • Ref: http://www.avast.com/eng/avast-4-server-revision-history.html http://www.securityfocus.com/bid/22425

  • 07.7.4 - CVE: Not Available
  • Platform: Windows
  • Title: Blue Coat Systems WinProxy Connect Remote Heap Overflow
  • Description: WinProxy is an Internet sharing proxy server for the Windows operating system. The application is prone to a heap overflow issue as it fails to perform sufficient boundary checks on user-supplied data before copying it into an insufficiently-sized buffer. Versions prior to 6.1r1c are affected.
  • Ref: http://www.securityfocus.com/archive/1/459199 http://www.securityfocus.com/bid/22393

  • 07.7.5 - CVE: Not Available
  • Platform: Windows
  • Title: SmartFTP Banner Remote Heap Buffer Overflow
  • Description: SmartFTP is an FTP client application for the Microsoft Windows operating system. SmartFTP is prone to a remote heap-based buffer overflow vulnerability because the application fails to properly bounds check user-supplied data prior to copying it to an insufficiently-sized memory buffer. SmartFTP version 2.0.1002 is affected.
  • Ref: http://www.securityfocus.com/bid/22390

  • 07.7.6 - CVE: CVE-2007-0671
  • Platform: Microsoft Office
  • Title: Microsoft Office Malformed String Remote Code Execution
  • Description: Microsoft Office is prone to a remote code execution vulnerability. This issue occurs when the application processes maliciously crafted files. Microsoft Office XP SP3 and prior are affected.
  • Ref: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-020717-0252-99 http://www.kb.cert.org/vuls/id/613740 http://www.microsoft.com/technet/security/advisory/932553.mspx

  • 07.7.7 - CVE: Not Available
  • Platform: Mac Os
  • Title: Chicken of the VNC Remote Denial of Service
  • Description: Chicken of the VNC is a freely available remote VNC client for Apple Mac OS X computers. It is prone to a remote denial of service vulnerability because it fails to properly handle malformed server-supplied content. Chicken of the VNC version 2.0b4 is affected.
  • Ref: http://www.securityfocus.com/bid/22372

  • 07.7.8 - CVE: CVE-2007-0446
  • Platform: HP-UX
  • Title: Multiple Mercury Products Magnetproc.EXE Buffer Overflow Vulnerabilities
  • Description: Mercury LoadRunner Agent, Performance Center Agent and Monitor over Firewall are applications that perform load testing and monitor performance on computers. These products are prone to a stack-based buffer overflow vulnerability because the applications fail to bounds check user-supplied data before copying it into an insufficiently-sized buffer. HP Mercury Performance Center Agent versions 8.1 FP4 and prior are affected.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-07-007.html http://www.securityfocus.com/archive/1/459496 http://www.securityfocus.com/bid/22487


  • 07.7.10 - CVE: Not Available
  • Platform: Aix
  • Title: IBM AIX RDist Unspecified Buffer Overflow
  • Description: IBM AIX is exposed to an unspecified buffer overflow issue. This issue is due to insufficient bounds checks when copying user-supplied input to insufficiently-sized memory buffers. This issue affects "rdist" due to an issue in the "bos.rte.libc" library. AIX version 5.3 is affected.
  • Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY94301 http://www.securityfocus.com/bid/22370

  • 07.7.11 - CVE: Not Available
  • Platform: Unix
  • Title: Axigen Mail Server Multiple Denial of Service Vulnerabilities
  • Description: Axigen Mail Server is an email server available for Unix and Unix-like operating systems. The application is prone to multiple denial of service vulnerabilities because the application fails to handle exceptional conditions. Axigen Mail Server 2.0.0b1 and 1.2.6 are affected.
  • Ref: http://www.securityfocus.com/bid/22473



  • 07.7.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: STLPort Library Multiple Unspecified Buffer Overflow Vulnerabilities
  • Description: STLport is a C++ Standard Template Library (STL). The STLport library is susceptible to multiple unspecified buffer overflow vulnerabilities because the library fails to properly bounds check user-supplied input before copying it to insufficiently-sized memory buffers. STLport versions prior to 5.0.3 are affected.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=483468 http://www.securityfocus.com/bid/22423

  • 07.7.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VMware Clipboard Multiple Information Disclosure Vulnerabilities
  • Description: VMware is an operating system emulation environment. It is prone to multiple information disclosure vulnerabilities due to design errors in the clipboard and copy and paste functions of VMware. VMware version 5.5.3 build 34685 is affected.
  • Ref: http://www.securityfocus.com/bid/22413

  • 07.7.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Jetty Insecure Random Number Generation
  • Description: Jetty is a Java server available for various operating systems. It is prone to a vulnerability that allows an attacker to determine the seed of a random number generator because the application uses the "java.util.Random" class to generate session IDs. This issue affects versions prior to 4.2.27 for the 4.x series, 5.1.12 for the 5.x series, 6.0.2 for the 6.0.x series, and 6.1.0pre3 for the 6.1.x series.
  • Ref: http://www.securityfocus.com/bid/22405/info http://fisheye.codehaus.org/changelog/jetty/?cs=1274

  • 07.7.17 - CVE: CVE-2007-0453
  • Platform: Cross Platform
  • Title: Samba NSS host lookup Winbind Multiple Remote Buffer Overflow Vulnerabilities
  • Description: Samba is a file and print server. It is available for multiple operating platforms. The application is prone to multiple remote buffer overflow vulnerabilities because the application fails to bounds check user-supplied data before copying it into an insufficiently-sized buffer. This issue affects versions 3.0.21 to 3.0.23d.
  • Ref: http://www.securityfocus.com/archive/1/459168 http://www.securityfocus.com/bid/22410/info

  • 07.7.18 - CVE: CVE-2007-0454
  • Platform: Cross Platform
  • Title: Samba Server VFS Plugin AFSACL.SO Remote Format String
  • Description: Samba is a file and print server for use with "SMB/CIFS" clients. It is prone to a remote format string vulnerability because it fails to properly sanitize user-supplied input before including it in the format specifier argument of a formatted printing function. Samba versions 3.0.6 to 3.0.23d are affected.
  • Ref: http://www.kb.cert.org/vuls/id/649732

  • 07.7.19 - CVE: CVE-2007-0555, CVE-2007-0556
  • Platform: Cross Platform
  • Title: PostgreSQL Information Disclosure and Denial of Service Vulnerabilities
  • Description: PostgreSQL is a relational database suite. It is available for UNIX, Linux, and variants, as well as Apple Mac OS X and Microsoft Windows operating systems. Versions 7.3, 7.4, 8.0, 8.1 and 8.2 are affected.
  • Ref: http://rhn.redhat.com/errata/RHSA-2007-0064.html http://www.postgresql.org/support/security

  • 07.7.20 - CVE: CVE-2007-0452
  • Platform: Cross Platform
  • Title: Samba Deferred CIFS File Open Denial of Service
  • Description: Samba is a freely available file and printer sharing application. The smbd daemon is prone to a denial of service vulnerability because requests are never removed from the deferred file open request queue, which results in an infinite loop. Samba versions 3.0.6 through 3.0.23d are affected.
  • Ref: http://www.securityfocus.com/bid/22395

  • 07.7.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Remotesoft .NET Explorer Remote Stack Buffer Overflow
  • Description: Remotesoft .NET Explorer is an object browser and MSIL disassembler for Microsoft Windows operating systems. It is prone to a remote stack-based buffer overflow issue as the application fails to properly bounds check user-supplied data prior to copying it to an insufficiently-sized buffer. Remotesoft .NET Explorer 2.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22377

  • 07.7.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Computer Associates BrightStor ARCserve Backup Catirpc.EXE Denial Of Service
  • Description: Computer Associates BrightStor ARCserve Backup products provide backup and restore protection for Windows, NetWare, Linux, and UNIX servers as well as Windows, Mac OS X, Linux, UNIX, AS/400, and VMS clients. The application is prone to a denial of service vulnerability because it mishandles unexpected user-supplied input. Computer Associates BrightStor ARCServe Backup versions 11.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/22365

  • 07.7.23 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CPanel PassWDMySQL Cross-Site Scripting
  • Description: cPanel is a web hosting control panel. It is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the "password" parameter of the "passwdmysql.php" script. cPanel versions 11.0.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/22474

  • 07.7.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: vBulletin Attachment.PHP Cross-Site Scripting
  • Description: vBulletin is a web forum implemented in PHP. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the form field "Extension" of the "admincp/attachment.php" script. Version 3.6.4 is affected.
  • Ref: http://www.securityfocus.com/bid/22466

  • 07.7.25 - CVE: CVE-2007-0537, CVE-2007-0478
  • Platform: Web Application - Cross Site Scripting
  • Title: KDE Konqueror KHTML Library Title Cross Site Scripting
  • Description: Konqueror is a web browser application included in the KDE desktop environment. The application is prone to a cross-site scripting vulnerability because the KHTML library fails to sufficiently sanitize user-supplied data from HTML "title" tags. Versions 3.5.6 and prior are affected. Apple Safari web browser is also affected.
  • Ref: http://www.securityfocus.com/archive/1/archive/1/457924/100/0/threaded http://www.kde.org/info/security/advisory-20070206-1.txt http://www.securityfocus.com/bid/22428

  • 07.7.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Adobe ColdFusion User_Agent Error Page Cross-Site Scripting
  • Description: ColdFusion is web application development software. The application is vulnerable to cross-site scripting attacks because it fails to sufficiently sanitize user-supplied input to the "USER_AGENT" parameter before displaying it in dynamically generated error pages. Adobe ColdFusion MX 7.02, 7.01, and 6.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/459178 http://www.securityfocus.com/bid/22401

  • 07.7.27 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: MySearchEngine Unspecified Cross-Site Scripting Vulnerability
  • Description: MySearchEngine is a web-based search engine implemented in PHP. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/459145

  • 07.7.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Uebimiau Index.PHP Cross-Site Scripting
  • Description: UebiMiau is a webmail client. The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input to the "f_user" parameter of the "index.php" script. Version 2.7.10 is affected.
  • Ref: http://www.securityfocus.com/bid/22375

  • 07.7.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: DevTrack HTML Injection and SQL Injection Vulnerabilities
  • Description: DevTrack is a defect and project tracking tool. It is prone to multiple input validation issues because it fails to sufficiently sanitize user-supplied data to the "keyword search" and the "username" fields. DevTrack version 6.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/22460

  • 07.7.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: LushiNews Comments.PHP SQL Injection
  • Description: Lushinews is a web-based news application. It is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "common.php" script before using it in an SQL query. Lushinews versions 1.01 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/22469

  • 07.7.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: LushiWarPlaner Register.PHP SQL Injection
  • Description: LushiWarPlaner is a web-based game tracking utility for Counterstrike implemented in PHP. The application is prone to an SQL injection vulnerability because it fails to properly sanitize user-supplied input to the "id" parameter of the "register.php" script. LushiWarPlaner version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/22470

  • 07.7.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Kisisel Site 2007 SQL Injection
  • Description: Kisisel Site 2007 is a web-based forum. It is prone to an SQL injection issue as it fails to properly sanitize user-supplied input to the "forumid" parameter of the "forum.asp" script. Kisisel Site 2007 is affected.
  • Ref: http://www.securityfocus.com/bid/22435

  • 07.7.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Woltlab Burning Board Lite Pms.PHP SQL Injection
  • Description: Woltlab Burning Board Lite is a free web-based bulletin board package. It is prone to an SQL Injection issue because it fails to properly sanitize user-supplied input to the "pmid" parameter of the "pms.php" script. Woltlab Burning Board Lite version 1.0.2 pl3e is affected.
  • Ref: http://www.securityfocus.com/bid/22415

  • 07.7.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Xoops Multiple Unspecified SQL Injection Vulnerabilities
  • Description: Xoops is a web portal application. It is prone to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in SQL queries. Xoops version 2.0.16 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22399

  • 07.7.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Ublog Reload HTML Injection and SQL Injection Vulnerabilities
  • Description: Ublog Reload is a blog application implemented in ASP. Ublog Reload is prone to multiple input validation issues because it fails to sufficiently sanitize user-supplied data. Multiple HTML injection vulnerabilities affect unspecified forms in the "login.asp", "badword.asp", "polls.asp" and "users.asp" scripts. An SQL injection vulnerability affects an unspecified parameter of the "badword.asp" script. Version 1.0.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/459027 http://www.securityfocus.com/bid/22382/info

  • 07.7.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Photo Galerie View.PHP SQL Injection
  • Description: Photo Galerie is a web-based application. It is prone to an SQL injection issue as it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "view.php" script before using it in an SQL query. Photo Galerie Standard versions 1.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/22384

  • 07.7.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Curium CMS News.PHP SQL Injection
  • Description: Curium CMS is a content management system implemented in PHP. The application is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data to the "c_id" parameter of the "news.php" script before using it in an SQL query. Versions 1.03 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/22373

  • 07.7.38 - CVE: CVE-2007-0669
  • Platform: Web Application
  • Title: TWiki CGI Session File Code Execution
  • Description: TWiki is a wiki-based content management system (CMS). TWiki is prone to a code execution issue because it allows attackers with write access to the "/tmp" CGI session directory to create CGI session files containing arbitrary Perl code that will be executed with the privileges of the webserver process. TWiki versions 4.0.0 to 4.1.0 and all versions using "SessionPlugin" are vulnerable.
  • Ref: http://www.kb.cert.org/vuls/id/584436

  • 07.7.39 - CVE: Not Available
  • Platform: Web Application
  • Title: Sage Extension Feed HTML Injection
  • Description: Sage is a newsfeed aggregator plugin for the Firefox browser. The application is prone to an input validation vulnerability that allows malicious HTML and script code to be injected before the input is used in dynamically generated content. Version 1.3.9 is affected.
  • Ref: http://mozdev.org/bugs/show_bug.cgi?id=16320 http://www.securityfocus.com/bid/22493

  • 07.7.40 - CVE: Not Available
  • Platform: Web Application
  • Title: Site-Assistant Menu.PHP Remote File Include
  • Description: Site-Assistant is a web-based content management system. It is prone to a remote file include issue as it fails to sufficiently sanitize user-supplied input to the "path[versions]" parameter of the "menu.php" script before using it in an "include()" function call. Site-Assistant version 0990 is affected.
  • Ref: http://www.securityfocus.com/bid/22467

  • 07.7.41 - CVE: Not Available
  • Platform: Web Application
  • Title: cPanel Web Hosting Manager OBJCache.PHP Remote File Include
  • Description: cPanel Web Hosting Manager is a web site management application, implemented in PHP. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "obj" parameter of the "objcache.php" script. Versions 11.1.0 (build 53) and prior are vulnerable.
  • Ref: http://changelog.cpanel.net/ http://www.securityfocus.com/archive/1/459449 http://www.securityfocus.com/bid/22455

  • 07.7.42 - CVE: Not Available
  • Platform: Web Application
  • Title: OTSCMS Multiple Input Validation Vulnerabilities
  • Description: OTSCMS is a content management system. It is prone to input validation vulnerabilities because it fails to sufficiently sanitize user-supplied input in the "name" parameter of the "forum.php" script and in the "id" parameter of the "priv.php" script. OTSCMS versions 2.1.5 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/22450


  • 07.7.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Advanced Poll Admin Index.PHP Information Disclosure
  • Description: Advanced Poll is a web-based polling application. It is prone to an information-disclosure vulnerability because the application discloses information about the administrative session variables. Versions 2.0.0 through 2.0.5-dev inclusive are affected.
  • Ref: http://www.securityfocus.com/bid/22451

  • 07.7.45 - CVE: Not Available
  • Platform: Web Application
  • Title: SYSCP System Control Panel CronJob Arbitrary Code Execution
  • Description: SysCP is an application for internet service providers that allows customers to administer their accounts via a web-based control panel. It is prone to an arbitrary code execution issue that affects directory structures inside a customer's "homedir" directory. SysCP version 1.2.15 is affected.
  • Ref: http://www.securityfocus.com/bid/22453

  • 07.7.46 - CVE: Not Available
  • Platform: Web Application
  • Title: SYSCP System Control Panel Panel_CronScript Table Local File Include
  • Description: SysCP is an application for internet service providers that allows customers to administer their accounts via a web-based control panel. It is prone to a local file include vulnerability due to a failure to validate user-supplied data. SysCP version 1.2.15 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/22454

  • 07.7.47 - CVE: Not Available
  • Platform: Web Application
  • Title: AgerMenu Top.Inc.PHP Remote File Include
  • Description: AgerMenu is a menu generator application implemented in PHP. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "rootdir" parameter of the "top.inc.php" script. Version 0.01 is affected.
  • Ref: http://www.securityfocus.com/bid/22442

  • 07.7.48 - CVE: Not Available
  • Platform: Web Application
  • Title: WebMatic Index_Album.PHP Multiple Remote File Include Vulnerabilities
  • Description: WebMatic is an application that allows users to develop websites. The application is prone to multiple remote file include vulnerabilities because it fails to properly sanitize user-supplied input to the "P_LIB" and "P_INDEX" parameters of the "index_album.php" script. Version 2.6 is affected.
  • Ref: http://www.securityfocus.com/bid/22444

  • 07.7.49 - CVE: Not Available
  • Platform: Web Application
  • Title: FreeProxy Proxy Request Denial of Service
  • Description: FreeProxy HTTP proxy server is a web proxy application. It is prone to a denial of service vulnerability that is triggered when an attacker sends the proxy a request whose hostname and port number point at the proxy server itself. FreeProxy version 3.92 1623 is affected.
  • Ref: http://www.securityfocus.com/bid/22445

  • 07.7.50 - CVE: Not Available
  • Platform: Web Application
  • Title: Alipay Password Input ActiveX Control Remote Code Execution
  • Description: Alipay ActiveX Control is a web browser add-on designed to work with the Alipay online payment service. The issue occurs when input is passed to the "idx" parameter of the library's "remove()" function. The user-supplied input is used as a function pointer after being multiplied by (2**4) and added to 16.
  • Ref: http://www.securityfocus.com/bid/22446

  • 07.7.51 - CVE: Not Available
  • Platform: Web Application
  • Title: MySQLNewsEngine Affichearticles.PHP3 Remote File Include
  • Description: MySQLNewsEngine is a PHP-based news manager. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "newsenginedir" parameter of the "affichearticles.php3" script before using it in a "require()" function call.
  • Ref: http://www.securityfocus.com/bid/22431

  • 07.7.52 - CVE: Not Available
  • Platform: Web Application
  • Title: FlashChat Info.PHP HTML Injection
  • Description: FlashChat is a web-based chat application implemented in PHP. The application is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Versions 4.7.8 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/459160 http://www.securityfocus.com/bid/22411

  • 07.7.53 - CVE: CVE-2007-0436
  • Platform: Web Application
  • Title: X-Kryptor Secure Client Privilege Escalation
  • Description: X-Kryptor Secure Client is a client application for dynamic VPN products that secure site-to-site, remote access and wireless LAN networks. X-Kryptor Secure Client is prone to a local privilege escalation vulnerability. This issue occurs when the user is presented with a prompt for RSA credentials. Instead of entering the required credentials, the attacker may press the F1 key and be presented with an instance of Windows Explorer, which runs with SYSTEM privileges. X-Kryptor Xgntr BMS1351, Driver BMS1446HRR and Install BMS1472 are affected.
  • Ref: http://www.securityfocus.com/bid/22424 http://www.barronmccann.com/ISec/s2pressrelease.asp?PRID=141&S2ID=14

  • 07.7.54 - CVE: Not Available
  • Platform: Web Application
  • Title: LightRO CMS Inhalt.PHP Remote File Include
  • Description: LightRO CMS is a content management system. It is prone to a remote file include issue as it fails to properly sanitize user-supplied input to the "dateien[news]" parameter of the "inhalt.php" script. LightRO CMS 1 Beta is affected.
  • Ref: http://www.securityfocus.com/bid/22430

  • 07.7.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Yahoo! Messenger Chat Room Denial of Service
  • Description: Yahoo! Messenger is a chat and instant messaging application. It is prone to a denial of service issue, which can be triggered by sending a large number of messages in rapid succession while in a Yahoo! Messenger chat room. Yahoo! Messenger versions 8.1.0.239 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/22407

  • 07.7.56 - CVE: Not Available
  • Platform: Web Application
  • Title: Coppermine Photo Gallery Multiple Remote and Local File Include Vulnerabilities
  • Description: Coppermine Photo Gallery is a web-based photo gallery application, implemented in PHP. The application is prone to multiple remote and local file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "Path to custom header include" and "Path to custom footer include" form fields in the "admin.php" script. Coppermine Photo Gallery 1.4.10 is affected.
  • Ref: http://www.securityfocus.com/bid/22409

  • 07.7.57 - CVE: Not Available
  • Platform: Web Application
  • Title: GGCMS Remote PHP Code Execution
  • Description: GGCMS is a content management application, written in PHP. The application is prone to an arbitrary PHP code execution vulnerability because the "admin/subpages.php" script fails to properly sanitize configuration variables when storing user template files, allowing a malicious user to inject PHP script code. Version 1.1.0 RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/22412

  • 07.7.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Geeklog Multiple Remote File Include Vulnerabilities
  • Description: Geeklog is a web content management system. The application is prone to multiple remote file include vulnerabilities because it fails to properly sanitize user-supplied input. The vulnerability resides in the "glConf" parameter of the "Geeklog/MVCnPHP/BaseView.php" and "Geeklog/MVCnPHP/ViewInterface.php" scripts. Versions 2.0 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/22386

  • 07.7.59 - CVE: Not Available
  • Platform: Web Application
  • Title: Microsoft Internet Explorer Malformed HTML For Script Denial of Service
  • Description: Microsoft Internet Explorer is prone to a denial of service vulnerability because the application fails to handle a malformed web page properly. The issue occurs when the application processes a malicious page that contains a malformed "for" loop. The problem is reported as a NULL pointer dereference error in "mshtml.dll". Internet Explorer version 6 is affected.
  • Ref: http://www.securityfocus.com/bid/22408

  • 07.7.60 - CVE: Not Available
  • Platform: Web Application
  • Title: Categories Hierarchy Class_Template.PHP Remote File Include
  • Description: Categories hierarchy is a web-based development application. It is prone to a remote file include vulnerability because the application fails to properly sanitize user-supplied input to the "phpbb_root_path" parameter of the "class_template.php" script. Categories hierarchy version 2.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/22400

  • 07.7.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Uapplication Uphotogallery Thumbnails.ASP HTML Injection
  • Description: Uapplication Uphotogallery is a web-based photo gallery application implemented in ASP. The application is prone to an HTML injection vulnerability because it fails to properly sanitize user-supplied input to the "s" parameter of the "thumbnails.asp" script. Uapplication Uphotogallery version 1.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/459187 http://www.securityfocus.com/bid/22404

  • 07.7.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Coppermine Photo Gallery Admin.PHP Shell Command Execution
  • Description: Coppermine Photo Gallery is a web-based photo application. The application is prone to a shell command execution vulnerability because it fails to properly sanitize user-supplied input. This issue affects version 1.4.10.
  • Ref: http://www.securityfocus.com/bid/22406


  • 07.7.64 - CVE: Not Available
  • Platform: Web Application
  • Title: SMA-DB Settings.PHP Remote File Include
  • Description: SMA-DB is a database manager application. It is prone to a remote file include vulnerability as the application fails to properly sanitize user-supplied input to the "pfad_z" parameter, which is used in the include path in "theme/settings.php". SMA-DB versions 0.3.9 and earlier are affected.
  • Ref: http://people.ee.ethz.ch/~dmaeder/bluevirus/main.php?tpc=programs

  • 07.7.65 - CVE: Not Available
  • Platform: Web Application
  • Title: Adrenalin's ASP Chat HTML Injection
  • Description: Adrenalin's ASP Chat is a web-based chat application. It is prone to an HTML injection vulnerability because it fails to properly sanitize HTML and script code from input submitted in a chat box or as a user's "pseudo".
  • Ref: http://www.securityfocus.com/bid/22392

  • 07.7.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Mozilla Firefox Popup Blocker Cross Zone Security Bypass Weakness
  • Description: Mozilla Firefox is prone to a cross-zone security bypass weakness. This issue allows attackers to open "file://" URIs from remote web sites. This issue presents itself if an unsuspecting user manually allows a remote web site to display a popup window. The built-in security checks for remote "file://" URIs are bypassed, resulting in the popup window being able to open "file://" URIs, even when the popup originates from a non-local source. Mozilla Firefox version 1.5.0.9 is affected.
  • Ref: http://www.securityfocus.com/archive/1/459162 http://www.securityfocus.com/bid/22396

  • 07.7.67 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB++ PHPBB_Root_Path Remote File Include
  • Description: phpBB++ is a web-based bulletin board. It is prone to a remote file include vulnerability as it fails to sufficiently sanitize user-supplied input to the "phpbb_root_path" parameter of the "includes/functions.php" script. phpBB++ build 100 is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22376

  • 07.7.68 - CVE: Not Available
  • Platform: Web Application
  • Title: PortailPHP Multiple Remote File Include Vulnerabilities
  • Description: PortailPHP is a forum application. It is prone to remote file include vulnerabilities because it fails to properly sanitize user-supplied input to the "chemin" parameter of various scripts. PortailPHP version 2 is vulnerable, and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/22381

  • 07.7.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Flip Multiple Remote File Include Vulnerabilities
  • Description: Flip is a weblog application. It is prone to multiple remote file include vulnerabilities because it fails to sufficiently sanitize user-supplied input to the "inc_path" parameter of the "Previewtheme.php", "options.php" and "head.php" scripts. Flip version 2.01-final 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/22385

  • 07.7.70 - CVE: Not Available
  • Platform: Web Application
  • Title: F3Site Index.PHP HTML Injection
  • Description: F3Site is a web application implemented in PHP. The application is prone to an HTML injection vulnerability as it fails to properly sanitize user-supplied input before using it in dynamically generated content. Versions 2.1 and prior are vulnerable.
  • Ref: http://www.securityfocus.com/bid/22379

  • 07.7.71 - CVE: Not Available
  • Platform: Web Application
  • Title: Simple Invoices Controller.PHP Multiple Local File Include Vulnerabilities
  • Description: Simple Invoices is a web-based invoicing system. The application is prone to multiple local file include vulnerabilities because it fails to properly sanitize user-supplied input to the "module" and "view" parameters of the "controller.php" script. Versions prior to 20070202 are vulnerable.
  • Ref: http://www.simpleinvoices.org/index.php?news=25 http://www.securityfocus.com/bid/22389

  • 07.7.72 - CVE: Not Available
  • Platform: Web Application
  • Title: EasyMoblog Multiple Input Validation Vulnerabilities
  • Description: EasyMoblog is a blog application implemented in PHP. The application is prone to multiple input validation vulnerabilities because it fails to sufficiently sanitize user-supplied input. EasyMoblog version 0.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22369

  • 07.7.73 - CVE: Not Available
  • Platform: Web Application
  • Title: DreamStats System Rootpath Remote File Include
  • Description: DreamStats System is a web-based server statistics application. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "rootpath" parameter of the "index.php" script. Dreamstats version 4.2 is affected.
  • Ref: http://www.securityfocus.com/bid/22371

  • 07.7.74 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPProbid Lang.PHP Remote File Include
  • Description: PHPProbid is a web-based auction application. The application is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "lang" parameter of the "lang.php" script. PHPProbid Version 5.24 is affected.
  • Ref: http://www.securityfocus.com/bid/22374


  • 07.7.76 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPEventMan Multiple Remote File Include Vulnerabilities
  • Description: PHPEventMan is a forum application implemented in PHP. The application is prone to remote file include vulnerabilities because it fails to properly sanitize user-supplied input. The vulnerability exists in the "level" parameter of the "/shared/controller/text.ctrl.php" and "/UserMan/controller/common.function.php" scripts. Version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/22358

  • 07.7.77 - CVE: Not Available
  • Platform: Web Application
  • Title: Epistemon Common.Inc.PHP Remote File Include
  • Description: Epistemon is an educational content manager implemented in PHP. The application is prone to a remote file include vulnerability as it fails to sufficiently sanitize user-supplied input to the "inc_path" parameter of the "common.inc.php" script. Version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/22360

  • 07.7.78 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Web Portail Includes.PHP Remote File Include
  • Description: PHP Web Portail is a web portal. It is prone to a remote file include vulnerability because it fails to sufficiently sanitize user-supplied input to the "site_path" parameter of the "/includes/includes.php" script. PHP Web Portail version 2.5.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22361

  • 07.7.79 - CVE: Not Available
  • Platform: Network Device
  • Title: HP OpenView Network Node Manager Insecure Permissions
  • Description: HP OpenView Network Node Manager is used to perform remote network administration. It is prone to a local insecure permissions vulnerability: a flaw in the application's installation process leaves the HP OpenView installation with insecure file permissions. Versions 7.5.0 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/22475

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.