@RISK: The Consensus Security Vulnerability Alert

Volume: VI, Issue: 9
February 26, 2007

All four of the most critical vulnerabilities this week are associated with security products (the fifth is in Firefox). No surprise here; most security products were written when attacks focused on vulnerabilities in system software. Today, however, more attacks focus on applications - especially security applications that run with high privileges. Secure programming skills are now far more valuable than programming skills alone. Sadly, colleges and universities have continued to graduate computer scientists and computer engineers and programmers without ever teaching them secure coding techniques in any required courses. Buyers have no way to know whether suppliers of software have a clue about secure coding techniques. When the National Secure Coding Exam is released this summer, organizations that buy software may want to ask their vendors and consultants how well their programmers did on the exam. They may be ashamed to report bad scores, and that could lead to sharply improved security skills.

Alan

P.S. Cisco's IP phone also has a lot of vulnerabilities.

P.P.S. SANS 2007 (San Diego at the end of March) early registration discount deadline is this Wednesday, Feb. 28. www.sans.org/sans2007/

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                  # of Updates & Vulnerabilities
    ----------------------------------------  ------------------------------
    Windows                                   3
    Other Microsoft Products                  1
    Third Party Windows Apps                  10 (#2, #3, #4, #8)
    Mac OS                                    2
    Linux                                     2
    Unix                                      2
    Cross Platform                            7 (#1, #5, #6, #7, #10)
    Web Application - Cross Site Scripting    3
    Web Application - SQL Injection           10
    Web Application                           33
    Network Device                            2 (#9)

*************** Sponsored By SANS Encryption Summit *********************

The SANS Encryption Summit April 23-25 is an in-depth program featuring user-to-user discussions focused on lessons learned, mistakes to avoid, and technologies and processes that work in protecting sensitive data on laptops and desktops. Get your burning questions answered by those who have already fought the wars. http://www.sans.org/info/3996

*************************************************************************

Table Of Contents

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Windows
    Other Microsoft Products
    Third Party Windows Apps
    Mac OS
    Linux
    Unix
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Network Device

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Snort DCE-RPC Preprocessor Buffer Overflow
  • Affected:
    • Snort versions prior to 2.6.1.3
    • Snort is shipped as part of many other products including Sourcefire's commercial intrusion prevention/detection products and several Linux distributions.
  • Description: Snort, a popular open source intrusion detection and prevention system, contains a buffer overflow in its handling of the DCE-RPC protocol. Microsoft RPC protocol, based on the DCE-RPC reference, is decoded by Snort to detect numerous attacks targeting RPC vulnerabilities. A sequence of specially-crafted DCE-RPC requests could trigger this buffer overflow and execute arbitrary code with the privileges of the Snort process, often root. Since Snort's DCE-RPC preprocessor is enabled by default, attackers can easily send malicious traffic on a network segment monitored by Snort to exploit this flaw. The technical details can be obtained via source code analysis.

  • Status: Snort confirmed, updates available.

  • References:
  • (2) CRITICAL: Trend Micro ServerProtect Multiple Vulnerabilities
  • Affected:
    • Trend Micro ServerProtect for Windows version 5.58
    • Trend Micro ServerProtect for EMC version 5.58
    • Trend Micro ServerProtect for Network Appliance Filer versions 5.61 and 5.62
  • Description: Trend Micro ServerProtect, an anti-virus product designed for file-servers and web-servers, contains multiple vulnerabilities: [a] ServerProtect runs an RPC service, which can be accessed without authentication, on the TCP port 5168. A specially-crafted request to this service can trigger buffer overflows in the "StCommon.DLL" or "eng50.dll" libraries. Successfully exploiting these overflows allows an attacker to execute arbitrary code with "SYSTEM" privileges. Comprehensive technical details for these vulnerabilities are publicly available. [b] ServerProtect's web configuration interface contains an authentication-bypass vulnerability. An easily-determined session identifier can be sent to the server to spoof an authenticated session. Successfully exploiting this vulnerability can allow an attacker to reconfigure or disable the anti-virus checks.

  • Status: Trend Micro confirmed, updates available. A workaround is to block the port tcp/5168 at the network perimeter to prevent attacks from the Internet.

  • References:
  • (3) HIGH: SupportSoft ActiveX Controls Remote Code Execution
  • Affected:
    • SupportSoft SmartIssue, RemoteAssist, and Probe ActiveX controls running on SupportSoft software versions 5.6 and 6.x. Note that SupportSoft ActiveX controls are used by multiple vendors including Symantec.
  • Description: SupportSoft provides "support automation" software to resolve end-user technical issues and is used by a number of vendors including Symantec. The software uses SmartIssue, RemoteAssist, and Probe ActiveX controls that contain stack-based buffer overflow and unauthorized access vulnerabilities. A malicious webpage can exploit these vulnerabilities to execute arbitrary code on a client system with the privileges of the logged-on user. The technical details regarding the vulnerabilities have not been publicly posted.

  • Status: SupportSoft has released an update for its software versions 5.6 and 6.x. These ActiveX controls are included in Symantec's Symantec Automated Support Assistant, Symantec Norton AntiVirus 2006, Symantec Norton Internet Security 2006 and Symantec Norton System Works 2006. Symantec disabled the vulnerable controls in its installed product base via LiveUpdate in November 2006. Symantec has also released software updates for its affected products.

  • References:
  • (4) HIGH: VeriSign Managed PKI Configuration Checker ActiveX Control Buffer Overflow
  • Affected:
    • VeriSign VSCnfChk.dll version 2.0.0.2
  • Description: The Configuration Checker ActiveX control, VSCnfChk.dll, is included in VeriSign's Managed PKI Client Local Hosting and Remote Hosting kits. This ActiveX control contains a stack-based buffer overflow that can be triggered by passing a parameter (over 28 bytes) to the control's VerCompare() method. A malicious webpage can exploit this overflow to execute arbitrary code on the client system with the privileges of the logged-on user.

  • Status: VeriSign has updated the ActiveX control to fix this flaw.

  • References:
  • (5) HIGH: Mozilla Firefox Multiple Vulnerabilities
  • Affected:
    • Firefox versions 2.x prior to 2.0.0.2
    • Firefox versions 1.5.x prior to 1.5.0.10
  • Description: Mozilla released a security update for the Firefox browser last week. This update fixes 8 security issues, with 2 issues rated critical and 1 issue rated high by the Mozilla team. The memory corruption vulnerability addressed by this patch, involving the "onUnload" JavaScript event handler, can potentially be exploited to execute arbitrary code. The patch also fixes a vulnerability that can allow malicious webpages to alter cookies for other domains.

  • Status: Firefox versions 2.0.0.2 and 1.5.0.10, containing the patches, have been released. Some of the vulnerabilities also affect the Thunderbird and SeaMonkey software. Thunderbird version 1.5.0.10 and SeaMonkey version 1.0.8, when released, will address those vulnerabilities.

  • References: Mozilla Security Advisory
Other Software
  • (7) MODERATE: S&H Computer Systems News Rover Buffer Overflow
  • Affected:
    • News Rover versions 12.x
  • Description: S&H Computer Systems News Rover, a popular Usenet news reader, contains a buffer overflow vulnerability in the processing of NZB files (used to store Usenet posts). A specially-crafted NZB file could exploit this buffer overflow and execute arbitrary code with the privileges of the current user. Depending on configuration, NZB files may be opened by default by the vulnerable application.

  • Status: S&H has not confirmed, no updates available.

  • References:
  • (8) MODERATE: Quiksoft EasyMail IMAP4 Component Buffer Overflow
  • Affected:
    • Quiksoft EasyMail Objects prior to version 6.5
  • Description: Quiksoft EasyMail contains several ActiveX components that provide various email-related functions. The IMAP4 component contains a buffer overflow in the "hostname" parameter of its "Connect" method. A web page that instantiates this component could trigger a buffer overflow by passing an overlong argument to this method, and execute arbitrary code with the privileges of the current user.

  • Status: Quiksoft confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit" mechanism for CLSID "703B353E-FA2E-4072-8DDF-F70AAC7E527E".

  • References:
Exploit Code
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 9, 2007


  • 07.9.1 - CVE: CVE-2007-0843
  • Platform: Windows
  • Title: Microsoft Windows ReadDirectoryChangesW Information Disclosure
  • Description: Microsoft Windows is prone to a local information disclosure vulnerability because the "bWatchSubtree" parameter in the "ReadDirectoryChangesW()" API allows users to monitor changes within a directory tree. Multiple versions of Microsoft Windows 2000, XP, 2003 and Vista are affected. See the reference below for details.
  • Ref: http://www.securityfocus.com/bid/22664

  • 07.9.2 - CVE: CVE-2007-1070
  • Platform: Windows
  • Title: Trend Micro ServerProtect SPNTSVC.EXE Multiple Stack-Based Buffer Overflow Vulnerabilities
  • Description: Trend Micro ServerProtect is an antivirus application designed specifically for servers. It is exposed to multiple remote stack-based buffer overflow issues because the application fails to properly bounds check user-supplied input. Trend Micro ServerProtect for Windows 5.58, for Network Appliance Filer 5.62, 5.61, and for EMC 5.58 are affected.
  • Ref: http://www.tippingpoint.com/security/advisories/TSRT-07-01.html http://www.securityfocus.com/archive/1/460690

  • 07.9.3 - CVE: Not Available
  • Platform: Windows
  • Title: Multiple Newsreader Applications .NZB File Remote Heap Overflow Vulnerability
  • Description: NewsReactor and NewsBin Pro are news collector applications. They are prone to a remote heap-based buffer overflow issue because they fail to perform sufficient boundary checks on user-supplied data before copying it into an insufficiently-sized buffer. NewsBin Pro versions 5.33 and 4.3.2 are affected.
  • Ref: http://www.securityfocus.com/bid/22620

  • 07.9.4 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Local File Access Vulnerabilities
  • Description: Microsoft Internet Explorer is the native web browser for Windows systems. It is exposed to multiple local file access issues because it fails to properly handle HTML tags. Internet Explorer version 6 on a fully patched Windows XP SP2 system is affected.
  • Ref: http://www.xdisclose.com/XD100099.txt

  • 07.9.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: VeriSign Configuration Checker ActiveX Control Remote Buffer Overflow
  • Description: VeriSign Configuration Checker is an ActiveX control that provides digital authentication. It is exposed to multiple remote buffer overflow issues because the software fails to properly bounds check user-supplied input.
  • Ref: http://www.kb.cert.org/vuls/id/308087

  • 07.9.6 - CVE: CVE-2006-6490
  • Platform: Third Party Windows Apps
  • Title: SupportSoft ActiveX Controls Remote Buffer Overflow Vulnerabilities
  • Description: SupportSoft is a software package for delivering technical support. It is included in multiple products from various vendors. Once installed, ActiveX controls are made available for websites to use. SupportSoft ActiveX controls are prone to multiple remote buffer overflow issues because the software fails to properly bounds check user-supplied input.
  • Ref: http://www.symantec.com/avcenter/security/Content/2007.02.22.html

  • 07.9.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: NewsBin Pro NBI File Remote Buffer Overflow Vulnerabilities
  • Description: NewsBin Pro is a NNTP news reader application. It is exposed to two remote buffer overflow issues due to a failure of the application to properly sanitize user-supplied input prior to copying it to insufficiently sized memory buffers. NewsBin Pro 5.33 is affected.
  • Ref: http://www.securityfocus.com/bid/22652

  • 07.9.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: BrowseDialog ActiveX Control CCRPBDS6.DLL Buffer Overflow Vulnerabilities
  • Description: The BrowseDialog ActiveX control allows applications to utilize Microsoft Windows' "Browse for Folders" functionality. The control is exposed to multiple buffer overflow vulnerabilities due to a lack of adequate bounds checking on user-supplied data before copying it to an insufficiently-sized buffer.
  • Ref: http://support.microsoft.com/kb/240797

  • 07.9.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTP Explorer PWD Parameter Denial of Service
  • Description: FTP Explorer is an FTP (File Transfer Protocol) application. The application is prone to a denial of service issue because it fails to properly handle overly long PWD responses. Version 1.0.1 Build 047 is affected.
  • Ref: http://www.securityfocus.com/bid/22640

  • 07.9.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: FTP Voyager CWD Parameter Remote Stack-Based Buffer Overflow
  • Description: FTP Voyager is exposed to a remote stack-based buffer overflow issue because it fails to properly bounds check user-supplied input before copying it to an insufficiently-sized memory buffer. FTP Voyager version 14.0.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/22637

  • 07.9.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: News File Grabber Subject Line Remote Stack-Based Buffer Overflow
  • Description: News File Grabber is a newsreader application. It is exposed to a remote stack-based buffer overflow issue because the application fails to properly bounds check user-supplied input before copying it to an insufficiently-sized memory buffer. Version 4.1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22617

  • 07.9.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: News Rover Subject Line Remote Stack-Based Buffer Overflow
  • Description: News Rover is a newsreader application. It is exposed to a remote stack-based buffer overflow issue because the application fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. Specifically, the application fails to handle "nbz" files with arbitrarily long subject lines. Version 4.1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22618

  • 07.9.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Grabit Field Handling Denial of Service
  • Description: Grabit is a newsreader application. It is exposed to a denial of service issue because the application fails to handle ".nbz" files with fields containing semicolons. Grabit versions 4.1.0.1 and 1.5.3 are affected.
  • Ref: http://www.securityfocus.com/bid/22619

  • 07.9.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: VicFTPS Remote Buffer Overflow
  • Description: VicFTPS is a file transfer protocol server. The application is exposed to a remote buffer overflow issue because it fails to properly validate the length of user-supplied strings prior to copying them into finite-sized process buffers. VicFTPS versions prior to 5.0 are affected.
  • Ref: http://www.securityfocus.com/bid/22608

  • 07.9.15 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X ImageIO GIF Image Integer Overflow
  • Description: Apple Mac OS X ImageIO is an image processing framework that provides applications with read and write functionality for various image file formats. It was introduced in Mac OS X 10.4 Tiger. It is prone to an integer overflow issue because it fails to handle specially-crafted image files. Mac OS X version 10.4.8 is affected.
  • Ref: http://security-protocols.com/sp-x39-advisory.php

  • 07.9.16 - CVE: Not Available
  • Platform: Mac Os
  • Title: Parallels Drag and Drop Hidden Share
  • Description: Parallels is a desktop virtualization solution. The application is prone to a drag and drop hidden share issue due to a design flaw in the affected application. This flaw enables the drag and drop feature on the guest operating system but implements it as a hidden share that allows read/write access to the entire host file system.
  • Ref: http://www.securityfocus.com/bid/22597

  • 07.9.17 - CVE: CVE-2007-0772
  • Platform: Linux
  • Title: Linux Kernel NFSACL Denial of Service
  • Description: Linux kernel is an essential part of Linux responsible for resource allocation, low-level hardware interfaces, security, etc. It is exposed to a denial of service issue due to a free wrong pointer error when handling NFSACL version 2 "ACCESS" requests. Versions in the Linux kernel 2.6 series up to 2.6.20 are affected.
  • Ref: http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.1

  • - CVE: CVE-2007-1007, CVE-2007-1006
  • Platform: Linux
  • Title: Ekiga GM_Main_Window_Flash_Message Remote Format String Vulnerability
  • Description: Ekiga is a VoIP and video conferencing application. It is prone to a remote format string issue because it fails to properly sanitize user-supplied input before including it in the format specifier argument of the "gm_main_window_flash_message()" function. Ekiga versions prior to 2.0.5 are affected.
  • Ref: http://rhn.redhat.com/errata/RHSA-2007-0086.html

  • 07.9.19 - CVE: CVE-2007-0007
  • Platform: Unix
  • Title: GNUCash Insecure Temporary File Creation
  • Description: GNUCash is GNU/GPL licensed financial accounting software. It creates temporary files in an insecure way. GNUCash 2.0.5 and prior versions are affected.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=487446

  • 07.9.20 - CVE: Not Available
  • Platform: Unix
  • Title: Axigen POP3 Service Remote Format String
  • Description: Axigen is a mail server. It is prone to a remote format string issue because it fails to properly sanitize user-supplied input before including it in the format specifier argument of a formatted printing function. Axigen version 2.0.0-beta1 is affected.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052507.html

  • 07.9.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox Bookmarks HTML Injection
  • Description: Mozilla Firefox is a web browser. It is prone to an HTML injection issue because of the way URIs containing inline script code are handled. Mozilla Firefox 2.0.1 and earlier versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/460885

  • 07.9.22 - CVE: CVE-2006-5276
  • Platform: Cross Platform
  • Title: Snort/Sourcefire DCE/RPC Packet Reassembly Stack-Based Buffer Overflow
  • Description: Snort is a freely available, open-source NID system. Snort IDS and Sourcefire Intrusion Sensor are prone to a stack-based buffer overflow vulnerability because the network intrusion detection (NID) systems fail to handle specially-crafted "DCE" and "RPC" network packets. This vulnerability can be exploited to execute malicious code in the context of the user running the affected application. Snort Project versions 2.6.1.2 and earlier versions are affected.
  • Ref: http://www.securityfocus.com/bid/22616

  • 07.9.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple iTunes XML Parsing Remote Memory Corruption
  • Description: Apple iTunes is a media player for Microsoft Windows and Apple Mac OS X. The application is exposed to a remote memory corruption issue because it fails to properly handle malformed XML playlist files. Apple iTunes version 7.0.2 for Intel and PowerPC is affected.
  • Ref: http://www.securityfocus.com/archive/1/460544

  • 07.9.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Powerschool Javascript File Request Information Disclosure
  • Description: Powerschool is a school management system. It is prone to an information disclosure issue because the application fails to sufficiently sanitize user-supplied input when requesting a "js" file. Version 4.3.6 is affected.
  • Ref: http://www.securityfocus.com/archive/1/460533

  • 07.9.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM DB2 DB2DIAG.LOG File Local Arbitrary File Overwrite
  • Description: IBM DB2 is exposed to a local arbitrary file overwrite issue due to insufficient permissions on the "DB2DIAG.LOG" file. IBM DB2 versions prior to version 9 fix pack 2 are affected.
  • Ref: http://www.securityfocus.com/bid/22614/info

  • 07.9.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Libevent DNS Parsing Denial of Service
  • Description: Libevent is an API that provides an interface to execute callback functions due to signals, timeouts, or events upon file descriptors. It is a common component in system security and network interface software such as honeypots, scanning, intrusion detection, proxying, and malware detection applications. The denial of service issue occurs when the application processes DNS response packets. Versions 1.2 to 1.2a are affected.
  • Ref: http://monkey.org/~provos/libevent/

  • 07.9.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox About:Blank Spoof
  • Description: Mozilla Firefox is exposed to a vulnerability that may allow attackers to spoof browser windows. This occurs due to a flaw in the security model of the application's JavaScript engine. Mozilla Firefox 2.0.1 and earlier versions are affected.
  • Ref: http://www.securityfocus.com/archive/1/460369

  • 07.9.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CedStat Index.PHP Cross-Site Scripting
  • Description: CedStat is an alert delivery application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "hier" parameter of the "index.php" script. CedStat versions 1.31 and earlier are vulnerable.
  • Ref: http://www.securityfocus.com/bid/22653

  • 07.9.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Google Desktop Cross-Site Scripting Weakness
  • Description: Google Desktop is a freely-available application that allows users to search the contents of their computer. It is implemented as a combination of a local webserver bound to the loopback interface and a sidebar application. It also ties heavily into services provided by google.com. Google Desktop is prone to a cross-site scripting weakness because the application fails to properly sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/22650

  • 07.9.30 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: AbleDesign MyCalendar Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: AbleDesign MyCalendar is a calendar application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. This vulnerability affects the "go" parameter and the "search", "username" and "password" input fields of the "index.php" script. Version 2.20.3 is affected.
  • Ref: http://www.securityfocus.com/bid/22635

  • 07.9.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: webSPELL Printview.PHP SQL Injection
  • Description: webSPELL is a clan and gaming CMS. The application is prone to a SQL injection issue because it fails to properly sanitize user-supplied input to the "topic" parameter of the "printview.php" script. webSPELL version 4.1.2 is affected.
  • Ref: http://www.securityfocus.com/bid/22659/info

  • 07.9.32 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Nabopoll Result.PHP SQL Injection
  • Description: Nabopoll is a voting and survey application. The application is prone to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "surv" parameter of the "result.php" script before using it in an SQL query. Nabopoll version 1.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/460765

  • 07.9.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Design4Online Userpages2 Page.ASP SQL Injection
  • Description: Userpages2 is a content management system (CMS). The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "art_id" parameter of the "page.asp" script. Version 2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/22636

  • 07.9.34 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Nuke Multiple SQL Injection Vulnerabilities
  • Description: PHP-Nuke is a web-based CMS application. It is exposed to multiple SQL injection vulnerabilities because it fails to properly sanitize user-supplied input to the "var" variable of the "index.php" and "modules/News/categories.php" scripts. PHP-Nuke version 8.0 Final is vulnerable.
  • Ref: http://www.securityfocus.com/bid/22638

  • 07.9.35 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: NukeSentinel Multiple SQL Injection Vulnerabilities
  • Description: NukeSentinel is a clan management add-on for PHP-Nuke. The application is exposed to multiple SQL injection issues because it fails to properly sanitize user-supplied input to the "tid" parameter of the "nsbypass.php" script and the "Client-IP" parameter of the "nukesentinel.php" script. NukeSentinel version 2.5.5 is affected.
  • Ref: http://www.securityfocus.com/archive/1/460599

  • 07.9.36 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP-Nuke Emporium Module Modules.PHP SQL Injection
  • Description: The Emporium Module is an ecommerce add-on for PHP-Nuke. The application is prone to SQL injection issues because it fails to properly sanitize user-supplied input to the "category_id" parameter of the "modules.php" script. PHP-Nuke Emporium Module 2.3 is affected.
  • Ref: http://www.securityfocus.com/bid/22612

  • 07.9.37 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: XLAtunes View.PHP SQL Injection
  • Description: XLAtunes is an album list application designed to work with iTunes XML-based library files. The application is prone to an SQL injection issue because it fails to properly sanitize user-supplied input to the "album" parameter of the "view.php" script. Viktor Jackson XLAtunes version 0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22602

  • 07.9.38 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Turuncu Portal H_Goster.ASP SQL Injection
  • Description: Turuncu Portal is a web portal system. The application is prone to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "h_goster.asp" script before using it in an SQL query. Version 1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/22591

  • 07.9.39 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Snitz Forums 2000 Pop_Profile.ASP SQL Injection
  • Description: Snitz Forums 2000 is a web forum application. The application is prone to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "pop_profile.asp" script. Version 3.1 SR4 is affected.
  • Ref: http://www.securityfocus.com/bid/22593

  • 07.9.40 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: webSPELL 'showonly' Parameter SQL Injection
  • Description: webSPELL is a gaming CMS (content management system). The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "showonly" parameter of the "index.php" script before using it in an SQL query. Version 4.01.02 is affected.
  • Ref: http://www.securityfocus.com/bid/22541

  • 07.9.41 - CVE: Not Available
  • Platform: Web Application
  • Title: Invision Power Board Profile.PHP Input Validation
  • Description: Invision Power Board is a bulletin board. It is prone to an unspecified input validation issue because the application fails to properly sanitize unspecified parameters of the "profile.php" script. Versions 2.0.0 through 2.1.4 are affected.
  • Ref: http://www.securityfocus.com/bid/16518

  • 07.9.42 - CVE: Not Available
  • Platform: Web Application
  • Title: CutePHP CuteNews Multiple Remote File Include Vulnerabilities
  • Description: CutePHP CuteNews is a news and web log application. The application is prone to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "cutepath" parameter of the "show_archives.php" and "show_news" scripts. CutePHP CuteNews version 1.3.6 is affected.
  • Ref: http://www.securityfocus.com/bid/22674

  • 07.9.43 - CVE: CVE-2006-4838, CVE-2006-4836, CVE-2006-4837
  • Platform: Web Application
  • Title: Connectix Board Multiple Input Validation Vulnerabilities
  • Description: Connectix is a web forum application. It is prone to multiple input validation issues because the application fails to properly sanitize user-supplied input. Connectix version 0.7 is affected.
  • Ref: http://www.securityfocus.com/bid/22656

  • 07.9.44 - CVE: Not Available
  • Platform: Web Application
  • Title: Trend Micro ServerProtect Session ID Authentication Bypass
  • Description: Trend Micro ServerProtect is an antivirus application which runs on file servers. The application is prone to an authentication bypass issue because the web interface does not properly validate the "splx_2376_info" cookie which is used to authenticate the administrative user of the application.
  • Ref: http://www.securityfocus.com/archive/1/460805

  • 07.9.45 - CVE: Not Available
  • Platform: Web Application
  • Title: TYPO3 Internal Form Engine Email Header Injection
  • Description: TYPO3 is a web content management application. The package is prone to an email header injection issue because it fails to properly sanitize data in the email form engine before using it to construct email messages. Typo3 versions 4.0.4 and earlier are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-20070221-1

  • 07.9.46 - CVE: Not Available
  • Platform: Web Application
  • Title: Pheap Edit.PHP Directory Traversal
  • Description: Pheap is a web-based content management system (CMS). The application is prone to a directory traversal issue because it fails to properly sanitize user-supplied input. The issue occurs when specially crafted HTTP GET requests containing a directory traversal string are sent to the "filename" parameter of the "edit.php" script. Pheap versions 2.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/460920

  • 07.9.47 - CVE: Not Available
  • Platform: Web Application
  • Title: Pyrophobia Multiple Input Validation Vulnerabilities
  • Description: Pyrophobia is a content manager. The application is prone to multiple input validation issues because it fails to sufficiently sanitize user-supplied data. Pyrophobia version 2.1.3.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22667

  • 07.9.48 - CVE: Not Available
  • Platform: Web Application
  • Title: Reamday Enterprises Magic News Pro Multiple Input Validation Vulnerabilities
  • Description: Magic News Pro is a web-based news management application. It is exposed to multiple input validation issues because the application fails to properly sanitize user-supplied input. Version 1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/22661

  • 07.9.49 - CVE: Not Available
  • Platform: Web Application
  • Title: SimBin Development Team Multiple Games Denial of Service
  • Description: SimBin Development Team creates a variety of car racing games. Multiple games are prone to a denial of service vulnerability. SimBin Development Team RACE - The WTCC Game versions 1.0 (0.6.3.0) and prior are affected.
  • Ref: http://www.securityfocus.com/bid/22651

  • 07.9.50 - CVE: CVE-2006-5063
  • Platform: Web Application
  • Title: Call-Center-Software Add_Call.PHP HTML Injection
  • Description: Call-Center-Software is a web-based call center system. The application is prone to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. It affects the "problem_desc" input field of the "add_call.php" script. Call-Center-Software version 0.93 is affected.
  • Ref: http://www.securityfocus.com/bid/22654

  • 07.9.51 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPTrafficA Multiple Directory Traversal Vulnerabilities
  • Description: PHPTrafficA is a web traffic analysis tool. The application is exposed to multiple directory traversal issues because it fails to properly sanitize user-supplied input to the "file" parameter of the "plotStat.php" script and the "lang" parameter of the "banref.php" script. PHPTrafficA version 1.4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22655

  • 07.9.52 - CVE: Not Available
  • Platform: Web Application
  • Title: DBImageGallery DonsImg_Base_Path Parameter Multiple Remote File Include Vulnerabilities
  • Description: DBImageGallery is a web-based photo gallery application. The application is prone to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "donsimg_base_path" parameter. Version 1.2.2 is affected.
  • Ref: http://www.securityfocus.com/bid/22657

  • 07.9.53 - CVE: Not Available
  • Platform: Web Application
  • Title: DBGuestBook DBS_Base_Path Parameter Multiple Remote File Include Vulnerabilities
  • Description: DBGuestbook is a guestbook application. The application is prone to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "dbs_base_path" parameter. Version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22658

  • 07.9.54 - CVE: Not Available
  • Platform: Web Application
  • Title: deV!Lz Clanportal Browser.PHP Information Disclosure
  • Description: deV!Lz Clanportal is a web-based portal. The application is exposed to an information disclosure issue because the application does not properly filter user-supplied input to the "file" parameter of "browser.php". Version 1.4.5 is affected.
  • Ref: http://www.securityfocus.com/bid/22660

  • 07.9.55 - CVE: Not Available
  • Platform: Web Application
  • Title: Interspire SendStudio Multiple Remote File Include Vulnerabilities
  • Description: Interspire SendStudio is a MySQL and PHP-based email newsletter application. The application is prone to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "ROOTDIR" parameter of the scripts "admin/includes/createemails.inc.php" and "admin/includes/send_emails.inc.php". SendStudio version 2004.14 is affected.
  • Ref: http://www.securityfocus.com/bid/22642

  • 07.9.56 - CVE: Not Available
  • Platform: Web Application
  • Title: FlashGameScript Index.PHP Remote File Include
  • Description: FlashGameScript is an arcade web site application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "func" parameter of the "index.php" script before using it in an "include()" call. Version 1.5.4 is affected.
  • Ref: http://www.securityfocus.com/bid/22646

  • 07.9.57 - CVE: Not Available
  • Platform: Web Application
  • Title: TurboFTP Denial of Service and Buffer Overflow Vulnerabilities
  • Description: TurboFTP is an FTP (File Transfer Protocol) server application. The application is exposed to a denial of service issue and multiple remote heap buffer overflow issues triggered by overly long responses and file name parameters. TurboFTP version 5.30 Build 572 is affected.
  • Ref: http://www.securityfocus.com/bid/22634

  • 07.9.58 - CVE: Not Available
  • Platform: Web Application
  • Title: Ultimate Fun Book Function.PHP Remote File Include
  • Description: Ultimate Fun Book is a guestbook application. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "gbpfad" parameter of the "function.php" script. Version 1.02 is affected.
  • Ref: http://www.securityfocus.com/bid/22633

  • 07.9.59 - CVE: Not Available
  • Platform: Web Application
  • Title: PeanutKB Multiple Unspecified Input Validation Vulnerabilities
  • Description: PeanutKB is a knowledge-base system. The application is exposed to multiple unspecified input validation issues. Versions prior to 0.0.4 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/22628

  • 07.9.60 - CVE: CVE-2006-5063
  • Platform: Web Application
  • Title: Kayako SupportSuite Index.PHP Multiple HTML Injection Vulnerabilities
  • Description: Kayako SupportSuite is a web-based support center application. It is prone to multiple HTML injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. SupportSuite versions 3.00.13 and 3.04.10 are affected.
  • Ref: http://www.securityfocus.com/bid/22631

  • 07.9.61 - CVE: Not Available
  • Platform: Web Application
  • Title: Nortel SSL VPN Net Direct Client Local Privilege Escalation
  • Description: Nortel SSL VPN Net Direct Client is an SSL VPN client application. It is delivered via a web interface from VPN servers and contains a mix of JavaScript, a Java applet and native binaries. It is prone to a local privilege escalation issue due to the insecure use of "/tmp" when installing and executing the vulnerable software. Nortel Networks SSL VPN Net Direct Client versions 6.0.1, 6.0.2 and 6.0.3 are affected.
  • Ref: http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071&RenditionID=&poid=null

  • 07.9.62 - CVE: Not Available
  • Platform: Web Application
  • Title: Xpression News Xnews-Template Multiple Directory Traversal Vulnerabilities
  • Description: Xpression News is a news management system. It is prone to multiple directory traversal issues because it fails to properly sanitize user-supplied input to the "xnews-template" parameter of the "archives.php" and "news.php" scripts. Xpression News version 1.0.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22609

  • 07.9.63 - CVE: Not Available
  • Platform: Web Application
  • Title: HTAccess Passwort Generator Generate.PHP Remote File Include
  • Description: Htaccess Passwort Generator is a web-based password generation application. The application is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "ht_pfad" parameter of the "generate.php" script before using it in an "include()" call. Version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22598

  • 07.9.64 - CVE: Not Available
  • Platform: Web Application
  • Title: Vivvo Article Manager DBConn.PHP Remote File Include
  • Description: Vivvo Article Manager is a web-based news script. The application is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "root" parameter of the "db_conn.php" script. Version 3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/22600

  • 07.9.65 - CVE: Not Available
  • Platform: Web Application
  • Title: VS-Gastebuch Gb_Pfad Remote File Include
  • Description: VS-Gastebuch is a web-based guestbook script. The application is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "bg_pfad" parameter of the "/languages/german.php" script. VS-Gastebuch version 1.5.3 is affected.
  • Ref: http://www.securityfocus.com/bid/22605/info

  • 07.9.66 - CVE: Not Available
  • Platform: Web Application
  • Title: Meganoide's News Include.PHP Remote File Include
  • Description: Meganoide's News is a web-based news script. The application is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "$_SERVER[DOCUMENT_ROOT]" parameter of the "include.php" script. Meganoide's News version 1.1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22589

  • 07.9.67 - CVE: Not Available
  • Platform: Web Application
  • Title: Ezboo Webstats Administrative Authentication Bypass
  • Description: Ezboo webstats is a web site statistics application. The application is prone to a vulnerability that lets attackers gain administrative access without supplying a password, due to insufficient access validation in scripts such as "update.php" and "config.php". Ezboo webstats version 3.03 is affected.
  • Ref: http://www.securityfocus.com/archive/1/460325

  • 07.9.68 - CVE: Not Available
  • Platform: Web Application
  • Title: VS-News-System Show_News_Inc.PHP Remote File Include
  • Description: VS-News-System is a web-based news feed aggregator application. The application is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "newsordner" parameter of the "show_news_inc.php" script before using it in an "include()" call. Version 1.2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22592

  • 07.9.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Retired: Drake CMS Admin Header.PHP Remote File Include
  • Description: Drake CMS is a web-based content management system. The application is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "aclasses_dir" parameter of the "admin/includes/header.php" script before using it in an "include()" call. Version 0.3.2 is affected.
  • Ref: http://www.securityfocus.com/archive/1/460337

  • 07.9.70 - CVE: Not Available
  • Platform: Web Application
  • Title: VS-Link-Partner Functions.Inc.PHP Remote File Include
  • Description: VS-Link-Partner is a web link management application. It is prone to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "gb_pfad" parameter of the "functions.inc.php" script. VS-Link-Partner version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/22594

  • 07.9.71 - CVE: Not Available
  • Platform: Web Application
  • Title: CedStat Index.PHP Remote File Include
  • Description: CedStat is an application for gathering web site statistics. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "hier" parameter of the "index.php" script. Version 1.31 is affected.
  • Ref: http://www.securityfocus.com/archive/1/460260

  • 07.9.72 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Image Pager Module Image Tag HTML Injection
  • Description: The Drupal Image Pager module is an application that allows users to view a selected subset of web page images. The Drupal Image Pager module is prone to an HTML injection issue because it fails to properly sanitize user-supplied input when processing specially crafted "IMG" tags.
  • Ref: http://drupal.org/node/119293

  • 07.9.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Audio and Mediafield Modules GetID3 Remote Command Execution
  • Description: Drupal is a content manager. The Audio and Mediafield modules add media-handling functionality to Drupal. They are exposed to a remote command execution issue because the application fails to properly sanitize user-supplied input. Drupal Mediafield Module versions 5.x-1.x-dev and earlier are affected.
  • Ref: http://drupal.org/node/119385

  • 07.9.74 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco Unified IP Conference Station and Unified IP Phone Vulnerabilities
  • Description: Cisco Unified IP Conference Station and Unified IP Phone are prone to multiple remote vulnerabilities. Cisco Unified IP Phone versions 8.0(4)SR1 and earlier are affected. Refer to the advisory for further details.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070221-phone.shtml

  • 07.9.75 - CVE: Not Available
  • Platform: Network Device
  • Title: Cisco 802.1X Authentication Deployment Products Multiple Vulnerabilities
  • Description: Cisco CSSC and CTA products are used to deploy a single authentication framework using the 802.1X authentication standard across multiple wired and wireless networks. They are prone to an information disclosure issue and multiple privilege escalation issues because of design flaws in the software. Cisco Trust Agent 2.0 and 2.1, Cisco Security Agent 5.1 and 5.0, and Cisco Secure Services Client 4.0 are affected. Refer to the advisory for further details.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml

(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.