@RISK: The Consensus Security Vulnerability Alert

Volume: VII, Issue: 18
May 1, 2008

A breather this week - only Castle Rock Computing users have an immediate security action to take. Novell has not yet confirmed the critical vulnerability in its GroupWise product. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Third Party Windows Apps                  12 (#1, #2, #3, #4, #5, #7, #9)
    Linux                                     2
    Novell                                    1
    Cross Platform                            15 (#6, #8)
    Web Application - Cross Site Scripting    12
    Web Application - SQL Injection           15
    Web Application                           19

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: Castle Rock Computing SNMPc Buffer Overflow
  • Affected:
    • Castle Rock Computing SNMPc versions 7.1 and prior
  • Description: SNMPc is a popular enterprise and workgroup monitoring and management solution from Castle Rock Computing. It uses the Simple Network Management Protocol (SNMP) for large portions of its functionality. SNMP supports various authentication mechanisms, including the concept of a "community" name. When used, this name is included in all requests, and provides a simple authentication mechanism. SNMPc contains a buffer overflow in its processing of certain SNMP TRAP messages. A specially crafted TRAP message containing an overlong community string could trigger this buffer overflow. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the vulnerable process (usually LocalSystem). Technical details for this vulnerability are publicly available.

  • Status: Vendor confirmed, updates available.

  • References:
  • (2) CRITICAL: Novell GroupWise "mailto:" Handling Buffer Overflow
  • Affected:
    • Novell GroupWise versions 7.0 and prior
  • Description: Novell GroupWise is a popular mail and groupware application. It contains a flaw in its handling of "mailto:" URLs. These URLs are usually embedded in web pages and other documents and allow users to send email to specified addresses when the URL is accessed. If Novell GroupWise is the user's default mail client, a specially crafted mailto URL could trigger a buffer overflow in the application. Successfully exploiting this buffer overflow would allow an attacker to execute arbitrary code with the privileges of the current user. No user interaction other than viewing a malicious web page is necessary for exploitation. Full technical details and a proof-of-concept are publicly available for this vulnerability.

  • Status: Novell has not confirmed, no updates available.

  • References:
  • (3) HIGH: Trillian Crafted Name Buffer Overflow
  • Affected:
    • Trillian 3.1 and prior
  • Description: Trillian is a popular multi-protocol instant messaging client from Cerulean Studios. It contains a flaw in its handling of remote messages. A specially crafted message sent via the MSN instant messaging network containing an overlong nickname field could trigger this flaw, leading to a buffer overflow. It is believed, but not confirmed, that successfully exploiting this overflow would allow an attacker to execute arbitrary code with the privileges of the current user. Full technical details and a simple proof-of-concept for this vulnerability are publicly available.

  • Status: Cerulean Studios has not confirmed, no updates available.

  • References:
  • (4) HIGH: HP HpeDiag ActiveX Control Multiple Vulnerabilities
  • Affected:
    • HP HPeDiag ActiveX Controls
  • Description: The HP HPeDiag ActiveX control is installed as part of the Microsoft Windows software suite for various HP LaserJet printers. This control contains multiple vulnerabilities, including multiple insecure methods and a buffer overflow. A malicious web page that instantiated this control could exploit one of these vulnerabilities, allowing an attacker to execute arbitrary code with the privileges of the current user. Technical details for these vulnerabilities are publicly available.

  • Status: HP confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the affected controls via Microsoft's "kill bit" mechanism. CLSIDs for the affected control are available in HP's advisory, referenced below.

  • References:
  • (5) HIGH: Akamai Download Manager ActiveX Control Remote Code Execution
  • Affected:
    • Akamai Download Manager ActiveX control versions prior to 2.2.3.5
  • Description: The Akamai Download Manager is a popular application to assist with downloads. Part of its functionality is provided by an ActiveX control. This control contains a remote code execution vulnerability. A specially crafted web page that instantiates this control could trigger this vulnerability, allowing an attacker to execute arbitrary code with the privileges of the current user.

  • Status: Akamai confirmed, updates available.

  • References:
  • (6) HIGH: KDE KHTML PNG Handling Buffer Overflow
  • Affected:
    • KDE versions 4.0.3 and prior
  • Description: KDE, the K Desktop Environment, is a popular cross-platform desktop environment. Its HTML parsing and rendering engine, KHTML, contains a flaw in its handling of Portable Network Graphics (PNG) files. A specially crafted PNG file could trigger this flaw, leading to a buffer overflow vulnerability. Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Full technical details for this vulnerability are publicly available via source code analysis. KDE is the default desktop environment for a number of Linux distributions. Apple's Safari web browser uses a large amount of KHTML code, but it is unknown if Safari is affected.

  • Status: KDE confirmed, updates available.

  • References:
  • (9) MODERATE: Apple QuickTime Undisclosed Remote Code Execution
  • Affected:
    • Apple QuickTime for Microsoft Windows
  • Description: QuickTime is Apple's streaming media framework for Microsoft Windows and Apple Mac OS X. The Windows version is reported to contain a flaw in its handling of user input; a specially crafted data stream could trigger this flaw and allow an attacker to execute arbitrary code with the privileges of the current user. A proof-of-concept reportedly exists in the hands of the discoverer; it is unknown if the proof-of-concept is more widely available. Very few technical details are publicly available for this issue.

  • Status: Apple has not confirmed, no updates available.

  • References:
Other Software
  • (10) CORRECTION: In last week's edition of @RISK, the entry discussing a vulnerability in the Microsoft Windows driver for Intel Centrino wireless network cards was inaccurate. This entry was to note that a new, working, and publicly available e
  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 18, 2008

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 08.18.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: National Rail Enquiries Live Departure Boards Gadget Remote Script Code Execution
  • Description: National Rail Enquiries Live Departure Boards Gadget is a railroad departure application for use on the Microsoft Windows Vista "Windows Sidebar" application. The application is exposed to an issue that lets remote attackers execute arbitrary script code because the application fails to properly sanitize user-supplied input. National Rail Enquiries Live Departure Boards Gadget versions prior to 1.1 are affected.
  • Ref: http://www.mwrinfosecurity.com/news/1690.html

  • 08.18.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Realtek HD Audio Codec Drivers for Windows Vista Multiple Local Privilege Escalation Vulnerabilities
  • Description: Realtek HD Audio Codec Drivers for Windows Vista are exposed to multiple local privilege escalation issues. Internal routines allow user-mode applications to create or modify arbitrary registry keys from a specially-crafted IOCTL request. Additionally, the drivers fail to sufficiently validate user-mode buffers, which can allow memory overwrites because of integer overflows. RTKVHDA.sys file versions prior to 6.0.1.5605 (32-bit) and RTKVHDA64.sys file versions prior to 6.0.1.5605 (64-bit) are affected.
  • Ref: http://www.securityfocus.com/archive/1/491249

  • 08.18.3 - CVE: CVE-2007-6713
  • Platform: Third Party Windows Apps
  • Title: Flip4Mac WMV File Handling Unspecified Security Issue
  • Description: Flip4Mac WMV is a set of components for QuickTime that add support for Windows Media files. The application is exposed to an unspecified issue when processing specially-crafted WMV files. Flip4Mac WMV versions prior to 2.2.0.49 are affected.
  • Ref: http://www.securityfocus.com/bid/28912

  • 08.18.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Trillian Overly Long Nickname Remote Denial of Service
  • Description: Trillian is an instant messaging application. The application is exposed to a remote denial of service issue because it fails to sufficiently bounds check user-supplied data. Trillian version 3.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/491281

  • 08.18.5 - CVE: CVE-2008-0712
  • Platform: Third Party Windows Apps
  • Title: HP HPeDiag ActiveX Control Multiple Information Disclosure and Remote Code Execution Vulnerabilities
  • Description: HPeDiag ActiveX is an ActiveX control used to aid in web-based support. The application is exposed to multiple information disclosure and remote code execution issues.
  • Ref: http://support.microsoft.com/kb/240797

  • 08.18.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Kantaris SSA Subtitle File Remote Buffer Overflow
  • Description: Kantaris is a freely available media player available for Microsoft Windows operating systems. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. The issue occurs when the application handles SSA subtitle files that contain overly long subtitle "Dialogue" data. Kantaris version 0.3.4 is affected.
  • Ref: http://www.securityfocus.com/bid/28939

  • 08.18.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Watchfire AppScan ActiveX Control Multiple Arbitrary File Overwrite Vulnerabilities
  • Description: Watchfire AppScan is web application security software. The application is exposed to multiple issues that allow attackers to overwrite arbitrary files. Watchfire AppScan version 7.0 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 08.18.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: HP Software Update "Hpufunction.dll" ActiveX Control Insecure Method Vulnerabilities
  • Description: HP Software Update application uses ActiveX controls to update user computers. The application is exposed to multiple insecure method issues which affect the ActiveX control "Hpufunction.dll". Hpufunction.dll version 4.0.0.1 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 08.18.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Lhaplus ZOO Archive Processing Remote Buffer Overflow
  • Description: Lhaplus is a file compression utility for the Windows platform. It handles most industry standard compression formats, including b64(base64), bh, bz, cab, gz, lzh, tar, tbz, tgz, zip(jar), uue, xxe, and exe. The application is exposed to an unspecified remote buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized buffer while processing ZOO archives. Lhaplus version 1.56 is affected.
  • Ref: http://www.securityfocus.com/bid/28953

  • 08.18.10 - CVE: CVE-2008-1735
  • Platform: Third Party Windows Apps
  • Title: BitDefender Antivirus 2008 Hooked SSDT Denial of Service
  • Description: BitDefender Antivirus 2008 is a security application for Microsoft Windows operating platforms. The application is exposed to a local denial of service issue because it fails to adequately bounds check user-supplied data. BitDefender Antivirus 2008 Build version 11.0.11 is affected.
  • Ref: http://www.coresecurity.com/?action=item&id=2249

  • 08.18.11 - CVE: CVE-2008-1738
  • Platform: Third Party Windows Apps
  • Title: Rising Antivirus SSDT "NtOpenProcess()" Hook Local Denial of Service
  • Description: Rising Antivirus is an antivirus application available for multiple Microsoft Windows operating systems. The application is exposed to a local denial of service issue. Rising Antivirus version 19.60.0.0 is affected.
  • Ref: http://www.coresecurity.com/?action=item&id=2249

  • 08.18.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: VicFTPS "LIST" Command Remote Denial of Service
  • Description: VicFTPS is an FTP server available for Microsoft Windows. The application is exposed to a remote denial of service issue due to a NULL-pointer dereference. This issue occurs when handling specially crafted "LIST" commands.
  • Ref: http://www.securityfocus.com/bid/28967

  • 08.18.13 - CVE: CVE-2008-1926
  • Platform: Linux
  • Title: util-linux-ng "login" Remote Log Injection Weakness
  • Description: The "util-linux-ng" package is a fork of the original "util-linux" package. It contains a number of utilities for Linux operating systems. The "login" utility in the "util-linux-ng" package is exposed to a weakness that allows remote attackers to inject false information into log files. This issue occurs because the utility fails to properly sanitize user-supplied input. util-linux-ng versions prior to 2.13.1.1 are affected.
  • Ref: http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commitdiff;h=8ccf0b253ac0f4f58d64bc9674de18bff5a88782

  • 08.18.14 - CVE: CVE-2008-1293
  • Platform: Linux
  • Title: Linux Terminal Server Project "ldm" Information Disclosure
  • Description: Linux Terminal Server Project (LTSP) adds thin-client support to Linux servers; "ldm" is the LTSP X11 display manager. The application is exposed to an information disclosure issue.
  • Ref: http://www.securityfocus.com/bid/28960

  • 08.18.15 - CVE: Not Available
  • Platform: Novell
  • Title: Novell GroupWise "mailto" URI Handler Buffer Overflow
  • Description: Novell GroupWise is a cross platform collaborative software product. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. GroupWise version 7.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/491376

  • 08.18.16 - CVE: CVE-2008-1103
  • Platform: Cross Platform
  • Title: Blender Unspecified Insecure Temporary File Creation
  • Description: Blender is an open source suite for creating 3D content. Blender creates temporary files in an insecure manner. Successfully mounting a symlink attack may allow an attacker to delete or corrupt sensitive files, which may result in a denial of service.
  • Ref: http://www.securityfocus.com/bid/28936

  • 08.18.17 - CVE: CVE-2008-1897
  • Platform: Cross Platform
  • Title: Asterisk IAX2 Packet Amplification Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application. The application is exposed to a remote denial of service issue due to a flaw in the UDP-based IAX2 protocol.
  • Ref: http://bugs.digium.com/view.php?id=10078

  • 08.18.18 - CVE: CVE-2008-1768
  • Platform: Cross Platform
  • Title: VLC Media Player MP4 Demuxer Buffer Overflow
  • Description: VLC is a cross-platform media player that can be used to serve streaming data. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue stems from an integer overflow vulnerability occurring in the MP4 demuxer. VLC media player versions prior to 0.8.6f are affected.
  • Ref: http://www.videolan.org/security/sa0803.php

  • 08.18.19 - CVE: CVE-2008-1769
  • Platform: Cross Platform
  • Title: VLC Media Player Cinepak Codec Buffer Overflow
  • Description: VLC is a cross-platform media player that can be used to serve streaming data. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. The issue stems from an integer overflow within the Cinepak decoder. VLC media player version 0.8.6e is affected.
  • Ref: http://www.videolan.org/security/sa0803.php

  • 08.18.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: xine-lib NES Sound Format Demuxer "copyright" Buffer Overflow
  • Description: The "xine-lib" library allows various media players to play various media formats. The library is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data when processing it with the NES Sound Format demuxer. xine-lib versions 1.1.12 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/491274

  • 08.18.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Expeditor URI Handler Command Execution
  • Description: IBM Lotus Expeditor is a client, server, and toolkit package designed to aid in creating and deploying client applications. The application is exposed to a command execution issue because it fails to properly sanitize input.
  • Ref: http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061750.html

  • 08.18.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Computer Associates ARCserve Backup Discovery Service Remote Denial of Service
  • Description: Computer Associates ARCserve Backup products provide backup and restore protection. ARCserve Backup is affected by a denial of service issue because the application mishandles malformed user-supplied input. This issue occurs in the Discovery Service component of the application, which is listening on TCP port 41523. ARCserve Backup version 12.0.5454.0 is affected.
  • Ref: http://aluigi.altervista.org/adv/carcbackazz-adv.txt

  • 08.18.23 - CVE: CVE-2008-1927
  • Platform: Cross Platform
  • Title: Perl Unicode "\Q...\E" Quoting Construct Regular Expression Buffer Overflow
  • Description: Perl is exposed to a buffer overflow issue because it fails to sufficiently bounds check user-supplied input. This issue presents itself when certain Unicode data is passed as part of a regular expression. This issue will occur if the offending characters are contained in a variable reference protected by the "\Q...\E" quoting construct. Perl version 5.8.8 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454792

  • 08.18.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PeerCast "getAuthUserPass" Multiple Buffer Overflow Vulnerabilities
  • Description: PeerCast is a peer-to-peer (P2P) radio streaming application implemented in C++. The application is exposed to multiple buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. PeerCast version 0.1218 is affected.
  • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478573

  • 08.18.25 - CVE: CVE-2008-1671
  • Platform: Cross Platform
  • Title: KDE "start_kdeinit" Multiple Local Privilege Escalation Vulnerabilities
  • Description: KDE includes a "start_kdeinit" utility that is installed as setuid superuser by default. This utility is used to alter the kernel's out of memory killer properties to attempt to ensure that it does not kill a user's entire KDE session in out of memory conditions. The "start_kdeinit" utility in KDE is exposed to multiple local privilege escalation issues due to a lack of proper input sanitization.
  • Ref: http://www.kde.org/info/security/advisory-20080426-2.txt

  • 08.18.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sun Java System Directory Proxy Server Remote Unauthorized Access
  • Description: Sun Java System Directory Server is an LDAP (Lightweight Directory Access Protocol) protocol level gateway server distributed with Sun Directory Server Enterprise Edition. The application is exposed to a remote unauthorized access issue.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-235381-1

  • 08.18.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: E-Post MailServer Remote Information Disclosure
  • Description: E-Post MailServer is an email server for Microsoft Windows. It supports SMTP, POP3, and IMAP. The application is exposed to a remote information disclosure issue. E-Post Mail Server version 4.10 with EPSTPOP3S.EXE 4.22 is affected.
  • Ref: http://vuln.sg/epostmailserver410-en.html

  • 08.18.28 - CVE: CVE-2008-1737
  • Platform: Cross Platform
  • Title: Sophos Anti-Virus SSDT Hooks Local Denial of Service
  • Description: Sophos Anti-Virus is cross-platform security software providing antivirus, antispyware, and firewalling capabilities for both enterprise and endpoint-based systems. The application is exposed to a local denial of service issue because it fails to adequately bounds check user-supplied data. Sophos Anti-Virus version 7.0.5 is affected.
  • Ref: http://www.sophos.com/support/knowledgebase/article/37810.html?_log_from=rss

  • 08.18.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple QuickTime Unspecified Remote Code Execution
  • Description: Apple QuickTime is a media player that supports multiple file formats. QuickTime is exposed to an unspecified remote code execution issue. To exploit this issue, an attacker must trick a victim into viewing a malicious file. QuickTime version 7.4 for Microsoft Windows XP is affected.
  • Ref: http://www.securityfocus.com/bid/28959

  • 08.18.30 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Acritum Femitter Server "RETR" Command Remote Denial of Service
  • Description: Acritum Femitter Server is an FTP and HTTP server application available for Microsoft Windows. The application is exposed to a remote denial of service issue because the application fails to handle exceptional conditions. Acritum Femitter Server version 1.03 is affected.
  • Ref: http://www.securityfocus.com/bid/28973

  • 08.18.31 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Magnolia Enterprise Edition Sitedesigner module "query" Parameter Cross-Site Scripting
  • Description: Sitedesigner is a module of Magnolia Enterprise Edition to create HTML templates. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "query" parameter of the "webapp/templates/jsp/samples/search.jsp" script. Sitedesigner version 1.1.4 is affected.
  • Ref: http://www.securityfocus.com/bid/28897

  • 08.18.32 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Horde Webmail "addevent.php" Cross-Site Scripting
  • Description: Horde Webmail is a web-based communication application that allows users to send and receive emails and manage shared calendars. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "url" parameter of the "addevent.php" script.
  • Ref: http://www.securityfocus.com/archive/1/491230

  • 08.18.33 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: F5 Networks FirePass 4100 SSL VPN "installControl.php3" Cross-Site Scripting
  • Description: FirePass 4100 SSL VPN is a secure Virtual Private Network device that uses SSL connections to encapsulate network traffic. The devices are exposed to a cross-site scripting issue because they fail to properly sanitize user-supplied input. This issue affects the "installControl.php3" script.
  • Ref: http://www.securityfocus.com/bid/28902

  • 08.18.34 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Drupal Ubercart Module Multiple HTML Injection Vulnerabilities
  • Description: Drupal is an open source content manager that is available for a number of platforms. The Ubercart module is an e-commerce suite for Drupal. The Ubercart module for Drupal is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Ubercart versions prior to 5.x-1.0-rc3 are affected.
  • Ref: http://drupal.org/node/250343

  • 08.18.35 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: e107 CMS Multiple Cross-Site Scripting Vulnerabilities
  • Description: e107 CMS is a content manager. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input in the following scripts and parameters: "news.php : day" and "search.php : q". e107 version 0.7.0 is affected.
  • Ref: http://www.securityfocus.com/bid/28917

  • 08.18.36 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Digital Hive "base.php" Parameter Cross-Site Scripting
  • Description: Digital Hive is a PHP-based forum application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "mt" parameter of "base.php" when the "page" parameter is set to "membres.php". Digital Hive version 2.0 RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/28918

  • 08.18.37 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Pixel Motion Blog "list_article.php" Cross-Site Scripting
  • Description: Pixel Motion Blog is a weblog application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "jours" parameter of the "list_article.php" script.
  • Ref: http://www.securityfocus.com/bid/28920

  • 08.18.38 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHCDownload Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: PHCDownload is a remote file management application. The application is exposed to multiple input validation issues, including a cross-site scripting issue and an SQL injection issue affecting the "hash" parameter of the "upload/admin/index.php" script. PHCDownload version 1.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/28922

  • 08.18.39 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SiteXS CMS "adm/index.php" Cross-Site Scripting
  • Description: SiteXS CMS is a content management application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "user" parameter of the "admin/index.php" script.
  • Ref: http://www.securityfocus.com/archive/1/491426

  • 08.18.40 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Siteman "module" Parameter Cross-Site Scripting and Local File Include
  • Description: Siteman is a PHP-based content manager. The application is exposed to a local file include issue and a cross-site scripting issue. These issues are due to a failure of the application to properly sanitize user-supplied input in the "module" parameter of the "index.php" script. Siteman version 2.0.x2 is affected.
  • Ref: http://ircrash.com/english/index.php?topic=29.0

  • 08.18.41 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: miniBB "bb_admin.php" Cross-Site Scripting
  • Description: miniBB is a bulletin board application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "whatus" parameter of the "bb_admin" script. miniBB version 2.2a is affected.
  • Ref: http://www.securityfocus.com/archive/1/491375

  • 08.18.42 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Multiple Bluemoon inc. Modules for XOOPS Unspecified Cross-Site Scripting Vulnerabilities
  • Description: XOOPS is a PHP-based content management application; Bluemoon inc. provides modules for XOOPS. Multiple Bluemoon inc. modules for XOOPS are exposed to unspecified cross-site scripting issues because the applications fail to sufficiently sanitize user-supplied data.
  • Ref: http://www.securityfocus.com/bid/28966

  • 08.18.43 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PostNuke PostSchedule Component "eid" Parameter SQL Injection
  • Description: PostSchedule is a calendar application for the PostNuke content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "eid" parameter of the "PostSchedule" module before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/28931

  • 08.18.44 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: E RESERV "ID_loc" Parameter SQL Injection
  • Description: E RESERV is a web-based reservation management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ID_loc" parameter of the "index.php" script before using it in an SQL query. E RESERV version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/28899

  • 08.18.45 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo Filiale Component "idFiliale" Parameter SQL Injection
  • Description: Filiale is a plugin for the Joomla! and Mambo content managers. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "idFiliale" parameter of the "com_filiale" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/28900

  • 08.18.46 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo Community Builder "com_profiler" Component SQL Injection
  • Description: Community Builder "com_profiler" is a plugin for the Joomla! and Mambo content managers. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "user" parameter before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/28911

  • 08.18.47 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Web Calendar Pro "one_day.php" SQL Injection
  • Description: Web Calendar Pro is a web-based calendar application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "user_id" parameter of the "one_day.php" script. Web Calendar Pro version 4.1 is affected.
  • Ref: http://www.securityfocus.com/bid/28921

  • 08.18.48 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joomla! and Mambo Jpad Component "cid" Parameter SQL Injection
  • Description: Jpad is a note pad application for the Joomla! and Mambo content managers. It is also known as BrightCode Notepad. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cid" parameter of the "com_jpad" component before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/28923

  • 08.18.49 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: PHP Forge "id" Parameter SQL Injection
  • Description: PHP Forge is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "admin.php" script before using it in an SQL query. PHP Forge versions 3 beta 2 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/28950

  • 08.18.50 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: RunCMS MyArticles module "topic_id" Parameter SQL Injection
  • Description: MyArticles is a module for RunCMS. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "topic_id" parameter of the "modules/myarticles/topics.php" script before using it in an SQL query. MyArticles module version 0.6 Beta-1 is affected.
  • Ref: https://sourceforge.net/project/showfiles.php?group_id=155086

  • 08.18.51 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ODFaq "index.php" SQL Injection
  • Description: ODFaq is a PHP script for managing frequently asked questions (FAQs). The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat" parameter of the "index.php" script before using it in an SQL query. ODFaq version 2.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/28962

  • 08.18.52 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Jokes Site Script "categorie" Parameter SQL Injection
  • Description: Jokes Site Script is a web-based script. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "categorie" parameter of the "jokes.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/28963

  • 08.18.53 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: FluentCMS "view.php" SQL Injection
  • Description: FluentCMS is a PHP-based content manager. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "sid" parameter of the "view.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/28965

  • 08.18.54 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Prozilla Hosting Index "directory.php" SQL Injection
  • Description: Prozilla Hosting Index is a web application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "cat_id" parameter of the "directory.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/28970

  • 08.18.55 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Softbiz Web Host Directory Script "search_result.php" SQL Injection
  • Description: Web Host Directory script from Softbiz is a web-based script. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "host_id" parameter of the "search_result.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/archive/1/491396

  • 08.18.56 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Wordpress Download Monitor Plugin "id" Parameter SQL Injection
  • Description: Wordpress Download Monitor is a plugin for the WordPress web-based publishing application. The plugin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "id" parameter of the "wp-download_monitor/download.php" script before using it in an SQL query. Wordpress Download Monitor version 2.0.6 is affected.
  • Ref: http://www.securityfocus.com/bid/28975

  • 08.18.57 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Joovili "category" Parameter SQL Injection
  • Description: Joovili is a web-based application for social networking. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "category" parameter of the "browse.videos.php" script before using it in an SQL query. Joovili version 3.1.0 is affected.
  • Ref: http://www.securityfocus.com/bid/28979

  • 08.18.58 - CVE: CVE-2008-1930
  • Platform: Web Application
  • Title: WordPress Cookie Integrity Protection Unauthorized Access
  • Description: WordPress is a blogging application. The application is exposed to an issue that allows unauthorized users to gain access to the affected application. This issue occurs because the "USERNAME" and "EXPIRY_TIME" parameters contained in the authentication cookie are not appended with the MAC calculation. WordPress versions prior to 2.5.1 are affected.
  • Ref: http://trac.wordpress.org/ticket/5367

  • 08.18.59 - CVE: CVE-2008-1924
  • Platform: Web Application
  • Title: phpMyAdmin Shared Host Remote Information Disclosure
  • Description: phpMyAdmin is a web-based administration interface for MySQL databases. The application is exposed to a remote information disclosure issue because it fails to properly sanitize user-supplied input. The issue occurs when handling specially crafted HTTP POST requests. phpMyAdmin versions prior to 2.11.5.2 are affected.
  • Ref: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-3

  • 08.18.60 - CVE: Not Available
  • Platform: Web Application
  • Title: RSA Authentication Agent for Web URI Redirection
  • Description: RSA Authentication Agent for Web for Internet Information Services is a web application for providing authentication services. The application is exposed to a remote URI redirection issue because it fails to adequately sanitize user-supplied input. RSA Authentication Agent for Web for Internet Information Services version 5.3.0.258 is affected.
  • Ref: http://www.rsa.com/node.aspx?id=2807

  • 08.18.61 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke DownloadsPlus Module Arbitrary File Upload
  • Description: DownloadsPlus is a module for the PHP-Nuke content manager. The DownloadsPlus module of PHP-Nuke is exposed to an issue that lets remote attackers upload and execute arbitrary code because it fails to properly sanitize user-supplied input to the "from=adddownload" action.
  • Ref: http://www.securityfocus.com/bid/28919

  • 08.18.62 - CVE: Not Available
  • Platform: Web Application
  • Title: miniBB Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: miniBB is a bulletin board application. The application is exposed to multiple input validation issues. miniBB versions prior to 2.2a are affected.
  • Ref: http://www.securityfocus.com/bid/28930

  • 08.18.63 - CVE: CVE-2008-1928
  • Platform: Web Application
  • Title: Imager Image-based Fill Heap Buffer Overflow
  • Description: Imager is a Perl extension library used for generating 24-bit images. The library is exposed to a remote buffer overflow issue because it fails to perform adequate bounds checking on user-supplied input while processing malicious image files. Imager versions prior to 0.64 are affected.
  • Ref: http://imager.perl.org/i/release064/Imager_0_64

  • 08.18.64 - CVE: Not Available
  • Platform: Web Application
  • Title: SugarCRM Community Edition RSS Module Information Disclosure
  • Description: SugarCRM is a customer relationship management suite that is implemented in Java and PHP. The application is exposed to an information disclosure issue because it fails to properly sanitize user-supplied URI values passed to the RSS module. SugarCRM Community Edition versions 4.5.1 and 5.0.0 are affected.
  • Ref: http://www.securityfocus.com/archive/1/491417

  • 08.18.65 - CVE: Not Available
  • Platform: Web Application
  • Title: e107 CMS "submitnews.php" Multiple HTML Injection Vulnerabilities
  • Description: e107 CMS is a content manager. The application is exposed to multiple HTML injection issues because it fails to sanitize user-supplied input to the "author_name", "itemtitle", and "item" parameters of the "submitnews.php" script. e107 CMS version 0.7.11 is affected.
  • Ref: http://www.securityfocus.com/bid/28982

  • 08.18.66 - CVE: Not Available
  • Platform: Web Application
  • Title: LokiCMS "admin.php" Arbitrary File Deletion
  • Description: LokiCMS is a PHP-based content manager. The application is exposed to an issue that allows attackers to delete arbitrary files because it fails to properly sanitize user-supplied input to the "delete" parameter of the "admin.php" script. LokiCMS version 0.3.3 is affected.
  • Ref: http://www.securityfocus.com/bid/28985

  • 08.18.67 - CVE: CVE-2008-1670
  • Platform: Web Application
  • Title: KDE KHTML PNGLoader Heap Buffer Overflow
  • Description: KHTML is a freely available HTML rendering library included with the KDE environment. The application is exposed to a remote buffer overflow issue because it fails to perform adequate bounds checking for user-supplied input while processing malicious PNG files. KHTML versions included with KDE versions 4.0 to 4.0.3 are affected.
  • Ref: http://www.kde.org/info/security/advisory-20080426-1.txt

  • 08.18.68 - CVE: Not Available
  • Platform: Web Application
  • Title: Joomla Visites Component mosConfig_absolute_path Remote File Include
  • Description: Visites is a statistics component for the Joomla! content manager. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "mosConfig_absolute_path" parameter of the component's "core/include/myMailer.class.php" script. Visites version 1.1 RC2 is affected.
  • Ref: http://www.securityfocus.com/bid/28942

  • 08.18.69 - CVE: Not Available
  • Platform: Web Application
  • Title: Novell GroupWise HTML Injection and Denial of Service Vulnerabilities
  • Description: Novell GroupWise WebAccess is a secure, mobile option for GroupWise collaboration software. The application is exposed to an HTML injection issue and a denial of service issue. Novell GroupWise version 7 is affected.
  • Ref: http://www.securityfocus.com/archive/1/491359

  • 08.18.70 - CVE: Not Available
  • Platform: Web Application
  • Title: Angelo-Emlak Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: Angelo-Emlak is exposed to multiple input validation issues. A cross-site scripting issue affects the "sayfa" parameter of the "hpz/admin/Default.asp" script. A SQL injection issue affects the "id" parameter of the "hpz/profil.asp" script. A SQL injection issue affects the "id" parameter of the "hpz/prodetail.asp" script. Angelo-Emlak version 1.0 is affected.
  • Ref: http://www.milw0rm.com/exploits/5503

  • 08.18.71 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPizabi "template.class.php" Remote Information Disclosure
  • Description: PHPizabi is a web-based application for social networking. The application is exposed to a remote information disclosure issue because it fails to properly sanitize user-supplied input. The issue occurs in "template.class.php" when handling comments posted by users. PHPizabi version 0.848b C1 HFP3 is affected.
  • Ref: http://www.securityfocus.com/bid/28954

  • 08.18.72 - CVE: Not Available
  • Platform: Web Application
  • Title: PHPG Upload "form_upload.php" Arbitrary File Upload
  • Description: PHPG Upload is a file upload script. The application is exposed to an issue that lets remote attackers upload and execute arbitrary script code because it fails to properly sanitize user-supplied input to the "form_upload.php" script.
  • Ref: http://www.securityfocus.com/bid/28955

  • 08.18.73 - CVE: Not Available
  • Platform: Web Application
  • Title: Content Management System for Phprojekt "graphie.php" Local File Include
  • Description: Content Management System for Phprojekt is a content manager for Phprojekt. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "cm_imgpath" parameter of the "graphie.php" script. Content Management System for Phprojekt version 0.6.1 is affected.
  • Ref: http://www.securityfocus.com/bid/28958

  • 08.18.74 - CVE: Not Available
  • Platform: Web Application
  • Title: MegaBBS Multiple SQL Injection and Cross-Site Scripting Vulnerabilities
  • Description: MegaBBS is an ASP-based bulletin board. The application is exposed to multiple input validation issues. MegaBBS version 2.2 is affected.
  • Ref: http://bugreport.ir/index.php?/37

  • 08.18.75 - CVE: Not Available
  • Platform: Web Application
  • Title: ZoneMinder Multiple Unspecified Remote Code Execution Vulnerabilities
  • Description: ZoneMinder is a freely available application designed to control and record video from security cameras. It contains a web-based administrative application. It is exposed to multiple unspecified remote code execution issues. ZoneMinder versions prior to 1.23.3 are affected.
  • Ref: http://www.zoneminder.com/wiki/index.php/Change_History#Release_1.23.3

  • 08.18.76 - CVE: Not Available
  • Platform: Web Application
  • Title: PhpGedView Unspecified Remote Vulnerability
  • Description: PhpGedView is a web-based application designed to view and edit genealogy on a web site. The application is exposed to an unspecified issue. PhpGedView versions prior to 4.1.5 are affected.
  • Ref: http://www.securityfocus.com/bid/28978

(c) 2008. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.