@RISK: The Consensus Security Vulnerability Alert

Volume: VII, Issue: 2
January 7, 2008

Real Networks RealPlayer and the SSL capability in MySQL are the newly discovered critical vulnerabilities for this week.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ------------------------                  -------------------------------------
    Other Microsoft Products                  1
    Third Party Windows Apps                  3 (#4, #6)
    Linux                                     1
    Cross Platform                            12 (#1, #2, #3, #5, #7)
    Web Application - Cross Site Scripting    9
    Web Application - SQL Injection           5
    Web Application                           9

************************* SECURITY TRAINING UPDATE *********************

Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP Prep, and SANS' other top-rated courses?
 - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
 - Phoenix (2/11 - 2/18): http://www.sans.org/phoenix08/event.php
 - Prague (2/18 - 2/23): http://www.sans.org/prague08
 - Washington DC (VA) (3/24 - 3/31): http://www.sans.org/tysonscorner08
 - Orlando (SANS2008) (4/18 - 4/25): http://www.sans.org/sans2008
 - and in 100 other cities and online any time: www.sans.org

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rob King at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) CRITICAL: yaSSL Multiple Vulnerabilities
  • Affected:
    • yaSSL versions 1.7.5 and prior
  • Description: YaSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) standards, used for adding authentication and encryption to network traffic. It contains multiple vulnerabilities in its handling of SSL streams. A specially crafted request from a client could exploit one of these vulnerabilities, and allow an attacker to execute arbitrary code with the privileges of the vulnerable process using the library. Full technical details and proofs-of-concept are publicly available for these vulnerabilities. Note that the popular MySQL database server uses yaSSL; if SSL support is enabled on MySQL, it has been confirmed that it is vulnerable to a pre-authentication code execution attack. A proof-of-concept for the MySQL vulnerability is also publicly available.

  • Status: YaSSL has not confirmed, no updates available.

  • References:
  • (2) CRITICAL: Real Networks RealPlayer and Helix Server Undisclosed Remote Code Execution
  • Affected:
    • Versions 11 and prior
  • Description: Real Networks RealPlayer, a popular streaming media player, and Helix Server, a popular streaming media server, contain an undisclosed remote code execution vulnerability. A specially crafted RealPlayer datastream or Real Time Streaming Protocol (RTSP) request could trigger one of these vulnerabilities and allow an attacker to execute arbitrary code with the privileges of the vulnerable process. RealPlayer content is generally displayed by default, without first prompting the user, and Helix Server generally accepts arbitrary requests. No further technical details are publicly available for this vulnerability, but a proof-of-concept is available for members of the Immunity Security Partners' Program. It is believed that RealPlayer on all supported platforms is vulnerable.

  • Status: Real Networks has not confirmed, no updates available.

  • References:
  • (3) HIGH: Multiple Products SWF File Cross Site Scripting Vulnerabilities
  • Affected:
    • Adobe Flash Player versions released prior to December, 2007
    • InfoSoft Fusion Charts
    • Techsmith Camtasia
  • Description: SWF is the native file format for Adobe/Macromedia Flash content. Several tools that automatically generate SWF files for web content do so in an insecure manner, allowing arbitrary injection of JavaScript code. Servers that host these files are vulnerable to a cross site scripting (XSS) attack. Full technical details and multiple proofs-of-concept for these vulnerabilities are publicly available. The advisory indicates that numerous tools are vulnerable; however, only those tools that have been fixed are listed in the advisory. Several of these vulnerabilities may have been addressed in earlier editions of @RISK detailing updates to individual products.

  • Status: Vendors confirmed, updates available.

  • References:
  • (4) HIGH: Georgia SoftWorks SSH2 Server Multiple Vulnerabilities
  • Affected:
    • Georgia SoftWorks SSH2 Server versions 7 and prior
  • Description: Georgia SoftWorks SSH2 Server is a popular Secure Shell server for Microsoft Windows. Secure Shell is an internet-standard secure data transmission and session protocol. It is often used for remote administration. Georgia SoftWorks SSH2 server contains multiple vulnerabilities in the handling of user input, including two buffer overflows in the handling of log messages and overlong passwords, and a format string vulnerability in the handling of log messages. Successfully exploiting these vulnerabilities would allow an attacker to execute arbitrary code with the privileges of the vulnerable process, or create a denial-of-service condition. Full technical details and a proof-of-concept are publicly available for these vulnerabilities.

  • Status: Georgia SoftWorks has not confirmed, no updates available.

  • References:
  • (5) MODERATE: Mozilla Firefox Basic Authentication Spoofing Vulnerability
  • Affected:
    • Mozilla Firefox versions 2.0.0.11 and prior
  • Description: "Basic Authentication" is an authentication mechanism defined by the Hypertext Transfer Protocol (HTTP) specification and supported by practically all web browsers. It allows web sites to authenticate users via a username and a password. Most web browsers, including Mozilla Firefox, display the prompt for the username and password in a separate window. In Mozilla Firefox, this window also displays the authentication "realm", which indicates the entity requesting authentication information. Mozilla Firefox fails to properly sanitize the server-provided realm information. A specially crafted web page could exploit this vulnerability to arbitrarily rewrite the realm as displayed to the user. This would allow an attacker to spoof the source of an authentication request, possibly tricking the user into disclosing personal authentication information. Full technical details and a proof-of-concept are publicly available for this vulnerability.

  • Status: Mozilla has not confirmed, no updates available.

  • References:
Other Software
  • (7) MODERATE: Politecnico di Torino Libnemesi Multiple Vulnerabilities
  • Affected:
    • Libnemesi versions prior to 0.6.4-rc2
  • Description: Libnemesi is a popular open source library used for developing streaming media applications based on internet standards such as the Real Time Streaming Protocol (RTSP). It is a product of the Politecnico di Torino (Polytechnic University of Turin). This library contains multiple vulnerabilities in its handling of streaming media data. A specially crafted file or stream could trigger one of these vulnerabilities, allowing an attacker to execute arbitrary code with the privileges of the vulnerable application. Applications that use this library are presumably vulnerable to these issues. Full technical details for these vulnerabilities are publicly available via source code analysis. A proof-of-concept is also available.

  • Status: Politecnico di Torino confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 2, 2008

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5549 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 08.2.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft January 2008 Advance Notification Multiple Vulnerabilities
  • Description: Microsoft has provided advance notification that they will be releasing two security bulletins on January 8, 2008. The highest severity rating for these issues is "Critical".
  • Ref: http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx

  • 08.2.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DivX Web Player "npUpload.dll" ActiveX Control Remote Denial of Service
  • Description: DivX Web Player is a freely available ActiveX control for watching DivX-encoded video content. It is included with software provided by DivX Inc. The application is exposed to a denial of service issue because the application fails to perform adequate boundary checks on user-supplied data. DivX Web Player version 6.6 is affected.
  • Ref: http://support.microsoft.com/kb/240797

  • 08.2.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Georgia SoftWorks Secure Shell Server Multiple Remote Code Execution Vulnerabilities
  • Description: Georgia SoftWorks Secure Shell Server is a commercially-available SSH server for Microsoft Windows based computers. The application is exposed to multiple remote code execution issues. Georgia Softworks Secure Shell Server version 7.01.0003 is affected.
  • Ref: http://www.securityfocus.com/archive/1/485725

  • 08.2.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RealPlayer 11 Unspecified Buffer Overflow
  • Description: RealPlayer allows users to stream various media files through their browser. The application is exposed to an unspecified buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized buffer. RealPlayer version 11 is affected.
  • Ref: http://www.securityfocus.com/bid/27091

  • 08.2.5 - CVE: CVE-2007-6613
  • Platform: Linux
  • Title: libcdio GNU Compact Disc Input and Control Library Buffer Overflow Vulnerabilities
  • Description: GNU Compact Disc Input and Control Library libcdio is a library that provides CD-ROM and CD image access. The library is exposed to multiple buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data in the "cd-info" and "iso-info" programs. libcdio version 0.79 is affected.
  • Ref: http://bugs.gentoo.org/show_bug.cgi?id=203777

  • 08.2.6 - CVE: Not Available
  • Platform: Cross Platform
  • Title: InfoSoft FusionCharts SWF Flash File Remote Code Execution
  • Description: InfoSoft FusionCharts is a Flash-based charting component available for multiple operating platforms. The application is exposed to a remote code execution issue because it fails to properly sanitize user-supplied input. The issue affects the "dataURL" parameter and can be leveraged to have arbitrary SWF (Adobe Flash) files executed by the application.
  • Ref: http://www.securityfocus.com/archive/1/485722

  • 08.2.7 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk BYE Message Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. The application is exposed to a remote denial of service issue when handling malformed "BYE" messages. Specifically, a NULL-pointer exception occurs when the "Also header" is set in a "BYE" message during a transfer attempt.
  • Ref: http://downloads.digium.com/pub/security/AST-2008-001.html

  • 08.2.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Mozilla Firefox "Basic Realm" Basic Authentication Header Spoofing
  • Description: Mozilla Firefox is a web browser available for multiple operating platforms. The application is exposed to an HTTP basic authentication domain spoofing issue because the application fails to sanitize single quotation marks and spaces from the "Basic realm" value of the "WWW-Authenticate" header when displaying the dialog box for the HTTP basic authentication prompt. Firefox version 2.0.0.11 is affected.
  • Ref: http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

  • 08.2.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: White_Dune Multiple Local Code Execution Vulnerabilities
  • Description: White_Dune is a 3D modeling tool for VRML97 files. VRML97 (Virtual Reality Modeling Language) is an ISO specification for displaying 3D data via appropriate browser plugins. The application is exposed to multiple code execution issues. White_Dune versions prior to 0.29beta795 are affected.
  • Ref: http://www.securityfocus.com/archive/1/485724

  • 08.2.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Dovecot Authentication Cache Security Bypass
  • Description: Dovecot is a mail-server application for Linux and UNIX-like operating systems. It is exposed to a security bypass issue due to an error in LDAP authentication with authentication cache enabled. Dovecot versions higher than 1.0.rc11 and prior to 1.0.10 are affected.
  • Ref: http://www.dovecot.org/list/dovecot-news/2007-December/000057.html

  • 08.2.11 - CVE: CVE-2007-5965
  • Platform: Cross Platform
  • Title: Trolltech Qt QSslSocket Class Certificate Verification Security Bypass
  • Description: Trolltech Qt is an application framework for developing graphical user interfaces (GUIs) for the X Window System. It is primarily used in KDE and supports windowing, multimedia, and other functionality. The QSslSocket class provides a socket encrypted with SSL. The application is exposed to a security bypass issue due to an unspecified error in the certificate validation functionality. Qt versions 4.3.0, 4.3.1 and 4.3.2 are affected.
  • Ref: http://trolltech.com/company/newsroom/announcements/press.2007-12-21.2182567220

  • 08.2.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Jetty Double Slash URI Information Disclosure
  • Description: Jetty is a Java-based web server available for various operating systems. The application is exposed to an issue that allows attackers to access source code because it fails to properly sanitize user-supplied input. The issue exists when handling URIs containing double slashes (//). Jetty versions 6.1.5 and 6.1.6 are affected.
  • Ref: http://www.kb.cert.org/vuls/id/553235

  • 08.2.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Real Networks Helix Server Unspecified Remote Heap Buffer Overflow
  • Description: Real Networks Helix Server is a multi-format, cross-platform streaming server. The application is exposed to a remote heap-based buffer overflow issue. Helix Server version 11.1.6 is affected. Other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/27122

  • 08.2.14 - CVE: CVE-2008-0061
  • Platform: Cross Platform
  • Title: MaraDNS Malformed Packet Remote Denial of Service
  • Description: MaraDNS is an open-source DNS server application. The application is exposed to a remote denial of service issue when handling malformed DNS packets. Please refer to the link below for further information.
  • Ref: http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html

  • 08.2.15 - CVE: CVE-2007-6599
  • Platform: Cross Platform
  • Title: OpenAFS Fileserver Denial of Service
  • Description: OpenAFS is an open-source implementation of the AFS network filesystem protocol. It is available for many platforms including Microsoft Windows, UNIX, Linux, and other UNIX-like operating systems. The application is exposed to a denial of service condition due to a race condition error when tracking client callbacks on files. Specifically, the handler for the "GiveUpAllCallBacks" RPC does not properly use the "host_glock" "pthread" lock to safely access internally held linked lists with callback details. OpenAFS versions 1.3.50-1.4.5 and 1.5.0-1.5.27 are affected.
  • Ref: http://www.openafs.org/security/OPENAFS-SA-2007-003.txt

  • 08.2.16 - CVE: CVE-2007-6612
  • Platform: Cross Platform
  • Title: Mongrel "DirHandler" Class Directory Traversal Information Disclosure
  • Description: Mongrel is an HTTP server implemented in Ruby and available for a variety of platforms. The application is exposed to an information disclosure issue because it fails to sufficiently sanitize user-supplied input. Specifically, the issue occurs in the "DirHandler" class in the "lib/mongrel/handlers.rb" script and can be exploited by supplying the "/.%252e" directory-traversal sequences in URIs. Mongrel version 1.0.4 and versions prior to 1.1.3 are affected.
  • Ref: http://rubyforge.org/pipermail/mongrel-users/2007-December/004733.html
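
The "/.%252e" sequence in the Mongrel entry above is a double-encoded "/..": one percent-decode yields "/.%2e", and only a second decode yields "/..", so a static-file handler that decodes once and then looks for ".." lets it through. The following is an added example, not Mongrel's code, showing that flawed pattern next to a hardened path check; the document root and request paths are constructed for illustration.

```ruby
# Added illustration (not Mongrel's DirHandler): a naive traversal check
# beside a hardened one that closes the double-encoding gap.

# Decode %XX sequences exactly once; everything else is left untouched.
def percent_decode_once(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Naive check modelled on the failure mode: decode once, then look for "..".
# "/.%252e/x" decodes to "/.%2e/x", contains no "..", and is wrongly allowed.
def naive_allowed?(request_path)
  !percent_decode_once(request_path).include?("..")
end

# Hardened check (constructed for this example):
#  1. decode once; if any "%" survives, the client sent a double-encoded or
#     malformed escape, which no legitimate static-file request needs;
#  2. reject embedded NUL, which would truncate the path at the C level;
#  3. join the decoded path onto the document root, collapse "." and ".."
#     lexically, and require the result to remain under the root.
# Returns the resolved filesystem path, or nil when the request is rejected.
def resolve_under_root(root, request_path)
  decoded = percent_decode_once(request_path)
  return nil if decoded.include?("%")   # double encoding or bad escape
  return nil if decoded.include?("\0")  # NUL truncation
  root = File.expand_path(root)
  # File.join keeps "~" out of the leading position, so expand_path never
  # expands it as a home directory.
  target = File.expand_path(File.join(root, decoded))
  # A bare prefix test is not enough: "/var/www2" starts with "/var/www".
  return nil unless target == root || target.start_with?(root + "/")
  target
end

if __FILE__ == $0
  root = "/var/www/static"  # constructed document root
  samples = ["/index.html", "/img/../index.html", "/.%252e/etc/passwd",
             "/..%2f..%2fetc/passwd", "/%2e%2e/etc/passwd", "/a%00.html"]
  samples.each do |p|
    puts format("%-24s naive=%-5s hardened=%s", p, naive_allowed?(p),
                resolve_under_root(root, p).inspect)
  end
end
```

The naive check accepts "/.%252e/etc/passwd" while the hardened check rejects it; "/img/../index.html" is still served because the collapsed path stays inside the root.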

  • 08.2.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SeattleLab SLNet RF Telnet Server NULL-Pointer Dereference Denial of Service
  • Description: SLNet RF is a telnet server for Windows servers. The application is exposed to a denial of service issue because it fails to adequately sanitize user-supplied input. SLNet RF version 4.1 is affected.
  • Ref: http://aluigi.altervista.org/adv/slnetmsg-adv.txt

  • 08.2.18 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Camtasia Studio "csPreloader" Cross-Site Scripting
  • Description: Camtasia Studio is a screen recorder application for use on Microsoft Windows. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied data. The issue occurs in the "csPreloader" parameter, which allows arbitrary SWF (Adobe Flash) files to be loaded to the application.
  • Ref: http://www.securityfocus.com/archive/1/485722

  • 08.2.19 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: phpWebSite Search Module Cross-Site Scripting
  • Description: phpWebSite is a web-based content management system. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "search" parameter of the search module. phpWebSite version 1.4.0 is affected.
  • Ref: http://www.securityfocus.com/archive/1/485704

  • 08.2.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Atlassian JIRA "500page.jsp" Cross-Site Scripting
  • Description: Atlassian JIRA is a web-based issue tracking system. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "500page.jsp" script. This affects all issue actions. JIRA versions 3.6.4, 3.6.5, 3.10.2, 3.11 and 3.12 are affected.
  • Ref: http://www.dovecot.org/list/dovecot-news/2007-December/000057.html

  • 08.2.21 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: W3-mSQL Error Page Cross-Site Scripting
  • Description: W3-mSQL is an HTML scripting application implemented in Perl. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input when displaying URI address data in an error page.
  • Ref: http://www.securityfocus.com/archive/1/485736

  • 08.2.22 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: InstantSoftwares Dating Site "login_form.asp" Cross-Site Scripting
  • Description: InstantSoftwares Dating Site is a web-based dating application implemented in ASP. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "msg" parameter of the "login_form.asp" script.
  • Ref: http://www.securityfocus.com/bid/27121

  • 08.2.23 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: WordPress Multiple Cross-Site Scripting Vulnerabilities
  • Description: WordPress is a web-based publishing application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/484818

  • 08.2.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: AwesomeTemplateEngine Multiple Cross-Site Scripting Vulnerabilities
  • Description: AwesomeTemplateEngine is a PHP-based content manager. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. AwesomeTemplateEngine version 1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/485786

  • 08.2.25 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PRO-Search Index.PHP Multiple Cross-Site Scripting Vulnerabilities
  • Description: PRO-Search is a search engine application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input of the "index.php" script. PRO-Search version 0.17 is affected.
  • Ref: http://www.securityfocus.com/archive/1/484818

  • 08.2.26 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: ExpressionEngine HTTP Response Splitting and Cross-Site Scripting Vulnerabilities
  • Description: ExpressionEngine is a content management system. The application is exposed to an HTTP response splitting issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "URL" parameter of the "index.php" script. ExpressionEngine version 1.2.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/485786

  • 08.2.27 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: ClipShare "uprofile.php" SQL Injection
  • Description: ClipShare is a PHP-based application that allows users to develop video sharing websites. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "UID" parameter of the "uprofile.php" script before using it in an SQL query.
  • Ref: http://www.securityfocus.com/bid/27108

  • 08.2.28 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: WebPortal CMS "index.php" SQL Injection
  • Description: WebPortal CMS is a web-based content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "m" parameter of the "index.php" script before using it in an SQL query. WebPortal CMS version 0.6.0 is affected.
  • Ref: http://www.securityfocus.com/bid/27088

  • 08.2.29 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Pragmatic Utopia PU Arcade "fid" parameter SQL Injection
  • Description: PU Arcade is an Arcade component for the Joomla! content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "fid" parameter of the PU Arcade component. PU Arcade versions 2.0.3 and 2.1.3 Beta are affected.
  • Ref: http://www.securityfocus.com/bid/27089

  • 08.2.30 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Site@School "slideshow_full.php" SQL Injection
  • Description: Site@School is a PHP-based content manager for primary schools. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "album_name" parameter of the "/starnet/addons/slideshow_full.php" script before using it in an SQL query. Site@School version 2.3.10 is affected.
  • Ref: http://www.securityfocus.com/bid/27120

  • 08.2.31 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Nucleus CMS "myid" Parameter SQL Injection Weakness
  • Description: Nucleus CMS is a PHP-based content manager. The application is exposed to an SQL injection weakness because it fails to sufficiently sanitize user-supplied data via the "myid" parameter used during the "addcoment" action (and possibly other actions) before using it in an SQL query. Nucleus CMS version 3.01 is affected.
  • Ref: http://www.securityfocus.com/archive/1/485784

  • 08.2.32 - CVE: Not Available
  • Platform: Web Application
  • Title: MODx "AjaxSearch.php" Local File Include
  • Description: MODx is a PHP-based content management system framework. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "as_language" parameter of the "/assets/snippets/AjaxSearch/AjaxSearch.php" script. MODx version 0.9.6.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/485707

  • 08.2.33 - CVE: Not Available
  • Platform: Web Application
  • Title: Plone "LiveSearch" Module HTML Injection
  • Description: Plone is a content management system implemented in Python. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input data. The vulnerability exists in the "LiveSearch" module. Specifically the application fails to sanitize user-supplied input to the "Description" form field parameter when creating a new item. Plone versions 3.0.3 and earlier are affected.
  • Ref: http://dev.plone.org/plone/ticket/7439

  • 08.2.34 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB "admin_group.php" HTML Injection
  • Description: phpBB is a PHP-based bulletin board application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "Group description" form field parameter of the "admin_groups.php" script. phpBB version 2.0.22 is affected.
  • Ref: http://www.securityfocus.com/bid/27104

  • 08.2.35 - CVE: Not Available
  • Platform: Web Application
  • Title: AGENCY4NET WEBFTP "download2.php" Local File Include
  • Description: AGENCY4NET WEBFTP is a web-based FTP client. The application is exposed to a local file include issue because it fails to sufficiently sanitize user-supplied input to the "file" parameter of the "download2.php" script.
  • Ref: http://www.securityfocus.com/bid/27092

  • 08.2.36 - CVE: Not Available
  • Platform: Web Application
  • Title: Atlassian JIRA Multiple Security Bypass Weaknesses
  • Description: Atlassian JIRA is a web-based issue tracking system. The application is exposed to multiple issues. A security bypass issue exists because the first page of the Setup Wizard can be accessed by unauthorized users to change the default language settings, and a security bypass weakness allows users to delete filters that are shared but not owned by them. JIRA versions prior to 3.12.1 are affected.
  • Ref: http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2007-12-24

  • 08.2.37 - CVE: Not Available
  • Platform: Web Application
  • Title: MODx "htcmime.php" Source Code Information Disclosure
  • Description: MODx is a PHP-based content management system framework. The application is exposed to an issue that allows attackers to access source code because it fails to properly sanitize user-supplied input. Specifically, this issue affects the "file" parameter of the "/assets/js/htcmime.php" script. MODx version 0.9.6.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/485707

  • 08.2.38 - CVE: Not Available
  • Platform: Web Application
  • Title: MyPHP Forum "Search.php" and Multiple Unspecified SQL Injection Vulnerabilities
  • Description: MyPHP Forum is a PHP-based web application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data. Specifically, the "searchtext" parameter of the "Search.php" script is not sanitized before being used in an SQL query. MyPHP Forum version 3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/27118

  • 08.2.39 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP-Nuke "CAPTCHA" Registration Automation Multiple Security Bypass Weaknesses
  • Description: PHP-Nuke is a web-based content management system (CMS) implemented in PHP. The application is exposed to multiple security-bypass weaknesses because it fails to properly sanitize user-supplied input. The weaknesses exist in the "CAPTCHA" process when registering users. Specifically, the application allows users to use the same "gfx_check" and "random_number" parameters or NULL characters when creating new users. PHP-Nuke version 8.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/485784

  • 08.2.40 - CVE: Not Available
  • Platform: Web Application
  • Title: eTicket "newticket.php" Multiple Cross-Site Scripting Vulnerabilities
  • Description: eTicket is an electronic ticket system. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the "name" and "subject" parameters of the "newticket.php" script. eTicket versions 1.5.6-RC3, 1.5.6-RC2 and 1.5.5.2 are affected.
  • Ref: http://www.digitrustgroup.com/advisories/web-application-security-eticket.html

(c) 2008. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.