RISK: The Consensus Security Vulnerability Alert Vol. 2 No. 52

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Wed Dec 24 2003 - 09:18:55 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

***********************************************************************
           RISK: The Consensus Security Vulnerability Alert
December 24, 2003 Vol. 2. Week 52
***********************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week
Category - # of Updates & Vulnerabilities (Found in Part I or Part II)
- -----------------------------------------------------------------------
Other Microsoft Products - 1 (II)
Third Party Windows Apps - 10 (I & II)
Mac Os - 1 (II)
Linux - 1 (II)
UNIX - 5 (II)
Web Applications - 15 (I & II)
Network Device - 3 (II)

Part I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint
(www.tippingpoint.com) as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed
description on the process may be found at
http://www.sans.org/newsletters/cva/#process

Archives at http://www.sans.org/newsletters/

Table of Contents

Contents of Part I

Widely Deployed Software
(1) LOW: lftp Client Buffer Overflows

Other Software
(2) HIGH: Dameware Mini Remote Control Server Buffer Overflow
(3) HIGH: SiteInteractive SubscribeMe Remote Command Execution
(4) MODERATE: DUware DUportal Multiple Vulnerabilities
(5) MODERATE: Various PHP Software Remote File Include Vulnerabilities

*************** Sponsored By SANS 2004 This Week ************************

Announcing: SANS2004, The First Security Mega Conference
April 1 - 9, at the Dolphin at Disneyland in Orlando, Florida

In the most substantial advance in security training in the past six
years, SANS has expanded its security education programs to more than
600 hours of unique training and education programs for:
 --Security Technologists (five new programs)
 --Auditors (four extraordinary tracks)
 --Security Managers and Security Officers (three great tracks)
Plus new programs on the legal aspects of security, on ISO 17799, on
E-Warfare and many more. Even the world's only training program on the
newest developments in hacker exploits. Plus evening sessions and a
great vendor exposition. A complete list of the training programs is at
the end of this issue. Get the full program and register before your
favorite courses fill up (SANS annual conference sessions always fill
faster than any of our other programs.)
http://www.sans.org/sans2004

===========================
Widely Deployed Software
============================

(1) LOW: lftp Client Buffer Overflows
Affected Products: lftp versions 2.3.0, 2.4.9, 2.6.6, 2.6.7,
2.6.8, 2.6.9 and potentially other versions

*Description: lftp is a sophisticated open source FTP/HTTP client that
can perform file transfers via six different protocols: ftp, ftps, http,
https, ftp-over-http-proxy and fish. Two buffer overflow vulnerabilities
have been identified in lftp, specifically in the functions
try_netscape_proxy() and try_squid_eplf(). Both flaws allow a malicious
server to execute arbitrary code on a vulnerable client system.
Exploitation can occur if an lftp user connects to a hostile server
using HTTP or HTTPS, and then issues an "ls" or "rels" command to view
the contents of a directory. Technical details are available but no
exploit code has been posted.

*Status: The problem is reportedly fixed in version 2.6.10. A patch for
version 2.6.9 has also been made available. Several Linux vendors have
released fixed packages.

*Council Site Actions: Only two of the reporting council sites are
running the affected software. Both sites plan to upgrade to version
2.6.10 during the next regularly scheduled system update process.

*References:
Posting by Ulf Harnhammar
  http://archives.neohapsis.com/archives/bugtraq/2003-12/0229.html
Secunia Advisory
  http://archives.neohapsis.com/archives/secunia/2003-q4/0523.html
Vendor Web Page
  http://lftp.yar.ru/
Securiteam Posting
  http://www.securiteam.com/unixfocus/6S00H1595E.html
SecurityFocus BIDs
  http://www.securityfocus.com/bid/9212
  http://www.securityfocus.com/bid/9210

=========================
Other Software
=========================

(2) HIGH: Dameware Mini Remote Control Server Buffer Overflow
Affected Products: Dameware Mini Remote Control Server versions prior
to 3.73

*Description: Dameware is a lightweight program used to remotely manage
desktop systems. The Dameware daemon, which listens on port 6129/tcp by
default, contains a buffer overflow vulnerability in a section of code
responsible for handling user authentication. The flaw can be exploited
remotely by unauthenticated attackers to execute arbitrary code with
the privileges of the Dameware application. Exploit code has been posted
and CERT has received reports of active exploitation in the wild. Note
that attackers often install Dameware on compromised systems as a
backdoor program.

*Status: The problem is fixed in versions 3.73 and later.

*Council Site Actions: Three of the reporting council sites are taking
action on this vulnerability. One site chose only to send out an
announcement to affected users. Another site will upgrade to version
3.73 at a later date; it has only a few servers and they are not
externally accessible. The third site stated that they probably have
dozens of installations of Dameware software in their environment.
However, all or nearly all of the installations were most likely
performed by intruders. They will actively try to locate any
installations and plan to disconnect and rebuild the machine, regardless
of whether the Dameware software is or isn't vulnerable.

*References:
Posting by wirepair
  http://archives.neohapsis.com/archives/bugtraq/2003-12/0221.html
  http://www.securiteam.com/windowsntfocus/6N00B1P95I.html
CERT Vulnerability Note
  http://www.kb.cert.org/vuls/id/909678
Secunia Advisory
  http://archives.neohapsis.com/archives/secunia/2003-q4/0536.html
Exploit code by Adik
  http://archives.neohapsis.com/archives/bugtraq/2003-12/0286.html
  http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3706.html
  http://www.securiteam.com/exploits/6R00L0K95W.html
Exploit code posted by sh0dan.org
  http://sh0dan.org/files/dwmrcexp.c
Vendor Web Page
  http://www.dameware.com
SecurityFocus BID
  http://www.securityfocus.com/bid/9213

- --------------------------------------------------------
(3) HIGH: SiteInteractive SubscribeMe Remote Command Execution
Affected Products: SiteInteractive SubscribeMe Pro/Enterprise

*Description: Two vulnerabilities have been reported in SubscribeMe
Pro/Enterprise, a commercial mailing list management software for web
servers. By exploiting the flaws together, remote attackers can execute
arbitrary shell commands on a SubscribeMe server. An attack relies on
invoking the "setup.pl" script with parameters that trick the server
into thinking that the software has just been installed and is being
configured for the first time. The technical details required for
exploitation have been posted.

*Status: The vendor has reportedly been notified but has not
responded/confirmed. A workaround is suggested in the advisory.

*Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

*References:
Posting by Paul Craig
  http://archives.neohapsis.com/archives/bugtraq/2003-12/0287.html
Secunia Advisory
  http://archives.neohapsis.com/archives/secunia/2003-q4/0569.html
Securiteam Posting
  http://www.securiteam.com/unixfocus/6S00M0K95E.html
Vendor Product Page
  http://www.siteinteractive.com/subpro/
SecurityFocus BID
  http://www.securityfocus.com/bid/9253

- ------------------------------------------
(4) MODERATE: DUware DUportal Multiple Vulnerabilities
Affected Products: DUware DUportal 3.0, DUportal 3.0 SQL,
DUportal Pro 3.2, and DUportal Pro 3.2 SQL

*Description: Multiple vulnerabilities have been reported in DUportal,
a commercial web portal and online community software. The most serious
problem arises from a lack of sanity checking when performing file
uploads, and allows remote attackers to execute arbitrary code on the
DUportal server. Other problems allow attackers to seize control of
arbitrary user accounts including the administrative account. In
general, DUportal is reported to suffer from a number of security
weaknesses due to a pervasive dependence on client-side data validation.
The technical details required for exploitation have been posted.

*Status: The vendor has reportedly confirmed and plans to release fixes
in the next version of the software. No patch releases are planned.

*Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.

*References:
Postings and Demonstration Exploits by JeiAr
  http://archives.neohapsis.com/archives/bugtraq/2003-12/0239.html
  http://www.gulftech.org/vuln/DUd3.html
Secunia Advisory
  http://archives.neohapsis.com/archives/secunia/2003-q4/0552.html
Securiteam Posting
  http://www.securiteam.com/windowsntfocus/6A00B2A96I.html
Vendor Product Page
  http://www.duware.com/products/category.asp?iCat=8&nCat=Portal%20&%20Site
SecurityFocus BID
  http://www.securityfocus.com/bid/9246

- ---------------------------------------------------------
(5) MODERATE: Various PHP Software Remote File Include Vulnerabilities

Affected Software:
W-Agora web publishing software, versions prior to 4.1.6
Solmetra SPAW Editor, versions prior to 1.0.4
Double Choco Latte issue tracking software, versions prior to 0.9.4
BES-CMS PHP web publishing software, versions prior to 0.5rc4

*Description: The following software packages have been reported to
contain one or more PHP file include vulnerabilities: W-Agora, Solmetra
SPAW Editor, Double Choco Latte and BES-CMS. Web servers running
affected versions of these packages are vulnerable to compromise by
remote attackers. Each flaw allows for the execution of arbitrary
attacker-supplied code.

*Status: In all cases, the relevant vendor has confirmed the issue(s)
and users should upgrade to the indicated non-vulnerable version of the
software.

*Council Site Actions: The affected software packages are not in
production or widespread use at any of the council sites. They reported
that no action was necessary.

*References:
W-Agora web publishing software
 http://archives.neohapsis.com/archives/secunia/2003-q4/0527.html
 http://www.securityfocus.com/bid/9226
Solmetra SPAW Editor
 http://archives.neohapsis.com/archives/secunia/2003-q4/0551.html
 http://www.securityfocus.com/bid/9247
Double Choco Latte issue tracking software
 http://archives.neohapsis.com/archives/secunia/2003-q4/0576.html
 http://www.securityfocus.com/bid/9235
BES-CMS PHP web publishing software
 http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0071.html
 http://archives.neohapsis.com/archives/secunia/2003-q4/0575.html
 http://www.securiteam.com/unixfocus/6S00L0K96S.html
 http://www.securityfocus.com/bid/9268
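The file include class above is easiest to see as code. The following Python is an added example, not code from the newsletter or from W-Agora, SPAW Editor, Double Choco Latte or BES-CMS: it models the PHP pattern of including whatever file a request parameter names, shows the allowlist design that removes the parameter's ability to carry a path or URL at all, and adds a check over web server access-log lines for the URL-valued parameter that a remote file include attempt leaves behind. INCLUDE_MAP, BASE_DIR, the page names and the log lines are all constructed for the illustration.

```python
"""Added example (not code from the newsletter or from W-Agora, SPAW Editor,
Double Choco Latte or BES-CMS): the defensive side of a PHP-style
"include the file named in the request" feature, plus a detector for the
request shape that targets it.  Paths, names and log lines are constructed."""
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the request chooses a key; the server chooses the
# file.  A remote URL, an absolute path or a ../ sequence is simply not a key.
INCLUDE_MAP = {
    "home": "pages/home.php",
    "news": "pages/news.php",
    "contact": "pages/contact.php",
}
BASE_DIR = Path("/var/www/app")   # hypothetical application root


class IncludeError(ValueError):
    """Raised when the request names something that is not an allowed page."""


def resolve_include(page_param: str) -> Path:
    """Map the 'page' request parameter to a file under BASE_DIR.

    The vulnerable pattern is include($_GET['page']) with URL file access
    enabled, which lets the parameter name a remote script.  Looking the
    value up in a fixed map means it can never carry a path or URL.
    """
    try:
        relative = INCLUDE_MAP[page_param]
    except KeyError:
        raise IncludeError(f"unknown page {page_param!r}") from None
    return BASE_DIR / relative


def is_allowed(page_param: str) -> bool:
    """True if resolve_include() would accept the value."""
    try:
        resolve_include(page_param)
    except IncludeError:
        return False
    return True


# --- detection: URL-valued query parameters in web server access logs -------

# A query-string value that is itself a URL (scheme://...) is the usual
# signature of a remote file include attempt against any parameter.
_URL_VALUE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def rfi_suspects(access_log_lines):
    """Return (client_ip, parameter, value) for each URL-valued parameter.

    Expects common/combined log format lines:
    ip - - [timestamp] "GET /path?query HTTP/1.1" status bytes
    """
    hits = []
    for line in access_log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue                      # not a request line we understand
        client_ip, target = parts[0], parts[6]
        query = urlsplit(target).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if _URL_VALUE.match(value):
                    hits.append((client_ip, param, value))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Dec/2003:09:18:55 -0600] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '203.0.113.5 - - [24/Dec/2003:09:19:01 -0600] "GET /index.php?page=http://203.0.113.5/x.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [24/Dec/2003:09:19:30 -0600] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 300',
]

if __name__ == "__main__":
    for p in ("home", "http://203.0.113.5/x.txt", "../../etc/passwd"):
        print(f"{p!r:35} allowed={is_allowed(p)}")
    for hit in rfi_suspects(SAMPLE_LOG):
        print("RFI suspect:", hit)
```

The allowlist is stricter than filtering: a filter has to anticipate every encoding of ".." and "://", while a map lookup accepts only the keys it was given. The log check is a coarse triage aid; any parameter whose value is a URL deserves a look regardless of which application sits behind it.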

______________________________________________________________________

PART II
Weekly Comprehensive List of Newly Discovered Vulnerabilities
                       Week 52 2003
_____________________________________________________________________

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3136 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that can not be scanned remotely.
______________________________________________________________________

Summary of Updates and Vulnerabilities in this Consensus

Platform                   Number of Updates and Vulnerabilities

- ------------------------ -------------------------------------

Other Microsoft Products   1
Third Party Windows Apps   10
Mac Os                     1
Linux                      1
Unix                       5
Web Application            15
Network Device             3

______________________________________________________________________

03.52.1 - Other Microsoft Products - Microsoft Internet Explorer File
Download Warning Bypass Vulnerability
03.52.2 - Third Party Windows Apps - ECW-Shop Cross-Site Scripting
Vulnerability
03.52.3 - Third Party Windows Apps - Openwares.org Internet Explorer
Patch Buffer Overrun Vulnerability
03.52.4 - Third Party Windows Apps - PY Software Active Webcam
Directory Traversal Vulnerability
03.52.5 - Third Party Windows Apps - PY Software Active Webcam
Cross-Site Scripting Vulnerability
03.52.6 - Third Party Windows Apps - PlatinumFTPServer Format String
Vulnerability
03.52.7 - Third Party Windows Apps - AOL Instant Messenger Buddy Icon
Warning Denial Of Service Vulnerability
03.52.8 - Third Party Windows Apps - Kerio Personal Firewall
Unspecified Firewall Bypassing Issue
03.52.9 - Third Party Windows Apps - Multiple Vulnerabilities in
DUware DUportal
03.52.10 - Third Party Windows Apps - Ipswitch WS_FTP Server Remote
Denial Of Service
03.52.11 - Third Party Windows Apps - DCAM WebCam Server Directory
Traversal Vulnerability
03.52.12 - Mac Os - MacOS X ASN.1 Decoding Denial Of Service
Vulnerability
03.52.13 - Linux - P3Scan Attachment Scanning Bypass Vulnerability
03.52.14 - Unix - Security Auditor Research Assistant HTML Injection
Vulnerability
03.52.15 - Unix - Tcpdump L2TP Parser Denial Of Service Vulnerability
03.52.16 - Unix - Dada Mail Blank Password Authentication Bypass
03.52.17 - Unix - Dada Mail Subscription Confirmation Spoofing
03.52.18 - Unix - sipd Remote Format String Vulnerability
03.52.19 - Web Application - Multiple ASPapp Vulnerabilities
03.52.20 - Web Application - Autorank SQL Injection Vulnerability
03.52.21 - Web Application - BES-CMS PHP File Include Vulnerability
03.52.22 - Web Application - Xoops MyLinks Myheader.php Cross-Site
Scripting Vulnerability
03.52.23 - Web Application - SiteInteractive Subscribe Me Command
Execution Vulnerability
03.52.24 - Web Application - Elektropost EPIServer Multiple
Vulnerabilities
03.52.25 - Web Application - SOLMETRA SPAW Editor Remote File Include
Vulnerability
03.52.26 - Web Application - Double Choco Latte Remote File Include
Vulnerability
03.52.27 - Web Application - osCommerce Cross-Site Scripting
Vulnerability
03.52.28 - Web Application - BN Soft BoastMachine Comment Form HTML
Injection Vulnerability
03.52.29 - Web Application - ProjectForum Denial of Service
Vulnerability
03.52.30 - Web Application - ProjectForum HTML Injection
Vulnerability
03.52.31 - Web Application - osCommerce products_id SQL Injection
Vulnerability
03.52.32 - Web Application - osCommerce manufacturers_id Cross-Site
Scripting Vulnerability
03.52.33 - Web Application - My Little Forum Cross-Site Scripting
Vulnerability
03.52.34 - Network Device - CyberGuard Firewall/VPN 5.1 Cross-Site
Scripting Issue
03.52.35 - Network Device - Xerox_MicroServer/Xerox11 Directory
Traversal Vulnerability
03.52.36 - Network Device - SEH InterCon Smart PrintServer
Configuration Access
______________________________________________________________________

03.52.1

CVE: Not Available

Platform: Other Microsoft Products

Title: Microsoft Internet Explorer File Download Warning Bypass
Vulnerability

Description: A vulnerability has been reported for Microsoft Internet
Explorer which allows an attacker, by simply renaming the files in a
certain way, to trick the browser into bypassing the security warning
displayed before downloading executable files (such as .exe or .bat
files).
Ref: http://www.securityfocus.com/archive/1/348225

______________________________________________________________________

03.52.2
CVE: Not Available
Platform: Third Party Windows Apps
Title: ECW-Shop Cross-Site Scripting Vulnerability
Description: ECW-Shop is an e-commerce package for Microsoft Windows.
It is prone to a cross-site scripting attack through data supplied via
the 'cat' parameter in the URL. Attackers could construct links which
would render malicious code in a user's browser.
Ref: http://www.secunia.com/advisories/10458/
______________________________________________________________________

03.52.3
CVE: Not Available
Platform: Third Party Windows Apps
Title: Openwares.org Internet Explorer Patch Buffer Overrun
Vulnerability
Description: Openwares has released a patch to fix a browser URL
obfuscation problem with Internet Explorer; however, it has been
reported that this patch is itself vulnerable to a buffer overflow
issue. An attacker could potentially exploit this vulnerability to
execute arbitrary code on the affected browser, or merely deny service
to the user.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/3683.html
______________________________________________________________________

03.52.4
CVE: Not Available
Platform: Third Party Windows Apps
Title: PY Software Active Webcam Directory Traversal Vulnerability
Description: Active Webcam is an application used for sharing video
streams from webcams; it includes a built-in web server. This web server
may allow a remote attacker to traverse outside the server root
directory using '../' or '..' sequences in the URL.
Ref: http://aluigi.altervista.org/adv/activecam-adv.txt
______________________________________________________________________

03.52.5
CVE: Not Available
Platform: Third Party Windows Apps
Title: PY Software Active Webcam Cross-Site Scripting Vulnerability
Description: Active Webcam is an application used for sharing video
streams from webcams; it includes a built-in web server. This web server
suffers from a cross-site scripting issue in error pages which may be
exploited by malicious users to execute HTML code in a target's
browser.
Ref: http://aluigi.altervista.org/adv/activecam-adv.txt
______________________________________________________________________

03.52.6
CVE: Not Available
Platform: Third Party Windows Apps
Title: PlatinumFTPServer Format String Vulnerability
Description: PlatinumFTPServer is an FTP server for Microsoft Windows
systems. It has been reported that many of the FTP commands are
vulnerable to format string attacks, including "user", "mkdir" and
"rename". Format string vulnerabilities may be exploited to kill the
server process, and in some cases code execution may be possible.
Ref: http://www.securityfocus.com/bid/9262
______________________________________________________________________

03.52.7
CVE: Not Available
Platform: Third Party Windows Apps
Title: AOL Instant Messenger Buddy Icon Warning Denial Of Service
Vulnerability
Description: AOL Instant Messenger (AIM) suffers from an issue that
may allow malicious parties to deny the availability of the service to
other users. It is possible for malicious users to raise the warning
level of other users until they are unable to use the service.
Normally a warning can only be issued if a message has been sent by the
victim; however, it is possible to bypass this limitation by exploiting
a flaw in the buddy icon implementation.
Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0288.html
______________________________________________________________________

03.52.8
CVE: Not Available
Platform: Third Party Windows Apps
Title: Kerio Personal Firewall Unspecified Firewall Bypassing Issue
Description: Kerio Personal Firewall (KPF) is a desktop firewall
solution for Microsoft Windows that performs stateful packet
inspection. It has been discovered that certain types of stealth TCP
scans will bypass the firewall filtering, allowing an attacker to gain
information about open ports on a supposedly protected host.
Ref: http://www.kerio.com/kpf_releasehistory.html
______________________________________________________________________

03.52.9
CVE: Not Available
Platform: Third Party Windows Apps
Title: Multiple Vulnerabilities in DUware DUportal
Description: DUware DUportal is a web-based portal application
for the Microsoft Windows operating system. Multiple vulnerabilities
have been identified in the software including remote code execution,
file upload, unauthorised access and cross-site scripting.
Ref: http://www.gulftech.org/vuln/DUd3.html
______________________________________________________________________

03.52.10
CVE: Not Available
Platform: Third Party Windows Apps
Title: Ipswitch WS_FTP Server Remote Denial Of Service
Description: Ipswitch WS_FTP Server is an FTP server for Microsoft
Windows. It has been reported that a resource consumption issue with
the software may lead to a denial of service condition. The issue can
be exploited by any user able to use the 'CWD' and 'MKD' commands.
Ref: http://www.securityfocus.com/bid/9237
______________________________________________________________________

03.52.11
CVE: Not Available
Platform: Third Party Windows Apps
Title: DCAM WebCam Server Directory Traversal Vulnerability
Description: DCAM WebCam Server is a webcam server. Due to this
vulnerability, a remote user can traverse outside the server root
directory by using '.' character sequences.
Ref: http://aluigi.altervista.org/adv/dcam-adv.txt
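Entries 03.52.4 and 03.52.11 share one root cause: a small built-in web server joins the URL path to its document root without normalising it. The Python below is an added example, not code from Active Webcam, DCAM WebCam Server or any other product in this list; it places the naive concatenation next to a resolver that decodes once, drops '.' segments, refuses '..' segments and then confirms containment at a path-component boundary. The document root and the request paths are constructed for the illustration.

```python
"""Added example (not code from Active Webcam, DCAM WebCam Server or any other
product named in the newsletter): mapping a request path onto a document
root, next to the naive concatenation behind entries 03.52.4 and 03.52.11.
Root directory and request paths are constructed."""
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Request path would leave the document root."""


def naive_resolve(root: str, url_path: str) -> str:
    """The flawed pattern: glue the URL path onto the root and open it.
    '../' (or a bare '..') segments walk straight out of root."""
    return root.rstrip("/") + "/" + url_path.lstrip("/")


def safe_resolve(root: str, url_path: str) -> str:
    """Decode once, normalise, refuse any '..' segment, rebuild under root.

    Decoding exactly once matters: %2e%2e must be recognised as '..', but
    decoding again later would re-open the hole for %252e sequences.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    # Servers on Windows also accept '\' as a separator; treat it the same.
    segments = decoded.replace("\\", "/").split("/")
    clean = []
    for seg in segments:
        if seg in ("", "."):
            continue                    # empty and '.' segments are no-ops
        if seg == "..":
            raise TraversalError(f"traversal in {url_path!r}")
        clean.append(seg)
    return posixpath.join(root, *clean)


def within_root(root: str, candidate: str) -> bool:
    """Second line of defence for a path built anywhere else: after
    normalisation the candidate must share root as a common prefix at a
    path-component boundary.  A plain string-prefix test would wrongly
    accept /srv/webcam2/... for root /srv/webcam."""
    root_n = posixpath.normpath(root)
    cand_n = posixpath.normpath(candidate)
    return posixpath.commonpath([root_n, cand_n]) == root_n


def is_safe_request(root: str, url_path: str) -> bool:
    """True if the request resolves to a location inside root."""
    try:
        resolved = safe_resolve(root, url_path)
    except TraversalError:
        return False
    return within_root(root, resolved)


ROOT = "/srv/webcam"    # hypothetical document root

if __name__ == "__main__":
    for req in ("/images/cam1.jpg", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/a/../../x"):
        print(f"{req:30} naive={naive_resolve(ROOT, req):40} "
              f"safe={is_safe_request(ROOT, req)}")
```

Refusing every '..' segment is deliberately stricter than resolving it: a legitimate client never needs to climb, and the strict rule is immune to the encoding games that a "resolve then compare" approach has to get exactly right.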
______________________________________________________________________

03.52.12
CVE: Not Available
Platform: Mac Os
Title: MacOS X ASN.1 Decoding Denial Of Service Vulnerability
Description: A vulnerability has been reported in the handling of
ASN.1 sequences used in the Public Key Infrastructure (PKI)
implementation on Mac OS X. Services which use the vulnerable
implementation could potentially be crashed by an attacker delivering
specially crafted data to the server.
Ref: http://www.secunia.com/advisories/10474/
______________________________________________________________________

03.52.13
CVE: Not Available
Platform: Linux
Title: P3Scan Attachment Scanning Bypass Vulnerability
Description: P3Scan is a POP3 proxy server which scans incoming email
messages for malicious attachments. It has been reported that when
P3Scan is used with the renattach package, the software may allow
malicious code through undetected.
Ref: http://p3scan.sourceforge.net/changelog.html
______________________________________________________________________

03.52.14
CVE: Not Available
Platform: Unix
Title: Security Auditor Research Assistant HTML Injection
Vulnerability
Description: The HTTP server component of SARA does not completely
sanitise banner data received from scanned hosts when displaying it
to users; thus it is possible to inject malicious HTML into the
browser of the SARA administrator.
Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0260.html
______________________________________________________________________

03.52.15
CVE: Not Available
Platform: Unix
Title: Tcpdump L2TP Parser Denial Of Service Vulnerability
Description: Reports indicate that tcpdump 3.7 is vulnerable to a
denial of service condition in the L2TP protocol parser: specially
crafted packets can throw the parser into an infinite loop which
eventually consumes all memory resources. While this was originally
discovered on OpenBSD, it appears that tcpdump implementations on
other Unix systems are affected by the same issue.
Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0295.html
______________________________________________________________________

03.52.16
CVE: Not Available
Platform: Unix
Title: Dada Mail Blank Password Authentication Bypass
Description: Dada Mail is mailing list management software. It is
vulnerable to an issue whereby a blank list password disables
authentication; this may be an issue during software upgrades. If the
list password is blank, it is possible to successfully authenticate
using any password.
Ref: http://mojo.skazat.com/project/security-2_8_11.html
______________________________________________________________________

03.52.17
CVE: Not Available
Platform: Unix
Title: Dada Mail Subscription Confirmation Spoofing
Description: Dada Mail is mailing list management software. The
software suffers from a flaw in the way it generates
subscription confirmation PINs. The PINs are generated purely based
upon the e-mail address, thus a malicious user could spoof
confirmation e-mails for a list.
Ref: http://mojo.skazat.com/project/security-2_8_11.html
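The two Dada Mail entries (03.52.16 and 03.52.17) are authentication design flaws rather than parsing bugs, so the fix is structural. The Python below is an added example, not Dada Mail's code: a list-password check that fails closed when no password is configured, and a confirmation PIN keyed with a per-list secret so that knowing the address alone is no longer enough to forge a confirmation. The hash choices, the list secret and the sample address are constructed for the illustration.

```python
"""Added example (not Dada Mail's code): fail-closed list-password checking
and keyed subscription-confirmation PINs, modelling entries 03.52.16 and
03.52.17.  Hash choices, list secret and sample addresses are constructed."""
import hashlib
import hmac
import secrets
from typing import Optional


# --- 03.52.16: a blank configured password must not mean "no check" -------

def check_list_password(configured: Optional[str], presented: str) -> bool:
    """Return True only if a password is configured and it matches.

    The flaw was that an empty configured password disabled the check, so
    any presented value authenticated.  Treating "not configured" as a
    failure closes that gap; compare_digest avoids timing leaks.
    """
    if not configured:
        return False
    return hmac.compare_digest(configured.encode(), presented.encode())


# --- 03.52.17: the PIN must not be derivable from the address alone --------

def address_only_pin(email: str) -> str:
    """The flawed design, modelled: the PIN is a pure function of the
    address, so anyone who knows the address can produce a valid
    confirmation for it."""
    return hashlib.sha1(email.strip().lower().encode()).hexdigest()[:8]


def new_list_secret() -> bytes:
    """Per-list secret, generated once and stored with the list config."""
    return secrets.token_bytes(32)


def keyed_pin(email: str, list_secret: bytes) -> str:
    """HMAC over the address under the list secret: the address alone no
    longer determines the PIN, and the secret never leaves the server."""
    mac = hmac.new(list_secret, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def verify_pin(email: str, presented: str, list_secret: bytes) -> bool:
    """Constant-time comparison against the recomputed keyed PIN."""
    return hmac.compare_digest(keyed_pin(email, list_secret), presented)


if __name__ == "__main__":
    secret = new_list_secret()
    addr = "subscriber@example.org"   # constructed address
    print("address-only PIN, recomputable by anyone:", address_only_pin(addr))
    print("keyed PIN:", keyed_pin(addr, secret),
          "verifies:", verify_pin(addr, keyed_pin(addr, secret), secret))
    print("blank configured password accepted?",
          check_list_password("", "anything"))
```

Note that the keyed PIN is still deterministic per address and list; if a confirmation should also expire, fold a timestamp or a per-request nonce into the MAC input and store or transmit it alongside the PIN.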
______________________________________________________________________

03.52.18
CVE: Not Available
Platform: Unix
Title: sipd Remote Format String Vulnerability
Description: sipd is a SIP proxy and location server for VoIP
applications. Reports suggest that older versions are vulnerable to a
format string issue which may be triggered remotely. This has been
reported for sipd versions up to and including 0.1.4.
Ref: http://www.securityfocus.com/bid/9236
______________________________________________________________________

03.52.19
CVE: Not Available
Platform: Web Application
Title: Multiple ASPapp Vulnerabilities
Description: ASPapp ProjectApp, PortalApp and IntranetApp are ASP
based web portal packages. It has been reported that they are
vulnerable to multiple problems including privilege escalation,
account hijacking, cross-site scripting and information disclosure.
Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0274.html
______________________________________________________________________

03.52.20
CVE: Not Available
Platform: Web Application
Title: Autorank SQL Injection Vulnerability
Description: AutoRank is a PHP web application for charts. It has been
discovered that it is affected by multiple SQL injection
vulnerabilities resulting from incorrect sanitization of user data
supplied in form fields. As a result, it is possible to modify the
structure and logic of SQL queries.
Ref: http://www.gulftech.org/12182003b.php
______________________________________________________________________

03.52.21
CVE: Not Available
Platform: Web Application
Title: BES-CMS PHP File Include Vulnerability
Description: BES-CMS is a PHP based content management system. It is
vulnerable to a number of remote file include vulnerabilities which
could be exploited by an attacker to run arbitrary code on the
affected server.
Ref: http://www.security-corporation.com/advisories-024.html
______________________________________________________________________

03.52.22
CVE: Not Available
Platform: Web Application
Title: Xoops MyLinks Myheader.php Cross-Site Scripting Vulnerability
Description: Xoops is a freely available web portal software written
in PHP. It is vulnerable to a cross-site scripting vulnerability in
the 'myheader.php' file. Exploitation allows attackers to insert
arbitrary HTML code into a user's browser, potentially allowing the
theft of authentication credentials from other users; other attacks
may also be possible.
Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0303.html
______________________________________________________________________

03.52.23
CVE: Not Available
Platform: Web Application
Title: SiteInteractive Subscribe Me Command Execution Vulnerability
Description: SiteInteractive Subscribe Me is newsletter and mailing
list management software implemented in Perl, intended to be
used via a web interface. An attacker may exploit a flaw in the
'setup.pl' script to create a new 'config.pl'; this file may contain
malicious code which could ultimately be executed in the context of
the web server.
Ref: http://www.pimp-industries.com/pimp-0003.txt
______________________________________________________________________

03.52.24
CVE: Not Available
Platform: Web Application
Title: Elektropost EPIServer Multiple Vulnerabilities
Description: Elektropost EPIServer is a web content management system.
Multiple vulnerabilities have been reported for this application
including directory traversal, information disclosure, and denial of
service. These issues are the result of insufficient sanitization of
user-supplied data.
Ref: http://www.securityfocus.com/bid/9223/info/
______________________________________________________________________

03.52.25
CVE: Not Available
Platform: Web Application
Title: SOLMETRA SPAW Editor Remote File Include Vulnerability
Description: SOLMETRA SPAW Editor is a web based editor implemented in
PHP. A vulnerability exists in the software which permits attackers to
execute arbitrary PHP code on the server. A new version of the
software has been released to correct this issue.
Ref:
http://sourceforge.net/mailarchive/forum.php?thread_id=3565737&forum_id=32624
______________________________________________________________________

03.52.26
CVE: Not Available
Platform: Web Application
Title: Double Choco Latte Remote File Include Vulnerability
Description: Double Choco Latte is an open source PHP web application
for software development management. A number of remote file inclusion
vulnerabilities have been reported in many of the modules; these
vulnerabilities may be exploited to include a malicious script which
will be executed by the web server.
Ref: http://www.secunia.com/advisories/10476/
______________________________________________________________________

03.52.27
CVE: Not Available
Platform: Web Application
Title: osCommerce Cross-Site Scripting Vulnerability
Description: osCommerce is an open-source e-commerce suite implemented
in PHP. A cross-site scripting issue has been discovered which results
from incomplete sanitization of user supplied data in the 'osCsid'
parameter. Successful exploitation of this attack may allow an
attacker to steal authentication credentials from other users.
Ref: http://www.gulftech.org/12172003.php
______________________________________________________________________

03.52.28
CVE: Not Available
Platform: Web Application
Title: BN Soft BoastMachine Comment Form HTML Injection Vulnerability
Description: BoastMachine is a web-based application used for
publishing blogs and articles. Due to a problem in sanitizing of
user-supplied data in the 'Comment' form, it may be possible for an
attacker to include malicious HTML code in one of the vulnerable
fields.
Ref: http://www.systemsecure.org/forum/viewtopic.php?t=74
______________________________________________________________________

03.52.29
CVE: Not Available
Platform: Web Application
Title: ProjectForum Denial of Service Vulnerability
Description: ProjectForum is a web-based forum application. Due to a
problem in 'projectforum.exe' malicious users can cause the server to
crash by sending an excessively long string via the 'find' request to
the server.
Ref: http://www.elitehaven.net/pfbugs.txt
______________________________________________________________________

03.52.30
CVE: Not Available
Platform: Web Application
Title: ProjectForum HTML Injection Vulnerability
Description: ProjectForum is a web-based forum application. Due to
improper sanitizing of user-supplied data in the administrator login
page, the find function, and the error page, it may be possible for
an attacker to include malicious HTML code in one of the vulnerable
fields.
Ref: http://www.elitehaven.net/pfbugs.txt
______________________________________________________________________

03.52.31
CVE: Not Available
Platform: Web Application
Title: osCommerce products_id SQL Injection Vulnerability
Description: osCommerce is an open-source PHP e-commerce suite. It has
been reported that the 'default.php' script fails to validate
user-supplied input, rendering it vulnerable to a SQL injection
attack.
Ref: http://www.gulftech.org/12222003.php
______________________________________________________________________

03.52.32
CVE: Not Available
Platform: Web Application
Title: osCommerce manufacturers_id Cross-Site Scripting Vulnerability
Description: osCommerce is an open-source PHP e-commerce suite. Due to
improper sanitizing of user-supplied data in the 'manufacturers_id'
parameter passed to the default.php script, cross-site scripting
attacks can be performed against the software.
Ref: http://www.gulftech.org/12222003.php
______________________________________________________________________

03.52.33
CVE: Not Available
Platform: Web Application
Title: My Little Forum Cross-Site Scripting Vulnerability
Description: my little forum, a simple web forum, contains a
cross-site scripting vulnerability in the 'email.php' script due to
inadequate user input sanitization.
Ref: http://www.secunia.com/advisories/10489/
______________________________________________________________________

03.52.34
CVE: Not Available
Platform: Network Device
Title: CyberGuard Firewall/VPN 5.1 Cross-Site Scripting Issue
Description: CyberGuard is a Firewall/VPN application. A cross-site
scripting vulnerability has been reported in the software's web
interface. The problem exists due to incomplete sanitization of
user-supplied data, which allows an attacker to construct a URL
containing malicious HTML code.
Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0263.html
______________________________________________________________________

03.52.35
CVE: Not Available
Platform: Network Device
Title: Xerox_MicroServer/Xerox11 Directory Traversal Vulnerability
Description: Xerox_MicroServer/Xerox11 is web server software included
with the Xerox Document Centre 470, 255ST and others. It appears that
this server is vulnerable to directory traversal attacks, allowing an
attacker to access content outside of the server root directory by
using '/..' and '/.' sequences appended to a URL.
Ref: http://archives.neohapsis.com/archives/bugtraq/2003-12/0283.html
______________________________________________________________________

03.52.36
CVE: Not Available
Platform: Network Device
Title: SEH InterCon Smart PrintServer Configuration Access
Description: SEH InterCon Smart PrintServer is an IEEE 1284 compatible
device. It is reported that the location of server configuration files
can be obtained via the server, and an attacker may exploit this to
access sensitive resources.
Ref: http://www.securityfocus.com/bid/9224
______________________________________________________________________

(c) 2003. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

==END OF PART II==

Subscriptions: RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org

Copyright 2003. All rights reserved. No posting or reuse allowed,
other than as listed above, without prior written permission.
