RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 9
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert
sans.org)
Date: Thu Mar 03 2005 - 22:05:35 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Everyone who uses Computer Associates software should evaluate the
critical buffer overflows (Item 1 below).
We hope to see you at SANS 2005 in San Diego, or at the conferences in
Denver or Atlanta. Extraordinary courses for security professionals,
auditors, and managers. See details at www.sans.org
Alan
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
March 3, 2005 Vol. 4. Week 9
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:
=========================================================================
Category                      # of Updates & Vulnerabilities
-------------------------------------------------------------------------
Windows                        1
Other Microsoft Products       1
Third Party Windows Apps       7
Linux                          5
HP-UX                          1
Unix                           3
Cross Platform                13 (#1, #2, #3)
Web Application               22 (#5)
Network Device                 2 (#4)
-------------------------------------------------------------------------
**************** This Issue Sponsored By Sourcefire *********************
Sourcefire, the creators of Snort, offers a comprehensive training
curriculum that provides the Open Source Snort community with vendor
neutral training on Building and Operating Snort and Snort Rules. Learn
to use Snort effectively - understand the powerful technology and the
rules that make it work. Register before March 31st and receive a 10%
discount.
http://www.snort.org and http://www.sourcefire.com
*************************************************************************
Table of Contents:
Part I -- Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Computer Associates License Manager Buffer Overflows
(2) HIGH: RealNetworks RealPlayer SMIL Processing Buffer Overflow
Other Software
(3) HIGH: Mozilla Browsers Multiple Vulnerabilities
(4) MODERATE: Cisco ACNS DoS and Default Administrator Password
(5) MODERATE: TWiki Remote Command Execution Vulnerabilities
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Windows
05.9.1 - Computer Associates Unicenter Multiple Vulnerabilities
-- Other Microsoft Products
05.9.2 - Microsoft SharePoint Portal Remote Arbitrary File Creation
-- Third Party Windows Apps
05.9.3 - Golden FTP Server Username Remote Buffer Overflow
05.9.4 - Trillian PNG Image Buffer Overflow
05.9.5 - RaidenHTTPD Multiple Remote Vulnerabilities
05.9.6 - MercurySteam Scrapland Game Server Remote Denial of Service
05.9.7 - Stormy Studios KNet Remote Buffer Overflow
05.9.8 - BadBlue MFCISAPICommand Remote Buffer Overflow
05.9.9 - ArGoSoft FTP Server Site Copy Shortcut File Upload Vulnerability
-- Linux
05.9.10 - Debian Reportbug Multiple Information Disclosure Vulnerabilities
05.9.11 - WPA_Supplicant Remote Buffer Overflow Vulnerability
05.9.12 - DNA MKBold-MKItalic Remote Format String Vulnerability
05.9.13 - Cyrus IMAPD Multiple Remote Buffer Overflow Vulnerabilities
05.9.14 - Winace UnAce ACE Archive Multiple Remote Buffer Overflow Vulnerabilities
-- HP-UX
05.9.15 - HP-UX FTP Server Unspecified Restricted File Access
-- Unix
05.9.16 - bsmtpd Remote Command Execution
05.9.17 - ELOG Web Logbook Attached Filename Remote Buffer Overflow
05.9.18 - ProZilla Client-Side Format String Vulnerability
-- Cross Platform
05.9.19 - Computer Associates License Application Multiple Vulnerabilities
05.9.20 - PHPNews Auth.PHP Remote File Include Vulnerability
05.9.21 - RealOne/RealPlayer SMIL File Remote Buffer Overflow
05.9.22 - 427BB Multiple Cross-Site Scripting Vulnerabilities
05.9.23 - PostNuke SHOW Parameter Remote SQL Injection
05.9.24 - PaNews Multiple Input Validation Vulnerabilities
05.9.25 - WebMod Content-Length Remote Heap Overflow
05.9.26 - Mozilla Suite Multiple Remote Vulnerabilities
05.9.27 - Gaim Remote Denial of Service Vulnerability
05.9.28 - AlterPath Manager Multiple Remote Vulnerabilities
05.9.29 - phpMyAdmin Multiple File Include Vulnerabilities
05.9.30 - phpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
05.9.31 - Trend Micro VSAPI ARJ Heap Overflow
-- Web Application
05.9.32 - MercuryBoard Index.PHP SQL Injection
05.9.33 - ProjectBB Multiple Cross-Site Scripting Vulnerabilities
05.9.34 - Forumwa Multiple Remote Input Validation Vulnerabilities
05.9.35 - CutePHP CuteNews X-Forwarded-For Script Injection
05.9.36 - SafeHTML Multiple HTML Bypass Vulnerabilities
05.9.37 - PBLang Bulletin Board Personal Message Deletion Vulnerability
05.9.38 - PBLang Directory Traversal
05.9.39 - PostNuke Phoenix SQL Injection
05.9.40 - phpCOIN Multiple Remote Input Validation Vulnerabilities
05.9.41 - Mitel 3300 Web Interface Authentication Bypass
05.9.42 - PostNuke Phoenix Download Module Cross-Site Scripting
05.9.43 - phpBB Authentication Bypass Vulnerability
05.9.44 - FCKeditor For PHP-Nuke Arbitrary File Upload
05.9.45 - CIS WebServer Directory Traversal
05.9.46 - CubeCart Multiple Cross-Site Scripting Vulnerabilities
05.9.47 - phpWebSite Remote Arbitrary PHP File Upload
05.9.48 - PunBB Multiple Remote Input Validation Vulnerabilities
05.9.49 - OOApp Guestbook Multiple HTML Injection Vulnerabilities
05.9.50 - ginp File Disclosure Vulnerability
05.9.51 - TWiki ImageGalleryPlugin Shell Command Injection
05.9.52 - PBLang Bulletin Board System Cross-Site Scripting
05.9.53 - PBLang Bulletin Board HTML Injection Vulnerability
-- Network Device
05.9.54 - Symantec Gateway Security SMTP Data Leak
05.9.55 - Cisco Application and Content Networking Systems Multiple
Remote Vulnerabilities
************************ Sponsored Link *********************************
Visit Radware at the SANS Lone Star 2005 Tabletop Vendor Expo, Houston,
TX, March 11, 2005. Download DefensePro whitepaper
http://www.sans.org/info.php?id=732
*************************************************************************
______________________________________________________________________
PART I Critical Vulnerabilities
Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at
TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk
************************
Widely Deployed Software
************************
(1) CRITICAL: Computer Associates License Manager Buffer Overflows
Affected:
CA License Package versions 1.53 through 1.61.8
All CA products that use the vulnerable CA License Package on AIX, DEC,
HP-UX, Linux Intel, Linux s/390, Solaris, Windows and Apple Mac OSs are
affected.
Description: The Computer Associates License Management software, which
is bundled with most of the CA products, is designed to remotely manage
and track licenses. This software contains a client (enabled by default)
and a server component (disabled by default). Both the client and the
server components contain multiple buffer overflow vulnerabilities that
can be triggered by specially crafted commands such as "PUTOLF",
"GETCONFIG", "GCR" etc. These flaws can be exploited to execute
arbitrary code with "SYSTEM/root" privileges. eEye and iDefense
advisories describe the structure of the various licensing commands, and
how to craft malicious requests to leverage these flaws. Exploit code
has already been included in the Metasploit tool (www.metasploit.com).
Status: CA has issued updates for various platforms. Upgrade to version
1.61.9 for the licensing software. The CA advisory lists the commands
that may be used to locate the vulnerable CA packages. A workaround is
to block ports 10203/tcp and 10204/tcp (ports used by the client
component) and 10202/tcp (the port used by the server component) at the
network perimeter to stop the attacks originating from the Internet.
Council Site Actions: Due to the late-breaking nature of the
vulnerability, we were unable to solicit council site input for this
item.
References:
eEye Advisory
http://archives.neohapsis.com/archives/ntbugtraq/2005-q1/0104.html
iDefense Advisories
http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0056.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0057.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0058.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0059.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0060.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0061.html
Exploit Code
http://www.k-otik.com/exploits/20050303.calicserv_getconfig.pm.php
http://www.k-otik.com/exploits/20050303.calicclnt_getconfig.pm.php
Computer Associates Advisory
http://archives.neohapsis.com/archives/ntbugtraq/2005-q1/0103.html
SecurityFocus BID
http://www.securityfocus.com/bid/12705/
***********************************************************************
(2) HIGH: RealNetworks RealPlayer SMIL Processing Buffer Overflow
Affected:
Windows OS
RealPlayer version 10.5 Builds 6.0.12.1040-1056
RealPlayer version 10
RealOne Player v2 Builds 6.0.11.853 - 872
RealOne Player v2 Builds 6.0.11.818 - 840
RealOne Player v1
RealPlayer 8
RealPlayer Enterprise
Mac OS
Mac RealPlayer 10 Builds 10.0.0.305 - 325
Mac RealOne Player
Linux OS
Linux RealPlayer 10
Helix Player
Description: RealPlayer, a media player installed on millions of
systems, contains a stack-based buffer overflow vulnerability. The
overflow can be triggered by a specially crafted Synchronized Multimedia
Integration Language (SMIL) file. A SMIL file defines the layout of a
video presentation. The problem arises because the length of the
"system-screen-size" parameter in a SMIL file is not checked prior to
copying it into a fixed-size buffer. Hence, a "system-screen-size" longer
than 256 bytes can trigger the overflow, which can be exploited to
execute arbitrary code. Note that browsers such as Internet Explorer
automatically open a SMIL file without user interaction. Hence, browsing
a webpage or opening an email is sufficient for exploiting the
vulnerability.
Status: Vendor confirmed, updates available. The RealNetworks advisory
also mentions fixing another buffer overflow in WAV file processing
reported by NGSSoftware. The details of this vulnerability have not been
posted to the public mailing lists yet.
Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at most of the council
sites. One site plans to patch during their next regularly scheduled
system maintenance process. Another site commented that they were not
worried about this item since the RealPlayer software auto-updates. A
few other sites notified their system support staff of the issue, but
do not plan any further action.
References:
RealNetworks Advisory
http://service.real.com/help/faq/security/050224_player/EN/
iDefense Advisory
http://marc.theaimsgroup.com/?l=vulnwatch&m=110971493409972&w=2
NGSSoftware Advisory
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0077.html
SMIL File Format
http://www.w3.org/TR/SMIL2/
SecurityFocus BID
http://www.securityfocus.com/bid/12698
http://www.securityfocus.com/bid/12697
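A defender-side check for the SMIL flaw in item (2), added here as an example; it is not code from the bulletin or from RealNetworks. It scans a SMIL file the way a mail gateway or file-screening tool might and flags any "system-screen-size" value longer than the 256 bytes the item names, using only the Python standard library; the sample SMIL inputs are constructed. Because the player's parser is lenient, a hostile file need not be well-formed XML, so the check falls back to a raw byte scan when strict parsing fails.

```python
import re
import xml.etree.ElementTree as ET

# The attribute named in the advisory, and the length beyond which the
# bulletin says the fixed-size buffer is overrun.
SUSPECT_ATTR = "system-screen-size"
MAX_SAFE_LEN = 256

# Raw-byte fallback for files that are not well-formed XML.  Matches the
# attribute with either quote style; DOTALL lets the value span newlines.
_ATTR_RE = re.compile(rb'system-screen-size\s*=\s*(["\'])(.*?)\1',
                      re.IGNORECASE | re.DOTALL)


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def find_oversized_screen_size(data: bytes) -> list:
    """Return [(element, value_length), ...] for every system-screen-size
    value longer than MAX_SAFE_LEN bytes.

    A strict XML parse is tried first; it decodes entities, so the length
    measured is the one a player would actually copy.  If the file is not
    well-formed XML, the raw regex scan is used instead so a deliberately
    malformed file cannot dodge the check; the element is then "raw".
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        for m in _ATTR_RE.finditer(data):
            n = len(m.group(2))
            if n > MAX_SAFE_LEN:
                findings.append(("raw", n))
        return findings

    for elem in root.iter():  # iter() includes the root element itself
        for name, value in elem.attrib.items():
            if _local(name).lower() != SUSPECT_ATTR:
                continue
            n = len(value.encode("utf-8"))
            if n > MAX_SAFE_LEN:
                findings.append((_local(elem.tag), n))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the file should be quarantined rather than handed to a player."""
    return bool(find_oversized_screen_size(data))


# --- Constructed sample inputs (not real captures) ----------------------
# A normal SMIL 2.0 presentation; the attribute is a legitimate screen test.
BENIGN_SMIL = b"""<?xml version="1.0"?>
<smil xmlns="http://www.w3.org/2001/SMIL20/Language">
  <body>
    <video src="clip.rm" system-screen-size="768X1024"/>
  </body>
</smil>"""

# Well-formed, but the attribute value is 300 bytes: past the 256-byte limit.
OVERSIZED_SMIL = (b'<smil><body><video src="clip.rm" system-screen-size="'
                  + b"A" * 300 + b'"/></body></smil>')

# Not well-formed XML (tags never closed) with a 400-byte value; only the
# raw scan catches this one.
MALFORMED_SMIL = (b'<smil><body><video src="clip.rm" system-screen-size="'
                  + b"B" * 400 + b'">')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SMIL),
                          ("oversized", OVERSIZED_SMIL),
                          ("malformed", MALFORMED_SMIL)):
        print(label, find_oversized_screen_size(sample))
```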
****************************************************************
****************
Other Software
****************
(3) HIGH: Mozilla Browsers Multiple Vulnerabilities
Affected:
Mozilla version 1.7.5 and prior
Firefox version 1.0 and prior
Description: Mozilla and Firefox browsers contain multiple
vulnerabilities that may be exploited by a malicious webpage to execute
arbitrary code on a client system. A proof-of-concept exploit was posted
last week that combines Mozilla's insufficient validation of dragged
"javascript" URLs with access to restricted URLs like "about:config" via
plug-in flaws to execute arbitrary code. Successful exploitation
requires user interaction, i.e., the user needs to drag the scrollbar
twice while viewing the attacker's webpage. A heap corruption
vulnerability in Mozilla and Firefox browsers, which can possibly be
exploited to execute arbitrary code, has also been reported. This problem
occurs because the return value of certain string functions is not
properly checked. However, in order to exploit this flaw, a malicious
web server would need to send a large amount of data to the client
browser.
Status: Vendor confirmed. Upgrade to Firefox 1.0.1 and Mozilla 1.7.6.
The updates fix a number of other issues.
Council Site Actions: Most of the council sites either do not use
Firefox and Mozilla or do not support it in an official manner. Thus,
they are not taking any action. One site does plan to distribute
patches during their next regularly scheduled system update process. A
few other sites have notified either their system support staff or the
small number of users who use the applications. However, no further
action is planned.
References:
iDefense Advisory
http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities
Mozilla Security Group Posting
http://marc.theaimsgroup.com/?l=vulndiscuss&m=110968999613236&w=2
Proof of Concept Exploit by Mikx
http://mikx.de/index.php?p=11
SecurityFocus BIDs
http://www.securityfocus.com/bid/12655
http://www.securityfocus.com/bid/12659
***********************************************************************
(4) MODERATE: Cisco ACNS DoS and Default Administrator Password
Affected:
ACNS Software versions 4.x, 5.0, 5.1 and 5.2
Description: Cisco Application and Content Networking Software (ACNS)
runs on Cisco devices like Content Engines, Content Routers and Content
Distribution Manager, and provides support for web caching. This
software contains multiple denial of service vulnerabilities that may
be triggered by specially crafted packets. In addition, the software has
a default administrative password if the ACNS setup has not been run.
A remote attacker can take complete control of a device running ACNS
software using the default password. The technical details about the DoS
flaws are not available at this time.
Status: Cisco confirmed, fixes available. A workaround is to manually
change the administrator password on devices running ACNS by issuing
"username admin password <password>" command.
Council Site Actions: Only two of the reporting council sites are using
the affected software. One site has already implemented the fix for this
issue, and the second site plans to address the issue in their next
regularly scheduled system update process.
References:
Cisco Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20050224-acnsdos.shtml
ACNS Software Homepage
http://www.cisco.com/en/US/products/sw/conntsw/ps491/ps4637/index.html
SecurityFocus BID
http://www.securityfocus.com/bid/12648
****************************************************************
(5) MODERATE: TWiki Remote Command Execution Vulnerabilities
Affected:
Possibly all current versions
Description: TWiki, Perl-based CGI software, allows multiple users to
manage a web site's content through a web browser. TWiki is widely
used for intranet content management by many companies. The software's
"ImageGalleryPlugin" contains a remote command injection vulnerability.
The flaw can reportedly be exploited by any attacker who can create or
edit topics with image galleries to execute arbitrary commands on the
TWiki server. In addition, an unofficial patch has been released that
claims to fix all command injection vulnerabilities. According to the
discoverer's posting, there may be yet undisclosed vulnerabilities in
TWiki, which are fixed via this patch.
Status: TWiki has not confirmed.
Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary. One site did send
notification to their system support group.
References:
Posting by Florian Weimer
http://www.enyo.de/fw/security/notes/twiki-robustness.html
TWiki Homepage
http://twiki.org/
SecurityFocus BIDs
http://www.securityfocus.com/bid/12637/
http://www.securityfocus.com/bid/12638/
*********************************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 9, 2005
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4086 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________
05.9.1 CVE: Not Available
Platform: Windows
Title: Computer Associates Unicenter Multiple Vulnerabilities
Description: Computer Associates Unicenter is an enterprise asset
management solution. It is vulnerable to multiple issues that may
allow attackers to disclose sensitive information and carry out HTML
injection and SQL injection attacks. Unicenter Asset Management 4.0
for Windows is vulnerable.
Ref: http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo64323
______________________________________________________________________
05.9.2 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft SharePoint Portal Remote Arbitrary File Creation
Description: Microsoft SharePoint Portal Client is reported to be
vulnerable to an arbitrary file creation issue. Certain functions of
the ActiveX control installed with this application can be used to
create arbitrary files on the vulnerable host. Attackers could
leverage this to compromise the remote vulnerable system.
Ref: http://support.microsoft.com/default.aspx?scid=kb;en-us;321780
______________________________________________________________________
05.9.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Golden FTP Server Username Remote Buffer Overflow
Description: Golden FTP Server is a commercial FTP server application.
It is reported to be vulnerable to a buffer overflow issue due to
insufficient bounds checking when processing the "USER" command.
Golden FTP server version 1.92 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12704
______________________________________________________________________
05.9.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Trillian PNG Image Buffer Overflow
Description: Cerulean Studios Trillian is an instant messaging client.
There is a remote buffer overflow vulnerability due to the failure of
the application to handle malformed PNG image files. Cerulean Studios
Trillian versions 3.0 and PRO 3.0 are vulnerable.
Ref: http://www.securityfocus.com/bid/12703
______________________________________________________________________
05.9.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: RaidenHTTPD Multiple Remote Vulnerabilities
Description: RaidenHTTPD is web server software. RaidenHTTPD is
affected by multiple remote vulnerabilities. RaidenHTTPD versions
1.1.32 and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/391800
______________________________________________________________________
05.9.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: MercurySteam Scrapland Game Server Remote Denial of Service
Description: Scrapland is a network-enabled client-server game. The
Scrapland game server is affected by various denial of service
vulnerabilities. Scrapland versions 1.0 and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/bid/12680
______________________________________________________________________
05.9.7 CVE: CAN-2005-0575
Platform: Third Party Windows Apps
Title: Stormy Studios KNet Remote Buffer Overflow
Description: Stormy Studios KNet is an HTTP server. It is reported to
be vulnerable to a remote buffer overflow issue, due to improper
boundary checks. Stormy Studios KNet versions 1.4b and earlier are
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12657
______________________________________________________________________
05.9.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: BadBlue MFCISAPICommand Remote Buffer Overflow
Description: Working Resources BadBlue Web server is intended to
facilitate the sharing of various resources over a network. Working
Resources BadBlue is affected by a remote buffer overflow
vulnerability. Working Resources BadBlue version 2.55 is known to be
affected.
Ref: http://www.securityfocus.com/bid/12673
______________________________________________________________________
05.9.9 CVE: CAN-2005-0520
Platform: Third Party Windows Apps
Title: ArGoSoft FTP Server Site Copy Shortcut File Upload
Vulnerability
Description: ArGoSoft FTP server is an FTP server. The FTP "SITE COPY"
command may be used to upload a malicious shortcut file to the server.
ArGoSoft FTP server versions 1.4.2.7 and earlier are known to be
vulnerable.
Ref: http://www.argosoft.com/ftpserver/changelist.aspx
______________________________________________________________________
05.9.10 CVE: Not Available
Platform: Linux
Title: Debian Reportbug Multiple Information Disclosure Vulnerabilities
Description: Debian reportbug is a utility designed to facilitate bug
reporting. It is reported to be affected by multiple information
disclosure issues. Attackers could leverage this issue to fetch the
email smarthost passwords for legitimate users, or other sensitive
information.
Ref: http://www.securityfocus.com/advisories/8154
______________________________________________________________________
05.9.11 CVE: CAN-2005-0470
Platform: Linux
Title: WPA_Supplicant Remote Buffer Overflow Vulnerability
Description: wpa_supplicant is a daemon designed to support Wi-Fi
Protected Access (WPA). It is reported to be vulnerable to a buffer
overflow issue while handling malicious EAPOL-key frames. Attackers
could leverage this to execute arbitrary code on the system or cause a
denial of service condition.
Ref: http://www.securityfocus.com/advisories/8148
______________________________________________________________________
05.9.12 CVE: CAN-2005-0577
Platform: Linux
Title: DNA MKBold-MKItalic Remote Format String Vulnerability
Description: DNA mkbold-mkitalic is a utility designed to convert
standard X BDF format font files to bold or italic fonts. It is
reported to be vulnerable to a format string issue. DNA
mkbold-mkitalic versions 0.6 and earlier are reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/12657
______________________________________________________________________
05.9.13 CVE: CAN-2005-0546
Platform: Linux
Title: Cyrus IMAPD Multiple Remote Buffer Overflow Vulnerabilities
Description: Cyrus IMAPD is an IMAP daemon. It is reported to be
vulnerable to multiple buffer overflow issues, due to improper
sanitization of network input. Cyrus IMAPD versions 2.0.11 and earlier
are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12636
______________________________________________________________________
05.9.14 CVE: CAN-2005-0160
Platform: Linux
Title: Winace UnAce ACE Archive Multiple Remote Buffer Overflow Vulnerabilities
Description: Winace UnAce is an ACE file format archiver and
unarchiver for the Linux platform. UnAce is affected by multiple
remotely exploitable client-side buffer overflow vulnerabilities.
UnAce versions 1.x and earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/advisories/8161
______________________________________________________________________
05.9.15 CVE: CAN-2005-0547
Platform: HP-UX
Title: HP-UX FTP Server Unspecified Restricted File Access
Description: The FTP server included with HP-UX is reported to be
vulnerable to an unspecified issue. An authenticated remote attacker
may exploit the issue to access restricted files.
Ref: http://www.securityfocus.com/bid/12651
______________________________________________________________________
05.9.16 CVE: CAN-2005-0107
Platform: Unix
Title: bsmtpd Remote Command Execution
Description: bsmtpd is a batched SMTP mailer for sendmail and postfix.
It is vulnerable to a remote command execution due to insufficient
sanitization of email addresses during mail delivery. bsmtpd versions
2.3 and earlier are vulnerable.
Ref: http://www.debian.org/security/2005/dsa-690
______________________________________________________________________
05.9.17 CVE: CAN-2005-0439
Platform: Unix
Title: ELOG Web Logbook Attached Filename Remote Buffer Overflow
Description: ELOG Web Logbook is an open source package designed to
provide a logbook capable of being used through a web interface. ELOG
Web Logbook is affected by a remote buffer overflow vulnerability.
ELOG versions 2.5.6 and earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/bid/12639
______________________________________________________________________
05.9.18 CVE: CAN-2004-1120
Platform: Unix
Title: ProZilla Client-Side Format String Vulnerability
Description: ProZilla is a download accelerator for Unix-like
operating systems. It is vulnerable to a remote client-side format
string issue due to improper use of a format string function and may be
leveraged to execute arbitrary code on the affected system. ProZilla
versions 1.3.7.3 and before are vulnerable.
Ref: http://secunia.com/advisories/13294/
______________________________________________________________________
05.9.19 CVE: CAN-2005-0581, CAN-2005-0582, CAN-2005-0583
Platform: Cross Platform
Title: Computer Associates License Application Multiple Vulnerabilities
Description: Computer Associates License application is a remote
license registration program for Computer Associates products.
Computer Associates License client and server are vulnerable to
multiple buffer overflow issues. Computer Associates License
application versions 1.53 to 1.61.8 are known to be vulnerable.
Ref: http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp
______________________________________________________________________
05.9.20 CVE: Not Available
Platform: Cross Platform
Title: PHPNews Auth.PHP Remote File Include Vulnerability
Description: PHPNews is an open source PHP news application. PHPNews
is affected by a remote PHP file include vulnerability. PHPNews
versions 1.2.4 and earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/391896
______________________________________________________________________
05.9.21 CVE: CAN-2005-0455
Platform: Cross Platform
Title: RealOne/RealPlayer SMIL File Remote Buffer Overflow
Description: RealNetworks RealPlayer and RealOne Player are reported
vulnerable to a remote stack-based buffer overflow issue. The issue
exists due to a lack of boundary checks performed by the application
when parsing Synchronized Multimedia Integration Language (SMIL)
files. A remote attacker may execute arbitrary code on a vulnerable
computer to gain unauthorized access.
Ref: http://service.real.com/help/faq/security/050224_player/EN/
______________________________________________________________________
05.9.22 CVE: Not Available
Platform: Cross Platform
Title: 427BB Multiple Cross-Site Scripting Vulnerabilities
Description: 427BB is a bulletin board system. It is vulnerable to
multiple cross-site scripting vulnerabilities due to the application
failing to properly sanitize user-supplied input before using it in
dynamically generated content. All versions of 427BB are vulnerable.
Ref: http://www.securityfocus.com/archive/1/391848
______________________________________________________________________
05.9.23 CVE: Not Available
Platform: Cross Platform
Title: PostNuke SHOW Parameter Remote SQL Injection
Description: PostNuke is a Content Management System (CMS) available
on Windows and Unix. It is vulnerable to an SQL injection issue due to
insufficient sanitization of user-supplied input in the
"dl-search.php" script and may allow a remote attacker to access
unauthorized data. PostNuke versions 0.760-RC2 and earlier are
vulnerable.
Ref: http://news.postnuke.com/Article2669.html
______________________________________________________________________
05.9.24 CVE: Not Available
Platform: Cross Platform
Title: PaNews Multiple Input Validation Vulnerabilities
Description: PaNews is a news management script. There are multiple
input validation vulnerabilities due to the failure of the application
to properly sanitize user-supplied input. PaNews version 2.0b4 and
earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12687
______________________________________________________________________
05.9.25 CVE: Not Available
Platform: Cross Platform
Title: WebMod Content-Length Remote Heap Overflow
Description: WebMod is a multi-threaded HTTP web server. It is
reported to be vulnerable to a remote heap overflow issue, due to
improper boundary checks in the "server.cpp" file. WebMod versions
0.47 and earlier are reported to be vulnerable.
Ref: http://secunia.com/advisories/14302/
______________________________________________________________________
05.9.26 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Suite Multiple Remote Vulnerabilities
Description: Mozilla Suite is vulnerable to multiple remote
vulnerabilities including buffer overflow, temporary directory
creation, information disclosure and arbitrary file overwrite. Mozilla
Firefox versions earlier than 1.0.1 and Mozilla Thunderbird versions
earlier than 1.0.1 are vulnerable.
Ref: http://www.securityfocus.com/advisories/8160
______________________________________________________________________
05.9.27 CVE: CAN-2005-0208
Platform: Cross Platform
Title: Gaim Remote Denial of Service Vulnerability
Description: Gaim is an instant messaging client that supports
numerous protocols. Gaim is affected by a remote denial of service
vulnerability. Gaim versions 1.1.4 and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/advisories/8167
______________________________________________________________________
05.9.28 CVE: CAN-2005-0540, CAN-2005-0541, CAN-2005-0542
Platform: Cross Platform
Title: AlterPath Manager Multiple Remote Vulnerabilities
Description: Cyclades AlterPath Manager is a web-based remote network
administration tool. There are multiple remote vulnerabilities such as
information disclosure and bypassing access validation through the
"consolename" parameter of the "consoleConnect.jsp" script. Cyclades
AlterPath Manager version 1.x is reported to be vulnerable.
Ref: http://www.cirt.net/advisories/alterpath_disclosure.shtml
http://www.cirt.net/advisories/alterpath_console.shtml
http://www.cirt.net/advisories/alterpath_privesc.shtml
______________________________________________________________________
05.9.29 CVE: CAN-2005-0544, CAN-2005-0567
Platform: Cross Platform
Title: phpMyAdmin Multiple File Include Vulnerabilities
Description: phpMyAdmin is a tool that provides a web interface for
handling MySQL administrative tasks. It is vulnerable to multiple file
include vulnerabilities due to failing to properly sanitize
user-supplied input prior to using it in a PHP "include()" or similar
function call. phpMyAdmin versions 2.6.1-rc1 and earlier are reported
to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/391590
______________________________________________________________________
05.9.30 CVE: CAN-2005-0543
Platform: Cross Platform
Title: phpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
Description: phpMyAdmin is a tool that provides a web interface for
handling MySQL administrative tasks. phpMyAdmin is affected by
multiple remote cross-site scripting vulnerabilities. phpMyAdmin
versions prior to 2.6.1 pl1 are known to be vulnerable.
Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1149383&group_id=23067&atid=377408
______________________________________________________________________
05.9.31 CVE: CAN-2005-0533
Platform: Cross Platform
Title: Trend Micro VSAPI ARJ Heap Overflow
Description: The Trend Micro VSAPI scan engine library is vulnerable
to a heap-based buffer overflow vulnerability. Insufficient
sanitization of filenames in an ARJ archive exposes the application to
a heap overflow issue. The vulnerability affects multiple Trend Micro
products.
Ref: http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution
______________________________________________________________________
05.9.32 CVE: Not Available
Platform: Web Application
Title: MercuryBoard Index.PHP SQL Injection
Description: MercuryBoard is a web-based message board application. It
is reported vulnerable to an SQL injection issue. Attackers could
leverage this to compromise the remote backend database. MercuryBoard
version 1.1.2 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12707/
______________________________________________________________________
05.9.33 CVE: Not Available
Platform: Web Application
Title: ProjectBB Multiple Cross-Site Scripting Vulnerabilities
Description: ProjectBB is a bulletin board system. Insufficient
sanitization of the "pages" parameter of the "drivers.php" script
exposes the application to a cross-site scripting issue. Similar
attacks are also possible using the text areas of the forum name, site
name, maximum avatar size, category and forum fields. ProjectBB
version 0.4.5.1 is affected.
Ref: http://www.securityfocus.com/bid/12709/info/
______________________________________________________________________
05.9.34 CVE: Not Available
Platform: Web Application
Title: Forumwa Multiple Remote Input Validation Vulnerabilities
Description: Forumwa is a web-based discussion forum. It is reported
to be vulnerable to multiple cross-site scripting and HTML injection
issues due to improper sanitization of user-supplied input. Forumwa
version 1 is reported to be vulnerable.
Ref: http://secunia.com/advisories/14418/
______________________________________________________________________
05.9.35 CVE: Not Available
Platform: Web Application
Title: CutePHP CuteNews X-Forwarded-For Script Injection
Description: CutePHP CuteNews is a news and web log management system.
It is reported to be vulnerable to a remote script injection issue in
the "X-Forwarded-For" POST parameter. An attacker may leverage this
issue to inject arbitrary server-side scripts locally and client-side
scripts remotely. CutePHP version 1.3.6 is reported to be affected.
Ref: http://www.securityfocus.com/archive/1/391807
______________________________________________________________________
05.9.36 CVE: Not Available
Platform: Web Application
Title: SafeHTML Multiple HTML Bypass Vulnerabilities
Description: SafeHTML is an HTML parser designed to strip potentially
malicious content in HTML files. Insufficient sanitization of
malicious HTML content in conjunction with null (x00) characters exposes
the application to an HTML bypass issue. SafeHTML versions 1.2.1 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/12692/info/
______________________________________________________________________
05.9.37 CVE: Not Available
Platform: Web Application
Title: PBLang Bulletin Board Personal Message Deletion Vulnerability
Description: PBLang is a PHP based bulletin board system. It is
vulnerable to a design issue that can allow a registered user to
delete arbitrary personal messages. PBLang versions 4.63 and earlier
are vulnerable.
Ref: http://www.securityfocus.com/archive/1/391858
______________________________________________________________________
05.9.38 CVE: CAN-2005-0526
Platform: Web Application
Title: PBLang Directory Traversal
Description: PBLang is a web-based bulletin board application. PBLang
is vulnerable to a directory traversal issue due to insufficient
sanitization of user-supplied data in the "orig" parameter of the
"sendpm.php" script.
Ref: http://www.securityfocus.com/archive/1/391867
______________________________________________________________________
05.9.39 CVE: Not Available
Platform: Web Application
Title: PostNuke Phoenix SQL Injection
Description: PostNuke is a weblog and content management system.
Insufficient sanitization of the "catid" parameter of the "index.php"
script exposes the application to an SQL injection issue. PostNuke
versions 0.760-RC2 and earlier are affected.
Ref: http://www.securityfocus.com/bid/12676/info/
______________________________________________________________________
05.9.40 CVE: Not Available
Platform: Web Application
Title: phpCOIN Multiple Remote Input Validation Vulnerabilities
Description: phpCOIN is a web-based customer information and shopping
application. It is reported to be vulnerable to multiple SQL injection
and cross-site scripting issues. The issues exist due to improper
sanitization of user-supplied input.
Ref: http://secunia.com/advisories/14439/
______________________________________________________________________
05.9.41 CVE: CAN-2004-0944
Platform: Web Application
Title: Mitel 3300 Web Interface Authentication Bypass
Description: Mitel 3300 Integrated Communications Platform is a LAN
PBX. It is vulnerable to an authentication bypass issue in its web
interface. The Mitel 3300 Integrated Communications Platform is known to
be vulnerable.
Ref: http://www.corsaire.com/advisories/c040817-002.txt
______________________________________________________________________
05.9.42 CVE: Not Available
Platform: Web Application
Title: PostNuke Phoenix Download Module Cross-Site Scripting
Description: PostNuke is affected by multiple cross-site scripting
vulnerabilities. PostNuke Phoenix versions prior to version 0.760 RC3
are reported to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/391700
______________________________________________________________________
05.9.43 CVE: Not Available
Platform: Web Application
Title: phpBB Authentication Bypass Vulnerability
Description: phpBB is a web forum application. It is vulnerable to an
authentication bypass issue due to improper sanitization of user input
during login and may be exploited by an attacker to authenticate as
administrator. phpBB versions prior to 2.0.13 are vulnerable.
Ref: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=267563
______________________________________________________________________
05.9.44 CVE: Not Available
Platform: Web Application
Title: FCKeditor For PHP-Nuke Arbitrary File Upload
Description: FCKeditor is an online text and DHTML editor.
Insufficient sanitization of filename extensions allows remote
attackers to upload arbitrary files to a computer when it is used with
PHP-Nuke. FCKeditor version 2.0 RC2 is affected.
Ref: http://www.securityfocus.com/bid/12676/info/
______________________________________________________________________
05.9.45 CVE: CAN-2005-0574
Platform: Web Application
Title: CIS WebServer Directory Traversal
Description: CIS WebServer is vulnerable to a directory traversal
attack. CIS WebServer version 3.5.13 is known to be vulnerable.
Ref: http://secunia.com/advisories/14392/
______________________________________________________________________
05.9.46 CVE: Not Available
Platform: Web Application
Title: CubeCart Multiple Cross-Site Scripting Vulnerabilities
Description: CubeCart is an online storefront application.
Insufficient sanitization of user-supplied input in various scripts
exposes the application to multiple cross-site scripting issues.
CubeCart versions 2.0.5 and earlier are affected.
Ref: http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html
______________________________________________________________________
05.9.47 CVE: CAN-2005-0565
Platform: Web Application
Title: phpWebSite Remote Arbitrary PHP File Upload
Description: phpWebSite is a portal content management system. It is
vulnerable to a remote arbitrary PHP file upload issue due to
insufficient sanitization of uploaded image files. phpWebSite versions
0.10.0 and earlier are known to be vulnerable.
Ref: http://phpwebsite.appstate.edu/index.php?module=announce&ANN_id=922&ANN_user_op=view
______________________________________________________________________
05.9.48 CVE: CAN-2005-0569, CAN-2005-0570, CAN-2005-0571
Platform: Web Application
Title: PunBB Multiple Remote Input Validation Vulnerabilities
Description: PunBB is a web-based bulletin board application
implemented in PHP with an SQL database back-end. PunBB is affected by
multiple remote input validation vulnerabilities. PunBB versions 1.2.1
and earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/391463
______________________________________________________________________
05.9.49 CVE: Not Available
Platform: Web Application
Title: OOApp Guestbook Multiple HTML Injection Vulnerabilities
Description: OOApp Guestbook is affected by multiple HTML injection
issues. Insufficient sanitization of the "id" and "page" parameters of
the "home.php" script exposes these issues. All current versions are
affected.
Ref: http://www.securityfocus.com/bid/12647/info/
______________________________________________________________________
05.9.50 CVE: CAN-2005-0538
Platform: Web Application
Title: ginp File Disclosure Vulnerability
Description: ginp is a web-based photo gallery. It is reported to be
vulnerable to a file disclosure issue, due to improper sanitization of
user-supplied input. ginp versions 0.21 and earlier are reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/12642
______________________________________________________________________
05.9.51 CVE: CAN-2005-0516
Platform: Web Application
Title: TWiki ImageGalleryPlugin Shell Command Injection
Description: TWiki is a web-based application that allows for creation
and maintenance of web sites. The ImageGalleryPlugin can be exploited
to inject arbitrary shell commands due to some configuration options
used in ImageMagick. TWiki ImageGalleryPlugin version 1.x is
vulnerable.
Ref: http://www.enyo.de/fw/security/notes/twiki-robustness.html
______________________________________________________________________
05.9.52 CVE: CAN-2005-0526
Platform: Web Application
Title: PBLang Bulletin Board System Cross-Site Scripting
Description: PBLang Bulletin Board System is vulnerable to a
cross-site scripting issue. Attackers could leverage this towards
theft of authentication credentials from legitimate clients. Version
4.65 of the application is reported to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/391270
______________________________________________________________________
05.9.53 CVE: CAN-2005-0526
Platform: Web Application
Title: PBLang Bulletin Board HTML Injection Vulnerability
Description: PBLang is a bulletin board system. Insufficient
sanitization of special characters in the body of the message by the
"pmpshow.php" script exposes the application to an HTML injection
issue. PBLang versions 4.65 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/391271
______________________________________________________________________
05.9.54 CVE: Not Available
Platform: Network Device
Title: Symantec Gateway Security SMTP Data Leak
Description: Symantec Gateway Security is a firewall appliance. It has
been reported that this appliance leaks sensitive SMTP data when
configured to load-balance two WAN network connections. The following
versions are vulnerable: Symantec Firewall/VPN Appliance 200/200R with firmware
builds prior to build 1.68 and later than 1.5Z, Symantec Gateway
Security 360/360R with firmware builds prior to build 858, Symantec
Gateway Security 460/460R with firmware builds prior to build 858 and
Nexland Pro800turbo with firmware builds earlier than build 1.6X and
later than 1.5Z.
Ref: http://securityresponse.symantec.com/avcenter/security/Content/2005.02.28.html
______________________________________________________________________
05.9.55 CVE: Not Available
Platform: Network Device
Title: Cisco Application and Content Networking Systems Multiple
Remote Vulnerabilities
Description: Cisco Application and Content Networking Systems (ACNS)
are vulnerable to multiple denial of service conditions due to
improper handling of malformed network data.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20050224-acnsdos.shtml
______________________________________________________________________
(c) 2005. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.
==end==
Subscriptions:
RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2005. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFCJ9Hu+LUG5KFpTkYRAmjZAJ9lRv4hlIj9F75Wz5+T1rPUEVse3gCfVEAp
y3xp743E2V80zEjU0wcovUo=
=ulgC
-----END PGP SIGNATURE-----