RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 13

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Thu Mar 31 2005 - 21:57:29 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Telnet client users on Linux, UNIX, Apple Macs and Kerberos should
install the updates if they use telnet extensively.

Also, to attend SANS training with our top instructors in small classes,
come to Colorado in May for SANS Rocky Mountain. You get Auditing
Wireless Security, Forensics, both basic and advanced Hacker Techniques,
plus Forensics and Firewalls and IDS and Security Management and
Security Essentials and even training for the ISC2 CISSP exam.
See: http://www.sans.org/rockymnt2005/

 
*************************************************************************
            RISK: The Consensus Security Vulnerability Alert
March 31, 2005 Vol. 4. Week 13
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                   # of Updates & Vulnerabilities
Windows                    1
Third Party Windows Apps   4
Linux                      1
Unix                       4 (#1, #3)
Cross Platform             4 (#2)
Web Application            35 (#4)
Network Device             3

********************** Sponsored by Shavlik******************************

Now Available! Introducing Shavlik HFNetChkPro(tm) 5, the next
generation of security patch management. With over 50 awesome new
features including detailed reporting, advanced reboot options, email
notification, and distribution servers, staying up to date on patches
has never been easier and your network has never been more secure. Keep
your world in Chk with Shavlik. Download the trial version today at
http://www.sans.org/info.php?id=744

*************************************************************************

Table of Contents:
Part I -- Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)

Widely Deployed Software
(1) MODERATE: Multiple Telnet Clients Buffer Overflows
(2) LOW: Apple QuickTime JPEG Processing Buffer Overflow

Other Software
(3) HIGH: Smail-3 MAIL FROM Buffer Overflow
(4) HIGH: Double Choco Latte PHP Code Execution

************************* SPONSORED LINKS *******************************

These links may point to sites outside of SANS:

1) Learn more about Radware (Booth 921) at the SANS 2005 Conference,
San Diego, April 7-8, 2005
Download DefensePro whitepaper http://www.sans.org/info.php?id=745

2) Download your free trial of SecurityEXPERT. Automate the enforcement
of policy settings across your network.
http://www.sans.org/info.php?id=746

3) SANS is happy to bring you the latest in our complimentary series of
Secure Software Webcasts. Database risks explored in depth at
https://www.sans.org/webcasts/show.php?webcastid=90568

*************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
05.13.1 - Windows XP TSShutdn.exe Remote Denial of Service
 -- Third Party Windows Apps
05.13.2 - FastStone 4in1 Browser Web Server Directory Traversal
05.13.3 - Norton AntiVirus AutoProtect Module Remote Denial of Service
05.13.4 - QuickTime PictureViewer Buffer Overflow
05.13.5 - Trillian Multiple Remote HTTP Response Buffer Overflow Vulnerabilities
 -- Linux
05.13.6 - YepYep mtftpd Remote CWD Format String
 -- Unix
05.13.7 - Sylpheed MIME-Encoded Attachment Buffer Overflow
05.13.8 - Telnet Client Multiple Buffer Overflow Vulnerabilities
05.13.9 - Smail-3 Unspecified Remote Vulnerability
05.13.10 - Dnsmasq Multiple Remote Vulnerabilities
 -- Cross Platform
05.13.11 - AntiGen For Lotus Domino Multiple Remote Denial of Service Vulnerabilities
05.13.12 - Tincat Network Library Remote Buffer Overflow
05.13.13 - Nuke Bookmarks marks.php Path Disclosure
05.13.14 - Oracle Reports Server 10g Cross-Site Scripting
 -- Web Application
05.13.15 - Adventia Chat Server Pro Remote HTML Injection
05.13.16 - Mailreader Remote HTML Injection
05.13.17 - Horde Application Framework Cross-Site Scripting
05.13.18 - Squirrelcart SQL Injection Vulnerability
05.13.19 - PortalAPP Multiple Input Validation Vulnerabilities
05.13.20 - WebAPP File Disclosure Vulnerability
05.13.21 - WackoWiki Cross-Site Scripting Vulnerabilities
05.13.22 - Smarty Template Engine Remote Script Execution
05.13.23 - Chatness Message Form Field HTML Injection
05.13.24 - EncapsBB File Include Vulnerability
05.13.25 - PhotoPost Pro Multiple Input Validation Vulnerabilities
05.13.26 - CPG Dragonfly Multiple Cross-Site Scripting Vulnerabilities
05.13.27 - Ublog Cross-Site Scripting
05.13.28 - Adventia E-Data Remote HTML Injection Vulnerability
05.13.29 - Includer Remote Code Execution
05.13.30 - phpCOIN Multiple Remote Vulnerabilities
05.13.31 - Bugtracker.NET Multiple SQL Injection Vulnerabilities
05.13.32 - Valdersoft Shopping Cart Multiple Vulnerabilities
05.13.33 - EXoops Multiple Input Validation Vulnerabilities
05.13.34 - ACS Blog Name Field HTML Injection Vulnerability
05.13.35 - Nuke Bookmarks Multiple Cross-Site Scripting Vulnerabilities
05.13.36 - Nuke Bookmarks marks.php SQL Injection
05.13.37 - E-Store Kit-2 PayPal Edition Cross-Site Scripting
05.13.38 - E-Store Kit-2 PayPal Edition Remote File Include Vulnerability
05.13.39 - Tkai's Shoutbox Query Parameter URI Redirection
05.13.40 - phpMyDirectory review.php Multiple Cross-Site Scripting Vulnerabilities
05.13.41 - ESMI PayPal Storefront Cross-Site Scripting Vulnerability
05.13.42 - Koobi CMS Cross Site-Scripting
05.13.43 - Koobi CMS index.php SQL Injection
05.13.44 - Calendar scheduler.php Cross-Site Scripting
05.13.45 - Double Choco Latte Multiple Vulnerabilities
05.13.46 - phpSysInfo Multiple Cross-Site Scripting Vulnerabilities
05.13.47 - DigitalHive base.php Cross-Site Scripting
05.13.48 - XMB Forum Multiple Cross-Site Scripting Vulnerabilities
05.13.49 - Invision Power Board HTML Injection
 -- Network Device
05.13.50 - Cisco VPN 3000 Concentrator Denial of Service
05.13.51 - Netcomm NB1300 Modem/Router Remote Denial of Service
05.13.52 - Samsung DSL Modem Multiple Remote Vulnerabilities
______________________________________________________________________

PART I Critical Vulnerabilities
Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at
TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

************************
Widely Deployed Software
************************

(1) MODERATE: Multiple Telnet Clients Buffer Overflows
Affected:
Telnet Clients distributed by:
ALT Linux distribution
Apple Mac OS
FreeBSD
Openwall
Red Hat Linux
Sun Solaris
MIT Kerberos

Description: The telnet LINEMODE option lets the telnet client perform
more of the character processing locally, which reduces the amount of
telnet traffic on a network. A number of telnet client implementations
contain a buffer overflow in the way they process a certain LINEMODE
sub-option. Specifically, a telnet server can trigger the buffer
overflow by sending a large number of "Set Local Character (SLC)"
sub-options within the LINEMODE option command. The
clients also contain another heap-based buffer overflow in the
"env_opt_add()" function. This overflow can be triggered by sending the
telnet client a buffer containing a large number of telnet escape
characters. These flaws can be exploited to execute arbitrary code on
the client system with the privileges of the logged-on user. In order
to exploit these overflows, an attacker has to force a victim to connect
to his malicious telnet server. This, in turn, can be accomplished in
some cases via a specially crafted webpage or an HTML email containing
a "telnet://" URL. Proof-of-concept exploits have been posted for the
overflows.
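As an added illustration, not code from any of the affected telnet clients or from the advisories, here is a bounded parser for the LINEMODE SLC subnegotiation described above, written from the defender's side: it stores at most a fixed number of SLC triplets and rejects a flood of them instead of overrunning a fixed-size buffer. The option and suboption codes follow RFC 1184 (IAC SB LINEMODE SLC <triplets> IAC SE, with a literal 0xFF escaped as IAC IAC); the SLC_MAX_TRIPLETS cap, the sample messages and the helper names (parse_slc, parse_flood, parse_sample_ok, parse_unterminated) are assumptions constructed for this example.

```c
/* Bounded parser for the telnet LINEMODE SLC subnegotiation (RFC 1184).
 * Added illustration; not code from any affected telnet client. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IAC 255
#define SB  250
#define SE  240
#define TELOPT_LINEMODE 34
#define LM_SLC 3
/* Hypothetical cap on accepted triplets, chosen for this example only. */
#define SLC_MAX_TRIPLETS 32

struct slc_triplet { uint8_t func, flags, ch; };

/* Parse one SLC message starting at IAC SB. Returns the number of triplets
 * stored in out, or -1 if the message is malformed, unterminated, or carries
 * more triplets than max_out allows. The max_out check is the bounds check
 * whose absence the advisory describes. */
int parse_slc(const uint8_t *buf, size_t n, struct slc_triplet *out, size_t max_out)
{
    if (n < 6 || buf[0] != IAC || buf[1] != SB ||
        buf[2] != TELOPT_LINEMODE || buf[3] != LM_SLC)
        return -1;
    size_t i = 4, count = 0;
    uint8_t tmp[3];
    int k = 0;
    while (i < n) {
        uint8_t b = buf[i++];
        if (b == IAC) {
            if (i >= n) return -1;
            uint8_t nx = buf[i++];
            if (nx == SE)
                return k == 0 ? (int)count : -1;  /* reject a partial trailing triplet */
            if (nx != IAC) return -1;             /* only IAC IAC is a valid escape here */
            b = IAC;                              /* escaped literal 0xFF */
        }
        tmp[k++] = b;
        if (k == 3) {
            if (count >= max_out) return -1;      /* flood of SLC triplets: refuse, do not overflow */
            out[count].func = tmp[0]; out[count].flags = tmp[1]; out[count].ch = tmp[2];
            count++; k = 0;
        }
    }
    return -1;  /* ran out of input before IAC SE */
}

/* Constructed sample: two triplets, the second carrying an escaped 0xFF. */
static const uint8_t sample_ok[] = {
    IAC, SB, TELOPT_LINEMODE, LM_SLC,
    1, 2, 'a',            /* triplet 1 */
    2, 2, IAC, IAC,       /* triplet 2, char 0xFF escaped as IAC IAC */
    IAC, SE
};

int parse_sample_ok(void)
{
    struct slc_triplet out[SLC_MAX_TRIPLETS];
    return parse_slc(sample_ok, sizeof sample_ok, out, SLC_MAX_TRIPLETS);
}

int sample_ok_last_ch(void)
{
    struct slc_triplet out[SLC_MAX_TRIPLETS];
    int r = parse_slc(sample_ok, sizeof sample_ok, out, SLC_MAX_TRIPLETS);
    return r > 0 ? out[r - 1].ch : -1;
}

/* Same sample with the IAC SE terminator cut off. */
int parse_unterminated(void)
{
    struct slc_triplet out[SLC_MAX_TRIPLETS];
    return parse_slc(sample_ok, sizeof sample_ok - 2, out, SLC_MAX_TRIPLETS);
}

static uint8_t flood_buf[4 + 3 * 512 + 2];

/* Build a constructed message carrying `triplets` SLC entries (values avoid
 * 0xFF so no escaping is needed) and parse it against the cap. */
int parse_flood(size_t triplets)
{
    if (triplets > 512) return -2;
    size_t n = 0;
    flood_buf[n++] = IAC; flood_buf[n++] = SB;
    flood_buf[n++] = TELOPT_LINEMODE; flood_buf[n++] = LM_SLC;
    for (size_t t = 0; t < triplets; t++) {
        flood_buf[n++] = (uint8_t)(1 + t % 30);  /* SLC function */
        flood_buf[n++] = 2;                      /* flags */
        flood_buf[n++] = 'a';                    /* character */
    }
    flood_buf[n++] = IAC; flood_buf[n++] = SE;
    struct slc_triplet out[SLC_MAX_TRIPLETS];
    return parse_slc(flood_buf, n, out, SLC_MAX_TRIPLETS);
}

int main(void)
{
    printf("sample: %d triplets, last char 0x%02X\n", parse_sample_ok(), sample_ok_last_ch());
    printf("flood of 33 triplets -> %d (rejected)\n", parse_flood(33));
    return 0;
}
```

The point of the cap is that the client decides how many SLC entries it is willing to act on before it touches any reply buffer; a server that sends more than that is refused rather than trusted, which is the property the patched clients restore.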

Status: Many vendors have confirmed this flaw and have released updates.

Council Site Actions: Most of the council sites are running the
affected software on various platforms within their environments. A few
sites do not plan to take any action since none of their affected
systems are used to establish telnet connections to unknown or untrusted
locations. Three sites do plan to distribute the patches during their
next regularly scheduled system update process or have already updated
their systems through automatic software update features. One of these
sites commented that they have a large number of Linux and Solaris
systems which are vulnerable. However, as far as they know, very few of
them have an installed web browser configured to recognize "telnet://"
URLs. Clicking on a "telnet://" link produces an error window stating
"telnet is not a registered protocol". Also, it is not common for their
users to run the telnet program directly, and thus the chance of
encountering a malicious telnet server is small. They plan to update
these systems, but at a much slower pace. Another site commented that
telnet is banned from their critical application systems, and most of
their systems don't allow telnet at all.

References:
iDefense Advisories
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
Posting by Gael Dellaleu (the discoverer of the flaws)
http://www.cppsecurity.com/telnet_slc_overflow.txt
CERT Advisory
http://www.kb.cert.org/vuls/id/291924
Posting by Solar Designer (PoC)
http://www.securityfocus.com/archive/1/394417/2005-03-26/2005-04-01/0
Posting by Tavis Ormandy (PoC)
http://archives.neohapsis.com/archives/bugtraq/2005-03/0482.html
Telnet RFC 1184 Linemode Option
http://www.faqs.org/rfcs/rfc1184.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/12918
http://www.securityfocus.com/bid/12919

*******************************************************************

(2) LOW: Apple QuickTime JPEG Processing Buffer Overflow
Affected:
QuickTime version 6.5.1

Description: Apple's QuickTime media player is reportedly vulnerable to
a buffer overflow while processing specially crafted JPEG images. The
flaw is triggered by a malformed Huffman segment in a JPEG image. The
discoverer reports that the malformed image causes an "access violation"
crash; hence the flaw may possibly be exploitable for code execution
(not confirmed). Note that Internet Explorer and other browsers open
files associated with QuickTime player without user interaction, which
may facilitate easy exploitation.

Status: Apple has not confirmed. The flaw may be related to an older
vulnerability in QuickTime that was fixed in October 2004. An upgrade
to version 6.5.2 is recommended.

Council Site Actions: Most of the council sites are running the
affected software, although it is not officially supported by their
respective support groups. All are awaiting official word from the
vendor along with a patch. Several of the sites specified they would
install the patches during a normal system update process. One site
commented that many of their Windows systems were updated to QuickTime
6.5.2 last year because of the October 2004 vulnerability
(http://www.securityfocus.com/bid/11553/info/), and their Mac OS X
systems have been updated to QuickTime 6.5.2 through Software Update.

References:
Posting by liquid
http://www.securityfocus.com/archive/1/394309/2005-03-26/2005-04-01/0
SecurityFocus BID
http://www.securityfocus.com/bid/12905

*******************************************************************

*****************
Other Software
*****************

(3) HIGH: Smail-3 MAIL FROM Buffer Overflow
Affected:
smail version 3.2.0.120 (current version)

Description: Smail-3 is a mail transfer agent (MTA) for UNIX systems
similar to sendmail. This MTA is reportedly vulnerable to a heap-based
buffer overflow that can be triggered by an overlong argument to the
"MAIL FROM" SMTP command. A remote attacker, who can connect to the
Smail-3 server, can exploit this flaw to possibly execute arbitrary code
with root privileges. Exploit code has been publicly posted.

Status: The vendor did not initially acknowledge the flaw as being
exploitable. The vendor's status after the discoverer posted his exploit
code is not known. An unofficial patch has been included in one of the
discoverer's postings.

Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary.

References:
Postings by sean
http://www.securityfocus.com/archive/1/394286/2005-03-19/2005-03-25/0
http://www.securityfocus.com/archive/1/394318/2005-03-26/2005-04-01/0
Vendor's Posting
http://www.securityfocus.com/archive/1/394315/2005-03-19/2005-03-25/0
Exploit Code
http://www.securityfocus.com/archive/1/394413
Vendor Homepage
http://www.weird.com/~woods/projects/smail.html
SecurityFocus BID
http://www.securityfocus.com/bid/12899
http://www.securityfocus.com/bid/12922

*******************************************************************

(4) HIGH: Double Choco Latte PHP Code Execution
Affected:
Double Choco Latte version 0.9.4.2 and prior

Description: Double Choco Latte is enterprise-class software designed
for project management, online documents, call tracking, etc., and is
used by a number of organizations. This software contains a remote
PHP code execution vulnerability that can be exploited to compromise the
server running Double Choco Latte. The technical details can be obtained
via examining the fixed and the affected versions of the software.

Status: Vendor confirmed, upgrade to version 0.9.4.4.

Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary.

References:
Double Choco Latte News
http://sourceforge.net/forum/forum.php?forum_id=455798
Vendor Homepage
http://dcl.sourceforge.net/
SecurityFocus BID
http://www.securityfocus.com/bid/12894

*******************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 13, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4167 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

______________________________________________________________________

05.13.1 CVE: Not Available
Platform: Windows
Title: Windows XP TSShutdn.exe Remote Denial of Service
Description: Microsoft Windows XP is affected by a remote denial of
service vulnerability. Microsoft Windows XP Service Pack 1 is known to
be vulnerable.
Ref: http://support.microsoft.com/kb/889323/
______________________________________________________________________

05.13.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: FastStone 4in1 Browser Web Server Directory Traversal
Description: FastStone 4in1 is a web browser that includes a web
server application. Insufficient sanitization of the "..", "../" and
"/.../" directory traversal sequences exposes the application.
FastStone 4in1 browser versions 1.2 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/394507
______________________________________________________________________

05.13.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Norton AntiVirus AutoProtect Module Remote Denial of Service
Description: Symantec Norton AntiVirus AutoProtect is a virtual device
driver that scans files for malicious applications. It is vulnerable
to a remote denial of service issue that can be exploited by a remote
attacker to crash the machine. Please refer to the link below for the
vulnerable versions.
Ref: http://www.symantec.com/avcenter/security/Content/2005.03.28.html

______________________________________________________________________

05.13.4 CVE: CAN-2005-0903
Platform: Third Party Windows Apps
Title: QuickTime PictureViewer Buffer Overflow
Description: Apple QuickTime Player is a media player. It is
vulnerable to a buffer overflow issue when used to view malformed JPEG
files. QuickTime version 6.5.1 for Windows is affected.
Ref: http://www.securityfocus.com/bid/12905
______________________________________________________________________

05.13.5 CVE: CAN-2005-0874
Platform: Third Party Windows Apps
Title: Trillian Multiple Remote HTTP Response Buffer Overflow
Vulnerabilities
Description: Cerulean Studios Trillian is an instant messaging client.
It is reported vulnerable to multiple buffer overflow conditions while
parsing HTTP responses from web servers. Attackers could leverage this
to execute arbitrary code on the vulnerable client's system. Trillian
version 3.1 and earlier are affected.
Ref: http://www.securityfocus.com/bid/12890/
______________________________________________________________________

05.13.6 CVE: Not Available
Platform: Linux
Title: YepYep mtftpd Remote CWD Format String
Description: mtftpd is FTP server software. It is reported to be
vulnerable to a remote format string issue. The issue presents itself
when a specially crafted "CWD" command is used. mtftpd versions 0.0.3
and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12947
______________________________________________________________________

05.13.7 CVE: CAN-2005-0926
Platform: Unix
Title: Sylpheed MIME-Encoded Attachment Buffer Overflow
Description: Sylpheed is a GTK+ based email client. It is vulnerable
to a buffer overflow when a malformed MIME-encoded file name is
processed. Sylpheed versions 0.8.0 to 1.0.3 and 1.9.0 to 1.9.4 are
vulnerable.
Ref: http://www.tmtm.org/cgi-bin/w3ml/sylpheed/msg/24429
______________________________________________________________________

05.13.8 CVE: CAN-2005-0468,CAN-2005-0469
Platform: Unix
Title: Telnet Client Multiple Buffer Overflow Vulnerabilities
Description: Multiple telnet client implementations are vulnerable to
a buffer overflow issue in the "env_opt_add" function of the "telnet.c"
code. Some telnet implementations are also affected by LINEMODE buffer
overflow issues.
Ref: http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
______________________________________________________________________

05.13.9 CVE: CAN-2005-0893
Platform: Unix
Title: Smail-3 Unspecified Remote Vulnerability
Description: Smail-3 is a Mail Transport Agent (MTA). It is reported
to be vulnerable to an unspecified security issue. It is conjectured
that attackers could leverage this towards code execution or denial of
service on the vulnerable system.
Ref: http://www.securityfocus.com/archive/1/394413
______________________________________________________________________

05.13.10 CVE: Not Available
Platform: Unix
Title: Dnsmasq Multiple Remote Vulnerabilities
Description: Dnsmasq is a DHCP and DNS server. Dnsmasq is vulnerable
to cache poisoning attacks and a buffer overflow issue. Dnsmasq
versions 2.20 and earlier are known to be vulnerable.
Ref: http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
______________________________________________________________________

05.13.11 CVE: Not Available
Platform: Cross Platform
Title: AntiGen For Lotus Domino Multiple Remote Denial of Service
Vulnerabilities
Description: Sybari AntiGen For Lotus Domino is antivirus software
designed for Lotus Domino. It is reported to be vulnerable to multiple
remote denial of service issues. The issues present themselves when a
specially crafted RAR archive is processed.
Ref: http://secunia.com/advisories/14726/
______________________________________________________________________

05.13.12 CVE: CAN-2005-0906
Platform: Cross Platform
Title: Tincat Network Library Remote Buffer Overflow
Description: Tincat is a network API used by various games. It is
reported vulnerable to a remote buffer overflow condition. Attackers
could leverage this towards arbitrary remote code execution or a
denial of service on the vulnerable server.
Ref: http://www.securityfocus.com/archive/1/394404
______________________________________________________________________

05.13.13 CVE: CAN-2005-0900, CAN-2005-0901, CAN-2005-0902
Platform: Cross Platform
Title: Nuke Bookmarks marks.php Path Disclosure
Description: Nuke Bookmarks is a module for PHP-Nuke that allows users
to store their bookmarks on the server. Nuke Bookmarks is affected by
a path disclosure issue when invalid data is submitted. Nuke Bookmarks
versions 0.6 and earlier are known to be vulnerable.
Ref: http://www.zone-h.org/en/advisories/read/id=7356/
______________________________________________________________________

05.13.14 CVE: CAN-2005-0873
Platform: Cross Platform
Title: Oracle Reports Server 10g Cross-Site Scripting
Description: Oracle Reports Server is a web reporting application
designed to provide access to various reporting formats for selected
data sets. Insufficient sanitization of the "desname" and "repprod"
parameters in the "test.jsp" script exposes the application to
multiple cross-site scripting issues. Oracle Reports Server 10g
version 9.0.4.3.3 is affected.
Ref: http://www.securityfocus.com/archive/1/394159
______________________________________________________________________

05.13.15 CVE: Not Available
Platform: Web Application
Title: Adventia Chat Server Pro Remote HTML Injection
Description: Adventia Chat Server Pro is a chat server implemented
with ASP technology. It is reported to be vulnerable to an HTML
injection issue. Attackers can inject HTML code into the chat windows
of legitimate users. This can be leveraged towards theft of
cookie-based authentication credentials and other attacks via
malicious script execution.
Ref: http://www.securityfocus.com/bid/12940/
______________________________________________________________________

05.13.16 CVE: CAN-2005-0386
Platform: Web Application
Title: Mailreader Remote HTML Injection
Description: Mailreader is a web-based email client. It is affected
by an HTML injection issue. Mail messages that have MIME types
"text/enriched" or "text/richtext" are not sanitized for HTML
injection and script execution issues. Mailreader versions 2.3.29 and
earlier are affected.
Ref: http://www.debian.org/security/2005/dsa-700
______________________________________________________________________

05.13.17 CVE: CAN-2005-0378
Platform: Web Application
Title: Horde Application Framework Cross-Site Scripting
Description: The Horde Application Framework is a series of web
applications implemented in PHP. Horde Application Framework is
affected by a cross-site scripting vulnerability. Horde versions
3.0.4-RC2 and earlier are known to be vulnerable.
Ref: http://lists.horde.org/archives/announce/2005/000176.html
______________________________________________________________________

05.13.18 CVE: Not Available
Platform: Web Application
Title: Squirrelcart SQL Injection Vulnerability
Description: Lighthouse Development Squirrelcart is a shopping cart
application. It is vulnerable to an SQL injection issue due to
insufficient sanitization of the "crn" parameter of the "index.php"
script. All versions of Squirrelcart are known to be vulnerable.
Ref: http://icis.digitalparadox.org/~dcrab/sqc.txt
______________________________________________________________________

05.13.19 CVE: Not Available
Platform: Web Application
Title: PortalAPP Multiple Input Validation Vulnerabilities
Description: PortalApp is a web application for web publication. It is
vulnerable to multiple SQL injection and cross-site scripting issues
due to insufficient sanitization of user-supplied data in the
"content.asp" and the "ad_click.asp" scripts.
Ref: http://icis.digitalparadox.org/~dcrab/portalapp.txt
______________________________________________________________________

05.13.20 CVE: CAN-2005-0927
Platform: Web Application
Title: WebAPP File Disclosure Vulnerability
Description: WebAPP (Web Automated Perl Portal) is a web portal
application. It is reported vulnerable to an unspecified file
disclosure issue that allows attackers to gain access to sensitive
information from a vulnerable system. All versions of WebAPP are
considered vulnerable to this issue.
Ref: http://www.securityfocus.com/bid/12938/
______________________________________________________________________

05.13.21 CVE: CAN-2005-0934
Platform: Web Application
Title: WackoWiki Cross-Site Scripting Vulnerabilities
Description: WackoWiki is a PHP wiki clone. It is vulnerable to
multiple unspecified cross-site scripting issues due to improper
sanitization of user input and may be exploited to steal cookie-based
authentication credentials. WackoWiki versions earlier than 4.2 are
vulnerable.
Ref: http://wackowiki.com/WackoDownload/InEnglish
______________________________________________________________________

05.13.22 CVE: CAN-2005-0913
Platform: Web Application
Title: Smarty Template Engine Remote Script Execution
Description: Smarty is a template engine for developing PHP web
applications. The Smarty Template Engine is vulnerable to remote
execution of PHP code via the "regex_replace" modifier. Smarty
versions prior to 2.6.8 are reported to be vulnerable.
Ref: http://smarty.php.net/
______________________________________________________________________

05.13.23 CVE: CAN-2005-0930
Platform: Web Application
Title: Chatness Message Form Field HTML Injection
Description: Chatness is a web-based chat system. It is vulnerable to
an HTML injection issue exposed through various chat message form
fields and may be exploited by an attacker to steal cookie-based
authentication credentials. Chatness 2.5.1 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/394526
______________________________________________________________________

05.13.24 CVE: CAN-2005-0917
Platform: Web Application
Title: EncapsBB File Include Vulnerability
Description: EncapsBB is a web-based forum. It is reported to be
vulnerable to a file include issue due to improper sanitization of
user-supplied input to the "root" parameter of the "index_header.php"
script. EncapsBB version 0.3.2_fixed is reported to be vulnerable.
Ref: http://secunia.com/advisories/14761
______________________________________________________________________

05.13.25 CVE: CAN-2005-0928, CAN-2005-0929
Platform: Web Application
Title: PhotoPost Pro Multiple Input Validation Vulnerabilities
Description: PhotoPost Pro is photograph-viewing software. It is
affected by multiple input validation vulnerabilities. All versions of
PhotoPost Pro are known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/394407
______________________________________________________________________

05.13.26 CVE: CAN-2005-0914
Platform: Web Application
Title: CPG Dragonfly Multiple Cross-Site Scripting Vulnerabilities
Description: CPG Dragonfly is a content management portal. It is
reported to be vulnerable to multiple cross-site scripting issues.
These can be leveraged towards theft of cookie-based authentication
credentials. CPG Dragonfly version 9.0.2.0 is reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/12930/
______________________________________________________________________

05.13.27 CVE: CAN-2005-0925
Platform: Web Application
Title: Ublog Cross-Site Scripting
Description: Ublog is a weblog application. Insufficient sanitization
of user-supplied input of the "msg" parameter in the "login.asp"
script exposes it to a cross-site scripting issue. Ublog versions
1.0.4 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/394543
______________________________________________________________________

05.13.28 CVE: CAN-2005-0924
Platform: Web Application
Title: Adventia E-Data Remote HTML Injection Vulnerability
Description: Adventia E-Data is an email directory written in Perl. It
is reported to be vulnerable to an HTML injection issue due to
improper sanitization of user-supplied input. Adventia E-data version
2.0 is reported to be vulnerable.
Ref: http://secunia.com/advisories/14739
______________________________________________________________________

05.13.29 CVE: CAN-2005-0931
Platform: Web Application
Title: Includer Remote Code Execution
Description: The Includer provides server side includes for web sites.
It is affected by a remote code execution vulnerability due to a
failure to sanitize user-supplied input in the "include()" function.
All versions of the Includer are vulnerable.
Ref: http://www.securityfocus.com/bid/12926
______________________________________________________________________

05.13.30 CVE: CAN-2005-0669, CAN-2005-0670
Platform: Web Application
Title: phpCOIN Multiple Remote Vulnerabilities
Description: phpCOIN is a customer information and shopping
application designed for integration into an existing website. phpCOIN
is affected by multiple remote input validation vulnerabilities.
phpCOIN versions 1.2.1b and earlier are known to be vulnerable.
Ref: http://lostmon.blogspot.com/2005...sible-sql-injection-comands.html
http://www.gulftech.org/?node=research&article_id=00065-03292005
______________________________________________________________________

05.13.31 CVE: CAN-2005-0920
Platform: Web Application
Title: Bugtracker.NET Multiple SQL Injection Vulnerabilities
Description: Bugtracker.NET is a web-based bug tracker application. It
is vulnerable to multiple SQL injection issues. Bugtracker.NET version
2.0.2 has been released to fix these issues.
Ref: http://sourceforge.net/project/shownotes.php?release_id=315830
______________________________________________________________________

05.13.32 CVE: CAN-2005-0907, CAN-2005-0908
Platform: Web Application
Title: Valdersoft Shopping Cart Multiple Vulnerabilities
Description: Valdersoft Shopping Cart is web-based e-commerce
software. It contains multiple input validation vulnerabilities,
including a failure to properly sanitize user-supplied input and SQL
injection issues. Valdersoft Shopping Cart version 3.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/12916
______________________________________________________________________

05.13.33 CVE: CAN-2005-0911
Platform: Web Application
Title: EXoops Multiple Input Validation Vulnerabilities
Description: EXoops is web portal software written in PHP. It is
vulnerable to multiple cross-site scripting and SQL injection issues
that can be exploited by an attacker to steal authentication
credentials and cause the destruction or disclosure of sensitive data.
All current versions of EXoops are vulnerable.
Ref: http://www.securityfocus.com/archive/1/394410
______________________________________________________________________

05.13.34 CVE: CAN-2005-0802
Platform: Web Application
Title: ACS Blog Name Field HTML Injection Vulnerability
Description: ACS Blog is web blog software. It is reported to be
vulnerable to an HTML injection issue due to improper sanitization of
user-supplied input to the "Name" parameter. ACS Blog 1.1.1 is
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12904
______________________________________________________________________

05.13.35 CVE: CAN-2005-0901
Platform: Web Application
Title: Nuke Bookmarks Multiple Cross-Site Scripting Vulnerabilities
Description: Nuke Bookmarks is a PHP-Nuke module used to store
bookmarks online. Nuke Bookmarks is vulnerable to multiple cross-site
scripting issues due to insufficient sanitization of user-supplied
data. Nuke Bookmarks version 0.6 is known to be vulnerable.
Ref: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0901
______________________________________________________________________

05.13.36 CVE: Not Available
Platform: Web Application
Title: Nuke Bookmarks marks.php SQL Injection
Description: Nuke Bookmarks is a module for PHP-Nuke that allows users
to store their bookmarks on the server. It is reported to be
vulnerable to an SQL injection issue. Attackers could leverage this
to compromise the remote backend database.
Ref: http://www.securityfocus.com/archive/1/394307
______________________________________________________________________

05.13.37 CVE: CAN-2005-0898
Platform: Web Application
Title: E-Store Kit-2 PayPal Edition Cross-Site Scripting
Description: MagicScripts E-Store Kit-2 PayPal Edition is a script for
using PayPal to accept online payments. Insufficient sanitization of
the "txn_id" parameter in the "downloadform.php" script exposes the
application to a cross-site scripting issue. All current versions are
affected.
Ref: http://www.securityfocus.com/archive/1/394312
______________________________________________________________________

05.13.38 CVE: Not Available
Platform: Web Application
Title: E-Store Kit-2 PayPal Edition Remote File Include Vulnerability
Description: MagicScripts E-Store Kit-2 PayPal Edition is a script for
using PayPal to accept online payments. It is vulnerable to a remote
file include issue due to a failure in the application to properly
sanitize user-supplied input to the "catalog.php" script. All known
versions of E-Store Kit-2 PayPal are vulnerable.
Ref: http://www.securityfocus.com/archive/1/394312
______________________________________________________________________

05.13.39 CVE: CAN-2005-0909
Platform: Web Application
Title: Tkai's Shoutbox Query Parameter URI Redirection
Description: Tkai's Shoutbox is a web-based chat and forum
application. Insufficient sanitization of the "query" URI parameter
exposes the application to a URI redirection issue in which users will
be redirected to malicious web sites. All current versions are
affected.
Ref: http://www.securityfocus.com/archive/1/394312
______________________________________________________________________

05.13.40 CVE: CAN-2005-0896
Platform: Web Application
Title: phpMyDirectory review.php Multiple Cross-Site Scripting
Vulnerabilities
Description: phpMyDirectory is a web-based business directory script.
It is reported to be vulnerable to a cross-site scripting issue via
various script parameters. Attackers could leverage this towards theft
of cookie-based authentication credentials. phpMyDirectory version
10.1.3-rel is reported to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/394284
______________________________________________________________________

05.13.41 CVE: CAN-2005-0936
Platform: Web Application
Title: ESMI PayPal Storefront Cross-Site Scripting Vulnerability
Description: ESMI PayPal Storefront is a PHP script for building
e-commerce web sites using PayPal as a payment system. It is reported
to be vulnerable to a cross-site scripting issue due to improper
sanitization of user-supplied input to the "id" parameter of
"products1h.php". ESMI PayPal Storefront version 1.7 is reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/12904
______________________________________________________________________

05.13.42 CVE: CAN-2005-0889
Platform: Web Application
Title: Koobi CMS Cross-Site Scripting
Description: Koobi CMS is web-based content management software. It is
vulnerable to a cross-site scripting vulnerability due to a failure to
sanitize user-supplied input to the "area" parameter. Dream4 Koobi
version 4.2.3 is vulnerable.
Ref: http://www.securityfocus.com/bid/12895
______________________________________________________________________

05.13.43 CVE: CAN-2005-0890
Platform: Web Application
Title: Koobi CMS index.php SQL Injection
Description: Koobi CMS is web-based content management software. Koobi
CMS is affected by an SQL injection vulnerability. Koobi CMS versions
4.2.3 and earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/bid/12896/info/
______________________________________________________________________

05.13.44 CVE: CAN-2005-0872
Platform: Web Application
Title: Calendar scheduler.php Cross-Site Scripting
Description: Topic Calendar is a phpBB module that adds a calendar to
the board. It is vulnerable to a cross-site scripting issue due to a
failure in the application to properly sanitize user-supplied input to
the "start" parameter of the "calendar_scheduler.php" script. Topic
Calendar version 1.0.1 is affected.
Ref: http://www.securityfocus.com/archive/1/394154
______________________________________________________________________

05.13.45 CVE: CAN-2005-0888
Platform: Web Application
Title: Double Choco Latte Multiple Vulnerabilities
Description: Double Choco Latte is a web-based application for
managing software development. It is reported to be vulnerable to
multiple cross-site scripting and arbitrary code execution issues due
to improper sanitization of user-supplied input. Double Choco Latte
versions 0.9.4.3 and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12894
______________________________________________________________________

05.13.46 CVE: CAN-2005-0869, CAN-2005-0870
Platform: Web Application
Title: phpSysInfo Multiple Cross-Site Scripting Vulnerabilities
Description: phpSysInfo is a PHP script which generates a web page
containing information about the "/proc" filesystem. It is vulnerable
to multiple cross-site scripting issues in the "index.php" and
"system_footer.php" scripts. phpSysInfo version 2.3 is known to be
vulnerable.
Ref: http://www.securityfocus.com/archive/1/394086
______________________________________________________________________

05.13.47 CVE: CAN-2005-0883
Platform: Web Application
Title: DigitalHive base.php Cross-Site Scripting
Description: DigitalHive is a web forum. Insufficient sanitization of
the "page" parameter in the "base.php" script exposes the application
to a cross-site scripting issue. DigitalHive version 2.0 is affected.
Ref: http://www.securityfocus.com/bid/12883/info/
______________________________________________________________________

05.13.48 CVE: CAN-2005-0885
Platform: Web Application
Title: XMB Forum Multiple Cross-Site Scripting Vulnerabilities
Description: XMB Forum is a web-based message board application. It is
reported to be vulnerable to multiple cross-site scripting issues due
to improper sanitization of user-supplied input. XMB Forum version
1.9.1 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12886
______________________________________________________________________

05.13.49 CVE: CAN-2005-0886
Platform: Web Application
Title: Invision Power Board HTML Injection
Description: Invision Power Board is web forum software. It is
vulnerable to an HTML injection vulnerability due to a failure to
sanitize user-supplied data. All versions of Invision Power Board are
vulnerable.
Ref: http://www.securityfocus.com/bid/12888
______________________________________________________________________

05.13.50 CVE: Not Available
Platform: Network Device
Title: Cisco VPN 3000 Concentrator Denial of Service
Description: Cisco VPN 3000 Concentrator products provide Virtual
Private Network (VPN) services. They are vulnerable to a remote denial
of service issue due to a failure to handle malformed data in the SSL
protocol module, which can be exploited to cause the affected device to
reload or drop connections. Cisco VPN 3000 Concentrator products
running software versions 4.1.7.A and prior are vulnerable.
Ref: http://www.securityfocus.com/advisories/8322
______________________________________________________________________

05.13.51 CVE: CAN-2005-0895
Platform: Network Device
Title: Netcomm NB1300 Modem/Router Remote Denial of Service
Description: Netcomm NB1300 is a router that includes a modem. It is
affected by a denial of service condition when a large number of ping
requests are sent to the device. The device hangs due to resource
exhaustion. Netcomm NB1300 versions 4.4.1 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/394287
______________________________________________________________________

05.13.52 CVE: CAN-2005-0864, CAN-2005-0865
Platform: Network Device
Title: Samsung DSL Modem Multiple Remote Vulnerabilities
Description: Samsung DSL modems are affected by multiple remote
vulnerabilities. Samsung DSL modems running software versions
SMDK8947v1.2 and earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/bid/12864
______________________________________________________________________

(c) 2005. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==
Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org Copyright 2005. All rights reserved. No posting
or reuse allowed, other than as listed above, without prior written
permission.
