RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 15

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Fri Apr 22 2005 - 10:52:07 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Users who moved away from Microsoft products (to Firefox and RealPlayer)
in an effort to avoid security problems are facing high risk
vulnerabilities this week. Even Mac users need to install a security
patch this week. Not to be outdone, users of Internet Explorer also
have a critical new vulnerability to contend with. See #1, #2, #4, and
#3 below. Also, because working exploit code is now circulating,
Microsoft Exchange users and Oracle users should install patches on a
priority basis if they haven't already. (#6 and #7 below)

                                      Alan

*************************************************************************
           RISK: The Consensus Security Vulnerability Alert
April 21, 2005 Vol. 4. Week 16
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
----------------------------------------------------------------------
Platform                    # of Updates & Vulnerabilities
----------------------------------------------------------------------
Windows                      1 (#3, #6, #8)
Third Party Windows Apps     6
Mac Os                       2 (#4)
Linux                        4
BSD                          1
Unix                         5 (#5)
Cross Platform              26 (#1, #2, #7)
Web Application             32
Network Device               3
______________________________________________________________________

Table of Contents:

Part I -- Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)

Widely Deployed Software
(1) HIGH: Mozilla Firefox Remote Code Execution
(2) HIGH: RealNetworks RealPlayer RAM File Processing Overflow
(3) MODERATE: Microsoft Windows Explorer Remote Script Injection
(4) MODERATE: Mac OS X Cumulative Security Update (April 15, 2005)

Other Software
(5) MODERATE: xv Remote Code Execution Vulnerabilities

Technical Details and Exploits
(6) Microsoft Exchange Server Extended Verb Overflow (MS05-021)
(7) Oracle Cumulative Update April 2005
(8) Windows TCP/IP Multiple Vulnerabilities (MS05-019)

Patches
(9) Sun Directory Server LDAP Buffer Overflow

************ SPONSORED BY SANS ROCKY MOUNTAIN 2005 *********************
Just two weeks until SANS comes to Denver to host nine immersion tracks
plus short programs on Cutting Edge Hacker Techniques, Security Policy
Development, Security Awareness Training, and more. Wonderful teachers
give you material you can put to work immediately upon returning to the
office and present the most current tools and techniques. Details at
http://www.sans.org/rockymnt2005

What attendees say:
"SANS is the ultimate security training conference. Bar none. It is
the most intensive and informative program available. It's a must have
for infosec professionals." (Aaron Despain, TriWest health Care)

"I have attended several of SANS rivals, and SANS blew them away!"
(Alton Thomas, US Marine Corps)
************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
05.16.1 - Microsoft Windows Explorer Preview Pane Script Injection Vulnerability
 -- Third Party Windows Apps
05.16.2 - Sun Java System Web Server Unspecified Denial of Service
05.16.3 - DameWare Mini Remote Control Authentication Credentials Persistence Weakness
05.16.4 - Musicmatch Jukebox Arbitrary File Overwrite
05.16.5 - Musicmatch Jukebox Unspecified Remote Buffer Overflow
05.16.6 - Neslo Desktop Rover Malformed Packet Remote Denial of Service
05.16.7 - WheresJames Webcam Publisher Web Server Buffer Overflow
 -- Mac Os
05.16.8 - Apple Safari Remote Local Zone Script Execution
05.16.9 - Apple Mac OS X AppleFilingProtocol Information Disclosure
 -- Linux
05.16.10 - GOCR ReadPGM Remote Client-Side Buffer Overflow
05.16.11 - Libsafe Multi-threaded Process Race Condition Security Bypass
05.16.12 - Monkey HTTP Daemon Format String
05.16.13 - Monkey HTTP Daemon Zero Length File Request Denial of Service
 -- BSD
05.16.14 - FreeBSD Kernel SIOCGIFCONF Local Information Disclosure
 -- Unix
05.16.15 - Oops! Proxy Server Remote Format String Vulnerability
05.16.16 - Webmin and Usermin Configuration File Unauthorized Access
05.16.17 - JAWS Glossary HTML Injection Vulnerability
05.16.18 - XV Image Decoders Multiple Unspecified Vulnerabilities
05.16.19 - XV Image File Name Remote Command Execution
 -- Cross Platform
05.16.20 - IBM iSeries AS400 POP3 Server Remote Information Disclosure
05.16.21 - PHP Group Exif Module IFD Tag Integer Overflow
05.16.22 - Net-Server Perl Module Logging Function Format String
05.16.23 - GOCR Remote Client-Side Integer Overflow
05.16.24 - Kerio MailServer WebMail Remote Resource Exhaustion
05.16.25 - Squid Proxy Aborted Connection Remote Denial of Service
05.16.26 - Sumus Game Server Remote Buffer Overflow
05.16.27 - RSA Security Authentication Agent Cross-Site Scripting
05.16.28 - Yager Game Data Block Denial of Service Vulnerability
05.16.29 - Mozilla Code Execution, Cross-Site Scripting and Policy Bypass Vulnerabilities
05.16.30 - IBM OS/400 Incoming Remote Command Denial of Service
05.16.31 - Multiple Vendor TCP Session Acknowledgement Number Denial of Service
05.16.32 - CVS Unspecified Buffer Overflow and Memory Access
05.16.33 - Mozilla Firefox Search Plug-In Remote Script Code Execution Vulnerability
05.16.34 - Mozilla Favicon Link Tag Remote Script Code Execution
05.16.35 - Opera SSL Security Feature Design Error
05.16.36 - Mozilla Firefox Search Target Sidebar Script Code Execution
05.16.37 - Mozilla Firefox PLUGINSPAGE Remote Script Code Execution
05.16.38 - Mozilla Suite/Firefox Blocked Pop-Up Window Remote Script Code Execution
05.16.39 - Mozilla Suite And Firefox Global Scope Pollution Cross-Site Scripting
05.16.40 - XV Planetary Data System Image Decoder Format String Vulnerability
05.16.41 - Mozilla Suite DOM Code Execution
05.16.42 - Java Web Proxy Server Multiple Buffer Overflow Vulnerabilities
05.16.43 - MPlayer RTSP and MMST Stream ID Remote Buffer Overflow
05.16.44 - MPlayer RTSP Server Line Response Remote Buffer Overflow
05.16.45 - Adobe Acrobat Reader Unspecified File Parsing Memory Corruption
 -- Web Application
05.16.46 - phpBB Photo Album Module Album_Search.PHP SQL Injection
05.16.47 - phpBB Photo Album Module album_cat.php Cross-Site Scripting
05.16.48 - phpBB Photo Album Album_Comment.PHP Cross-Site Scripting
05.16.49 - S9Y Serendipity exit.php SQL Injection
05.16.50 - WebSphere Application JSP Source Disclosure
05.16.51 - PHP Group Exif Module IFD Nesting Denial of Service
05.16.52 - All4WWW-Homepagecreator index.php Arbitrary Remote File Inclusion
05.16.53 - Mafia Blog Administrator Authentication Bypass
05.16.54 - PHP-Nuke Surveys Module HTTP Response Splitting
05.16.55 - SPHPBlog Search.PHP Cross-Site Scripting
05.16.56 - OneWorldStore OWProductDetail.ASP HTML Injection
05.16.57 - myBloggie Comment HTML Injection Vulnerability
05.16.58 - Datenbank Module For PHPBB Cross-Site Scripting
05.16.59 - mvnForum Search Cross-Site Scripting
05.16.60 - Coppermine Photo Gallery HTML Injection
05.16.61 - phpBB Knowledge Base Module KB.PHP SQL Injection
05.16.62 - Ariadne CMS Remote File Include Vulnerability
05.16.63 - OneWorldStore Multiple SQL Injection Vulnerabilities
05.16.64 - OneWorldStore owProductDetail.asp SQL Injection
05.16.65 - OneWorldStore OWContactUs.ASP Cross-Site Scripting
05.16.66 - OneWorldStore owListProduct.asp Cross-Site Scripting
05.16.67 - OneWorldStore DisplayResults.ASP SQL Injection Vulnerability
05.16.68 - UBBCentral UBB.threads Printthread.PHP SQL Injection
05.16.69 - CityPost PHP LNKX Message.PHP Cross-Site Scripting
05.16.70 - Info2www Cross-Site Scripting
05.16.71 - CityPost PHP Image Editor Cross-Site Scripting
05.16.72 - CityPost PHP Image Editor M3 URI Parameter Cross-Site Scripting
05.16.73 - phpbb-Auction Module Auction_Offer.PHP SQL Injection Vulnerability
05.16.74 - EcommProV3 Admin/Login.ASP SQL Injection
05.16.75 - Netref Cat_for_gen.PHP Remote PHP Script Injection
05.16.76 - CityPost Simple PHP Upload Cross-Site Scripting
05.16.77 - OneWorldStore DisplayResults.ASP Cross-Site Scripting
 -- Network Device
05.16.78 - Xerox MicroServer SNMP Authentication Bypass Vulnerability
05.16.79 - Xerox MicroServer Web Server Authentication Bypass
05.16.80 - F5 BIG-IP Undisclosed User Interface Vulnerability
______________________________________________________________________
************************* UPCOMING WEB CAST *****************************
Join Stephen Northcutt for an exclusive webcast "The Log Management
Industry - An Untapped Market"
https://www.sans.org/webcasts/show.php?webcastid=90585
*************************************************************************

PART I Critical Vulnerabilities
Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at
TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

***************************
Widely Deployed Software
***************************

(1) HIGH: Mozilla Firefox Remote Code Execution
Affected:
Firefox version 1.0.2 and prior

Description: Mozilla Firefox has been steadily gaining market share
among browsers. The Firefox browser contains multiple flaws that can be
exploited to execute arbitrary code with the privileges of the logged-on
user. The following are three of the more severe flaws:

(a) The "<link>" tag can be used to load a custom image as a site's icon
in Firefox. However, Firefox does not sufficiently validate the source
for the custom image. Hence, by using a "javascript:" URL as the image
source, it is possible to execute arbitrary commands on the client. A
proof-of-concept exploit has been posted. Note that visiting a malicious
web page is sufficient to leverage this flaw.

(b) The "<embed>" tag's "pluginspage" attribute is used to load the URL
for installing a plug-in. By using a "javascript:" URL, it is possible
to execute arbitrary commands on the client.

(c) A malicious webpage can open privileged pages such as about:config
in the sidebar, and then use javascript URLs to execute arbitrary code
on a user's system.

Status: Mozilla confirmed. Firefox version 1.0.3 has been released. This
version fixes many other security vulnerabilities.

Council Site Actions: Just a handful of sites officially support or use
Firefox. One site has already patched, as they received notification
over the weekend. The other sites have advised their users to patch.

References:
Mozilla Advisories
http://www.mozilla.org/security/announce/mfsa2005-34.html
http://www.mozilla.org/security/announce/mfsa2005-35.html
http://www.mozilla.org/security/announce/mfsa2005-36.html
http://www.mozilla.org/security/announce/mfsa2005-37.html
http://www.mozilla.org/security/announce/mfsa2005-38.html
http://www.mozilla.org/security/announce/mfsa2005-39.html
http://www.mozilla.org/security/announce/mfsa2005-40.html
http://www.mozilla.org/security/announce/mfsa2005-41.html
Posting by mikx
http://www.mikx.de/firelinking/
http://www.mikx.de/index.php?p=14
Mozilla Firefox MarketShare
http://www.mozillazine.org/talkback.html?article=6263
SecurityFocus BIDs
http://www.securityfocus.com/bid/13211
http://www.securityfocus.com/bid/13216
http://www.securityfocus.com/bid/13228
http://www.securityfocus.com/bid/13229
http://www.securityfocus.com/bid/13230
http://www.securityfocus.com/bid/13231
http://www.securityfocus.com/bid/13232
http://www.securityfocus.com/bid/13233

*********************************************************************

(2) HIGH: RealNetworks RealPlayer RAM File Processing Overflow
Affected:
Windows
RealPlayer version 10.5 builds 1040 through 1059
RealPlayer versions 8/10/Enterprise
RealOne Player v1/v2
Mac
RealPlayer 10
RealOne Player
Linux
RealPlayer prior to version 10.0.0.4
Helix Player prior to version 10.0.0.4

Description: RealPlayer, a very popular cross-platform media player,
contains a buffer overflow in processing Real Media (".ram") files. A
".ram" file specifies the URL where media clips are stored. The buffer
overflow occurs because RealPlayer does not check the length of the
hostname specified in a media clip's URL. As a result, a .ram file
containing an entry of the form "http://<long hostname>/example.ram" will
trigger the buffer overflow. The flaw can be exploited to execute
arbitrary code on the client system with the privileges of the logged-on
user. Since many browsers automatically open a ".ram" file with
RealPlayer, the flaw may be leveraged without any user interaction.

Status: RealPlayer has issued updates for all platforms. Users should
be advised to upgrade their player by clicking "Tools" or "Help" menu
and then choosing "Check For Updates".

Council Site Actions: This software is not officially supported at any
of the council sites. However, a few of the sites plan to notify their
users.

References:
Posting by Piotr Bania
http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0435.html
RealNetworks Advisory
http://service.real.com/help/faq/security/050419_player/EN/
RAM File Format
http://service.real.com/help/library/guides/g270/htmfiles/links.htm
SecurityFocus BID
http://www.securityfocus.com/bid/13264/
 
***********************************************************************

(3) MODERATE: Microsoft Windows Explorer Remote Script Injection
Affected:
Windows 2000

Description: Windows Explorer reportedly contains a flaw that can be
exploited to execute arbitrary script code on a Windows client. Windows
Explorer, in its default configuration, displays information about some
types of files, such as the author's name, attributes, etc., in the
preview pane when the file is selected. If the author's name resembles
an email address, the name is transformed into a "mailto:" link for
display. A problem arises because the author's name is not sufficiently
sanitized for shell meta-characters. A specially crafted author's name
in certain files can lead to execution of script code when the file is
selected. Note that it is not necessary to open the file; previewing
the file is sufficient to leverage the flaw. An attacker can place
a malicious file in a shared network folder, and entice a victim via
e-mail or webpage to browse that shared folder. Proof-of-concept Word
documents have been posted.

Status: Microsoft has not confirmed, no updates available. A suggested
workaround is to choose the "Windows Classic Folders" view under
"Tools->Folder Options" in any Explorer window. Block the ports 139/tcp
and 445/tcp to prevent the attacks originating from the Internet.

Council Site Actions: All of the reporting council sites are waiting
for a patch from the vendor. Several have commented that they are
already blocking the affected ports (139 and 445) at their network
security perimeter. One site commented they will rely on the Cisco
security agent software to prevent execution of the Trojan code.

References:
GreyMagic Advisory
http://www.greymagic.com/security/advisories/gm015-ie/
SecurityFocus BID
http://www.securityfocus.com/bid/13248

****************************************************************

(4) MODERATE: Mac OS X Cumulative Security Update (April 15, 2005)
Affected:
Mac OS X client and server version 10.3.9
Safari browser version 1.2

Description: Apple has released a cumulative security update for Mac OS
X on April 15, 2005. This update fixes a vulnerability in Safari browser
that can be potentially exploited to execute arbitrary JavaScript code
with the privileges of the logged-on user. The problem arises due to a
flaw in the "XMLHttpRequest" object that allows an attacker to read
arbitrary files present on the client system. The other problems fixed
by this update can be exploited only by local attackers.

Status: Apply the fixes referenced in the Apple Advisory 301327.

Council Site Actions: Four of the reporting council sites are using the
affected software. All plan to patch during their next regularly
scheduled system update process.

References:
Apple Advisory
http://docs.info.apple.com/article.html?artnum=301327
Posting by David Remahl
http://remahl.se/david/vuln/001/
XMLHTTPRequest Object
http://developer.apple.com/internet/webcontent/xmlhttpreq.html
SecurityFocus BID
http://www.securityfocus.com/bid/13202

****************************************************************

******************
Other Software
******************

(5) MODERATE: xv Remote Code Execution Vulnerabilities
Affected:
xv version 3.x

Description: xv is an image manipulation program for UNIX systems that
can handle a large number of image formats such as GIF, JPEG, TIFF, etc.
The program ships by default with many Linux distributions, and can be
configured as the default image viewer for web browsers. The program
contains a buffer overflow in the Planetary Data System (PDS) image
decoding routine, format string vulnerabilities in handling the TIFF and
PDS image formats, and a remote command execution flaw due to insufficient
checking of shell meta-characters in filenames. A malicious image (in a
webpage or email) may exploit these flaws to execute arbitrary code on
the client system. The technical details required to exploit these flaws
can be obtained by comparing the fixed and the vulnerable versions of
the source code.
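The fix for the shell meta-character class of bug named above, as an added example that is not xv's code: a viewer that has to hand a file to an external helper (decompressor, converter) should pass the filename as one argv element through fork/execvp rather than splicing it into a system() string. That a helper is invoked through system() is the assumed shape of the xv flaw, not a detail from the advisory; the helper name, flag and sample filenames are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Characters the Bourne shell interprets. Any of them inside a filename that
   is spliced into a system() command string turns the filename into commands. */
#define SHELL_META ";|&$`<>()\"'\\*?[]{}~!#\n\t "

/* Return 1 if name contains at least one shell metacharacter, else 0. Use it
   to log or reject suspicious names wherever a viewer still goes through a
   shell; it is a detection aid, not a substitute for avoiding the shell. */
int filename_has_shell_meta(const char *name)
{
    return strpbrk(name, SHELL_META) != NULL;
}

/* Fill argv[] for "<prog> -c <infile>" without building a command string.
   argv must have room for 4 pointers. Returns argc (3). */
int build_helper_argv(const char *prog, const char *infile, const char **argv)
{
    argv[0] = prog;
    argv[1] = "-c";
    argv[2] = infile;
    argv[3] = NULL;
    return 3;
}

/* Safe replacement for the pattern
     sprintf(cmd, "gunzip -c %s > %s", infile, outfile); system(cmd);
   (assumed shape of the flaw, not xv's code). The child redirects its stdout
   to outfile and execvp()s a fixed argv, so the filename reaches the helper
   as one argument: "x.gz;id" is merely an odd, nonexistent file name.
   Returns the helper's exit status, or -1 if it could not be run at all. */
int run_helper_safely(const char *prog, const char *infile, const char *outfile)
{
    const char *argv[4];
    pid_t pid;
    int status, fd;

    build_helper_argv(prog, infile, argv);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        close(fd);
        execvp(prog, (char *const *)argv);
        _exit(127);                /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed filenames of the kind a web page or mail could supply */
    const char *benign = "photo.gif";
    const char *hostile = "photo.gif;id";

    printf("%s -> meta=%d\n", benign, filename_has_shell_meta(benign));
    printf("%s -> meta=%d\n", hostile, filename_has_shell_meta(hostile));
    /* With execvp the hostile name is just a missing file: gunzip exits
       nonzero and nothing else runs. Status 127 means gunzip is not installed. */
    printf("helper status: %d\n", run_helper_safely("gunzip", hostile, "/dev/null"));
    return 0;
}
```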

Status: Gentoo confirmed, fixes available.

Council Site Actions: Two of the reporting council sites are using the
affected software. The first site does not officially support the
software and has notified their users. The other site has a large number
of systems on which xv can be executed, either from a local installation
or from a shared network file system. As far as they know, no
significant number of systems have a web-browser configuration in which
xv is automatically invoked. Therefore, it is relatively unlikely that
malicious images will be viewed using xv. They plan to update to a newer
xv version this summer.

References:
Gentoo Advisory
http://security.gentoo.org/glsa/glsa-200504-17.xml
Product Homepage
http://www.trilon.com/xv/
PDS File Format
http://netghost.narod.ru/gff/graphics/summary/pds.htm
SecurityFocus BIDs
http://www.securityfocus.com/bid/13244
http://www.securityfocus.com/bid/13245
http://www.securityfocus.com/bid/13246
http://www.securityfocus.com/bid/13247

*********************************************************************

*******************************
Technical Details and Exploits
*******************************

(6) Microsoft Exchange Server Extended Verb Overflow (MS05-021)
Description: Exploit code and technical details have been posted for the
"CRITICAL" buffer overflow flaw in the Exchange server reported last
week. Exchange servers running on Windows 2000 platforms should be
patched immediately.

Council Site Updates: Most of the council sites have already patched
their systems or are in the process of patching their systems. A few
sites are still investigating and evaluating their risk.

References:
Posting by Evgeny Pinchuk
http://archives.neohapsis.com/archives/bugtraq/2005-04/0277.html
http://archives.neohapsis.com/archives/bugtraq/2005-04/att-0277/MS05-021-PoC.pl
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely1

****************************************************************

(7) Oracle Cumulative Update April 2005

Description: Multiple proof-of-concept exploits and technical details
have been released for the SQL injection vulnerabilities in Oracle
products. Internet facing web servers using Oracle as the back-end
database should apply the patches on a priority basis.

Council Site Updates: Some of the council sites are still regression
testing the patch and a few others are still investigating with their
DBA teams and/or Oracle. One site is re-evaluating their remediation
plan based on exploit code being released. Another site said they may
be making use of the available code to verify that the updates are
installed effectively at their site.

References:
Posting by AppSecInc Team
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0017.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0016.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0015.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0014.html
Posting by Cesar
http://www.argeniss.com/research.html
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely4

****************************************************************

(8) Windows TCP/IP Multiple Vulnerabilities (MS05-019)

Description: Exploit code for the denial of service in Windows related
to the processing of IP Options has been posted. This DoS will result
in a "blue screen of death". An exploit for the TCP reset/degradation
vulnerability (which affects multiple vendors including Cisco and
Juniper) has also been posted. Note that some users have posted problems
encountered after installing the MS05-019 patch.

Council Site Updates: All council sites have already patched their
systems or are in the process of patching their systems. One site
mentioned they plan to use the available exploit code to verify that the
patches have been installed, on systems where an installation problem
is suspected.

References:
Posting by Yuri Gushin (IP Options DoS)
http://www.securityfocus.com/archive/1/396084/2005-04-16/2005-04-22/0
http://archives.neohapsis.com/archives/bugtraq/2005-04/att-0247/ecl-winipdos.c
Posting by houseofdabus (TCP Reset/Degradation via ICMP)
http://archives.neohapsis.com/archives/bugtraq/2005-04/0291.html
Issues reported with MS05-019 patch
http://archives.neohapsis.com/archives/ntbugtraq/2005-q2/0049.html
http://archives.neohapsis.com/archives/ntbugtraq/2005-q2/0050.html
http://archives.neohapsis.com/archives/ntbugtraq/2005-q2/0052.html
http://archives.neohapsis.com/archives/ntbugtraq/2005-q2/0053.html
Previous RISK Newsletter Postings
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely8
http://www.sans.org/newsletters/risk/display.php?v=4&i=15#widely9

****************************************************************

*****************
Patches
*****************

(9) Sun Directory Server LDAP Buffer Overflow

Description: Sun has confirmed and released patches for the LDAP buffer
overflow in Sun ONE/Java System Directory Server discussed in the RISK
newsletter posted on January 13, 2005.

Council Site Updates: The affected software is not in production or
widespread use, or is not officially supported at any of the council
sites. They reported that no action was necessary.

References:
Sun Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57754-1
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=2#widely4

*********************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 16, 2005

This list is compiled by Qualys (www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4237 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
______________________________________________________________________
05.16.1 CVE: CAN-2005-1191
Platform: Windows
Title: Microsoft Windows Explorer Preview Pane Script Injection
Vulnerability
Description: Microsoft Windows Explorer on Windows 2000 is vulnerable
to a script injection issue due to a failure in the application to
filter out potentially harmful characters. An attacker may leverage
this issue to inject and execute malicious script code on a vulnerable
machine. Please refer to the link below for a list of vulnerable systems.
Ref: http://www.securityfocus.com/archive/1/396224
______________________________________________________________________

05.16.2 CVE: CAN-2005-1150
Platform: Third Party Windows Apps
Title: Sun Java System Web Server Unspecified Denial of Service
Description: Sun Java System web server is affected by a denial of
service vulnerability. Sun Java System Web Server versions 6.0 and
earlier are known to be vulnerable.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57760-1
______________________________________________________________________

05.16.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: DameWare Mini Remote Control Authentication Credentials
Persistence Weakness
Description: DameWare NT Utilities is a system management application
for Windows. It is reported to be vulnerable to an authentication
credentials persistence weakness due to improper handling of
authentication credential information. DameWare Development Mini
Remote Control Server versions 4.9 and earlier are reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/13199/
______________________________________________________________________

05.16.4 CVE: CAN-2005-1168
Platform: Third Party Windows Apps
Title: Musicmatch Jukebox Arbitrary File Overwrite
Description: Musicmatch Jukebox is a media player application. It is
vulnerable to an arbitrary file overwrite via the "bstrSavePath"
argument. Musicmatch Jukebox versions 10.00.2047 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/bid/13167/info/
______________________________________________________________________

05.16.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Musicmatch Jukebox Unspecified Remote Buffer Overflow
Description: Musicmatch Jukebox is a utility designed to locate,
identify, and playback music files hosted by the Musicmatch service.
It has an unspecified buffer overflow condition that can be triggered
remotely. This can cause denial of service or remote code execution.
Ref: http://www.securityfocus.com/bid/13174/
______________________________________________________________________

05.16.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Neslo Desktop Rover Malformed Packet Remote Denial of Service
Description: Neslo Desktop Rover is a software application for
Microsoft Windows that provides KVM functionality. Neslo Desktop Rover
is prone to a remote denial of service. Reports indicate that the
software will crash when a malformed packet is processed on TCP port
61427. A remote attacker may exploit this condition to crash the
software and effectively deny service for legitimate users. Neslo
Desktop Rover version 3.0 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/396353
______________________________________________________________________

05.16.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: WheresJames Webcam Publisher Web Server Buffer Overflow
Description: WheresJames Webcam Publisher is a webcam software
package. A problem exists in the handling of remote HTTP GET requests
by the software. The service does not perform proper bounds checking,
making it possible to overwrite sensitive process memory with a custom
GET request. An attacker could leverage this issue to gain
unauthorized access to a system using the vulnerable software with the
privileges of the service.
Ref: http://sourceforge.net/projects/wpub/
______________________________________________________________________

05.16.8 CVE: CAN-2005-0976
Platform: Mac Os
Title: Apple Safari Remote Local Zone Script Execution
Description: Apple Safari is a tabbed browser application developed by
Apple Computers. Safari is affected by a remote local zone script
execution vulnerability. Safari versions 1.2.3 and earlier, Safari RSS
2.0 pre-release and Omni Group OmniWeb 5.1 are known to be vulnerable.
Ref: http://www.securityfocus.com/advisories/8423
______________________________________________________________________

05.16.9 CVE: CAN-2005-0715
Platform: Mac Os
Title: Apple Mac OS X AppleFilingProtocol Information Disclosure
Description: Apple Mac OS X supports AppleShare, a proprietary network
file sharing protocol. The AppleFileServer is Apple's server that
implements this protocol. AppleFileServer provides Apple Filing
Protocol (AFP) services for Mac OS X and Mac OS X server. The AFP
Server is prone to an information disclosure vulnerability. This
vulnerability affects Apple Mac OS X and OS X Server version 10.3.8.
Ref: http://www.securityfocus.com/advisories/8267
______________________________________________________________________

05.16.10 CVE: CAN-2005-1141
Platform: Linux
Title: GOCR ReadPGM Remote Client-Side Buffer Overflow
Description: GOCR is an optical character recognition utility designed
to recognize characters by processing PNM image files. GOCR is
affected by a remote, client-side integer overflow vulnerability. GOCR
versions 0.40 and earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/395979
______________________________________________________________________

05.16.11 CVE: CAN-2005-1125
Platform: Linux
Title: Libsafe Multi-threaded Process Race Condition Security Bypass
Description: Libsafe is a security utility that serves as a wrapper
around unsafe C functions. When Libsafe detects an occurrence of
memory corruption in one of the functions it wraps, it will call the
Libsafe "_libsafe_die()" function to kill the application. This
exposes a window of opportunity in multi-threaded processes where
Libsafe checking is not enabled and the "_libsafe_die()" function is
still executing. Libsafe version 2.0-16 is affected.
Ref: http://www.securityfocus.com/archive/1/395999
______________________________________________________________________

05.16.12 CVE: CAN-2005-1122
Platform: Linux
Title: Monkey HTTP Daemon Format String
Description: Monkey is a web server. It is vulnerable to a format
string issue in the CGI processing function. Monkey HTTP Daemon
version 0.9.1 is not affected.
Ref: http://www.gentoo.org/security/en/glsa/glsa-200504-14.xml
______________________________________________________________________

05.16.13 CVE: CAN-2005-1122, CAN-2005-1123
Platform: Linux
Title: Monkey HTTP Daemon Zero Length File Request Denial of Service
Description: Monkey is an open source Web server. Monkey HTTP Daemon
is affected by a remotely exploitable denial of service vulnerability.
Monkey HTTP Daemon versions 0.9.0 and earlier are known to be
vulnerable.
Ref: http://security.gentoo.org/glsa/glsa-200504-14.xml
______________________________________________________________________

05.16.14 CVE: CAN-2005-1126
Platform: BSD
Title: FreeBSD Kernel SIOCGIFCONF Local Information Disclosure
Description: A local information disclosure vulnerability affects the
FreeBSD kernel due to a failure of the affected kernel to securely
handle potentially sensitive memory when providing data to user
processes. The problem occurs when the SIOCGIFCONF ioctl, through the
ifconf() function call, provides a list of network interfaces to user
processes. FreeBSD kernel versions earlier than 5.4 are vulnerable.
Ref: http://www.securityfocus.com/advisories/8414
______________________________________________________________________

05.16.15 CVE: Not Available
Platform: Unix
Title: Oops! Proxy Server Remote Format String Vulnerability
Description: Oops! is a proxy server package. It is vulnerable to a
remote format string issue because the application fails to properly
sanitize user-supplied input in the "auth()" function. An attacker can
leverage this issue to crash the server or run arbitrary code. Oops!
versions 1.5.53 and earlier are reported vulnerable to this issue.
Ref: http://www.securityfocus.com/bid/13172/discussion/
______________________________________________________________________

05.16.16 CVE: CAN-2005-1177
Platform: Unix
Title: Webmin and Usermin Configuration File Unauthorized Access
Description: Usermin is a web-based user interface for Unix/Linux
users. Webmin is a web-based interface for system administration of
Unix/Linux operating systems. Usermin and Webmin are affected by a
configuration file access validation vulnerability. Usermin versions
1.000 and earlier and Webmin versions 1.160 and earlier are known to
be vulnerable.
Ref: http://www.webmin.com/uchanges.html
http://www.webmin.com/changes.html
______________________________________________________________________

05.16.17 CVE: Not Available
Platform: Unix
Title: JAWS Glossary HTML Injection Vulnerability
Description: JAWS is a content management system. The Glossary module
is vulnerable to an HTML injection due to insufficient sanitization of
user-supplied input. JAWS versions 0.5 beta2 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/bid/13254/info/
______________________________________________________________________

05.16.18 CVE: CAN-2005-0665
Platform: Unix
Title: XV Image Decoders Multiple Unspecified Vulnerabilities
Description: XV is an image editing application that supports multiple
image formats. It is vulnerable to multiple unspecified input
validation issues due to a failure of the application to properly
sanitize input. An attacker may exploit these issues to execute
arbitrary code with the privileges of the vulnerable application. XV
version 3.10a is reported vulnerable.
Ref: http://www.securityfocus.com/advisories/8431
______________________________________________________________________

05.16.19 CVE: Not Available
Platform: Unix
Title: XV Image File Name Remote Command Execution
Description: XV is an image editing application that supports multiple
image formats. XV is affected by a remote, client-side command
execution vulnerability. XV versions 3.10a and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/advisories/8431
______________________________________________________________________

05.16.20 CVE: CAN-2005-1133
Platform: Cross Platform
Title: IBM iSeries AS400 POP3 Server Remote Information Disclosure
Description: IBM iSeries AS400 computers are reported vulnerable to a
remote information disclosure vulnerability. Error messages from the
POP3 service can be used to enumerate user accounts.
Ref: http://www.securityfocus.com/bid/13156/
______________________________________________________________________

05.16.21 CVE: CAN-2005-1042
Platform: Cross Platform
Title: PHP Group Exif Module IFD Tag Integer Overflow
Description: PHP is prone to an integer overflow vulnerability in the
EXIF module. PHP versions 4.3.10 and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/advisories/8424
______________________________________________________________________

05.16.22 CVE: Not Available
Platform: Cross Platform
Title: Net-Server Perl Module Logging Function Format String
Description: Rob Brown Net-Server is a server engine module for Perl.
It is reported to be vulnerable to a remote format string issue due to
improper sanitization of the "log" parameter of the "Server.pm"
module. Rob Brown Net-Server versions 0.87 and earlier are reported to
be vulnerable.
Ref: http://www.securityfocus.com/bid/13193
______________________________________________________________________

05.16.23 CVE: CAN-2005-1141
Platform: Cross Platform
Title: GOCR Remote Client-Side Integer Overflow
Description: GOCR is an optical character recognition application. It
is vulnerable to an integer overflow issue due to insufficient
validation of user-supplied image size values prior to copying them
into static process buffers. GOCR Optical Character Recognition
Utility versions 0.40 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/395979
______________________________________________________________________

05.16.24 CVE: Not Available
Platform: Cross Platform
Title: Kerio MailServer WebMail Remote Resource Exhaustion
Description: Kerio MailServer is vulnerable to a remote resource
exhaustion vulnerability in the WebMail service. A remote attacker may
leverage this issue to cause the affected application to hang,
possibly denying service to legitimate users. The vendor has addressed
this issue in Kerio MailServer version 6.0.9.
Ref: http://www.kerio.com/kms_history.html
______________________________________________________________________

05.16.25 CVE: CAN-2005-0718
Platform: Cross Platform
Title: Squid Proxy Aborted Connection Remote Denial of Service
Description: Squid Proxy is a web proxy software package. It is
reported to be vulnerable to a denial of service issue due to improper
handling of malicious network requests. Squid versions 2.5 and earlier
are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13166
______________________________________________________________________

05.16.26 CVE: Not Available
Platform: Cross Platform
Title: Sumus Game Server Remote Buffer Overflow
Description: Sumus Game Server is designed to facilitate play of an
internet-based version of the mus card game. It is affected by a
remote buffer overflow vulnerability. Sumus versions 0.2.2 and earlier
are known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/395832
______________________________________________________________________

05.16.27 CVE: CAN-2005-1118
Platform: Cross Platform
Title: RSA Security Authentication Agent Cross-Site Scripting
Description: RSA Security Authentication Agent is a utility designed
to secure network-based access to enterprise networks. Insufficient
sanitization of the "postdata" parameter in an HTTP POST request to
the "/WebID/IISWebAgentIF.dll" library exposes the application to a
cross-site scripting issue. RSA Security Authentication Agent version
5.2 is vulnerable.
Ref: http://www.rsasecurity.com/node.asp?id=1176
______________________________________________________________________

05.16.28 CVE: CAN-2005-1164, CAN-2005-1165
Platform: Cross Platform
Title: Yager Game Data Block Denial of Service Vulnerability
Description: Yager Development Yager Game is an air combat game. It is
vulnerable to a remote denial of service issue due to a failure of
the application to properly handle exceptional network data. An
attacker may leverage this issue to freeze a multiplayer game that is
currently in progress. Yager Game versions 5.24 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/395903
______________________________________________________________________

05.16.29 CVE: CAN-2005-0752
Platform: Cross Platform
Title: Mozilla Code Execution, Cross-Site Scripting and Policy Bypass
Vulnerabilities
Description: Multiple vulnerabilities have been reported in Mozilla
Suite, which can be exploited by attackers to conduct cross-site
scripting attacks, bypass certain security restrictions, and
compromise a user's system. Please check the link below for details on
all the issues.
Ref: http://www.mozilla.org/security/announce/mfsa2005-35.html
http://www.mozilla.org/security/announce/mfsa2005-36.html
http://www.mozilla.org/security/announce/mfsa2005-37.html
http://www.mozilla.org/security/announce/mfsa2005-38.html
http://www.mozilla.org/security/announce/mfsa2005-40.html
http://www.mozilla.org/security/announce/mfsa2005-41.html
______________________________________________________________________

05.16.30 CVE: CAN-2005-1182
Platform: Cross Platform
Title: IBM OS/400 Incoming Remote Command Denial of Service
Description: The Incoming Remote Command service for IBM OS/400 allows
users to run a command on a remote system that has the service
enabled. It is reported vulnerable to an unspecified denial of service
condition.
Ref: http://www.securityfocus.com/bid/13214/
______________________________________________________________________

05.16.31 CVE: CAN-2005-1184
Platform: Cross Platform
Title: Multiple Vendor TCP Session Acknowledgement Number Denial of
Service
Description: Multiple vendor TCP/IP stack implementations are reported
vulnerable to a denial of service issue that occurs when an erroneous
TCP acknowledgement number is encountered in an active TCP session
stream. An attacker can inject a rogue TCP packet containing a valid
sequence number and an invalid acknowledgement number into a target
TCP stream, causing a degradation of the target connection and
effectively denying service to legitimate users. Please refer to the
following link for vulnerable systems.
Ref: http://www.securityfocus.com/bid/13215/info/
______________________________________________________________________

05.16.32 CVE: CAN-2005-0753
Platform: Cross Platform
Title: CVS Unspecified Buffer Overflow and Memory Access
Description: CVS is the Concurrent Versions System. It is reported to
be vulnerable to an unspecified buffer overflow issue due to improper
boundary checks. CVS versions 1.12.11 and earlier are reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/13217
______________________________________________________________________

05.16.33 CVE: CAN-2005-1156, CAN-2005-1157
Platform: Cross Platform
Title: Mozilla Firefox Search Plug-In Remote Script Code Execution
Vulnerability
Description: Mozilla Suite and Firefox are reported to be vulnerable
to a remote script code execution issue due to failure of the
application to provide secure access validation prior to implementing
search plug-ins. Mozilla Browser 1.7.6 and earlier as well as Firefox
1.0.2 and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13211
______________________________________________________________________

05.16.34 CVE: CAN-2005-1155
Platform: Cross Platform
Title: Mozilla Favicon Link Tag Remote Script Code Execution
Description: Mozilla Suite and Mozilla Firefox are vulnerable to a
remote script code execution issue. The application will execute
arbitrary JavaScript supplied through a "<LINK rel="icon">" tag due to
failing to deny remote unauthorized access to trusted local
interfaces. Firefox version 1.0.3 and Mozilla Suite version 1.7.7 are
not vulnerable.
Ref: http://www.mikx.de/firelinking/
______________________________________________________________________

05.16.35 CVE: Not Available
Platform: Cross Platform
Title: Opera SSL Security Feature Design Error
Description: Opera is a web browser available for a number of
platforms. Opera is affected by a design error that can result in a
false sense of security. Opera versions 8 Beta 3 and earlier are known
to be vulnerable.
Ref: http://www.geotrust.com/resources/advisory/sslorg/sslorg-advisory.htm
______________________________________________________________________

05.16.36 CVE: CAN-2005-1158
Platform: Cross Platform
Title: Mozilla Firefox Search Target Sidebar Script Code Execution
Description: Mozilla Firefox is affected by a script code execution
issue. When a malicious page is loaded in the "_search" sidebar panel,
any other tabbed page targeting the "_search" sidebar will be executed
with the privileges of the unsuspecting user that loaded it. Mozilla
Firefox version 1.0.3 is not affected.
Ref: http://www.securityfocus.com/advisories/8430
______________________________________________________________________

05.16.37 CVE: CAN-2005-0752
Platform: Cross Platform
Title: Mozilla Firefox PLUGINSPAGE Remote Script Code Execution
Description: Mozilla Firefox is affected by a remote script code
execution vulnerability. Mozilla Firefox versions 1.0.2 and earlier
are known to be vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-34.html
______________________________________________________________________

05.16.38 CVE: CAN-2005-1153
Platform: Cross Platform
Title: Mozilla Suite/Firefox Blocked Pop-Up Window Remote Script Code
Execution
Description: Mozilla Suite is affected by a remote script code
execution vulnerability. Mozilla Browser versions 1.7.6 and earlier,
Firefox versions 1.0.2 and earlier and Netscape versions 7.2 and
earlier are known to be vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-35.html
______________________________________________________________________

05.16.39 CVE: CAN-2005-1154
Platform: Cross Platform
Title: Mozilla Suite And Firefox Global Scope Pollution Cross-Site
Scripting
Description: A remote cross-site scripting vulnerability affects
Mozilla Suite and Mozilla Firefox. An attacker may exploit this issue
to execute arbitrary script code in the context of a page that is
currently being viewed. This may facilitate the theft of cookie based
authentication credentials as well a other attacks.
Ref: http://www.mozilla.org/security/announce/mfsa2005-36.html
______________________________________________________________________

05.16.40 CVE: Not Available
Platform: Cross Platform
Title: XV Planetary Data System Image Decoder Format String
Vulnerability
Description: xv is an image editing application. It is reported to
have a format string issue in the Planetary Data System (PDS) image
decoder. This allows an attacker to execute arbitrary code on a
vulnerable system.
Ref: http://www.securityfocus.com/advisories/8431
______________________________________________________________________

05.16.41 CVE: CAN-2005-1160
Platform: Cross Platform
Title: Mozilla Suite DOM Code Execution
Description: Both the Mozilla Suite and Firefox are vulnerable to a
code execution issue due to the application neglecting to properly
verify Document Object Model property values. Firefox version 1.0.3
and Mozilla Suite version 1.7.7 are not vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-41.html
______________________________________________________________________

05.16.42 CVE: Not Available
Platform: Cross Platform
Title: Java Web Proxy Server Multiple Buffer Overflow Vulnerabilities
Description: Sun Java System Web Proxy Server is a proxy server. It is
reported to be vulnerable to multiple unspecified remote buffer
overflow vulnerabilities. Sun Java Web Proxy Server version 3.6 SP7 is
not vulnerable.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57763-1
______________________________________________________________________

05.16.43 CVE: Not Available
Platform: Cross Platform
Title: MPlayer RTSP and MMST Stream ID Remote Buffer Overflow
Description: MPlayer is a multimedia video and audio application.
MPlayer is affected by a remote heap-based buffer overflow
vulnerability. MPlayer versions 1.0 pre1 and earlier are known to be
vulnerable.
Ref: http://www.mplayerhq.hu/homepage/design7/news.html#vuln10
http://www.mplayerhq.hu/homepage/design7/news.html#vuln11
______________________________________________________________________

05.16.44 CVE: Not Available
Platform: Cross Platform
Title: MPlayer RTSP Server Line Response Remote Buffer Overflow
Description: MPlayer is a multimedia audio and video application.
MPlayer is affected by a remote heap-based buffer overflow
vulnerability. MPlayer versions 1.0 pre1 and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/advisories/8443
______________________________________________________________________

05.16.45 CVE: Not Available
Platform: Cross Platform
Title: Adobe Acrobat Reader Unspecified File Parsing Memory Corruption
Description: Adobe Acrobat Reader is an application designed for
reading Portable Document Format (PDF) files. Adobe Acrobat Reader is
prone to a memory corruption vulnerability. It is reported that the
issue presents itself when the affected software is processing
malformed files.
Ref: http://www.adobe.com/products/acrobat/readstep2.html
______________________________________________________________________

05.16.46 CVE: Not Available
Platform: Web Application
Title: phpBB Photo Album Module Album_Search.PHP SQL Injection
Description: Photo Album is a module for the phpBB bulletin board
system. Photo Album is affected by an SQL injection vulnerability.
This issue is due to a failure in the application to properly sanitize
user-supplied input to the "mode" parameter of "album_search.php"
before using it in an SQL query.
Ref: http://www.securityfocus.com/bid/13155
______________________________________________________________________

05.16.47 CVE: CAN-2005-1115
Platform: Web Application
Title: phpBB Photo Album Module album_cat.php Cross-Site Scripting
Description: Photo Album is a module for phpBB bulletin board system.
Insufficient sanitization of the "sid" parameter in the
"album_cat.php" script exposes the application to a cross-site
scripting issue.
Ref: http://www.securityfocus.com/archive/1/395720
______________________________________________________________________

05.16.48 CVE: Not Available
Platform: Web Application
Title: phpBB Photo Album Album_Comment.PHP Cross-Site Scripting
Description: Photo Album is a module for the phpBB bulletin board. It
is vulnerable to a cross-site scripting issue due to a failure in the
application to properly sanitize user-supplied input to the
"album_comment.php" script. An attacker can exploit this issue to
steal cookie-based authentication credentials. Photo Album version
2.0.53 is known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/395720
______________________________________________________________________

05.16.49 CVE: Not Available
Platform: Web Application
Title: S9Y Serendipity exit.php SQL Injection
Description: Serendipity is a web log application. It is reported to
be vulnerable to an SQL injection issue due to improper sanitization
of user-supplied input to the "url_id" parameter of the "exit.php"
script. All current versions are affected.
Ref: http://www.securityfocus.com/bid/13161
______________________________________________________________________

05.16.50 CVE: CAN-2005-1112
Platform: Web Application
Title: WebSphere Application JSP Source Disclosure
Description: IBM WebSphere is vulnerable to a JSP source code
disclosure vulnerability due to improper handling of an HTTP request
with an invalid Host header. IBM Websphere Application Server versions
6.0 and earlier are vulnerable.
Ref: http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rtrb_jspsource.html
______________________________________________________________________

05.16.51 CVE: CAN-2005-1043
Platform: Web Application
Title: PHP Group Exif Module IFD Nesting Denial of Service
Description: PHP is vulnerable to a denial of service condition when
deeply nested EXIF IFD (Image File Directory) data is processed. This
issue could manifest itself in Web applications that allow users to
upload images.
Ref: http://www.php.net/ChangeLog-4.php#4.3.11
______________________________________________________________________

05.16.52 CVE: CAN-2005-1117
Platform: Web Application
Title: All4WWW-Homepagecreator index.php Arbitrary Remote File
Inclusion
Description: All4WWW-Homepagecreator is a home page creator.
Insufficient sanitization of the "site" parameter of the "index.php"
script exposes the application to a remote file include issue.
All4WWW-Homepagecreator version 1.0a is affected.
Ref: http://www.securityfocus.com/archive/1/395831
______________________________________________________________________

05.16.53 CVE: CAN-2005-1169
Platform: Web Application
Title: Mafia Blog Administrator Authentication Bypass
Description: Mafia is web-based blog software. Mafia is affected by an
authentication bypass vulnerability affecting the administrator
functions. Mafia versions 4 Beta and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/archive/1/395995
______________________________________________________________________

05.16.54 CVE: CAN-2005-1180
Platform: Web Application
Title: PHP-Nuke Surveys Module HTTP Response Splitting
Description: PHP-Nuke is a content management system. It is vulnerable
to an HTTP response splitting vulnerability in the Surveys module.
This issue is due to insufficient sanitization of user-supplied input
of the "forwarder" parameter. PHP-Nuke version 7.6 is reported to be
vulnerable.
Ref: http://www.digitalparadox.org/advisories/pnuke.txt
______________________________________________________________________

05.16.55 CVE: CAN-2005-1135
Platform: Web Application
Title: SPHPBlog Search.PHP Cross-Site Scripting
Description: SPHPBlog is a simple PHP blog. SPHPBlog is affected by a
cross-site scripting vulnerability. SPHPBlog versions 0.4.0 and
earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/bid/13170/info/
______________________________________________________________________

05.16.56 CVE: CAN-2005-1162
Platform: Web Application
Title: OneWorldStore OWProductDetail.ASP HTML Injection
Description: OneWorldStore is web-based storefront software
implemented in ASP. OneWorldStore is affected by an HTML injection
vulnerability. All versions of OneWorldStore are known to be
vulnerable.
Ref: http://oneworldstore.com/support_security_issue_updates.asp
______________________________________________________________________

05.16.57 CVE: CAN-2005-1140
Platform: Web Application
Title: myBloggie Comment HTML Injection Vulnerability
Description: myBloggie is web-based blog software that supports BBCode
image tags. An HTML injection issue allows attackers to steal
cookie-based authentication credentials.
Ref: http://www.securityfocus.com/archive/1/395988
______________________________________________________________________

05.16.58 CVE: CAN-2005-1171
Platform: Web Application
Title: Datenbank Module For PHPBB Cross-Site Scripting
Description: The datenbank module is a module for phpBB. It is
reported to be vulnerable to a cross-site scripting issue due to
improper sanitization of user-supplied input to the "id" parameter of
the "mod.php" script.
Ref: http://www.securityfocus.com/bid/13210
______________________________________________________________________

05.16.59 CVE: CAN-2005-1183
Platform: Web Application
Title: mvnForum Search Cross-Site Scripting
Description: mvnForum is web-based bulletin board software.
Insufficient sanitization of user-supplied input exposes the
application to a cross-site scripting issue. mvnForum version 1.0 RC4
is affected.
Ref: http://www.securityfocus.com/bid/13213/info/
______________________________________________________________________

05.16.60 CVE: CAN-2005-1172
Platform: Web Application
Title: Coppermine Photo Gallery HTML Injection
Description: Coppermine Photo Gallery is a web-based image gallery. It
is vulnerable to an HTML injection issue due to insufficient
sanitization of user-supplied input before writing to log files.
Coppermine Photo Gallery versions 1.3 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/396080
______________________________________________________________________

05.16.61 CVE: Not Available
Platform: Web Application
Title: phpBB Knowledge Base Module KB.PHP SQL Injection
Description: Knowledge Base Module is a module for the popular phpBB
bulletin board system. Knowledge Base Module is affected by an SQL
injection vulnerability. Knowledge Base Module versions 2.0.13 and
earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/396098
______________________________________________________________________

05.16.62 CVE: CAN-2005-1181
Platform: Web Application
Title: Ariadne CMS Remote File Include Vulnerability
Description: Ariadne CMS is a content management system. A remote file
include vulnerability in it allows remote attackers to execute
arbitrary PHP scripts in the context of the web server. This may
facilitate unauthorized access.
Ref: http://www.securityfocus.com/bid/13206/
______________________________________________________________________

05.16.63 CVE: Not Available
Platform: Web Application
Title: OneWorldStore Multiple SQL Injection Vulnerabilities
Description: OneWorldStore is web-based storefront software. It is
vulnerable to multiple SQL injection issues that can be used to
compromise the remote backend database.
Ref: http://www.securityfocus.com/archive/1/395899
______________________________________________________________________

05.16.64 CVE: CAN-2005-1161
Platform: Web Application
Title: OneWorldStore owProductDetail.asp SQL Injection
Description: OneWorldStore is a web-based storefront application.
Insufficient sanitization of the "idProduct" parameter of the
"owProductDetail.asp" script exposes the application to an SQL
injection issue.
Ref: http://www.securityfocus.com/archive/1/395899
______________________________________________________________________

05.16.65 CVE: CAN-2005-1162
Platform: Web Application
Title: OneWorldStore OWContactUs.ASP Cross-Site Scripting
Description: OneWorldStore is a web-based storefront implemented in
ASP. It is vulnerable to a cross-site scripting issue due to a failure
in the application to properly sanitize user-supplied input to
"owContactUs.asp". An attacker may leverage this issue to steal
cookie-based authentication credentials or execute other attacks. All
current versions of OneWorldStore are vulnerable.
Ref: http://oneworldstore.com/support_security_issue_updates.asp
______________________________________________________________________

05.16.66 CVE: CAN-2005-1162
Platform: Web Application
Title: OneWorldStore owListProduct.asp Cross-Site Scripting
Description: OneWorldStore is web-based storefront software. It is
reported to be vulnerable to a cross-site scripting issue due to
improper sanitization of user-supplied input to the "bSub" parameter
of the "owListProduct.asp" script.
Ref: http://www.securityfocus.com/bid/13185
______________________________________________________________________

05.16.67 CVE: CAN-2005-1161
Platform: Web Application
Title: OneWorldStore DisplayResults.ASP SQL Injection Vulnerability
Description: OneWorldStore is a web-based storefront implemented in
ASP. It is vulnerable to an SQL injection issue due to a failure of
the application to properly sanitize user-supplied input to the
"DisplayResults.asp" script. An attacker may leverage this issue to
compromise the application, gain access to sensitive information or
modify data. All current known versions of OneWorldStore are
vulnerable.
Ref: http://oneworldstore.com/support_security_issue_updates.asp
______________________________________________________________________

05.16.68 CVE: Not Available
Platform: Web Application
Title: UBBCentral UBB.threads Printthread.PHP SQL Injection
Description: UBBCentral UBB.threads is a web-based forum application
that is implemented in PHP. UBB.threads is affected by an SQL
injection vulnerability. UBB.threads versions 6.0 and earlier are
known to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/396222
______________________________________________________________________

05.16.69 CVE: Not Available
Platform: Web Application
Title: CityPost PHP LNKX Message.PHP Cross-Site Scripting
Description: CityPost PHP LNKX is a PHP script that is designed to
automate reciprocal links exchange. It is affected by a cross-site
scripting vulnerability. An attacker can leverage this towards theft
of cookie-based authentication credentials from legitimate clients.
Ref: http://www.securityfocus.com/bid/13255/
______________________________________________________________________

05.16.70 CVE: CAN-2004-1341
Platform: Web Application
Title: Info2www Cross-Site Scripting
Description: Info2www is a utility that converts info files into HTML.
It is reported to be vulnerable to a cross-site scripting issue due to
improper sanitization of user-supplied input. Info2www version 1.2.2.9
is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13252
______________________________________________________________________

05.16.71 CVE: Not Available
Platform: Web Application
Title: CityPost PHP Image Editor Cross-Site Scripting
Description: CityPost Image Cropper/Resizer is a PHP script for JPEG
manipulation. It is vulnerable to a cross-site scripting issue due to
a failure of the application to properly sanitize user-supplied input
to the "image-editor-52.php" script. An attacker may leverage this
issue to run arbitrary script code to steal cookie-based
authentication credentials or execute other attacks. CityPost Image
version 52.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/13257/discussion/
______________________________________________________________________

05.16.72 CVE: Not Available
Platform: Web Application
Title: CityPost PHP Image Editor M3 URI Parameter Cross-Site Scripting
Description: CityPost Image Cropper/Resizer is a PHP script that is
designed to manipulate a JPEG image. CityPost Image Cropper/Resizer is
affected by a cross-site scripting vulnerability. This issue is due to
a failure in the application to properly sanitize user-supplied input
to the "m3" parameter of the "image-editor-52.php" script.
Ref: http://www.securityfocus.com/bid/13258
______________________________________________________________________

05.16.73 CVE: Not Available
Platform: Web Application
Title: phpbb-Auction Module Auction_Offer.PHP SQL Injection
Vulnerability
Description: phpbb-Auction module is an auction system for phpBB.
phpbb-Auction module is affected by an SQL injection vulnerability.
phpbb-Auction versions 1.2 and earlier are known to be vulnerable.
Ref: http://www.snkenjoi.com/secadv/secadv9.txt
______________________________________________________________________

05.16.74 CVE: Not Available
Platform: Web Application
Title: EcommProV3 Admin/Login.ASP SQL Injection
Description: EcommProV3 is a web-based shopping cart system implemented
in ASP. EcommProV3 is prone to an SQL injection vulnerability. This
issue is due to a failure in the application to properly sanitize
user-supplied input to the "AdminPWD" parameter of "admin/login.asp"
before using it in an SQL query. This vulnerability could permit
remote attackers to pass malicious input to database queries,
resulting in modification of query logic or other attacks. EcommProV3
version 3.0 is vulnerable.
Ref: http://www.ihssecurity.com/download/advisory/ecomerce-cart.txt
______________________________________________________________________

05.16.75 CVE: Not Available
Platform: Web Application
Title: Netref Cat_for_gen.PHP Remote PHP Script Injection
Description: A remote PHP script injection vulnerability affects
Netref. This issue is due to a failure of the application to sanitize
user-supplied data. An attacker may leverage this issue to execute
arbitrary PHP script code in the context of an affected Web server.
This will facilitate a compromise of the host computer. Netref version
4.2 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/396376
______________________________________________________________________

05.16.76 CVE: Not Available
Platform: Web Application
Title: CityPost Simple PHP Upload Cross-Site Scripting
Description: CityPost Simple PHP Upload is a PHP script that provides
file upload functionality for a Web site. It is affected by a
cross-site scripting vulnerability. CityPost Simple PHP Upload
versions 53.0 and earlier are known to be vulnerable.
Ref: http://www.securityfocus.com/bid/13170/info/
______________________________________________________________________

05.16.77 CVE: CAN-2005-1162
Platform: Web Application
Title: OneWorldStore DisplayResults.ASP Cross-Site Scripting
Description: OneWorldStore is web-based storefront software
implemented in ASP. OneWorldStore is prone to a cross-site scripting
vulnerability. This issue is due to a failure in the application to
properly sanitize user-supplied input to the "sIDSearch" parameter of
"DisplayResults.asp". An attacker may leverage this issue to have
arbitrary script code executed in the browser of an unsuspecting user.
Ref: http://oneworldstore.com/support_security_issue_updates.asp
______________________________________________________________________

05.16.78 CVE: CAN-2005-1179
Platform: Network Device
Title: Xerox MicroServer SNMP Authentication Bypass Vulnerability
Description: Xerox MicroServer is a server utility that includes a web
server. A vulnerability exists in the application allowing remote
attackers to gain access to sensitive information or modify SNMP
settings without requiring authentication. Please check the link below
for a list of vulnerable versions.
Ref: http://a1851.g.akamaitech.net/f/1851/2996/24h/cacheA.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf
______________________________________________________________________

05.16.79 CVE: CAN-2005-1179
Platform: Network Device
Title: Xerox MicroServer Web Server Authentication Bypass
Description: Xerox MicroServer is a server utility that includes a web
server. It is enabled by default on Xerox WorkCentre devices. It is
vulnerable to an authentication bypass issue which can be
exploited to access sensitive information or modify system
configurations. Please refer to the link below for affected versions.
Ref: http://a1851.g.akamaitech.net/f/1851/2996/24h/cacheA.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf
______________________________________________________________________

05.16.80 CVE: Not Available
Platform: Network Device
Title: F5 BIG-IP Undisclosed User Interface Vulnerability
Description: F5 BIG-IP provides a high-availability load balancing
service. A vulnerability exists in the F5 BIG-IP user interface. This
issue is exposed when a user simultaneously logs in to the device's
web user interface through multiple web clients. F5 BIG-IP versions
9.0.2 to 9.0.4 are affected.
Ref: http://www.securityfocus.com/bid/13240/info/
______________________________________________________________________

(c) 2005. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==
Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit
http://portal.sans.org Copyright 2005. All rights reserved. No posting
or reuse allowed, other than as listed above, without prior written
permission.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCaRLi+LUG5KFpTkYRAtfQAJ0T8tq/6qkBwbTfe2kP6Qly96EPMwCgjRf/
qaQEkYpeLqfI8LvcAO39vos=
=bvWX
-----END PGP SIGNATURE-----