RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 2

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Mon Jan 16 2006 - 10:35:35 CST


*************************************************************************
     RISK: The Consensus Security Vulnerability Alert
January 16, 2006 Vol. 5. Week 2
*************************************************************************

RISK will be arriving on Monday instead of at the end of the week. We
hope that will allow it to be even more useful to you.

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
=========================================================================
Platform                    # of Updates & Vulnerabilities
=========================================================================
Windows                      1 (#1)
Microsoft Office             1
Other Microsoft Products     2 (#2)
Third Party Windows Apps     2 (#6)
Mac OS                       2
Linux                        1 (#4)
BSD                          3
Solaris                      3
Unix                         2
Cross Platform               7 (#3, #5, #7, #8)
Web Application             32
Network Device               4
Hardware                     2

******************** Sponsored by SANS On Demand ************************
Can't get away for six days to take a SANS course? On Demand offers
Security 401 Security Essentials and 504 Hacker Techniques online
when it is convenient for you. Visit http://www.sans.org/info.php?id=983
or write us at ondemandsans.org to set up a free demo. On Demand,
SANS Training. Anytime, Anywhere!
*************************************************************************

Table of Contents:
Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)

Widely Deployed Software

(1) CRITICAL: Microsoft Windows Embedded Font Processing Overflow
(2) CRITICAL: Microsoft Exchange and Outlook TNEF Format Processing Overflow
(3) CRITICAL: Apple QuickTime Multiple File Format Overflows
(4) CRITICAL: Novell SuSE Linux Enterprise Server Remote Manager Heap Overflow
(5) HIGH: ClamAV UPX Processing Buffer Overflow

Other Software
(6) CRITICAL: BlueCoat WinProxy Buffer Overflow and DoS Vulnerabilities
(7) MODERATE: Apache auth_ldap Module Format String Vulnerabilities
(Other) CRITICAL: eStara Softphone SIP SDP Data Packet Remote Buffer
    Overflow (See 06.2.59 in Part II below for details)

Exploit
(8) Sun Java Plugin Security Bypass

*********************** Sponsored Links: ********************************

1) Free SANS Webcast: WhatWorks in Intrusion Prevention Systems:
"Defending Government Security with Unisys" Tuesday, January 17 at 1:00
PM EST (1800 UTC/GMT) http://www.sans.org/info.php?id=984

2) Free SANS Webcast: WhatWorks in Secure Email - Anti-spam Makes for
Home Sweet Home at The Villages Thursday, January 19 at 1:00 PM EST
(1800 UTC/GMT) http://www.sans.org/info.php?id=985
*************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
06.2.1 - Windows Embedded Web Font Buffer Overflow
 -- Microsoft Office
06.2.2 - Microsoft Excel Unspecified Code Execution
 -- Other Microsoft Products
06.2.3 - Microsoft Outlook / Microsoft Exchange TNEF Decoding Remote Code Execution
06.2.4 - Microsoft Visual Studio UserControl Remote Code Execution
 -- Third Party Windows Apps
06.2.5 - PostgreSQL postmaster Denial of Service
06.2.6 - NetSarang XLPD Remote Denial of Service
 -- Mac OS
06.2.7 - Apple QuickTime Multiple Code Execution Vulnerabilities
06.2.8 - Eudora Internet Mail Server Multiple Denial of Service Vulnerabilities
 -- Linux
06.2.9 - Dave Carrigan Auth_LDAP Remote Format String
 -- BSD
06.2.10 - FreeBSD IPFW IP Fragment Remote Denial Of Service
06.2.11 - FreeBSD EE Insecure Temporary File Creation
06.2.12 - BSD SecureLevel Time Setting Security Restriction Bypass
 -- Solaris
06.2.13 - Sun Solaris UUSTAT Local Buffer Overflow
06.2.14 - Sun Solaris Find In Proc Filesystem Local Denial Of Service Vulnerability
06.2.15 - Sun Solaris Operating System Unspecified Privilege Escalation
 -- Unix
06.2.16 - XMame Multiple Local Command Line Argument Buffer Overflow
06.2.17 - NetBSD KernFS LSEEK Local Kernel Memory Disclosure
 -- Cross Platform
06.2.18 - BEA WebLogic Server and WebLogic Express MBean Remote Information
06.2.19 - QuickTime PictureViewer JPEG/PICT File Buffer Overflow
06.2.20 - Sudo Python Environment Variable Handling Security Bypass
06.2.21 - Blackberry Enterprise Server PNG Attachment Denial Of Service
06.2.22 - Stefan Frings SMS Server Tools Local Format String
06.2.23 - Clam Anti-Virus ClamAV Unspecified UPX File Buffer Overflow
06.2.24 - Bogofilter Multiple Remote Buffer Overflow Vulnerabilities
 -- Web Application
06.2.25 - Interspire TrackPoint NX Index.PHP Cross-Site Scripting
06.2.26 - PHP Toolkit for PayPal IPN_success.PHP Logfile Injection
06.2.27 - Fog Creek Software FogBugz Default.ASP Cross-Site Scripting
06.2.28 - MyPhPim Multiple Input Validation Vulnerabilities
06.2.29 - CaLogic Calendars Add Event Multiple HTML Injection Vulnerabilities
06.2.30 - MyPhPim Addresses.PHP3 Arbitrary File Upload
06.2.31 - PHP MySQLI Error Logging Remote Format String
06.2.32 - PHP 5 User-Supplied Session ID Input Validation
06.2.33 - Orjinweb Index.PHP Remote File Include
06.2.34 - PHPNuke Multiple Modules IMG Tag HTML Injection
06.2.35 - WebWiz Forums Search_form.ASP Cross-Site Scripting
06.2.36 - Hummingbird Enterprise Collaboration Multiple Vulnerabilities
06.2.37 - Xoops Pool Module HTML Injection
06.2.38 - PHPNuke EV Search Module SQL Injection
06.2.39 - AppServ Open Project Remote File Include
06.2.40 - ADOdb Server.PHP SQL Injection
06.2.41 - Andromeda Andromeda.php Cross-Site Scripting
06.2.42 - Joomla Vcard Access Information Disclosure
06.2.43 - Magic News Plus Administrator Password Change
06.2.44 - Venom Board Post.PHP3 Multiple SQL Injection Vulnerabilities
06.2.45 - PHPChamber Search_result.PHP Cross-Site Scripting
06.2.46 - 427BB Authentication Bypass
06.2.47 - 427BB Showthread.PHP SQL Injection
06.2.48 - Foxrum Multiple BBCode Tag Script Injection Vulnerabilities
06.2.49 - SysCP WebFTP Module Local File Include
06.2.50 - PHP PEAR Go-Pear.PHP Arbitrary Remote Code Execution
06.2.51 - PD9 Software MegaBBS Private Message Information Disclosure
06.2.52 - Aquifer CMS Index.ASP Cross-Site Scripting
06.2.53 - TinyPHPForum Multiple Directory Traversal Vulnerabilities
06.2.54 - Navboard Multiple Cross-Site Scripting Vulnerabilities
06.2.55 - SuSE Open Enterprise Server Novell Remote Manager HTTP Request Header Heap Overflow
06.2.56 - TankLogger General Functions Script SQL Injection Vulnerabilities
 -- Network Device
06.2.57 - Cisco Aironet Wireless Access Point ARP Memory Exhaustion Denial of Service
06.2.58 - Cisco CS-MARS Default Administrative Password
06.2.59 - eStara Softphone SIP SDP Data Packet Remote Buffer Overflow
06.2.60 - Trac HTML WikiProcessor Wiki Content HTML Injection
 -- Hardware
06.2.61 - Cray UNICOS Multiple Buffer Overflow Vulnerabilities
06.2.62 - Cisco IP Phone 7940 Remote Denial of Service

 ______________________________________________________________________

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of
3Com, as a by-product of that company's continuous effort to ensure that
its intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from
a council of security managers from twelve large organizations who
confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be
found at http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

***************************
Widely Deployed Software
***************************

(1) CRITICAL: Microsoft Windows Embedded Font Processing Overflow
Affected:
Windows 98/ME/SE/NT/2000/XP/2003

Description: Embedding fonts in a document guarantees that a user
receiving the document can read it as intended. The Embedded OpenType
file format (".eot") can be used to bundle a font with a web page, and
Internet Explorer opens EOT files automatically. The library responsible
for parsing EOT files, T2EMBED.DLL, contains a heap-based overflow that
can be triggered by a specially crafted EOT file. The problem arises
because the declared size of the uncompressed block in an EOT file is
used to allocate memory for the uncompressed data; however, the actual
size of the uncompressed data is not compared against the declared size
before the data is written into that heap buffer. A malicious web page
can exploit the overflow to execute arbitrary code on a user's system
when the page is viewed with Internet Explorer. The technical details
and the code disassembly that can be used to craft an exploit have been
publicly posted. Immunity has also made proof-of-concept exploits
available to its partners. Note that the exploitation vectors for this
vulnerability are similar to those of the widely exploited WMF flaw, and
that the extension of EOT files can be spoofed.
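The allocate-from-declared-size mistake described above, shown as an added C illustration that is not code from the bulletin or from T2EMBED.DLL: the block layout (a 4-byte declared size followed by a constructed run-length payload) is an assumed stand-in for the real EOT/MTX format, and the line marked as the missing check is the comparison the library omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an embedded-font data block: a 4-byte little-endian
 * declared uncompressed size, followed by a run-length payload made of
 * <count, byte> pairs. This is an assumption for illustration only, not the
 * real EOT/MTX layout. */

enum {
    EF_OK            =  0,
    EF_BAD_HEADER    = -1,   /* truncated or malformed block */
    EF_SIZE_MISMATCH = -2,   /* payload does not expand to the declared size */
    EF_NOMEM         = -3
};

/* Upper bound on what we are willing to allocate from an untrusted header
 * (assumed value; also defuses a huge declared size used for memory exhaustion). */
#define EF_MAX_UNCOMPRESSED (16u * 1024u * 1024u)

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Size the payload expands to, computed without writing anything. */
static size_t rle_expanded_size(const uint8_t *in, size_t in_len)
{
    size_t total = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2)
        total += in[i];
    return total;
}

/* Hardened decoder. The buffer is sized from the declared value exactly as
 * the bulletin describes; the difference is the comparison against the
 * actual expansion before any byte is written. Without that check, a payload
 * that expands past the declared size overruns the heap allocation. */
int ef_decode(const uint8_t *blk, size_t blk_len, uint8_t **out, size_t *out_len)
{
    if (blk_len < 4)
        return EF_BAD_HEADER;
    uint32_t declared = rd_le32(blk);
    const uint8_t *payload = blk + 4;
    size_t payload_len = blk_len - 4;
    if (payload_len % 2 != 0 || declared > EF_MAX_UNCOMPRESSED)
        return EF_BAD_HEADER;

    size_t actual = rle_expanded_size(payload, payload_len);
    if (actual != declared)            /* the missing check */
        return EF_SIZE_MISMATCH;

    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf)
        return EF_NOMEM;
    size_t pos = 0;
    for (size_t i = 0; i + 1 < payload_len; i += 2) {
        memset(buf + pos, payload[i + 1], payload[i]);
        pos += payload[i];
    }
    *out = buf;
    *out_len = pos;
    return EF_OK;
}

/* Constructed samples: a consistent block, and one whose payload expands
 * past its declared size (the shape of the malicious EOT file). */
static const uint8_t SAMPLE_OK[]       = { 6, 0, 0, 0, 3, 'A', 3, 'B' };
static const uint8_t SAMPLE_OVERFLOW[] = { 4, 0, 0, 0, 3, 'A', 3, 'B' };

/* Decode a block and return only the status code. */
static int ef_status(const uint8_t *blk, size_t blk_len)
{
    uint8_t *out = NULL;
    size_t n = 0;
    int rc = ef_decode(blk, blk_len, &out, &n);
    free(out);
    return rc;
}

int ef_demo_ok(void)        { return ef_status(SAMPLE_OK, sizeof SAMPLE_OK); }
int ef_demo_overflow(void)  { return ef_status(SAMPLE_OVERFLOW, sizeof SAMPLE_OVERFLOW); }
int ef_demo_truncated(void) { return ef_status(SAMPLE_OK, 3); }

/* 1 if the consistent sample decodes to the expected bytes "AAABBB". */
int ef_demo_ok_content(void)
{
    uint8_t *out = NULL;
    size_t n = 0;
    int match = 0;
    if (ef_decode(SAMPLE_OK, sizeof SAMPLE_OK, &out, &n) == EF_OK)
        match = (n == 6 && memcmp(out, "AAABBB", 6) == 0);
    free(out);
    return match;
}
```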

Status: Apply the patch referenced in the Microsoft Security Bulletin
MS06-002. Other vendors like Nortel and Avaya have published patches for
their affected products.

Council Site Actions: All reporting council sites are responding to this
item. Several sites have already distributed the patch and others plan
to deploy during their next scheduled maintenance window. A few sites
are using Microsoft Automatic Updates and hence the patch has already
been installed.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx
eEye Advisory
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0007.html
Vulnerable Code Disassembly posted by Piotr Bania
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0359.html
CERT Advisory
http://www.kb.cert.org/vuls/id/915930
Immunity, Inc. Partner Information
http://www.immunityinc.com/partners-index.shtml
Embedded Font Technology
http://msdn.microsoft.com/workshop/author/fontembed/font_embed.asp#Embedded_Font_Techno
Nortel Centrex
http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2006/02/020103-01.pdf
Avaya
http://archives.neohapsis.com/archives/secunia/2006-q1/0133.html
SecurityFocus BID
http://www.securityfocus.com/bid/16194

*********************************************************************

(2) CRITICAL: Microsoft Exchange and Outlook TNEF Format Processing Overflow
Affected:
Microsoft Outlook 2000/2002/2003
Microsoft Exchange Server versions 5.0, 5.5 and 2000
Microsoft Office Multilanguage Packs 2000
Microsoft Office Multilingual UI Packs XP/2003
Microsoft Office 2003 Language Interface Packs

Description: Microsoft Outlook and Exchange use the Transport Neutral
Encapsulation Format (TNEF) to handle e-mails written in Rich Text
Format. The library responsible for decoding the TNEF format contains a
buffer overflow that can be triggered by a specially crafted e-mail. The
flaw can be exploited to execute arbitrary code with "SYSTEM" privileges
in the case of the Exchange server. Note that sending an e-mail is
sufficient to compromise the Exchange server, i.e. no user interaction
is required. The discoverers of the flaw have reported that they will
disclose the technical details in three months.

Status: Apply the patch referenced in the Microsoft Security Bulletin
MS06-003.

Council Site Actions: All reporting council sites are responding to
this item. Several sites have already distributed the patch and others
plan to deploy during their next scheduled maintenance window. A few
sites are using Microsoft Automatic Updates and hence the patch has
already been installed.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx
NGSSoftware Advisory
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0009.html
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0008.html
TNEF File Format
http://cvs.sourceforge.net/viewcvs.py/*checkout*/tnef/tnef/doc/file-format.tex?content-type=text%2Fplain
CERT Advisory
http://www.kb.cert.org/vuls/id/252146
SecurityFocus BID
http://www.securityfocus.com/bid/16197

*********************************************************************

(3) CRITICAL: Apple QuickTime Multiple File Format Overflows
Affected:
QuickTime Player version 7.0.3 and prior on Windows 2000/XP/Mac OS X

Description: The QuickTime media player from Apple contains multiple
buffer overflow vulnerabilities in processing the following file
formats: GIF, MOV, QTIF, JPEG, TGA, TIFF and PICT. A specially crafted
movie or image file can exploit the overflows to execute arbitrary code
on the client system. Note that the malicious files can be hosted on a
webpage, shared folder, P2P folder or sent in an email. The technical
details required to craft exploits are included in the posted
advisories.

Status: Apple has released QuickTime 7.0.4 to address these issues. Note
that iTunes uses QuickTime for playing media. Hence, iTunes users should
also apply this update.

Council Site Actions: Most of the council sites are responding to this
item and are in the process of pushing the patch or plan to push the
patch during their next regularly scheduled system maintenance window.
Some sites are using Apple's Software Update facility and the patch has
already been installed.

References:
Apple Advisory
http://docs.info.apple.com/article.html?artnum=303101
eEye Advisories
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0014.html
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0013.html
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0012.html
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0011.html
Cirt.Dk Advisory
http://cirt.dk/advisories/cirt-41-advisory.pdf
Fortinet Advisories
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0449.html
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0447.html
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0446.html
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0445.html
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0443.html
CERT Advisory
http://www.us-cert.gov/cas/techalerts/TA06-011A.html
SecurityFocus BID
http://www.securityfocus.com/bid/16202

********************************************************************

(4) CRITICAL: Novell SuSE Linux Enterprise Server Remote Manager Heap Overflow
Affected:
Novell SuSE Linux Enterprise Server version 9.0
Novell Open Enterprise Server

Description: Novell SuSE Linux Enterprise Server can be managed
remotely over HTTP. This remote management server, which listens on port
8008/tcp or 8009/tcp by default, contains a heap-based buffer overflow.
The overflow can be triggered by supplying a large or a negative
Content-Length in an HTTP POST request, and exploited to execute
arbitrary code.

Status: Novell has released an update to address the issue. Block access
to the remote manager HTTP port(s) from the Internet as a general
security measure.

References:
iDefense Advisory
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=371
Novell Advisory
http://www.checksum.org/cso/message/14774.html
Product Homepage
http://www.novell.com/products/linuxenterpriseserver/
Novell Remote Manager Documentation
http://www.novell.com/documentation/oes/index.html?page=/documentation/oes/remotemgr_lx/data/btmt2a5.html
SecurityFocus BID
http://www.securityfocus.com/bid/16226

***********************************************************************

(5) HIGH: ClamAV UPX Processing Buffer Overflow
Affected:
ClamAV versions prior to 0.88

Description: ClamAV is an open-source antivirus package designed mainly
for scanning email on UNIX mail gateways. The software includes a virus
scanning library, libClamAV, which is used by many third-party email,
web and FTP scanners as well as by mail clients. The library contains
a buffer overflow that can be triggered by a specially crafted
UPX-packed executable file. An attacker can deliver the malicious file
via email, web, FTP or a file share, and exploit the buffer overflow to
execute arbitrary code on the system running the ClamAV library. The
technical details can be obtained by comparing the fixed and the
affected versions of the software. Note that compromising a
mail/web/FTP gateway requires no user interaction.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

References:
ZDI Advisory
http://www.zerodayinitiative.com/advisories/ZDI-06-001.html
Third Party Software Using ClamAV
http://www.clamav.net/whos.html#pagestart (Includes Mac OS X server)
http://www.clamav.net/3rdparty.html#pagestart
SecurityFocus BID
http://www.securityfocus.com/bid/16191

***********************************************************************

***************
Other Software
***************

(6) CRITICAL: BlueCoat WinProxy Buffer Overflow and DoS Vulnerabilities
Affected:
WinProxy version 6.0 and prior

Description: The WinProxy proxy suite is designed for secure sharing of
an Internet connection in small to medium businesses. The WinProxy web
proxy server contains a stack-based buffer overflow that can be
triggered by an overlong HTTP "Host" header. An attacker can exploit the
flaw to execute arbitrary code. Exploit code has been publicly posted.

Status: WinProxy version 6.1a has been released to address this buffer
overflow as well as other DoS issues.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

References:
iDefense Advisories
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0003.html
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0004.html
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0002.html
Exploit Code
http://www.frsirt.com/exploits/20060107.Winproxy.pl.php
SecurityFocus BIDs
http://www.securityfocus.com/bid/16147
http://www.securityfocus.com/bid/16148
http://www.securityfocus.com/bid/16149

********************************************************************

(7) MODERATE: Apache auth_ldap Module Format String Vulnerabilities
Affected:
auth_ldap version 1.6.0 and prior

Description: The auth_ldap module provides LDAP authentication for Apache
servers on Windows and UNIX platforms. This module contains a format
string vulnerability that can be triggered by supplying a specially
crafted username during the LDAP authentication process. An attacker can
exploit the flaw to execute arbitrary code on the Apache server with the
privileges of the "apache" process. The technical details required to
craft an exploit can be gathered by examining the fixed and the
vulnerable code.

Status: The vendor has released version 1.6.1. Linux vendors such as
Red Hat have also released their own updates.

Council Site Actions: Two of the reporting council sites are using the
affected software. One site is awaiting the patch and will install it
during its next regularly scheduled system update cycle. The second
site is still assessing the issue and will likely address it during its
next scheduled maintenance window.

References:
Posting by Digitalarmaments
http://archives.neohapsis.com/archives/bugtraq/2006-01/0121.html
RedHat Advisory
http://rhn.redhat.com/errata/RHSA-2006-0179.html
Vendor Homepage
http://www.rudedog.org/auth_ldap/
SecurityFocus BID
http://www.securityfocus.com/bid/16177

*********************************************************************

***************
Exploits
***************

(8) Sun Java Plugin Security Bypass

Description: CERT has reported a malicious website that is exploiting
a vulnerability in the Sun JRE (originally reported in November 2004).
This is the first report of active exploitation of this vulnerability.
Please ensure that the Sun JRE is updated to the latest version.

References:
CERT Current Activity
http://www.us-cert.gov/current/current_activity.html#javaapi
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=3&i=47#widely2

***********************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 2, 2006

This list is compiled by Qualys (www.qualys.com) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4771 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

______________________________________________________________________

06.2.1 CVE: CVE-2006-0010
Platform: Windows
Title: Windows Embedded Web Font Buffer Overflow
Description: Microsoft Windows is vulnerable to a remotely exploitable
buffer overflow issue due to insufficient handling of embedded web
fonts that have been maliciously malformed. See Microsoft security
bulletin MS06-002 for further details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx
______________________________________________________________________

06.2.2 CVE: Not Available
Platform: Microsoft Office
Title: Microsoft Excel Unspecified Code Execution
Description: Microsoft Excel is susceptible to an unspecified code
execution vulnerability. The issue presents itself when Microsoft
Excel attempts to process malformed or corrupted XLS files. Please
visit the reference link provided for a list of vulnerable versions.
Ref: http://www.securityfocus.com/bid/16181
______________________________________________________________________

06.2.3 CVE: CVE-2006-0002
Platform: Other Microsoft Products
Title: Microsoft Outlook / Microsoft Exchange TNEF Decoding Remote
Code Execution
Description: Microsoft Exchange Server and Outlook email clients use
the Transport Neutral Encapsulation Format (TNEF) when sending Rich
Text Format (RTF) messages. They are prone to a remote code execution
vulnerability due to insufficient boundary checks performed by the
applications. This issue affects Microsoft Outlook, Microsoft
Exchange, and Microsoft Office Multilingual User Interface (MUI)
Packs.
Ref: http://www.securityfocus.com/archive/1/421518
______________________________________________________________________

06.2.4 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Visual Studio UserControl Remote Code Execution
Description: Microsoft Visual Studio is prone to a vulnerability that
could allow remote arbitrary code execution. This is due to a design
flaw that executes code contained in a project file without first
notifying users. If a "UserControl" object is added to a Form in a
Visual Studio project, the code in its "UserControl_Load" function is
executed without notifying the user, without prior confirmation, and
without the project being compiled or run. Microsoft Visual Studio 2005 is
reportedly vulnerable to this issue.
Ref: http://www.securityfocus.com/bid/16225
______________________________________________________________________

06.2.5 CVE: CVE-2006-0105
Platform: Third Party Windows Apps
Title: PostgreSQL Postmaster Denial of Service
Description: PostgreSQL is prone to a denial of service vulnerability.
The problem occurs when the "postmaster" service receives multiple
connection attempts at the same time. The application fails to handle
multiple requests properly and crashes. The crash will not affect
existing connections, but future connections will not be possible
until the service is manually restarted. This issue only affects
PostgreSQL for Microsoft Windows. PostgreSQL versions 8.0.0-8.0.5 and
8.1.0-8.1.1 are vulnerable.
Ref: http://www.securityfocus.com/archive/1/421592
______________________________________________________________________

06.2.6 CVE: CVE-2006-0148
Platform: Third Party Windows Apps
Title: NetSarang XLPD Remote Denial of Service
Description: NetSarang Xlpd is a remotely accessible line printer
daemon for the Microsoft Windows platform. It is vulnerable to a
denial of service issue when it receives approximately 40 simultaneous
connections from the same IP. NetSarang Xlpd version 2.1 is
vulnerable.
Ref: http://www.ipomonis.com/advisories/xlpd.txt
______________________________________________________________________

06.2.7 CVE: CVE-2005-2340, CVE-2005-3707, CVE-2005-3708,
CVE-2005-3709, CVE-2005-3710, CVE-2005-3711, CVE-2005-3713
Platform: Mac OS
Title: Apple QuickTime Multiple Code Execution Vulnerabilities
Description: QuickTime Player is the media player distributed by Apple
for QuickTime as well as other media files. It is affected by multiple
remote code execution issues due to failure of the application to
perform boundary checks prior to copying user-supplied data into
sensitive process buffers. QuickTime versions prior to 7.0.4 are
affected.
Ref: http://www.securityfocus.com/bid/16202
______________________________________________________________________

06.2.8 CVE: CVE-2006-0141
Platform: Mac OS
Title: Eudora Internet Mail Server Multiple Denial of Service
Vulnerabilities
Description: Qualcomm Eudora Internet Mail Server (EIMS) is vulnerable
to multiple denial of service issues due to the application's inability
to handle exceptional conditions such as a malformed NTLM
authentication request. Qualcomm Eudora Internet Mail Server versions
3.2.8 and earlier are vulnerable.
Ref: http://www.eudora.co.nz/updates.html
______________________________________________________________________

06.2.9 CVE: CVE-2006-0150
Platform: Linux
Title: Dave Carrigan Auth_LDAP Remote Format String
Description: Dave Carrigan's Auth_ldap is an Apache authentication
module that utilizes Lightweight Directory Access Protocol. It is
vulnerable to a remote format string issue due to insufficient
sanitization of user-supplied input to the
"auth_ldap_log_reason()" function. Dave Carrigan's auth_ldap version
1.6.1 resolves this issue.
Ref: http://rhn.redhat.com/errata/RHSA-2006-0179.html
http://www.rudedog.org/auth_ldap/Changes.html
______________________________________________________________________

06.2.10 CVE: CVE-2006-0054
Platform: BSD
Title: FreeBSD IPFW IP Fragment Remote Denial of Service
Description: FreeBSD IPFW is a packet filtering firewall that is
integrated into the operating system's kernel. It is susceptible to a
remote denial of service vulnerability. This issue is due to a flaw in
affected kernels that results in an uninitialized kernel memory access
when handling ICMP IP fragments. FreeBSD version 6.0 is affected.
Ref: http://www.securityfocus.com/advisories/10003
______________________________________________________________________

06.2.11 CVE: CVE-2006-0055
Platform: BSD
Title: FreeBSD ee Insecure Temporary File Creation
Description: FreeBSD ee is a screen-oriented text editor. It creates
temporary files in an insecure manner. An attacker with local access
could exploit this to overwrite files in the context of the
application. Please check the attached advisory for a list of affected
versions.
Ref: http://www.securityfocus.com/bid/16207
______________________________________________________________________

06.2.12 CVE: CVE-2005-4352
Platform: BSD
Title: BSD Securelevel Time Setting Security Restriction Bypass
Description: Securelevels allow administrators to configure computers
with various security restrictions. BSD Securelevels are vulnerable to
a security restriction bypass issue that allows local users to set the
system clock to any arbitrary value due to an integer overflow in the
system clock. NetBSD versions 2.1 and earlier are vulnerable. Linux
versions 2.6.15 and earlier are vulnerable.
Ref: http://www.redteam-pentesting.de/advisories/rt-sa-2005-16.txt
______________________________________________________________________

06.2.13 CVE: CAN-2004-0780
Platform: Solaris
Title: Sun Solaris uustat Local Buffer Overflow
Description: The Sun Solaris uustat utility is used to display status
information about the Unix to Unix CoPy (UUCP) system. The utility
is prone to a local buffer overflow vulnerability. The vulnerability
arises when an attacker supplies excessive string data to the utility
through the "-S" command line argument. A user-supplied string
containing 1152 or more bytes can overflow a fixed-size buffer,
leading to memory corruption. An attacker can exploit this issue to
execute arbitrary code and gain "uucp" user privileges which
correspond to user ID 5 by default.
Ref: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-101933-1
______________________________________________________________________

06.2.14 CVE: Not Available
Platform: Solaris
Title: Sun Solaris Find In Proc Filesystem Local Denial of Service
Vulnerability
Description: Sun Solaris is prone to a local denial of service
vulnerability. A local unauthorized user can cause a system panic by
running "find" in the "/proc" filesystem and cause a denial of
service. This issue is triggered by a "readdir" call in an unspecified
location, so any recursive utility like "find" will likely trigger
this issue.
Ref: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102108-1
______________________________________________________________________

06.2.15 CVE: Not Available
Platform: Solaris
Title: Sun Solaris Operating System Unspecified Privilege Escalation
Description: Sun Solaris on x86 platforms is prone to an unspecified
privilege escalation issue. This vulnerability is due to an
unspecified security issue which may allow a local unprivileged user
to gain elevated privileges or panic the kernel. This issue affects
Solaris 9 and 10.
Ref: http://www.securityfocus.com/bid/16224
______________________________________________________________________

06.2.16 CVE: Not Available
Platform: Unix
Title: XMame Multiple Local Command Line Argument Buffer Overflow
Description: XMame is a port of the MAME arcade emulator. It is prone
to locally exploitable buffer overflow issues in the "xmame.x11"
executable due to insufficient bounds checking of command line
parameters. An attacker could exploit this issue to gain higher
privileges. XMame version 0.102 is vulnerable to these issues.
Ref: http://www.securityfocus.com/bid/16203/info
______________________________________________________________________

06.2.17 CVE: Not Available
Platform: Unix
Title: NetBSD kernfs lseek Local Kernel Memory Disclosure
Description: The kernfs file system is a file system that allows users
to access certain portions of kernel memory in user-space by accessing
virtual files. It is vulnerable to a kernel memory disclosure issue
due to insufficient sanitization of user-supplied arguments passed to
the "lseek()" system call. An attacker could exploit this issue and
could launch further attacks based on the information gathered. NetBSD
version 3.0 is vulnerable.
Ref: http://www.securityfocus.com/advisories/9979
______________________________________________________________________

06.2.18 CVE: Not Available
Platform: Cross Platform
Title: BEA WebLogic Server and WebLogic Express MBean Remote
Information
Description: BEA WebLogic Server and WebLogic Express are susceptible
to a remote information disclosure vulnerability. The MBeanHome
interface, and from there further configuration MBeans, can be
retrieved over anonymous connections via remote RMI (Remote Method
Invocation) access to JNDI (Java Naming and Directory Interface).
Anonymous administration lookup access to JNDI is enabled by default.
WebLogic Server and Express versions 6.1, 7.0, and 8.1 on all
platforms are vulnerable.
Ref: http://dev2dev.bea.com/pub/advisory/162
______________________________________________________________________

06.2.19 CVE: CAN-2005-2340
Platform: Cross Platform
Title: QuickTime PictureViewer JPEG/PICT File Buffer Overflow
Description: QuickTime Player is a media player. It is vulnerable to a
buffer overflow issue due to insufficient handling of malformed JPEG
and PICT files. QuickTime versions 6.5.2 and 7.0.3 are vulnerable.
Ref: http://www.cirt.dk/advisories/cirt-41-advisory.pdf
______________________________________________________________________

06.2.20 CVE: Not Available
Platform: Cross Platform
Title: Sudo Python Environment Variable Handling Security Bypass
Description: Sudo is a widely used Linux/Unix utility that allows
users to securely run commands as the superuser or other users. It is
prone to a security bypass vulnerability that could lead to arbitrary
code execution. This issue is due to an error in the application when
handling the "PYTHONINSPECT" environment variable.
Ref: http://www.securityfocus.com/bid/16184/exploit
______________________________________________________________________

06.2.21 CVE: CVE-2005-2344
Platform: Cross Platform
Title: Blackberry Enterprise Server PNG Attachment Denial of Service
Description: Research In Motion Blackberry Enterprise Server is
communications middleware for Blackberry devices. It is vulnerable to
a denial of service attack due to insufficient handling of a malformed
Portable Network Graphics (PNG) file. Research in Motion BlackBerry
Enterprise Server versions 4.0 Service Pack 2 and earlier are
vulnerable.
Ref:
http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167794
______________________________________________________________________

06.2.22 CVE: CVE-2006-0083
Platform: Cross Platform
Title: Stefan Frings SMS Server Tools Local Format String
Description: Stefan Frings SMS Server Tools is an application used to
send and receive SMS (Short Message Service). A format string issue is
exposed via the "syslog()" function in the "src/logging.c" source
file. Version 1.14.8 of SMS Server Tools is affected.
Ref: http://www.securityfocus.com/bid/16188
______________________________________________________________________

06.2.23 CVE: Not Available
Platform: Cross Platform
Title: Clam Anti-Virus ClamAV Unspecified UPX File Buffer Overflow
Description: ClamAV is an anti-virus application. It is prone to an
unspecified heap buffer overflow vulnerability due to a failure of the
application to properly bounds check user-supplied data prior to
copying it to an insufficiently sized memory buffer. Exploitation of
this issue could allow attacker-supplied machine code to be executed
in the context of the affected application. Please refer to the
following link for more details.
Ref: http://www.securityfocus.com/archive/1/421741
______________________________________________________________________

06.2.24 CVE: CVE-2005-4591, CVE-2005-4592
Platform: Cross Platform
Title: Bogofilter Multiple Remote Buffer Overflow Vulnerabilities
Description: Bogofilter is a Bayesian spam filtering application
designed to be run on Linux and Unix platforms. Multiple remote buffer
overflow vulnerabilities affect Bogofilter. These issues are due to a
failure of the application to properly handle invalid input sequences
and validate the length of user-supplied strings prior to copying them
into static process buffers. Please visit the reference link for a
list of vulnerable versions.
Ref: http://www.securityfocus.com/bid/16171
______________________________________________________________________

06.2.25 CVE: Not Available
Platform: Web Application
Title: Interspire TrackPoint NX Index.PHP Cross-Site Scripting
Description: TrackPoint NX is an online advertising campaign and
promotional activity management application. Insufficient sanitization
of the "username" parameter of the "index.php" script exposes the
application to a cross-site scripting issue. TrackPoint NX versions
less than 0.1 are affected.
Ref: http://www.securityfocus.com/bid/16214
______________________________________________________________________

06.2.26 CVE: Not Available
Platform: Web Application
Title: PHP Toolkit for PayPal IPN_success.PHP Logfile Injection
Description: PHP Toolkit for PayPal is a set of application scripts to
integrate PayPal into an ecommerce application. All input parameters
to the "ipn_success.php" script are modifiable by way of an HTTP
"POST" request, and may be overwritten to create false transaction
data in the application's transaction log file. PHP Toolkit version
0.50 is affected.
Ref: http://www.securityfocus.com/archive/1/421739
______________________________________________________________________

06.2.27 CVE: Not Available
Platform: Web Application
Title: Fog Creek Software FogBugz Default.ASP Cross-Site Scripting
Description: FogBugz is a project management application. It is prone
to a cross-site scripting vulnerability due to insufficient
sanitization of user-supplied input to the "dest" parameter of the
"default.asp" script. FogBugz versions 4.029 and prior are vulnerable.
Ref: http://www.securityfocus.com/bid/16216/exploit
______________________________________________________________________

06.2.28 CVE: Not Available
Platform: Web Application
Title: MyPhPim Multiple Input Validation Vulnerabilities
Description: MyPhPim is a personal information manager written in PHP.
It is vulnerable to multiple input validation issues due to a failure
in the application to properly sanitize user-supplied input. SQL
injection attacks are possible through the "cal_id" parameter of the
"calendar.php3" script, and via the "login" input parameter on the
login page of the application. Successful exploitation of these
vulnerabilities could result in a compromise of the application or
theft of cookie-based authentication credentials. MyPhPim version 1.05
is vulnerable.
Ref: http://evuln.com/vulns/22/summary.html
______________________________________________________________________

06.2.29 CVE: Not Available
Platform: Web Application
Title: CaLogic Calendars Add Event Multiple HTML Injection
Vulnerabilities
Description: CaLogic Calendars is a web-based calendar application. It
is prone to multiple HTML injection vulnerabilities due to
insufficient sanitization of user-supplied input to multiple
unspecified input variables when adding a new calendar event. CaLogic
version 1.2.2 is reported to be vulnerable.
Ref: http://evuln.com/vulns/24/summary.html
______________________________________________________________________

06.2.30 CVE: CVE-2006-0169
Platform: Web Application
Title: MyPhPim Addresses.PHP3 Arbitrary File Upload
Description: MyPhPim is a personal information manager written in PHP.
MyPhPim is prone to an arbitrary file upload vulnerability. Input to
the "pdbfile" parameter of the "addresses.php3" script is not properly
sanitized, allowing arbitrarily named files to be uploaded to the
user's computer.
Ref: http://evuln.com/vulns/23/summary.html
______________________________________________________________________

06.2.31 CVE: Not Available
Platform: Web Application
Title: PHP MySQLI Error Logging Remote Format String
Description: PHP is a free and widely used web page development
language. It is susceptible to a remote format string vulnerability in
the "mysqli" extension. This issue is due to insufficient sanitization
of user-supplied input prior to using it in the format-specifier
argument to a formatted printing function. PHP versions 5.1.0 and
5.1.1 are affected.
Ref: http://www.securityfocus.com/archive/1/421705
______________________________________________________________________

06.2.32 CVE: Not Available
Platform: Web Application
Title: PHP 5 User-Supplied Session ID Input Validation
Description: PHP 5 is prone to an input validation vulnerability due
to improper sanitization of user-supplied PHP session IDs transmitted
by way of HTTP headers. PHP 5 versions 5.1.1 and prior are affected.
Ref: http://www.hardened-php.net/advisory_012006.112.html
______________________________________________________________________

06.2.33 CVE: Not Available
Platform: Web Application
Title: Orjinweb Index.PHP Remote File Include
Description: Orjinweb E-commerce is a shopping cart application. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "page" parameter of the
"index.php" script.
Ref: http://www.securityfocus.com/bid/16199/info
______________________________________________________________________

06.2.34 CVE: Not Available
Platform: Web Application
Title: PHPNuke Multiple Modules IMG Tag HTML Injection
Description: The PHPNuke Pool and News Modules are prone to an HTML
injection vulnerability. This issue is due to improper sanitization
of user-supplied input to "IMG" tags of posted comments to the
application modules.
Ref: http://www.securityfocus.com/bid/16192/exploit
______________________________________________________________________

06.2.35 CVE: Not Available
Platform: Web Application
Title: WebWiz Forums Search_form.ASP Cross-Site Scripting
Description: WebWiz Forums is a forum application written in ASP. It
is prone to a cross-site scripting vulnerability due to improper
sanitization of user-supplied input to the "search" parameter of the
"search_form.asp" script. WebWiz Forum version 6.34 is affected.
Ref: http://www.securityfocus.com/bid/16196
______________________________________________________________________

06.2.36 CVE: Not Available
Platform: Web Application
Title: Hummingbird Enterprise Collaboration Multiple Vulnerabilities
Description: Hummingbird Enterprise Collaboration is a web-based
collaborative groupware application. It is affected by multiple issues
including arbitrary HTML/script upload and information disclosure.
Hummingbird Enterprise Collaboration versions 5.2.1 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/16195
______________________________________________________________________

06.2.37 CVE: Not Available
Platform: Web Application
Title: Xoops Pool Module HTML Injection
Description: The XOOPS Pool Module is a sports betting module for
XOOPS. It is vulnerable to an HTML injection vulnerability due to
insufficient sanitization of user-supplied input to "IMG" tags of
posted comments.
Ref: http://www.securityfocus.com/archive/1/421325
______________________________________________________________________

06.2.38 CVE: Not Available
Platform: Web Application
Title: PHPNuke EV Search Module SQL Injection
Description: PHPNuke EV is an input validation and filtering system
written in PHP. It is prone to an SQL injection vulnerability caused
by insufficient sanitization of user-supplied input to the "query"
parameter of the search script. PHPNuke EV version 7.7 is vulnerable.
Ref: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html
______________________________________________________________________

06.2.39 CVE: Not Available
Platform: Web Application
Title: AppServ Open Project Remote File Include
Description: AppServ Open Project is an installation utility that
ships with an application suite made up of open source software. It is
prone to a remote file include vulnerability due to improper
sanitization of user-supplied input to the "appserv_root" parameter of
the "main.php" script. AppServ Open Project version 2.4.5 is
vulnerable.
Ref: http://www.securityfocus.com/bid/16166
______________________________________________________________________

06.2.40 CVE: CVE-2006-0146
Platform: Web Application
Title: ADOdb Server.PHP SQL Injection
Description: ADOdb is a database abstraction library for PHP. ADOdb is
prone to an SQL injection vulnerability. This issue is due to a
failure in the application to properly sanitize user-supplied input to
the "sql" parameter of the "server.php" script before using it in an
SQL query.
Ref: http://secunia.com/secunia_research/2005-64/advisory/
______________________________________________________________________

06.2.41 CVE: Not Available
Platform: Web Application
Title: Andromeda Andromeda.php Cross-Site Scripting
Description: Andromeda is a streaming MP3 server written in PHP and
ASP. It is prone to a cross-site scripting issue due to a failure in
the application to properly sanitize user-supplied input to the "s"
parameter of the "andromeda.php" script. An attacker could exploit this
issue to steal cookie-based authentication credentials as well as
perform other attacks. Andromeda version 1.9.3.4 is vulnerable.
Ref: http://www.securityfocus.com/bid/16183/info
______________________________________________________________________

06.2.42 CVE: CVE-2006-0114
Platform: Web Application
Title: Joomla Vcard Access Information Disclosure
Description: Joomla is a web content management application. It is
vulnerable to an information disclosure issue due to insufficient
handling of the "hide" control setting when displaying the vcard data.
Joomla versions 1.0.5 and earlier are vulnerable.
Ref: http://forge.joomla.org/sf/go/artf2950
______________________________________________________________________

06.2.43 CVE: Not Available
Platform: Web Application
Title: Magic News Plus Administrator Password Change
Description: Magic News Plus is software to display news and events.
It is affected by a password change issue in which an attacker can
change the administrator password and gain access to the affected
application. Magic News version 1.0.3 is affected.
Ref: http://www.securityfocus.com/bid/16182
______________________________________________________________________

06.2.44 CVE: Not Available
Platform: Web Application
Title: Venom Board Post.PHP3 Multiple SQL Injection Vulnerabilities
Description: Venom Board is a bulletin board application. It is
prone to multiple SQL injection vulnerabilities due to insufficient
sanitization of user-supplied input to the "parent", "root" and
"topic_id" parameters of the "post.php3" script. Venom Board version
1.22 is affected.
Ref: http://www.securityfocus.com/bid/16176/exploit
______________________________________________________________________

06.2.45 CVE: CVE-2006-0152
Platform: Web Application
Title: phpChamber Search_result.PHP Cross-Site Scripting
Description: phpChamber is a member directory management application
written in PHP. It is prone to a cross-site scripting vulnerability.
This issue is due to a failure in the application to properly sanitize
user-supplied input to the "needle" parameter of the
"search_result.php" script.
Ref: http://www.securityfocus.com/bid/16180
______________________________________________________________________

06.2.46 CVE: CVE-2006-0153
Platform: Web Application
Title: 427BB Authentication Bypass
Description: 427BB is a bulletin board application. It is vulnerable
to an authentication bypass issue due to insufficient validation of
user-supplied cookie data with the "login.php" and "getvar.php"
scripts. 427BB versions 2.2 and 2.2.1 are vulnerable.
Ref: http://www.securityfocus.com/archive/1/421326
______________________________________________________________________

06.2.47 CVE: CVE-2006-0154
Platform: Web Application
Title: 427BB Showthread.PHP SQL Injection
Description: 427BB is a bulletin board application. It is vulnerable
to an SQL injection issue due to insufficient sanitization of
user-supplied input to the "ForumID" parameter of the "showthread.php"
script. 427BB versions 2.2 and 2.2.1 are vulnerable.
Ref: http://evuln.com/vulns/18/summary.html
______________________________________________________________________

06.2.48 CVE: Not Available
Platform: Web Application
Title: Foxrum Multiple BBCode Tag Script Injection Vulnerabilities
Description: Foxrum is web forum software. It is prone to multiple
script injection vulnerabilities due to improper sanitization of
user-supplied input to the "[url]" BBCode tag of "addpost1.php" and
"addtopic1.php". Foxrum version 4.0.4f is reported to be vulnerable.
Ref: http://evuln.com/vulns/20/summary.html
______________________________________________________________________

06.2.49 CVE: CVE-2006-0132
Platform: Web Application
Title: SysCP WebFTP Module Local File Include
Description: System Control Panel (SysCP) is a web-based server
administration application. SysCP WebFTP module is prone to a local
file include vulnerability. The "webftp_language" parameter of the
"webftp.php" script is not properly sanitized, allowing an attacker
to include and execute local files in the context of the affected
web server process. WebFTP 1.2.6 is reportedly vulnerable to this
issue. Other versions may be affected as well.
Ref: http://www.securityfocus.com/bid/16175
______________________________________________________________________

06.2.50 CVE: Not Available
Platform: Web Application
Title: PHP PEAR Go-Pear.PHP Arbitrary Remote Code Execution
Description: go-pear.php is a script to automatically download all the
files needed to run the PEAR package installer. It is affected by an
issue that could permit the execution of arbitrary code. An attacker
can exploit this issue to supply a malicious proxy server and upload
arbitrary files and execute them in the context of the web server
process. go-pear.php version 0.2.2 is affected.
Ref: http://www.securityfocus.com/bid/16174
______________________________________________________________________

06.2.51 CVE: Not Available
Platform: Web Application
Title: PD9 Software MegaBBS Private Message Information Disclosure
Description: MegaBBS is web forum software implemented in ASP. It is
vulnerable to an information disclosure issue due to a failure in the
application to properly sanitize user-supplied data. An attacker can
exploit this issue to view private messages of other users. MegaBBS
versions 2.0 and 2.1 are vulnerable.
Ref: http://www.pd9soft.com/megabbs/forums/thread-view.asp?tid=4924
______________________________________________________________________

06.2.52 CVE: Not Available
Platform: Web Application
Title: Aquifer CMS Index.ASP Cross-Site Scripting
Description: Aquifer CMS is a web content management system.
Insufficient sanitization of the "keyword" parameter in
the "public/index.asp" script exposes the application to a cross-site
scripting issue. All current versions are affected.
Ref: http://www.securityfocus.com/bid/16162
______________________________________________________________________

06.2.53 CVE: Not Available
Platform: Web Application
Title: TinyPHPForum Multiple Directory Traversal Vulnerabilities
Description: TinyPHPForum is Web-based forum software. It is
vulnerable to multiple directory traversal issues due to a failure in
the application to properly sanitize user-supplied input. An attacker
can exploit these vulnerabilities to retrieve arbitrary files from the
vulnerable system in the context of the web server process.
TinyPHPForum versions 3.6 and earlier are vulnerable.
Ref: http://evuln.com/vulns/14/summary.html
______________________________________________________________________

06.2.54 CVE: CVE-2006-0140
Platform: Web Application
Title: Navboard Multiple Cross-Site Scripting Vulnerabilities
Description: Navboard is a web forum application. It is vulnerable to
multiple cross-site scripting vulnerabilities due to insufficient
sanitization of user-supplied input to the "[url]", "[b]" and
"[textlarge]" BBCode tags of "post.php". Navboard versions V17beta2
and V16 are vulnerable.
Ref: http://evuln.com/vulns/19/summary.html
______________________________________________________________________

06.2.55 CVE: CVE-2005-3655
Platform: Web Application
Title: SuSE Open Enterprise Server Novell Remote Manager HTTP Request
Header Heap Overflow
Description: Novell Remote Manager is a remote management interface
that is accessible over the HTTP protocol. It is vulnerable to a
remotely exploitable heap overflow issue triggered by a malicious HTTP
request header. The issue is due to a boundary condition error in
"httpstkd" when handling extremely large or negative size values in
HTTP request header fields. Successful exploitation will allow for
arbitrary code execution in the context of the application.
Ref: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=371
______________________________________________________________________

06.2.56 CVE: Not Available
Platform: Web Application
Title: TankLogger General Functions Script SQL Injection
Vulnerabilities
Description: TankLogger is a web-based aquarium tracking application.
It is prone to multiple SQL injection vulnerabilities. These issues
are due to a failure in the application to properly sanitize
user-supplied input to the "livestock_id" and "tank_id" parameters of
the "general_functions.php" script before using it in an SQL query.
TankLogger version 2.4 is affected.
Ref: http://www.securityfocus.com/bid/16228/exploit
______________________________________________________________________

06.2.57 CVE: Not Available
Platform: Network Device
Title: Cisco Aironet Wireless Access Point ARP Memory Exhaustion
Denial of Service
Description: Cisco Aironet Wireless Access Points are a series of
devices that provide wireless network access. They are
vulnerable to a denial of service issue due to a failure of the
device to properly limit the memory consumption of its ARP table. This
issue allows attackers that can successfully associate with a
vulnerable access point to exhaust the memory of the affected device.
This issue affects various devices running Cisco IOS, and not the
models running the VxWorks-based operating system (version 12.05 and
earlier).
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless.shtml
______________________________________________________________________

06.2.58 CVE: Not Available
Platform: Network Device
Title: Cisco CS-MARS Default Administrative Password
Description: Cisco Security Monitoring, Analysis and Response System
(CS-MARS) is a security management appliance. The appliance sets a
default administrative password during installation. Cisco Security
Monitoring, Analysis and Response System version 4.1.3 resolves this
issue.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060111-mars.shtml
______________________________________________________________________

06.2.59 CVE: Not Available
Platform: Network Device
Title: eStara Softphone SIP SDP Data Packet Remote Buffer Overflow
Description: eStara Softphone is a commercial SIP (Session Initiation
Protocol) VoIP (Voice Over IP) phone for the Microsoft Windows
platform. A remote buffer overflow vulnerability affects eStara
Softphone due to improper validation of the length of user-supplied
strings. eStara Softphone versions 3.0.1.14 and 3.0.1.46 are
vulnerable to this issue.
Ref: http://www.securityfocus.com/archive/1/421596
______________________________________________________________________

06.2.60 CVE: Not Available
Platform: Network Device
Title: Trac HTML WikiProcessor Wiki Content HTML Injection
Description: Trac is a project tracking application written in the
Python programming language. It is prone to an HTML injection
vulnerability. This issue is due to a failure in the application to
properly sanitize user-supplied input to unspecified fields of the
HTML WikiProcessor before using it in dynamically generated content.
Ref: http://projects.edgewall.com/trac/wiki/ChangeLog
______________________________________________________________________

06.2.61 CVE: Not Available
Platform: Hardware
Title: Cray UNICOS Multiple Buffer Overflow Vulnerabilities
Description: Cray UNICOS is the operating system for Cray
supercomputers. It is vulnerable to locally exploitable buffer
overflow issues due to insufficient boundary checking of command line
parameters in various utilities with
setuid-superuser privileges. Cray UNICOS version 9.0.2.2 is
vulnerable.
Ref: http://www.securityfocus.com/bid/16205
______________________________________________________________________

06.2.62 CVE: Not Available
Platform: Hardware
Title: Cisco IP Phone 7940 Remote Denial of Service
Description: Cisco IP Phone 7940 is prone to a remote denial of
service vulnerability which arises when the device handles malformed
network data containing a packetcount of 1000 and a packetdelay of
0.002 over TCP port 80. Successful exploitation causes the phone to
restart.
Ref: http://www.securityfocus.com/bid/16200/info
______________________________________________________________________

(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.
