RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 3

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Mon Jan 23 2006 - 07:32:08 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Important vulnerabilities were discovered last week for anti-virus
product F-Secure (#1), back-up product EMC Legato (#2), Cisco Call
Manager (#4) and AOL's You've Got Pictures ActiveX control (#3).
Overall more than 85 new vulnerabilities were reported, but if all of
Oracle's vulnerabilities patched last week (#5) were counted, that
number would have nearly doubled. Users of Veritas Netbackup should
verify that the patches were installed, as exploits for the Volume
Manager daemon (vmd) (#8) have been released, and the Internet Storm
Center is reporting widespread scanning of the vmd port.
                                                Alan

*************************************************************************
            RISK: The Consensus Security Vulnerability Alert
January 23, 2006 Vol. 5. Week 3
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
=========================================================================
Platform # of Updates & Vulnerabilities
=========================================================================
Other Microsoft Products 1
Third Party Windows Apps 8 (#3, #4)
Linux 5
HP-UX 1
BSD 1
Solaris 1
Unix 3
Cross Platform 20 (#1, #2, #5, #8)
Web Application 41
Network Device 5 (#6, #7)
Hardware 1

****************** Sponsored by SANS Onsite Training ********************
SANS TRAINING! YOUR LOCATION & SCHEDULE! LOWER COST!
For organizations that need to train a large number of students,
OnSite Information Security Training can deliver all the SANS courses
to any location. You can save your travel budget and reduce your
total cost more than 50%! Contact us at onsitesans.org for more
information.
*************************************************************************
Table of Contents:

Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)

Widely Deployed Software
(1) HIGH: F-Secure Anti-virus ZIP Processing Overflow
(2) HIGH: EMC Legato Networker Backup Buffer Overflow
(3) HIGH: AOL You've Got Pictures ActiveX Control Overflow
(4) HIGH: Cisco Call Manager Multiple DoS Vulnerabilities
(5) MODERATE: Oracle Critical Patch Update January 2006
(6) MODERATE: Cisco IOS Stack Group Bidding Protocol DoS

Other Software
(7) MODERATE: 3Com TippingPoint IPS Denial of Service

Exploits
(8) Veritas Netbackup Shared Library Overflow

*************************** Sponsored Links: ****************************
1) New eBook on Information Theft Prevention provides the latest
advice & best practices around information security. Learn more.
http://www.sans.org/info.php?id=993

2) Free SANS WhatWorks Webcast "WhatWorks in Penetration Testing:
Improving System Health with Care New England" Wednesday, January 25
at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=994

3) Save Time! SANS WhatWorks case studies and webcasts showcase real
user interviews that illustrate effective internet security
technologies.
http://www.sans.org/info.php?id=995
*************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Other Microsoft Products
06.3.1 - Microsoft Internet Explorer Malformed IMG and XML Parsing Denial of Service
 -- Third Party Windows Apps
06.3.2 - Toshiba Bluetooth Stack File Upload Directory Traversal
06.3.3 - Helmsman HomeFtp Remote Denial of Service
06.3.4 - AmbiCom Blue Neighbors Bluetooth Stack Object Push Buffer Overflow
06.3.5 - AOL You've Got Pictures ActiveX Control Buffer Overflow
06.3.6 - WehnTrust Path Specification Local Privilege Escalation
06.3.7 - Computer Associates Unicenter Remote Control DM Primer Remote Denial of Service
06.3.8 - Check Point VPN-1 SecureClient Path Specification Local Privilege Escalation
06.3.9 - F-Secure Multiple Archive Handling Vulnerabilities
 -- Linux
06.3.10 - Linux Kernel mq_open System Call Unspecified Denial of Service
06.3.11 - Linux Kernel ProcFS Kernel Memory Disclosure
06.3.12 - Linux Kernel DM-Crypt Local Information Disclosure
06.3.13 - Linux Kernel SDLA IOCTL Unauthorized Local Firmware Access
06.3.14 - Linux Kernel SEARCH_BINARY_HANDLER Local Denial of Service
 -- HP-UX
06.3.15 - HP-UX FTPD Remote Denial Of Service
 -- BSD
06.3.16 - FreeBSD IEEE 802.11 Network Subsystem Remote Buffer Overflow
 -- Solaris
06.3.17 - Sun Solaris LPSCHED Multiple Local Vulnerabilities
 -- Unix
06.3.18 - GNU Mailman Large Date Data Denial of Service
06.3.19 - Util-Linux Script Command Arbitrary File Overwrite
06.3.20 - Ecartis PantoMIME Arbitrary Attachment Upload
 -- Cross Platform
06.3.21 - Tux Paint Insecure Temporary File
06.3.22 - Albatross Remote Arbitrary Code Execution
06.3.23 - CounterPath eyeBeam SIP Header Data Remote Buffer Overflow
06.3.24 - 123 Flash Chat Server Arbitrary Remote File Creation
06.3.25 - EZDatabase Index.PHP Cross-Site Scripting
06.3.26 - GRSecurity Elevated Service Privileges Weakness
06.3.27 - Apache Geronimo Multiple Input Validation Vulnerabilities
06.3.28 - CMU SNMP SNMPTRAPD Daemon Remote Format String
06.3.29 - Widexl Download Tracker Down.PL Cross-Site Scripting
06.3.30 - Mozilla Thunderbird File Attachment Spoofing
06.3.31 - EMC Legato Networker Multiple Remote Vulnerabilities
06.3.32 - PDFDirectory Unspecified SQL Injection
06.3.33 - Oracle January Security Update Multiple Vulnerabilities
06.3.34 - Cisco IOS HTTP Service CDP Status Page HTML Injection
06.3.35 - Cisco CallManager CCMAdmin Remote Privilege Escalation
06.3.36 - Oracle Database SYS.KUPV$FT Multiple SQL Injection Vulnerabilities
06.3.37 - Cisco CallManager Multiple Remote Denial of Service Vulnerabilities
06.3.38 - Dual DHCP DNS Server DHCP Options Remote Buffer Overflow
06.3.39 - BitComet Torrent File Handling Remote Buffer Overflow
06.3.40 - Kerio WinRoute Firewall Multiple Denial of Service Vulnerabilities
 -- Web Application
06.3.41 - Ultimate Auction Item.PL Cross-Site Scripting
06.3.42 - WP-Stats Author Parameter SQL Injection
06.3.43 - Benders Calendar Multiple SQL Injection Vulnerabilities
06.3.44 - Bit 5 Blog Index.PHP SQL Injection
06.3.45 - 8Pixel.net SimpleBlog Multiple Input Validation Vulnerabilities
06.3.46 - Bit 5 Blog AddComment.PHP HTML Injection
06.3.47 - geoBlog ViewCat.PHP SQL Injection
06.3.48 - Faq-O-Matic Multiple Cross-Site Scripting Vulnerabilities
06.3.49 - White Album Pictures.PHP SQL Injection
06.3.50 - GTP iCommerce Multiple Cross-Site Scripting Vulnerabilities
06.3.51 - Ultimate Auction ItemList.PL Cross-Site Scripting
06.3.52 - Wordcircle Multiple Input Validation Vulnerabilities
06.3.53 - Light Weight Calendar Index.PHP Remote Command Execution
06.3.54 - MyBB Usercp.PHP SQL Injection
06.3.55 - DDSN Interactive CM3CMS Admin Panel Index.ASP SQL Injection
06.3.56 - DCP Portal Multiple Input Validation Vulnerabilities
06.3.57 - Web Host Automation Ltd. Helm Cross-Site Scripting
06.3.58 - AlstraSoft Template Seller Pro Fullview.PHP Cross-Site Scripting
06.3.59 - EZDatabase Remote PHP Script Code Execution
06.3.60 - CubeCart Multiple Cross-Site Scripting Vulnerabilities
06.3.61 - phpXplorer Workspaces.PHP Directory Traversal
06.3.62 - Netbula Anyboard Anyboard.CGI Cross-Site Scripting
06.3.63 - RedKernel Referrer Tracker Rkrt_stats.PHP Cross-Site Scripting
06.3.64 - BlogPHP Index.PHP SQL Injection
06.3.65 - PHP Fusebox Index.PHP Cross-Site Scripting
06.3.66 - WebMobo WBNews Cross-Site Scripting
06.3.67 - PowerPortal Multiple Cross-Site Scripting Vulnerabilities
06.3.68 - SMBCMS Local Site Search Cross-Site Scripting
06.3.69 - AOblogger Multiple Input Validation Vulnerabilities
06.3.70 - HTMLtoNuke HTMLtonuke.PHP Remote File Include
06.3.71 - phpXplorer Action.PHP Directory Traversal
06.3.72 - Phpclanwebsite BBCode IMG Tag Script Injection
06.3.73 - Douran FollowWeb Portal Register.ASPX Cross-Site Scripting
06.3.74 - SaralBlog Multiple Input Validation Vulnerabilities
06.3.75 - Eggblog Multiple Input Validation Vulnerabilities
06.3.76 - MyBB Signature HTML Injection
06.3.77 - PHlyMail Multiple Input Validation Vulnerabilities
06.3.78 - My Amazon Store Manager Cross-Site Scripting
06.3.79 - ELOG Web Logbook Multiple Remote Input Validation Vulnerabilities
06.3.80 - Netrix X-Site Manager Product_Details.PHP Cross-Site Scripting
06.3.81 - WebspotBlogging Login.PHP SQL Injection
 -- Network Device
06.3.82 - ACT P202S VOIP WIFI Phones Multiple Remote Vulnerabilities
06.3.83 - MPM HP-180W VOIP WIFI Phone Information Disclosure
06.3.84 - 3Com TippingPoint IPS Remote Unspecified Denial Of Service
06.3.85 - Cisco IOS SGBP Remote Denial of Service
06.3.86 - Linksys BEFVP41 IP Options Remote Denial of Service
 -- Hardware
06.3.87 - Clipcomm CPW-100E and CP-100E VOIP Phones Remote Administrative Access Vulnerability

 ______________________________________________________________________

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of
3Com, as a by-product of that company's continuous effort to ensure that
its intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from
a council of security managers from twelve large organizations who
confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be
found at http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

************************
Widely Deployed Software
************************

(1) HIGH: F-Secure Anti-virus ZIP Processing Overflow
Affected:
F-Secure Anti-virus for desktops as well as gateway systems

Description: F-Secure Anti-virus software deployed on client as well as
gateway systems contains a buffer overflow in processing specially
crafted zip archives. The overflow may be exploited to execute arbitrary
code to completely compromise the system running the AV software. In
addition, the software also contains a vulnerability in processing zip
and rar archives that can be exploited to bypass scanning of these
archives containing malware. The technical details required to craft
such malicious archives have not been posted yet.

Status: F-Secure has released hotfixes for its entire product line.
Gateway systems should be patched on a priority basis.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

References:
F-Secure Advisory
http://www.f-secure.com/security/fsc-2006-1.shtml
Posting by Zoller
http://www.zoller.lu/
SecurityFocus BID
http://www.securityfocus.com/bid/16309

****************************************************************

(2) HIGH: EMC Legato Networker Backup Buffer Overflow
Affected:
Networker version 7.2 build 172 and possibly prior

Description: EMC Legato Networker backup solutions are designed to
deliver centralized data protection and management across heterogeneous
environments. Sun StorEdge and Solstice backup products package the EMC
Legato Networker software. The Networker software's nsrd.exe and
nsrexecd programs contain a heap-based buffer overflow that can be
triggered by specially crafted RPC requests to RPC program number 390109
and 390113 respectively. An attacker can exploit these overflows to
execute arbitrary code and compromise a backup client as well as a
backup server. Exploit code has not yet been posted.

Status: Networker 7.1.4 and 7.3 are not affected by this issue. EMC has
also released hotfixes for customers running version 7.2.1.

Council Site Actions: The responding council site using the affected
software reported that they have already patched their systems.

References:
EMC Advisory
http://www.legato.com/support/websupport/product_alerts/011606_NW.htm
iDefense Advisories
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0027.html
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0028.html
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0029.html
Product Homepages
http://www.sun.com/storage/software/data_protection/backup/
http://www.legato.com/products/networker/networker.htm
SecurityFocus BID
http://www.securityfocus.com/bid/16275

****************************************************************

(3) HIGH: AOL You've Got Pictures ActiveX Control Overflow
Affected:
AOL versions 8.0, 8.0 Plus, 9.0 Classic

Description: AOL You've Got Pictures service provides sharing, printing,
organizing and storing photos for AOL members. The Picture Finder Tool
ActiveX control installed by this program contains a buffer overflow
that can be exploited by a malicious webpage to execute arbitrary code
on an AOL user's system. No technical details regarding how to trigger
the overflow have been publicly posted.

Status: Upgrade to AOL 9.0 Optimized or AOL 9.0 Security Edition. AOL
has also released a hot fix. AOL automatically patched a number of user
systems beginning October 2005, and commented that the vulnerability may
not be as widespread at this time.

Council Site Actions: All of the responding council sites are currently
blocking AOL traffic at their network perimeters and they also restrict
ActiveX controls. Thus they felt no action was necessary.

References:
CERT Advisory
http://www.kb.cert.org/vuls/id/715730
AOL Hotfix
http://download.newaol.com/security/YGPClean.exe
SecurityFocus BID
http://www.securityfocus.com/bid/16262

****************************************************************

(4) HIGH: Cisco Call Manager Multiple DoS Vulnerabilities
Affected:
Cisco CallManager version 3.2 and prior
Cisco CallManager versions 3.3.x prior to 3.3(5)SR1a
Cisco CallManager versions 4.0.x prior to 4.0(2a)SR2c
Cisco CallManager versions 4.1.x prior to 4.1(3)SR2

Description: Cisco Call Manager, which runs on the Windows platform, is
the main server in a Cisco enterprise VoIP deployment. The Call Manager
is responsible for the call processing and routing functions. The Call
Manager contains the following vulnerabilities: (a) Opening a large
number of TCP connections to port 2000/tcp causes the Call Manager to
consume memory and CPU resources, resulting in a DoS condition. (b)
Opening a large number of TCP connections to ports 2001/tcp, 2002/tcp
or 7727/tcp disrupts the interaction between the Call Manager and the
Windows Services Manager, which results in the Call Manager restarting.
Note that these vulnerabilities are easy to exploit, and a
denial-of-service against the Call Manager may result in loss of phone
service across an enterprise.

Status: Cisco has released fixed versions of Call Manager for all the
affected versions that fix the DoS as well as privilege escalation
vulnerabilities. Customers using Call Manager should upgrade
immediately.

References:
Cisco Security Advisory CCM DoS
http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmdos
SecurityFocus BID
http://www.securityfocus.com/bid/16295
http://www.securityfocus.com/bid/16293

***********************************************************************

(5) MODERATE: Oracle Critical Patch Update January 2006
Affected:
Oracle Database, Oracle Enterprise Manager, Oracle Application Server,
Oracle Collaboration Suite, Oracle E-business Suite, PeopleSoft
Enterprise Portal and JDEdwards Enterprise Tools (For the affected
version information, please refer to the Oracle advisory)

Description: Oracle has released a critical patch update that addresses
more than 80 vulnerabilities in various Oracle applications. A number
of SQL injection vulnerabilities as well as arbitrary file overwrite
vulnerabilities have been patched that are easy to exploit. In certain
cases, the discoverers have released complete technical details required
for exploitation. Please note that the Oracle Voyager worm code can be
modified to include exploits for these flaws. Such a modification has
already been done for an older vulnerability.

Status: Patch the Oracle installations on an expedited basis. General
Oracle security hardening procedures can be found at:
http://www.sans.org/top20/#c4

Council Site Actions: All reporting council sites are responding to this
item. They have either already installed the patches or are in the
process of QA'ing and regression testing them, and plan to deploy them
as soon as QA is complete. Most of the council sites do not have Oracle
servers that are directly accessible from the Internet or from partner
sites, so the threat is somewhat reduced.

References:
Oracle Advisory
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html
Postings by Red Database Security
http://archives.neohapsis.com/archives/bugtraq/2006-01/0311.html
http://archives.neohapsis.com/archives/bugtraq/2006-01/0312.html
http://archives.neohapsis.com/archives/bugtraq/2006-01/0313.html
http://archives.neohapsis.com/archives/bugtraq/2006-01/0315.html
http://archives.neohapsis.com/archives/bugtraq/2006-01/0316.html
Imperva Advisory
http://archives.neohapsis.com/archives/bugtraq/2006-01/0310.html
SecurityFocus BID
http://www.securityfocus.com/bid/16287

****************************************************************

(6) MODERATE: Cisco IOS Stack Group Bidding Protocol DoS
Affected:
Cisco IOS devices running SGBP

Description: The Stack Group Bidding Protocol (SGBP) is used by Cisco
devices participating in Multichassis Multilink PPP (MMP). Enabling SGBP
support causes the Cisco device to listen on port 9900/udp. The IOS
contains a denial-of-service vulnerability in processing SGBP protocol
that can be triggered by a specially crafted UDP packet to the port
9900/udp. Such a packet can lead to a hardware reset of a Cisco device.
Further technical details required to craft the UDP packets, which may
even be spoofed, have not been posted yet.

Status: Cisco has provided a patch for the affected IOS versions.

Internet Storm Center issued reports adding the following:
Nokia phones:
http://isc.sans.org/diary.php?storyid=1056
Nyxem worm (note that the payload erases files on shares, a big impact
for networks):
http://isc.sans.org/diary.php?storyid=1051
http://isc.sans.org/diary.php?storyid=1058
Vista patches:
http://isc.sans.org/diary.php?storyid=1045

References:
Cisco Security Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml
Cisco SGBP Documentation
http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a008009408f.shtml
SecurityFocus BID
http://www.securityfocus.com/bid/16303

*******************************************************************

**************
Other Software
**************

(7) MODERATE: 3Com TippingPoint IPS Denial of Service
Affected:
TippingPoint OS version 2.1.3.6323 and prior
TippingPoint OS version 2.2.0.6504 and prior

Description: TippingPoint IPS contains a vulnerability that can be
triggered by a specially crafted HTTP session containing a negative
content length header. The flaw results in a high CPU utilization that
may result in a denial of service. Note that TippingPoint IPS has been
shipping with a filter to block the negative content length HTTP header
anomaly in its "Recommended" settings. Hence, only HTTP flows crafted
in a certain fashion with negative content length can trigger this flaw.
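
The anomaly at the heart of this item is a Content-Length value that
parses as a negative integer. The following added example (written for
this newsletter, not code from TippingPoint or from any affected
product) runs a detection check over a few constructed HTTP requests and
shows the naive parsing pattern beside a hardened one: int() happily
returns -1 for "-1", which is exactly the value a transfer loop must
never be handed. Sample requests, host names and function names are
constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample HTTP requests (not real captures). Request 2 carries the
# negative Content-Length anomaly the advisory describes; request 3 carries a
# conflicting duplicate, another value a parser should refuse to trust.
SAMPLE_REQUESTS: List[bytes] = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12\r\n\r\nhello world!",
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: -1\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12\r\nContent-Length: 13\r\n\r\n",
]

# RFC 2616 grammar: Content-Length = "Content-Length" ":" 1*DIGIT (no sign, no blanks)
_DIGITS_ONLY = re.compile(rb"^[0-9]+$")


def parse_headers(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Split the header block into (lower-cased name, stripped value) pairs."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def content_length_values(raw: bytes) -> List[bytes]:
    return [v for n, v in parse_headers(raw) if n == b"content-length"]


def naive_content_length(raw: bytes) -> Optional[int]:
    """The pattern that gets a parser into trouble: trust int() on the header.

    int(b"-1") returns -1, so any loop of the form 'while remaining > 0'
    or 'while remaining != 0' misbehaves once it is fed that value.
    """
    values = content_length_values(raw)
    return int(values[0]) if values else None


def safe_content_length(raw: bytes) -> Optional[int]:
    """Hardened form: accept exactly one all-digit value, otherwise refuse the message."""
    values = content_length_values(raw)
    if not values:
        return None
    if len(values) != 1:
        raise ValueError("conflicting Content-Length headers")
    if not _DIGITS_ONLY.match(values[0]):
        raise ValueError("malformed Content-Length: %r" % values[0])
    return int(values[0])


def check_content_length(raw: bytes) -> Optional[str]:
    """Detection-style check: describe the anomaly, or None if the header is clean."""
    values = content_length_values(raw)
    if not values:
        return None
    if len(values) > 1:
        return "duplicate Content-Length headers: " + ", ".join(v.decode("latin-1") for v in values)
    v = values[0]
    if v.startswith(b"-") and _DIGITS_ONLY.match(v[1:]):
        return "negative Content-Length: " + v.decode("latin-1")
    if not _DIGITS_ONLY.match(v):
        return "non-numeric Content-Length: " + v.decode("latin-1")
    return None


def scan(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Run the check over a batch and return (index, finding) for each anomaly."""
    findings = []
    for i, raw in enumerate(requests):
        finding = check_content_length(raw)
        if finding:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_REQUESTS):
        print("request %d: %s" % (idx, msg))
```

The check deliberately treats a duplicate Content-Length as an anomaly
as well: two different lengths give an inspection device and the
server behind it two different views of where the body ends, which is
the same class of parser disagreement as the negative value.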

Status: TippingPoint released a fix for its customers within 5 hrs after
the problem was discovered at a few customer locations. Customers
including the unaffected ones should upgrade to the fixed releases of
the TOS - 2.1.4.6324 and 2.2.1.6506. These versions can be downloaded
from the TippingPoint Threat Management Center.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

References:
SANS Handler's Diary Posting
http://www.incidents.org/diary.php?storyid=1042
Secunia Advisory
http://secunia.com/advisories/18515/
SecurityFocus BID
Not yet available.

****************************************************************

************
Exploits
************

(8) Veritas Netbackup Shared Library Overflow

Description: Exploit code has been released for the Veritas Netbackup
shared library overflow vulnerability that was announced in November
2005. Specifically, the exploit code targets the Volume Manager daemon
(vmd) that listens on port 13701/tcp. Widespread scanning of that port
has been observed by the SANS Internet Storm Center. Block the TCP ports
used by Veritas backup software as indicated in the previous RISK
newsletter.

Council Site Actions: Only one of the responding council sites is
currently using the affected software. They plan to install the patch
during their next regularly scheduled system update.

References:
Exploit Code
http://archives.neohapsis.com/archives/bugtraq/2006-01/0277.html
SANS Handler's Diary Posting
http://isc.sans.org/diary.php?storyid=1055
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=45#widely4

**********************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 3, 2006

This list is compiled by Qualys (www.qualys.com) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4808 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

______________________________________________________________________

06.3.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer Malformed IMG and XML Parsing
Denial of Service
Description: Microsoft Internet Explorer is affected by a denial of
service vulnerability. This issue arises because the application fails
to properly parse a specially crafted IMG element in a malformed XML
block. A null pointer dereference condition arises and causes the
application to crash.
Ref: http://www.securityfocus.com/bid/16240
______________________________________________________________________

06.3.2 CVE: CVE-2006-0212
Platform: Third Party Windows Apps
Title: Toshiba Bluetooth Stack File Upload Directory Traversal
Description: Toshiba Bluetooth Stack is Bluetooth software. It is
vulnerable to a directory traversal issue in the OBEX Push service.
Toshiba Bluetooth Stack versions 4.0.11 and earlier are vulnerable.
Ref: http://www.digitalmunition.com/DMA%5B2006-0112a%5D.txt
______________________________________________________________________

06.3.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Helmsman HomeFtp Remote Denial of Service
Description: Helmsman HomeFtp is an FTP server for Microsoft Windows.
It is prone to a remote denial of service vulnerability. Successful
authentication is required to exploit this issue. The issue manifests
when a "NLST" command is sent to the FTP service without a required
"PORT" or "PASV" command preceding it. Helmsman HomeFTP version 1.1
is vulnerable.
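
The fix for a bug of this shape is a guard in the control-channel state
machine: a transfer command must be refused with a 425 reply when no
data channel has been set up, rather than acted on as if one existed.
The following added example (written for this newsletter, not code from
Helmsman HomeFtp) is a minimal FTP session state machine that applies
that guard, run over a constructed command transcript. Reply codes are
the standard RFC 959 ones; the class and function names, the transcript
and the fixed PASV address are assumptions made for the example, and
PASS accepts any password because only the state handling is of
interest here.

```python
import re
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2 per RFC 959; each field must be a byte value
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


class FtpSession:
    """Minimal control-channel state machine for one client (constructed example)."""

    def __init__(self) -> None:
        self.authenticated = False
        # ("PORT"/"PASV", detail) once a data channel has been arranged, else None
        self.data_channel: Optional[Tuple[str, str]] = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            return "331 User name okay, need password."
        if verb == "PASS":
            self.authenticated = True  # no credential check: this is only a state-machine demo
            return "230 User logged in."
        if not self.authenticated:
            return "530 Please login with USER and PASS."
        if verb == "PORT":
            m = _PORT_ARG.match(arg)
            if not m or any(int(x) > 255 for x in m.groups()):
                return "501 Syntax error in parameters or arguments."
            self.data_channel = ("PORT", arg)
            return "200 PORT command successful."
        if verb == "PASV":
            self.data_channel = ("PASV", "127,0,0,1,4,1")  # constructed address
            return "227 Entering Passive Mode (127,0,0,1,4,1)."
        if verb in ("NLST", "LIST", "RETR", "STOR"):
            # The guard the advisory's fix amounts to: refuse a data transfer when no
            # data channel has been arranged, instead of using a channel that is not there.
            if self.data_channel is None:
                return "425 Use PORT or PASV first."
            self.data_channel = None  # each transfer consumes the arranged data channel
            return "150 Opening data connection."
        if verb == "QUIT":
            return "221 Goodbye."
        return "502 Command not implemented."


def run_transcript(commands: List[str]) -> List[str]:
    """Feed a command list to a fresh session and collect the replies."""
    session = FtpSession()
    return [session.handle(c) for c in commands]


# Constructed transcript: an authenticated client sends NLST before any PORT/PASV,
# then once correctly, then again after the data channel has been consumed.
SAMPLE_COMMANDS = ["USER alice", "PASS secret", "NLST", "PORT 127,0,0,1,4,2", "NLST", "NLST"]

if __name__ == "__main__":
    for cmd, reply in zip(SAMPLE_COMMANDS, run_transcript(SAMPLE_COMMANDS)):
        print("%-22s -> %s" % (cmd, reply))
```

Note that the data channel is cleared after each transfer, so the third
NLST in the transcript is refused just like the first: a server that
only checks "was PORT ever sent" is still one step short of the guard.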
Ref: http://www.securityfocus.com/bid/16238
______________________________________________________________________

06.3.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: AmbiCom Blue Neighbors Bluetooth Stack Object Push Buffer
Overflow
Description: AmbiCom Blue Neighbors is Bluetooth software for
Microsoft Windows platforms. It is vulnerable to a buffer overflow
issue due to a failure of the software to properly check user-supplied
data prior to copying it to an insufficiently sized memory buffer.
AmbiCom Blue Neighbors version 2.50 build 2500 is vulnerable.
Ref: http://www.securityfocus.com/bid/16258/info
______________________________________________________________________

06.3.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: AOL You've Got Pictures ActiveX Control Buffer Overflow
Description: AOL You've Got Pictures is a digital photography
application. Insufficient sanitization of user supplied data in the
"YGPPicFinder.DLL" library exposes the application to a denial of
service condition. It is possible to invoke the object from a
malicious web page to trigger this condition. The affected ActiveX
control was distributed in various versions of AOL Client Software,
and on the You've Got Pictures Web site prior to 2004.
Ref: http://www.securityfocus.com/bid/16262
______________________________________________________________________

06.3.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: WehnTrust Path Specification Local Privilege Escalation
Description: Wehnus WehnTrust is a host-based intrusion prevention
system. It is affected by an arbitrary file execution issue. The
application adds a registry key to automatically start a service upon
computer restarts without using properly quoted paths. Due to the lack
of quoting, "C:\Program.exe" and other locations will be tried during
the search for the intended executable. If one of the files exists, it
will be executed with SYSTEM privileges. All current versions are
affected.
Ref: http://www.securityfocus.com/bid/16268
______________________________________________________________________

06.3.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: Computer Associates Unicenter Remote Control DM Primer Remote
Denial of Service
Description: Computer Associates Unicenter Remote Control (URC)
application is used to remotely control Windows systems. DM Primer is
a service that runs on client computers. Computer Associates Unicenter
Remote Control DM Primer is prone to a denial of service vulnerability
due to failure of the application to handle exceptional conditions in
a proper manner. All versions of Unicenter Remote Control are reported
to be vulnerable.
Ref: http://www.securityfocus.com/bid/16276/exploit
______________________________________________________________________

06.3.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: Check Point VPN-1 SecureClient Path Specification Local
Privilege Escalation
Description: Check Point VPN-1 SecureClient is a VPN client
application. It is prone to a vulnerability that could allow an
arbitrary file to be executed. The "SR_Watchdog.exe" process attempts
to spawn the "SR_GUI.exe" process during startup without using
properly quoted paths. Due to the lack of quoting, "C:\Program.exe" and
other locations will be tried during the search for the intended
executable. If one of the files exists, it will be executed with
elevated privileges inherited from "SR_Watchdog.exe". Check Point
Software VPN-1 version 4.1 is affected.
Ref: http://www.securityfocus.com/archive/1/422263
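
Items 06.3.6 and 06.3.8 are the same defect: an unquoted path containing
spaces, which Windows resolves by trying each space-delimited prefix
(with ".exe" appended) before reaching the intended executable. The
following added example (written for this newsletter, not code from
Wehnus or Check Point) models that search order so an administrator
can audit service ImagePath values and see exactly which spurious
paths would be tried first. The service names and paths are constructed
placeholders, not entries from the affected products; the function
names are assumptions made for the example. The model covers the
general rule rather than only the "C:\Program.exe" case in the text.

```python
import ntpath
from typing import Dict, List

# Constructed sample ImagePath values, in the style of the value stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. Service names and
# paths are placeholders, not entries from the products in the advisory.
SAMPLE_SERVICES: Dict[str, str] = {
    "ExampleAgent": r"C:\Program Files\Example Vendor\agent.exe -service",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\agent.exe" -service',
    "ExampleNoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
}


def _has_extension(path: str) -> bool:
    """True if the last path component carries an extension (e.g. agent.exe)."""
    return "." in ntpath.basename(path)


def search_order(image_path: str) -> List[str]:
    """Return the executable paths Windows would try, in order, for an ImagePath.

    Models the documented CreateProcess rule for an unquoted command line:
    each space-delimited prefix is tried in turn, with ".exe" appended when
    the prefix has no extension, until a candidate exists. The prefix that
    carries the real extension is taken as the intended executable and the
    remaining tokens as its arguments. A quoted path is unambiguous, so only
    the quoted executable is returned.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end != -1 else s[1:]]
    tokens = s.split(" ")
    tried: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        had_ext = _has_extension(prefix)
        tried.append(prefix if had_ext else prefix + ".exe")
        if had_ext:
            break
    return tried


def spurious_paths(image_path: str) -> List[str]:
    """Paths that would be executed instead of the intended one if they existed."""
    return search_order(image_path)[:-1]


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service with an ambiguous ImagePath to the paths tried before the real one."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        candidates = spurious_paths(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(name)
        for p in paths:
            print("  would be tried first: " + p)
```

The remediation the audit points at is the one both advisories imply:
quote the ImagePath (the "ExampleQuoted" entry produces no findings),
and keep the directories along the path writable only by administrators
so that none of the spurious candidates can ever come into existence.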
______________________________________________________________________

06.3.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: F-Secure Multiple Archive Handling Vulnerabilities
Description: F-Secure is vulnerable to multiple issues when handling
archives of various formats. These issues could allow a remote
attacker to run arbitrary code in a vulnerable system. Please refer to
the link below for a list of vulnerable versions.
Ref: http://www.f-secure.com/security/fsc-2006-1.shtml
______________________________________________________________________

06.3.10 CVE: CVE-2005-3356
Platform: Linux
Title: Linux Kernel mq_open System Call Unspecified Denial of Service
Description: Linux kernel is vulnerable to a local denial of service
issue in the mq_open system call. Successful exploitation results in
a system crash. This issue affects Linux kernel versions 2.6.9 and
earlier.
Ref: http://rhn.redhat.com/errata/RHSA-2006-0101.html
______________________________________________________________________

06.3.11 CVE: CVE-2005-4605
Platform: Linux
Title: Linux Kernel ProcFS Kernel Memory Disclosure
Description: The Linux kernel is vulnerable to a local memory
disclosure issue due to the procfs code (proc_misc.c) that allows
attackers to read sensitive kernel memory via unspecified vectors in
which a signed value is added to an unsigned value. Linux Kernel
versions before 2.6.15 are vulnerable.
Ref: http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00014.html
______________________________________________________________________

06.3.12 CVE: CVE-2006-0095
Platform: Linux
Title: Linux Kernel DM-Crypt Local Information Disclosure
Description: The Linux kernel contains support for a Device Mapper,
which allows administrators to create logical block devices from
existing devices. It is susceptible to a local information disclosure
vulnerability due to a failure of the module to properly erase
sensitive memory buffers prior to freeing the memory. This issue
affects the Linux Kernel version series 2.6.
Ref: http://marc.theaimsgroup.com/?l=linux-kernel&m=113641114812886&w=2
______________________________________________________________________

06.3.13 CVE: CVE-2006-0096
Platform: Linux
Title: Linux Kernel SDLA IOCTL Unauthorized Local Firmware Access
Description: The Linux kernel contains support for Sangoma S502/S508
series multi-protocol PC interface cards. These cards provide Frame
Relay WAN networking support. The Linux kernel is susceptible to a
local access validation vulnerability in the SDLA driver. For more
information, please follow the reference link.
Ref: http://www.securityfocus.com/bid/16304
______________________________________________________________________

06.3.14 CVE: CVE-2005-2708
Platform: Linux
Title: Linux Kernel SEARCH_BINARY_HANDLER Local Denial of Service
Description: Linux kernel is vulnerable to a local denial of service
issue because the "search_binary_handler" function of "exec.c" does
not check a return code for a function call when virtual memory is
low. Linux kernel 2.4 versions on 64-bit x86 architectures before
2.4.33-pre1 are vulnerable.
Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161925
______________________________________________________________________

06.3.15 CVE: Not Available
Platform: HP-UX
Title: HP-UX FTPD Remote Denial Of Service
Description: HP-UX ftpd is vulnerable to a remote denial of service
issue. Unauthenticated attackers could exploit this issue to cause the
FTP server to fail to respond. HP-UX version 11 releases 11.23 and
earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/16316/info
______________________________________________________________________

06.3.16 CVE: CVE-2006-0226
Platform: BSD
Title: FreeBSD IEEE 802.11 Network Subsystem Remote Buffer Overflow
Description: FreeBSD is susceptible to a remote, kernel-level buffer
overflow vulnerability due to improper bounds check on user-supplied
network data. This issue is due to an integer overflow in the handling
of corrupt 802.11 beacon or probe response frames and it occurs when
scanning for existing wireless networks. The integer overflow results
in a "memcpy()" operation copying attacker-supplied data past the end
of an insufficiently sized kernel memory buffer. FreeBSD version 6.0
is affected.
Ref: http://www.securityfocus.com/bid/16296
______________________________________________________________________

06.3.17 CVE: Not Available
Platform: Solaris
Title: Sun Solaris LPSCHED Multiple Local Vulnerabilities
Description: Sun Solaris lpsched utility is used to start or restart
the LP print service. It is affected by multiple local
vulnerabilities. The vendor has reported that a local unprivileged
attacker can exploit these issues to delete arbitrary files or disable
the LP print service on a computer that is being used as a print
server.
Ref: http://www.securityfocus.com/bid/16245
______________________________________________________________________

06.3.18 CVE: CVE-2005-4153
Platform: Unix
Title: GNU Mailman Large Date Data Denial of Service
Description: Mailman is software to help manage email discussion
lists, much like Majordomo and SmartList. The application is exposed
to a denial of service issue when it attempts to parse very large
numbers of dates contained in email messages. All current versions are
affected.
Ref: http://www.securityfocus.com/bid/16248
______________________________________________________________________

06.3.19 CVE: CVE-2001-1494
Platform: Unix
Title: Util-Linux Script Command Arbitrary File Overwrite
Description: Util-linux is a software package that provides some
implementations of standard UNIX utilities. It is affected by an issue
that can allow local attackers to overwrite arbitrary files. The issue
presents itself in the script command, which is used to save terminal
sessions. Util-linux versions 2.11n and earlier are affected.
Ref: http://www.securityfocus.com/bid/16280
______________________________________________________________________

06.3.20 CVE: Not Available
Platform: Unix
Title: Ecartis PantoMIME Arbitrary Attachment Upload
Description: Ecartis is a mailing list manager. It is affected by an
arbitrary attachment upload vulnerability. This issue presents itself
when the PantoMIME functionality has been enabled. Ecartis can be
configured to save email attachments that are sent to the
"<$list>-request<$hostname>" addresses to a web-accessible directory
specified by the "pantomime-dir" variable. The problem arises because
unauthorized users who are not subscribed to a mailing list can send
email attachments that will be saved in the PantoMIME directory.
Ecartis version 1.0.0 snapshot 20050909 is affected.
Ref: http://www.securityfocus.com/bid/16317
______________________________________________________________________

06.3.21 CVE: CVE-2005-3340
Platform: Cross Platform
Title: Tux Paint Insecure Temporary File
Description: Tux Paint is a drawing application. It is reported that
the "tuxpaint-import.sh" script creates temporary files in an insecure
manner with unknown impact and attack vectors. Tux Paint versions
0.9.14 and earlier are vulnerable.
Ref: http://www.frsirt.com/english/advisories/2006/0193
______________________________________________________________________

06.3.22 CVE: CVE-2006-0044
Platform: Cross Platform
Title: Albatross Remote Arbitrary Code Execution
Description: Albatross is a toolkit for developing stateful CGI and
Python Web applications. It is prone to an arbitrary code execution
vulnerability because malicious user-supplied data may be insecurely
used as part of a template. Albatross version 1.20 is vulnerable.
Ref: http://www.securityfocus.com/bid/16252
______________________________________________________________________

06.3.23 CVE: Not Available
Platform: Cross Platform
Title: CounterPath eyeBeam SIP Header Data Remote Buffer Overflow
Description: CounterPath eyeBeam is a commercial SIP (Session
Initiation Protocol) VOIP phone. It is affected by a denial of service
issue. When SIP packets include header data with names of more than
approximately 100 bytes, an internal memory buffer overrun causes the
issue. All current versions are affected.
Ref: http://www.securityfocus.com/bid/16248
______________________________________________________________________

06.3.24 CVE: Not Available
Platform: Cross Platform
Title: 123 Flash Chat Server Arbitrary Remote File Creation
Description: 123Flash Chat server is a commercial real-time chat
product implemented in Java. It is susceptible to an arbitrary remote
file creation vulnerability due to insufficient sanitization of
user-supplied input to the username and password fields when
creating new users. 123 Flash Chat server versions 5.0 and 5.1 are
affected.
Ref: http://www.securityfocus.com/bid/16235
______________________________________________________________________

06.3.25 CVE: CVE-2006-0315
Platform: Cross Platform
Title: EZDatabase Index.PHP Cross-Site Scripting
Description: EZDatabase is a database creation application. It is
vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "p" parameter of the
"index.php" script. EZDatabase versions 2.1.1 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/422071
______________________________________________________________________

06.3.26 CVE: Not Available
Platform: Cross Platform
Title: GRSecurity Elevated Service Privileges Weakness
Description: The GRSecurity Linux Kernel patch is a source-code patch
developed and maintained by the GRSecurity development team. It is
vulnerable to a privilege escalation vulnerability due to a failure of
the kernel to properly drop administrative roles. Please visit the
reference link for more information of this vulnerability and the
vulnerable versions.
Ref: http://www.securityfocus.com/bid/16261
______________________________________________________________________

06.3.27 CVE: Not Available
Platform: Cross Platform
Title: Apache Geronimo Multiple Input Validation Vulnerabilities
Description: Apache Geronimo is the J2EE server project of the Apache
Software Foundation. It is prone to multiple input validation
vulnerabilities due to insufficient sanitization of user-supplied
input. As a result HTML injection and cross-site scripting attacks are
possible. Apache Geronimo version 1.0 is vulnerable.
Ref: http://www.oliverkarow.de/research/geronimo_css.txt
______________________________________________________________________

06.3.28 CVE: Not Available
Platform: Cross Platform
Title: CMU SNMP SNMPTRAPD Daemon Remote Format String
Description: CMU SNMP is a popular implementation of Simple Network
Management Protocol. A remote format string vulnerability affects the
CMU SNMP's snmptrapd daemon due to a failure of the application to
properly sanitize user-supplied input data prior to using it in a
formatted-printing function. All current versions are vulnerable.
Ref: http://www.securityfocus.com/archive/1/422086
______________________________________________________________________

06.3.29 CVE: CVE-2006-0246
Platform: Cross Platform
Title: Widexl Download Tracker Down.PL Cross-Site Scripting
Description: Download Tracker is a download management application. It
is vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "id" parameter of the
"down.pl" script. Download Tracker version 1.06 is vulnerable.
Ref: http://www.securityfocus.com/bid/16265
______________________________________________________________________

06.3.30 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Thunderbird File Attachment Spoofing
Description: Mozilla Thunderbird is an email client. It is affected by
a file attachment spoofing issue which presents itself when an
attacker crafts a malicious email attachment with a long filename
containing white spaces and a "Content-Type" header that does not
match the file's extension. Thunderbird versions prior to 1.5 are
affected.
Ref: http://www.securityfocus.com/bid/16271
______________________________________________________________________

06.3.31 CVE: Not Available
Platform: Cross Platform
Title: EMC Legato Networker Multiple Remote Vulnerabilities
Description: EMC Legato Networker is a server package designed to help
share data, media and backup processes across a heterogeneous network.
It is affected by multiple remote vulnerabilities. Version 7.2.1 of
Legato Networker is vulnerable to these issues.
Ref: http://www.legato.com/support/websupport/product_alerts/011606_NW.htm
______________________________________________________________________

06.3.32 CVE: CVE-2006-0313
Platform: Cross Platform
Title: PDFDirectory Unspecified SQL Injection
Description: PDFdirectory is an application for storing group
information then converting it to the PDF file format. It is
vulnerable to an unspecified SQL injection issue due to insufficient
sanitization of user-supplied input. PDFdirectory versions 0.2.11 and
earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/16273
______________________________________________________________________

06.3.33 CVE: Not Available
Platform: Cross Platform
Title: Oracle January Security Update Multiple Vulnerabilities
Description: Oracle has released a Critical Patch Update advisory for
January 2006 to address multiple vulnerabilities in various Oracle
products. The issues identified by the vendor affect all security
properties of the Oracle products and present local and remote
threats. The most severe of the vulnerabilities could possibly expose
affected computers to complete compromise. Please see the referenced
advisory for details on obtaining and applying the appropriate
updates.
Ref: http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html
______________________________________________________________________

06.3.34 CVE: Not Available
Platform: Cross Platform
Title: Cisco IOS HTTP Service CDP Status Page HTML Injection
Description: Cisco IOS includes an HTTP service that provides router
management services. It is reportedly prone to an HTML injection
vulnerability due to insufficient sanitization of user-supplied data.
Cisco IOS version 11.2(8.11)SA6 is vulnerable, however, other versions
of IOS 11 are likely affected as well.
Ref: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=372
http://www.securityfocus.com/archive/1/422433
______________________________________________________________________

06.3.35 CVE: Not Available
Platform: Cross Platform
Title: Cisco CallManager CCMAdmin Remote Privilege Escalation
Description: Cisco CallManager is the software based call processing
component of the Cisco IP Telephony solution. It is affected by a
remote privilege escalation issue due to a failure of the application
to properly enforce access controls. It is exploitable when Multi
Level Administration is enabled and users are granted read-only
administrative access via the CCMAdmin Web interface. Please see
attached advisory for a list of affected versions.
Ref: http://www.securityfocus.com/bid/16282
______________________________________________________________________

06.3.36 CVE: Not Available
Platform: Cross Platform
Title: Oracle Database SYS.KUPV$FT Multiple SQL Injection
Vulnerabilities
Description: Oracle 10g is vulnerable to multiple SQL injection issues
due to insufficient sanitization of user-supplied data. Oracle 10g
Release 1 and earlier versions are reported to be vulnerable.
Ref: http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html
______________________________________________________________________

06.3.37 CVE: Not Available
Platform: Cross Platform
Title: Cisco CallManager Multiple Remote Denial of Service
Vulnerabilities
Description: Cisco CallManager is the software based call processing
component of the Cisco IP Telephony solution. It is susceptible to
multiple remote denial of service vulnerabilities. CallManager does
not handle multiple connections correctly on TCP port 2000,
which can ultimately lead to memory and CPU resources being consumed.
It also has an issue with multiple connections to TCP ports 2001, 2002
and 7727 that can fill up the Windows message queue. This can prevent
CallManager from communicating with Windows Service Manager ultimately
causing CallManager to restart.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060118-ccmdos.shtml
______________________________________________________________________

06.3.38 CVE: CVE-2006-0304
Platform: Cross Platform
Title: Dual DHCP DNS Server DHCP Options Remote Buffer Overflow
Description: Dual DHCP DNS Server is vulnerable to a remote buffer
overflow issue due to insufficient boundary checks when handling
excessive data through the DHCP options field. Dual DHCP DNS Server
1.0 is reported to be vulnerable.
Ref: http://aluigi.altervista.org/adv/dualsbof-adv.txt
______________________________________________________________________

06.3.39 CVE: Not Available
Platform: Cross Platform
Title: BitComet Torrent File Handling Remote Buffer Overflow
Description: BitComet is a BitTorrent client for Windows platforms. It
is prone to a buffer overflow vulnerability due to a failure of the
application to properly bounds check user-supplied data prior to
copying it to an insufficiently sized memory buffer. BitComet version
0.60 is reported to be vulnerable; other versions may be affected as
well.
Ref: http://www.securityfocus.com/archive/1/422361
______________________________________________________________________

06.3.40 CVE: Not Available
Platform: Cross Platform
Title: Kerio WinRoute Firewall Multiple Denial of Service
Vulnerabilities
Description: Kerio WinRoute Firewall is an enterprise level firewall
that is also capable of proxying networks. It is prone to multiple
denial of service vulnerabilities due to an improper sanitization of
user-supplied input. Please follow the reference link for more
information.
Ref: http://www.securityfocus.com/bid/16314/info
______________________________________________________________________

06.3.41 CVE: Not Available
Platform: Web Application
Title: Ultimate Auction Item.PL Cross-Site Scripting
Description: Ultimate Auction is an online web auction application.
Insufficient sanitization of the "item" parameter in the "item.pl"
script exposes the application to a cross-site scripting issue.
Ultimate Auction version 3.67 is affected.
Ref: http://www.securityfocus.com/bid/16239
______________________________________________________________________

06.3.42 CVE: CVE-2006-0238
Platform: Web Application
Title: WP-Stats Author Parameter SQL Injection
Description: WP-Stats is a plug-in for WordPress to display
statistical information. It is vulnerable to an SQL injection issue
due to insufficient sanitization of user-supplied input to the
"author" parameter of the "wp-stats.php" script. WP-Stats version 2.0
is vulnerable.
Ref: http://www.frsirt.com/english/advisories/2006/0192
______________________________________________________________________

06.3.43 CVE: Not Available
Platform: Web Application
Title: Benders Calendar Multiple SQL Injection Vulnerabilities
Description: Benders Calendar is a web calendar application. It is
vulnerable to multiple SQL injection issues due to a failure in the
application to properly sanitize user-supplied input before using it
in an SQL query. Benders Calendar version 1.0 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/422052
______________________________________________________________________

06.3.44 CVE: CVE-2006-0320
Platform: Web Application
Title: Bit 5 Blog Index.PHP SQL Injection
Description: Bit 5 Blog is a web blog application. It is vulnerable to
an SQL injection issue due to insufficient sanitization of
user-supplied input to the "username" and "password" parameters of the
"admin/index.php" script. Bit 5 Blog version 8.1 is vulnerable.
Ref: http://evuln.com/vulns/31/summary.html
______________________________________________________________________

06.3.45 CVE: CVE-2006-0240,CVE-2006-0239
Platform: Web Application
Title: 8Pixel.net SimpleBlog Multiple Input Validation Vulnerabilities
Description: SimpleBlog is a Web blog application. It is vulnerable to
multiple input validation issues due to insufficient sanitization of
user-supplied input to parameters such as "view" and "comment".
SimpleBlog 2.1 from 8pixel.net is vulnerable.
Ref: http://www.hackerscenter.com/archive/view.asp?id=21926
______________________________________________________________________

06.3.46 CVE: Not Available
Platform: Web Application
Title: Bit 5 Blog AddComment.PHP HTML Injection
Description: Bit 5 Blog is a web blog application. It is prone to an
HTML injection vulnerability due to insufficient sanitization of
user-supplied input to the "comment" field of the "addcomment.php"
script before using it in dynamically generated content. Bit 5 Blog
version 8.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/16246/exploit
______________________________________________________________________

06.3.47 CVE: Not Available
Platform: Web Application
Title: geoBlog ViewCat.PHP SQL Injection
Description: geoBlog is a web blog application implemented in PHP. It
is prone to an SQL injection vulnerability due to insufficient
sanitization of user-supplied input to the "cat" parameter of the
"viewcat.php" script. geoBlog version MOD_1.0 is affected.
Ref: http://www.securityfocus.com/bid/16249
______________________________________________________________________

06.3.48 CVE: Not Available
Platform: Web Application
Title: Faq-O-Matic Multiple Cross-Site Scripting Vulnerabilities
Description: Faq-O-Matic is a web-based frequently asked questions
(faq) management application. It is vulnerable to multiple cross-site
scripting issues due to a failure in the application to properly
sanitize user-supplied input to the "_duration", "file" and "cmd"
parameters of the "fom.cgi" script. FAQ-O-Matic version 2.711 is
vulnerable.
Ref: http://www.securityfocus.com/bid/16251/info
______________________________________________________________________

06.3.49 CVE: CVE-2006-0235
Platform: Web Application
Title: White Album Pictures.PHP SQL Injection
Description: White Album is a web-based photo album application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "dir" parameter of the "pictures.php"
script. White Album version 2.5 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/422105
______________________________________________________________________

06.3.50 CVE: Not Available
Platform: Web Application
Title: GTP iCommerce Multiple Cross-Site Scripting Vulnerabilities
Description: GTP iCommerce is used to create and manage ecommerce web
sites. It is prone to multiple cross-site scripting vulnerabilities
due to insufficient sanitization of user-supplied input to the "cat"
and "subcat" parameters of "index.php".
Ref: http://www.securityfocus.com/bid/16255/exploit
______________________________________________________________________

06.3.51 CVE: Not Available
Platform: Web Application
Title: Ultimate Auction ItemList.PL Cross-Site Scripting
Description: Ultimate Auction is an online web auction application.
Insufficient sanitization of the "category" parameter in the
"itemlist.pl" script exposes the application to a cross-site scripting
issue. Ultimate Auction version 3.67 is affected.
Ref: http://www.securityfocus.com/bid/16254
______________________________________________________________________

06.3.52 CVE: CVE-2006-0205
Platform: Web Application
Title: Wordcircle Multiple Input Validation Vulnerabilities
Description: Wordcircle is a web-based education course management
application. It is vulnerable to multiple input validation issues due
to insufficient sanitization of user-supplied input to the
"v_login.php" script and other unspecified parameters. Wordcircle
version 2.17 is vulnerable.
Ref: http://evuln.com/vulns/28/summary.html
______________________________________________________________________

06.3.53 CVE: Not Available
Platform: Web Application
Title: Light Weight Calendar Index.PHP Remote Command Execution
Description: Light Weight Calendar is a calendar application. It is
prone to a remote command execution vulnerability due to improper
sanitization of user-supplied input. The problem presents itself when
attacker-supplied data to the "stam" parameter of the "index.php"
script is not properly sanitized before being used in an "eval()"
call. Light Weight Calendar version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/16229/exploit
______________________________________________________________________

06.3.54 CVE: Not Available
Platform: Web Application
Title: MyBB Usercp.PHP SQL Injection
Description: MyBB is a bulletin board application. It is prone to an
SQL injection vulnerability due to improper sanitization of
user-supplied input to the "threadmode" parameter of the "usercp.php"
script before using it in an SQL query. MyBB version 1.0.2 is
affected.
Ref: http://www.securityfocus.com/archive/1/421913
______________________________________________________________________

06.3.55 CVE: Not Available
Platform: Web Application
Title: DDSN Interactive CM3CMS Admin Panel Index.ASP SQL Injection
Description: DDSN cm3 CMS is affected by an SQL injection issue.
Insufficient sanitization of the "Username" field in the application's
administrative interface login page exposes this issue. All current
versions are affected.
Ref: http://www.securityfocus.com/bid/16231
______________________________________________________________________

06.3.56 CVE: Not Available
Platform: Web Application
Title: DCP Portal Multiple Input Validation Vulnerabilities
Description: DCP Portal is a web portal application. It is vulnerable
to multiple cross-site scripting issues due to a failure in the
application to properly sanitize user-supplied input. All current
versions are vulnerable.
Ref: http://www.securityfocus.com/archive/1/421914
______________________________________________________________________

06.3.57 CVE: CVE-2006-0211
Platform: Web Application
Title: Web Host Automation Ltd. Helm Cross-Site Scripting
Description: Helm from Web Host Automation Ltd. is a server management
and hosting control application. It is vulnerable to a cross-site
scripting issue due to insufficient sanitization of user-supplied
input to the "txtEmailAddress" parameter of the "forgotPassword.asp"
script. Helm version 3.2.8 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/421791
______________________________________________________________________

06.3.58 CVE: Not Available
Platform: Web Application
Title: AlstraSoft Template Seller Pro Fullview.PHP Cross-Site
Scripting
Description: Template Seller Pro is a web site template sales
application. It is prone to a cross-site scripting vulnerability due
to insufficient sanitization of user-supplied input to the "tempid"
parameter of the "fullview.php" script.
Ref: http://www.securityfocus.com/bid/16233/exploit
______________________________________________________________________

06.3.59 CVE: Not Available
Platform: Web Application
Title: EZDatabase Remote PHP Script Code Execution
Description: EZDatabase is a web application. It is prone to a
remote PHP script code execution vulnerability due to insufficient
input sanitization of the "db_id" URI parameter of the
"visitorupload.php" script. EZDatabase version 2.0 is vulnerable to
these issues; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/16237/exploit
______________________________________________________________________

06.3.60 CVE: CVE-2006-0245
Platform: Web Application
Title: CubeCart Multiple Cross-Site Scripting Vulnerabilities
Description: CubeCart is an eCommerce script. It is vulnerable to
multiple cross-site scripting issues due to insufficient sanitization
of user-supplied input to the "index.php" script. CubeCart version
3.0.7-pl1 is vulnerable.
Ref: http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html
______________________________________________________________________

06.3.61 CVE: Not Available
Platform: Web Application
Title: phpXplorer Workspaces.PHP Directory Traversal
Description: phpXplorer is a web based file viewer. Insufficient
sanitization of the "../" sequence exposes the application to a
directory traversal issue. phpXplorer version 0.9.33 is affected.
Ref: http://www.securityfocus.com/bid/16263
______________________________________________________________________

06.3.62 CVE: Not Available
Platform: Web Application
Title: Netbula Anyboard Anyboard.CGI Cross-Site Scripting
Description: Anyboard is a Web collaboration application written in
Perl. It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "tk" parameter
of the "anyboard.cgi" script. Netbula Anyboard version 9.9.56 is
affected.
Ref: http://www.securityfocus.com/bid/16264
______________________________________________________________________

06.3.63 CVE: Not Available
Platform: Web Application
Title: RedKernel Referrer Tracker Rkrt_stats.PHP Cross-Site Scripting
Description: Referrer Tracker is a sales referral application. It is
prone to a cross-site scripting vulnerability due to improper
sanitization of user-supplied input to the "rkrt_stats.php" script.
Referrer Tracker version 1.1.0-3 is vulnerable; other versions may
also be affected.
Ref: http://www.securityfocus.com/bid/16266/exploit
______________________________________________________________________

06.3.64 CVE: Not Available
Platform: Web Application
Title: BlogPHP Index.PHP SQL Injection
Description: BlogPHP is Web blog software implemented in PHP. It is
prone to an SQL injection vulnerability due to insufficient
sanitization of user-supplied input to the "username" parameter of the
"index.php" script. BlogPHP version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/16269
______________________________________________________________________

06.3.65 CVE: Not Available
Platform: Web Application
Title: PHP Fusebox Index.PHP Cross-Site Scripting
Description: PHP Fusebox is a framework for building ColdFusion and
PHP Web sites. It is vulnerable to a cross-site scripting issue due to
insufficient sanitization of user-supplied input to the "fuseaction"
parameter of the "index.php" script. PHP Fusebox version 4.0.6 is
vulnerable.
Ref: http://www.securityfocus.com/archive/1/422124
______________________________________________________________________

06.3.66 CVE: CVE-2006-0241
Platform: Web Application
Title: WebMobo WBNews Cross-Site Scripting
Description: WBNews is a web-based news application. It is vulnerable
to a cross-site scripting issue due to insufficient sanitization of
user-supplied input to the "Name" field of the "comments.php" script.
WebMobo WBNews versions 1.1.0 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/422133
______________________________________________________________________

06.3.67 CVE: Not Available
Platform: Web Application
Title: PowerPortal Multiple Cross-Site Scripting Vulnerabilities
Description: PowerPortal is a web portal application. Insufficient
sanitization of the "search" parameter in the "search.php" and
"index.php" scripts exposes the application to multiple cross-site
scripting issues. All current versions are affected.
Ref: http://www.securityfocus.com/bid/16317
______________________________________________________________________

06.3.68 CVE: Not Available
Platform: Web Application
Title: SMBCMS Local Site Search Cross-Site Scripting
Description: SMBCMS is a content management application written in
PHP. It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "text"
parameter of the "Search" function. SMBCMS version 2.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/16281
______________________________________________________________________

06.3.69 CVE: Not Available
Platform: Web Application
Title: AOblogger Multiple Input Validation Vulnerabilities
Description: AOblogger is a web log application. It is vulnerable to
multiple input validation issues due to insufficient sanitization of
user-supplied input. AOblogger version 2.3 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/422269
______________________________________________________________________

06.3.70 CVE: Not Available
Platform: Web Application
Title: HTMLtoNuke HTMLtonuke.PHP Remote File Include
Description: HTMLtoNuke is an application designed to display HTML
pages on a PHPNuke Web site. Insufficient sanitization of the "filnav"
parameter of the "phptonuke.php" script exposes the application to a
remote file include issue. All current versions are affected.
Ref: http://www.securityfocus.com/bid/16282
______________________________________________________________________

06.3.71 CVE: Not Available
Platform: Web Application
Title: phpXplorer Action.PHP Directory Traversal
Description: phpXplorer is a web-based file viewer. It is vulnerable
to a directory traversal issue due to insufficient sanitization of
user-supplied input to the "sAction" parameter of the "action.php"
script. phpXplorer version 0.9.33 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/422434
______________________________________________________________________

06.3.72 CVE: Not Available
Platform: Web Application
Title: Phpclanwebsite BBCode IMG Tag Script Injection
Description: Phpclanwebsite is a content management application
written in PHP. It is prone to a script injection vulnerability due to
insufficient sanitization of user-supplied input to the BBCode IMG
tags. Phpclanwebsite version 1.23.1 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/16300
______________________________________________________________________

06.3.73 CVE: Not Available
Platform: Web Application
Title: Douran FollowWeb Portal Register.ASPX Cross-Site Scripting
Description: FollowWeb is a web portal application. It is vulnerable
to a cross-site scripting issue due to a failure in the application to
properly sanitize user-supplied input to the "username" parameter of
the "register.aspx" script. All current versions of FollowWeb are
vulnerable.
Ref: http://www.securityfocus.com/bid/16302/info
______________________________________________________________________

06.3.74 CVE: Not Available
Platform: Web Application
Title: SaralBlog Multiple Input Validation Vulnerabilities
Description: Saralblog is a Web blog application. It is vulnerable to
multiple input validation issues due to insufficient sanitization of
user-supplied input to the "website" parameter of the "view.php"
script. Saralblog version 1.0 is vulnerable.
Ref: http://evuln.com/vulns/40/summary.html
______________________________________________________________________

06.3.75 CVE: Not Available
Platform: Web Application
Title: Eggblog Multiple Input Validation Vulnerabilities
Description: Eggblog is a web blog application. It is vulnerable to
multiple input validation issues due to insufficient sanitization of
user-supplied input. Eggblog version 2.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/16305/info
______________________________________________________________________

06.3.76 CVE: Not Available
Platform: Web Application
Title: MyBB Signature HTML Injection
Description: MyBB is a forum application written in PHP. It is prone
to an HTML injection vulnerability due to insufficient sanitization of
user-supplied input to the "Signature" field of the application. MyBB
version 1.0.2 is affected.
Ref: http://www.securityfocus.com/bid/16308
______________________________________________________________________

06.3.77 CVE: CVE-2005-4652
Platform: Web Application
Title: PHlyMail Multiple Input Validation Vulnerabilities
Description: PHlyMail is a web-based email system. Insufficient
sanitization of user-supplied input exposes the application to
multiple SQL injection and cross-site scripting issues. PHlyMail
version 3.0.2.07 has been released to fix these issues.
Ref: http://www.securityfocus.com/bid/16310
______________________________________________________________________

06.3.78 CVE: Not Available
Platform: Web Application
Title: My Amazon Store Manager Cross-Site Scripting
Description: My Amazon Store Manager is an e-commerce application. It
is vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "q" parameter of the
"search.php" script. My Amazon Store Manager version 1.0 is reported
to be vulnerable.
Ref: http://www.securityfocus.com/bid/16312
______________________________________________________________________

06.3.79 CVE: Not Available
Platform: Web Application
Title: ELOG Web Logbook Multiple Remote Input Validation
Vulnerabilities
Description: ELOG Web Logbook is a logbook application. It is
vulnerable to multiple remote vulnerabilities that can allow remote
attackers to execute arbitrary code and gain access to sensitive
information. ELOG versions prior to 2.6.1 are vulnerable.
Ref: http://midas.psi.ch/elog/download/ChangeLog
______________________________________________________________________

06.3.80 CVE: Not Available
Platform: Web Application
Title: Netrix X-Site Manager Product_Details.PHP Cross-Site Scripting
Description: X-Site Manager is a content management and e-commerce
application written in PHP. It is prone to a cross-site scripting
vulnerability due to insufficient sanitization of user-supplied input
to the "product_id" parameter of the "product_details.php" script.
Ref: http://www.securityfocus.com/bid/16313
______________________________________________________________________

06.3.81 CVE: Not Available
Platform: Web Application
Title: WebspotBlogging Login.PHP SQL Injection
Description: WebspotBlogging is a web log application. It is prone to
an SQL injection vulnerability due to improper sanitization of
user-supplied input to the "username" field of "login.php" before
using it in an SQL query. WebspotBlogging version 3.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/16319/exploit
______________________________________________________________________

06.3.82 CVE: Not Available
Platform: Network Device
Title: ACT P202S VOIP WIFI Phones Multiple Remote Vulnerabilities
Description: ACT P202S VOIP WIFI Phones provide Voice Over IP (VOIP)
service through 802.11b wireless networks. They are vulnerable to
multiple remote vulnerabilities. ACT P202S VOIP WIFI Phones running
firmware version 1.01.21 are prone to these issues.
Ref: http://www.securityfocus.com/bid/16288
______________________________________________________________________

06.3.83 CVE: Not Available
Platform: Network Device
Title: MPM HP-180W VOIP WIFI Phone Information Disclosure
Description: The MPM HP-180W VOIP WIFI phone is a hardware device. It
is prone to an information disclosure vulnerability. This device
listens for connections on UDP port 9090. A remote attacker can
connect to this port, at which time the device conveys the device's
MAC address and software version. This information could be useful in
further attacks including denial of service attacks. MPM HP-180W
phones with firmware version WE.00.17 are vulnerable to this issue.
Due to code reuse, other devices and versions may also be affected.
Ref: http://www.securityfocus.com/bid/16285/discuss
______________________________________________________________________

06.3.84 CVE: Not Available
Platform: Network Device
Title: 3Com TippingPoint IPS Remote Unspecified Denial Of Service
Description: 3Com TippingPoint IPS (Intrusion Prevention System) is a
range of commercial network security devices providing inline
protection from certain network security threats. It is vulnerable to
a remote denial of service issue. TippingPoint IPS TOS versions before
2.2.1.6506 and 2.1.4.6324 are vulnerable.
Ref: http://isc.sans.org/diary.php?storyid=1042
______________________________________________________________________

06.3.85 CVE: Not Available
Platform: Network Device
Title: Cisco IOS SGBP Remote Denial of Service
Description: Cisco IOS includes support for Stack Group Bidding
Protocol (SGBP) which allows devices participating in Multichassis
Multilink PPP (MMP) to locate each other and negotiate for a
connection termination point. Cisco IOS SGBP is prone to a remote
denial of service vulnerability. The issue presents itself when a
device handles a specially crafted UDP packet over port 9900. Please
refer to the attached advisory for a list of vulnerable versions.
Ref: http://www.securityfocus.com/bid/16303
______________________________________________________________________

06.3.86 CVE: Not Available
Platform: Network Device
Title: Linksys BEFVP41 IP Options Remote Denial of Service
Description: Linksys BEFVP41 devices are cable/DSL broadband routers
with an integrated 4-port Ethernet switch with IPSec VPN capabilities.
They are susceptible to a remote denial of service vulnerability due
to improper handling of unexpected network traffic. Linksys BEFVP41
firmware versions 1.42.7, 1.40.4 and 1.40.3f are vulnerable.
Ref: http://www.securityfocus.com/archive/1/422266
______________________________________________________________________

06.3.87 CVE: Not Available
Platform: Hardware
Title: Clipcomm CPW-100E and CP-100E VOIP Phones Remote Administrative
Access Vulnerability
Description: Clipcomm CPW-100E VOIP Phones provide Voice Over IP
(VOIP) service through 802.11b wireless networks. They are vulnerable
to an issue that allows remote attackers to gain access to potentially
sensitive information and corrupt memory. Clipcomm CPW-100E Phones
running firmware version 1.1.12 and CP-100E phones running firmware
version 1.1.60 are vulnerable.
Ref: http://www.securityfocus.com/bid/16289/info
______________________________________________________________________

(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.
