RISK: The Consensus Security Vulnerability Alert Vol. 5 No.8

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Mon Feb 27 2006 - 10:35:36 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Another remotely exploitable vulnerability was found in Winamp, and also
one in Adobe Macromedia Shockwave this week. Media player software is
a prime target of attackers because hundreds of millions of copies have
been distributed (often without the buyer knowing it is on his or her
computer) and most people are unaware that they have to take personal
responsibility for patching it. Shame on these vendors for distributing
vulnerable software without ensuring their unsuspecting users have an
automated updating service.

In addition, Apple Mac OS X users lost their feeling of invulnerability
to security problems. A consensus of experts is that Windows users will
continue switching to Macs, despite what will be a growing number of Mac
vulnerability discoveries.

                                  Alan

*************************************************************************
           RISK: The Consensus Security Vulnerability Alert
February 27, 2006 Vol. 5. Week 8
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
======================================================================
Platform                                # of Updates & Vulnerabilities
======================================================================
Third Party Windows Apps                 9 (#2, #3)
Mac Os                                   1 (#1)
Linux                                    5
Unix                                     2
Cross Platform                          18
Web Application - Cross Site Scripting   8
Web Application - SQL Injection         11
Web Application                         35 (#4)
Network Device                           3

*************************************************************************

Table of Contents:

Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Mac OS X Safari Remote Code Execution
(2) HIGH: Winamp M3U Playlist File Handling Overflow
(3) HIGH: Adobe Macromedia Shockwave Player ActiveX Buffer Overflow

Other Software
(4) HIGH: Mambo CMS SQL Injection and Local File Include Vulnerabilities


Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Third Party Windows Apps
06.8.1 - NJStar Word Processor Remote Buffer Overflow
06.8.2 - Safe'n'Sec Path Specification Local Privilege Escalation
06.8.3 - Ipswitch WhatsUp Professional 2006 Denial of Service
06.8.4 - Nullsoft Winamp M3U File Processing Buffer Overflow
06.8.5 - Winace ARJ File Handling Buffer Overflow
06.8.6 - The Bat! Remote Buffer Overflow
06.8.7 - Winace Remote Directory Traversal
06.8.8 - StuffIt and ZipMagic Remote Directory Traversal
06.8.9 - ArGoSoft Mail Server Pro POP3 Server Remote Information Disclosure
 -- Mac Os
06.8.10 - Mac OS X Archive Metadata Command Execution
 -- Linux
06.8.11 - Fedora Directory Server Password Information Disclosure
06.8.12 - Linux Kernel SDLA_XFER Kernel Memory Disclosure
06.8.13 - ViRobot Linux Server Authentication Bypass
06.8.14 - SUSE CASA Pam_Micasa Remote Buffer Overflow
06.8.15 - Zoo Misc.c Buffer Overflow
 -- Unix
06.8.16 - SquirrelMail Multiple Cross-Site Scripting and IMAP Injection Vulnerabilities
06.8.17 - SCO UnixWare Ptrace Unspecified Local Privilege Escalation
 -- Cross Platform
06.8.18 - Melange Chat Session Header Information Disclosure
06.8.19 - XPDF Multiple Unspecified Vulnerabilities
06.8.20 - Mozilla Firefox HTML Parsing Denial of Service
06.8.21 - EmuLinker Malformed Packet Remote Denial Of Service
06.8.22 - Micromuse Netcool/NeuSecure NS Account Password Disclosure
06.8.23 - BomberClone Error Messages Buffer Overflow
06.8.24 - Micromuse Netcool/NeuSecure Clear Text Password
06.8.25 - Netcool/NeuSecure Insecure File Permissions
06.8.26 - Snort Frag3 Processor Fragmented Packet Detection Evasion
06.8.27 - Mozilla Thunderbird Address Book Import Remote Denial of Service
06.8.28 - GNU Tar Invalid Headers Buffer Overflow
06.8.29 - Mozilla Thunderbird IFRAME JavaScript Execution
06.8.30 - VisNetic AntiVirus Local Privilege Escalation
06.8.31 - Macromedia Shockwave Player ActiveX Control Buffer Overflow
06.8.32 - POPFile Denial Of Service
06.8.33 - Lincoln D. Stein Crypt::CBC Perl Module Weak Ciphertext
06.8.34 - PHP Error Message Cross-Site Scripting
06.8.35 - PHP PEAR::Archive_Tar Remote Directory Traversal
 -- Web Application - Cross Site Scripting
06.8.36 - V-webmail Multiple Cross-Site Scripting Vulnerabilities
06.8.37 - MyBB Multiple Cross-Site Scripting Vulnerabilities
06.8.38 - ADOdb Multiple Cross-Site Scripting Vulnerabilities
06.8.39 - RunCMS Ratefile.PHP Cross-Site Scripting
06.8.40 - Noah's Classifieds Index.PHP Multiple Cross-Site Scripting Vulnerabilities
06.8.41 - CPG Dragonfly CMS Multiple Cross-Site Scripting Vulnerabilities
06.8.42 - JGS-Gallery Module Multiple Cross-Site Scripting Vulnerabilities
06.8.43 - WEBInsta Limbo HTML Injection
 -- Web Application - SQL Injection
06.8.44 - PHPNuke Index.PHP Search Module SQL Injection
06.8.45 - Magic Calendar Lite Index.PHP SQL Injection
06.8.46 - ilchClan Multiple SQL Injection Vulnerabilities
06.8.47 - MiniNuke CMS Pages.ASP SQL Injection
06.8.48 - Webpagecity WPC easy SQL Injection
06.8.49 - PEAR::Auth Multiple Unspecified SQL Injection Vulnerabilities
06.8.50 - Noah's Classifieds Search Page SQL Injection
06.8.51 - CPG Dragonfly CMS SQL Injection
06.8.52 - Web Calendar Pro Dropbase.PHP SQL Injection
06.8.53 - Oi! Email Marketing System Index.PHP SQL Injection
06.8.54 - Virtual Communication Services VPMi Enterprise Service_Requests.ASP SQL Injection
 -- Web Application
06.8.55 - Guestbox HTML Injection
06.8.56 - Admbook Remote PHP Script Code Execution
06.8.57 - Barracuda Directory Multiple HTML Injection Vulnerabilities
06.8.58 - Xerox WorkCentre Products HTML Injection
06.8.59 - TTS Software Time Tracking Software Edituser.PHP Access Validation
06.8.60 - Siteframe Beaumont Page.PHP HTML Injection
06.8.61 - Wimpy MP3 Player Text File Overwrite Weakness
06.8.62 - Macallan Mail Solution IMAP Commands Directory Traversal
06.8.63 - PerlBlog Multiple Input Validation and Information Disclosure Vulnerabilities
06.8.64 - Teca Scripts Quirex Convert.CGI Information Disclosure
06.8.65 - Apache Libapreq2 Quadratic Behavior Denial of Service
06.8.66 - Teca Scripts Guestex Multiple Input Validation Vulnerabilities
06.8.67 - Leif M. Wright Blog Information Disclosure
06.8.68 - E-Blah Routines.PL HTML Injection
06.8.69 - Leif M. Wright Blog.CGI Authorization Bypass
06.8.70 - Leif M. Wright Blog HTML Injection
06.8.71 - Coppermine Multiple File Include Vulnerabilities
06.8.72 - e107 Website System Chatbox Plugin HTML Injection
06.8.73 - PHPNuke CAPTCHA Bypass Weakness
06.8.74 - PostNuke Multiple Input Validation Vulnerabilities
06.8.75 - Geeklog Multiple Input Validation Vulnerabilities
06.8.76 - CherryPy StaticFilter Directory Traversal
06.8.77 - PEAR LiveUser Unauthorized File Access
06.8.78 - PHPNuke Your_Account Module Multiple Input Validation Vulnerabilities
06.8.79 - Mambo Open Source Unspecified Remote
06.8.80 - InfoVista VistaPortal Directory Traversal
06.8.81 - Noah's Classifieds Local File Include
06.8.82 - CPG Dragonfly CMS Linking.PHP HTML Injection
06.8.83 - Noah's Classifieds Index.PHP Remote File Include
06.8.84 - Intensive Point iUser Ecommerce Unspecified Vulnerabilities
06.8.85 - NOCC Webmail Multiple Input Validation Vulnerabilities
06.8.86 - CubeCart Arbitrary File Upload
06.8.87 - PHPX XCode Tag HTML Injection
06.8.88 - PHPLIB Unspecified Code Execution
06.8.89 - DEV Web Management System HTML Injection
 -- Network Device
06.8.90 - HCIDump Remote Denial of Service
06.8.91 - Xerox WorkCentre Unspecified Denial of Service
06.8.92 - Xerox WorkCentre Products Local Authentication Bypass

 ______________________________________________________________________

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohit Dhamankar and Rob King
at TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

************************
Widely Deployed Software
************************

(1) CRITICAL: Mac OS X Safari Remote Code Execution
Affected:
Safari current and possibly all prior versions

Description: Safari, the default browser on Mac OS X systems, contains
a vulnerability that allows an attacker to execute arbitrary code on a
user's system. The problem arises because Safari opens "Safe" files
automatically after downloading and also trusts the user-supplied
metadata associated with a file. For instance, an attacker can create a
shell script, rename the shell script with a safe extension like ".mov"
and store the metadata for the shell script in the "__MacOSX" folder.
The attacker can then create a zip archive that contains the shell
script and the metadata, and post this crafted zip archive on a
webserver. When a user visits the attacker's site, the zip file will be
automatically downloaded and the shell script executed by the program
indicated by the metafile. Note that no user interaction is required to
leverage this flaw other than browsing a malicious webpage. Exploit code
has been publicly posted.

Status: Apple has not released an update yet. A workaround is to disable
Safari's "Open safe files after downloading" option.
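
A defender-side check for the archive layout described above, as an added example that is not part of the original bulletin: it flags zip members whose "safe" media extension does not match their leading bytes, and records whether a companion metadata entry under the `__MACOSX` folder accompanies them. The extension list, the signatures and the sample archive are assumptions constructed for illustration, not Safari's actual safe-file list.

```python
import io
import zipfile
from pathlib import PurePosixPath


def _is_quicktime(head: bytes) -> bool:
    # QuickTime/MP4 files start with an atom: 4-byte size, then a 4-byte type.
    return head[4:8] in {b"ftyp", b"moov", b"mdat", b"free", b"wide", b"skip", b"pnot"}


def _is_jpeg(head: bytes) -> bool:
    return head.startswith(b"\xff\xd8\xff")


# Assumption: a small illustrative subset of media types and their leading
# signatures. This is not the browser's real "safe" list.
SIGNATURES = {
    ".mov": _is_quicktime,
    ".mp4": _is_quicktime,
    ".jpg": _is_jpeg,
    ".jpeg": _is_jpeg,
    ".png": lambda h: h.startswith(b"\x89PNG\r\n\x1a\n"),
    ".gif": lambda h: h[:6] in (b"GIF87a", b"GIF89a"),
    ".pdf": lambda h: h.startswith(b"%PDF-"),
}


def _metadata_target(name: str):
    """Return the data-file path that a metadata entry describes, else None.

    Mac OS X archives keep per-file metadata as '__MACOSX/<dir>/._<file>'.
    The folder name is matched case-insensitively.
    """
    path = PurePosixPath(name)
    parts = path.parts
    if len(parts) >= 2 and parts[0].upper() == "__MACOSX" and path.name.startswith("._"):
        return str(PurePosixPath(*parts[1:-1], path.name[2:]))
    return None


def scan_zip(data: bytes):
    """Flag members whose media extension disagrees with their content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # Paths of data files that have a companion metadata entry.
        described = {t for t in (_metadata_target(i.filename) for i in infos) if t}
        for info in infos:
            if info.is_dir() or _metadata_target(info.filename):
                continue
            member = str(PurePosixPath(info.filename))
            check = SIGNATURES.get(PurePosixPath(member).suffix.lower())
            if check is None:
                continue  # extension is outside the list we verify
            with zf.open(info) as fh:
                head = fh.read(16)
            if not check(head):
                has_meta = member in described
                findings.append({
                    "member": member,
                    "has_metadata": has_meta,
                    # Metadata can influence which program opens the file,
                    # so a mismatch with metadata present ranks higher.
                    "severity": "high" if has_meta else "medium",
                })
    return findings


def build_constructed_sample() -> bytes:
    """Constructed, harmless sample archive used only to exercise scan_zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.mov", b"echo constructed-sample\n")       # text, not a movie
        zf.writestr("__MACOSX/._holiday.mov", b"constructed placeholder")
        zf.writestr("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)   # real PNG signature
        zf.writestr("__MACOSX/._photo.png", b"constructed placeholder")
        zf.writestr("clip.mov", b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 8)
        zf.writestr("notes.jpg", b"plain text with an image extension\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_constructed_sample()):
        print(finding)
```

Archives created on a Mac routinely carry `__MACOSX` entries, so the metadata flag alone is not a signal; it only raises the priority of a content mismatch.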

Council Site Actions: Only two of the reporting council sites are
using/supporting MacOS. One site uses Firefox as the supported browser
for the Macs; however, its Safari users were advised to disable Safari's
open-safe-files option in lieu of a patch. They plan to push out the
official patch when it becomes available. The second site has a large
number of Mac systems. They use Apple's Software Update Facility;
therefore, Safari will be updated when Apple releases a patch. This
site has also started publicizing new Mac OS X threats at the top of
their Central IT Department home page. They currently have two Mac OS X
messages at the top, and will likely add one about this Safari issue.
At this time they are undecided about recommending a reconfiguration
that prevents the automatic opening of safe files.

References:
CERT Advisory
http://www.kb.cert.org/vuls/id/999708
Exploit Code
http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php
http://www.mathematik.uni-ulm.de/~lehn/mac.html
http://secunia.com/mac_os_x_command_execution_vulnerability_test/
SecurityFocus BID
http://www.securityfocus.com/bid/16736

****************************************************************

(2) HIGH: Winamp M3U Playlist File Handling Overflow
Affected:
Winamp version 5.13 and prior

Description: Last week another buffer overflow vulnerability was
reported in Winamp. This overflow is triggered by a playlist file (m3u
format) that contains a specially crafted playlist file (m3u or pls
format). Note that several buffer overflows have been reported in Winamp
during this month. Exploit code has not been posted for this flaw yet.

Status: Winamp has released version 5.2 that fixes all the
vulnerabilities reported so far. An upgrade to this version is
recommended as soon as possible.

References:
Posting by IRM Security
http://www.securityfocus.com/archive/1/425984
NSFocus Advisory
http://www.securityfocus.com/archive/1/425888
Vendor Homepage
http://www.winamp.com
SecurityFocus BID
http://www.securityfocus.com/bid/16785

****************************************************************

(3) HIGH: Adobe Macromedia Shockwave Player ActiveX Buffer Overflow
Affected:
Shockwave player 10.1.0.11 and prior

Description: According to Macromedia, the Shockwave player has been
installed on more than 390 million systems. The Shockwave installer
ActiveX control contains a stack-based buffer overflow that can be
triggered by passing overlong parameters. A malicious webpage can
exploit this flaw to execute arbitrary code on a user's system. The
technical details required to craft an exploit have not been posted.

Status: Adobe Macromedia has issued a fix for the installer ActiveX
control. Note that Macromedia has been pushing the security update via
the automatic update feature of the player prior to this announcement.

Council Site Actions: All reporting council sites are responding to
this issue. Most plan to distribute the patch during their next
regularly scheduled system update process. One site will prepare an
announcement that advises their end users to download the updated
version of Shockwave Player.

References:
TippingPoint Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0590.html
Macromedia Advisory
http://www.macromedia.com/devnet/security/security_zone/apsb06-02.html
Product Homepage
http://www.macromedia.com/software/shockwaveplayer/
SecurityFocus BID
http://www.securityfocus.com/bid/16791

****************************************************************

******************
Other Software
******************

(4) HIGH: Mambo CMS SQL Injection and Local File Include Vulnerabilities
Affected:
Mambo CMS versions 4.5.3h and prior

Description: Mambo is a popular open-source content management
system. This software contains several SQL injection vulnerabilities;
one of the SQL injection vulnerabilities can be exploited by an
unauthenticated attacker to log in with the privileges of any chosen
user. The software also contains a local file include vulnerability
arising from the lack of sanitization of user-supplied input to the
"$mos_change_template" variable. This can be exploited to execute
arbitrary PHP code on the Mambo server. The technical details required
to craft an exploit have been posted. Note that the "Mare.D" worm is
reportedly exploiting prior vulnerabilities in Mambo CMS installations.

Status: Mambo has released patches for versions 4.5.3 and 4.5.3h. Mambo
installations using prior versions should be upgraded to 4.5.3h.

References:
Gulftech Advisory
http://www.gulftech.org/?node=research&article_id=00104-02242006
Mambo Security Announcement
http://mamboxchange.com/forum/forum.php?forum_id=6835
Mambo Homepage
http://www.mamboserver.com
Mare.D Worm Information
http://www.f-secure.com/v-descs/mare_d.shtml
SecurityFocus BID
http://www.securityfocus.com/bid/16775

***********************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 8, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4902 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
______________________________________________________________________

06.8.1 CVE: CVE-2006-0807
Platform: Third Party Windows Apps
Title: NJStar Word Processor Remote Buffer Overflow
Description: NJStar is a word processor application. It is vulnerable
to a remote buffer overflow issue when specially crafted font names
contained in an NJStar document are handled. NJStar Chinese and
Japanese versions 5.01.41107 and earlier are vulnerable.
Ref: http://www.frsirt.com/english/advisories/2006/0670
______________________________________________________________________

06.8.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Safe'n'Sec Path Specification Local Privilege Escalation
Description: StarForce Technologies Safe'n'Sec is a commercial
security application. The application executes other applications
without using properly quoted paths. Safe'n'Sec Personal version 2.0
is vulnerable.
Ref: http://secdev.zoller.lu/research/safnsec.htm
______________________________________________________________________

06.8.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Ipswitch WhatsUp Professional 2006 Denial of Service
Description: Ipswitch WhatsUp Professional 2006 is a network
monitoring and management application. It is vulnerable to a remote
denial of service issue due to insufficient handling of various HTTP
GET requests to the "NmConsole/Login.asp" script. Ipswitch WhatsUp
Professional 2006 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425780
______________________________________________________________________

06.8.4 CVE: CVE-2006-0720
Platform: Third Party Windows Apps
Title: Nullsoft Winamp M3U File Processing Buffer Overflow
Description: Winamp is a media player. It is prone to a buffer
overflow vulnerability when processing malformed M3U playlist files.
This issue occurs when an M3U playlist is paused or stopped. Winamp
makes an insecure "strncpy()" call to reset the title of the program,
which can result in a static buffer being overrun. Winamp versions
5.12 and 5.13 are affected; earlier versions may also be vulnerable.
Ref: http://www.securityfocus.com/archive/1/425984
______________________________________________________________________

06.8.5 CVE: CVE-2006-0813
Platform: Third Party Windows Apps
Title: Winace ARJ File Handling Buffer Overflow
Description: Winace is a file compression and decompression
application. It is vulnerable to a buffer overflow when handling
malformed ARJ archives. Winace version 2.60 is vulnerable.
Ref: http://secunia.com/secunia_research/2005-67/advisory/
______________________________________________________________________

06.8.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: The Bat! Remote Buffer Overflow
Description: The Bat! is a web mail client for various Microsoft
Windows platforms. It is prone to a remote buffer overflow
vulnerability. The problem presents itself when the application
receives an email where the "Subject" field is 4038 bytes. This
results in a buffer overflow and subsequent memory corruption. An
attacker can exploit this issue to control program flow and execute
arbitrary attacker-supplied code in the context of the victim user
running the affected application.
Ref: http://www.securityfocus.com/archive/1/425936
______________________________________________________________________

06.8.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: Winace Remote Directory Traversal
Description: Winace is a file compression/decompression application. A
vulnerability in Winace may allow an attacker to place files and
overwrite files in arbitrary locations on a vulnerable computer.
Winace versions 2.6.05 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/425971
______________________________________________________________________

06.8.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: StuffIt and ZipMagic Remote Directory Traversal
Description: StuffIt and ZipMagic are file archiving and compression
applications. A vulnerability in these applications may allow an
attacker to place and overwrite files in arbitrary locations on a
vulnerable computer. This issue presents itself when the application
processes malicious ZIP and TAR archives. Visit the reference link for
a list of vulnerable versions.
Ref: http://www.securityfocus.com/archive/1/425972
______________________________________________________________________

06.8.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: ArGoSoft Mail Server Pro POP3 Server Remote Information
Disclosure
Description: ArGoSoft Mail Server Pro is a mail server application. It
is affected by a remote information disclosure issue triggered by
issuing a "_DUMP" command prior to authenticating to the POP3 service.
This will return potentially sensitive configuration information.
ArGoSoft Mail Server Pro version 1.8.8.1 is affected.
Ref: http://www.securityfocus.com/bid/16808
______________________________________________________________________

06.8.10 CVE: Not Available
Platform: Mac Os
Title: Mac OS X Archive Metadata Command Execution
Description: Apple Mac OS X is vulnerable to an arbitrary command
execution vulnerability when opening ZIP archive files due to an error
when processing file association metadata. Mac OS X versions 10.4.5
and earlier are vulnerable.
Ref: http://secunia.com/mac_os_x_command_execution_vulnerability_test/
______________________________________________________________________

06.8.11 CVE: CVE-2005-3630
Platform: Linux
Title: Fedora Directory Server Password Information Disclosure
Description: Fedora Directory Server is vulnerable to an information
disclosure issue because the application allows for an unauthorized
user to view the administrative password which is stored in the
adm.conf file. RedHat Fedora Directory Server version 1.0 is
vulnerable.
Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174837
______________________________________________________________________

06.8.12 CVE: CVE-2004-2607
Platform: Linux
Title: Linux Kernel SDLA_XFER Kernel Memory Disclosure
Description: The Linux kernel is affected by a local memory disclosure
issue which presents itself in the "sdla_xfer" function of the SDLA
WAN driver. A flawed integer to short cast causes a memory copy
operation to copy zero bytes. Kernel versions 2.4.x up to 2.4.29-rc1
and 2.6.x up to 2.6.5 are affected.
Ref: http://www.securityfocus.com/bid/16759
______________________________________________________________________

06.8.13 CVE: Not Available
Platform: Linux
Title: ViRobot Linux Server Authentication Bypass
Description: ViRobot Linux Server is an application server that
provides antivirus protection. It is prone to an authentication bypass
vulnerability because the "filescan" component does not properly
validate authentication credentials supplied through cookies. ViRobot
Linux Server version 2.0 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/16768
______________________________________________________________________

06.8.14 CVE: CVE-2006-0736
Platform: Linux
Title: SUSE CASA Pam_Micasa Remote Buffer Overflow
Description: SUSE Common Authentication Service Adapter (CASA)
provides a common infrastructure for client authentication. It is
vulnerable to a remote buffer overflow issue due to insufficient
handling of boundary checks with the "pam_micasa" authentication
module. SUSE Open-Enterprise-Server version 9.0 and SUSE Novell Linux
Desktop version 9.0 are vulnerable.
Ref: http://www.novell.com/linux/security/advisories/2006_10_casa.html
______________________________________________________________________

06.8.15 CVE: Not Available
Platform: Linux
Title: Zoo Misc.c Buffer Overflow
Description: Zoo is an archiving tool that uses Lempel-Ziv
compression. It is prone to a buffer overflow vulnerability due to
insufficient boundary checking on user-supplied data. Zoo version 2.10
is vulnerable.
Ref: http://www.securityfocus.com/bid/16790
______________________________________________________________________

06.8.16 CVE: CVE-2006-0195, CVE-2006-0377, CVE-2006-0188
Platform: Unix
Title: SquirrelMail Multiple Cross-Site Scripting and IMAP Injection
Vulnerabilities
Description: SquirrelMail is a web mail application implemented in
PHP4. It is susceptible to multiple cross-site scripting and IMAP
injection vulnerabilities due to insufficient sanitization of
user-supplied input. All versions prior to SquirrelMail 1.4.6-cvs are
vulnerable.
Ref: http://www.securityfocus.com/bid/16756
______________________________________________________________________

06.8.17 CVE: CVE-2005-2934
Platform: Unix
Title: SCO UnixWare Ptrace Unspecified Local Privilege Escalation
Description: SCO UnixWare is prone to a local privilege escalation
vulnerability. An attacker can exploit the "ptrace()" system call to
gain superuser privileges leading to a complete compromise. SCO
UnixWare versions 7.1.3 and 7.1.4 are known to be vulnerable.
Ref: http://www.securityfocus.com/bid/16765
______________________________________________________________________

06.8.18 CVE: Not Available
Platform: Cross Platform
Title: Melange Chat Session Header Information Disclosure
Description: Melange Chat is an IRC-like server/client program. It is
prone to an information disclosure vulnerability due to a failure in
the application to properly secure HTTP request data. The server uses
TCP port 6666 to listen for incoming client connections. However,
during a connection, the client transmits the session header to all
telnet sessions currently connected to the listening port. Melange
Chat System version 1.10 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425589
______________________________________________________________________

06.8.19 CVE: Not Available
Platform: Cross Platform
Title: XPDF Multiple Unspecified Vulnerabilities
Description: The "xpdf" utility is an open-source implementation of a
PDF viewer for the X window system. It is affected by multiple
unspecified security issues. All versions are affected.
Ref: http://www.securityfocus.com/bid/16748
______________________________________________________________________

06.8.20 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Firefox HTML Parsing Denial of Service
Description: Mozilla Firefox is prone to a remote denial of service
vulnerability. This issue occurs when the browser parses certain
malformed HTML content. The browser may fail due to a null pointer
dereference. In some cases, the browser may simply no longer respond.
Mozilla Firefox versions prior to 1.5.0.1 are prone to this issue.
Ref: http://www.securityfocus.com/bid/16741/exploit
______________________________________________________________________

06.8.21 CVE: Not Available
Platform: Cross Platform
Title: EmuLinker Malformed Packet Remote Denial Of Service
Description: EmuLinker is a server application for classic emulated
games. It is susceptible to a remote denial of service vulnerability.
This issue is due to a failure of the application to properly handle
malformed network packets from other game players. EmuLinker versions
prior to 0.99.17 are affected by this issue.
Ref: http://www.securityfocus.com/bid/16733
______________________________________________________________________

06.8.22 CVE: Not Available
Platform: Cross Platform
Title: Micromuse Netcool/NeuSecure NS Account Password Disclosure
Description: Micromuse Netcool/NeuSecure is a security information
management (SIM) platform that stores security data in a MySQL
database. It is prone to a password-disclosure vulnerability. This
issue occurs because the NS account password is logged in cleartext
through the application's logging facility. The log file is viewable
by unprivileged users of the system. Netcool/NeuSecure 3.0.236-1 was
reported vulnerable. Other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/425304
______________________________________________________________________

06.8.23 CVE: CVE-2006-0460
Platform: Cross Platform
Title: BomberClone Error Messages Buffer Overflow
Description: BomberClone is a multiplayer version of the game
"BomberMan". It is affected by a buffer overflow issue when it fails
to perform boundary checks on user-supplied data before storing it in
a finite sized buffer. BomberClone version 0.11.6.2 is affected.
Ref: http://www.securityfocus.com/bid/16697
______________________________________________________________________

06.8.24 CVE: CVE-2006-0838
Platform: Cross Platform
Title: Micromuse Netcool/NeuSecure Clear Text Password
Description: Micromuse Netcool/NeuSecure is a security information
management (SIM) platform. It is vulnerable to a cleartext password
issue because the application stores the passwords in cleartext in the
"/etc/neusecure.conf" configuration file. Micromuse
Netcool/NeuSecure version 3.0.236-1 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425304
______________________________________________________________________

06.8.25 CVE: CAN-2005-2962
Platform: Cross Platform
Title: Netcool/NeuSecure Insecure File Permissions
Description: Netcool/NeuSecure is a security information management
(SIM) platform. It is vulnerable to insecure directory permissions
during a default installation. Netcool/NeuSecure Version 3.0.236-1 is
vulnerable.
Ref: http://www.securityfocus.com/archive/1/425304
______________________________________________________________________

06.8.26 CVE: CVE-2006-0839
Platform: Cross Platform
Title: Snort Frag3 Processor Fragmented Packet Detection Evasion
Description: Snort is an intrusion detection system (IDS). Reports
indicate that the Frag3 preprocessor, which is used to handle
fragmented IP packets, does not analyze [ip_option_length] bytes from
the end of the IP options during reassembly. A successful attack can
allow attackers to bypass intrusion detection. Snort version 2.4.3 is
affected.
Ref: http://www.securityfocus.com/archive/1/425290
______________________________________________________________________

06.8.27 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Thunderbird Address Book Import Remote Denial of
Service
Description: Mozilla Thunderbird is an email client. It is vulnerable
to a remote denial of service issue due to insufficient handling of
specially crafted address books containing excessive data. Mozilla
Thunderbird version 1.5 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425602
______________________________________________________________________

06.8.28 CVE: CVE-2006-0300
Platform: Cross Platform
Title: GNU Tar Invalid Headers Buffer Overflow
Description: GNU Tar is a program that allows users to create and
manipulate archive files in various formats. It is prone to a buffer
overflow vulnerability. This issue occurs when archives containing
malformed headers are processed. GNU Tar versions 1.14 and above are
vulnerable.
Ref: http://www.securityfocus.com/bid/16764
______________________________________________________________________

06.8.29 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Thunderbird IFRAME JavaScript Execution
Description: Mozilla Thunderbird is an email client. It is prone to a
script execution vulnerability due to insufficient sanitization of
user-supplied data. The vulnerability presents itself when an attacker
supplies a specially crafted email to a user containing malicious
script code in the "SRC" attribute of an IFRAME and the user attempts
to reply to the mail. Mozilla Thunderbird 1.0.7 and prior versions are
reportedly affected.
Ref: http://www.securityfocus.com/bid/16770/exploit
______________________________________________________________________

06.8.30 CVE: CVE-2006-0812
Platform: Cross Platform
Title: VisNetic AntiVirus Local Privilege Escalation
Description: VisNetic AntiVirus is a specially designed plugin module
for VisNetic MailServer. It is prone to a local privilege escalation
vulnerability. This issue is due to a failure in the application to
drop privileges before invoking other applications. VisNetic AntiVirus
versions 4.6.1.1 and 4.6.4 are affected.
Ref: http://www.securityfocus.com/bid/16788
______________________________________________________________________

06.8.31 CVE: Not Available
Platform: Cross Platform
Title: Macromedia Shockwave Player ActiveX Control Buffer Overflow
Description: Macromedia Shockwave by Adobe is a multi-platform
multimedia playback application. It is affected by a stack-based
buffer overflow issue which occurs when the affected ActiveX control
is passed overly long parameters specified from a malicious web site.
Macromedia Shockwave Player versions 10.1.0.11 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/16791
______________________________________________________________________

06.8.32 CVE: Not Available
Platform: Cross Platform
Title: POPFile Denial Of Service
Description: POPFile is an email classification tool. A remote denial
of service vulnerability has been reported in POPFile. A remote
attacker may cause the application to crash when a victim user opens a
specially crafted email message containing certain malformed character
sets. POPFile version 0.22.3 is vulnerable.
Ref: http://www.securityfocus.com/bid/16792
______________________________________________________________________

06.8.33 CVE: Not Available
Platform: Cross Platform
Title: Lincoln D. Stein Crypt::CBC Perl Module Weak Ciphertext
Description: Lincoln D. Stein Crypt::CBC is a Perl module that
implements cryptographic cipher block chaining mode (CBC) encryption
support. It is vulnerable to a weak ciphertext issue due to a flaw in
its creation of Initialization Vectors for ciphers with a blocksize
larger than 8. Lincoln D. Stein Crypt::CBC versions 2.16 and earlier
are vulnerable.
Ref: http://www.securityfocus.com/archive/1/425966
______________________________________________________________________

06.8.34 CVE: Not Available
Platform: Cross Platform
Title: PHP Error Message Cross-Site Scripting
Description: PHP is a general-purpose scripting language that is
especially suited for web development and can be embedded into HTML.
It is prone to a cross-site scripting vulnerability due to improper
sanitization of user-supplied input before using it in generated error
messages. PHP versions 5.1.1 and earlier are affected.
Ref: http://www.securityfocus.com/bid/16803
______________________________________________________________________

06.8.35 CVE: Not Available
Platform: Cross Platform
Title: PHP PEAR::Archive_Tar Remote Directory Traversal
Description: PEAR::Archive_Tar has a vulnerability that may allow an
attacker to place files and overwrite files in arbitrary locations on
a vulnerable computer. Reportedly, an attacker can carry out directory
traversal type attacks. This issue presents itself when the
application processes malicious TAR archives. When the application
processes an archive file, it places the files in a location that is
specified within the file itself.
Ref: http://www.securityfocus.com/archive/1/425967
______________________________________________________________________

06.8.36 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: V-webmail Multiple Cross-Site Scripting Vulnerabilities
Description: V-webmail is a webmail application implemented in PHP. It
is prone to multiple cross-site scripting vulnerabilities due to
insufficient sanitization of user-supplied input to the "newid"
parameter of the "preferences.personal.php" script and the "rframe"
parameter of the "frameset.php" script. V-webmail version 1.6.2 is
vulnerable.
Ref: http://www.securityfocus.com/bid/16706
______________________________________________________________________

06.8.37 CVE: CVE-2006-0770
Platform: Web Application - Cross Site Scripting
Title: MyBB Multiple Cross-Site Scripting Vulnerabilities
Description: MyBB is a web-based bulletin-board application. It is
vulnerable to multiple cross-site scripting issues due to insufficient
sanitization of user-supplied input. MyBB Version 1.0.4 is vulnerable.
Ref: http://www.securityfocus.com/bid/16708/info
______________________________________________________________________

06.8.38 CVE: CVE-2006-0806
Platform: Web Application - Cross Site Scripting
Title: ADOdb Multiple Cross-Site Scripting Vulnerabilities
Description: ADOdb is a database-abstraction library for PHP. It is
prone to multiple cross-site scripting vulnerabilities. ADOdb versions
4.71 and prior are vulnerable.
Ref: http://www.securityfocus.com/archive/1/425393
______________________________________________________________________

06.8.39 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: RunCMS Ratefile.PHP Cross-Site Scripting
Description: RunCMS is a web-based content management system.
Insufficient sanitization of the "lid" parameter in the "ratefile.php"
script exposes the application to a cross-site scripting issue. All
current versions are affected.
Ref: http://www.securityfocus.com/bid/16769
______________________________________________________________________

06.8.40 CVE: CVE-2005-2980
Platform: Web Application - Cross Site Scripting
Title: Noah's Classifieds Index.PHP Multiple Cross-Site Scripting
Vulnerabilities
Description: Noah's Classifieds is a general purpose web advertising
application. It is vulnerable to multiple cross-site scripting issues
due to insufficient sanitization of user supplied input to the "inf"
and "upperTemplate" parameters of the "index.php" script.
PhpOutsourcing Noah's Classifieds version 1.3 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425783
______________________________________________________________________

06.8.41 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: CPG Dragonfly CMS Multiple Cross-Site Scripting Vulnerabilities
Description: Dragonfly is a web-based content management system.
Insufficient sanitization of user-supplied input exposes the
application to multiple cross-site scripting issues. All current
versions are affected.
Ref: http://www.securityfocus.com/bid/16784
______________________________________________________________________

06.8.42 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: JGS-Gallery Module Multiple Cross-Site Scripting
Vulnerabilities
Description: JGS-Gallery is a gallery module for Woltlab Burning
Board. JGS-Gallery is vulnerable to multiple cross-site scripting
issues due to a lack of proper sanitization of user-supplied input.
Multiple parameters are not properly sanitized when submitted to
multiple scripts, allowing an attacker to submit malicious HTML and
script code through a malicious URI. These issues affect the "userid"
and "katid" parameters of "jgs_galerie_slideshow.php" and the "userid"
parameter of "jgs_galerie_scroll.php"; other scripts and parameters
may also be vulnerable. JGS-Gallery version 4.0 is affected.
Ref: http://www.securityfocus.com/bid/16810/exploit
______________________________________________________________________

06.8.43 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: WEBInsta Limbo HTML Injection
Description: Limbo is a content management application. It is
vulnerable to an HTML injection issue due to insufficient sanitization
of user-supplied input to the message field on the "contact" page.
WEBInsta Limbo CMS version 1.0.4.2 is vulnerable.
Ref: http://www.securityfocus.com/bid/16811/info
______________________________________________________________________

06.8.44 CVE: CVE-2006-0679
Platform: Web Application - SQL Injection
Title: PHPNuke Index.PHP Search Module SQL Injection
Description: PHPNuke is a web-based content management system (CMS).
PHPNuke is prone to an SQL injection vulnerability. PHPNuke versions
7.5.0 up to 7.8.0 are vulnerable.
Ref: http://www.securityfocus.com/archive/1/425508
______________________________________________________________________

06.8.45 CVE: CVE-2006-0673
Platform: Web Application - SQL Injection
Title: Magic Calendar Lite Index.PHP SQL Injection
Description: Magic Calendar Lite is a calendar application.
Insufficient sanitization of the "Login" field in the "index.php"
script exposes the application to an SQL injection issue. Magic
Calendar Lite version 1.02 is affected.
Ref: http://www.securityfocus.com/bid/16734
______________________________________________________________________

06.8.46 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ilchClan Multiple SQL Injection Vulnerabilities
Description: ilchClan is a web application. The application is
vulnerable to SQL injection issues because it fails to properly
sanitize user-supplied input to the "pid" and "login_name" parameters
of the "index.php" and "login.php" scripts. ilchClan versions 1.0.5F
and 1.0.5.G are vulnerable.
Ref: http://www.securityfocus.com/bid/16735/exploit
______________________________________________________________________

06.8.47 CVE: CVE-2006-0199
Platform: Web Application - SQL Injection
Title: MiniNuke CMS Pages.ASP SQL Injection
Description: The MiniNuke CMS is used to create web sites. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user supplied input to the "id" parameter of the "pages.asp"
script. MiniNuke CMS version 1.8.2 is vulnerable.
Ref: http://www.securityfocus.com/bid/16730/info
______________________________________________________________________

06.8.48 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Webpagecity WPC easy SQL Injection
Description: Webpagecity WPC easy is used to create web sites. It is
prone to an SQL injection vulnerability due to insufficient
sanitization of user-supplied input to the login script.
Ref: http://www.securityfocus.com/archive/1/425395
______________________________________________________________________

06.8.49 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PEAR::Auth Multiple Unspecified SQL Injection Vulnerabilities
Description: PEAR::Auth is a package that provides methods for
creating PHP authentication systems. It is prone to multiple
unspecified SQL injection vulnerabilities due to insufficient
sanitization of user-supplied input. PEAR::Auth versions prior to
1.2.4 and prior to 1.3.0r4 are vulnerable.
Ref: http://www.securityfocus.com/bid/16758
______________________________________________________________________

06.8.50 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Noah's Classifieds Search Page SQL Injection
Description: Noah's Classifieds is prone to an SQL injection
vulnerability. This is due to a lack of proper sanitization of
user-supplied input. The "Search" input field on the application's
search page is not sanitized before being used in SQL query input.
Noah's Classifieds version 1.3 is vulnerable.
Ref: http://www.securityfocus.com/bid/16773/exploit
______________________________________________________________________

06.8.51 CVE: CVE-2006-0727
Platform: Web Application - SQL Injection
Title: CPG Dragonfly CMS SQL Injection
Description: Dragonfly is a web-based content management system
implemented in PHP. It is prone to an SQL injection vulnerability due
to insufficient sanitization of user-supplied input to the profile
name. Dragonfly CMS version 9.0.6.1 is affected.
Ref: http://dragonflycms.org/Forums/viewtopic/t=14751.html
______________________________________________________________________

06.8.52 CVE: CVE-2006-0835
Platform: Web Application - SQL Injection
Title: Web Calendar Pro Dropbase.PHP SQL Injection
Description: Web Calendar Pro is a web-based content management system
implemented in PHP. Web Calendar Pro is prone to an SQL-injection
vulnerability due to insufficient sanitization of user-supplied input
to the "tabls" parameter of the "dropbase.php" script.
Ref: http://www.xorcrew.net/xpa/XPA-WebCalendarPro.txt
______________________________________________________________________

06.8.53 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Oi! Email Marketing System Index.PHP SQL Injection
Description: Oi! Email Marketing System is a web-based email and SMS
marketing system. It is vulnerable to an SQL injection issue due to
insufficient sanitization of user supplied input to unspecified
parameters of the "index.php" script. Oi! Email Marketing System
version 3.0 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425924
______________________________________________________________________

06.8.54 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Virtual Communication Services VPMi Enterprise
Service_Requests.ASP SQL Injection
Description: VPMi Enterprise is a project management system. It is
prone to an SQL injection vulnerability due to insufficient
sanitization of user-supplied input to the "UpdateID0" parameter in
the "Service_Requests.asp" script. Virtual Communication Services VPMi
version 3.3 is affected.
Ref: http://www.securityfocus.com/bid/16798
______________________________________________________________________

06.8.55 CVE: Not Available
Platform: Web Application
Title: Guestbox HTML Injection
Description: Guestbox is web guestbook and forum software. It is prone
to an HTML injection vulnerability due to improper sanitization of
user-supplied input before using it in dynamically generated content.
Specifically, input to the "uri" field of "guestbox.php" is not
sanitized before it is stored in a system log; other fields may also
be vulnerable.
Guestbox version 0.6 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425495
______________________________________________________________________

06.8.56 CVE: CVE-2006-0852
Platform: Web Application
Title: Admbook Remote PHP Script Code Execution
Description: Admbook is a guestbook web application. It is vulnerable
to a remote PHP script code execution issue due to insufficient
sanitization of the "X-Forwarded-For" HTTP request header in the
"write.php" script. Admbook version 1.2.2 is vulnerable.
Ref: http://www.securityfocus.com/bid/16753
______________________________________________________________________

06.8.57 CVE: CVE-2006-0833
Platform: Web Application
Title: Barracuda Directory Multiple HTML Injection Vulnerabilities
Description: Barracuda Directory is a PHP script that enables niche
links directories for Web sites. Barracuda Directory is prone to
multiple HTML injection vulnerabilities due to insufficient
sanitization of user-supplied input. Barracuda Directory version 1.1
is affected.
Ref: http://www.securityfocus.com/bid/16746/info
______________________________________________________________________

06.8.58 CVE: Not Available
Platform: Web Application
Title: Xerox WorkCentre Products HTML Injection
Description: Xerox WorkCentre and WorkCentre Pro are web capable
printers and photocopiers. They are prone to an HTML injection
vulnerability due to improper sanitization of user-supplied input
before using it in dynamically generated content. It has not been
specified which parameters and scripts are vulnerable. This issue is
reported to affect WorkCentre versions 232, 238, 245, 255, 265, 275,
and WorkCentre Pro 232, 238, 245, 255, 265, and 275; other versions
may also be vulnerable.
Ref: http://www.securityfocus.com/bid/16727
______________________________________________________________________

06.8.59 CVE: CVE-2006-0689, CVE-2006-0690, CVE-2006-0691
Platform: Web Application
Title: TTS Software Time Tracking Software Edituser.PHP Access
Validation
Description: Time Tracking Software is a time management application.
The application is prone to an access-validation vulnerability. The
application fails to perform proper access validation in the
"edituser.php" administration script. This issue is reported to affect
Time Tracking Software version 3.0; other versions may also be
vulnerable.
Ref: http://www.securityfocus.com/bid/16731/exploit
______________________________________________________________________

06.8.60 CVE: CVE-2006-0783
Platform: Web Application
Title: Siteframe Beaumont Page.PHP HTML Injection
Description: Siteframe Beaumont is a content management system
designed for the rapid deployment of community based websites. It is
prone to an HTML injection vulnerability due to insufficient
sanitization of user-supplied input to the "comment_text" field of the
"page.php" script. Siteframe Beaumont versions 5.0.2 and earlier are
affected.
Ref: http://www.securityfocus.com/archive/1/425180
______________________________________________________________________

06.8.61 CVE: Not Available
Platform: Web Application
Title: Wimpy MP3 Player Text File Overwrite Weakness
Description: Wimpy MP3 Player is a web script for playing MP3 files.
It is prone to a weakness that permits the overwriting of a text file
with arbitrary attacker-supplied data due to improper authentication.
Wimpy MP3 Player version 5 is affected.
Ref: http://www.securityfocus.com/bid/16696
______________________________________________________________________

06.8.62 CVE: Not Available
Platform: Web Application
Title: Macallan Mail Solution IMAP Commands Directory Traversal
Description: Macallan Mail Solution is a free mail server for
Microsoft Windows 2000 and XP. It supports the Microsoft Outlook and
Outlook Express mail clients. It is prone to a directory traversal
vulnerability exposed through IMAP commands. The "CREATE", "SELECT",
"DELETE", and "RENAME" commands can allow an authenticated user to
view other users' email, create or rename directories, or delete empty
directories. Macallan Mail Solution version 4.8.03.025 is vulnerable.
Ref: http://www.securityfocus.com/bid/16704
______________________________________________________________________

06.8.63 CVE: Not Available
Platform: Web Application
Title: PerlBlog Multiple Input Validation and Information Disclosure
Vulnerabilities
Description: PerlBlog is web-blog software. Insufficient
sanitization of user-supplied input exposes the application to
multiple input validation and information disclosure issues. All
current versions are affected.
Ref: http://www.securityfocus.com/bid/16707
______________________________________________________________________

06.8.64 CVE: CVE-2006-0795
Platform: Web Application
Title: Teca Scripts Quirex Convert.CGI Information Disclosure
Description: Quirex is a web-based quiz application. It is vulnerable
to a remote information disclosure issue due to insufficient
sanitization of user-supplied input to the "quiz_head", "quiz_foot",
and "template" parameters of the "convert.cgi" script. Teca Quirex
versions 2.0 and 2.0.2 are vulnerable.
Ref: http://evuln.com/vulns/78/summary.html
______________________________________________________________________

06.8.65 CVE: CVE-2006-0042
Platform: Web Application
Title: Apache Libapreq2 Quadratic Behavior Denial of Service
Description: Libapreq2 is a function library for the Apache
webserver. It is vulnerable to a denial of service due to a design
error affecting the "apreq_parse_headers()" and
"apreq_parse_urlencoded()" functions of the application. Libapreq2
versions 2.0.6 and earlier are vulnerable.
Ref: http://svn.apache.org/viewcvs.cgi/httpd/apreq/tags/v2_07/CHANGES?rev=376998&view=markup
______________________________________________________________________

06.8.66 CVE: Not Available
Platform: Web Application
Title: Teca Scripts Guestex Multiple Input Validation Vulnerabilities
Description: Guestex is web-based guestbook software. It is prone to
HTML injection and arbitrary shell command-execution issues due to a
failure in the application to properly sanitize user-supplied input.
Guestex version 1.0 is vulnerable.
Ref: http://evuln.com/vulns/76/summary.html
______________________________________________________________________

06.8.67 CVE: CVE-2006-0843
Platform: Web Application
Title: Leif M. Wright Blog Information Disclosure
Description: Blog is a web log application written in the Perl/CGI
programming language. Blog is prone to an information disclosure
vulnerability due to improper file permission settings on the
configuration files within the application's default installation
path. By way of an HTTP GET request, a remote attacker may view the
".txt" configuration file containing passwords for the application.
Blog version 3.5 is affected by this issue.
Ref: http://evuln.com/vulns/82/summary.html
______________________________________________________________________

06.8.68 CVE: Not Available
Platform: Web Application
Title: E-Blah Routines.PL HTML Injection
Description: E-Blah is web-based forum and message board software
implemented in Perl. It is prone to an HTML injection vulnerability
due to insufficient sanitization of user-supplied input to the
"HTTP_REFERER" field of the "code/routines.pl" script. E-Blah Platinum
version 9.7 is vulnerable.
Ref: http://www.securityfocus.com/bid/16713
______________________________________________________________________

06.8.69 CVE: Not Available
Platform: Web Application
Title: Leif M. Wright Blog.CGI Authorization Bypass
Description: Blog is a web log application. It is prone to an
authorization bypass vulnerability due to insufficient sanitization of
user-supplied input to the password supplied to the "blog.cgi" script.
Leif M. Wright Blog version 3.5 is vulnerable; other versions may also
be affected.
Ref: http://evuln.com/vulns/82/summary.html
______________________________________________________________________

06.8.70 CVE: Not Available
Platform: Web Application
Title: Leif M. Wright Blog HTML Injection
Description: Blog is a web-log application. It is prone to an HTML
injection vulnerability due to improper sanitization of user-supplied
input to the "HTTP_REFERER" and "HTTP_USER_AGENT" fields before
storing it in a system log. Leif M. Wright Blog version 3.5 is
vulnerable.
Ref: http://evuln.com/vulns/82/summary.html
______________________________________________________________________

06.8.71 CVE: Not Available
Platform: Web Application
Title: Coppermine Multiple File Include Vulnerabilities
Description: Coppermine is an image gallery application. It is
vulnerable to multiple local and remote file include issues due to
insufficient sanitization of user supplied input to the "lang"
parameter of the "thumbnails.php" script and the "f" parameter in the
"showdoc.php" script. Coppermine versions 1.4.3 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/425387
______________________________________________________________________

06.8.72 CVE: Not Available
Platform: Web Application
Title: e107 Website System Chatbox Plugin HTML Injection
Description: The e107 Website System is a web-based content management
system. It is prone to an HTML injection vulnerability due to
insufficient sanitization of user-supplied input. e107 website system
version 0.7.2 is affected.
Ref: http://www.securityfocus.com/bid/16719/exploit
______________________________________________________________________

06.8.73 CVE: Not Available
Platform: Web Application
Title: PHPNuke CAPTCHA Bypass Weakness
Description: PHPNuke is a web-based content management system. CAPTCHA
(completely automated public Turing test to tell computers and humans
apart) is a challenge-response test to determine whether the user is a
human or an automated script. PHPNuke employs a simple CAPTCHA
implementation called "security code" that attempts to resist
automated actions. The CAPTCHA implementation may be bypassed due to a
design error. All current versions are affected.
Ref: http://www.securityfocus.com/bid/16722
______________________________________________________________________

06.8.74 CVE: CVE-2006-0802, CVE-2006-0801, CVE-2006-0800
Platform: Web Application
Title: PostNuke Multiple Input Validation Vulnerabilities
Description: PostNuke is a content management system. It is vulnerable
to multiple input validation issues such as cross-site scripting and
SQL injection due to insufficient sanitization of user supplied data.
PostNuke version 0.762 resolved the issues.
Ref: http://news.postnuke.com/index.php?name=News&file=article&sid=2754
______________________________________________________________________

06.8.75 CVE: Not Available
Platform: Web Application
Title: Geeklog Multiple Input Validation Vulnerabilities
Description: Geeklog is a web-based content management system. It is
prone to multiple input validation vulnerabilities. These issues are
due to a failure in the application to properly sanitize user-supplied
input. Geeklog is prone to multiple SQL injection vulnerabilities.
These issues affect the "userid" parameter of the "users.php" script
and the "sessid" parameter of "lib-sessions.php". It is also prone to
an arbitrary local file include vulnerability. This issue is due to
various parameters of the "lib-common.php" script not being properly
sanitized. Geeklog versions 1.3.11-sr3 and earlier are reported to
be vulnerable.
Ref: http://www.gulftech.org/?node=research&article_id=00102-02192006
______________________________________________________________________

06.8.76 CVE: Not Available
Platform: Web Application
Title: CherryPy StaticFilter Directory Traversal
Description: CherryPy is an object oriented web development framework.
It is prone to a directory traversal vulnerability due to a failure in
the application to properly sanitize user-supplied input. This issue
presents itself in the "staticfilter" functionality of the framework.
CherryPy versions prior to 2.1.1 are vulnerable.
Ref: http://www.securityfocus.com/bid/16760
______________________________________________________________________

06.8.77 CVE: CVE-2006-0869
Platform: Web Application
Title: PEAR LiveUser Unauthorized File Access
Description: PEAR LiveUser is a set of classes for handling user
authentication and permissions. It is vulnerable to an unauthorized
file access issue due to insufficient handling of user-supplied input
with the "store_id" parameter of the "LiveUser.PHP" script. PEAR
LiveUser versions 0.16.8 and earlier are vulnerable.
Ref: http://www.gulftech.org/?node=research&article_id=00103-02212006
______________________________________________________________________

06.8.78 CVE: Not Available
Platform: Web Application
Title: PHPNuke Your_Account Module Multiple Input Validation
Vulnerabilities
Description: PHPNuke is a web-based content management system (CMS)
implemented in PHP. PHPNuke is prone to multiple input validation
vulnerabilities. PHPNuke version 7.8 is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/16774
______________________________________________________________________

06.8.79 CVE: Not Available
Platform: Web Application
Title: Mambo Open Source Unspecified Remote
Description: Mambo is a content management system. It is prone to an
unspecified remote vulnerability. The cause of this issue was not
specified. Mambo versions 4.5.3h and earlier are vulnerable.
Ref: http://mamboxchange.com/forum/forum.php?forum_id=6835
______________________________________________________________________

06.8.80 CVE: Not Available
Platform: Web Application
Title: InfoVista VistaPortal Directory Traversal
Description: VistaPortal is a web-based application enabling secure
communications to service-center performance information. It is
affected by a directory traversal issue when specially crafted URIs
containing directory traversal strings are improperly sanitized by the
application.
Ref: http://www.securityfocus.com/bid/16776
______________________________________________________________________

06.8.81 CVE: Not Available
Platform: Web Application
Title: Noah's Classifieds Local File Include
Description: Noah's Classifieds is a web based classified advertising
application. It is prone to a local file include vulnerability due to
a lack of sanitization of user-supplied input to the "otherTemplate"
parameter of the "index.php" script. Noah's Classifieds version 1.3.0
is vulnerable; other versions may be affected as well.
Ref: http://www.securityfocus.com/bid/16778/exploit
______________________________________________________________________

06.8.82 CVE: CVE-2006-0726
Platform: Web Application
Title: CPG Dragonfly CMS Linking.PHP HTML Injection
Description: Dragonfly is a web-based content management system. It is
prone to an HTML injection vulnerability due to insufficient
sanitization of user-supplied input to the "linking.php" script.
Dragonfly CMS version 9.0.6.1 is vulnerable.
Ref: http://dragonflycms.org/Forums/viewtopic/t=14751.html
______________________________________________________________________

06.8.83 CVE: Not Available
Platform: Web Application
Title: Noah's Classifieds Index.PHP Remote File Include
Description: Noah's Classifieds is a web-based classified advertising
application. It is prone to a remote file include vulnerability due to
insufficient sanitization of user-supplied input to the
"lowerTemplate" parameter of the "index.php" script. Noah's
Classifieds version 1.3.0 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425783
______________________________________________________________________

06.8.84 CVE: Not Available
Platform: Web Application
Title: Intensive Point iUser Ecommerce Unspecified Vulnerabilities
Description: Intensive Point iUser Ecommerce is a shopping cart
application. It is vulnerable to unspecified security vulnerabilities.
Intensive Point iUser Ecommerce version 2.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/16787
______________________________________________________________________

06.8.85 CVE: Not Available
Platform: Web Application
Title: NOCC Webmail Multiple Input Validation Vulnerabilities
Description: NOCC Webmail is a web-based client application. It is
vulnerable to multiple input validation issues due to insufficient
sanitization of user-supplied input. NOCC Webmail version 1.0 is
vulnerable.
Ref: http://www.securityfocus.com/archive/1/425889
______________________________________________________________________

06.8.86 CVE: Not Available
Platform: Web Application
Title: CubeCart Arbitrary File Upload
Description: CubeCart is an eCommerce script. It is prone to an
arbitrary file upload vulnerability due to a failure in the
application to properly authenticate a user before permitting a file
upload. Input to the "command" parameter of the "connector.php" script
is not properly sanitized, allowing arbitrarily named files to be
uploaded to the victim computer. CubeCart versions 3.0.7-pl1 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/16796/exploit
______________________________________________________________________

06.8.87 CVE: Not Available
Platform: Web Application
Title: PHPX XCode Tag HTML Injection
Description: PHPX is a content management application. Insufficient
sanitization of the messages containing "url" XCode tags exposes the
application to an HTML injection issue. PHPX version 3.5.9 is affected.
Ref: http://www.securityfocus.com/bid/16799
______________________________________________________________________

06.8.88 CVE: Not Available
Platform: Web Application
Title: PHPLIB Unspecified Code Execution
Description: PHPLIB is a content management application. It is
vulnerable to an unspecified code execution issue. PHPLIB version 7.4
is reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/16801/info
______________________________________________________________________

06.8.89 CVE: Not Available
Platform: Web Application
Title: DEV Web Management System HTML Injection
Description: DEV Web Management System is a content management
application. It is prone to an HTML injection vulnerability due to
insufficient sanitization of user-supplied input to the "City/Region"
field on the account registration page. DEV Web Management System
version 1.5 is vulnerable.
Ref: http://www.securityfocus.com/bid/16812/references
______________________________________________________________________

06.8.90 CVE: CVE-2006-0670
Platform: Network Device
Title: HCIDump Remote Denial of Service
Description: The "hcidump" utility reads raw HCI data from a Bluetooth
device. It is vulnerable to a remote denial of service issue when the
utility parses malformed network data. Hcidump versions 1.29 and
earlier are vulnerable.
Ref: http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
______________________________________________________________________

06.8.91 CVE: Not Available
Platform: Network Device
Title: Xerox WorkCentre Unspecified Denial of Service
Description: Xerox WorkCentre products are web capable photocopiers
and printers. They are prone to an unspecified local denial of service
vulnerability. This issue is most likely due to a failure in the
software to handle exceptional conditions. WorkCentre 232, 238, 245,
255, 265, and 275 and WorkCentre Pro 232, 238, 245, 255, 265, and 275
are reported to be affected.
Ref: http://www.xerox.com/downloads/usa/en/c/cert_XRX06_001.pdf
______________________________________________________________________

06.8.92 CVE: Not Available
Platform: Network Device
Title: Xerox WorkCentre Products Local Authentication Bypass
Description: Xerox WorkCentre products are web capable printers and
photocopiers. They are susceptible to a local authentication bypass
due to a flaw in the authentication process. WorkCentre 232, 238, 245,
255, 265, 275 and WorkCentre Pro 232, 238, 245, 255, 265, and 275 are
affected.
Ref: http://www.securityfocus.com/bid/16726
___________________________________________________________________

(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEAyEN+LUG5KFpTkYRAsE4AJ0SltcBCwD45cn5x31iKenGh11HfwCeNDqe
TFy3eERdu2gIWnzARyjM8Wk=
=owAm
-----END PGP SIGNATURE-----