RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 9

From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Mon Mar 06 2006 - 14:26:24 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apple patched several critical vulnerabilities in its Safari browser and
fixed other security problems in Mac OS X. And Oracle is recommending
its new patch be applied now.

*************************************************************************
             RISK: The Consensus Security Vulnerability Alert
March 6, 2006 Vol. 5. Week 9
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
===================================================================
Platform                                  # of Updates & Vulnerabilities
===================================================================
Other Microsoft Products                   1
Third Party Windows Apps                  11
Mac Os                                     1 (Critical)
Linux                                      7
BSD                                        1
Solaris                                    1
Unix                                       1
Cross Platform                            14
Web Application - Cross Site Scripting    16
Web Application - SQL Injection           14
Web Application                           21
Network Device                             4

************************ Sponsored by Sourcefire ************************

Sourcefire, the creator of Snort, is offering the Open Source Snort
community two comprehensive courses: "Snort: Building and Operating"
and "Snort Rules."
Purchase both Snort courses either as an instructor-led or 60-day online
training bundle and receive a FREE Snort Certified Professional exam
(save $395).
For more information: http://www.sourcefire.com/services/training_schedule.html
http://www.snort.org/training
Contact traininglist@sourcefire.com or 800.501.6008.
*************************************************************************
Upcoming Security Training in Monterey, San Diego and Washington DC

As you can see at www.sans.org, more and more SANS classes are sold out
(the red triangles) so we have begun a policy of earlier posting of new
conferences. If you are thinking about turbo charging your security
career or the careers of any of your coworkers this spring, start
planning now to go to San Diego in early May. You'll find more than a
dozen of SANS most popular courses and a vendor exposition, right on the
harbor in San Diego. http://www.sans.org/security06/

Or plan to come to Washington in July right after July 4 for the biggest
SANS Fire ever: with all 17 SANS immersion tracks and more than a dozen
special courses, a big exposition, and an inside look at how the
Internet's Early Warning System (Internet Storm Center) actually works.
Bring your family for the national fireworks show.
http://www.sans.org/sansfire06

*************************************************************************

Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Apple Cumulative Security Update 2006-001
(2) HIGH: Oracle E-Business Suite Diagnostics Pack Vulnerabilities

Exploit
(3) Internet Explorer IsComponentInstalled Overflow

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Other Microsoft Products
06.9.1 - Microsoft Internet Explorer IsComponentInstalled Buffer Overflow
 -- Third Party Windows Apps
06.9.2 - DirectContact Directory Traversal
06.9.3 - Alt-N MDaemon IMAP Server Remote Format String
06.9.4 - ArGoSoft Mail Server Pro IMAP Server Directory Traversal
06.9.5 - Multiple SpeedProject Applications Remote Directory Traversal
06.9.6 - ArGoSoft Mail Server Pro Multiple HTML Injection
06.9.7 - MTS Professional Open EMail Relay
06.9.8 - lighttpd Information Disclosure
06.9.9 - NetworkActiv Web Server Remote Script Disclosure
06.9.10 - LetterMerger Local Information Disclosure
06.9.11 - RaidenHTTPD Remote Script Disclosure
06.9.12 - Van Dyke SecureCRT and SecureFX Buffer Overflow
 -- Mac Os
06.9.13 - Apple Mac OS X Directory Services Passwd Privilege Escalation
 -- Linux
06.9.14 - Linux Kernel handle_stop_signal Denial of Service
06.9.15 - GNOME Evolution Denial of Service
06.9.16 - IRSSI DCC ACCEPT Denial of Service
06.9.17 - Linux Kernel XFS File System Local Information Disclosure
06.9.18 - Linux Kernel NFS Client Denial of Service
06.9.19 - Linux Kernel sys_mbind System Call Local Denial of Service
06.9.20 - Linux Kernel ELF File Entry Point Denial of Service
 -- BSD
06.9.21 - FreeBSD Remote NFS Mount Request Denial of Service
 -- Solaris
06.9.22 - Sun Solaris HSFS Filesystem Local Denial of Service
 -- Unix
06.9.23 - Oreka RTP Packet Handling Remote Denial of Service
 -- Cross Platform
06.9.24 - Oracle Diagnostics Multiple Vulnerabilities
06.9.25 - MySQL Query Logging Bypass
06.9.26 - phpRPC Library Remote Code Execution
06.9.27 - PHP Multiple Security Bypass Vulnerabilities
06.9.28 - Mozilla Thunderbird Multiple Remote Information Disclosure Vulnerabilities
06.9.29 - CrossFire Denial of Service
06.9.30 - SuSE YaST Online Update Script Signature Verification Bypass
06.9.31 - OpenSSH Remote PAM Denial of Service
06.9.32 - Flex Multiple Unspecified Vulnerabilities
06.9.33 - NCP Secure Client Multiple Vulnerabilities
06.9.34 - IBM WebSphere Application Server JSP Source Code Disclosure
06.9.35 - Apache mod_python FileSession Code Execution
06.9.36 - STLPort Library Multiple Buffer Overflow Vulnerabilities
06.9.37 - EMC Dantz Retrospect Backup Client Remote Denial of Service
 -- Web Application - Cross Site Scripting
06.9.38 - Cactusoft Parodia Agencyprofile.ASP Cross-Site Scripting
06.9.39 - CGI Calendar Multiple Cross-Site Scripting Vulnerabilities
06.9.40 - Calcium EventText Cross-Site Scripting
06.9.41 - QwikiWiki Index.PHP Cross-Site Scripting
06.9.42 - MyPHPNuke Multiple Cross-Site Scripting Vulnerabilities
06.9.43 - TMSPublisher Search.CFM Cross-Site Scripting
06.9.44 - EZ Publish ImageCatalogue Cross-Site Scripting
06.9.45 - bttlxeForum Failure.ASP Cross-Site Scripting Vulnerability
06.9.46 - Thomson SpeedTouch 500 Series Cross-Site Scripting
06.9.47 - Fantastic Scripts Fantastic News SQL Injection
06.9.48 - Woltlab Burning Board Multiple Cross-Site Scripting Vulnerabilities
06.9.49 - iCal Calendar Text Cross-Site Scripting
06.9.50 - EJ3 TOPo Inc_header.PHP Cross-Site Scripting
06.9.51 - PEHEPE Membership Management System Cross-Site Scripting
06.9.52 - PunBB Header.PHP Cross-Site Scripting
06.9.53 - AddSoft StoreBot Manage.ASP Cross-Site Scripting
 -- Web Application - SQL Injection
06.9.54 - Fantastic Scripts Fantastic ID Parameter SQL Injection
06.9.55 - D3Jeeb Multiple SQL Injection Vulnerabilities
06.9.56 - Cilem News Unspecified SQL Injection
06.9.57 - Pentacle In-Out Board Multiple SQL Injection Vulnerabilities
06.9.58 - phpWebSite Topics.PHP SQL Injection
06.9.59 - DCI-Taskeen Multiple SQL Injection Vulnerabilities
06.9.60 - PHP-Nuke Mainfile.PHP SQL Injection
06.9.61 - Lansuite Board Module SQL Injection
06.9.62 - AddSoft StoreBot MgrLogin.ASP SQL Injection
06.9.63 - Sendcard Multiple Unspecified SQL Injection Vulnerabilities
06.9.64 - DCI-Designs Dawaween Poems.PHP SQL Injection
06.9.65 - Woltlab Burning Board Multiple SQL Injection Vulnerabilities
06.9.66 - PluggedOut Nexus forgotten_password.PHP SQL Injection
06.9.67 - VUBB Index.PHP SQL Injection
 -- Web Application
06.9.68 - EKINboard Multiple Input Validation Vulnerabilities
06.9.69 - n8cms Multiple Input Validation Vulnerabilities
06.9.70 - ShoutLIVE Multiple Input Validation Vulnerabilities
06.9.71 - 4images Index.PHP Remote File Include
06.9.72 - Archangel Weblog Authentication Bypass
06.9.73 - freeForum Remote PHP Script Code Injection
06.9.74 - HP System Management Homepage Unspecified Directory Traversal
06.9.75 - DEV Web Management System HTML Injection
06.9.76 - SPiD Scan_Lang_Insert.PHP Local File Include
06.9.77 - FreeHostShop Website Generator Arbitrary File Upload
06.9.78 - iGenus WebMail Config_Inc.PHP Remote File Include
06.9.79 - Simple Machines X-Forwarded-For HTML Injection
06.9.80 - freeForum Multiple HTML Injection Vulnerabilities
06.9.81 - WordPress Multiple HTML Injection Vulnerabilities
06.9.82 - PEHEPE Membership Management System PHP Script Code Injection
06.9.83 - Limbo CMS Frontpage Arbitrary PHP Command Execution
06.9.84 - Issue Dealer Information Disclosure
06.9.85 - SMBlog Arbitrary PHP Command Execution
06.9.86 - UKiWEB UKiBoard FCE.PHP BBCode HTML Injection
06.9.87 - LogIT Remote File Include
06.9.88 - NZ Ecommerce Multiple Input Validation Vulnerabilities
 -- Network Device
06.9.89 - NuFW Remote TLS Connection Handling Denial of Service
06.9.90 - Netgear WGT624 Wireless Access Point Default Backdoor Account
06.9.91 - Netgear WGT624 Wireless Firewall Router Information Disclosure
06.9.92 - Compex NetPassage WPE54G Denial Of Service

********************* Sponsored Links: **********************************

1) Free WhatWorks Webcast this week - What Works in Intrusion
Prevention: Sheltering Networks with The Red Cross Tuesday, March 07
at 1:00 PM EST (1800 UTC/GMT)
http://www.sans.org/info.php?id=1050

2) Prepare for the June 10, 2006 CISA(R) Certification examination! The
SANS(R) +S Training for the CISA(R) Certification Exam course has been
specifically written to help prepare for and to pass the CISA(R) exam
while ensuring that the information presented is practical and
applicable in daily life.
New SANSHome session led by James Tarala starts March 23.
See http://www.sans.org/info.php?id=1051
*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohit Dhamankar and Rob King
at TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

*************************
Widely Deployed Software
*************************

(1) CRITICAL: Apple Cumulative Security Update 2006-001
Affected:
Mac OS X version 10.3.9 and 10.4.5 (including the server)

Description: Apple has released a cumulative security update for Mac OS
X that fixes 20 vulnerabilities. This update fixes several critical
vulnerabilities in Safari browser that can be exploited by a malicious
webpage to compromise a user's system. Exploit code for one of the
Safari flaws is publicly available and was discussed in last week's
RISK newsletter. This security update also fixes code execution
vulnerabilities in LibSystem, WebKit and rsync components. Apple also
made security enhancements to warn iChat users attempting to download
unsafe file types to prevent worms like Leap.A.

Status: Apply the Mac OS X security update 2006-001 on a priority basis.

Council Site Actions: Two of the reporting council sites are using the
affected software. One site will be distributing the patches during
their next regularly scheduled system update process. The other site
uses Apple's Software Update facility, and hence most of their systems are
already patched or will be soon.

References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=303382
Internet Storm Center Articles on this set of problems/solutions:
http://isc.sans.org/diary.php?storyid=1160
http://isc.sans.org/diary.php?storyid=1145
http://isc.sans.org/diary.php?storyid=1138
http://isc.sans.org/diary.php?storyid=1128
iDefense Advisory
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0074.html
Suresec Advisories
http://www.suresec.org/advisories/adv10.pdf
http://www.suresec.org/advisories/adv11.pdf
SANS Handler's Diary Postings
http://isc.sans.org/diary.php?storyid=1160
http://isc.sans.org/diary.php?storyid=1145
http://isc.sans.org/diary.php?storyid=1138
http://isc.sans.org/diary.php?storyid=1128
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=5&i=8#widely1
Leap.A virus
http://www.sophos.com/virusinfo/analyses/osxleapa.html
SecurityFocus BID
http://www.securityfocus.com/bid/16907

****************************************************************

(2) HIGH: Oracle E-Business Suite Diagnostics Pack Vulnerabilities
Affected:
Oracle E-business Suite Diagnostics

Description: Oracle has released a security update for Oracle E-business
diagnostics that will be included in the next critical patch update to
be released in April 2006. Oracle Diagnostics package allows an Oracle
E-business suite administrator to conduct various tests related to the
suite's configuration and functioning. Some of the Diagnostics webpages
can be accessed without any authentication, and some contain SQL
injection vulnerabilities. The technical details required to exploit
these flaws have not been posted. Note that the "HIGH" rating is based
on the fact that Oracle is advising customers to apply this patch.

Status: Apply the patch released for the Diagnostics package. A
workaround is to block access to URLs that begin with "/OA_HTML/jtfqa"
from the Internet using a firewall or an IPS.
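
The workaround above is a URL-prefix block; a practical companion is a check
of the web tier's access log for requests to that prefix that arrived from
outside the organization. The following is an added example, not code from
SANS, TippingPoint, Integrigy or Oracle. It parses constructed Common Log
Format lines and reports external hits on "/OA_HTML/jtfqa"; the internal
address ranges, the request paths after the prefix and the log lines
themselves are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import unquote

# Prefix named in the newsletter's workaround.
BLOCKED_PREFIX = "/OA_HTML/jtfqa"

# Assumed: address ranges considered "inside" for the purposes of this check.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Common Log Format: client, ident, user, [time], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; the page names after the jtfqa prefix are placeholders.
SAMPLE_LOG = """\
10.1.2.3 - - [06/Mar/2006:10:00:01 -0600] "GET /OA_HTML/jtfqa_example.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [06/Mar/2006:10:02:15 -0600] "GET /OA_HTML/jtfqa_example.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [06/Mar/2006:10:02:20 -0600] "GET /OA_HTML/jtf%71a_example.jsp?x=1 HTTP/1.1" 200 5120
198.51.100.4 - - [06/Mar/2006:10:03:00 -0600] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 2048
"""


def is_internal(ip_text: str) -> bool:
    """True if the client address falls in one of the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(ip in net for net in INTERNAL_NETS)


def is_diagnostics_request(path: str) -> bool:
    """Match the blocked prefix on the decoded path, ignoring the query string and case."""
    decoded = unquote(path.split("?", 1)[0])
    return decoded.lower().startswith(BLOCKED_PREFIX.lower())


def find_external_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, path, status) for every Diagnostics request from a non-internal client."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if is_diagnostics_request(path) and not is_internal(client):
            hits.append((client, path, status))
    return hits


if __name__ == "__main__":
    for client, path, status in find_external_hits(SAMPLE_LOG):
        print(f"external Diagnostics request: {client} {path} -> {status}")
```

The match is done on the percent-decoded, lower-cased path so that an
encoded or re-cased request does not slip past the prefix comparison; a
firewall or IPS rule written for the workaround should be checked against the
same variants.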

Council Site Actions: Only one of the reporting council sites is using
the affected software. They are still reviewing the vulnerability alert
and will most likely wait until the next Oracle quarterly update to
patch their systems.

References:
Integrigy Advisory
http://www.integrigy.com/info/IntegrigySecurityAnalysis-OracleDiag0206.pdf
CERT Advisory
http://www.kb.cert.org/vuls/id/298958
SecurityFocus BID
http://www.securityfocus.com/bid/16844

****************************************************************

*************
Exploit
*************

(3) Internet Explorer IsComponentInstalled Overflow

Description: Microsoft Internet Explorer contains a stack-based buffer
overflow in the "IsComponentInstalled" function. The overflow has
reportedly been fixed in Windows 2000 SP4 and Windows XP SP1. Exploit
code has been included in the Metasploit project.

References:
Exploit Code
http://metasploit.com/projects/Framework/exploits.html#ie_iscomponentinstalled

***********************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 9, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4922 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

______________________________________________________________________

06.9.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer IsComponentInstalled Buffer
Overflow
Description: Microsoft Internet Explorer supports the
"IsComponentInstalled()" method to report if a particular component is
installed. It is prone to a buffer overflow condition due to
insufficient bounds checking on the "sID" argument. This issue was
reportedly addressed in Windows 2000 SP4 and Windows XP SP1, however
this has not been confirmed. Internet Explorer 6 is vulnerable to this
issue; earlier versions may also be affected.
Ref: http://www.securityfocus.com/bid/16870
______________________________________________________________________

06.9.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: DirectContact Directory Traversal
Description: DirectContact is a web server for Windows platforms.
DirectContact is prone to a directory traversal vulnerability. The
problem occurs with specially crafted HTTP GET requests containing
directory traversal strings. DirectContact 0.3b is reportedly
vulnerable.
Ref: http://www.securityfocus.com/bid/16849
______________________________________________________________________

06.9.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Alt-N MDaemon IMAP Server Remote Format String
Description: Alt-N MDaemon is a Microsoft Windows-based mail server
product. It is affected by a remote format string vulnerability due to
improper sanitization of user-supplied input prior to its use in the
format-specifier argument to a formatted printing function. This issue
presents itself when an attacker submits format specification
sequences through the folder name argument of the IMAP "CREATE" and
"LIST" commands. Alt-N MDaemon 8.1.1 is reported to be vulnerable;
other versions are likely affected as well.
Ref: http://www.securityfocus.com/bid/16854/exploit
______________________________________________________________________

06.9.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: ArGoSoft Mail Server Pro IMAP Server Directory Traversal
Description: ArGoSoft Mail Server Pro is a mail server application. It
is vulnerable to a directory traversal issue due to insufficient
sanitization of user input to the IMAP "RENAME" command. ArGoSoft
Mail Server Pro version 1.8.8.1 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/425969
______________________________________________________________________

06.9.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Multiple SpeedProject Applications Remote Directory Traversal
Description: This issue affects SpeedCommander, ZipStar and Squeez.
These applications are archiving and compression applications for
Microsoft Windows. The applications are reported prone to a
vulnerability that may allow an attacker to place files and overwrite
files in arbitrary locations on a vulnerable computer. Speedproject
ZipStar 5.1, Speedproject Squeez 5.1 and Speedproject SpeedCommander
11.0 Build 4450 are affected.
Ref: http://www.securityfocus.com/bid/16807/exploit
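
Entries 06.9.2, 06.9.4 and 06.9.5 are all the same defect: a client-supplied
name (an HTTP request path, an IMAP mailbox name, an archive entry) is joined
to a server-side directory without confining it. The function below is an
added example, not code from any of the products named in this issue. It
applies one strict policy to all three cases: URL-decode once, treat both
separator styles alike, refuse absolute paths and drive letters, refuse any
".." segment, and allow only a conservative character set per segment (the
character whitelist is an assumption of the example).

```python
import re
from typing import Dict, Iterable, Optional
from urllib.parse import unquote

# Assumed whitelist: each path segment must start with an alphanumeric and
# contain only alphanumerics, dot, underscore or hyphen.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UnsafePath(ValueError):
    """Raised when a client-supplied name could escape the intended root."""


def safe_relative_path(user_path: str) -> str:
    """Return a normalized relative path confined to the root, or raise UnsafePath."""
    # Undo one level of URL-encoding, as a web server would before hitting the filesystem.
    p = unquote(user_path)
    # Windows servers and archive tools accept both separators; normalize before checking.
    p = p.replace("\\", "/")
    # Absolute paths, UNC paths and drive letters never belong inside a document root.
    if p.startswith("/") or re.match(r"^[A-Za-z]:", p):
        raise UnsafePath(f"absolute path rejected: {user_path!r}")
    parts = []
    for seg in p.split("/"):
        if seg in ("", "."):
            continue  # collapse "//" and "./"
        if seg == "..":
            raise UnsafePath(f"traversal sequence rejected: {user_path!r}")
        if not SEGMENT_RE.match(seg):
            # Catches double-encoding such as "%2e%2e" left over after one decode.
            raise UnsafePath(f"disallowed characters in segment: {seg!r}")
        parts.append(seg)
    if not parts:
        raise UnsafePath("empty path")
    return "/".join(parts)


def target_under_root(root: str, user_path: str) -> str:
    """Final on-disk location for a request or archive entry, always below root."""
    return root.rstrip("/") + "/" + safe_relative_path(user_path)


def classify(names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each candidate name to its accepted relative form, or None if rejected."""
    result: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            result[name] = safe_relative_path(name)
        except UnsafePath:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed sample names of the kind seen in requests and archive listings.
    for name, accepted in classify([
        "docs/readme.txt", "a/./b//c.txt", "../../outside.txt",
        "..%2F..%2Foutside.txt", "%252e%252e/x.txt", "C:\\Windows\\x.ini",
        "\\\\server\\share\\x", "%2e%2e/x.txt",
    ]).items():
        print(f"{name!r:30} -> {accepted}")
```

Rejecting ".." outright rather than normalizing it away is deliberate: a
server has no legitimate reason to accept a client-supplied parent reference,
and normalization logic is where most traversal bypasses have historically
lived.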
______________________________________________________________________

06.9.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: ArGoSoft Mail Server Pro Multiple HTML Injection
Description: ArGoSoft Mail Server is an SMTP, POP3 and Finger server.
Insufficient sanitization of email headers such as "subject" and
"from" exposes the application to an HTML injection issue. ArGoSoft
Mail Server Pro 1.8.8.5 and earlier are affected.
Ref: http://www.securityfocus.com/bid/16834
______________________________________________________________________

06.9.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: MTS Professional Open EMail Relay
Description: MTS Professional is an SMTP/POP3 email server for the
Microsoft Windows platform. It is susceptible to a remote
open-email-relay vulnerability. This issue is due to a failure in the
application to properly verify the source of mail before forwarding
it.
Ref: http://www.securityfocus.com/bid/16840
______________________________________________________________________

06.9.8 CVE: CVE-2006-0814
Platform: Third Party Windows Apps
Title: lighttpd Information Disclosure
Description: lighttpd is a web server. It is affected by an
information disclosure issue due to insufficient sanitization of the
GET request. lighttpd versions prior to 1.4.10a for Windows are
affected.
Ref: http://www.securityfocus.com/bid/16893
______________________________________________________________________

06.9.9 CVE: CVE-2006-0815
Platform: Third Party Windows Apps
Title: NetworkActiv Web Server Remote Script Disclosure
Description: NetworkActiv Web Server is vulnerable to an information
disclosure issue because the application fails to properly validate
file extensions in an HTTP GET request. NetworkActiv Web Server
versions 3.5.15 and earlier are vulnerable.
Ref: http://secunia.com/secunia_research/2006-10/advisory/
______________________________________________________________________

06.9.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: LetterMerger Local Information Disclosure
Description: LetterMerger is an alternative to the Microsoft Word mail
merge tool. It is prone to a local information disclosure
vulnerability. The issue exists because the application stores data
with insecure permissions in a Microsoft Access database. LetterMerger
version 1.2 is vulnerable.
Ref: http://www.securityfocus.com/bid/16917
______________________________________________________________________

06.9.11 CVE: CVE-2006-0949
Platform: Third Party Windows Apps
Title: RaidenHTTPD Remote Script Disclosure
Description: RaidenHTTPD is a web server. It is vulnerable to an
information disclosure issue when the application fails to properly
validate file extensions in an HTTP GET request. RaidenHTTPD versions
1.1.47 and earlier are vulnerable.
Ref: http://secunia.com/secunia_research/2006-15/advisory/
______________________________________________________________________

06.9.12 CVE: Not Available
Platform: Third Party Windows Apps
Title: Van Dyke SecureCRT and SecureFX Buffer Overflow
Description: Van Dyke Software SecureCRT is a Secure Shell (SSH)
client and SecureFX is a secure file transfer client. They are
vulnerable to a buffer overflow issue when unicode strings are
converted to narrow strings. Van Dyke Software SecureCRT versions
5.0.4 and earlier are vulnerable. SecureFX versions 3.0.4 and earlier
are vulnerable.
Ref: http://www.vandyke.com/products/securefx/history.txt
http://www.vandyke.com/products/securecrt/history.txt
______________________________________________________________________

06.9.13 CVE: CVE-2005-2713, CVE-2005-2714
Platform: Mac Os
Title: Apple Mac OS X Directory Services Passwd Privilege Escalation
Description: Apple Mac OS X Directory Services implements the "passwd"
utility to allow users to change their passwords. It is affected by
two issues which result in privilege escalation issues. These issues
were originally described in Apple Mac OS X Security Update 2006-001.
Ref: http://www.securityfocus.com/bid/16910
______________________________________________________________________

06.9.14 CVE: CVE-2005-3847
Platform: Linux
Title: Linux Kernel handle_stop_signal Denial of Service
Description: Linux kernel is prone to a denial of service
vulnerability caused by a race condition. The issue resides in the
"handle_stop_signal()" function in "signal.c". It arises when a core
dump is triggered in one thread while another thread has a pending
SIGKILL.
Ref:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dd12f48d4e8774415b528d3991ae47c28f26e1ac;hp=ade6648b3b11a5d81f6f28135193ab6d85d621db
______________________________________________________________________

06.9.15 CVE: CVE-2006-0040
Platform: Linux
Title: GNOME Evolution Denial of Service
Description: Evolution is an email client for the GNOME desktop. It is
vulnerable to a remote denial of service issue due to a failure in the
application to properly handle incoming emails consisting of a large
number of URI and other formatting. This issue is compounded when the
application is restarted, as it will attempt to process the same
malicious email. GNOME Evolution versions 2.3.7 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/16899
______________________________________________________________________

06.9.16 CVE: Not Available
Platform: Linux
Title: IRSSI DCC ACCEPT Denial of Service
Description: IRSSI is an Internet Relay Chat (IRC) client. It is
vulnerable to a remote denial of service issue because the DCC ACCEPT
command handler does not verify remotely specified arguments. IRSSI
versions 0.8.9 and 0.8.10rc5 are vulnerable.
Ref: http://www.securityfocus.com/bid/16913
______________________________________________________________________

06.9.17 CVE: CVE-2006-0554
Platform: Linux
Title: Linux Kernel XFS File System Local Information Disclosure
Description: The Linux kernel contains support for the XFS filesystem
by SGI. It is susceptible to a local information disclosure issue due
to a flaw in the filesystem that may result in previously written data
being returned to local users. This issue arises when certain
"ftruncate()" activity triggers a flaw that may result in data extents
being exposed to local users where holes should be. Linux kernel
versions prior to 2.6.15.5 are affected.
Ref: http://www.securityfocus.com/bid/16844
______________________________________________________________________

06.9.18 CVE: CVE-2006-0555
Platform: Linux
Title: Linux Kernel NFS Client Denial of Service
Description: Linux kernel NFS client is prone to a local denial of
service vulnerability. This issue is due to improper handling of the
direct I/O with excessive O_DIRECT data. For more information on
affected versions, please follow the reference link.
Ref: http://www.securityfocus.com/bid/16922
______________________________________________________________________

06.9.19 CVE: Not Available
Platform: Linux
Title: Linux Kernel sys_mbind System Call Local Denial of Service
Description: The Linux kernel "sys_mbind" system call is vulnerable to
a local denial of service issue due to insufficient sanitization in
the system call's arguments.
Linux kernel versions 2.6.15.4 and earlier are vulnerable.
Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5
______________________________________________________________________

06.9.20 CVE: CVE-2006-0741
Platform: Linux
Title: Linux Kernel ELF File Entry Point Denial of Service
Description: Linux kernel is vulnerable to a denial of service when
opening malformed ELF files with a bad entry address. Intel EM64T
processors running Linux kernel versions 2.6.15.4 and earlier are
vulnerable.
Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5
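
The entry above concerns an ELF file whose entry address is bad. The
following added example (not kernel code and not from the referenced
changelog) is a small ELF64 parser that reads the header and program header
table and reports whether e_entry lies inside an executable PT_LOAD segment,
which is one sanity check a loader or a file-intake scanner can apply before
handing a binary to the kernel. It builds its own minimal, constructed ELF64
image for testing; that image is not a runnable binary, and the segment
address and size used are assumptions.

```python
import struct
from typing import List, Tuple

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
PT_LOAD = 1
PF_X = 1
PF_R = 4
# Little-endian ELF64 header (64 bytes) and program header (56 bytes) layouts.
EHDR_FMT = "<16sHHIQQQIHHHHHH"
PHDR_FMT = "<IIQQQQQQ"


class BadElf(ValueError):
    """Raised for input that is not a well-formed little-endian ELF64 image."""


def load_segments(data: bytes) -> Tuple[int, List[Tuple[int, int, int]]]:
    """Return (e_entry, [(p_flags, p_vaddr, p_memsz), ...]) for the PT_LOAD entries."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        raise BadElf("not an ELF file")
    if data[4] != ELFCLASS64:
        raise BadElf("only ELF64 is handled here")
    (_ident, _e_type, _e_machine, _e_version, e_entry, e_phoff, _e_shoff, _e_flags,
     _e_ehsize, e_phentsize, e_phnum, _e_shentsize, _e_shnum,
     _e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise BadElf("unexpected program header size")
    segs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            raise BadElf("program header table runs past end of file")
        (p_type, p_flags, _p_offset, p_vaddr, _p_paddr, _p_filesz, p_memsz,
         _p_align) = struct.unpack_from(PHDR_FMT, data, off)
        if p_type == PT_LOAD:
            segs.append((p_flags, p_vaddr, p_memsz))
    return e_entry, segs


def entry_is_sane(data: bytes) -> bool:
    """True only if e_entry falls inside an executable PT_LOAD segment's memory range."""
    e_entry, segs = load_segments(data)
    return any(
        (flags & PF_X) != 0 and vaddr <= e_entry < vaddr + memsz
        for flags, vaddr, memsz in segs
    )


def make_test_elf(entry: int, seg_vaddr: int = 0x400000, seg_memsz: int = 0x1000) -> bytes:
    """Constructed minimal ELF64 image with one executable PT_LOAD segment (test fixture only)."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + bytes(9)  # class, little-endian, version 1
    ehdr_size = struct.calcsize(EHDR_FMT)
    phdr_size = struct.calcsize(PHDR_FMT)
    # e_type=2 (EXEC), e_machine=62 (x86-64), one program header directly after the ELF header.
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, entry, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, PF_X | PF_R, 0, seg_vaddr, seg_vaddr,
                       0, seg_memsz, 0x1000)
    return ehdr + phdr


if __name__ == "__main__":
    for entry in (0x400080, 0x401000, 0xFFFFFFFFFFFFFFFF):
        print(f"e_entry={entry:#x}: {'ok' if entry_is_sane(make_test_elf(entry)) else 'BAD'}")
```

The check is deliberately conservative: an entry point outside every
executable segment is never a legitimate program, so a scanner can reject
such files without understanding anything else about the binary.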
______________________________________________________________________

06.9.21 CVE: Not Available
Platform: BSD
Title: FreeBSD Remote NFS Mount Request Denial of Service
Description: FreeBSD is susceptible to a remote denial of service
vulnerability. This issue is due to a flaw in affected kernels that
potentially results in a crash when handling malformed NFS mount
requests.
Ref: http://www.securityfocus.com/bid/16838/exploit
______________________________________________________________________

06.9.22 CVE: Not Available
Platform: Solaris
Title: Sun Solaris HSFS Filesystem Local Denial of Service
Description: Sun Solaris is prone to a local denial of service issue
that affects multiple locations of the "hsfs" module. A local
unprivileged attacker can cause a system panic.
Ref: http://www.securityfocus.com/bid/16816
______________________________________________________________________

06.9.23 CVE: CVE-2006-0912
Platform: Unix
Title: Oreka RTP Packet Handling Remote Denial of Service
Description: Oreka is a freely available, open-source audio recording
application. Oreka is susceptible to a remote denial of service
vulnerability. This issue is due to the application's failure to
properly handle unspecified sequences of RTP packets. Oreka versions
prior to 0.5 are affected by this issue.
Ref: http://oreka.sourceforge.net/about/news?id=2006-02-16/0.5-release
______________________________________________________________________

06.9.24 CVE: Not Available
Platform: Cross Platform
Title: Oracle Diagnostics Multiple Vulnerabilities
Description: The Oracle Diagnostics module (IZU) is a troubleshooting
feature of the Oracle E-Business Suite 11i. It is affected by multiple
vulnerabilities including SQL injection. All current versions are
affected.
Ref: http://www.securityfocus.com/bid/16844
______________________________________________________________________

06.9.25 CVE: Not Available
Platform: Cross Platform
Title: MySQL Query Logging Bypass
Description: MySQL is susceptible to a query logging bypass
vulnerability. This issue is due to a discrepancy between the handling
of NULL bytes in input data in the "mysql_real_query()" function, and
the query logging functionality. If an attacker issues queries against
a vulnerable database with query logging enabled, they can include
NULL bytes in order to truncate the query in the log. MySQL version
5.0.18 is affected.
Ref: http://www.securityfocus.com/bid/16850
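
The defect described above is a length-aware query path paired with a
NUL-terminated logging path. The added example below (not MySQL code and not
from the referenced advisory) models that discrepancy so the failure mode is
concrete: one function returns what a C-string consumer sees, one writes a
length-aware, escaped log line that keeps the whole query, and one audits a
batch of queries for the mismatch. The sample queries are constructed.

```python
from typing import List

NUL = "\x00"


def cstring_view(query: str) -> str:
    """What a NUL-terminated consumer records: everything before the first NUL byte."""
    idx = query.find(NUL)
    return query if idx < 0 else query[:idx]


def escape_for_log(query: str) -> str:
    """Length-aware log encoding: NUL and other control characters become visible escapes."""
    out = []
    for ch in query:
        if ch == NUL:
            out.append("\\0")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def audit_queries(queries: List[str]) -> List[str]:
    """Return the queries whose NUL-terminated log form would differ from what was executed."""
    return [q for q in queries if cstring_view(q) != q]


# Constructed sample: the second query carries a NUL byte, so a C-string logger
# would record only "SELECT * FROM accounts" while the server executed the whole text.
SAMPLE_QUERIES = [
    "SELECT 1",
    "SELECT * FROM accounts" + NUL + " WHERE id = 42",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print("executed :", escape_for_log(q))
        print("logged   :", cstring_view(q))
    print("mismatches:", len(audit_queries(SAMPLE_QUERIES)))
```

The practical point for a defender is that a query log on an affected version
is not a complete record of what ran; an escaped, length-aware encoding is the
property to look for in whatever logging layer replaces it.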
______________________________________________________________________

06.9.26 CVE: Not Available
Platform: Cross Platform
Title: phpRPC Library Remote Code Execution
Description: phpRPC is an xmlrpc library that uses database and
rpc-protocol abstraction. It is prone to a remote code execution
vulnerability because the "decode()" function within the
"rpc_decoder.php" script fails to adequately sanitize user-supplied
input before processing it in an "eval()" call. Successful
exploitation would result in arbitrary code execution in the context
of the application. PHP scripts that implement the phpRPC library,
such as RunCMS, may also be affected by this issue.
Ref: http://www.securityfocus.com/bid/16833
______________________________________________________________________

06.9.27 CVE: Not Available
Platform: Cross Platform
Title: PHP Multiple Security Bypass Vulnerabilities
Description: PHP is prone to multiple input validation
vulnerabilities. These issues could allow an attacker to bypass the
"safe_mode" and "open_basedir" security settings to obtain sensitive
information. The first issue exists because the "mb_send_mail()"
function does not properly validate user-supplied input to the
"additional_parameter" parameter. The second issue occurs because
various PHP IMAP functions do not properly validate user-supplied
input. The IMAP vulnerabilities exist in PHP version 4.4.2 compiled
with c_client 2004g; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/16878/exploit
______________________________________________________________________

06.9.28 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Thunderbird Multiple Remote Information Disclosure
Vulnerabilities
Description: Mozilla Thunderbird is susceptible to multiple remote
information disclosure vulnerabilities. These issues are due to a
failure of the application to properly enforce the restriction for
downloading remote content in email messages. These issues allow
remote attackers to gain access to potentially sensitive information,
aiding them in further attacks. Mozilla Thunderbird version 1.5 is
vulnerable to these issues.
Ref: http://www.securityfocus.com/archive/1/426347
______________________________________________________________________

06.9.29 CVE: CVE-2006-0677
Platform: Cross Platform
Title: CrossFire Denial of Service
Description: CrossFire is a multiplayer role playing game for multiple
operating systems. It is prone to a remote denial of service
vulnerability due to a design error in the application. By turning on
the "oldsocketmode" option in the application, and then sending an
overly large request, an attacker can exploit this issue. Crossfire
version 1.8 is reported to be vulnerable.
Ref: http://aluigi.altervista.org/poc.htm
______________________________________________________________________

06.9.30 CVE: CVE-2006-0803
Platform: Cross Platform
Title: SuSE YaST Online Update Script Signature Verification Bypass
Description: SuSE YaST Online Update (YOU) is a software update
utility that facilitates the installation of software updates from an
online repository. The YaST Online Update is affected by a design
error that could allow malicious scripts to bypass signature
verification.
Ref: http://www.securityfocus.com/bid/16889
______________________________________________________________________

06.9.31 CVE: CVE-2006-0883
Platform: Cross Platform
Title: OpenSSH Remote PAM Denial of Service
Description: OpenSSH is susceptible to a remote denial of service
vulnerability. This issue arises when OpenSSH is configured with
PrivilegeSeparation enabled, as well as configured to utilize OpenPAM
as an authentication system. In this configuration, OpenSSH forks an
unprivileged process to handle incoming connections, and another
process to interact with the PAM authentication system. If the
unprivileged process handling the incoming connection terminates while
PAM authentication is underway, the OpenSSH master process mistakenly
counts the orphaned child PAM processes in its connection
accounting code. If an attacker causes many of these connections to be
counted in this manner, the OpenSSH master process will believe that
it is overloaded and it will stop accepting new connections. OpenSSH
in conjunction with OpenPAM on FreeBSD versions 5.3 and 5.4 is
affected by this issue. Other operating systems and versions may also
be affected.
Ref: http://www.securityfocus.com/bid/16892
______________________________________________________________________

06.9.32 CVE: Not Available
Platform: Cross Platform
Title: Flex Multiple Unspecified Vulnerabilities
Description: GNU Flex is a tool for generating lexical analyzers. It
is vulnerable to multiple unspecified security issues. GNU Flex
versions 2.5.32 and 2.5.30 are vulnerable.
Ref: http://secunia.com/advisories/19071/
______________________________________________________________________

06.9.33 CVE: Not Available
Platform: Cross Platform
Title: NCP Secure Client Multiple Vulnerabilities
Description: NCP Secure Client is a commercial VPN and firewall
application that is available for multiple platforms including
Microsoft Windows and Linux. It is susceptible to multiple
vulnerabilities. NCP Secure Client version 8.11 Build 146 on Microsoft
Windows is vulnerable to these issues; other versions may also be
affected.
Ref: http://www.securityfocus.com/bid/16906
______________________________________________________________________

06.9.34 CVE: Not Available
Platform: Cross Platform
Title: IBM WebSphere Application Server JSP Source Code Disclosure
Description: IBM WebSphere Application Server is prone to a source
code disclosure vulnerability. An attacker can exploit this issue by
supplying malformed HTTP requests to the server to disclose JSP source
code. This issue allows remote attackers to gain access to the
contents of potentially sensitive JSP source pages, aiding them in
further attacks. Versions 5.0.2 and 5.1.1 of the software are
vulnerable.
Ref: http://www-1.ibm.com/support/docview.wss?uid=swg21231377
______________________________________________________________________

06.9.35 CVE: Not Available
Platform: Cross Platform
Title: Apache mod_python FileSession Code Execution
Description: Apache's mod_python is a module which allows the web
server to interpret Python scripts. Apache mod_python is prone to a
code execution vulnerability. Reports indicate that this issue affects
the FileSession object of mod_python. It should be noted that this
issue only affects mod_python version 3.2.7 and only arises if
FileSession has been enabled, which is not enabled by default.
Ref: http://www.cgisecurity.com/2006/02/07
______________________________________________________________________

06.9.36 CVE: Not Available
Platform: Cross Platform
Title: STLPort Library Multiple Buffer Overflow Vulnerabilities
Description: STLport is a freely available, open source C++ Standard
Template Library (STL). The STLport library is susceptible to multiple
buffer overflow vulnerabilities. These issues are due to improper
boundary checking of user-supplied input prior to copying it to
insufficiently sized memory buffers. The first issues are due to
several incorrectly-bounded uses of the "strcpy()" function in the
"src/c_locale_glibc/c_locale_glibc2.c" source file. STLport versions
prior to 5.0.2 are affected by these issues.
Ref: http://www.securityfocus.com/bid/16928
______________________________________________________________________

06.9.37 CVE: Not Available
Platform: Cross Platform
Title: EMC Dantz Retrospect Backup Client Remote Denial of Service
Description: Dantz Retrospect Backup client is a network backup client
for Windows and Apple OS X platforms. It is affected by a remote
denial of service if it receives malformed data on TCP port 497. This
issue has been addressed in Retrospect Backup Client 6.5.138 and
7.0.109.
Ref: http://www.securityfocus.com/bid/16933
______________________________________________________________________

06.9.38 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Cactusoft Parodia Agencyprofile.ASP Cross-Site Scripting
Description: Parodia is a web-based job board application. It is prone
to a cross-site scripting vulnerability due to improper sanitization
of user-supplied input to the "AG_ID" parameter of the
"agencyprofile.asp" script. CactuSoft Parodia version 6.2 is
vulnerable.
Ref: http://www.securityfocus.com/bid/16865
______________________________________________________________________

06.9.39 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: CGI Calendar Multiple Cross-Site Scripting Vulnerabilities
Description: CGI Calendar is a freely available online calendar
application. It is prone to multiple cross-site scripting
vulnerabilities due to insufficient sanitization of user-supplied
input to various scripts. CGI Calendar version 2.7 is vulnerable.
Ref: http://www.securityfocus.com/bid/16859
______________________________________________________________________

06.9.40 CVE: CVE-2006-0889
Platform: Web Application - Cross Site Scripting
Title: Calcium EventText Cross-Site Scripting
Description: Calcium is a web-based calendar application for any
platform that supports Perl CGI scripts. Calcium is prone to a
cross-site scripting vulnerability. Calcium version 3.10.1 is
vulnerable.
Ref: http://www.securityfocus.com/bid/16851
______________________________________________________________________

06.9.41 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: QwikiWiki Index.PHP Cross-Site Scripting
Description: QwikiWiki is a web-based wiki application implemented in
PHP. It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "page"
parameter of the "index.php" script. QwikiWiki version 1.4 is
affected.
Ref: http://www.securityfocus.com/bid/16874
______________________________________________________________________

06.9.42 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: MyPHPNuke Multiple Cross-Site Scripting Vulnerabilities
Description: MyPHPNuke is a web-based content management system
written in PHP. It is prone to multiple cross-site scripting
vulnerabilities due to insufficient sanitization of user-supplied
input to the "letter" parameter of the "reviews.php" script, and the
"category" parameter of the "download.php" script. myPHPNuke version
1.8.8 is vulnerable.
Ref: http://www.securityfocus.com/bid/16815
______________________________________________________________________

06.9.43 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: TMSPublisher Search.CFM Cross-Site Scripting
Description: tmsPublisher is a web-based content management system
implemented in ColdFusion. Insufficient sanitization of the
"search.cfm" script exposes the application to a cross-site scripting
issue.
Ref: http://www.securityfocus.com/bid/16816
______________________________________________________________________

06.9.44 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: EZ Publish ImageCatalogue Cross-Site Scripting
Description: eZ Publish is a web-based content management system.
Insufficient sanitization of the "RefererURL" parameter in the
"imagecatalogue" module exposes the application to a cross-site
scripting issue.
Ref: http://www.securityfocus.com/bid/16817
______________________________________________________________________

06.9.45 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: bttlxeForum Failure.ASP Cross-Site Scripting Vulnerability
Description: bttlxeForum is a web forum application. It is vulnerable to
a cross-site scripting issue due to insufficient sanitization of
user-supplied input to the "err_txt" parameter of the "failure.asp"
script. Battleaxe Software bttlxeForum version 2.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/16821
______________________________________________________________________

06.9.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Thomson SpeedTouch 500 Series Cross-Site Scripting
Description: The SpeedTouch 500 series are ADSL modems that have a
built-in web interface for configuration. The SpeedTouch 500 series
are prone to a cross-site scripting vulnerability. An attacker may
leverage this issue to have arbitrary script code executed in the
browser of an unsuspecting user in the context of the affected site.
Ref: http://www.securityfocus.com/archive/1/426186
______________________________________________________________________

06.9.47 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Fantastic Scripts Fantastic News SQL Injection
Description: Fantastic News is a web-based bulletin board written in
PHP. It is prone to an SQL injection vulnerability. Fantastic News
version 2.1.1 is affected.
Ref: http://www.securityfocus.com/archive/1/426195
______________________________________________________________________

06.9.48 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Woltlab Burning Board Multiple Cross-Site Scripting
Vulnerabilities
Description: Woltlab Burning Board is a web-based bulletin board
package. It is vulnerable to multiple cross-site scripting issues due
to insufficient sanitization of user-supplied input to the "username"
parameter of the "galerie_index.php" script and the "inpic" parameter
of the "galerie_onfly.php" script. Woltlab Burning Board versions 2.7
and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/16843
______________________________________________________________________

06.9.49 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: iCal Calendar Text Cross-Site Scripting
Description: Brown Bear Software iCal is a web-based calendar
application. It is vulnerable to a cross-site scripting issue due to
insufficient sanitization of user-supplied input to the "Calendar
Text" parameter. Brown Bear Software iCal version 3.10 is vulnerable.
Ref: http://www.securityfocus.com/bid/16845/info
______________________________________________________________________

06.9.50 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: EJ3 TOPo Inc_header.PHP Cross-Site Scripting
Description: EJ3 TOPo is a topsite ranking application implemented in
PHP. EJ3 TOPo is prone to a cross-site scripting vulnerability. This
issue is due to the application's failure to properly sanitize
user-supplied input to the "gTopNomBer" parameter of the
"inc_header.php" script. EJ3 TOPo version 2.2.178 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/426318
______________________________________________________________________

06.9.51 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PEHEPE Membership Management System Cross-Site Scripting
Description: PEHEPE Membership Management System is a member directory
application. It is vulnerable to a cross-site scripting issue due to
insufficient sanitization of user-supplied input to the "kul_adi"
parameter of the "sol_menu.php" script. PEHEPE Membership Management
System version 3 is vulnerable.
Ref: http://yns.zaxaz.com/2006/02/
______________________________________________________________________

06.9.52 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PunBB Header.PHP Cross-Site Scripting
Description: PunBB is a bulletin board application written in PHP. It
is prone to a cross-site scripting vulnerability. PunBB version 1.2.10
is vulnerable.
Ref: http://www.punbb.org/changelogs/1.2.10_to_1.2.11.txt
______________________________________________________________________

06.9.53 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: AddSoft StoreBot Manage.ASP Cross-Site Scripting
Description: StoreBot is web-based shopping cart software implemented
in ASP. StoreBot is prone to a cross-site scripting vulnerability.
AddSoft StoreBot 2002 Standard Edition is vulnerable.
Ref: http://www.securityfocus.com/bid/16898
______________________________________________________________________

06.9.54 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Fantastic Scripts Fantastic ID Parameter SQL Injection
Description: Fantastic News is a web-based bulletin board. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "id" parameter of the "news.php" script.
Fantastic News version 2.1.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/16860
______________________________________________________________________

06.9.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: D3Jeeb Multiple SQL Injection Vulnerabilities
Description: D3Jeeb is a web application. It is vulnerable to multiple
SQL injection issues due to insufficient sanitization of user-supplied
input to the "catid" parameter of "fastlinks.php" and "catogary.php"
scripts. D3Jeeb Pro version 3 is vulnerable.
Ref: http://secunia.com/advisories/19062/
______________________________________________________________________

06.9.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Cilem News Unspecified SQL Injection
Description: Cilem News is a news-related web application with a
database back end. Cilem News is prone to an unspecified SQL injection
vulnerability. Cilem News versions 1.1 and 1.0 are vulnerable.
Ref: http://www.securityfocus.com/bid/16813
______________________________________________________________________

06.9.57 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Pentacle In-Out Board Multiple SQL Injection Vulnerabilities
Description: Pentacle In-Out Board is a web-based bulletin board
application. It is vulnerable to multiple SQL injection issues due to
insufficient sanitization of user-supplied input to the "password"
parameter of the "login.asp" script, and the "newsid" parameter of the
"newsdetailsview.asp" script. Pentacle In-Out Board version 6.03 is
vulnerable.
Ref: http://www.securityfocus.com/bid/16818
______________________________________________________________________

06.9.58 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpWebSite Topics.PHP SQL Injection
Description: phpWebSite is a content management system implemented in
PHP. It is prone to an SQL injection vulnerability due to insufficient
sanitization of user-supplied input to the "topic" parameter of the
"topics.php" script. phpWebSite versions 0.10.2 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/16825
______________________________________________________________________

06.9.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: DCI-Taskeen Multiple SQL Injection Vulnerabilities
Description: DCI-Taskeen is a web-based application. Insufficient
sanitization of the "id" and "action" parameters of the "basket.php"
script and the "id" and "page" parameters of the "cat.php" script
exposes the application to multiple SQL injection issues.
Ref: http://www.securityfocus.com/bid/16828
______________________________________________________________________

06.9.60 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP-Nuke Mainfile.PHP SQL Injection
Description: PHP-Nuke is a web-based content management application.
It is vulnerable to an SQL injection issue due to insufficient
sanitization of user-supplied input to the "mainfile.php" script.
PHP-Nuke version 7.8 is vulnerable.
Ref: http://www.waraxe.us/advisory-47.html
______________________________________________________________________

06.9.61 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Lansuite Board Module SQL Injection
Description: Lansuite is a Lanparty administration application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "fid" parameter of the Board module.
Lansuite version 2.1.0 Beta is vulnerable.
Ref: http://milw0rm.com/id.php?id=1526
http://secunia.com/advisories/19048/
______________________________________________________________________

06.9.62 CVE: Not Available
Platform: Web Application - SQL Injection
Title: AddSoft StoreBot MgrLogin.ASP SQL Injection
Description: StoreBot is web-based shopping cart software. It is prone
to an SQL injection vulnerability due to improper sanitization of
user-supplied input to the "Pwd" parameter of the "MgrLogin.asp"
script. AddSoft StoreBot 2005 Professional Edition is vulnerable.
Ref: http://www.securityfocus.com/bid/16897
______________________________________________________________________

06.9.63 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Sendcard Multiple Unspecified SQL Injection Vulnerabilities
Description: Sendcard is a web-based application for the creation and
sending of e-cards. Insufficient sanitization of user-supplied input
exposes the application to an SQL injection issue. Sendcard versions
3.3.0 and earlier are affected.
Ref: http://www.securityfocus.com/bid/16900
______________________________________________________________________

06.9.64 CVE: Not Available
Platform: Web Application - SQL Injection
Title: DCI-Designs Dawaween Poems.PHP SQL Injection
Description: DCI-Designs Dawaween is a web application implemented in
PHP. It is prone to an SQL injection vulnerability due to insufficient
sanitization of user-supplied input to the "id" parameter of the
"poems.php" script. Dawaween version 1.03 is reportedly affected.
Ref: http://www.securityfocus.com/bid/16909
______________________________________________________________________

06.9.65 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Woltlab Burning Board Multiple SQL Injection Vulnerabilities
Description: Woltlab Burning Board is a bulletin board application. It
is vulnerable to multiple SQL injection issues due to insufficient
sanitization of user-supplied input to the "fileid" parameter of the
"info_db.php" and "database.php" scripts. Woltlab Burning Board
versions 2.7 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/426583
______________________________________________________________________

06.9.66 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PluggedOut Nexus forgotten_password.PHP SQL Injection
Description: PluggedOut Nexus is a web-based community application. It
is prone to an SQL injection vulnerability due to improper
sanitization of user-supplied input to the "forgotten_password.php"
script. Nexus version 0.1 is reported to be affected.
Ref: http://www.securityfocus.com/bid/16915/exploit
______________________________________________________________________

06.9.67 CVE: Not Available
Platform: Web Application - SQL Injection
Title: VUBB Index.PHP SQL Injection
Description: VUBB is an interactive forum application, written in PHP.
It is prone to an SQL injection vulnerability due to insufficient
sanitization of user-supplied input to the "pass" cookie parameter in
the "index.php" script. VUBB version 0.2 is vulnerable.
Ref: http://milw0rm.com/id.php?id=1543
______________________________________________________________________

06.9.68 CVE: CVE-2005-3638
Platform: Web Application
Title: EKINboard Multiple Input Validation Vulnerabilities
Description: EKINboard is a web-based forum application. It is
vulnerable to multiple input validation issues due to insufficient
sanitization of the user-supplied input. Issues include SQL injections
and cross-site scripting. EKINboard version 1.0.3 is vulnerable.
Ref: http://secunia.com/advisories/19045/
______________________________________________________________________

06.9.69 CVE: Not Available
Platform: Web Application
Title: n8cms Multiple Input Validation Vulnerabilities
Description: n8cms is a web-based content management system
implemented in PHP. It is prone to multiple input validation
vulnerabilities due to insufficient sanitization of user-supplied
input. n8cms versions 1.2 and 1.1 are affected.
Ref: http://www.securityfocus.com/bid/16858
______________________________________________________________________

06.9.70 CVE: Not Available
Platform: Web Application
Title: ShoutLIVE Multiple Input Validation Vulnerabilities
Description: ShoutLIVE is affected by multiple input validation issues
that result in script code injection. ShoutLIVE version 1.1.0 is
affected.
Ref: http://www.securityfocus.com/bid/16857
______________________________________________________________________

06.9.71 CVE: Not Available
Platform: Web Application
Title: 4images Index.PHP Remote File Include
Description: 4images is an image gallery management application. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "template" parameter of the
"index.php" script. 4images version 1.7.1 is vulnerable.
Ref: http://milw0rm.com/id.php?id=1533
______________________________________________________________________

06.9.72 CVE: Not Available
Platform: Web Application
Title: Archangel Weblog Authentication Bypass
Description: Archangel Weblog is web-based blog software implemented
in PHP utilizing a MySQL backend. It is prone to an authentication
bypass vulnerability due to improper validation of user-supplied
cookie data. Archangel Weblog version 0.90.2 is affected.
Ref: http://www.securityfocus.com/bid/16848/exploit
______________________________________________________________________

06.9.73 CVE: Not Available
Platform: Web Application
Title: freeForum Remote PHP Script Code Injection
Description: freeForum is a forum application. Insufficient
sanitization of the "X-Forwarded-For" and "Client-Ip" HTTP request
headers in the "func.inc.php" script exposes the application to a
script injection issue. freeForum version 1.2 is affected.
Ref: http://www.securityfocus.com/bid/16871
______________________________________________________________________

06.9.74 CVE: Not Available
Platform: Web Application
Title: HP System Management Homepage Unspecified Directory Traversal
Description: HP System Management Homepage (SMH) provides a web-based
management interface for ProLiant and Integrity servers. It is
vulnerable to an unspecified directory traversal vulnerability when
dealing with the "Lang" parameter of the ".namazurc" resource file. HP
System Management Homepage versions 2.1.4 and earlier are vulnerable.
Ref: http://secunia.com/advisories/19059/
______________________________________________________________________

06.9.75 CVE: Not Available
Platform: Web Application
Title: DEV Web Management System HTML Injection
Description: DEV Web Management System is a content management
application. It is prone to an HTML injection vulnerability due to
insufficient sanitization of user-supplied input to the "City/Region"
field on the account registration page. DEV Web Management System
version 1.5 is vulnerable.
Ref: http://www.securityfocus.com/bid/16812/references
______________________________________________________________________

06.9.76 CVE: Not Available
Platform: Web Application
Title: SPiD Scan_Lang_Insert.PHP Local File Include
Description: SPiD is a web-based gallery management application. It is
prone to a local file include vulnerability due to improper
sanitization of user-supplied input to the "lang" parameter of the
"scan_lang_insert.php" script before using it in an "include()" call.
SPiD version 1.3.1 is affected.
Ref: http://www.securityfocus.com/bid/16822/exploit
______________________________________________________________________

06.9.77 CVE: Not Available
Platform: Web Application
Title: FreeHostShop Website Generator Arbitrary File Upload
Description: Website Generator is a web-based content management
system implemented in PHP. It is prone to an arbitrary file-upload
vulnerability. An attacker can exploit this vulnerability to upload
arbitrary code and execute it in the context of the webserver process.
Ref: http://www.securityfocus.com/archive/1/426077
______________________________________________________________________

06.9.78 CVE: Not Available
Platform: Web Application
Title: iGenus WebMail Config_Inc.PHP Remote File Include
Description: iGenus WebMail is a web email client application. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "_SG_HOME" variable of the
"config_inc.php" script. iGENUS WebMail versions 2.0.2 and earlier are
vulnerable.
Ref: http://retrogod.altervista.org/igenus_202_xpl_pl.html
______________________________________________________________________

06.9.79 CVE: Not Available
Platform: Web Application
Title: Simple Machines X-Forwarded-For HTML Injection
Description: Simple Machines Forum (SMF) is a web forum application.
Insufficient sanitization of the "X-Forwarded-For" header in the
"Sources/Register.php" script exposes the application to an HTML
injection issue. Simple Machines versions 1.0.6 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/16841
______________________________________________________________________

06.9.80 CVE: Not Available
Platform: Web Application
Title: freeForum Multiple HTML Injection Vulnerabilities
Description: freeForum is a forum application. It is vulnerable to
multiple HTML injection issues due to insufficient sanitization of
user-supplied input to the "name" and "subject" parameters of the
"func.inc.php" script. freeForum version 1.2 is vulnerable.
Ref: http://soft.zoneo.net/freeForum/changes.php
______________________________________________________________________

06.9.81 CVE: Not Available
Platform: Web Application
Title: WordPress Multiple HTML Injection Vulnerabilities
Description: WordPress is a web-based publishing application.
Insufficient sanitization of the "name" and "website" fields on the
"post comment" page exposes the application to HTML injection issues.
WordPress version 2.0.1 is affected.
Ref: http://www.securityfocus.com/bid/16880
______________________________________________________________________

06.9.82 CVE: Not Available
Platform: Web Application
Title: PEHEPE Membership Management System PHP Script Code Injection
Description: PEHEPE Membership Management System is a forum
application. It is vulnerable to a remote PHP script code injection
issue due to insufficient input sanitization of the "uye_klasor"
parameter of the "sol_menu.php" script. PEHEPE Membership Management
System version 3 is vulnerable.
Ref:
http://yns.zaxaz.com/2006/02/28/pehepe-membership-management-system-multiple-vulnerabilities/
______________________________________________________________________

06.9.83 CVE: Not Available
Platform: Web Application
Title: Limbo CMS Frontpage Arbitrary PHP Command Execution
Description: Limbo CMS is a web-based content management system. It is
prone to an arbitrary command execution vulnerability due to improper
sanitization of user-supplied input to the "Itemid" parameter in the
"index.php" script. Limbo CMS versions 1.0.4.2 and 1.0.4.1 are
vulnerable.
Ref: http://www.securityfocus.com/bid/16902/exploit
______________________________________________________________________

06.9.84 CVE: Not Available
Platform: Web Application
Title: Issue Dealer Information Disclosure
Description: Issue Dealer is an issue tracking web application. It is
vulnerable to an information disclosure issue because it allows remote
attackers to guess URIs of unpublished content in a brute force
manner. Issue Dealer versions 0.9.95 and earlier are vulnerable.
Ref: http://issuedealer.com/changes
______________________________________________________________________

06.9.85 CVE: Not Available
Platform: Web Application
Title: SMBlog Arbitrary PHP Command Execution
Description: SMBlog is a web log application. It is vulnerable to an
arbitrary command execution issue due to insufficient sanitization of
user-supplied input to the "pg" parameter of the "index.php" script.
SMBlog version 1.2 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/426498
______________________________________________________________________

06.9.86 CVE: Not Available
Platform: Web Application
Title: UKiWEB UKiBoard FCE.PHP BBCode HTML Injection
Description: UKiWEB UKiBoard is a web-based bulletin board. It is
prone to an HTML-injection vulnerability due to improper sanitization
of user-supplied input to the "show_post()" function of the "fce.php"
script. UKiBoard version 3.0.1 is vulnerable.
Ref: http://evuln.com/vulns/90/summary.html
______________________________________________________________________

06.9.87 CVE: Not Available
Platform: Web Application
Title: LogIT Remote File Include
Description: LogIT is a logging and statistics application written in
PHP. It is prone to a remote file include vulnerability due to
insufficient sanitization of user-supplied input to the "pg" URI
parameter of the "index.php" script. LogIT versions 1.3 and 1.4 are
affected by this vulnerability.
Ref: http://www.securityfocus.com/bid/16932
______________________________________________________________________

06.9.88 CVE: Not Available
Platform: Web Application
Title: NZ Ecommerce Multiple Input Validation Vulnerabilities
Description: NZ Ecommerce is a shopping cart system. The application
is prone to multiple input validation vulnerabilities due to improper
sanitization of user-supplied input. SQL injection attacks are
possible through the "informationID" and "ParentCategory" parameters
of "index.php". Cross-site scripting attacks are possible through the
"action" parameter of "index.php". NZ Ecommerce System version 0 is
affected.
Ref: http://www.securityfocus.com/bid/16931/exploit
______________________________________________________________________

06.9.89 CVE: Not Available
Platform: Network Device
Title: NuFW Remote TLS Connection Handling Denial of Service
Description: NuFW is a freely available, open source authenticating
network application proxy firewall. It is susceptible to a remote
Denial of Service vulnerability. This issue is due to a failure of the
application to properly handle excessive authentication requests. NuFW
versions prior to 1.0.21 are affected by this issue.
Ref: http://www.nufw.org/+NuFW-1-21-minor-security-fix+.html
______________________________________________________________________

06.9.90 CVE: CVE-2004-2556, CVE-2004-2557
Platform: Network Device
Title: Netgear WGT624 Wireless Access Point Default Backdoor Account
Description: Netgear WGT624 contains a default administrative account
with a username of "Gearguy" and the password "Geardog". A remote
attacker can gain complete access to a vulnerable access point by
using the default credentials.
Ref: http://www.securityfocus.com/bid/16933
______________________________________________________________________

06.9.91 CVE: Not Available
Platform: Network Device
Title: Netgear WGT624 Wireless Firewall Router Information Disclosure
Description: NetGear WGT624 Wireless Firewall Router is a hardware
appliance. It is vulnerable to information disclosure when the backup
settings are enabled. The backup file contains authentication
credentials in cleartext. NetGear model WGT624 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/426185
______________________________________________________________________

06.9.92 CVE: Not Available
Platform: Network Device
Title: Compex NetPassage WPE54G Denial Of Service
Description: NetPassage WPE54G is a wireless access point. It is prone
to a remote denial of service vulnerability due to improper handling
of user-supplied input. The problem occurs when the device receives
malformed UDP packets on UDP port 7778.
Ref: http://www.securityfocus.com/bid/16894
______________________________________________________________________

(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEDJFq+LUG5KFpTkYRAuVHAJ9d3NUiddE2CvEGiYP8szvN7fvejwCdEAhl
cdNYxik97XwXi+Rp6IqYspA=
=3Nfl
-----END PGP SIGNATURE-----