RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 11

From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Mon Mar 20 2006 - 13:24:17 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Office documents suddenly stopped being "safe to open" last
week.(#1) Apple Mac users got another demonstration that they, too, are
vulnerable to remote attacks.(#2) Adobe Macromedia Flash and Shockwave
users can be infected just by visiting an infected web site or receiving
an HTML email, with minimal user interaction.(#3)

Would you like to make a substantial difference in making the Web safer?
If you know how to write Firefox toolbars, please email us. We are
building a Firefox toolbar that people could install to monitor what
web sites they go to, and to classify "bad websites" by various
categories (e.g. "adults", "exploit", "phishing"). This would complement
Storm Center's "honey monkey farm", which is a set of automated systems
that browse suspect websites. We will feed the user-supplied URLs to
the "honey monkeys" in order to have the sites characterized by its
systems. We are looking for a (paid) volunteer to write the Firefox
(and maybe later Internet Explorer) toolbar to do the reporting. Email
info@sans.org with subject "Browser Toolbar" if you can help.

                                        Alan

********************************************************************************
             RISK: The Consensus Security Vulnerability Alert
March 20, 2006 Vol. 5. Week 11
********************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
==================================================================
Platform                                 # of Updates & Vulnerabilities
==================================================================
Microsoft Office                          5 (#1)
Other Microsoft Products                  2 (#4, #9)
Third Party Windows Apps                  7 (#5, #6, #7)
Mac Os                                    2 (#2)
Linux                                     6
Aix                                       1
Unix                                      1
Novell                                    1
Cross Platform                            7 (#3, #8)
Web Application - Cross Site Scripting   10
Web Application - SQL Injection           7
Web Application                          15
Network Device                            1

*** Sponsored by SANS Training in San Diego, Munich, London and Washington DC **

Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS' most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July, right after July 4, for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works. Bring your family for the
national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************

Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Microsoft Office and Excel Multiple Vulnerabilities
(2) HIGH: Apple Mac OS X Security Update 2006-002
(3) HIGH: Adobe Macromedia Players SWF Remote Code Execution
(4) MODERATE: Internet Explorer Script Handler Memory Corruption

Other Software
(5) HIGH: Adobe Document and Graphics Server Remote Code Execution
(6) HIGH: Atrium Software Mercur Messaging IMAP Server Buffer Overflows
(7) MODERATE: Ipswitch IMail IMAP FETCH Command Buffer Overflow

Exploit Code
(8) Skype Heap-based Buffer Overflow
(9) Microsoft Telephony Service Buffer Overflow (MS05-040)

****************************** Sponsored Links: ********************************

1) Blue Coat (formerly Permeo Technologies)
Need help selecting an SSL VPN solution? Read security analyst Mark
Bouchard's (CISSP) latest buyer's guide.
http://www.sans.org/info.php?id=1076

2) Audit 522: SANS(R) +S(TM) Training for the CISA(R) Certification Exam
via SANSHome starts March 23!
http://www.sans.org/athome/details.php?id=1419
See http://www.sans.org/athome/ for complete SANSHome listings.
********************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys
(www.qualys.com)

 -- Microsoft Office
06.11.1 - Microsoft Excel Malformed Formula Size Remote Code Execution
06.11.2 - Microsoft Excel Malformed Parsing Format File Remote Code Execution
06.11.3 - Microsoft Excel Malformed Description Remote Code Execution
06.11.4 - Microsoft Office Routing Slip Processing Remote Buffer Overflow
06.11.5 - Excel Malformed Record Remote Code Execution Vulnerability
 -- Other Microsoft Products
06.11.6 - Microsoft Internet Explorer Script Action Handler Buffer Overflow
06.11.7 - Microsoft Commerce Server 2002 Authentication Bypass
 -- Third Party Windows Apps
06.11.8 - Unalz Hostile Destination Path
06.11.9 - Adobe Graphics Server / Document Server Remote Command Execution
06.11.10 - Ipswitch IMail Server / Collaboration Suite IMAP FETCH Remote Buffer Overflow
06.11.11 - SafeDisc Secdrv.sys Local Privilege Escalation
06.11.12 - Free-AV AntiVir Personal Edition Classic Local Privilege Escalation
06.11.13 - Apache Log4Net Denial of Service
06.11.14 - MERCUR Messaging 2005 IMAP Remote Buffer Overflow
 -- Mac Os
06.11.15 - Mac OS X Mail Message Attachment Remote Buffer Overflow
06.11.16 - Safari Archive JavaScript Same Origin Policy Violation
 -- Linux
06.11.17 - Zoo Parse.c Local Buffer Overflow
06.11.18 - Debian GNU/Linux Local Information Disclosure
06.11.19 - Linux Kernel IP ID Information Disclosure
06.11.20 - sa-exim Unauthorized File Access
06.11.21 - Linux Kernel ATM Module Inconsistent Reference Counts Denial of Service
06.11.22 - Linux Kernel Security Key Functions Local Copy_To_User Race Condition
 -- Aix
06.11.23 - IBM AIX MKLVCopy Unspecified Security Vulnerability
 -- Unix
06.11.24 - glFTPd IP Check Security Bypass
 -- Novell
06.11.25 - Novell Netware FTP Server Denial of Service
 -- Cross Platform
06.11.26 - Dwarf HTTP Server Multiple Input Validation Vulnerabilities
06.11.27 - Macromedia Flash Multiple Unspecified Security Vulnerabilities
06.11.28 - Apple QuickTime/iTunes Integer And Heap Overflow Vulnerabilities
06.11.29 - Firebird Local Inet_Server Buffer Overflow
06.11.30 - IBM Tivoli Lightweight Client Framework Information Disclosure
06.11.31 - ENet Multiple Denial of Service Vulnerabilities
06.11.32 - CGI::Session Multiple Information Disclosure Vulnerabilities
 -- Web Application - Cross Site Scripting
06.11.33 - SPIP Research Module Cross-Site Scripting
06.11.34 - Contrexx CMS Index.PHP Cross-Site Scripting
06.11.35 - QwikiWiki Multiple Cross-Site Scripting Vulnerabilities
06.11.36 - DokuWiki Mediamanager Cross-Site Scripting
06.11.37 - WordPress Multiple Cross-Site Scripting Vulnerabilities
06.11.38 - Jupiter CMS BBCode HTML Injection
06.11.39 - vCard Create.PHP Multiple Cross-Site Scripting Vulnerabilities
06.11.40 - WMNews Multiple Cross-Site Scripting Vulnerabilities
06.11.41 - Gemini Createissue.ASPX Cross-Site Scripting
06.11.42 - Inprotect Zones.PHP Cross-Site Scripting
 -- Web Application - SQL Injection
06.11.43 - DSPoll PollID SQL Injection
06.11.44 - Oxynews Index.PHP SQL Injection
06.11.45 - CyBoards PHP Lite Post.PHP SQL Injection
06.11.46 - DSNewsletter Multiple SQL Injection Vulnerabilities
06.11.47 - DSCounter Index.PHP SQL Injection
06.11.48 - DSDownload Multiple SQL-Injection Vulnerabilities
06.11.49 - Vegas Forum Forumlib.PHP SQL Injection
 -- Web Application
06.11.50 - Simple PHP Blog Install05.PHP Local File Include
06.11.51 - Drupal Multiple Input Validation Vulnerabilities
06.11.52 - php iCalendar Arbitrary File Upload
06.11.53 - Skull-Splitter PHP Guestbook HTML Injection
06.11.54 - php iCalendar Local File Include
06.11.55 - Milkeyway Captive Portal Multiple Input Validation Vulnerabilities
06.11.56 - Xhawk.net Discussion BBCode IMG Tag Script Injection
06.11.57 - KnowledgebasePublisher PageController.PHP Remote File Include
06.11.58 - ASP Portal Multiple Input Validation Vulnerabilities
06.11.59 - Horde Application Framework Go.PHP Information Disclosure
06.11.60 - Nodez Multiple Input Validation Vulnerabilities
06.11.61 - Core News Index.PHP Remote Code Execution
06.11.62 - GuppY Dwnld.PHP Remote Directory Traversal
06.11.63 - Zeroboard Multiple HTML Injection Vulnerabilities
06.11.64 - 1 File Store Multiple Input Validation Vulnerabilities
 -- Network Device
06.11.65 - BorderWare MXtreme Web Administration Remote Vulnerability
 ______________________________________________________________________

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of
3Com, as a by-product of that company's continuous effort to ensure that
its intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from
a council of security managers from twelve large organizations who
confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be
found at http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

*************************
Widely Deployed Software
*************************

(1) CRITICAL: Microsoft Office and Excel Multiple Vulnerabilities
Affected:
Office 2000 SP3
Office XP SP3
Office 2003 SP1/SP2
Microsoft Works Suites 2000-2006
Office X/2004 for Mac OS

Description: The Microsoft Office suite contains five memory corruption
vulnerabilities in the Excel program and a further buffer overflow in the
processing of "routing slips". A malicious Excel or Office file can
exploit these vulnerabilities to execute arbitrary code on a client
system running a vulnerable Office version. The specially crafted
Excel/Office documents can be posted on a web server, file server or P2P
share, or attached to an email. Note that although browsers such as IE and
Firefox typically present a user prompt before opening an Office
document, these documents are generally considered "safe" as opposed to
executable files, so users are likely to open them even from untrusted
sites. The technical details required to craft exploits for many of the
buffer overflows have been publicly posted. Exploitation of some of the
overflows is trivial, as they are stack-based overflows.

Status: Microsoft confirmed. Patches are referenced in Microsoft Security
Bulletin MS06-012.

Council Site Actions: All reporting council sites are planning to
address these vulnerabilities in their next regularly scheduled system
maintenance cycle. A few reported they will increase the urgency if
exploits are seen in the wild.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
XFocus Advisory
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0080.html
TippingPoint ZDI Advisory
http://www.zerodayinitiative.com/advisories/ZDI-06-004.html
Posting by hexview
http://marc.theaimsgroup.com/?l=full-disclosure&m=114238502808159&w=2
Fortinet Advisories
http://www.securityfocus.com/archive/1/427649/30/30/threaded
http://www.securityfocus.com/archive/1/427648/30/30/threaded
Posting by NGSSoftware
http://www.securityfocus.com/archive/1/427635/30/30/threaded
SecurityFocus BIDs
http://www.securityfocus.com/bid/17091
http://www.securityfocus.com/bid/17100
http://www.securityfocus.com/bid/17101
http://www.securityfocus.com/bid/17108

****************************************************************

(2) HIGH: Apple Mac OS X Security Update 2006-002
Affected:
Mac OS X and server version 10.4.5

Description: Apple has released another security update for Mac OS X
this month. Security update 2006-002 addresses important
vulnerabilities in Mail and the Safari browser. Mail, an e-mail client built
into Mac OS X, contains a buffer overflow on Mac OS X systems that have
been patched with Apple security update 2006-001. The overflow can
be triggered by an e-mail attachment in the MIME-encapsulated Apple
Double format (documented in RFC 1740) with a long "Real Name" entry.
When a Mail user double-clicks such an attachment, arbitrary code can be
executed on the user's system. Exploit code has been publicly posted. The
security update also provides additional checks to identify malicious
files downloaded via the Safari browser before the files are automatically
opened.

Status: Apple confirmed. Apply Apple Security Update 2006-002 on a
priority basis.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

Reference:
Apple Security Update 2006-002
http://docs.info.apple.com/article.html?artnum=303453
Digitalmunition Advisory and Exploit Code
http://www.digitalmunition.com/DMA%5B2006-0313a%5D.txt
http://www.milw0rm.com/exploits/1583
Mail Homepage
http://www.apple.com/macosx/features/mail/
SecurityFocus BIDs
http://www.securityfocus.com/bid/17081

****************************************************************

(3) HIGH: Adobe Macromedia Players SWF Remote Code Execution
Affected:
Flash Player versions 8.0.22.0 and prior
Breeze Meeting Add-In version 5.1 and prior
Shockwave Player version 10.1.0.11 and prior
Flash Debug Player version 7.0.14.0 and prior

Description: Adobe has released a security advisory indicating that
multiple Macromedia players contain a critical vulnerability in handling
SWF files. According to Adobe, the flaw can be exploited to execute
arbitrary code. A malicious web page or an HTML email can leverage the
flaw to compromise a user's system with minimal user interaction. No
technical details have been released at this time. Note that several
versions of Windows ship with a vulnerable version of Flash Player by
default; these systems should be updated on a priority basis.

Status: Adobe confirmed. Upgrade to the latest version of the players
as described in the Adobe advisory.

Council Site Actions: All reporting council sites are planning to
address in their next regularly scheduled system maintenance cycle.

References:
Adobe Advisory
http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html
Microsoft Advisory
http://www.microsoft.com/technet/security/advisory/916208.mspx
CERT Advisory
http://www.us-cert.gov/cas/techalerts/TA06-075A.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/170106

****************************************************************

(4) MODERATE: Internet Explorer Script Handler Memory Corruption
Affected:
Internet Explorer possibly all versions

Description: Internet Explorer contains a memory corruption
vulnerability that can be triggered by an HTML page containing a hundred
or more script action handlers such as "onclick", "onmouseover", etc.
According to the discoverer, the flaw can possibly be exploited to
execute arbitrary code (not confirmed). The technical details and a
proof-of-concept exploit have been publicly posted.

Status: Microsoft has not confirmed the vulnerability yet, no updates
available.

Council Site Actions: All reporting council sites are waiting on
additional information from Microsoft.

References:
Postings by Michal Zalewski
http://archives.neohapsis.com/archives/bugtraq/2006-02/0855.html
http://archives.neohapsis.com/archives/bugtraq/2006-02/0856.html
http://archives.neohapsis.com/archives/bugtraq/2006-02/0887.html
PoC Code
http://lcamtuf.coredump.cx/iedie.html
Internet Explorer Script Action Handlers
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/events.asp
SecurityFocus BID
http://www.securityfocus.com/bid/17131

**********************************************************************

*******************
Other Software
*******************

(5) HIGH: Adobe Document and Graphics Server Remote Code Execution
Affected:
Adobe Document Server versions 5.x and 6.x
Adobe Graphics Server version 2.x

Description: Adobe Document and Graphics Server products are designed
to enable enterprises to generate PDF and graphics documents on the fly.
In the default configuration, the "saveContent" and "saveOptimized"
commands can be used to store arbitrary files in any directory on the
servers. For instance, a graphics file containing malicious HTML code
can be placed in the "Startup" folder for "All Users", which results
in the compromise of Windows-based Adobe servers. An attacker can reach the
file saving commands via the AlterCast web service, which runs by default on
port 8109/tcp.

Status: Adobe has acknowledged the flaw in the default configuration and
published steps to harden the configuration of Document and Graphics
servers.

References:
Adobe Advisory
http://www.adobe.com/support/techdocs/332989.html
Secunia Advisory
http://secunia.com/secunia_research/2005-28/advisory/
Product Homepages
http://www.adobe.com/products/server/documentserver/main.html
http://www.adobe.com/products/server/graphics/main.html
AlterCast Service
http://www.adobe.com/products/server/graphics/pdfs/entprswp.pdf
SecurityFocus BID
http://www.securityfocus.com/bid/17113

****************************************************************************

(6) HIGH: Atrium Software Mercur Messaging IMAP Server Buffer Overflows
Affected Products:
Mercur Messaging version 5.0 SP3 and possibly prior

Description:
The IMAP service provided by Mercur Mailserver is reportedly vulnerable
to multiple buffer overflows which can be triggered by passing overlong
strings to various IMAP commands. The flaw may be exploited by a remote
unauthenticated attacker to execute arbitrary code with the privileges
of the Mercur Mailserver process, possibly Local System. Exploit code
has been publicly posted. Note that a similar flaw was reported in
previous versions of this mailserver.

Status: Vendor has not confirmed the flaw, no patches are available.

References:
Posting by Tim Taylor
http://archives.neohapsis.com/archives/fulldisclosure/2006-02/1837.html
Posting by 3APA3A
http://archives.neohapsis.com/archives/fulldisclosure/2006-02/1936.html
Exploit Code
http://www.milw0rm.com/exploits/1592
Product Homepage
http://www.atrium-softwareusa.com/EN/mercur_products.html
SecurityFocus BID
http://www.securityfocus.com/bid/17138

***********************************************************************

(7) MODERATE: Ipswitch IMail IMAP FETCH Command Buffer Overflow
Affected:
Ipswitch Collaboration Suite versions prior to 2006.03
IMail Secure Server versions prior to 2006.03

Description: Ipswitch IMail is a Windows-based mail server used by many
small and medium ISPs. Ipswitch Collaboration Suite includes the IMail
server, and these products serve over 60 million users world-wide. The
mail server's IMAP service contains a buffer overflow that can be
triggered by specially crafted arguments to the "FETCH" command. An
authenticated user can exploit the flaw to execute arbitrary code on the
server with Local System privileges. Note that exploits are available
for previously disclosed vulnerabilities in this application.

Status: Vendor confirmed, update available. Upgrade to version 2006.03
for IMail and Collaboration Suite.

References:
Ipswitch Advisories
http://www.ipswitch.com/support/imail/releases/im200603.asp
http://www.ipswitch.com/support/ics/updates/ics200603stan.asp
TippingPoint ZDI Advisory
http://www.zerodayinitiative.com/advisories/ZDI-06-003.html
Product Homepage
http://www.ipswitch.com/products/imail/index.asp
http://www.ipswitch.com/products/collaboration/index.asp
SecurityFocus BID
http://www.securityfocus.com/bid/17063

***********************************************************************

*********
Exploits
*********

(8) Skype Heap-based Buffer Overflow

References:
Exploit Details in BlackHat Europe Presentation
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
Previous RISK Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=43#other1

********************************************************************

(9) Microsoft Telephony Service Buffer Overflow (MS05-040)

Council Site Actions: All reporting council sites patched their systems
late last year.

References:
Exploit Code
http://www.milw0rm.com/exploits/1584
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=32#widely4

****************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 11, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4938 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.

06.11.1 CVE: Not Available
Platform: Microsoft Office
Title: Microsoft Excel Malformed Formula Size Remote Code Execution
Description: Microsoft Excel is prone to a remote code execution
vulnerability. This issue may be triggered when a malformed Excel
document is opened. This is due to an error in Excel that is related
to how the program parses data fields within the document.
Specifically, this vulnerability is a buffer overflow that occurs when
handling malformed formula size data in an Excel file.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
______________________________________________________________________

06.11.2 CVE: CVE-2006-0028
Platform: Microsoft Office
Title: Microsoft Excel Malformed Parsing Format File Remote Code
Execution
Description: Microsoft Excel is prone to a remote code execution
vulnerability. This issue may be triggered when a malformed Excel
document is opened. This is due to an error in Excel that is related
to how the program parses data fields within the document. Successful
exploitation may result in execution of arbitrary code in the context
of the currently logged in user.
Ref: http://www.microsoft.com/technet/security/bulletin/MS06-012.mspx
______________________________________________________________________

06.11.3 CVE: CVE-2006-0029
Platform: Microsoft Office
Title: Microsoft Excel Malformed Description Remote Code Execution
Description: Microsoft Excel is prone to a remote code execution
vulnerability that may be triggered when a malformed Excel document is
opened. This is due to an error in Excel that is related to how the
program parses data fields within the document.
Ref: http://www.microsoft.com/technet/security/bulletin/MS06-012.mspx
______________________________________________________________________

06.11.4 CVE: CVE-2006-0009
Platform: Microsoft Office
Title: Microsoft Office Routing Slip Processing Remote Buffer Overflow
Description: Microsoft Office supports routing slips, which are
embedded in Word, Excel, or PowerPoint documents to aid in
collaborative working. Microsoft Office is prone to a remote buffer
overflow vulnerability. Specifically, the issue arises when the
application handles a specially crafted document containing a
malicious routing slip. A successful attack can result in a remote
compromise in the context of an affected user.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
______________________________________________________________________

06.11.5 CVE: CVE-2006-0031
Platform: Microsoft Office
Title: Excel Malformed Record Remote Code Execution Vulnerability
Description: Microsoft Excel is prone to a remote code execution issue
which may be triggered when a malformed Excel document is opened. The
issue is due to an error in Excel that is related to how the program
parses data fields within the document.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
______________________________________________________________________

06.11.6 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer Script Action Handler Buffer
Overflow
Description: Microsoft Internet Explorer is prone to a remote buffer
overflow vulnerability in "MSHTML.DLL" due to improper boundary
checking of user supplied input data prior to copying it into an
insufficiently sized memory buffer. This issue is triggered by having
several thousand script action handlers, such as "onLoad",
"onMouseOver", in a single HTML tag. Internet Explorer 6 is reported
to be vulnerable to this issue; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/17131/exploit
______________________________________________________________________

06.11.7 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Commerce Server 2002 Authentication Bypass
Description: Microsoft Commerce Server 2002 is a web server product
geared towards building e-commerce websites. It is prone to an
authentication bypass vulnerability because of improper authentication
of users due to the possible existence of sample files. Microsoft
Commerce Server 2002 versions prior to Service Pack 2 are affected by
this issue.
Ref: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/csvr2002/htm/cs_se_securityconcepts_cbgw.asp
______________________________________________________________________

06.11.8 CVE: CVE-2006-0950
Platform: Third Party Windows Apps
Title: Unalz Hostile Destination Path
Description: Unalz is a file compression and decompression application
written for Microsoft Windows. It contains a vulnerability in the
handling of pathnames in archived files. By specifying a path for an
archived item that points outside the expected destination directory,
the creator of the archive can cause the file to be extracted to
arbitrary locations on the filesystem. Unalz version 0.53 is
vulnerable.
Ref: http://secunia.com/advisories/19063/
______________________________________________________________________
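The Unalz issue above (06.11.8) and the Adobe Document/Graphics Server item (5) in Part I share one root cause: a file-writing routine trusts a caller-supplied path and never checks that the resolved target stays inside the intended destination directory. The following is an added example, not code from Unalz, Adobe or the advisories referenced here, showing the confinement check an extractor or server-side save handler should apply. The archive listing is constructed inline for the demonstration and is not a real ALZ or AlterCast payload.

```python
import os
import posixpath
import tempfile
from typing import List, Tuple

# Constructed sample archive listing: (entry name, payload). It stands in for
# the metadata an extractor reads from an archive header; not a real ALZ file.
SAMPLE_ENTRIES: List[Tuple[str, bytes]] = [
    ("docs/readme.txt", b"hello"),
    ("../../Startup/evil.bat", b"x"),   # relative traversal out of dest_dir
    ("/etc/passwd", b"x"),              # absolute path
    ("images/./logo.png", b"x"),        # harmless "." segment, must be allowed
    ("C:\\Windows\\win.ini", b"x"),     # Windows drive-qualified path
    ("sub/../..\\escape.txt", b"x"),    # mixed separators hiding a ".."
]


def safe_target_path(dest_dir: str, entry_name: str) -> str:
    """Return the absolute path an archive entry may be written to, or raise
    ValueError if the entry would land outside dest_dir.

    Separators are normalized, absolute and drive-qualified names are
    rejected, and the resolved path is then verified to share dest_dir as a
    prefix. That final realpath/commonpath check is what the vulnerable
    extractors described in the bulletin skip.
    """
    # Treat backslashes as separators so "..\\" cannot slip past a POSIX check.
    normalized = entry_name.replace("\\", "/")
    # Reject absolute paths and Windows drive letters ("C:...") outright.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        raise ValueError(f"absolute path in archive entry: {entry_name!r}")
    # Collapse "." and ".." segments; any ".." left at the front escapes.
    collapsed = posixpath.normpath(normalized)
    if collapsed == ".." or collapsed.startswith("../"):
        raise ValueError(f"path traversal in archive entry: {entry_name!r}")
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *collapsed.split("/")))
    # Final defence: the resolved target must lie inside the destination.
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"archive entry escapes destination: {entry_name!r}")
    return target


def is_confined(dest_dir: str, entry_name: str) -> bool:
    """Boolean form of safe_target_path for callers that only need a verdict."""
    try:
        safe_target_path(dest_dir, entry_name)
        return True
    except ValueError:
        return False


def extract_entries(dest_dir: str, entries: List[Tuple[str, bytes]]):
    """Write the constructed entries under dest_dir.

    Returns (written, rejected): written holds the relative paths actually
    created, rejected holds (entry name, reason) pairs. A bad entry is
    skipped with its reason kept so an operator can log it, rather than
    aborting the whole archive.
    """
    written, rejected = [], []
    dest_real = os.path.realpath(dest_dir)
    for name, payload in entries:
        try:
            target = safe_target_path(dest_dir, name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(payload)
        written.append(os.path.relpath(target, dest_real))
    return written, rejected


def demo():
    """Run the extractor against the constructed listing in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_entries(dest, SAMPLE_ENTRIES)


if __name__ == "__main__":
    written, rejected = demo()
    print("written :", written)
    for name, reason in rejected:
        print("rejected:", name, "->", reason)
```

The same `safe_target_path` check applies to a server-side "save" command such as the ones described for the Adobe servers: the directory the caller is allowed to write into is fixed by the service, and every requested filename is resolved against it before any file is opened.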

06.11.9 CVE: CVE-2006-1182
Platform: Third Party Windows Apps
Title: Adobe Graphics Server / Document Server Remote Command
Execution
Description: Adobe Graphics Server is used to automate the creation of
graphics for print and web. Adobe Document Server is used to
automatically generate PDF documents. Adobe Graphics Server and
Document Server are prone to a vulnerability that may allow remote
attackers to disclose arbitrary graphics or PDF files, place arbitrary
graphics or PDF files on a server, and potentially execute arbitrary
code and gain unauthorized access to a computer. Adobe Graphics Server
versions 2.0 and 2.1 are affected. Adobe Document Server versions 5.0
and 6.0 running on Windows are affected.
Ref: http://www.securityfocus.com/bid/17113
______________________________________________________________________

06.11.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: Ipswitch IMail Server / Collaboration Suite IMAP FETCH Remote
Buffer Overflow
Description: Ipswitch IMail is an email server that serves clients
their mail via a web interface. It runs on Microsoft Windows operating
systems. Ipswitch Collaboration Suite (ICS) is an application suite
that includes IMail Server and IMail Anti-Virus. Ipswitch IMail
Server/Collaboration Suite are prone to a remote buffer overflow
vulnerability. This issue arises because the application fails to
perform boundary checks prior to copying user-supplied data into
sensitive process buffers.
Ref: http://www.securityfocus.com/bid/17063
______________________________________________________________________

06.11.11 CVE: CVE-2006-1197
Platform: Third Party Windows Apps
Title: SafeDisc Secdrv.sys Local Privilege Escalation
Description: Macrovision SafeDisc is a copy protection application. It
is vulnerable to a local privilege escalation issue due to an incorrect
setting of the "SERVICE_CHANGE_CONFIG" flag applied to SafeDisc's
version of the "secdrv.sys" driver. All versions of Macrovision SafeDisc
are vulnerable.
Ref: http://www.securityfocus.com/archive/1/427410
______________________________________________________________________

06.11.12 CVE: Not Available
Platform: Third Party Windows Apps
Title: Free-AV AntiVir Personal Edition Classic Local Privilege
Escalation
Description: AntiVir Personal Edition Classic is a virus, worm and
malware detection application, written for the Microsoft Windows
operating system. It is prone to a local privilege escalation
vulnerability due to a failure in the application to drop privileges
before invoking other applications. AntiVir Personal Edition Classic
version 7 is vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/427412
______________________________________________________________________

06.11.13 CVE: CVE-2006-0743
Platform: Third Party Windows Apps
Title: Apache Log4Net Denial of Service
Description: Apache Log4net is a port of log4j for the .NET runtime.
It is prone to a remote denial of service vulnerability due to a
design error in the application. The problem occurs due to an
unspecified error in "LocalSyslogAppender". Log4net version 1.2.9 is
vulnerable.
Ref: http://www.securityfocus.com/bid/17095
______________________________________________________________________

06.11.14 CVE: Not Available
Platform: Third Party Windows Apps
Title: MERCUR Messaging 2005 IMAP Remote Buffer Overflow
Description: MERCUR Messaging 2005 is a mail server. It is vulnerable
to a remote buffer overflow issue when the server handles crafted IMAP
LOGIN and SELECT commands containing excessive data. MERCUR Messaging
2005 version 5.0 SP3 is vulnerable.
Ref: http://www.securityfocus.com/bid/17138/info
______________________________________________________________________

06.11.15 CVE: CVE-2006-0396
Platform: Mac Os
Title: Mac OS X Mail Message Attachment Remote Buffer Overflow
Description: Mac OS X Mail is vulnerable to a remote buffer overflow
issue due to insufficient boundary checking when handling specially
malformed email with attachments. Apple released Security Update
2006-002 to resolve this issue.
Ref: http://docs.info.apple.com/article.html?artnum=303453
______________________________________________________________________

06.11.16 CVE: CVE-2006-0400
Platform: Mac Os
Title: Safari Archive JavaScript Same Origin Policy Violation
Description: Apple Safari is susceptible to a same origin policy
violation vulnerability due to a failure of the application to
properly enforce same origin policy for JavaScript remote data access.
This issue is the result of the same origin policy not being enforced
for archives that originate from remote sources.
Ref: http://www.securityfocus.com/bid/17082
______________________________________________________________________

06.11.17 CVE: Not Available
Platform: Linux
Title: Zoo Parse.c Local Buffer Overflow
Description: Zoo is an archiving tool for various Linux platforms. It
is prone to a local buffer overflow vulnerability in "parse.c" when an
archive is created using a long filename. An attacker would have to
entice a user to add an attacker-created directory with a long name to
an archive. Zoo version 2.10 is vulnerable.
Ref: http://www.securityfocus.com/bid/17126
______________________________________________________________________

06.11.18 CVE: Not Available
Platform: Linux
Title: Debian GNU/Linux Local Information Disclosure
Description: Debian GNU/Linux is vulnerable to a local information
disclosure issue due to the installation system improperly storing
sensitive information in world readable files. Debian GNU/Linux
version 3.1 is vulnerable.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=254068
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356845
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356939
______________________________________________________________________

06.11.19 CVE: CVE-2006-1242
Platform: Linux
Title: Linux Kernel IP ID Information Disclosure
Description: The Linux kernel is vulnerable to a remote information
disclosure weakness. The kernel increments the IP ID field after
receiving unsolicited TCP SYN-ACK packets, which allows attackers to
conduct idle scans or stealth scans. The Linux kernel 2.6 series as
well as some kernels in the 2.4 series are vulnerable.
Ref: http://www.securityfocus.com/archive/1/427622
______________________________________________________________________

06.11.20 CVE: Not Available
Platform: Linux
Title: sa-exim Unauthorized File Access
Description: sa-exim is a SpamAssassin module for Exim. It is
vulnerable to an unauthorized file access vulnerability. This issue is
due to insufficient sanitization of the "greylistclean.cron" file.
sa-exim versions 4.2 and earlier are vulnerable.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345071
______________________________________________________________________

06.11.21 CVE: CVE-2005-3359
Platform: Linux
Title: Linux Kernel ATM Module Inconsistent Reference Counts Denial of
Service
Description: The Linux kernel is prone to a local denial of service
issue which presents itself because the ATM module can allow attackers
to create inconsistent reference counts for loadable protocol modules
of netfilter. Linux kernel versions 2.6.14 and earlier are affected.
Ref: http://www.securityfocus.com/bid/17078
______________________________________________________________________

06.11.22 CVE: CVE-2006-0457
Platform: Linux
Title: Linux Kernel Security Key Functions Local Copy_To_User Race
Condition
Description: The Linux kernel contains a keyring module that is
designed to allow for the storage and maintenance of local key data
for operations such as storing Kerberos credentials. The Linux kernel
is susceptible to a local race condition vulnerability in its security
key functionality. This allows local attackers to crash the kernel.
Ref: http://www.ubuntu.com/usn/usn-263-1
______________________________________________________________________

06.11.23 CVE: Not Available
Platform: Aix
Title: IBM AIX MKLVCopy Unspecified Security Vulnerability
Description: The MKLVCopy command is an administrative command used to
modify Logical Volumes. IBM AIX is vulnerable to an unspecified
security issue in the mklvcopy command. IBM AIX version 5.3 is
vulnerable.
Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY82739
______________________________________________________________________

06.11.24 CVE: Not Available
Platform: Unix
Title: glFTPd IP Check Security Bypass
Description: glFTPd is an FTP server for Unix based systems. It is
prone to a security bypass vulnerability due to a design error in the
application when validating the IP address of an incoming connection.
A specially crafted DNS hostname could trick the application and
bypass IP address restrictions. GlFtpd versions 2.0.1 RC4 and earlier
are vulnerable.
Ref: http://www.securityfocus.com/bid/17118
______________________________________________________________________

06.11.25 CVE: Not Available
Platform: Novell
Title: Novell Netware FTP Server Denial of Service
Description: Netware FTP Server is vulnerable to a remote denial of
service issue. The cause is with the "NWFTPD.NLM" when setting the
time with the "MDTM" command. Novell Netware FTP Server version 5.07
and Novell Netware version 6.5 SP4 are vulnerable.
Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973435.htm
______________________________________________________________________

06.11.26 CVE: CVE-2006-0819, CVE-2006-0820
Platform: Cross Platform
Title: Dwarf HTTP Server Multiple Input Validation Vulnerabilities
Description: Dwarf HTTP Server is vulnerable to multiple input
validation issues due to insufficient sanitization of user-supplied
input. Dwarf HTTP Server versions 1.3.2 and earlier are vulnerable.
Ref: http://secunia.com/secunia_research/2006-13/advisory/
______________________________________________________________________

06.11.27 CVE: CVE-2006-0024
Platform: Cross Platform
Title: Macromedia Flash Multiple Unspecified Security Vulnerabilities
Description: Macromedia Flash is a dynamic content platform commonly
used in web based applications. Its plug-in is susceptible to multiple
unspecified vulnerabilities. Macromedia Flash versions prior to
7.0.63.0 and 8.0.24.0 are vulnerable.
Ref: http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html
______________________________________________________________________

06.11.28 CVE: Not Available
Platform: Cross Platform
Title: Apple QuickTime/iTunes Integer And Heap Overflow
Vulnerabilities
Description: An integer overflow and heap-based buffer overflow
vulnerability have been reported in Apple QuickTime and iTunes. These
issues affect both Mac OS X and Microsoft Windows releases of the
software. Please visit the reference link provided for a list of
vulnerable versions.
Ref: http://www.securityfocus.com/bid/17074
______________________________________________________________________

06.11.29 CVE: CVE-2006-1240
Platform: Cross Platform
Title: Firebird Local Inet_Server Buffer Overflow
Description: Firebird is a database. It is vulnerable to a local
buffer overflow issue due to insufficient boundary checks of
user-supplied data when the "-p" command line argument is used.
Firebird versions 1.5.2 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/427480
______________________________________________________________________

06.11.30 CVE: Not Available
Platform: Cross Platform
Title: IBM Tivoli Lightweight Client Framework Information Disclosure
Description: Tivoli Lightweight Client Framework (LCF) is prone to an
information disclosure vulnerability. The problem occurs in the HTTP
interface of LCF. An authenticated attacker can manipulate the
configuration of the log files and gain read access to files with
superuser privileges. IBM Tivoli Lightweight Client Framework version
3.7.1 is affected.
Ref: http://www.securityfocus.com/bid/17085
______________________________________________________________________

06.11.31 CVE: Not Available
Platform: Cross Platform
Title: ENet Multiple Denial of Service Vulnerabilities
Description: ENet is an open source library for handling UDP
connections. It is affected by multiple denial of service issues. An
attacker may create a command packet containing one or more negative
32-bit numbers causing the application to point to invalid memory
buffers. The next command packet received by the application will
cause a denial of service condition. All current versions are
affected.
Ref: http://www.securityfocus.com/bid/17087
______________________________________________________________________

06.11.32 CVE: Not Available
Platform: Cross Platform
Title: CGI::Session Multiple Information Disclosure Vulnerabilities
Description: CGI::Session is a Perl/CGI session library. It is prone
to multiple information disclosure vulnerabilities because the
application fails to properly set file permissions on files in the
"/tmp" directory which contain sensitive data. CGI::Session version
4.03 is affected.
Ref: http://www.securityfocus.com/bid/17099
______________________________________________________________________

06.11.33 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: SPIP Research Module Cross-Site Scripting
Description: SPIP is a web publishing application. It is vulnerable to
a cross-site scripting issue due to insufficient sanitization of
user-supplied input to some unspecified parameters of the "research"
module. SPIP version 1.8.2-e is vulnerable.
Ref: http://www.securityfocus.com/bid/17130/info
______________________________________________________________________

06.11.34 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Contrexx CMS Index.PHP Cross-Site Scripting
Description: Contrexx CMS is a web-based content management system
(CMS) implemented in PHP. It is prone to a cross-site scripting
vulnerability due to improper sanitization of user-supplied input to
"index.php". Contrexx version 1.0.8 is vulnerable.
Ref: http://www.securityfocus.com/bid/17128/exploit
______________________________________________________________________

06.11.35 CVE: CVE-2006-1196, CVE-2006-0983
Platform: Web Application - Cross Site Scripting
Title: QwikiWiki Multiple Cross-Site Scripting Vulnerabilities
Description: QwikiWiki is a web-based wiki application. It is
vulnerable to multiple cross-site scripting issues due to insufficient
sanitization of user-supplied input to such scripts as index.php,
login.php, pageindex.php and recentchanges.php. QwikiWiki 1.4 and 1.5
are vulnerable.
Ref: http://www.osvdb.org/23700
______________________________________________________________________

06.11.36 CVE: CVE-2006-1165
Platform: Web Application - Cross Site Scripting
Title: DokuWiki Mediamanager Cross-Site Scripting
Description: DokuWiki is a web wiki application implemented in PHP.
DokuWiki is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input. DokuWiki versions
2005-9-22 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17065
______________________________________________________________________

06.11.37 CVE: CVE-2006-0985
Platform: Web Application - Cross Site Scripting
Title: WordPress Multiple Cross-Site Scripting Vulnerabilities
Description: WordPress is a web-based publishing application. It is
vulnerable to multiple unspecified cross-site scripting issues due to
insufficient sanitization of user-supplied input. WordPress versions
2.0.1 and earlier are vulnerable.
Ref: http://wordpress.org/development/2006/03/security-202/
______________________________________________________________________

06.11.38 CVE: CVE-2006-1223
Platform: Web Application - Cross Site Scripting
Title: Jupiter CMS BBCode HTML Injection
Description: Jupiter CMS is a content management application written
in PHP. It is prone to an HTML injection vulnerability due to
insufficient sanitization of user-supplied input to the BBCode system
in "img" tags. Jupiter CMS versions 1.1.5 and 1.1.4 are vulnerable.
Ref: http://www.securityfocus.com/archive/1/427406
______________________________________________________________________

06.11.39 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: vCard Create.PHP Multiple Cross-Site Scripting Vulnerabilities
Description: vCard is electronic greeting card software. It is prone
to multiple cross-site scripting vulnerabilities due to insufficient
sanitization of user-supplied input to various scripts. vCard versions
2.9 and 2.8 are affected.
Ref: http://www.securityfocus.com/bid/17073
______________________________________________________________________

06.11.40 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: WMNews Multiple Cross-Site Scripting Vulnerabilities
Description: WMNews is web-based news software implemented in PHP. It
is prone to multiple cross-site scripting vulnerabilities due to
insufficient sanitization of user-supplied input to various scripts.
Ref: http://www.securityfocus.com/bid/17076
______________________________________________________________________

06.11.41 CVE: CVE-2006-1239
Platform: Web Application - Cross Site Scripting
Title: Gemini Createissue.ASPX Cross-Site Scripting
Description: CounterSoft Gemini is a web-based project management
application. It is vulnerable to a cross site scripting issue due to
insufficient sanitization of user-supplied input to the
"rtcDescription$RadEditor1" field of "issue/createissue.aspx" script.
CounterSoft Gemini version 2.0 is vulnerable.
Ref: http://www.osvdb.org/23907
______________________________________________________________________

06.11.42 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Inprotect Zones.PHP Cross-Site Scripting
Description: Inprotect is a web interface for the Nessus security
scanner. It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "Name" and
"Description" parameters of the "zones.php" script. Inprotect versions
0.21 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17141
______________________________________________________________________

06.11.43 CVE: CVE-2006-1217
Platform: Web Application - SQL Injection
Title: DSPoll PollID SQL Injection
Description: DSPoll is a web-based polling application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "pollid" parameter of the "results.php",
"pollit.php" and "topoll.php" scripts. DSPoll version 1.1 is
vulnerable.
Ref: http://evuln.com/vulns/96/summary.html
______________________________________________________________________

06.11.44 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Oxynews Index.PHP SQL Injection
Description: Oxynews is a web-based news application implemented in
PHP. Oxynews is prone to an SQL injection vulnerability due to
insufficient sanitization of user-supplied input to the
"oxynews_comment_id" parameter of the "index.php" script.
Ref: http://www.securityfocus.com/bid/17132
______________________________________________________________________

06.11.45 CVE: CVE-2006-1134
Platform: Web Application - SQL Injection
Title: CyBoards PHP Lite Post.PHP SQL Injection
Description: CyBoards PHP Lite is bulletin board software.
Insufficient sanitization of the "parent" parameter in the "post.php"
script exposes the application to an SQL injection issue. Cyboards PHP
Lite version 1.25 is affected.
Ref: http://www.securityfocus.com/bid/17107
______________________________________________________________________

06.11.46 CVE: Not Available
Platform: Web Application - SQL Injection
Title: DSNewsletter Multiple SQL Injection Vulnerabilities
Description: DSNewsletter is web-based newsletter software. It is
prone to multiple SQL injection vulnerabilities due to improper
sanitization of user supplied input before using it in an SQL query.
Specifically, input to the "email" parameter of the "include/sub.php",
"include/confirm.php" and "include/unconfirm.php" scripts is not
properly sanitized. DSNewsletter version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/17111
______________________________________________________________________

06.11.47 CVE: Not Available
Platform: Web Application - SQL Injection
Title: DSCounter Index.PHP SQL Injection
Description: DSCounter is bulletin board software. Insufficient
sanitization of the "X-Forwarded-For" HTTP header in the "index.php"
script exposes the application to an SQL injection issue. Cyboards PHP
Lite versions 1.25 and earlier are affected.
Ref: http://www.securityfocus.com/bid/17112
______________________________________________________________________

06.11.48 CVE: CVE-2006-1232
Platform: Web Application - SQL Injection
Title: DSDownload Multiple SQL-Injection Vulnerabilities
Description: DSDownload is a file download tracking application,
written in PHP. It is prone to multiple SQL injection vulnerabilities
due to insufficient sanitization of user-supplied input to the
"category" parameter of the "downloads.php" script, and the "key"
parameter of the "search.php" script. DSDownload version 1.0 is
affected.
Ref: http://evuln.com/vulns/99/summary.html
______________________________________________________________________

06.11.49 CVE: CVE-2006-1020
Platform: Web Application - SQL Injection
Title: Vegas Forum Forumlib.PHP SQL Injection
Description: Vegas Forum is forum software implemented in PHP. It is
prone to an SQL injection vulnerability. The application fails to
properly sanitize user supplied input before using it in an SQL query.
Specifically, input to the "postid" parameter of the "forumlib.php"
library is not properly sanitized. Vegas Forum version 1.0 is
vulnerable.
Ref: http://www.securityfocus.com/bid/17079/exploit
______________________________________________________________________

06.11.50 CVE: Not Available
Platform: Web Application
Title: Simple PHP Blog Install05.PHP Local File Include
Description: Simple PHP Blog is a web blog application implemented in
PHP. It is prone to a local file include vulnerability due to a lack
of sanitization of user supplied input. The "blog_language" parameter
of the "install05.php" script is not properly sanitized. Simple PHP
Blog version 0.4.7.1 and prior are vulnerable; other versions may be
affected as well.
Ref: http://www.securityfocus.com/bid/17102/exploit
______________________________________________________________________

06.11.51 CVE: Not Available
Platform: Web Application
Title: Drupal Multiple Input Validation Vulnerabilities
Description: Drupal is an open-source content management system. It is
prone to multiple input validation vulnerabilities due to improper
sanitization of user supplied input. The following specific issues
have been disclosed: Mail header injection vulnerability, Session
hijacking vulnerability, Cross-site scripting vulnerability,
Information disclosure vulnerability.
Ref: http://www.securityfocus.com/bid/17104/references
______________________________________________________________________

06.11.52 CVE: Not Available
Platform: Web Application
Title: php iCalendar Arbitrary File Upload
Description: php iCalendar is a web-based calendar application. It is
vulnerable to an arbitrary file upload issue due to insufficient
sanitization of user-supplied input to the "calendar/publish.ical.php"
script. php iCalendar versions 2.2.1 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17129/info
______________________________________________________________________

06.11.53 CVE: Not Available
Platform: Web Application
Title: Skull-Splitter PHP Guestbook HTML Injection
Description: PHP Guestbook is a web-based guestbook application.
Insufficient sanitization of the "url" parameter of the
"guestbook.php" script exposes the application to an HTML injection
issue. Skull-Splitter Guestbook version 2.6 is affected.
Ref: http://www.securityfocus.com/bid/17136
______________________________________________________________________

06.11.54 CVE: CVE-2006-0648
Platform: Web Application
Title: php iCalendar Local File Include
Description: php iCalendar is a web log application implemented in
PHP. It is prone to a local file-include vulnerability due to
insufficient sanitization of user-supplied input in cookie data. An
attacker may modify file paths in this cookie data using directory
traversal sequences "../" and include and execute local files in the
context of the affected webserver process. php iCalendar versions 2.21
and prior are vulnerable.
Ref: http://www.milw0rm.com/exploits/1585
______________________________________________________________________

06.11.55 CVE: Not Available
Platform: Web Application
Title: Milkeyway Captive Portal Multiple Input Validation
Vulnerabilities
Description: Milkeyway Captive Portal is a web-based portal
application. Insufficient sanitization of user-supplied data exposes
the application to various cross-site scripting and SQL injection
issues. Milkeyway Captive Portal versions 0.1.1 and earlier are
affected.
Ref: http://www.securityfocus.com/bid/17127
______________________________________________________________________

06.11.56 CVE: Not Available
Platform: Web Application
Title: Xhawk.net Discussion BBCode IMG Tag Script Injection
Description: xhawk.net discussion is a web-based bulletin board.
Insufficient sanitization of BBCode IMG tags exposes the application
to a script injection issue. Discussion version 2.0 beta2 is affected.
Ref: http://www.securityfocus.com/bid/17119
______________________________________________________________________

06.11.57 CVE: Not Available
Platform: Web Application
Title: KnowledgebasePublisher PageController.PHP Remote File Include
Description: KnowledgebasePublisher is an open-source web-based
knowledgebase/FAQ implemented in PHP. It is prone to a remote file
include vulnerability due to improper sanitization of user-supplied
input to the "dir" parameter of "PageController.PHP".
KnowledgebasePublisher version 1.2 is reported to be vulnerable; other
versions may also be vulnerable.
Ref: http://www.securityfocus.com/bid/17120/exploit
______________________________________________________________________

06.11.58 CVE: Not Available
Platform: Web Application
Title: ASP Portal Multiple Input Validation Vulnerabilities
Description: ASP Portal is a web-based portal application. It is
vulnerable to numerous input validation issues due to insufficient
sanitization of user-supplied input. ASP Portal version 3.0 is
vulnerable.
Ref: http://www.securityfocus.com/archive/1/427701
______________________________________________________________________

06.11.59 CVE: Not Available
Platform: Web Application
Title: Horde Application Framework Go.PHP Information Disclosure
Description: The Horde Application Framework is a suite of
applications implemented in PHP. It is prone to an information
disclosure vulnerability due to improper sanitization of user supplied
input. The problem presents itself in the "/services/go.php" script.
The application does not properly sanitize the "url" parameter before
processing it in a "readfile()" function call. An attacker can insert
a NULL character and control the input passed to that function.
Ref: http://www.securityfocus.com/archive/1/427710
______________________________________________________________________

06.11.60 CVE: Not Available
Platform: Web Application
Title: Nodez Multiple Input Validation Vulnerabilities
Description: Nodez is a content management system implemented in PHP.
It is prone to multiple input validation vulnerabilities due to
insufficient sanitization of user-supplied input to various scripts.
Nodez version 4.6.1.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/17066
______________________________________________________________________

06.11.61 CVE: Not Available
Platform: Web Application
Title: Core News Index.PHP Remote Code Execution
Description: Core News is a news reader application. Insufficient
sanitization of the "page" parameter in the "index.php" script exposes
the application to a remote code execution issue. Core News version
2.0.1 is affected.
Ref: http://www.securityfocus.com/bid/17067
______________________________________________________________________

06.11.62 CVE: Not Available
Platform: Web Application
Title: GuppY Dwnld.PHP Remote Directory Traversal
Description: GuppY is a web-based portal application implemented in
PHP. It is prone to a directory traversal vulnerability due to
improper sanitization of user-supplied input. The problem presents
itself in the "pg" parameter of the "dwnld.php" script. The current
directory traversal filter does not properly sanitize "%2E" from
attacker-supplied data. GuppY versions 4.5.11 and earlier are affected.
Ref: http://www.securityfocus.com/bid/17068/exploit
______________________________________________________________________
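
The GuppY entry above (06.11.62) describes a traversal filter that
misses the percent-encoded form "%2E" of a dot, and the Horde entry
(06.11.59) describes a NULL character reaching a "readfile()" call.
The following Python function is added here as an illustration of the
defensive pattern both cases call for; it is not code from GuppY,
Horde or any other project named in this bulletin. It decodes
percent-encoding fully before filtering, rejects NUL bytes, normalizes
the path and checks that it stays under the intended base directory.
The names safe_resolve, is_rejected and PathRejected, the base
directory and the sample inputs are constructed for the example.

```python
"""Added example: validate a user-supplied relative file path before
it is handed to a file-reading call. Not from GuppY or Horde."""
import posixpath
from urllib.parse import unquote

# How many layers of percent-encoding we are willing to peel off.
# "%252E" -> "%2E" -> "." needs two rounds; anything deeper is rejected.
MAX_DECODE_ROUNDS = 3


class PathRejected(ValueError):
    """Raised when the input must not be used as a file path."""


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing (bounded).

    Filtering "../" before decoding is the mistake described in the GuppY
    entry: "%2E%2E/" passes the filter and becomes "../" later.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise PathRejected("too many layers of percent-encoding")


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return base_dir joined with a validated relative path, or raise.

    base_dir is a constructed, trusted directory; user_path is untrusted.
    """
    # A NUL byte truncates C-string paths (the Horde entry's readfile()
    # case), so it is never legitimate in a file name. Check the raw
    # input and again after decoding, since "%00" decodes to NUL.
    if "\x00" in user_path:
        raise PathRejected("NUL byte in raw input")
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        raise PathRejected("NUL byte after percent-decoding")

    # Treat backslashes as separators so "..\\" cannot slip past
    # a forward-slash-only check.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise PathRejected("absolute path not allowed")

    # Collapse "./", "//" and "a/../" so the check below sees the real
    # shape of the path. Any leading ".." means it escapes base_dir.
    normalized = posixpath.normpath(decoded)
    if normalized in ("", "."):
        raise PathRejected("empty path")
    if normalized == ".." or normalized.startswith("../"):
        raise PathRejected("path escapes the base directory")

    return posixpath.join(base_dir, normalized)


def is_rejected(base_dir: str, user_path: str) -> bool:
    """True if safe_resolve refuses the input (helper for checks/tests)."""
    try:
        safe_resolve(base_dir, user_path)
    except PathRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign, the rest traversal or NUL tricks.
    base = "/var/www/files"
    samples = [
        "docs/readme.txt",                 # legitimate
        "%2E%2E/%2E%2E/etc/passwd",        # encoded dots (GuppY-style)
        "%252E%252E/etc/passwd",           # double-encoded dots
        "docs/..%2F..%2Fetc/passwd",       # encoded slash
        "calendar.ics%00.php",             # NUL truncation (Horde-style)
        "..\\..\\etc/passwd",              # backslash separators
        "/etc/passwd",                     # absolute path
    ]
    for s in samples:
        verdict = "REJECT" if is_rejected(base, s) else "allow"
        print(f"{verdict:6} {s}")
```

The order matters: decode first, then normalize, then check. Running the
filter on the raw, still-encoded string is exactly the gap the GuppY
entry describes, and checking for NUL only before decoding would let
"%00" through.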

06.11.63 CVE: Not Available
Platform: Web Application
Title: Zeroboard Multiple HTML Injection Vulnerabilities
Description: Zeroboard is a web-based bulletin board application
implemented in PHP. It is prone to HTML injection vulnerabilities due
to improper sanitization of user-supplied input before using it in
dynamically generated content. Specifically, the "memo" box title and
"user email" input fields of the homepage information page are not
properly sanitized. An attacker may take advantage of a flaw in the
"bbs/lib.php" script which prevents IP address spoofing, and conduct
HTML injection attacks on the administrative user. Zeroboard version
4.1-pl7 is vulnerable.
Ref: http://www.securityfocus.com/bid/17075
______________________________________________________________________

06.11.64 CVE: Not Available
Platform: Web Application
Title: 1 File Store Multiple Input Validation Vulnerabilities
Description: 1 File Store is a file archiving and member management
application. It is prone to multiple input validation vulnerabilities
due to improper sanitization of user supplied input. SQL injection
attacks are possible through the "email" parameter of the
"password.php" script. The "id" parameter in the following scripts is
also vulnerable. Cross-site scripting attacks are possible through the
"real_name", "email" and "login" parameters of the "signup.php"
script.
Ref: http://www.securityfocus.com/bid/17090
______________________________________________________________________

06.11.65 CVE: Not Available
Platform: Network Device
Title: BorderWare MXtreme Web Administration Remote Vulnerability
Description: BorderWare MXtreme is an email firewall. BorderWare
MXtreme web administration interface is prone to an unspecified
vulnerability. The cause and impact of this issue are currently
unknown. BorderWare MXtreme versions 5.0 and 6.0 are vulnerable.
Ref: http://www.securityfocus.com/bid/17140

______________________________________________________________________

(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEHvfu+LUG5KFpTkYRAmOFAJ9v3tGl3kX8Mvv8faN2bEkYdri3uACfbZvt
7eVeod+haCwunfSxWY65Y0U=
=7tyW
-----END PGP SIGNATURE-----