RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 12
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Mon Mar 27 2006 - 13:59:07 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Internet Explorer, Sendmail and RealPlayer are the packages with
critical vulnerabilities discovered this week.
Alan
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
March 27, 2006 Vol. 5. Week 12
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:
===================================================================
Platform                                  # of Updates & Vulnerabilities
===================================================================
Other Microsoft Products                   2 (#1)
Third Party Windows Apps                   8
Linux                                      5
HP-UX                                      2
BSD                                        2
Unix                                       3
Novell                                     1
Cross Platform                            14 (#2, #3)
Web Application - Cross Site Scripting    13
Web Application - SQL Injection            9
Web Application                           12
Network Device                             2
************************************************************************
SANS Training in San Diego, Munich, London and Washington DC
Turbo charge your security career or the careers of any of your
coworkers this spring in San Diego in early May: a dozen of SANS' most
popular courses and a vendor exposition right on the harbor.
http://www.sans.org/security06/
Or in London at the end of June: http://www.sans.org/london06
Or Munich in early April: http://www.sans.org/munich06
Or Washington in July right after July 4 for the biggest SANSFIRE ever:
with all 17 SANS immersion tracks and more than a dozen special courses,
a big exposition, and an inside look at how the Internet's Early Warning
System (Internet Storm Center) actually works. Bring your family for the
national fireworks show.
http://www.sans.org/sansfire06
*************************************************************************
Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Internet Explorer createTextRange Method Remote Code Execution
(2) HIGH: Sendmail Signal Handling Memory Corruption
(3) HIGH: RealNetworks RealPlayer Multiple Vulnerabilities
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Other Microsoft Products
06.12.1 - Microsoft Internet Explorer Unspecified Remote HTA Execution
06.12.2 - Microsoft Internet Explorer CreateTextRange Remote Code Execution
-- Third Party Windows Apps
06.12.3 - Veritas Backup Exec Media Server BEngine Service Format String Vulnerability
06.12.4 - WinHKI Remote Directory Traversal
06.12.5 - avast! Antivirus Local Insecure Permissions
06.12.6 - MailEnable Enterprise/Professional Editions Webmail Denial of Service
06.12.7 - MailEnable Unspecified POP Authentication Bypass
06.12.8 - Microsoft ASP.NET COM Components W3WP Remote Denial of Service
06.12.9 - Counterpane Password Safe Insecure Random Number Generation
06.12.10 - Baby FTP Server Information Disclosure Weakness
-- Linux
06.12.11 - X.Org X Window Server Local Privilege Escalation
06.12.12 - Libcgi-session-perl Multiple Insecure Temporary File Creation Vulnerabilities
06.12.13 - Linux Kernel Netfilter Do_Replace Remote Buffer Overflow
06.12.14 - util-vserver Unknown Linux Capabilities
06.12.15 - Linux Kernel sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
-- HP-UX
06.12.16 - HP-UX Usermod Local Unauthorized Access
06.12.17 - HP-UX Swagentd Remote Denial Of Service
-- BSD
06.12.18 - FreeBSD IPsec Replay Vulnerability
06.12.19 - OPIE Arbitrary Account Password Change
-- Unix
06.12.20 - Jabber Studio JabberD Remote Denial of Service
06.12.21 - FreeRADIUS EAP-MSCHAPv2 Authentication Bypass
06.12.22 - runit CHPST Privilege Escalation
-- Novell
06.12.23 - Novell SSL Server Multiple Vulnerabilities
-- Cross Platform
06.12.24 - Monotone MT File Arbitrary Code Execution
06.12.25 - Veritas Backup Exec Multiple Remote Denial of Service Vulnerabilities
06.12.26 - phpMyAdmin Set_Theme Cross-Site Scripting
06.12.27 - BEA WebLogic Server and WebLogic Express HTTP Response Splitting
06.12.28 - BEA WebLogic Server Remote Filesystem Access
06.12.29 - BEA WebLogic Server Remote Denial of Service
06.12.30 - WebLogic Server and WebLogic Express Invalid Login Attempts Weakness
06.12.31 - snmptrapfmt Insecure Temporary File Creation
06.12.32 - Sendmail Asynchronous Signal Handling Remote Code Execution
06.12.33 - RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
06.12.34 - Orion Application Server JSP Source Disclosure
06.12.35 - Sendmail SM_SysLog Remote Memory Leak Denial Of Service
06.12.36 - IBM Tivoli Business Systems Manager APWC_Win_Main.JSP Cross-Site Scripting
06.12.37 - Internet Security Systems BlackICE and RealSecure Desktop Local Privilege Escalation
-- Web Application - Cross Site Scripting
06.12.38 - Invision Power Board Multiple Cross-Site Scripting Vulnerabilities
06.12.39 - ExtCalendar Cross-Site Scripting Vulnerabilities
06.12.40 - Woltlab Burning Board Class_DB_MySQL.PHP Cross-Site Scripting
06.12.41 - Noah's Classifieds Index.PHP Multiple Cross-Site Scripting
06.12.42 - Streber Unspecified HTML Injection
06.12.43 - Verisign MPKI 6.0 Haydn.EXE Cross-Site Scripting
06.12.44 - Virtual Communication Services VPMi Service_Requests.ASP Cross-Site Scripting
06.12.45 - PHP Live! Status_Image.PHP Cross-Site Scripting
06.12.46 - Invision Power Board PM Cross-Site Scripting
06.12.47 - EasyMoblog Img.PHP Cross-Site Scripting
06.12.48 - CoMoblog Img.PHP Cross-Site Scripting
06.12.49 - Webcheck Username HTML Injection
06.12.50 - Pubcookie Multiple Cross-Site Scripting Vulnerabilities
-- Web Application - SQL Injection
06.12.51 - xhawk.net Discussion Discussion.Class.PHP SQL Injection
06.12.52 - BetaParticle Blog Multiple SQL Injection Vulnerabilities
06.12.53 - phpWebsite Multiple SQL Injection Vulnerabilities
06.12.54 - Skull-Splitter Download Counter for Wallpapers Count.PHP SQL Injection
06.12.55 - Maian Weblog Multiple SQL Injection Vulnerabilities
06.12.56 - SoftBB Reg.PHP SQL Injection
06.12.57 - ASP Portal Download_click.ASP SQL Injection
06.12.58 - 1WebCalendar Multiple SQL Injection Vulnerabilities
06.12.59 - AdMan ViewStatement.PHP SQL Injection
-- Web Application
06.12.60 - MusicBox Multiple Input Validation Vulnerabilities
06.12.61 - CutePHP CuteNews Function.PHP Local File Include
06.12.62 - BEA WebLogic Portal JSR-168 Portlets Information Disclosure
06.12.63 - gCards Multiple Input Validation Vulnerabilities
06.12.64 - Free Articles Directory Remote File Include Vulnerability
06.12.65 - PHP SimpleNEWS Authentication Bypass
06.12.66 - OSWiki Username HTML Injection
06.12.67 - AnyPortal(PHP) Siteman.PHP3 Directory Traversal
06.12.68 - Beagle Insecure Application Path
06.12.69 - VBulletin ImpEx Remote File Include
06.12.70 - eXpandable Home Page CMS Multiple Access Validation Vulnerabilities
06.12.71 - Pablo Software Solutions Baby Web/Quick 'n Easy Web ASP Source Disclosure
-- Network Device
06.12.72 - F5 Firepass 4100 SSL VPN Cross-Site Scripting
06.12.73 - Motorola PEBL U6 OBEX Setpath Buffer Overflow
*************************************************************************
Sponsored Links:
1) The SANS@Home program brings the same courses taught at SANS
conferences right to your home. Many new classes starting in April.
See http://www.sans.org/info.php?id=1082
*********************************************************************
PART I Critical Vulnerabilities
Part I is compiled by Rohit Dhamankar at TippingPoint, a division of
3Com, as a by-product of that company's continuous effort to ensure that
its intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from
a council of security managers from twelve large organizations who
confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be
found at http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk
*************************
Widely Deployed Software
*************************
(1) CRITICAL: Internet Explorer createTextRange Method Remote Code Execution
Affected:
Internet Explorer 5.01, 6 and 7 Beta 2
Description: Internet Explorer contains a heap memory corruption
vulnerability that can be triggered by a JavaScript call to the
"createTextRange" method. This method creates a "textRange" object
that represents the text in an HTML element. Invoking the
"createTextRange" method on a "checkbox" object can be exploited to
corrupt heap memory, leading to arbitrary code execution. A specially
crafted webpage or HTML email can exploit this flaw to compromise a
user's system. Exploit code has been publicly posted and attacks have
been recorded in the wild. SANS Internet Storm Center reports that
around 100 sites are using the exploit to install Trojans and other
malware on compromised systems. A researcher has posted a tool that can
be used to stress test the implementation of other DHTML methods, and
reported that Internet Explorer crashes in three other instances.
Another researcher has reportedly found a flaw in IE that can be used
to run arbitrary HTA code.
Status: Microsoft is aware of the issues and is working on releasing the
fix along with the April patches. Microsoft is also planning to roll
changes in IE's automatic handling of multimedia content in the next
patch that may cause issues with certain websites (EOLAS changes). A
workaround is to turn off the "Active Scripting" option in IE (which
will break normal functioning of many webpages) or use another browser
like Firefox. Use updated AV and IDS/IPS signatures to prevent users
from loading malicious webpages or emails.
Council Site Actions:
Most are reviewing turning off "Active Scripting", but will likely wait
for vendor patch/fix. The great majority will obtain the update through
the public Microsoft Update site, or through their local WSUS server,
whenever Microsoft releases a patch. Antivirus may buy some degree of
protection in the meantime.
References:
Secunia Advisory
http://archives.neohapsis.com/archives/secunia/2006-q1/1088.html
Microsoft Advisory
http://www.microsoft.com/technet/security/advisory/917077.mspx
Microsoft Security Response Center Blog
http://blogs.technet.com/msrc/
SANS Incident Handler's Diary
http://www.incidents.org/diary.php?storyid=1223
http://www.incidents.org/diary.php?storyid=1221
Tool for Testing DHTML Methods
http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
Undisclosed vulnerability in IE
http://jeffrey.vanderstad.net/grasshopper/
Exploit Code
http://www.milw0rm.com/exploits/1606
http://www.milw0rm.com/exploits/1607
IE Changes Planned for Next Update (EOLAS)
http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,109866,00.html?source=NLT_SEC&nid=109866
SecurityFocus BIDs
http://www.securityfocus.com/bid/17196
****************************************************************
(2) HIGH: Sendmail Signal Handling Memory Corruption
Affected:
Open Source: Sendmail version 8.13.5 and prior
Commercial Products:
Sendmail Sentrion Appliance version 1.1
Sendmail Switch/Managed MTA/Multi-Switch version 3.1.7 and prior
Sendmail Advanced Message Server and Message Store version 2.2 and prior
Intelligent Quarantine version 3.0
All other OSes and third party software using affected versions of Sendmail.
Description: Sendmail is the most common mail transfer agent (MTA) used
on the Internet and, according to certain estimates, handles between 50
and 75% of e-mail traffic. Sendmail contains a vulnerability in the
"signal" handling code that deals with "timeouts" during SMTP
connections. (Signals are used to notify a process or a thread about
certain events.) A remote attacker can trigger the vulnerability by
sending a sequence of SMTP commands under certain timing conditions
along with a specially crafted e-mail message. The flaw can be exploited
to corrupt the process stack or heap memory and execute arbitrary code
with the privileges of the sendmail process (root in older versions).
A proof-of-concept exploit has been publicly posted.
Status: Sendmail has released version 8.13.6 to fix the problem. Patches
for versions 8.15.5 and 8.12.11 are also available. Major Linux vendors
like RedHat, Gentoo, OpenPKG, Fedora have released updated sendmail
packages. Sun and IBM have also released patches for Solaris and AIX
respectively. For other affected vendors, please refer to the CERT
advisory.
Council Site Actions: One site has sendmail enabled only in
loopback-listening mode and plans to deploy the patch during its next
regularly scheduled system maintenance cycle. Another site is affected
only on its Sun platforms; it is currently testing the patches and
will deploy them soon. The third site plans to deploy patches for heavily
used systems after some initial testing over the next few weeks. Its
lightly used systems will automatically obtain updates from their Linux
distributors.
References:
ISS Advisory
http://xforce.iss.net/xforce/alerts/id/216
Sendmail Advisory
http://www.sendmail.com/company/advisory/
CERT Advisory
http://www.kb.cert.org/vuls/id/834865
Posting by Mark Dowd (discoverer)
http://archives.neohapsis.com/archives/dailydave/2006-q1/0250.html
Posting by Dave Aitel
http://archives.neohapsis.com/archives/dailydave/2006-q1/0255.html
PoC Code
http://rapturesecurity.org/jack/exploiting_sendmail.html
SecurityFocus BID
http://www.securityfocus.com/bid/17192
****************************************************************
(3) HIGH: RealNetworks RealPlayer Multiple Vulnerabilities
Affected:
RealPlayer, RealOne Player, Mac Real Player, Mac RealOne Player, Helix
Player, Linux RealPlayer
Description: RealPlayer contains multiple vulnerabilities that can lead
to remote compromise of users' systems running the vulnerable version
of the media players.
(a) The players contain buffer overflows in the handling of specially
crafted SWF and MBC file formats. A malicious media file posted on a
webpage, shared via P2P or placed in a shared folder can exploit the
overflows to execute arbitrary code on a client system. The technical
details required to craft an exploit have not been released yet.
(b) The players contain a heap-based overflow that can be triggered by
specially crafted "chunked data" during an HTTP download. The chunked
transfer mechanism allows an HTTP server to break the data into smaller
pieces or "chunks", each of which is preceded by its length. The heap
corruption can be triggered by a chunk with size -1 or a chunk whose
data is larger than the declared length. A malicious server hosting a
media file can exploit this overflow to execute arbitrary code on a
client system.
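The two malformed inputs described in (b) are exactly what a strict chunked-transfer decoder must refuse before copying anything. The decoder below is an added example, not RealNetworks code; the per-chunk and total-body caps are assumptions chosen for the example.

```python
"""Strict HTTP chunked-transfer decoder.

Added example; not RealNetworks code. It rejects the two malformed
inputs the advisory describes: a chunk size that is negative or
implausibly large, and chunk data that does not match its declared
length. The limits below are assumptions for the example.
"""
import re

MAX_CHUNK_SIZE = 1 << 20   # assumed per-chunk cap (1 MiB)
MAX_BODY_SIZE = 64 << 20   # assumed total decoded-body cap (64 MiB)

# chunk-size line: 1..8 hex digits plus an optional ";ext" part; no sign.
# A strtol()-style parser would accept "-1" and, once the value is stored
# in an unsigned size, turn it into an enormous copy length.
_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:[ \t]*;[^\r\n]*)?$")


class ChunkError(ValueError):
    """Raised for any malformed chunked body; the caller must drop the stream."""


def decode_chunked(stream: bytes) -> bytes:
    """Decode a complete chunked body, validating every chunk boundary."""
    out = bytearray()
    pos = 0
    while True:
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            raise ChunkError("truncated chunk-size line")
        m = _SIZE_LINE.match(stream[pos:nl])
        if not m:
            raise ChunkError(f"bad chunk-size line: {stream[pos:nl]!r}")
        size = int(m.group(1), 16)
        if size > MAX_CHUNK_SIZE:
            raise ChunkError(f"chunk size {size} exceeds cap")
        pos = nl + 2
        if size == 0:
            # Last chunk: skip optional trailer lines up to the empty line.
            while True:
                nl = stream.find(b"\r\n", pos)
                if nl < 0:
                    raise ChunkError("truncated trailer")
                if nl == pos:
                    return bytes(out)
                pos = nl + 2
        body_end = pos + size
        if body_end + 2 > len(stream):
            raise ChunkError("truncated chunk data")
        if stream[body_end:body_end + 2] != b"\r\n":
            # Bytes keep coming where the delimiter should be: the data is
            # longer than declared. Never copy past the declared size.
            raise ChunkError("chunk data longer than declared length")
        if len(out) + size > MAX_BODY_SIZE:
            raise ChunkError("decoded body exceeds cap")
        out += stream[pos:body_end]
        pos = body_end + 2


def rejects(stream: bytes) -> bool:
    """True if the decoder refuses the stream (helper for quick checks)."""
    try:
        decode_chunked(stream)
    except ChunkError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample streams: one well-formed, two from the advisory's cases.
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    print(rejects(b"-1\r\nAAAA\r\n0\r\n\r\n"))            # negative size
    print(rejects(b"5\r\nhelloworld\r\n0\r\n\r\n"))       # data longer than declared
```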
Status: Fixed versions have been issued for all the affected media
players. Enable the "Autoupdate" feature available in the players to
keep them updated.
Council Site Actions: The software is not officially supported at the
reporting council sites, although it is used by many at the respective
sites. Two sites are relying on the "Autoupdate" feature to download
the latest version. The third site uses SMS to search for and remove
the software from their workstations on a regular basis. This forces
their user community to download and install the latest releases when
they want to use the software.
References:
RealNetworks Advisory
http://service.real.com/realplayer/security/03162006_player/en/
iDefense Advisory
http://archives.neohapsis.com/archives/vulnwatch/2006-q1/0088.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/17202
****************************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 12, 2006
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4949 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
______________________________________________________________________
06.12.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer Unspecified Remote HTA Execution
Description: Microsoft Internet Explorer is affected by an unspecified
remote issue. HTA files are HTML applications that are given higher
levels of trust and access to the local system than remote web pages
are normally given. Due to this higher level of trust, successful
exploits may facilitate arbitrary remote code execution and the
compromise of affected computers. This vulnerability affects Internet
Explorer 6.0 running on Microsoft Windows 98, Windows XP, and Windows
Server 2003.
Ref: http://www.securityfocus.com/bid/17181
______________________________________________________________________
06.12.2 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer CreateTextRange Remote Code
Execution
Description: Microsoft Internet Explorer is affected by a remote code
execution issue due to a flaw in the application that results in an
invalid table pointer dereference. Certain uses of the
"createTextRange()" JavaScript method expose this issue. Internet
Explorer 6 and 7 beta 2 are affected.
Ref: http://www.securityfocus.com/bid/17196
______________________________________________________________________
06.12.3 CVE: CVE-2006-1298
Platform: Third Party Windows Apps
Title: Veritas Backup Exec Media Server BEngine Service Format String
Vulnerability
Description: Veritas Backup Exec Media Server provides backup
solutions. The "bengine.exe" is vulnerable to a remote format string
issue due to insufficient handling of malicious filenames during a
backup run. Symantec Veritas Backup Exec for Windows Servers versions
10.1 and earlier are vulnerable.
Ref: http://seer.support.veritas.com/docs/282254.htm
______________________________________________________________________
06.12.4 CVE: CVE-2006-1323
Platform: Third Party Windows Apps
Title: WinHKI Remote Directory Traversal
Description: WinHKI is a file compression and decompression
application. It is vulnerable to a directory traversal issue when the
application processes malformed RAR and TAR archives. WinHKI versions
1.6 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17153/info
______________________________________________________________________
06.12.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: avast! Antivirus Local Insecure Permissions
Description: The avast! antivirus application is prone to a local
insecure permissions vulnerability because it incorrectly resets the
permissions on critical files in the "Program Files\Alwil
Software\Avast4" directory during its periodic update process. avast!
4.x versions are vulnerable.
Ref: http://www.securityfocus.com/bid/17158
______________________________________________________________________
06.12.6 CVE: CVE-2006-1338
Platform: Third Party Windows Apps
Title: MailEnable Enterprise/Professional Editions Webmail Denial of
Service
Description: MailEnable is an email server application. It is
vulnerable to a remote denial of service issue due to insufficient
handling of specially formatted "quoted-printable" emails. The
following versions resolve this issue: MailEnable Professional version
1.73 and Enterprise Edition version 1.21.
Ref: http://www.mailenable.com/enterprisehistory.asp
______________________________________________________________________
06.12.7 CVE: CVE-2006-1337
Platform: Third Party Windows Apps
Title: MailEnable Unspecified POP Authentication Bypass
Description: MailEnable is an email server application. It is
vulnerable to an unspecified authentication bypass issue in the POP
service. The following versions resolve this issue: MailEnable
Professional version 1.73, Enterprise Edition version 1.21 and
standard version 1.93.
Ref: http://www.mailenable.com/standardhistory.asp
______________________________________________________________________
06.12.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: Microsoft ASP.NET COM Components W3WP Remote Denial of Service
Description: w3wp.exe is a worker process associated with the
Microsoft IIS access pool. ASP.NET is a set of tools based on the .NET
framework for building web applications. The application is affected
by a remote denial of service issue due to the "ASPCompat" directive
when accessing COM and COM+ components.
Ref: http://www.securityfocus.com/bid/17188
______________________________________________________________________
06.12.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: Counterpane Password Safe Insecure Random Number Generation
Description: Counterpane Password Safe is a password storage
application for Microsoft Windows operating systems. It is susceptible
to an insecure random number generation vulnerability that allows
easier brute force decryption attacks. This issue is due to a failure
of the application to properly utilize a cryptographically secure
random number generation algorithm. This issue is only present when
Password Safe 3.0 is running on operating systems prior to Microsoft
Windows XP. Version 3.0 of the software is vulnerable.
Ref: http://www.securityfocus.com/archive/1/428552
______________________________________________________________________
06.12.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: Baby FTP Server Information Disclosure Weakness
Description: Baby FTP Server is vulnerable to an information
disclosure weakness due to insufficient sanitization of user-supplied
input such as "../". Baby FTP Server version 1.24 is vulnerable.
Ref: http://www.securityfocus.com/bid/17205/info
______________________________________________________________________
06.12.11 CVE: CVE-2006-0745
Platform: Linux
Title: X.Org X Window Server Local Privilege Escalation
Description: The X.Org X server is a window server for Unix variants.
It is vulnerable to a privilege escalation issue due to insufficient
verification of credentials before permitting access to the
"modulepath" and "logfile" command line options. X.Org X server
version X11R7 1.0.2 resolves the issue.
Ref: http://www.securityfocus.com/archive/1/428230
______________________________________________________________________
06.12.12 CVE: Not Available
Platform: Linux
Title: Libcgi-session-perl Multiple Insecure Temporary File Creation
Vulnerabilities
Description: Libcgi-session-perl is vulnerable to multiple insecure
temporary file creation issues because session files are written in an
insecure manner such as with world readable permissions.
Libcgi-session-perl version 4.03-1 for Debian is vulnerable.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555
______________________________________________________________________
06.12.13 CVE: Not Available
Platform: Linux
Title: Linux Kernel Netfilter Do_Replace Remote Buffer Overflow
Description: The Linux kernel is susceptible to a remote buffer
overflow vulnerability due to improper boundary checking of user
supplied input before using it in a memory copy operation. Linux
kernel versions prior to 2.6.16 in the 2.6 series are affected by this
issue.
Ref: http://www.securityfocus.com/bid/17178
______________________________________________________________________
06.12.14 CVE: CVE-2005-4418
Platform: Linux
Title: util-vserver Unknown Linux Capabilities
Description: util-vserver is an administrative utility for the
Linux-VServer package. It is susceptible to an unknown Linux
capability vulnerability. This issue presents itself in the
"vc_get_insecurebcaps()" function in the "lib/getinsecurebcaps.c"
source file. This function operates on a list of hard coded
capabilities, and fails to consider all others. This issue has been
fixed in util-vserver version 0.30.210.
Ref: http://www.securityfocus.com/bid/17180
______________________________________________________________________
06.12.15 CVE: CVE-2006-1342, CVE-2006-1343
Platform: Linux
Title: Linux Kernel sockaddr_In.Sin_Zero Kernel Memory Disclosure
Vulnerabilities
Description: The Linux kernel is affected by multiple local memory
disclosure vulnerabilities. These issues are due to a failure of the
kernel to properly clear previously used kernel memory before
returning it to local users. These issues return 6 bytes of
previously used kernel memory in the "sockaddr_in.sin_zero" buffer
when local users call accept(), getpeername(), getsockname(), or
getsockopt() with the "SO_ORIGINAL_DST" option. Linux kernel versions
2.6.16-rc1 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17203/exploit
______________________________________________________________________
06.12.16 CVE: CVE-2006-1248
Platform: HP-UX
Title: HP-UX Usermod Local Unauthorized Access
Description: HP-UX is vulnerable to a local unauthorized access issue
because a certain combination of options relating to usermod results
in recursively modifying ownership of all files and directories under
a user's home directory. HP-UX versions B.11.00, B.11.11 and B.11.23
are vulnerable.
Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00614838&jumpid=reg_R1002_USEN
______________________________________________________________________
06.12.17 CVE: Not Available
Platform: HP-UX
Title: HP-UX Swagentd Remote Denial Of Service
Description: Swagentd is a local and remote software distribution
application for HP-UX. It is vulnerable to an unspecified remote
denial of service issue. HP-UX versions B.11.11 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/bid/17215/info
______________________________________________________________________
06.12.18 CVE: CVE-2006-0905
Platform: BSD
Title: FreeBSD IPsec Replay Vulnerability
Description: FreeBSD's IPsec implementation is vulnerable to remote
replay attacks due to a flaw in "fast_ipsec(4)" that allows all
packets to pass the anti-replay sequence number validation check.
FreeBSD versions 6.0 and earlier are vulnerable.
Ref: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:11.ipsec.asc
______________________________________________________________________
06.12.19 CVE: CVE-2006-1283
Platform: BSD
Title: OPIE Arbitrary Account Password Change
Description: OPIE is a one-time password system designed to protect
against replay attacks. It is prone to an arbitrary password change
vulnerability. This issue exists because "opiepasswd" uses "getlogin"
to identify the user that invoked "opiepasswd". Under certain
circumstances "getlogin" may return root even when it is running as an
unprivileged user, allowing the user to configure OPIE authentication
for the root user. FreeBSD versions 6.0 -STABLE and earlier are
vulnerable.
Ref: http://www.securityfocus.com/bid/17194
______________________________________________________________________
06.12.20 CVE: CVE-2006-1329
Platform: Unix
Title: Jabber Studio JabberD Remote Denial of Service
Description: Jabber Studio JabberD is an instant messaging protocol
application. It is vulnerable to a remote denial of service issue due
to insufficient handling of malformed network messages. Jabber Server
versions 2.0 s10 and earlier are vulnerable.
Ref: http://article.gmane.org/gmane.network.jabber.admin/27372
______________________________________________________________________
06.12.21 CVE: Not Available
Platform: Unix
Title: FreeRADIUS EAP-MSCHAPv2 Authentication Bypass
Description: FreeRADIUS is a freely available, open source
implementation of the RADIUS protocol. It is available for the Unix
and Linux platforms. FreeRADIUS is prone to an authentication bypass
vulnerability. This issue exists because adequate input validation was
not being performed in the EAP-MSCHAPv2 client state machine. This
could allow a user to manipulate the EAP-MSCHAPv2 client state machine
to convince the server to bypass authentication checks. FreeRADIUS
versions 1.0.0 to 1.1.0 are vulnerable.
Ref: http://www.freeradius.org/security.html
______________________________________________________________________
06.12.22 CVE: CVE-2006-1319
Platform: Unix
Title: runit CHPST Privilege Escalation
Description: runit is an "init" replacement package for Unix, Linux,
and other Unix-like operating systems. It is susceptible to a local
privilege escalation vulnerability. This issue is due to a flaw in the
"chpst" utility that results in programs gaining unintended, elevated
group privileges. runit versions prior to 1.4.1 are affected by this
issue.
Ref: http://www.securityfocus.com/bid/17179
______________________________________________________________________
06.12.23 CVE: CVE-2006-0997, CVE-2006-0998, CVE-2006-0999
Platform: Novell
Title: Novell SSL Server Multiple Vulnerabilities
Description: Novell SSL Server contains multiple vulnerabilities, such
as incorrectly facilitating cleartext communications or employing weak
encryption algorithms.
Novell Open Enterprise Server and Netware versions 6.5 SP4 and earlier
are vulnerable.
Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm
______________________________________________________________________
06.12.24 CVE: Not Available
Platform: Cross Platform
Title: Monotone MT File Arbitrary Code Execution
Description: Monotone is a version control system released under the
GNU GPL. Monotone is prone to an arbitrary code execution
vulnerability due to a design error in the application. This issue
only affects Monotone on case insensitive filesystems such as
Microsoft Windows and Apple Mac OS X. Monotone version 0.25 is
affected.
Ref: http://lists.gnu.org/archive/html/monotone-devel/2006-03/msg00062.html
______________________________________________________________________
06.12.25 CVE: Not Available
Platform: Cross Platform
Title: Veritas Backup Exec Multiple Remote Denial of Service
Vulnerabilities
Description: Veritas Backup Exec is a network enabled backup solution.
It is affected by multiple remote denial of service issues. The
vulnerabilities present themselves when the application handles
specially crafted Network Data Management Protocol (NDMP) packets.
Various versions of Backup Exec Windows, Linux and Netware are
affected.
Ref: http://www.securityfocus.com/bid/17098
______________________________________________________________________
06.12.26 CVE: Not Available
Platform: Cross Platform
Title: phpMyAdmin Set_Theme Cross-Site Scripting
Description: phpMyAdmin is a tool that provides a web interface for
handling MySQL administrative tasks. phpMyAdmin is prone to a
cross-site scripting vulnerability due to improper sanitization of
user supplied input to the "set_theme" parameter of "index.php".
phpMyAdmin version 2.8.1 is affected.
Ref: http://www.securityfocus.com/bid/17142/exploit
______________________________________________________________________
06.12.27 CVE: Not Available
Platform: Cross Platform
Title: BEA WebLogic Server and WebLogic Express HTTP Response
Splitting
Description: WebLogic Server and WebLogic Express are enterprise
application server products distributed by BEA Systems. They are prone
to an HTTP response splitting vulnerability. This issue is due to a
failure in the application to properly sanitize user supplied input
prior to using it to create dynamic content.
Ref: http://www.securityfocus.com/bid/17163
______________________________________________________________________
06.12.28 CVE: Not Available
Platform: Cross Platform
Title: BEA WebLogic Server Remote Filesystem Access
Description: WebLogic Server is prone to a vulnerability that could
allow a remote attacker with HTTP access to the server to read files
on the local filesystem. This issue exists because an internal
servlet installed by default allows access to the underlying Windows
filesystem. WebLogic Server version 6.1 is vulnerable.
Ref: http://dev2dev.bea.com/pub/advisory/180
______________________________________________________________________
06.12.29 CVE: Not Available
Platform: Cross Platform
Title: BEA WebLogic Server Remote Denial of Service
Description: BEA WebLogic Server and WebLogic Server Express are prone
to a remote denial of service issue due to a design error in the
application's XML parser. BEA Weblogic Server version 8.1 is affected.
Ref: http://www.securityfocus.com/bid/17167
______________________________________________________________________
06.12.30 CVE: Not Available
Platform: Cross Platform
Title: WebLogic Server and WebLogic Express Invalid Login Attempts
Weakness
Description: WebLogic Server and WebLogic Express are enterprise
application server products distributed by BEA Systems. They are prone
to a weakness that permits excessive invalid login attempts against a
username. This issue can aid in brute force attacks. WebLogic
Server versions 8.1 SP 4 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17168
______________________________________________________________________
06.12.31 CVE: CVE-2006-0050
Platform: Cross Platform
Title: snmptrapfmt Insecure Temporary File Creation
Description: snmptrapfmt is a configurable SNMP trap handler daemon
for snmpd. snmptrapfmt creates temporary files in an insecure manner.
This may allow a local attacker to perform symbolic link attacks.
Debian Linux version 3.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/17182
______________________________________________________________________
06.12.32 CVE: CVE-2006-0058
Platform: Cross Platform
Title: Sendmail Asynchronous Signal Handling Remote Code Execution
Description: Sendmail is a widely used MTA for Unix and Microsoft
Windows systems. It is prone to a remote code execution vulnerability
due to an unspecified race condition error. Sendmail versions prior to
8.13.6 are vulnerable to this issue.
Ref: http://www.securityfocus.com/bid/17192
______________________________________________________________________
06.12.33 CVE: CVE-2006-0323, CAN-2005-2922
Platform: Cross Platform
Title: RealNetworks Multiple Products Multiple Buffer Overflow
Vulnerabilities
Description: Various RealNetworks products are prone to multiple
buffer overflow vulnerabilities. These issues arise because the
applications fail to perform boundary checks prior to copying
user-supplied data into sensitive process buffers. Please see the
advisory below for details.
Ref: http://www.securityfocus.com/bid/17202
______________________________________________________________________
06.12.34 CVE: CVE-2006-0816
Platform: Cross Platform
Title: Orion Application Server JSP Source Disclosure
Description: Orion Application Server is an enterprise application
server. It is vulnerable to Java Server Pages (JSP) source disclosure
due to insufficient validation of the filename extension. Orion
Application Server versions 2.0.5 and 2.0.6 are vulnerable.
Ref: http://secunia.com/secunia_research/2006-11/advisory/
______________________________________________________________________
06.12.35 CVE: CVE-2006-0058
Platform: Cross Platform
Title: Sendmail SM_SysLog Remote Memory Leak Denial Of Service
Description: Sendmail is a widely used MTA for UNIX and Microsoft
Windows systems. Sendmail is prone to a remote denial of service
vulnerability. This issue is due to a failure of the application to
properly free allocated memory regions when it is finished with them.
Remote attackers may leverage this issue to consume excessive memory,
eventually crashing the application. Sendmail versions prior to 8.13.6
are vulnerable to this issue.
Ref: http://www.sendmail.com/company/advisory/index.shtml
______________________________________________________________________
06.12.36 CVE: Not Available
Platform: Cross Platform
Title: IBM Tivoli Business Systems Manager APWC_Win_Main.JSP
Cross-Site Scripting
Description: IBM Tivoli Business Systems Manager is a web application
for the management of IT operations. It is prone to a cross-site
scripting vulnerability due to improper sanitization of user supplied
input to the "skin" parameter of the
"TbsmWebConsole/help/en/jsp/apwc_win_main.jsp" page. IBM Tivoli
Business Systems Manager version 3.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/17210/exploit
______________________________________________________________________
06.12.37 CVE: CAN-2005-2711
Platform: Cross Platform
Title: Internet Security Systems BlackICE and RealSecure Desktop Local
Privilege Escalation
Description: Multiple Internet Security Systems (ISS) products are
susceptible to a local privilege escalation vulnerability. This issue
is due to a failure of the application to properly lower the
privileges of the running process when required. This vulnerability
allows local attackers to access and execute arbitrary files with
SYSTEM privileges, facilitating the compromise of the local computer.
Ref: http://www.securityfocus.com/archive/1/428588
______________________________________________________________________
06.12.38 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Invision Power Board Multiple Cross-Site Scripting
Vulnerabilities
Description: Invision Power Board is a web-based bulletin board
application implemented in PHP. It is prone to multiple cross-site
scripting vulnerabilities due to improper sanitization of user
supplied input. Invision Board version 2.0.4 is vulnerable.
Ref: http://www.securityfocus.com/bid/17144/exploit
______________________________________________________________________
06.12.39 CVE: CVE-2006-1336
Platform: Web Application - Cross Site Scripting
Title: ExtCalendar Cross-Site Scripting Vulnerabilities
Description: ExtCalendar is a web-based calendar application that is
implemented in PHP. ExtCalendar is prone to multiple cross site
scripting vulnerabilities. ExtCalendar version 1.0 of the software is
vulnerable.
Ref: http://www.securityfocus.com/bid/17146
______________________________________________________________________
06.12.40 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Woltlab Burning Board Class_DB_MySQL.PHP Cross-Site Scripting
Description: Woltlab Burning Board is a web-based bulletin board
package. It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "errormsg"
variable in the "wbb/acp/lib/class_db_mysql.php" script. Woltlab
Burning Board version 2.3.4 is affected.
Ref: http://www.securityfocus.com/bid/17147
______________________________________________________________________
06.12.41 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Noah's Classifieds Index.PHP Multiple Cross-Site Scripting
Description: Noah's Classifieds is a general purpose web-based
advertising application. Insufficient sanitization of the "list" and
"method" parameters of the "index.php" script exposes the application
to multiple cross-site scripting issues.
Ref: http://www.securityfocus.com/bid/17151
______________________________________________________________________
06.12.42 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Streber Unspecified HTML Injection
Description: Streber is a web-based project management application
written in PHP. Streber is affected by an unspecified HTML injection
vulnerability. Streber versions 0.054 and prior are vulnerable.
Ref: http://www.securityfocus.com/bid/17157
______________________________________________________________________
06.12.43 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Verisign MPKI 6.0 Haydn.EXE Cross-Site Scripting
Description: Verisign's MPKI 6.0 package contains CGI common
components in various Verisign products, including those aimed at
Digital ID certificate enrollment, revocation and validation of server
certificates. It is prone to a cross-site scripting vulnerability due
to insufficient sanitization of user-supplied input to the
"VHTML_FILE" parameter of the "haydn.exe" script.
Ref: http://www.securityfocus.com/bid/17170/exploit
______________________________________________________________________
06.12.44 CVE: CVE-2006-1266
Platform: Web Application - Cross Site Scripting
Title: Virtual Communication Services VPMi Service_Requests.ASP
Cross-Site Scripting
Description: VPMi Enterprise is a project management system. It is
prone to a cross-site scripting vulnerability due to insufficient
sanitization of user-supplied input to the "Request_Name_Display"
parameter of the "Service_Requests.ASP" script. Virtual Communication
Services VPMi version 3.3 is affected.
Ref: http://www.securityfocus.com/bid/17172
______________________________________________________________________
06.12.45 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PHP Live! Status_Image.PHP Cross-Site Scripting
Description: PHP Live! is a live support system application. It is
vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "base_url" variable in the
"status_image.php" script. PHP Live! version 3.0 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/428452
______________________________________________________________________
06.12.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Invision Power Board PM Cross-Site Scripting
Description: Invision Power Board is a web-based bulletin board
application. It is prone to a cross-site scripting vulnerability due
to insufficient sanitization of user-supplied input through "PM".
Invision Board versions 2.1.5 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17187
______________________________________________________________________
06.12.47 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: EasyMoblog Img.PHP Cross-Site Scripting
Description: EasyMoblog is a web log application implemented in PHP.
It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "i" parameter
of the "img.php" script.
Ref: http://www.securityfocus.com/bid/17199/exploit
______________________________________________________________________
06.12.48 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: CoMoblog Img.PHP Cross-Site Scripting
Description: CoMoblog is a web log application. It is prone to a
cross-site scripting vulnerability due to insufficient sanitization of
user-supplied input to the "i" parameter of the "img.php" script.
CoMoblog version 1.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/17201
______________________________________________________________________
06.12.49 CVE: CVE-2006-1321
Platform: Web Application - Cross Site Scripting
Title: Webcheck Username HTML Injection
Description: Webcheck is a web site crawling application. It is
vulnerable to an HTML injection issue due to insufficient sanitization
of user-supplied input to the URL, title, or author name in a crawled
page. Webcheck versions 1.9.5 and earlier are vulnerable.
Ref: http://ch.tudelft.nl/~arthur/webcheck/news.html#2006013
______________________________________________________________________
06.12.50 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Pubcookie Multiple Cross-Site Scripting Vulnerabilities
Description: Pubcookie is a web application that provides single
sign-on authentication for multiple websites. It is prone to multiple
cross-site scripting vulnerabilities due to insufficient sanitization
of user-supplied input to the "mod_pubcookie" Apache module and ISAPI
filter as well as the "index.cgi" program. These issues were addressed
in Pubcookie versions 3.3.0a and 3.2.1b.
Ref: http://pubcookie.org/news/20060306-login-secadv.html
http://pubcookie.org/news/20060306-apps-secadv.html
______________________________________________________________________
06.12.51 CVE: Not Available
Platform: Web Application - SQL Injection
Title: xhawk.net Discussion Discussion.Class.PHP SQL Injection
Description: The "discussion" application from xhawk.net is bulletin
board software implemented in PHP. It is prone to an SQL injection
vulnerability due to insufficient sanitization of user-supplied input
to the "view" parameter of the "discussion.class.php" script.
xhawk.net version 2.0 beta2 is affected.
Ref: http://www.securityfocus.com/bid/17121
______________________________________________________________________
06.12.52 CVE: Not Available
Platform: Web Application - SQL Injection
Title: BetaParticle Blog Multiple SQL Injection Vulnerabilities
Description: BetaParticle Blog is a blogging application. Insufficient
sanitization of the "id" variable in the "template_permalink.asp"
script and the "fldGalleryID" variable in the
"template_gallery_detail.asp" script exposes the application to an SQL
injection issue. All current versions are affected.
Ref: http://www.securityfocus.com/bid/17148
______________________________________________________________________
06.12.53 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpWebsite Multiple SQL Injection Vulnerabilities
Description: phpWebSite is a content management system. It is prone to
multiple SQL injection vulnerabilities due to insufficient
sanitization of user-supplied input to the "sid" parameter of
"friend.php" and "article.php" scripts. phpWebsite versions 0.10.2 and
earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17150
______________________________________________________________________
06.12.54 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Skull-Splitter Download Counter for Wallpapers Count.PHP SQL
Injection
Description: Skull-Splitter Download Counter for wallpapers is a web
application implemented in PHP. Download Counter for Wallpapers is
prone to an SQL injection vulnerability due to improper sanitization
of user-supplied input. Specifically, input to the "count_fieldname",
"url_fieldname", and "url" parameters of the "count.php" script is not
properly sanitized. Skull-Splitter Download Counter for Wallpapers
version 1.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/17156
______________________________________________________________________
06.12.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Maian Weblog Multiple SQL Injection Vulnerabilities
Description: Maian Weblog is a web blogging application. Insufficient
sanitization of user-supplied input exposes the application to
multiple SQL injection issues. All current versions are affected.
Ref: http://www.securityfocus.com/bid/17159
______________________________________________________________________
06.12.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: SoftBB Reg.PHP SQL Injection
Description: SoftBB is a web-based forum application. It is prone to
an SQL injection vulnerability due to improper sanitization of
user-supplied input. Specifically, input to the "mail" parameter of
"reg.php" is not properly sanitized. SoftBB version 0.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/17160/exploit
______________________________________________________________________
06.12.57 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ASP Portal Download_click.ASP SQL Injection
Description: ASP Portal is a website management application.
Insufficient sanitization of the "downloadid" parameter of the
"download_click.asp" script exposes the application to an SQL
injection issue. ASP Portal version 3.1.1 is affected.
Ref: http://www.securityfocus.com/bid/17174
______________________________________________________________________
06.12.58 CVE: CVE-2006-1372
Platform: Web Application - SQL Injection
Title: 1WebCalendar Multiple SQL Injection Vulnerabilities
Description: 1WebCalendar is a web-based calendar application
implemented in Macromedia ColdFusion. 1WebCalendar is prone to
multiple SQL injection vulnerabilities.
Ref: http://pridels.blogspot.com/2006/03/1webcalendar-v-4x-vuln.html
______________________________________________________________________
06.12.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: AdMan ViewStatement.PHP SQL Injection
Description: AdMan is an advertisement management application. It is
prone to an SQL injection vulnerability due to insufficient
sanitization of user-supplied input to the "transactions_offset"
parameter of the "viewStatement.php" script. AdMan versions
1.0.20051221 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17208
______________________________________________________________________
06.12.60 CVE: Not Available
Platform: Web Application
Title: MusicBox Multiple Input Validation Vulnerabilities
Description: MusicBox is a web-based application for hosting a music
site. It is prone to multiple input validation vulnerabilities because
the application fails to properly sanitize user-supplied input. The
issues include three cross-site scripting vulnerabilities and two SQL
injection vulnerabilities. MusicBox 2.3-Beta 2 is reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/17149/exploit
______________________________________________________________________
06.12.61 CVE: Not Available
Platform: Web Application
Title: CutePHP CuteNews Function.PHP Local File Include
Description: CuteNews is a web-based news management application.
CuteNews is prone to a local file include vulnerability. This issue is
due to a failure in the application to properly sanitize user supplied
input. The problem presents itself in how "functions.inc.php"
sanitizes the "archive" parameter. CuteNews version 1.4.1 is
vulnerable.
Ref: http://www.securityfocus.com/bid/17152/references
______________________________________________________________________
06.12.62 CVE: CVE-2006-1358
Platform: Web Application
Title: BEA WebLogic Portal JSR-168 Portlets Information Disclosure
Description: BEA WebLogic Portal is prone to an information disclosure
vulnerability. The problem presents itself when the occasional JSR-168
Portlet is mistakenly rendered from cache. This may enable one user to
view another user's JSR-168 Portlet. Versions of Weblogic prior to 8.1
SP6 are vulnerable.
Ref: http://www.securityfocus.com/bid/17164
______________________________________________________________________
06.12.63 CVE: CVE-2006-1348, CVE-2006-1347, CVE-2006-1346
Platform: Web Application
Title: gCards Multiple Input Validation Vulnerabilities
Description: gCards is an electronic greeting card application. It is
vulnerable to multiple input validation issues, such as cross-site
scripting and SQL injection. These issues are due to insufficient
sanitization of user-supplied input. gCards versions 1.45 and earlier
are vulnerable.
Ref: http://www.milw0rm.com/exploits/1595
______________________________________________________________________
06.12.64 CVE: CVE-2006-1350
Platform: Web Application
Title: Free Articles Directory Remote File Include Vulnerability
Description: Free Articles Directory is a web-based application. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "page" parameter of the
"Index.php" script. All versions of Free Articles Directory are
vulnerable.
Ref: http://www.securityfocus.com/bid/17183/info
______________________________________________________________________
06.12.65 CVE: CVE-2006-1276
Platform: Web Application
Title: PHP SimpleNEWS Authentication Bypass
Description: PHP SimpleNEWS is prone to an authentication bypass
vulnerability. This is due to a lack of proper validation of cookie
data by the affected scripts. User authentication may be bypassed
simply by setting a value of "admin" to the "username" parameter of
the "admin.php" script. Once this is done, the administrative
interface of the application becomes available.
Ref: http://www.securityfocus.com/archive/1/428427
______________________________________________________________________
06.12.66 CVE: Not Available
Platform: Web Application
Title: OSWiki Username HTML Injection
Description: OSWiki is a web-based wiki application. It is affected by
an HTML injection vulnerability due to improper sanitization of
user-supplied input to the "username" input field before including it
in dynamically generated content. OSWiki versions prior to 0.3.1 are
vulnerable.
Ref: http://www.securityfocus.com/bid/17189
______________________________________________________________________
06.12.67 CVE: Not Available
Platform: Web Application
Title: AnyPortal(PHP) Siteman.PHP3 Directory Traversal
Description: AnyPortal(PHP) is a web-based portal application. It is
prone to a directory traversal vulnerability due to insufficient
sanitization of user-supplied input to the "siteman.php3" script.
AnyPortal(PHP) release "12 MAY 00" is vulnerable.
Ref: http://nger.org/anyportal/forum/read.php?f=1&i=152&t=152#reply_152
______________________________________________________________________
06.12.68 CVE: CAN-2006-1296
Platform: Web Application
Title: Beagle Insecure Application Path
Description: Beagle is a wiki application. It is vulnerable to an
insecure application path issue due to a design error with the
"beagle-status" script running the "beagle-info" script. Beagle
version 0.2.2.1 is vulnerable.
Ref: http://secunia.com/advisories/19278
______________________________________________________________________
06.12.69 CVE: Not Available
Platform: Web Application
Title: VBulletin ImpEx Remote File Include
Description: ImpEx is the importing and exporting system for
VBulletin. It is prone to a remote file include vulnerability due to
improper sanitization of user-supplied input to the "systempath"
variable of "ImpExData.php".
Ref: http://www.securityfocus.com/bid/17206/exploit
______________________________________________________________________
06.12.70 CVE: Not Available
Platform: Web Application
Title: eXpandable Home Page CMS Multiple Access Validation
Vulnerabilities
Description: eXpandable Home Page CMS is a web content management
application. Insufficient sanitization of user-supplied input exposes
the application to multiple access validation issues. eXpandable
version 0.5 is affected.
Ref: http://www.securityfocus.com/bid/17209
______________________________________________________________________
06.12.71 CVE: Not Available
Platform: Web Application
Title: Pablo Software Solutions Baby Web/Quick 'n Easy Web ASP Source
Disclosure
Description: A source disclosure issue is exposed in Pablo Software
Solutions Baby Web/Quick 'n Easy web server due to a failure to
properly validate filename extensions. Baby Web Server and versions
prior to 3.1.1 of its successor Quick 'n Easy Web Server are affected.
Ref: http://www.securityfocus.com/bid/17222
______________________________________________________________________
06.12.72 CVE: Not Available
Platform: Network Device
Title: F5 Firepass 4100 SSL VPN Cross-Site Scripting
Description: Firepass 4100 SSL VPN is a secure virtual private network
device that utilizes SSL over HTTPS versus the standard IPSec VPN. It
is prone to a cross-site scripting vulnerability. The application
fails to properly sanitize user-supplied input to the "username"
parameter of "my.support.php3". FirePass 4100 version 5.4.2 is
vulnerable.
Ref: http://www.securityfocus.com/bid/17175/exploit
______________________________________________________________________
06.12.73 CVE: Not Available
Platform: Network Device
Title: Motorola PEBL U6 OBEX Setpath Buffer Overflow
Description: Motorola PEBL U6 is a cellular telephone handset that
supports the Bluetooth protocol. Motorola PEBL U6 devices are prone to
a remote buffer overflow vulnerability. This issue occurs when the
device processes a "setpath()" with an excessively long argument
during an OBEX file transfer session. It is important to note that an
attacker would have to convince a vulnerable user to accept an OBEX
file transfer session in order to exploit this vulnerability. All
Motorola PEBL handsets are vulnerable to this issue; other handsets
may also be affected.
Ref: http://www.securityfocus.com/archive/1/428431
______________________________________________________________________
(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.
==end==
Subscriptions:
RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEKDfQ+LUG5KFpTkYRAuGDAJ4nl5BTWFo5kJ48EUd6UyuI/R2nmACfSAKm
AoMkiENN2p+Gm6W53AzxA6s=
=5Drn
-----END PGP SIGNATURE-----