RISK: The Consensus Security Vulnerability Alert Vol. 5 No. 19
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert sans.org)
Date: Mon May 15 2006 - 15:48:59 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A slew of last-minute additions makes this week's issue larger than
usual. Microsoft Exchange users have a particularly critical problem
to solve. Your Blackberry users will scream, because they will be
disabled, but if you don't fix it, unauthenticated attackers can take
full control of your Exchange servers. (31 vulnerabilities this week.)
Verisign, Adobe, Real, EMC, and Sophos users also have immediate
work to do. Apple is distributing fixes for 31 vulnerabilities in OS/X
and some for QuickTime, too.
Alan
PS. This Wednesday (May 17) is the early registration deadline for
SANSFIRE, the largest security training conference and exposition in
Washington DC. Eighteen immersion tracks. Wednesday is also the early
registration deadline for SANS London.
SANSFIRE: http://www.sans.org/sansfire06/
SANS London: http://www.sans.org/london06/index.php
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
May 15, 2006 Vol. 5. Week 19
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
Summary of the vulnerabilities reported this week:
- -----------------------------------------------------------------
Platform                                 Number of Updates and Vulnerabilities
- -----------------------------------------------------------------
Windows                                   3 (#1, #5, #13)
Third Party Windows Apps                  7 (#9, #10, #11)
Mac Os                                    1 (#2)
Linux                                     4
Solaris                                   1
Unix                                      2
Novell                                    2 (#12)
Cross Platform                            8 (#3, #4, #6, #7, #8)
Web Application - Cross Site Scripting   12
Web Application - SQL Injection          15
Web Application                          32
Network Device                            1
****************** Sponsored By Blue Coat Systems, Inc. *****************
New eBooklet - SSL VPNs: Lesson Learned
Sponsored by: Blue Coat
Get the most out of SSL VPNs. Honest, technical, and to-the-point, this
eBooklet, by analyst Don Jones, discusses what SSL VPNs promised, how
they originally failed to deliver, and why the technology is making a
comeback. He answers your questions, explains the technology, and sets
you on the path to success. Learn more.
http://www.sans.org/info.php?id=1162
*************************************************************************
Part I -- Critical Vulnerabilities from TippingPoint, a division of 3Com
(www.tippingpoint.com)
Widely Deployed Software
(1) CRITICAL: Microsoft Exchange Calendar Properties Buffer Overflow (MS06-019)
(2) HIGH: Apple Mac OS X Security Update 2006-003
(3) HIGH: Apple QuickTime Multiple Buffer Overflows
(4) HIGH: RealVNC Remote Authentication Bypass Vulnerability
(5) HIGH: Adobe Macromedia Flash Player Remote Code Execution (MS06-020)
(6) MODERATE: Sophos Antivirus CAB File Processing Overflow
(7) MODERATE: Adobe Dreamweaver Server Behaviour SQL Injection
Other Software
(8) HIGH: EMC Retrospect Client Packet Handling Remote Buffer Overflow
(9) HIGH: VeriSign i-Nav ActiveX Control Remote Code Execution
(10) HIGH: wodSSHServer ActiveX Component Buffer Overflow
(11) MODERATE: Novell Client for Windows Buffer Overflow
(12) MODERATE: Novell NetWare Distributed Print Services Integer Overflow
Update
(13) Microsoft Distributed Transaction Coordinator Heap Overflow
************************ Sponsored Links: *******************************
1) Protect corporate data on stolen computers and avoid costly
litigation. Delete data remotely with Computrace(R) Data Protection.
http://www.sans.org/info.php?id=1163
2) Free white paper - consolidate, correlate, generate "rules-based"
reports for millions of events a day.
http://www.sans.org/info.php?id=1164
3) WhatWorks in Log Management - a county court finds a solution to
centralize events and streamline reporting.
http://www.sans.org/info.php?id=1165
*************************************************************************
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)
-- Windows
06.19.1 - Windows MSDTC Heap Buffer Overflow
06.19.2 - Windows MSDTC Invalid Memory Access Denial of Service
06.19.3 - Microsoft Internet Explorer Position CSS Denial of Service
-- Third Party Windows Apps
06.19.4 - Xeneo Web Server Source Disclosure
06.19.5 - Kerio WinRoute Firewall Unspecified Remote Denial of Service
06.19.6 - Intervations FileCopa User Command Remote Buffer Overflow
06.19.7 - Cisco Secure ACS Insecure Password Storage
06.19.8 - TZipBuilder ZIP File Buffer Overflow
06.19.9 - ICQ Banner Ad Cross-Application Scripting
06.19.10 - Verisign i-Nav ActiveX Control Remote Buffer Overflow
-- Mac Os
06.19.11 - Apple Mac OS X Security Update 2006-003 Multiple Vulnerabilities
-- Linux
06.19.12 - pstotext Arbitrary Script Code Execution
06.19.13 - ISPConfig Session.INC.PHP Remote File Include
06.19.14 - Linux Kernel Multiple SCTP Remote Denial of Service Vulnerabilities
06.19.15 - Linux Kernel Lease_Init Local Denial of Service
-- Solaris
06.19.16 - Solaris LibIKE IKE Exchange Denial of Service
-- Unix
06.19.17 - Inter7 Vpopmail Authentication Bypass
06.19.18 - Dovecot Remote Information Disclosure
-- Novell
06.19.19 - Novell NetWare Distributed Print Services Integer Overflow
06.19.20 - Novell Client Unspecified Buffer Overflow
-- Cross Platform
06.19.21 - Sophos Anti-Virus CAB File Scanning Remote Heap Overflow
06.19.22 - IBM WebSphere Application Server Welcome Page Security Restriction Bypass
06.19.23 - Multiple Cisco Products WebSense Content Filtering Bypass
06.19.24 - Avahi Buffer Overflow and Denial of Service Vulnerabilities
06.19.25 - OpenOBEX IRCP Arbitrary File Overwrite
06.19.26 - 3Com TippingPoint SMS Information Disclosure
06.19.27 - Symantec Enterprise Firewall / Gateway Security HTTP Proxy Internal IP Leakage
06.19.28 - QuickTime Multiple Integer and Buffer Overflow Vulnerabilities
-- Web Application - Cross Site Scripting
06.19.29 - Singapore Index.PHP Cross-Site Scripting
06.19.30 - OpenFAQ Validate.PHP HTML Injection
06.19.31 - Vision Source CMS User Profile HTML Injection
06.19.32 - FaktoryStudios EasyEvent Index.PHP Cross-Site Scripting
06.19.33 - CuteNews Multiple Cross-Site Scripting Vulnerabilities
06.19.34 - EPublisherPro Moreinfo.ASP Cross-Site Scripting
06.19.35 - PHP Live Helper Chat.PHP Cross-Site Scripting
06.19.36 - Jadu CMS Multiple Cross-Site Scripting Vulnerabilities
06.19.37 - ColdFusion Required Fields Cross-Site Scripting
06.19.38 - ManageEngine OpManager Search.DO Cross-Site Scripting
06.19.39 - Vizra A_Login.PHP Cross-Site Scripting
06.19.40 - OZJournals Vname Parameter Cross-Site Scripting
-- Web Application - SQL Injection
06.19.41 - 2005-Comments-Script Multiple Cross-Site Scripting Vulnerabilities
06.19.42 - VP-ASP Shopping Cart Shopcurrency.ASP SQL Injection
06.19.43 - Flexcustomer Login SQL Injection
06.19.44 - Creative Community Portal Multiple SQL Injection Vulnerabilities
06.19.45 - Limbo CMS Index.PHP SQL Injection
06.19.46 - EvoTopsite Index.PHP Multiple SQL Injection Vulnerabilities
06.19.47 - MultiCalendars All_calendars.ASP SQL Injection
06.19.48 - MyBB Showthread.PHP SQL Injection
06.19.49 - EImagePro Multiple SQL Injection Vulnerabilities
06.19.50 - EDirectoryPro Search_result.ASP SQL Injection
06.19.51 - DUWare DUGallery Login SQL Injection
06.19.52 - Ozzywork Galeri Admin Login SQL Injection
06.19.53 - Dreamweaver Multiple SQL Injection Vulnerabilities
06.19.54 - Application Dynamics Cartweaver ColdFusion SQL Injection Vulnerabilities
06.19.55 - AliPAGER Elementz.PHP SQL Injection
-- Web Application
06.19.56 - Claroline Multiple Remote File Include Vulnerabilities
06.19.57 - Ocean12 Calendar Manager Pro Multiple Input Validation Vulnerabilities
06.19.58 - Jetbox CMS Config.PHP Remote File Include
06.19.59 - Chipmunk Blogger Multiple Input Validation Vulnerabilities
06.19.60 - PHP-Fusion Multiple Local File Include Vulnerabilities
06.19.61 - Timobraun Dynamic Galerie Multiple Input Validation Vulnerabilities
06.19.62 - Drupal Project Module HTML Injection
06.19.63 - Chipmunk Forum Multiple Input Validation Vulnerabilities
06.19.64 - MyBloggie BBCode IMG Tag HTML Injection
06.19.65 - PassMasterFlex Multiple HTML Injection Vulnerabilities
06.19.66 - Online Universal Payment System Script Multiple Input Validation Vulnerabilities
06.19.67 - ACal Day.PHP Remote File Include
06.19.68 - Nagios Remote Negative Content-Length Buffer Overflow
06.19.69 - Phil's Bookmark Script Admin.PHP Authentication Bypass
06.19.70 - Website Baker User Display Name HTML Injection
06.19.71 - X7 Chat Avatar URL HTML Injection
06.19.72 - openEngine Template Unauthorized Access
06.19.73 - MyBBoard Email SQL Injection
06.19.74 - StatIt Visible_count_inc.PHP Remote File Include
06.19.75 - Maxx Schedule Multiple Input Validation Vulnerabilities
06.19.76 - UBlog Text Field HTML Injection
06.19.77 - X-POLL Add.PHP Input Validation
06.19.78 - Dokeos LDAP_VAR.INC.PHP Remote File Include
06.19.79 - IBM Websphere Application Server Multiple Vulnerabilities
06.19.80 - phpCOIN Email Address Information Disclosure
06.19.81 - IdealBB Multiple Input Validation Vulnerabilities
06.19.82 - IA-Calendar Multiple Input Validation Vulnerabilities
06.19.83 - PAFileDB Pafiledb_Constants.PHP Remote File Include
06.19.84 - Aardvark Topsites PHP LostPW.PHP Remote File Include
06.19.85 - Ozzywork Galeri Arbitrary File Upload
06.19.86 - NewsBoard ABBC.CSS.PHP Local File Include
06.19.87 - phpBB Multiple Input Validation Vulnerabilities
-- Network Device
06.19.88 - Cisco Application Velocity System Open TCP Proxy
_____________________________________________________________________
PART I Critical Vulnerabilities
Part I is compiled by Rohit Dhamankar and Rob King at TippingPoint, a
division of 3Com, as a by-product of that company's continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/risk
*************************
Widely Deployed Software
*************************
(1) CRITICAL: Microsoft Exchange Calendar Properties Buffer Overflow (MS06-019)
Affected:
Microsoft Exchange Server 2000/2003
Description: Microsoft Exchange, one of the most widely-deployed email
servers around the globe, contains a buffer overflow. An unauthenticated
attacker can trigger the overflow by sending a specially crafted
"calendar" request, and exploit the overflow to execute arbitrary code
on the Exchange server with "SYSTEM" privileges. The problem occurs in
the module that processes "vcal" and "ical" mime content types, which
are used by the Exchange server and email clients when sending calendar
requests. The technical details have not been posted. However, this flaw
can be exploited to create a worm; hence, it should be patched on a
priority basis.
Status: Apply the patch referenced in the Microsoft Bulletin MS06-019.
Enterprises that are using Blackberry service or Goodlink Wireless
service via Exchange may suffer disruption as users on mobile devices
cannot send e-mail messages. In such cases, network or host intrusion
prevention solutions should be used to block this attack.
Council Site Actions: All of the reporting council sites are responding
to this item. Most are in the process of updating their systems now. A
few have already completed the updates. A few sites are still
investigating how to update without breaking their existing email
delegations on the gateways, such as Blackberries and other RIM devices.
References:
Microsoft Security Bulletin MS06-019
http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx
Problems with Mobile Devices
http://support.microsoft.com/kb/912918
CERT Advisory
http://www.kb.cert.org/vuls/id/303452
Internet Calendaring and Scheduling Core Object Specification
http://www.ietf.org/rfc/rfc2445.txt
SecurityFocus BIDs
http://www.securityfocus.com/bid/17908
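The item above concerns a parser for "vcal"/"ical" MIME content that mishandles calendar property lengths. The block below is an added illustration, not the bulletin's or Microsoft's code: a bounded parser for iCalendar content lines as defined in RFC 2445 section 4.1 (the "NAME;PARAM=VALUE:value" grammar with line folding), written so that the length limit is enforced while folded lines are being reassembled rather than after. The caps MAX_LOGICAL_LINE and MAX_NAME_LEN and the sample VCALENDAR are constructed values; the RFC itself only says physical lines SHOULD be folded at 75 octets and MUST be unfolded by the receiver.

```python
"""Bounded parser for iCalendar (RFC 2445) content lines.

Added illustration; not from the RISK bulletin or from Microsoft Exchange.
MAX_LOGICAL_LINE and MAX_NAME_LEN are constructed policy limits.
"""
import re

MAX_LOGICAL_LINE = 8192   # constructed cap on an unfolded content line
MAX_NAME_LEN = 64         # constructed cap on property and parameter names
NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def unfold(text):
    """Join folded physical lines (a line starting with SPACE or HTAB continues
    the previous one). The cap is checked after every join, so many short
    folded pieces cannot be assembled into an oversized logical line."""
    logical = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += raw[1:]
        elif raw:
            logical.append(raw)
        else:
            continue
        if len(logical[-1]) > MAX_LOGICAL_LINE:
            raise ValueError("content line exceeds %d octets" % MAX_LOGICAL_LINE)
    return logical


def split_outside_quotes(s, sep):
    """Split on sep, ignoring separators inside double-quoted parameter values."""
    parts, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unterminated quoted parameter value")
    parts.append("".join(cur))
    return parts


def parse_content_line(line):
    """NAME *(";" PARAM "=" VALUE) ":" VALUE  ->  (name, {param: value}, value).
    Quoted parameter values are returned with their quotes intact."""
    parts = split_outside_quotes(line, ":")
    if len(parts) < 2:
        raise ValueError("content line has no ':' separator")
    head, value = parts[0], ":".join(parts[1:])
    name, *raw_params = split_outside_quotes(head, ";")
    name = name.upper()
    if not NAME_RE.match(name) or len(name) > MAX_NAME_LEN:
        raise ValueError("bad property name %r" % name[:20])
    params = {}
    for p in raw_params:
        key, eq, val = p.partition("=")
        key = key.upper()
        if not eq or not NAME_RE.match(key) or len(key) > MAX_NAME_LEN:
            raise ValueError("bad parameter %r" % p[:20])
        params[key] = val
    if re.search(r"[\x00-\x08\x0a-\x1f\x7f]", value):
        raise ValueError("control character in property value")
    return name, params, value


def parse_ical(text):
    """Parse a whole iCalendar object into a list of (name, params, value)."""
    return [parse_content_line(line) for line in unfold(text)]


def rejects(text):
    """True if the parser refuses the input (used to check the limits)."""
    try:
        parse_ical(text)
    except ValueError:
        return True
    return False


# Constructed sample: a folded DESCRIPTION and a quoted parameter containing ':'.
SAMPLE = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    'DTSTART;TZID="America/Chicago":20060515T150000\r\n'
    "SUMMARY:Patch window for MS06-019\r\n"
    "DESCRIPTION:This description is folded across two\r\n"
    "  physical lines as RFC 2445 allows.\r\n"
    'ATTENDEE;CN="Jane Doe: on call";RSVP=TRUE:mailto:jane@example.com\r\n'
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
```

The two inputs worth trying against it are a single SUMMARY line of several thousand characters and the same amount of text delivered as two hundred 70-character folded pieces; both are refused by `unfold`, which is the point of checking the limit during reassembly rather than per physical line.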
***********************************************************************
(2) HIGH: Apple Mac OS X Security Update 2006-003
Affected:
Apple Mac OS X versions 10.4.6 and prior.
Description:
Apple announced fixes for thirty-one vulnerabilities in Mac OS X version
10.4.6 and prior. These vulnerabilities include local and remote code
execution, information disclosure, denial-of-service and local privilege
escalation. The update fixes the 0-day vulnerabilities in OS X's handling
of multiple image file formats.
Status: Apple confirmed, patches released.
References:
Apple Security Update 2006-003
http://docs.info.apple.com/article.html?artnum=303737
MuSecurity Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0300.html
************************************************************************
(3) HIGH: Apple QuickTime Multiple Buffer Overflows
Affected:
Apple QuickTime version prior to 7.1.
Description:
Apple's QuickTime, a popular digital media framework for Windows and Mac
platforms, contains multiple buffer overflow vulnerabilities. The
problems lie in QuickTime's processing of various file/media
formats, and may be exploited to execute arbitrary code on a client
system. A webpage serving a malicious QuickTime media file may leverage
these flaws to compromise a client. Note that users who have QuickTime
as their default media player may be compromised via any of the media
file formats. The technical details for some of the vulnerabilities have
been publicly posted.
Status:
Vendor confirmed, patches released. Upgrade to QuickTime version 7.1.
References:
Apple Advisory
http://docs.info.apple.com/article.html?artnum=303752
Apple QuickTime Home Page
http://www.apple.com/quicktime
eEye Advisory
http://www.eeye.com/html/research/advisories/AD20060511.html
TippingPoint ZDI Advisory
http://www.zerodayinitiative.com/advisories/ZDI-06-015.html
AvertLabs Advisory
http://archives.neohapsis.com/archives/bugtraq/2006-05/0229.html
NevisLabs
http://archives.neohapsis.com/archives/bugtraq/2006-05/0222.html
SecurityFocus BID
http://www.securityfocus.com/bid/17953
http://www.securityfocus.com/bid/17074
*************************************************************************
(4) HIGH: RealVNC Remote Authentication Bypass Vulnerability
Affected:
RealVNC Free Edition version 4.1.1 and prior
RealVNC Personal and Enterprise Editions versions 4.2.2 and prior
Description:
RealVNC, a popular VNC (Virtual Network Computing) client and server,
suffers from a vulnerability in the way it processes passwords. By
passing a specially-crafted request, a remote attacker could bypass the
authentication process and gain access to the vulnerable system.
Technical details and a proof-of-concept exploit have been publicly
released.
Status: Vendor confirmed, updates released. System administrators should
block access from the Internet to the ports used by this software.
References:
Initial Discovery at IntelliAdmin
http://www.intelliadmin.com/blog/2006/05/security-flaw-in-realvnc-411.html
Proof-of-Concept Exploit
http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html
Posting by James Evans
http://archives.neohapsis.com/archives/bugtraq/2006-05/0286.html
RealVNC Home Page
http://www.realvnc.com/
VNC Protocol Description
http://en.wikipedia.org/wiki/Virtual_Network_Computing
SecurityFocus BID
Not yet available.
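The bulletin describes the RealVNC flaw only as a password-processing problem. The mechanism, documented in the IntelliAdmin posting cited above, is a server that offers a list of security types and then honours whatever type the client picks, even one it never offered (type 1, "None", which skips the challenge entirely). The block below is an added simulation of the RFB 3.8 security-type exchange with both sides' messages, not RealVNC's code; `negotiate` shows the unchecked server beside the one that verifies the client's choice against its own offer. The state names are constructed labels for where the server's state machine goes next.

```python
"""RFB 3.8 security-type negotiation, flawed and fixed server behaviour.

Added simulation; not code from RealVNC or from the RISK bulletin.
Security type 1 = None (no challenge), 2 = VNC Authentication.
"""
import struct

SEC_NONE = 1
SEC_VNC_AUTH = 2


def server_offer(offered):
    """Server -> client: one count byte followed by one byte per offered type."""
    return struct.pack("B", len(offered)) + bytes(offered)


def client_choice(sec_type):
    """Client -> server: a single byte naming the type the client wants."""
    return struct.pack("B", sec_type)


def parse_offer(msg):
    """Client-side view of the offer; also used here to keep the server honest
    about what it actually put on the wire."""
    count = msg[0]
    if count == 0 or len(msg) != 1 + count:
        raise ValueError("malformed security-type list")
    return list(msg[1:])


def negotiate(offered, choice_msg, validate_choice):
    """Return the state the server enters after reading the client's choice.

    validate_choice=False reproduces the flawed pattern: the chosen byte is
    taken at face value. validate_choice=True refuses anything not offered,
    which is the one-line check that closes the bypass."""
    if len(choice_msg) != 1:
        return "closed"
    chosen = choice_msg[0]
    if validate_choice and chosen not in offered:
        return "closed"          # fixed server: drop the connection (and log it)
    if chosen == SEC_NONE:
        return "authenticated"   # no challenge is ever sent
    if chosen == SEC_VNC_AUTH:
        return "challenge"       # 16-byte challenge/response follows
    return "closed"


def run_handshake(server_types, client_pick, validate_choice):
    """Drive both sides through the exchange and return the server's state."""
    offered = parse_offer(server_offer(server_types))
    return negotiate(offered, client_choice(client_pick), validate_choice)
```

For detection, the same comparison is the signal: a client answering an offer of `[2]` with `1` is never legitimate client behaviour, so a server or IPS that sees it should treat the connection as hostile. That matches the bulletin's advice to use intrusion prevention in front of the service until it is updated.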
**********************************************************************
(5) HIGH: Adobe Macromedia Flash Player Remote Code Execution (MS06-020)
Affected:
Windows XP SP1 and SP2
Windows ME/98/98SE with Internet Explorer 6 SP1 installed
Description: This patch from Microsoft fixes remote code execution
vulnerabilities in the Adobe Macromedia Flash player that ships by
default with certain Windows versions. Adobe has previously issued
updates for the affected versions of Flash player. A malicious flash
player animation (".swf" file) can execute arbitrary code on an affected
Windows system. The malicious SWF file can be posted on a webpage,
shared folder, P2P folder or attached to an email message. Note that one
of the Flash player vulnerabilities patched by this update has been
publicly disclosed. Hence, this patch should be applied on a priority
basis.
Status: Apply the patch referenced in the Microsoft Security Bulletin
MS06-020.
Council Site Actions: All of the reporting council sites are responding
to this item. Some have already upgraded their systems. A few are in
the process of upgrading them now, or plan to upgrade in the near
future.
References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS06-020.mspx
CERT Advisory
http://www.kb.cert.org/vuls/id/945060
Adobe Security Bulletin
http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html
Previous
RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=5&i=11#widely3
SecurityFocus BID
http://www.securityfocus.com/bid/17106
******************************************************************
(6) MODERATE: Sophos Antivirus CAB File Processing Overflow
Affected:
Sophos Anti-Virus for Windows, Mac OS, Unix, Linux, NetWare, OS/2, OpenVMS and DOS
Sophos Anti-Virus Small Business Editions for Windows and Mac OS
PureMessage for Windows/Exchange and UNIX
PureMessage Small Business Edition
MailMonitor for Windows, Notes/Domino and Exchange
Description: Sophos Anti-virus products contain a heap-based overflow
that can be triggered by specially crafted Microsoft Cabinet (".cab")
files. The overflow can be exploited to execute arbitrary code on a
system running the affected Sophos product if the option to inspect CAB
files is enabled (disabled by default). Exploiting the mail gateways is
easy as it does not require any user interaction. The antivirus library
is also embedded in products sold by more than 20 vendors, and updates
should be applied to any products listed at:
http://www.sophos.com/partners/oem/
Status: Sophos confirmed, updates available.
References:
TippingPoint Advisory
http://www.zerodayinitiative.com/advisories/ZDI-06-012.html
Vendor Homepage
http://www.sophos.com
SecurityFocus BID
http://www.securityfocus.com/bid/17876
****************************************************************
(7) MODERATE: Adobe Dreamweaver Server Behaviour SQL Injection
Affected:
DreamWeaver 8 and MX
Description: Adobe Dreamweaver is a leading web development tool that
is used for creating a large number of websites. The code generated by
Dreamweaver for Cold Fusion, PHP MySQL, ASP.NET and JSP server models
contains SQL injection vulnerabilities. The flaws can be exploited to
execute arbitrary SQL commands on the back-end database. The technical
details to craft an exploit may be obtained from the steps outlined to
mitigate risks for Dreamweaver MX.
Status: Adobe has released version 8.0.2 for Dreamweaver and also
provided steps for mitigation for users of Dreamweaver MX. Please
re-generate the affected website code using the updated Dreamweaver
software.
Council Site Actions: Only one council site is using the affected
software. They reported that it would be rare that the software is used
for developing web sites that support SQL; thus they believe they are
largely unaffected, but they still are investigating.
References:
Adobe Advisory
http://www.adobe.com/support/security/bulletins/apsb06-07.html
Product Homepage
http://www.adobe.com/products/dreamweaver/
SecurityFocus BIDs
http://www.securityfocus.com/bid/17928
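The Dreamweaver item turns on the difference between generated database code that splices request values into the SQL text and code that binds them as parameters. The block below is an added example in Python with sqlite3, not Dreamweaver's generated PHP, ASP.NET, JSP or ColdFusion code (which the bulletin does not reproduce): the same login query in both forms, run against a constructed single-user table, so the effect of a quote character in the password field can be seen side by side. The table, the user row and the function names are constructed for the example.

```python
"""A login query in the two forms generated web code can take.

Added example (sqlite3); not Dreamweaver's server-behaviour code.
The users table and its one row are constructed test data.
"""
import sqlite3


def build_demo_db():
    """Constructed user store: one account, plaintext for brevity of the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed row
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable pattern: request values become part of the SQL text, so a
    quote in either field rewrites the WHERE clause instead of being data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is a constant; the values travel as bound
    parameters and cannot change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Run both variants on the same input; returns (concatenated, parameterized)."""
    conn = build_demo_db()
    try:
        return (login_concatenated(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()
```

The bulletin's remediation, regenerating site code with Dreamweaver 8.0.2, amounts to moving every page from the first form to the second. When auditing an existing site, the thing to grep for is the first form: a query string assembled from request variables with string operators, in whichever server language the site uses.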
***********************************************************************
******************
Other Software
******************
(8) HIGH: EMC Retrospect Client Packet Handling Remote Buffer Overflow
Affected:
Retrospect client for Windows/Mac/Linux/Netware
Description: EMC Retrospect is a multi-platform backup solution for
small and medium-sized businesses. The backup client contains a buffer overflow
that can be triggered by sending a specially crafted packet to port
497/tcp or 497/udp. The flaw can be exploited to execute arbitrary code
on the backup client. The technical details required to craft an exploit
have not been posted yet.
Status: EMC confirmed. Patches are available for Windows, Mac, Linux and
NetWare clients. A general security measure would be to block ports
497/tcp and 497/udp from the Internet.
Council Site Actions: Only one of the responding council sites is using
the affected software, and on only a small number of Macintosh systems.
They will encourage owners of the affected computers to remove
Retrospect and switch to their supported backup solution. They expect a
few users will choose to upgrade to a newer Retrospect Client within the
next month.
References:
EMC Advisory
http://kb.dantz.com/article.asp?article=9511&p=2
Product Homepage
http://www.emcinsignia.com/products/smb/retroforwin/
http://www.emcinsignia.com/products/smb/retroformac/
SecurityFocus BIDs
http://www.securityfocus.com/bid/17948
*********************************************************************
(9) HIGH: VeriSign i-Nav ActiveX Control Remote Code Execution
Affected:
Verisign VUpdater.Install ActiveX Control
Description: Verisign i-Nav plug-in allows a user to browse the Internet
with internationalized domain names (IDNs) using Internet Explorer or
Microsoft Outlook/Outlook Express. i-Nav's "VUpdater.Install" contains
a remote code execution vulnerability. The problem arises because this
ActiveX control's "InstallProduct" routine can be used to run an
arbitrary executable. A malicious webpage or an HTML email can exploit
this flaw to execute arbitrary code with the privileges of the logged-on
user.
Status: Verisign has issued an update for the i-Nav plug-in.
Council Site Actions: Only one of the responding council sites is using
the affected software, and on only a small number of systems. It is not
supported by their central IT department. They are still investigating
whether there is any efficient upgrade approach provided by the vendor,
e.g., perhaps the software has a way to notify an end user that an
update is needed.
References:
Sophos Advisory
http://www.sophos.com/support/knowledgebase/article/4934.html
TippingPoint Advisory
http://www.zerodayinitiative.com/advisories/ZDI-06-014.html
Verisign IDNNow Homepage
http://www.idnnow.com/index.jsp
SecurityFocus BIDs
http://www.securityfocus.com/bid/17939
**********************************************************************
(10) HIGH: wodSSHServer ActiveX Component Buffer Overflow
Affected:
wodSSHServer versions 1.2.7 and 1.3.3 and prior.
Description:
wodSSHServer is a Windows-based ActiveX SSH server component that allows
ActiveX-aware applications to easily provide SSH and Telnet server
functionality. This server contains a flaw in the processing of SSH key
exchanges that leads to a buffer overflow vulnerability. By sending a
specially-crafted request, a remote attacker can exploit the flaw to
execute arbitrary code on the remote system. Note that software that
embeds this ActiveX component may also be vulnerable.
Status: Vendor has not confirmed. No updates available.
References:
Secunia Security Advisory
http://secunia.com/advisories/19845/
wodSSHServer Home Page
http://www.weonlydo.com/index.asp?showform=SSHServer
freeSSHd (an SSH server built using the vulnerable component)
http://freesshd.com
Exploit Code
http://www.milw0rm.com/exploits/1787
http://metasploit.com/projects/Framework/exploits.html#freesshd_key_exchange
***********************************************************************
(11) MODERATE: Novell Client for Windows Buffer Overflow
Affected:
Novell client 4.83 SP3, 4.90 SP2 and 4.91 SP2 for Windows NT/2000/XP
Description: Novell client for Windows contains a buffer overflow that
can be triggered by sending a specially crafted RPC message. The buffer
overflow can be exploited to execute arbitrary code on the affected
Windows system. No technical details about the flaw are yet available.
Status: Novell has released a patch for the Windows client.
Council Site Actions: One council site is in the process of migrating
away from their Novell implementation. A second site is still
investigating whether there is a widespread deployment of Novell Client
within the one department that has a Novell implementation.
References:
Novell Advisory
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973719.htm
SecurityFocus BIDs
http://www.securityfocus.com/bid/17931
**********************************************************************
(12) MODERATE: Novell NetWare Distributed Print Services Integer Overflow
Affected:
Novell Netware version 6.5
Description: Netware Distributed Print Services (NDPS/iPrint) contains
an integer overflow vulnerability that can be exploited to execute
arbitrary code on an affected Netware server. The technical details
required to craft an exploit have not been posted yet.
Status: Novell confirmed. Apply the SP3, SP4 or SP5 for the affected
server.
Council Site Actions: Only one of the responding council sites is using
the affected software. These systems are in the process of being
migrated away from Novell.
References:
Novell Advisory
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973700.htm
Product Homepage
http://www.novell.com/products/ndps/details.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/17922
*********************************************************************
*****************
Update
*****************
(13) Microsoft Distributed Transaction Coordinator Heap Overflow
Description: eEye has released technical details about a heap-based
buffer overflow in the Microsoft Distributed Transaction Coordinator
(MSDTC) RPC service that affects Windows NT 4.0, Windows 2000 SP2 and
SP3 installations. Note that MS05-051 patched this overflow for Windows
2000 SP4, Windows XP and Windows 2003 systems. The patch is now
available for Microsoft NT 4.0/2000 SP2/2000 SP3 systems for customers
who have entered into a customer support agreement with Microsoft.
References:
eEye Advisory
http://www.eeye.com/html/research/advisories/AD20060509a.html
*********************************************************************
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 19, 2006
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5014 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
______________________________________________________________________
06.19.1 CVE: CVE-2006-0034
Platform: Windows
Title: Windows MSDTC Heap Buffer Overflow
Description: The Microsoft Distributed Transaction Coordinator (MSDTC)
is a distributed transaction facility for the Windows platform. It is
vulnerable to a remote heap buffer overflow issue because the
destination buffer may be overrun during the string copy operation.
See Microsoft advisory for details.
Ref: http://www.microsoft.com/technet/security/bulletin/MS06-018.mspx
______________________________________________________________________
06.19.2 CVE: Not Available
Platform: Windows
Title: Windows MSDTC Invalid Memory Access Denial of Service
Description: The Microsoft Distributed Transaction Coordinator (MSDTC)
is prone to a denial of service issue. This vulnerability can be
exploited remotely to disrupt the MSDTC service and any services that
depend on MSDTC. Please see the attached advisory for details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx
______________________________________________________________________
06.19.3 CVE: Not Available
Platform: Windows
Title: Microsoft Internet Explorer Position CSS Denial of Service
Description: Microsoft Internet Explorer is affected by a denial of
service vulnerability. This issue presents itself when a user hovers
their mouse cursor over a table that has the CSS "position" attribute
set. This results in an unhandled exception in "mshtml.dll", crashing
the browser. Internet Explorer 6 is vulnerable to this issue.
Ref: http://www.securityfocus.com/bid/17932
______________________________________________________________________
06.19.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Xeneo Web Server Source Disclosure
Description: Xeneo is a web server for Microsoft Windows. A problem
with validating the filename extension results in the disclosure of
the source code of scripts. By manipulating the filename extension
with dot, slash and space characters, an attacker can trick the server
into revealing the source code rather than serve the specified script
file. This issue affects Xeneo version 2.2.22.0.
Ref: http://www.securityfocus.com/bid/17858
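The Xeneo entry is an instance of a general failure: deciding whether a request names a script by testing the extension of the raw request string, when the filesystem will trim the name before opening it. On Windows, trailing dots and spaces are dropped from the final path component, so "/index.php." and "/index.php " open the same file as "/index.php" while failing a naive `.php` check and being served as plain text. The block below is an added example, not Xeneo's code: the naive check beside a dispatcher that canonicalises the path (decode, normalise separators and dot segments, trim the leaf) before classifying it, with a strict mode that refuses any request whose name the filesystem would rewrite. The extension set and the "execute"/"static"/"reject" labels are constructed for the example.

```python
"""Script-vs-static dispatch before and after path canonicalisation.

Added example; not the Xeneo web server's code. Models the Windows rule
that trailing dots and spaces are dropped from a file name on open.
"""
import posixpath
from urllib.parse import unquote

SCRIPT_EXTS = {".php", ".asp", ".pl"}   # constructed set of interpreter-handled extensions


def naive_is_script(request_path):
    """The weak check: extension test on the raw request string. Fails for
    "/index.php." (ext ".") and "/index.php%20" (ext ".php%20")."""
    return posixpath.splitext(request_path)[1].lower() in SCRIPT_EXTS


def canonicalize(request_path):
    """Decode, normalise separators and dot segments, then apply the
    filesystem's own trimming to the final component."""
    p = unquote(request_path).replace("\\", "/")
    p = posixpath.normpath("/" + p.lstrip("/"))   # "/docs/../index.php/." -> "/index.php"
    head, _, leaf = p.rpartition("/")
    return head + "/" + leaf.rstrip(". ")         # Windows drops trailing dots and spaces


def classify(canon):
    """Route by the extension of the canonical name, never the raw one."""
    ext = posixpath.splitext(canon)[1].lower()
    return "execute" if ext in SCRIPT_EXTS else "static"


def dispatch(request_path, strict=True):
    """Return (decision, canonical_path).

    strict=True refuses any request whose decoded form differs from its
    canonical form: the name would be rewritten on open, which is exactly the
    condition under which a naive extension check and the filesystem disagree.
    strict=False still serves it, but classifies the canonical name, so the
    disguised script is executed rather than disclosed."""
    decoded = unquote(request_path).replace("\\", "/")
    canon = canonicalize(request_path)
    if strict and canon != decoded:
        return ("reject", canon)
    return (classify(canon), canon)
```

Strict mode is the safer default for a server, since a well-formed client never needs to send a name that the filesystem will trim; the lenient mode is shown to make the point that once the name is canonical, the extension decision is the same one the interpreter hook would make.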
______________________________________________________________________
06.19.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Kerio WinRoute Firewall Unspecified Remote Denial of Service
Description: Kerio WinRoute Firewall is a network firewall and
security application. Insufficient sanitization of SMTP and POP3
messages exposes the application to a denial of service issue. Kerio
WinRoute Firewall versions 6.2.1 and earlier are affected.
Ref: http://www.securityfocus.com/bid/17859
______________________________________________________________________
06.19.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Intervations FileCopa User Command Remote Buffer Overflow
Description: FileCopa FTP Server is a file transfer application. It is
affected by a buffer overflow issue in the USER command. All current
versions are affected.
Ref: http://www.securityfocus.com/bid/17881
______________________________________________________________________
06.19.7 CVE: CVE-2006-0561
Platform: Third Party Windows Apps
Title: Cisco Secure ACS Insecure Password Storage
Description: Cisco Secure ACS (Access Control Server) is an
authentication, authorization, and accounting software package
distributed by Cisco Systems. It is susceptible to an insecure
password storage vulnerability. Specifically, passwords and the key
used to encrypt them are both stored in the Windows registry, allowing
attackers that have access to the registry to gain access to sensitive
passwords. Cisco Secure ACS for Windows versions 3.x are affected by
this issue.
Ref: http://www.securityfocus.com/archive/1/433286
______________________________________________________________________
06.19.8 CVE: CVE-2006-2161
Platform: Third Party Windows Apps
Title: TZipBuilder ZIP File Buffer Overflow
Description: TZipBuilder is an application and library designed to
process compressed ZIP files. It is vulnerable to a buffer overflow
issue due to insufficient handling of ZIP files with overly long
embedded filenames. TZipBuilder versions 1.79.03.01 and earlier are
vulnerable.
Ref: http://secunia.com/secunia_research/2006-26/advisory/
______________________________________________________________________
06.19.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: ICQ Banner Ad Cross-Application Scripting
Description: ICQ is prone to a cross-application scripting
vulnerability. The problem occurs in the handling of banner ad
content. The content is downloaded by ICQ and then displayed in an
Internet Explorer COM object as local data. This results in the
potentially malicious remote content being rendered in the "My
Computer" security zone. ICQ versions 5.04 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/433360
______________________________________________________________________
06.19.10 CVE: CVE-2006-2273
Platform: Third Party Windows Apps
Title: Verisign i-Nav ActiveX Control Remote Buffer Overflow
Description: Verisign i-Nav ActiveX control is a software package that
adds support for international domain names (IDN). It is vulnerable to
a buffer overflow issue due to an insufficient boundary check of an
unspecified parameter of the "VUpdater.Install" control. All versions
of VeriSign i-Nav are vulnerable.
Ref: http://www.securityfocus.com/archive/1/433589
______________________________________________________________________
06.19.11 CVE: Not Available
Platform: Mac OS
Title: Apple Mac OS X Security Update 2006-003 Multiple
Vulnerabilities
Description: Apple Mac OS X is affected by multiple security issues.
Apple released security update 2006-003 to address these issues.
Please see the attached advisory for details.
Ref: http://docs.info.apple.com/article.html?artnum=303737
______________________________________________________________________
06.19.12 CVE: Not Available
Platform: Linux
Title: pstotext Arbitrary Script Code Execution
Description: The pstotext utility is a command line utility that
utilizes GhostScript to convert PostScript files to plain text. It is
susceptible to an arbitrary command execution vulnerability due to
improper sanitization of user-supplied input to the filename. Version
1.9 of pstotext is vulnerable to this issue.
Ref: http://www.securityfocus.com/bid/17897
______________________________________________________________________
06.19.13 CVE: Not Available
Platform: Linux
Title: ISPConfig Session.INC.PHP Remote File Include
Description: ISPConfig is an open source hosting control panel. It is
affected by a remote file include issue due to a failure in the
application to properly sanitize user-supplied input to the
"go_info[server][classes_root]" parameter of the "session.inc.php"
script. ISPConfig version 2.2.2 is affected.
Ref: http://www.securityfocus.com/bid/17909
______________________________________________________________________
06.19.14 CVE: CVE-2006-2275
Platform: Linux
Title: Linux Kernel Multiple SCTP Remote Denial of Service
Vulnerabilities
Description: The Linux kernel SCTP module is susceptible to remote
denial of service vulnerabilities. These issues are triggered when
unexpected SCTP packets are handled by the kernel. The Linux kernel
version 2.6.16 is vulnerable.
Ref: http://labs.musecurity.com/advisories/MU-200605-01.txt
______________________________________________________________________
06.19.15 CVE: Not Available
Platform: Linux
Title: Linux Kernel Lease_Init Local Denial of Service
Description: The Linux kernel is prone to a local denial of service
issue due to a design error in the "lease_init" function of the
"fs/locks.c" file. Linux kernel versions earlier than 2.6.16.16 are
affected.
Ref: http://www.securityfocus.com/bid/17943
______________________________________________________________________
06.19.16 CVE: Not Available
Platform: Solaris
Title: Solaris LibIKE IKE Exchange Denial of Service
Description: Sun Solaris is vulnerable to a denial of service issue
with the "libike" IKE implementation if a malformed payload is sent
during an IKE exchange. Solaris 9 and 10 are vulnerable.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102246-1
______________________________________________________________________
06.19.17 CVE: Not Available
Platform: Unix
Title: Inter7 Vpopmail Authentication Bypass
Description: Inter7 Vpopmail is mail management software. It is
vulnerable to a remote authentication bypass issue because of a logic
flaw in the application while handling plaintext password
authentication during SMTP AUTH or APOP connections. Inter7 Vpopmail
versions 5.4.15 and earlier are vulnerable.
Ref: http://sourceforge.net/project/shownotes.php?release_id=415350
______________________________________________________________________
06.19.18 CVE: CVE-2006-0730
Platform: Unix
Title: Dovecot Remote Information Disclosure
Description: Dovecot is a mail server application. It is vulnerable to
an information disclosure issue due to insufficient sanitization of
directory traversal sequences in the IMAP LIST command. Dovecot
versions 1.0 stable through 1.0 beta8 are vulnerable.
Ref: http://www.frsirt.com/english/advisories/2006/0549
______________________________________________________________________
06.19.19 CVE: Not Available
Platform: Novell
Title: Novell NetWare Distributed Print Services Integer Overflow
Description: Novell Netware Distributed Print Services (NDPS/iPrint)
is a communications layer for printer management. It is affected by an
integer overflow issue due to an unspecified integer overflow in
"DPRPCNLM.NLM" when handling malformed requests. All current versions
are affected.
Ref: http://www.securityfocus.com/bid/17922
______________________________________________________________________
06.19.20 CVE: Not Available
Platform: Novell
Title: Novell Client Unspecified Buffer Overflow
Description: Novell Client is prone to an unspecified buffer overflow
vulnerability. The problem occurs in "DPRPCW32.DLL". This issue exists
in Novell Client 4.83 SP3, 4.90 SP2, and 4.91 SP2.
Ref: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2973719.htm
______________________________________________________________________
06.19.21 CVE: CVE-2006-0994
Platform: Cross Platform
Title: Sophos Anti-Virus CAB File Scanning Remote Heap Overflow
Description: Sophos Anti-Virus is a commercially available virus
scanning software. A remote heap overflow vulnerability exists in
Sophos Anti-Virus Library when scanning CAB files. See advisory for
further details.
Ref: http://www.sophos.com/support/knowledgebase/article/4934.html
______________________________________________________________________
06.19.22 CVE: Not Available
Platform: Cross Platform
Title: IBM WebSphere Application Server Welcome Page Security
Restriction Bypass
Description: IBM WebSphere Application Server is a utility designed to
facilitate the creation of various enterprise web applications. It is
prone to a security restriction bypass vulnerability. Specifically,
when security constraints with a pattern of "/*" are deployed, they
will fail to match pages with paths consisting of just "/". For
example, "/somepath/homepage.jsp" will properly require
authentication, but "/somepath/" will not, even though they both
resolve to the same "homepage.jsp" page.
Ref: http://www.securityfocus.com/bid/17900
______________________________________________________________________
06.19.23 CVE: Not Available
Platform: Cross Platform
Title: Multiple Cisco Products WebSense Content Filtering Bypass
Description: Multiple Cisco products can be configured to utilize the
WebSense service to filter HTTP content. They are susceptible to a
content filtering bypass vulnerability due to improper recognition of
HTTP request traffic. If attackers fragment HTTP requests, the content
filter will be bypassed as the affected device will not attempt to
forward the request to the WebSense service to perform authorization
checks. Cisco is tracking this issue as Bug IDs CSCsc67612, CSCsc68472
and CSCsd81734.
Ref: http://www.securityfocus.com/bid/17883
______________________________________________________________________
06.19.24 CVE: Not Available
Platform: Cross Platform
Title: Avahi Buffer Overflow and Denial of Service Vulnerabilities
Description: Avahi is an application to discover services available on
the local network. The application is affected by multiple buffer
overflow, denial of service and command execution issues. Avahi 0.6.10
and earlier are affected.
Ref: http://www.securityfocus.com/bid/17884
______________________________________________________________________
06.19.25 CVE: Not Available
Platform: Cross Platform
Title: OpenOBEX IRCP Arbitrary File Overwrite
Description: OpenOBEX is an open source implementation of the Object
Exchange protocol. OpenOBEX's IRCP utility is susceptible to a remote
file overwrite issue because it fails to verify that a destination
file does not exist before creating one. OpenOBEX version 1.2 is
vulnerable.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366484
______________________________________________________________________
06.19.26 CVE: Not Available
Platform: Cross Platform
Title: 3Com TippingPoint SMS Information Disclosure
Description: TippingPoint Security Management System (SMS) is an
appliance for managing multiple Intrusion Prevention Systems (IPS).
Insufficient sanitization of user-supplied input exposes the
application to an information disclosure issue. Please refer to the
attached advisory for details.
Ref: http://www.securityfocus.com/bid/17935
______________________________________________________________________
06.19.27 CVE: Not Available
Platform: Cross Platform
Title: Symantec Enterprise Firewall / Gateway Security HTTP Proxy
Internal IP Leakage
Description: Symantec Enterprise Firewall and Gateway Security
products are prone to an information disclosure weakness. The NAT/HTTP
proxy component of the products may reveal the internal IP addresses
of protected computers when handling certain specially crafted HTTP
requests.
Ref:
http://securityresponse.symantec.com/avcenter/security/Content/2006.05.10.html
______________________________________________________________________
06.19.28 CVE: CVE-2006-1458, CVE-2006-1459, CVE-2006-1460,
CVE-2006-1461, CVE-2006-1462, CVE-2006-1463, CVE-2006-1464,
CVE-2006-1465, CVE-2006-1453, CVE-2006-1454, CVE-2006-2238
Platform: Cross Platform
Title: QuickTime Multiple Integer and Buffer Overflow Vulnerabilities
Description: QuickTime Player is a media player. It is vulnerable to
multiple integer overflow and buffer overflow issues. See advisory for
further details. QuickTime Player versions 7.0.4 and earlier are
vulnerable.
Ref: http://docs.info.apple.com/article.html?artnum=303752
______________________________________________________________________
06.19.29 CVE: CVE-2006-2262
Platform: Web Application - Cross Site Scripting
Title: Singapore Index.PHP Cross-Site Scripting
Description: Singapore is an image gallery application. It is
vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "gallery" parameter of the
"index.php" script. Singapore version 0.9.7 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/433250
______________________________________________________________________
06.19.30 CVE: CVE-2006-2252
Platform: Web Application - Cross Site Scripting
Title: OpenFAQ Validate.PHP HTML Injection
Description: OpenFAQ is a web-based FAQ (Frequently Asked Questions)
manager. OpenFAQ is prone to an HTML injection vulnerability.
Ref: http://www.securityfocus.com/archive/1/433120
______________________________________________________________________
06.19.31 CVE: CVE-2006-2287
Platform: Web Application - Cross Site Scripting
Title: Vision Source CMS User Profile HTML Injection
Description: Vision Source CMS is a content management system
implemented in PHP. Vision Source CMS is prone to an HTML injection
vulnerability.
Ref: http://www.securityfocus.com/archive/1/433129
______________________________________________________________________
06.19.32 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: FaktoryStudios EasyEvent Index.PHP Cross-Site Scripting
Description: EasyEvent is a web-based event calendar. Insufficient
sanitization of the "curr_year" parameter of the "index.php" script
exposes the application to a cross-site scripting issue. All current
versions are affected.
Ref: http://www.securityfocus.com/bid/17891
______________________________________________________________________
06.19.33 CVE: CVE-2006-2249
Platform: Web Application - Cross Site Scripting
Title: CuteNews Multiple Cross-Site Scripting Vulnerabilities
Description: CuteNews is a news reader application. CuteNews is
vulnerable to multiple cross-site scripting issues due to insufficient
sanitization of user-supplied input to the "search.php" script.
CuteNews version 1.4.1 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/433058
______________________________________________________________________
06.19.34 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: EPublisherPro Moreinfo.ASP Cross-Site Scripting
Description: EPublisherPro is a website publishing application. It is
prone to a cross-site scripting vulnerability because it fails to
properly sanitize user-supplied input to the "title" parameter of the
"moreinfo.asp" script.
Ref: http://www.securityfocus.com/bid/17907
______________________________________________________________________
06.19.35 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PHP Live Helper Chat.PHP Cross-Site Scripting
Description: PHP Live Helper is a customer support application. It is
vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "PHPSESSID" parameter of
the "chat.php" script. PHP Live Helper version 2.0 Beta is
vulnerable.
Ref: http://www.securityfocus.com/bid/17960/info
______________________________________________________________________
06.19.36 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Jadu CMS Multiple Cross-Site Scripting Vulnerabilities
Description: Jadu CMS is a news reader application. It is vulnerable
to multiple cross-site scripting issues due to insufficient
sanitization of user-supplied input to the "register.php" script. All
versions of Jadu CMS are vulnerable.
Ref: http://www.securityfocus.com/bid/17929/info
______________________________________________________________________
06.19.37 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: ColdFusion Required Fields Cross-Site Scripting
Description: Adobe ColdFusion is an application server providing
development and hosting infrastructure. It is vulnerable to a
cross-site scripting issue due to insufficient sanitization of
user-supplied input when the "_required" flag is used in the name of
HTML POST form data and an error occurs. Adobe ColdFusion versions 5
and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/17938
______________________________________________________________________
06.19.38 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: ManageEngine OpManager Search.DO Cross-Site Scripting
Description: ManageEngine OpManager is a network monitoring and
management application available for the Microsoft Windows operating
system. It is prone to a cross-site scripting vulnerability. This
issue affects version 6.0.
Ref: http://www.securityfocus.com/bid/17944
______________________________________________________________________
06.19.39 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Vizra A_Login.PHP Cross-Site Scripting
Description: Vizra is a web-based application implemented in PHP.
Vizra is vulnerable to a cross-site scripting issue due to
insufficient sanitization of user-supplied input to the "message"
parameter of the "a_login.php" script. All versions are vulnerable.
Ref: http://www.securityfocus.com/bid/17949
______________________________________________________________________
06.19.40 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: OZJournals Vname Parameter Cross-Site Scripting
Description: OZJournals is a web-based application. It is vulnerable
to a cross-site scripting issue due to insufficient sanitization of
user-supplied input to the "vname" parameter when submitting a
comment. OZJournals version 1.2 is vulnerable.
Ref: http://kiki91.altervista.org/exploit/ozjournals.txt
______________________________________________________________________
06.19.41 CVE: Not Available
Platform: Web Application - SQL Injection
Title: 2005-Comments-Script Multiple Cross-Site Scripting
Vulnerabilities
Description: 2005-Comments-Script is affected by multiple SQL
injection issues due to insufficient sanitization of user-supplied
input. All current versions are affected.
Ref: http://www.securityfocus.com/bid/17895
______________________________________________________________________
06.19.42 CVE: CVE-2006-2263
Platform: Web Application - SQL Injection
Title: VP-ASP Shopping Cart Shopcurrency.ASP SQL Injection
Description: VP-ASP Shopping Cart is a shopping cart application.
VP-ASP Shopping Cart is prone to an SQL injection vulnerability due to
insufficient sanitization of user-supplied input to the "cid"
parameter of the "shopcurrency.asp" script. VP-ASP versions prior to
6.08 are vulnerable.
Ref: http://milw0rm.com/exploits/1759
______________________________________________________________________
06.19.43 CVE: CVE-2006-2268
Platform: Web Application - SQL Injection
Title: Flexcustomer Login SQL Injection
Description: Flexcustomer is a web-based user management application.
Flexcustomer is prone to an SQL injection vulnerability due to
insufficient sanitization of user-supplied input to the administrative
and user login panels. Flexcustomer versions 0.0.4 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/433125
______________________________________________________________________
06.19.44 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Creative Community Portal Multiple SQL Injection
Vulnerabilities
Description: Creative Community Portal is a web application designed
to create online communities. Insufficient sanitization of
user-supplied input exposes the application to multiple SQL injection
issues. Creative Community Portal version 1.1 is affected.
Ref: http://www.securityfocus.com/bid/17890
______________________________________________________________________
06.19.45 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Limbo CMS Index.PHP SQL Injection
Description: Limbo CMS is a content management application.
Insufficient sanitization of the "catid" parameter in the "index.php"
script exposes the application to an SQL injection issue. All current
versions are affected.
Ref: http://www.securityfocus.com/bid/17870
______________________________________________________________________
06.19.46 CVE: Not Available
Platform: Web Application - SQL Injection
Title: EvoTopsite Index.PHP Multiple SQL Injection Vulnerabilities
Description: EvoTopsites is a web-based topsites script. It is
vulnerable to multiple SQL injection issues due to insufficient
sanitization of user-supplied input to the "cat_id" and "id"
parameters of the "index.php" script. EvoTopsites versions 2.0 and Pro
2.0 are vulnerable.
Ref: http://www.hamid.ir/security/evotopsites.txt
______________________________________________________________________
06.19.47 CVE: Not Available
Platform: Web Application - SQL Injection
Title: MultiCalendars All_calendars.ASP SQL Injection
Description: MultiCalendars is a shopping cart application.
Insufficient sanitization of the "calsids" parameter in the
"all_calendars.asp" script exposes the application to an SQL injection
issue. MultiCalendars version 3.0 is affected.
Ref: http://www.securityfocus.com/bid/17903
______________________________________________________________________
06.19.48 CVE: CVE-2006-2103
Platform: Web Application - SQL Injection
Title: MyBB Showthread.PHP SQL Injection
Description: MyBB is a bulletin board application. The application is
prone to an SQL injection issue due to insufficient sanitization of
user-supplied input to the "comma" parameter of the "showthread.php"
script. MyBB version 1.1.1 is reported to be vulnerable.
Ref: http://www.securityfocus.com/archive/1/433564
______________________________________________________________________
06.19.49 CVE: CVE-2006-2300
Platform: Web Application - SQL Injection
Title: EImagePro Multiple SQL Injection Vulnerabilities
Description: EImagePro is an image gallery application, implemented in
PHP. The application is prone to multiple SQL-injection
vulnerabilities.
Ref: http://www.securityfocus.com/bid/17911
______________________________________________________________________
06.19.50 CVE: CVE-2006-2296
Platform: Web Application - SQL Injection
Title: EDirectoryPro Search_result.ASP SQL Injection
Description: EDirectoryPro is an advanced link directory application.
It is vulnerable to an SQL injection issue due to insufficient
sanitization of user-supplied input to the "keyword" parameter of the
"search_result.asp" script. All versions of EDirectoryPro are
vulnerable.
Ref: http://www.securityfocus.com/bid/17912/info
______________________________________________________________________
06.19.51 CVE: Not Available
Platform: Web Application - SQL Injection
Title: DUWare DUGallery Login SQL Injection
Description: DUGallery is a bulletin-board application written in ASP.
The application is prone to an SQL injection vulnerability.
Ref: http://www.securityfocus.com/archive/1/433410
______________________________________________________________________
06.19.52 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Ozzywork Galeri Admin Login SQL Injection
Description: Ozzywork Galeri is a web-based gallery application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "Login" and "password" fields of the
"admin_default.asp" script. Ozzywork Galeri version 2.0 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/433358
______________________________________________________________________
06.19.53 CVE: CVE-2006-2042
Platform: Web Application - SQL Injection
Title: Dreamweaver Multiple SQL Injection Vulnerabilities
Description: Dreamweaver is a web development tool. The automatic
code generator is vulnerable to multiple SQL injection issues due to
insufficient sanitization of user-supplied input. Dreamweaver versions
8.0 and earlier are vulnerable.
Ref: http://www.adobe.com/support/security/bulletins/apsb06-07.html
______________________________________________________________________
06.19.54 CVE: CVE-2006-2046
Platform: Web Application - SQL Injection
Title: Application Dynamics Cartweaver ColdFusion SQL Injection
Vulnerabilities
Description: Cartweaver ColdFusion is a shopping cart application. It
is vulnerable to SQL injection attacks due to insufficient
sanitization of user-supplied input to the "Details.cfm" and
"Results.cfm" scripts. Cartweaver version 2.17.11 resolves this issue.
Ref: http://pridels.blogspot.com/2006/04/cartweaver-coldfusion-vuln.html
______________________________________________________________________
06.19.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: AliPAGER Elementz.PHP SQL Injection
Description: AliPAGER is an advanced link directory application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "ubild" parameter of the "elementz.php"
script. AliPAGER version 1.5 is vulnerable.
Ref: http://www.securityfocus.com/bid/17945
______________________________________________________________________
06.19.56 CVE: CVE-2006-2284
Platform: Web Application
Title: Claroline Multiple Remote File Include Vulnerabilities
Description: Claroline is a collaborative learning application. It is
vulnerable to multiple remote file include issues due to insufficient
sanitization of user-supplied input to the authldap.php, ldap.inc.php
and casProcess.inc.php scripts. Claroline and Dokeos Open Source
Learning and Knowledge Management Tool versions 1.7.5 and earlier are
vulnerable.
Ref: http://www.frsirt.com/english/advisories/2006/1701
______________________________________________________________________
06.19.57 CVE: Not Available
Platform: Web Application
Title: Ocean12 Calendar Manager Pro Multiple Input Validation
Vulnerabilities
Description: Calendar Manager Pro is a calendar application,
implemented in ASP. It is prone to multiple input-validation
vulnerabilities because the application fails to properly sanitize
user-supplied input. Calendar Manager Pro version 1.1 is affected.
Ref: http://www.securityfocus.com/bid/17877
______________________________________________________________________
06.19.58 CVE: CVE-2006-2270
Platform: Web Application
Title: Jetbox CMS Config.PHP Remote File Include
Description: Jetbox CMS is a content management system. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "relative_script_path"
variable, which is used in the "config.php" script. Jetbox CMS version
2.1 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/433121
______________________________________________________________________
06.19.59 CVE: CVE-2006-0069
Platform: Web Application
Title: Chipmunk Blogger Multiple Input Validation Vulnerabilities
Description: Chipmunk Blogger is a blog management application. It is
vulnerable to multiple input validation issues such as HTML injection
and cross-site scripting. See the advisory for further details.
Ref: http://www.securityfocus.com/archive/1/433122
______________________________________________________________________
06.19.60 CVE: Not Available
Platform: Web Application
Title: PHP-Fusion Multiple Local File Include Vulnerabilities
Description: PHP-Fusion is a website management application.
Insufficient sanitization of the "settings" parameter of the
"last_seen_users_panel.php" script and the "localset" parameter of the
"setup.php" script exposes the application to multiple file include
issues. All current versions are affected.
Ref: http://www.securityfocus.com/bid/17898
______________________________________________________________________
06.19.61 CVE: Not Available
Platform: Web Application
Title: Timobraun Dynamic Galerie Multiple Input Validation
Vulnerabilities
Description: Dynamic Galerie is an image gallery application. It is
prone to a directory traversal vulnerability and a cross-site
scripting vulnerability due to a failure in the application to
properly sanitize user-supplied input to the "pfad" parameter of the
"index.php" script.
Ref:
http://d4igoro.blogspot.com/2006/05/dynamic-galerie-10-path-traversal-xss.html
______________________________________________________________________
06.19.62 CVE: CVE-2006-2260
Platform: Web Application
Title: Drupal Project Module HTML Injection
Description: Drupal is an open-source content management system.
Drupal is prone to an HTML injection vulnerability.
Ref: http://drupal.org/drupal-4.7.0
______________________________________________________________________
06.19.63 CVE: Not Available
Platform: Web Application
Title: Chipmunk Forum Multiple Input Validation Vulnerabilities
Description: Chipmunk Forum is a bulletin board application.
Insufficient sanitization of user-supplied input exposes the
application to multiple HTML injection and SQL injection issues.
Ref: http://www.securityfocus.com/bid/17863
______________________________________________________________________
06.19.64 CVE: Not Available
Platform: Web Application
Title: MyBloggie BBCode IMG Tag HTML Injection
Description: MyBloggie is a web log application implemented in PHP. It
is prone to an HTML injection vulnerability due to improper
sanitization of user-supplied input submitted in BBCode IMG tags.
myBloggie versions 2.1.3 and 2.1.2 are affected.
Ref: http://www.securityfocus.com/bid/17865
______________________________________________________________________
06.19.65 CVE: Not Available
Platform: Web Application
Title: PassMasterFlex Multiple HTML Injection Vulnerabilities
Description: PassMasterFlex is a web-based authentication utility.
Insufficient sanitization of user-supplied input exposes the
application to multiple HTML injection issues. All current versions
are affected.
Ref: http://www.securityfocus.com/bid/17866
______________________________________________________________________
06.19.66 CVE: Not Available
Platform: Web Application
Title: Online Universal Payment System Script Multiple Input
Validation Vulnerabilities
Description: Online Universal Payment System Script is an ecommerce
application. It is vulnerable to multiple input validation issues such
as directory traversal and cross-site scripting. See the advisory for
further details.
Ref: http://www.securityfocus.com/bid/17889/info
______________________________________________________________________
06.19.67 CVE: CVE-2006-2261
Platform: Web Application
Title: ACal Day.PHP Remote File Include
Description: ACal is a web-based calendar application implemented in
PHP. ACal is prone to a remote file include vulnerability due to
insufficient sanitization of user-supplied input to the "path"
parameter of the "day.php" script. ACal versions 2.2.6 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/bid/17886
______________________________________________________________________
06.19.68 CVE: Not Available
Platform: Web Application
Title: Nagios Remote Negative Content-Length Buffer Overflow
Description: Nagios is an open source application designed to monitor
networks and services for service interruptions. Insufficient
sanitization of the "Content-Length" HTTP header exposes the
application to a buffer overflow issue. Nagios versions prior to 2.3
in the 2.x series and versions prior to 1.4 in the 1.x series are
affected.
Ref: http://www.securityfocus.com/bid/17879
______________________________________________________________________
06.19.69 CVE: Not Available
Platform: Web Application
Title: Phil's Bookmark Script Admin.PHP Authentication Bypass
Description: Phil's Bookmark script is a web link bookmarking
application. It is vulnerable to an authentication bypass issue
because the "admin.php" script fails to prompt for authentication
credentials. All versions of Phil's Bookmark script are vulnerable.
Ref: http://www.securityfocus.com/archive/1/433222
______________________________________________________________________
06.19.70 CVE: Not Available
Platform: Web Application
Title: Website Baker User Display Name HTML Injection
Description: Website Baker is a content management system. It is
vulnerable to an HTML injection issue due to insufficient sanitization
of user-supplied input in user display names. Website Baker versions
2.6.1 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/433130
______________________________________________________________________
06.19.71 CVE: CVE-2006-2282
Platform: Web Application
Title: X7 Chat Avatar URL HTML Injection
Description: X7 Chat is a web-based chatroom application. It is
vulnerable to an HTML injection issue due to insufficient sanitization
of HTML and script code from avatar URLs. X7 Chat versions 2.0.2 and
earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/433131
______________________________________________________________________
06.19.72 CVE: Not Available
Platform: Web Application
Title: openEngine Template Unauthorized Access
Description: openEngine is a web-based content management system. It
is prone to an unauthorized access vulnerability due to improper
sanitization of user-supplied input to the "template" parameter of the
"website.php" script.
Ref: http://www.securityfocus.com/bid/17871
______________________________________________________________________
06.19.73 CVE: Not Available
Platform: Web Application
Title: MyBBoard Email SQL Injection
Description: MyBBoard is a web-based bulletin board application
implemented in PHP. MyBBoard is prone to an SQL injection
vulnerability.
Ref: http://www.securityfocus.com/archive/1/433231
______________________________________________________________________
06.19.74 CVE: Not Available
Platform: Web Application
Title: StatIt Visible_count_inc.PHP Remote File Include
Description: StatIt is a web-based statistics application implemented
in PHP. It is prone to a remote file include vulnerability due to
improper sanitization of user-supplied input to the "statitpath"
parameter of the "visible_count_inc.php" script.
Ref: http://www.securityfocus.com/bid/17887
______________________________________________________________________
06.19.75 CVE: CVE-2006-2258, CVE-2006-2259
Platform: Web Application
Title: Maxx Schedule Multiple Input Validation Vulnerabilities
Description: Maxx Schedule is a web application for resource
scheduling. Maxx Schedule is prone to multiple input validation
vulnerabilities including a cross-site scripting vulnerability and a
SQL injection vulnerability. Maxx Schedule version 1.0 is vulnerable
to these issues.
Ref: http://www.securityfocus.com/bid/17892
______________________________________________________________________
06.19.76 CVE: Not Available
Platform: Web Application
Title: UBlog Text Field HTML Injection
Description: UBlog is a web-based blog application. Insufficient
sanitization of the "text" parameter exposes the application to an HTML
injection issue. All current versions are affected.
Ref: http://www.securityfocus.com/bid/17856
______________________________________________________________________
06.19.77 CVE: CVE-2006-2281
Platform: Web Application
Title: X-POLL Add.PHP Input Validation
Description: X-POLL is a web-based polling application. It is
vulnerable to an input validation issue due to insufficient
sanitization of user-supplied input to the "add.php" script. X-POLL
version 2.0 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/433220
______________________________________________________________________
06.19.78 CVE: Not Available
Platform: Web Application
Title: Dokeos LDAP_VAR.INC.PHP Remote File Include
Description: Dokeos is a web-based e-learning and course management
application. Insufficient sanitization of the "includePath" parameter
of the "ldap_var.inc.php" script exposes the application to a remote
file include issue. Dokeos version 1.6.4 is affected.
Ref: http://www.securityfocus.com/bid/17915
______________________________________________________________________
06.19.79 CVE: CVE-2006-1093
Platform: Web Application
Title: IBM Websphere Application Server Multiple Vulnerabilities
Description: IBM WebSphere Application Server is a utility to
facilitate the creation of various enterprise web applications. It is
vulnerable to multiple unspecified security issues. IBM WebSphere
versions 5.0.2.x and 5.1.1.x are vulnerable.
Ref: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012064
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012009
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24011773
______________________________________________________________________
06.19.80 CVE: CVE-2006-1428
Platform: Web Application
Title: phpCOIN Email Address Information Disclosure
Description: phpCOIN is an application for client, order, and helpdesk
management; it is implemented in PHP. It is prone to an information
disclosure vulnerability.
Ref: http://www.securityfocus.com/bid/17959
______________________________________________________________________
06.19.81 CVE: Not Available
Platform: Web Application
Title: IdealBB Multiple Input Validation Vulnerabilities
Description: IdealBB is a bulletin board application implemented in
PHP. It is prone to multiple input validation vulnerabilities because
the application fails to properly sanitize user-supplied input.
IdealBB version 1.5.3 is affected.
Ref: http://www.securityfocus.com/archive/1/433248
______________________________________________________________________
06.19.82 CVE: CVE-2006-2292, CVE-2006-2291
Platform: Web Application
Title: IA-Calendar Multiple Input Validation Vulnerabilities
Description: Inhouse Associates IA-Calendar is a web calendar
application. IA-Calendar is prone to multiple input-validation
vulnerabilities because the application fails to properly sanitize
user-supplied input.
Ref: http://www.securityfocus.com/bid/17925
______________________________________________________________________
06.19.83 CVE: Not Available
Platform: Web Application
Title: PAFileDB Pafiledb_Constants.PHP Remote File Include
Description: paFileDB is a web-based file management utility.
Insufficient sanitization of the "module_root_path" parameter of the
"pafiledb_constants.php" script exposes the application to a remote
file include issue. paFileDB version 2.0.1 is affected.
Ref: http://www.securityfocus.com/bid/17930
______________________________________________________________________
06.19.84 CVE: Not Available
Platform: Web Application
Title: Aardvark Topsites PHP LostPW.PHP Remote File Include
Description: Aardvark Topsites PHP is affected by a remote file
include issue due to a failure in the application to properly sanitize
user-supplied input to the "CONFIG[path]" parameter of the
"sources/lostpw.php" script. All current versions are affected.
Ref: http://www.securityfocus.com/bid/17940
______________________________________________________________________
06.19.85 CVE: Not Available
Platform: Web Application
Title: Ozzywork Galeri Arbitrary File Upload
Description: Ozzywork Galeri is a web-based gallery application. It is
vulnerable to an arbitrary file upload issue due to insufficient
sanitization of input to the "add.asp" script. Ozzywork Galeri version
2.0 is affected.
Ref: http://www.securityfocus.com/bid/17946/info
______________________________________________________________________
06.19.86 CVE: Not Available
Platform: Web Application
Title: NewsBoard ABBC.CSS.PHP Local File Include
Description: NewsBoard is a web-based news reader application.
Insufficient sanitization of the "design_path" parameter of the
"abbc.css.php" script exposes the application to a local file include
issue. NewsBoard version 1.6.1 is affected.
Ref: http://www.securityfocus.com/bid/17947
______________________________________________________________________
06.19.87 CVE: Not Available
Platform: Web Application
Title: phpBB Multiple Input Validation Vulnerabilities
Description: phpBB is a bulletin board application implemented in PHP.
phpBB is prone to multiple input-validation vulnerabilities because
the application fails to properly sanitize user-supplied input.
Ref: http://www.securityfocus.com/archive/1/433715
______________________________________________________________________
06.19.88 CVE: CVE-2006-2322
Platform: Network Device
Title: Cisco Application Velocity System Open TCP Proxy
Description: Cisco Application Velocity System (AVS) is a
web-application accelerator package designed to act as a proxy for
HTTP traffic to improve response times. AVS is susceptible to a remote
open TCP proxy vulnerability due to a failure of the software to allow
only valid TCP ports to be utilized by remote users. Specifically,
attackers may specify arbitrary TCP ports to connect to through the
affected proxy software. Versions of AVS prior to 5.0.1 are vulnerable
to this issue.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20060510-avs.shtml
______________________________________________________________________
(c) 2006. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.
==end==
Subscriptions:
RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFEaNkY+LUG5KFpTkYRAvfdAJ9u5x/oIsBR+SeYIiL+DqJ4xtL2CgCgg6eq
k1F2NNdXseV2XlSIox54f/0=
=EVY8
-----END PGP SIGNATURE-----