RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 5

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Mon Jan 29 2007 - 19:14:41 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Big problems this week with Cisco IOS and Citrix. Plus more than 50 new
vulnerabilities confirmed in web applications.

*************************************************************************
           RISK: The Consensus Security Vulnerability Alert
January 29, 2007 Vol. 6. Week 5
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus

Platform Number of Updates and Vulnerabilities
- ------------------------ -------------------------------------
Windows 1
Microsoft Office 1 (#4)
Other Microsoft Products 1
Third Party Windows Apps 7 (#1, #3)
Mac Os 9 (#6, #7, #8)
Linux 5
Solaris 3
Unix 1
Cross Platform 15 (#5)
Web Application - Cross Site Scripting 8
Web Application - SQL Injection 10
Web Application 34
Network Device 4 (#2, #9)
Hardware 2

*************************************************************************
SECURITY TRAINING UPDATE: Several of the hands-on immersion security
training courses at SANS 2007 (San Diego, March 29 - April 4) are
starting to fill up. If you want a place, register early. You'll also
save hundreds of dollars if you do it in the next few weeks.
Full Schedule (53 courses): http://www.sans.org/sans2007/event.php
*************************************************************************

Table of Contents

Part I - Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: NCTsoft NCTAudioFile2 ActiveX Control Buffer Overflow
(2) HIGH: Cisco IOS Multiple Vulnerabilities
(3) HIGH: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability
(4) MODERATE: Microsoft Word Unspecified Code Execution Vulnerability
(5) MODERATE: Computer Associates Multiple Products Multiple Vulnerabilities
(6) MODERATE: Apple Mac OS X PICT Handling Memory Corruption
(7) MODERATE: Apple iChat AIM URL Handler Format String Vulnerability
(8) LOW: Apple Software Update Format String Vulnerability

Other Software
(9) LOW: Multiple VoIP Phones Session Hijacking Vulnerability

Patch
(10) CRITICAL: QuickTime RTSP URL Handler Buffer Overflow

Part II - Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
07.5.1 - Microsoft Help Workshop .HPJ File Buffer Overflow
 -- Microsoft Office
07.5.2 - Microsoft Word 2000 Unspecified Code Execution
 -- Other Microsoft Products
07.5.3 - Microsoft Visual C++ Resource File Buffer Overflow
 -- Third Party Windows Apps
07.5.4 - EarthLink TotalAccess ActiveX Control Unsafe Methods Weakness
07.5.5 - Citrix Presentation and MetaFrame Server Cpprov.DLL Stack Buffer Overflow
07.5.6 - Computer Associates BrightStor ARCServe BackUp Multiple Remote Buffer Overflow Vulnerabilities
07.5.7 - NCTsoft ActiveX Control Remote Buffer Overflow
07.5.8 - KarjaSoft Sami HTTP Server Request Remote Denial of Service
07.5.9 - BitDefender Client Professional Plus Settings Local Format String Vulnerability
07.5.10 - DivX Web Player NPDIVX32.DLL ActiveX Control Remote Denial of Service
 -- Mac Os
07.5.11 - Mac OS X QuickDraw GetSrcBits32ARGB() Remote Memory Corruption
07.5.12 - Apple Software Update Format String Vulnerability
07.5.13 - Apple Mac OS X QuickDraw GetSrcBits32ARGB Remote Memory Corruption
07.5.14 - Apple UserNotificationCenter Local Privilege Escalation
07.5.15 - iChat AIM URL Handler Remote Format String
07.5.16 - Mac OS X System Preferences Writeconfig Local Privilege Escalation
07.5.17 - Transmit 3 Remote Heap Overflow
07.5.18 - Apple Mac OS X Shared_Region_Map_File_NP System Call Memory Corruption
07.5.19 - Rumpus FTP Server Multiple Vulnerabilities
 -- Linux
07.5.20 - GTK2 GDKPixBufLoader Remote Denial of Service
07.5.21 - Linux-PAM Pam_Unix.SO Authentication Bypass
07.5.22 - Linux Kernel AIO_Setup_Ring Local Denial of Service
07.5.23 - Ulogd Unspecified Buffer Overflow
07.5.24 - GNU Ed Insecure Temporary File Creation
 -- Solaris
07.5.25 - Sun Ray Server Multiple Password Disclosure Vulnerabilities
07.5.26 - Sun Solaris Tip Local Privilege Escalation
07.5.27 - Kodak Color Management System Utilities Local Arbitrary Command Execution
 -- Unix
07.5.28 - ISC BIND Remote Fetch Context Denial of Service
 -- Cross Platform
07.5.29 - Hitachi HiRDB DataReplicator Server Unspecified Remote Denial of Service
07.5.30 - Hitachi JP1/HIBUN Servers Unspecified Remote Denial of Service
07.5.31 - Trend Micro InterScan VirusWall VSAPI Module Buffer Overflow
07.5.32 - ISC BIND Remote DNSSEC Validation Denial of Service
07.5.33 - Multiple Check Point Products Integrity Clientless Security Security Bypass
07.5.34 - Hitachi Web Server Multiple Vulnerabilities
07.5.35 - Symantec Web Security Multiple Denial of Service And Cross-Site Scripting Vulnerabilities
07.5.36 - Hitachi OpenTP1 Unspecified Remote Denial of Service
07.5.37 - Squid Proxy ACL Queue Overload Remote Denial of Service
07.5.38 - Atozed Software Intraweb Component HTTP Remote Denial of Service
07.5.39 - OpenLDAP Gentoo GenCert.SH Script Insecure Temporary File Creation
07.5.40 - Netrik Textarea Tag Remote Arbitrary Command Execution
07.5.41 - Django Authentication Bypass Weakness
07.5.42 - Django Message Files Remote Arbitrary Command Execution
07.5.43 - mbse-bbs MBSE_ROOT Multiple Local Privilege Escalation Vulnerabilities
 -- Web Application - Cross Site Scripting
07.5.44 - ezDatabase Login.PHP Cross-Site Scripting
07.5.45 - Openads phpAdsNew Admin-Search.PHP Cross-Site Scripting
07.5.46 - 212cafeBoard Multiple Cross-Site Scripting Vulnerabilities
07.5.47 - Bitweaver Articles and Blogs Multiple Cross-Site Scripting Vulnerabilities
07.5.48 - 212Cafe Guestbook Show.PHP Cross-Site Scripting
07.5.49 - Openads for PostgreSQL Unspecified Cross-Site Scripting
07.5.50 - PostNuke Reviews Index.PHP Cross-Site Scripting
07.5.51 - Sabros.US Index.PHP Cross-Site Scripting
 -- Web Application - SQL Injection
07.5.52 - Makit Newsposter Script News_Page.ASP SQL Injection
07.5.53 - GPS CMS Print.ASP SQL Injection
07.5.54 - ASP News News_Detail.ASP SQL Injection
07.5.55 - ASP Edge User.ASP SQL Injection
07.5.56 - Drupal Acidfree Module Node Title SQL Injection
07.5.57 - Website Baker Login.PHP SQL Injection
07.5.58 - FishCart Olst Parameter SQL Injection
07.5.59 - Unique Ads Banner.PHP SQL Injection
07.5.60 - PHP-Nuke Multiple SQL Injection Vulnerabilities
07.5.61 - Joomla CMS Multiple SQL Injection Vulnerabilities
 -- Web Application
07.5.62 - CGI Rescue WebForm Multiple Input Validation Vulnerabilities
07.5.63 - High5 Review Script Search Field HTML Injection
07.5.64 - Virtual Path PHPBB Module Configure.PHP Remote File Include
07.5.65 - Digitalxero Xero Portal PHPBB_Root_Path Multiple Remote File Include Vulnerabilities
07.5.66 - Drupal Project and Project Issues Tracking Modules Multiple Vulnerabilities
07.5.67 - Community Server Pingback SourceURI Denial of Service and Information Disclosure
07.5.68 - AWFFull Unspecified Multiple Buffer Overflow Vulnerabilities
07.5.69 - Virtual Host Administrator Modules_Dir Remote File Include
07.5.70 - Wordpress Pingback SourceURI Denial of Service and Information Disclosure
07.5.71 - RPW Config.PHP Remote File Include
07.5.72 - phpXD Path Remote File Include
07.5.73 - MyBB Private.PHP HTML Injection
07.5.74 - MaklerPlus Multiple Unspecified Vulnerabilities
07.5.75 - Mini Web Server Unspecified Multiple Buffer Overflow Vulnerabilities
07.5.76 - BBClone Selectlang.PHP Remote File Include
07.5.77 - Yana Framework Guestbook Unspecified Security Bypass
07.5.78 - Vote! Pro Multiple PHP Code Execution Vulnerabilities
07.5.79 - PHP Link Directory Link Submission HTML Injection
07.5.80 - Zomp Index.PHP Local File Include
07.5.81 - PHPIndexPage Config.PHP Remote File Include
07.5.82 - Neon Labs Website NL.PHP Remote File Include
07.5.83 - XMB MemCP.PHP HTML Injection
07.5.84 - PHPSherpa Racine Parameter Remote File Include
07.5.85 - Upload Service Remote File Include
07.5.86 - Mafia Scum Tools Index.PHP Remote File Include
07.5.87 - WebChat Remote File Include
07.5.88 - Bradabra Includes.PHP Remote File Include
07.5.89 - Easebay Resources Paypal Subscription Manager Multiple Input Validation Vulnerabilities
07.5.90 - Easebay Resources Login Manager Multiple Input Validation Vulnerabilities
07.5.91 - SMF Index.PHP HTML Injection
07.5.92 - DocMan Multiple Input Validation Vulnerabilities
07.5.93 - ArsDigita Community System Directory Traversal
07.5.94 - VirtueMart Joomla ECommerce Edition Multiple Unspecified Input Validation Vulnerabilities
07.5.95 - WebGUI Registration Username HTML Injection
 -- Network Device
07.5.96 - Cisco IOS IPv6 Source Routing Remote Memory Corruption
07.5.97 - Cisco Multiple Devices Crafted IP Option Multiple Remote Code Execution Vulnerabilities
07.5.98 - AVM FRITZ!Box VoIP Remote Denial of Service
07.5.99 - Cisco SSL/TLS Certificate and SSH Public Key Validation
 -- Hardware
07.5.100 - Multiple VOIP Phones Aredfox PA168 Chipset Session Hijacking
07.5.101 - T-Com Speedport 500V 'LogInKey' Cookie Parameter Authentication Bypass

*********************************************************************************************

PART I - Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar
at TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process

*****************************
Widely-Deployed Software
*****************************

(1) CRITICAL: NCTsoft NCTAudioFile2 ActiveX Control Buffer Overflow
Affected:
NCTAudioFile2 ActiveX Control version 2.7.1 and prior
Note that this control is installed by many different applications.

Description: The NCTsoft NCTAudioFile2 ActiveX control contains a buffer
overflow vulnerability in the processing of arguments passed to its
"SetFormatLikeSample()" method. A web page that instantiates this
control could trigger this vulnerability, and execute arbitrary code
with the privileges of the current user. Technical details for this
vulnerability are publicly available, as is a simple proof-of-concept.
Reusable exploit code targeting ActiveX control vulnerabilities is
widely available and easily adaptable to this specific vulnerability.
Users can mitigate the impact of this vulnerability by disabling the
control via Microsoft's "kill bit" mechanism for CLSID
"77829F14-D911-40FF-A2F0-D11DB8D6D0BC": setting the "Compatibility
Flags" DWORD value to 0x400 under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
(see the Microsoft Knowledge Base article below) prevents Internet
Explorer from instantiating the control without uninstalling it from the
applications that ship it.

Status: NCTsoft has not confirmed, no updates available.

References:
Secunia Security Advisory
http://secunia.com/secunia_research/2007-2/advisory/
Posting by Secunia (lists products known to ship the vulnerable control)
http://www.securityfocus.com/archive/1/457965
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Product Home Page
http://nctsoft.com/products/NCTAudioEditor2/
SecurityFocus BID
http://www.securityfocus.com/bid/22196

*************************************************************************
(2) HIGH: Cisco IOS Multiple Vulnerabilities
Affected:
Cisco IOS XR versions 2.0 and higher
Cisco IOS versions 12.4 XB and prior
Due to the large number of builds of IOS, other versions may be
vulnerable. Some builds within the range given above are not vulnerable.
It is recommended that users consult the official Cisco advisories to
determine whether or not they are vulnerable.

Description: Cisco IOS is Cisco's custom operating system used in its
routing products. The majority of internet traffic is routed via systems
running IOS. Cisco IOS contains the following vulnerabilities:

(1) A specially-crafted IP options field in an Internet Control Message
Protocol (ICMP), Protocol Independent Multicast version 2 (PIMv2),
Pragmatic General Multicast (PGM), or URL Rendezvous Directory (URD)
packet could trigger a vulnerability, leading to a denial-of-service
condition. It is believed that this vulnerability could lead to
arbitrary code execution, but this has not yet been proven.

(2) A specially-crafted Transmission Control Protocol (TCP) packet can
lead to a small memory leak on certain vulnerable systems. Large numbers
of these packets can exhaust all available memory on a system, leading
to a denial-of-service condition.

(3) An Internet Protocol version 6 (IPv6) packet containing a
specially-crafted Type 0 Routing header could lead to a
denial-of-service condition by crashing the vulnerable system.

IOS is vulnerable to the first two issues in its default configuration;
the third requires IPv6 processing, which is not enabled by default. In
all cases, the malicious traffic must be directed specifically to the
router; traffic transiting the router will not trigger these
vulnerabilities. These vulnerabilities can be partially mitigated by
configuring firewall rules and access lists to limit the types of
traffic that can reach the vulnerable systems directly.

Status: Cisco confirmed, updates available.

References:
Cisco Security Advisories
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb157.shtml#workarounds
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
Cisco Applied Intelligence Response (discusses mitigating strategies)
http://www.cisco.com/en/US/products/products_security_response09186a00807cb0da.html
Cisco IOS Home Page
http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_category_home.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/22208
http://www.securityfocus.com/bid/22210
http://www.securityfocus.com/bid/22211

*************************************************************************

(3) HIGH: Citrix Metaframe Presentation Server Print Provider Buffer
    Overflow Vulnerability
Affected:
Citrix Presentation Server version 4.0
Citrix MetaFrame Presentation Server version 3.0
Citrix MetaFrame XP version 1.0

Description: A print provider installed by several Citrix products
contains a remotely-exploitable buffer overflow. By passing an
overly-long argument to the "EnumPrintersW()" or "OpenPrinter()"
functions, an attacker could exploit this buffer overflow and execute
arbitrary code with "LocalSystem" privileges. These calls can be issued
via an unauthenticated RPC request. Note that some technical details for
this vulnerability are publicly available, and a working exploit is
available to the members of Immunity's partner program. Users are
advised to block access to TCP and UDP ports 135, 137, 138, 139, 445,
and 593 (the RPC endpoint mapper, NetBIOS, SMB and RPC-over-HTTP ports)
at the network perimeter, if possible.

Status: Citrix confirmed, updates available.

References:
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-07-006.html
Citrix Security Advisory
http://support.citrix.com/article/CTX111686
Immunity Partner's Program Exploit (binary file)
https://www.immunityinc.com/downloads/immpartners/citrix_pp.tar
Citrix Home Page
http://www.citrix.com
SecurityFocus BID
http://www.securityfocus.com/bid/22217

*************************************************************************

(4) MODERATE: Microsoft Word Unspecified Code Execution Vulnerability
Affected:
Microsoft Word 2000 and possibly other versions

Description: Microsoft Word is vulnerable to a code execution
vulnerability. The exact nature of this vulnerability is currently
undisclosed. According to SecurityFocus, Symantec believes this
vulnerability is being actively exploited in the wild.

Status: Microsoft is investigating this issue.

References:
Microsoft Security Advisory
http://www.microsoft.com/technet/security/advisory/932114.mspx
SecurityFocus BID
http://www.securityfocus.com/bid/22225

*************************************************************************
(5) MODERATE: Computer Associates Multiple Products Multiple Vulnerabilities
Affected:
Computer Associates Desktop and Business Protection Suite
Computer Associates Desktop Management Suite
Computer Associates Mobile Backup
Computer Associates BrightStor ARCserve Backup Laptop and Desktop

Description: Multiple Computer Associates products contain
remotely-exploitable buffer overflows. The exact nature of these buffer
overflows is currently not publicly known, but the vendor has stated
that successful exploitation can lead to arbitrary code execution with
SYSTEM or root privileges. It is unknown if these vulnerabilities are
related to those discussed in RISK Volume 6, Issue 3.

Special Note: CA BrightStor ARCServe buffer overflows have been actively
exploited for the past couple of years. SANS recommends that you block
all the ports that are opened by the software, at the network perimeter.
A list of the ports to block may be found at:
http://www.ca.com/at/local/partner/techtalk_mar05_faq.pdf
http://supportconnectw.ca.com/public/ca_common_docs/brightstorwinxpsp2matrix.asp

Status: Computer Associates confirmed, updates available.

References:
Previous RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=6&i=3#widely2
Computer Associates Security Advisory
http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp
Next Generation Security Software (credited by the vendor with discovery
of these vulnerabilities)
http://www.ngssoftware.com
Product Home Page
http://www3.ca.com/solutions/ProductFamily.aspx?ID=115
SecurityFocus BID
http://www.securityfocus.com/bid/22199

*************************************************************************
(6) MODERATE: Apple Mac OS X PICT Handling Memory Corruption
Affected:
Mac OS X 10.4.8 and prior

Description: Apple Mac OS X contains a flaw when parsing PICT image
files. PICT is an old, rarely-used image file format. A PICT file with
a specially-crafted "ARGB" field could exploit this vulnerability and
create a denial-of-service condition. It is believed that this
vulnerability could also lead to arbitrary code execution with the
privileges of the current user, but this has not been confirmed.
Technical details and a proof-of-concept for this vulnerability are
publicly available. PICT files are opened automatically by Safari, Mail,
and other applications. It is currently unknown if Apple QuickTime on
Microsoft Windows is vulnerable.

Status: Apple has not confirmed, no updates available.

References:
Security Protocols Advisory (includes proof-of-concept)
http://security-protocols.com/sp-x43-advisory.php
Wikipedia Article on the PICT File Format
http://en.wikipedia.org/wiki/PICT
SecurityFocus BID
http://www.securityfocus.com/bid/22228

*************************************************************************

(7) MODERATE: Apple iChat AIM URL Handler Format String Vulnerability
Affected:
Apple iChat version 3.1.6 and possibly prior

Description: Apple iChat, Apple's instant messaging client installed by
default on Mac OS X systems, contains a format string vulnerability. A
specially-crafted "aim://" URL, used to initiate an AOL Instant Message
chat session, could exploit this vulnerability and execute arbitrary
code with the privileges of the current user. The specially-crafted URL
can be placed in a web page, and can be made to automatically open upon
viewing the page. Technical details and a simple proof-of-concept for
this vulnerability are publicly available. This vulnerability was
disclosed by the Month of Apple Bugs project, whose goal is to disclose
a security vulnerability in Apple or Apple-related software every day
for a month.

Status: Apple has not confirmed, no updates available.

References:
Month of Apple Bugs Advisory
http://projects.info-pull.com/moab/MOAB-20-01-2007.html
Proof of Concept (malicious web page)
http://projects.info-pull.com/moab/bug-files/MOAB-20-01-2007.html
Apple iChat Home Page
http://www.apple.com/macosx/features/ichat/
SecurityFocus BID
http://www.securityfocus.com/bid/22146

*************************************************************************

(8) LOW: Apple Software Update Format String Vulnerability
Affected:
Apple Software Update version 2.0.5 and possibly prior

Description: Apple Software Update, a part of Apple Mac OS X used to
download and install software updates, contains a format string
vulnerability. A Software Update catalog file with a specially-crafted
name can exploit this vulnerability. It is believed that code execution
is possible with this vulnerability, though this has not been confirmed.
Software Update catalog files are not opened by default in any software.
Technical details and a simple proof-of-concept are publicly available.

Status: Apple has not confirmed, no updates available.

References:
Month of Apple Bugs Advisory
http://projects.info-pull.com/moab/MOAB-24-01-2007.html
SecurityFocus BID
http://www.securityfocus.com/bid/22222

*************************************************************************

**************
Other Software
**************

(9) LOW: Multiple VoIP Phones Session Hijacking Vulnerability
Affected:
VoIP phones using the Aredfox PA168 chipset with firmware versions 1.42 and 1.54

Description: Voice-over-IP (VoIP) phones that use the Aredfox PA168
chipset are vulnerable to session hijacking. Once an administrator has
logged into the phone's web-based administrative interface, an attacker
can easily hijack that session and execute arbitrary commands with
administrative privilege. Note that the attacker's access lasts only as
long as the administrator remains logged in. A simple proof-of-concept
for this vulnerability is available.

Status: Aredfox has not confirmed, no updates available.

References:
Proof of Concept (includes list of affected phones)
http://downloads.securityfocus.com/vulnerabilities/exploits/active-session-attack.sh
Vendor Home Page
http://www.aredfox.com/eindex.htm
VoIP Security Alliance
http://voipsa.org/
SecurityFocus BID
http://www.securityfocus.com/bid/22191

*****
Patch
*****

(10) CRITICAL: QuickTime RTSP URL Handler Buffer Overflow

Description: Apple has released a patch for the QuickTime RTSP URL
handler buffer overflow, described in the RISK volume 6, issue 1. This
patch should be automatically downloaded via the Software Update
facility on Mac OS X. Windows users may need to manually download an
updated version of QuickTime.

References:
Previous RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=6&i=1#widely1
Apple Security Update
http://docs.info.apple.com/article.html?artnum=304989
QuickTime Download for Microsoft Windows
http://www.apple.com/quicktime/download/win.html

****************************************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 5 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5351 unique vulnerabilities. For this special
SANS community listing, Qualys also includes vulnerabilities that cannot
be scanned remotely.

07.5.1 CVE: Not Available
Platform: Windows
Title: Microsoft Help Workshop .HPJ File Buffer Overflow
Description: Microsoft Help Workshop is prone to a buffer overflow
vulnerability as it fails to properly bounds check user-supplied
input in ".hpj" help project files. Please see the advisory for
further information.
Ref: http://www.securityfocus.com/bid/22135
______________________________________________________________________

07.5.2 CVE: Not Available
Platform: Microsoft Office
Title: Microsoft Word 2000 Unspecified Code Execution
Description: Microsoft Word 2000 is prone to a remote code execution
vulnerability that arises because of a memory corruption
vulnerability. Exploit attempts against Word 2003/XP result in a
denial of service due to complete CPU utilization, denying service to
legitimate users. Various versions of Microsoft Word are affected.
Ref: http://www.securityfocus.com/bid/22225
______________________________________________________________________

07.5.3 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Visual C++ Resource File Buffer Overflow
Description: Microsoft Visual C++ is prone to a stack-based buffer
overflow issue because it fails to bounds check user-supplied data to
the MSDEV.EXE process within the resource compiler RCDLL module.
Ref: http://www.securityfocus.com/bid/22170
______________________________________________________________________

07.5.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: EarthLink TotalAccess ActiveX Control Unsafe Methods Weakness
Description: EarthLink TotalAccess is a suite of applications to
protect against Internet attacks. The ActiveX control is vulnerable to
a weakness with certain methods. See the advisory for further details.
Ref: http://www.securityfocus.com/bid/22238
______________________________________________________________________

07.5.5 CVE: CVE-2007-0444
Platform: Third Party Windows Apps
Title: Citrix Presentation and MetaFrame Server Cpprov.DLL Stack
Buffer Overflow
Description: Citrix Presentation Server and MetaFrame Presentation
Server deliver applications to ICA clients. They are prone to a
stack-based buffer overflow vulnerability because they fail to properly
bounds check user-supplied data passed to the "EnumPrinters()" and
"OpenPrinter()" functions in the Citrix print provider "cpprov.dll".
Citrix Presentation Server 4.0, Citrix MetaFrame XP 1.0 and Citrix
MetaFrame Presentation Server 3.0 are all affected.
Ref: http://support.citrix.com/article/CTX111686
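The defect that Part I item (3) and entries 07.5.1, 07.5.3 and 07.5.5 all describe is a fixed-size buffer filled from caller-supplied data without a length check. The following C example was added by the editor to show that pattern beside its bounds-checked replacement; it is not code from Citrix, Microsoft or any other vendor in this bulletin. The printer-name buffer, its 32-byte size, the function names and the sample inputs are assumptions chosen for illustration.

```c
/* Added illustration of an unchecked copy into a fixed stack buffer and
 * its bounds-checked replacement. Names, sizes and inputs are assumed,
 * not taken from any product mentioned in the bulletin. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 32   /* assumed size of the local printer-name buffer */

/* Vulnerable form: trusts the caller's length. A name of 32 bytes or
 * more runs past 'local' and overwrites the saved frame pointer and
 * return address, which is how a "stack-based buffer overflow" becomes
 * code execution. Kept for contrast only; never pass it untrusted data. */
void open_printer_unchecked(const char *name)
{
    char local[NAME_BUF_LEN];

    strcpy(local, name);          /* no bounds check */
    printf("opening printer %s\n", local);
}

/* Hardened form: measure and reject before copying. Returns 0 on success,
 * -1 if the name is missing, empty or would not fit with its NUL. */
int open_printer_checked(const char *name, char *out, size_t out_len)
{
    size_t n;

    if (name == NULL || out == NULL || out_len == 0)
        return -1;
    /* strnlen stops at out_len, so an unterminated input cannot make the
     * check itself read beyond the caller's buffer size. */
    n = strnlen(name, out_len);
    if (n == 0 || n >= out_len)   /* empty, or no room for the terminator */
        return -1;
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

/* Exercise the checked version with a normal name and with the kind of
 * overly long argument an attacker would send. Returns 1 if the short
 * name is accepted and copied intact and the long and empty ones are
 * rejected without touching the destination; 0 otherwise. */
int demo_bounds_check(void)
{
    char dest[NAME_BUF_LEN] = "unchanged";
    char attack[300];             /* constructed: 299 'A's, NUL-terminated */

    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';

    if (open_printer_checked("HP-Lab-1", dest, sizeof dest) != 0)
        return 0;
    if (strcmp(dest, "HP-Lab-1") != 0)
        return 0;
    if (open_printer_checked(attack, dest, sizeof dest) != -1)
        return 0;
    if (strcmp(dest, "HP-Lab-1") != 0)   /* rejection must not write */
        return 0;
    if (open_printer_checked("", dest, sizeof dest) != -1)
        return 0;
    return 1;
}

int main(void)
{
    int ok = demo_bounds_check();

    printf("bounds check demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the checked version is that the length decision is made once, against the destination size, before any byte is written; the unchecked version makes no decision at all, and the remote caller's argument length becomes the write length.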
______________________________________________________________________

07.5.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Computer Associates BrightStor ARCServe BackUp Multiple Remote
Buffer Overflow Vulnerabilities
Description: Computer Associates BrightStor ARCServe BackUp is prone
to multiple buffer overflow vulnerabilities which allow remote
attackers to execute arbitrary code with SYSTEM privileges.
Ref: http://www.securityfocus.com/bid/22199
______________________________________________________________________

07.5.7 CVE: CVE-2007-0018
Platform: Third Party Windows Apps
Title: NCTsoft ActiveX Control Remote Buffer Overflow
Description: NCTsoft NCTAudioEditor ActiveX DLL is a multi-functional
visual audio file editor distributed as an ActiveX component. It is
vulnerable to a buffer overflow issue in the NCTAudioFile2.AudioFile
ActiveX control when handling the "SetFormatLikeSample()" method. See
the advisory for further details.
Ref: http://secunia.com/secunia_research/2007-2/advisory/
______________________________________________________________________

07.5.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: KarjaSoft Sami HTTP Server Request Remote Denial of Service
Description: Sami HTTP Server is a server application available for
Microsoft Windows. It is prone to a remote denial of service
vulnerability when the application receives an excessive amount of
HTTP requests for nonexistent files and folders. Versions 2.0.1, 1.0.5
and 1.0.4 are reportedly vulnerable.
Ref: http://www.securityfocus.com/bid/22159
______________________________________________________________________

07.5.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: BitDefender Client Professional Plus Settings Local Format
String Vulnerability
Description: BitDefender Client Professional Plus is prone to a format
string vulnerability because it fails to properly sanitize
user-supplied input before using it in the format specifier argument
to a formatted printing function. BitDefender Client Professional Plus
build 8.02 and prior versions are vulnerable to this issue.
Ref:
http://www.bitdefender.com/KB325-en--Format-string-vulnerability.html
______________________________________________________________________

07.5.10 CVE: Not Available
Platform: Third Party Windows Apps
Title: DivX Web Player NPDIVX32.DLL ActiveX Control Remote Denial of
Service
Description: DivX Web Player is a browser plug-in for playing
DivX-encoded video content. It is vulnerable to a denial of service
issue when the "GoWindowed()" method of the vulnerable control is called
with a window size of 1x1 pixels. Version 1.2 is vulnerable.
Ref: http://www.securityfocus.com/bid/22133
______________________________________________________________________

07.5.11 CVE: CVE-2007-0462
Platform: Mac Os
Title: Mac OS X QuickDraw GetSrcBits32ARGB() Remote Memory Corruption
Description: Mac OS X QuickDraw is a library used by the operating
system to perform image manipulation operations. It is vulnerable to a
remote memory corruption issue because it fails to properly handle
malformed PICT image files. See the advisory for further details.
Ref: http://projects.info-pull.com/moab/MOAB-23-01-2007.html
______________________________________________________________________

07.5.12 CVE: CVE-2007-0463
Platform: Mac Os
Title: Apple Software Update Format String Vulnerability
Description: Apple Software Update is the application that delivers
patches to a user's Mac OS X operating system. It is vulnerable to a
format string issue because the application fails to properly sanitize
user-supplied input before passing it as the format specifier to a
formatted printing function. Apple Software Update version 2.0.5 is
vulnerable.
Ref: http://projects.info-pull.com/moab/MOAB-24-01-2007.html
______________________________________________________________________

07.5.13 CVE: Not Available
Platform: Mac Os
Title: Apple Mac OS X QuickDraw GetSrcBits32ARGB Remote Memory
Corruption
Description: Mac OS X QuickDraw is prone to a remote memory corruption
vulnerability due to the failure of the software to properly handle
malformed PICT image files in the "GetSrcBits32ARGB()" function. Mac
OS X version 10.4.8 is affected.
Ref: http://www.securityfocus.com/bid/22207
______________________________________________________________________

07.5.14 CVE: CVE-2007-0023
Platform: Mac Os
Title: Apple UserNotificationCenter Local Privilege Escalation
Description: Apple Mac OS X is prone to a local privilege escalation
vulnerability. The UserNotificationCenter application is launched on
demand when messages are sent to the "com.apple.UNCUserNotification"
port. The operating system runs it with the user ID of the logged-in
user, but it retains elevated group privileges rather than dropping to
the user's group, so a local user can act with those group privileges.
Apple Mac OS X version 10.4.8 is vulnerable and other versions may also
be affected.
Ref: http://projects.info-pull.com/moab/MOAB-22-01-2007.html
______________________________________________________________________

07.5.15 CVE: CVE-2007-0021
Platform: Mac Os
Title: iChat AIM URL Handler Remote Format String
Description: Apple iChat is an instant messaging client for Apple OS
X. It is vulnerable to a remote format string issue due to
insufficient handling of malformed data passed to the "aim://"
handler. Apple iChat version 3.1.6 (v441) is vulnerable.
Ref: http://projects.info-pull.com/moab/MOAB-20-01-2007.html
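Part I items (7) and (8) and entries 07.5.9, 07.5.12 and 07.5.15 all describe the same defect: user-supplied input reaches a printf-family function as the format argument rather than as data. The following C example was added by the editor to show that defect beside the corrected call, plus a small triage check for spotting hostile input in captured URLs, catalog names or settings; it is not code from Apple, BitDefender or any other vendor. The function names, buffer size and sample strings are assumptions.

```c
/* Added illustration of a format string defect: untrusted input used as
 * the format argument of a printf-family call, next to the corrected
 * call and a triage check. Not code from Apple, BitDefender or any
 * vendor; the function names and sample input are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Vulnerable form: the attacker's string *is* the format. "%x" and "%s"
 * directives read whatever is on the stack (information leak) and "%n"
 * writes the number of bytes emitted so far to a pointer pulled from the
 * stack, which is what turns this into arbitrary code execution. Shown
 * for contrast only; never call it with untrusted input. */
int log_message_unchecked(char *out, size_t out_len, const char *user)
{
    return snprintf(out, out_len, user);   /* user controls the format */
}

/* Fixed form: the format is a literal and the untrusted text is an
 * argument, so '%' in it is copied, not interpreted. */
int log_message_fixed(char *out, size_t out_len, const char *user)
{
    return snprintf(out, out_len, "%s", user);
}

/* Triage helper: does a string contain a conversion directive? "%%" is a
 * literal percent sign and is ignored. Returns 1 if a directive (or a
 * dangling '%' at the end of the string) is present, 0 otherwise. */
int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {     /* escaped percent, skip both characters */
            s++;
            continue;
        }
        return 1;              /* '%' followed by anything else, or by end */
    }
    return 0;
}

/* Feed a constructed hostile string through the fixed logger and report
 * whether it survives verbatim (1) or was interpreted (0). */
int demo_fixed_keeps_literal(void)
{
    char buf[64];
    const char *hostile = "AAAA%x%x%x%n";   /* constructed sample input */

    log_message_fixed(buf, sizeof buf, hostile);
    return strcmp(buf, hostile) == 0;
}

int main(void)
{
    const char *samples[] = { "AAAA%x%x%x%n", "100%% done", "plain text" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s directive=%d\n", samples[i],
               has_format_directive(samples[i]));
    printf("fixed logger keeps input literal: %d\n",
           demo_fixed_keeps_literal());
    return 0;
}
```

Compiling this with gcc -Wformat -Wformat-security flags the unchecked call ("format not a string literal and no format arguments") and says nothing about the fixed one; that warning is the cheapest audit for this bug class in C code you control, and the triage helper is for the other direction, checking data headed into code you do not.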
______________________________________________________________________

07.5.16 CVE: Not Available
Platform: Mac Os
Title: Mac OS X System Preferences Writeconfig Local Privilege
Escalation
Description: Mac OS X is prone to a local privilege escalation issue
because the "writeconfig" script of the "System Preferences" utility
does not verify the "PATH" environment variable when it calls the
"launchctl" utility. Mac OS X version 10.4.8 is reported to be
vulnerable.
Ref: http://projects.info-pull.com/moab/MOAB-21-01-2007.html
______________________________________________________________________

07.5.17 CVE: CVE-2007-0020
Platform: Mac Os
Title: Transmit 3 Remote Heap Overflow
Description: Transmit 3 is an FTP application designed for use on the
Mac OS X operating system. It is exposed to a heap overflow
vulnerability because the server fails to allocate enough space when
dealing with strings passed on by the URL handler. Transmit 3 version
3.5.5 and earlier are affected.
Ref: http://projects.info-pull.com/moab/MOAB-19-01-2007.html
______________________________________________________________________

07.5.18 CVE: Not Available
Platform: Mac Os
Title: Apple Mac OS X Shared_Region_Map_File_NP System Call Memory
Corruption
Description: Apple Mac OS X is prone to a memory corruption
vulnerability because it fails to properly bounds check parameter
values to the "shared_region_map_file_np()" kernel function call,
which handles memory allocation. Mac OS X versions 10.4.8 and prior are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/457466
______________________________________________________________________

07.5.19 CVE: Not Available
Platform: Mac Os
Title: Rumpus FTP Server Multiple Vulnerabilities
Description: Rumpus FTP server is prone to multiple vulnerabilities.
These include multiple remote heap overflows, denial of service
conditions, and local privilege escalation issues. Versions 5.1 and
prior are vulnerable. Please see the advisory for further information.
Ref: http://www.securityfocus.com/bid/22126
______________________________________________________________________

07.5.20 CVE: CVE-2007-0010
Platform: Linux
Title: GTK2 GDKPixBufLoader Remote Denial of Service
Description: GTK2 is a package containing the GIMP ToolKit (GTK+), a
graphics library for use with the X Window System. It is vulnerable
to a denial of service issue because the "GdkPixbufLoader()" function
fails to properly handle malformed image data. See the advisory for
further details.
Ref: http://rhn.redhat.com/errata/RHSA-2007-0019.html
______________________________________________________________________

07.5.21 CVE: CVE-2007-0003
Platform: Linux
Title: Linux-PAM Pam_Unix.SO Authentication Bypass
Description: Linux-PAM is a package of Pluggable Authentication
Modules. It is vulnerable to an authentication bypass issue because it
fails to effectively verify user passwords during the authentication
process. Linux-PAM version 0.99.7.0 is vulnerable.
Ref: https://www.redhat.com/archives/pam-list/2007-January/msg00017.html
______________________________________________________________________

07.5.22 CVE: CVE-2006-5754
Platform: Linux
Title: Linux Kernel AIO_Setup_Ring Local Denial of Service
Description: The Linux kernel is prone to a local denial of service
vulnerability because it fails to properly initialize a variable.
Specifically, the "aio_setup_ring()" function incorrectly initializes
a variable that can be leveraged in an error path to free allocated
resources. Several versions of the Linux kernel are affected.
Ref: http://www.securityfocus.com/bid/22193
______________________________________________________________________

07.5.23 CVE: CVE-2007-0460
Platform: Linux
Title: Ulogd Unspecified Buffer Overflow
Description: Ulogd (usermode log daemon) is an open source, syslog-based
application. It is vulnerable to a buffer overflow issue due to an
improper length calculation of an unspecified string. Ulogd version
1.23 is vulnerable.
Ref: http://www.securityfocus.com/bid/22139
______________________________________________________________________

07.5.24 CVE: CVE-2006-6939
Platform: Linux
Title: GNU Ed Insecure Temporary File Creation
Description: GNU Ed is a line oriented text editor. It is vulnerable
to an insecure temporary file creation issue. GNU Ed versions 0.2 and
earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/22129
______________________________________________________________________

07.5.25 CVE: Not Available
Platform: Solaris
Title: Sun Ray Server Multiple Password Disclosure Vulnerabilities
Description: Sun Ray server is a proxy server. It is vulnerable to
multiple password disclosure vulnerabilities due to a design error.
Sun Ray Server Software versions 2.0 and 3.0 are vulnerable. See the
advisory for further details.
Ref:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102779-1&searchclause=
______________________________________________________________________

07.5.26 CVE: Not Available
Platform: Solaris
Title: Sun Solaris Tip Local Privilege Escalation
Description: Sun Solaris is prone to a local privilege escalation
vulnerability due to an unspecified flaw in the tip(1) command. This
command is installed setuid-uucp by default. Solaris versions 8, 9 and
10 are reportedly vulnerable.
Ref:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102773-1&searchclause=
______________________________________________________________________

07.5.27 CVE: Not Available
Platform: Solaris
Title: Kodak Color Management System Utilities Local Arbitrary Command
Execution
Description: Kodak Color Management System is prone to a local command
execution vulnerability. Specifically, the "kcms_calibrate()" command
can be leveraged by a local unprivileged user to execute arbitrary
commands with superuser privileges. The version of Kodak Color
Management System distributed with Sun Solaris versions 8 and 9 is
vulnerable and other platforms may also be affected.
Ref:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102728-1&searchclause=
______________________________________________________________________

07.5.28 CVE: Not Available
Platform: Unix
Title: ISC BIND Remote Fetch Context Denial of Service
Description: ISC BIND is prone to a remote denial of service
vulnerability due to a failure of the application to properly handle
unexpected DNS requests.
Ref: http://www.securityfocus.com/bid/22229
______________________________________________________________________

07.5.29 CVE: Not Available
Platform: Cross Platform
Title: Hitachi HiRDB DataReplicator Server Unspecified Remote Denial
of Service
Description: Hitachi HiRDB Datareplicator is an application for
linking information with other databases. It is affected by a denial
of service issue.
Ref: http://www.securityfocus.com/bid/22244
______________________________________________________________________

07.5.30 CVE: Not Available
Platform: Cross Platform
Title: Hitachi JP1/HIBUN Servers Unspecified Remote Denial of Service
Description: Hitachi JP1/HIBUN is a bundled management server and log
server package. It is affected by a denial of service issue.
Ref: http://www.securityfocus.com/bid/22237
______________________________________________________________________

07.5.31 CVE: Not Available
Platform: Cross Platform
Title: Trend Micro InterScan VirusWall VSAPI Module Buffer Overflow
Description: Trend Micro InterScan VirusWall (ISVW) is an internet
gateway virus scanning package. It is prone to a buffer overflow
vulnerability due to insufficient input sanitization in the
"libvsapi.so" library file. Version 3.81 is reportedly vulnerable.
Ref: http://www.securityfocus.com/bid/22240
______________________________________________________________________

07.5.32 CVE: Not Available
Platform: Cross Platform
Title: ISC BIND Remote DNSSEC Validation Denial of Service
Description: ISC BIND is vulnerable to a remote denial of service
issue because the application fails to handle malformed DNSSEC
validation requests. See the advisory for further details.
Ref: http://www.isc.org/index.pl?/sw/bind/bind-security.php
______________________________________________________________________

07.5.33 CVE: CVE-2007-0471
Platform: Cross Platform
Title: Multiple Check Point Products Integrity Clientless Security
Security Bypass
Description: Connectra is a web security gateway and VPN-1 Power/UTM
is a virtual private network package developed by Check Point. Both
applications are prone to a security bypass vulnerability due to
insufficient data sanitization in the "/sre/params.php" script. Please
refer to the advisory for vulnerable versions.
Ref: http://www.securityfocus.com/bid/22233
______________________________________________________________________

07.5.34 CVE: Not Available
Platform: Cross Platform
Title: Hitachi Web Server Multiple Vulnerabilities
Description: Hitachi Web Server is prone to multiple vulnerabilities.
There are multiple cross-site scripting issues because the server fails
to properly sanitize user-supplied input which affects image maps and
an "Expect" header. A security bypass related to a protocol version
rollback also affects the application during client connection.
Various versions of the application are affected.
Ref:
http://www.hitachi-support.com/security_e/vuls_e/HS06-022_e/01-e.html
______________________________________________________________________

07.5.35 CVE: Not Available
Platform: Cross Platform
Title: Symantec Web Security Multiple Denial of Service And Cross-Site
Scripting Vulnerabilities
Description: Symantec Web Security is an HTTP/FTP traffic scanner
that scans and filters viruses and inappropriate content at the web
gateway. It is affected by multiple denial of service and cross-site
scripting issues. Symantec Web Security versions prior to 3.0.1.85 are
vulnerable.
Ref: http://www.securityfocus.com/bid/22184
______________________________________________________________________

07.5.36 CVE: Not Available
Platform: Cross Platform
Title: Hitachi OpenTP1 Unspecified Remote Denial of Service
Description: Hitachi OpenTP1 platform is a distributed transaction
manager providing Mainframe equivalent services in business
environments. It is affected by an unspecified denial of service
issue. Hitachi OpenTP1 TPI1/LiNK versions 3-5, and OpenTP1 TPI1/Server
Base versions 3-5 are affected.
Ref: http://www.securityfocus.com/bid/22223
______________________________________________________________________

07.5.37 CVE: CVE-2007-0248
Platform: Cross Platform
Title: Squid Proxy ACL Queue Overload Remote Denial of Service
Description: Squid is an open source proxy server. It is vulnerable to
a remote denial of service issue because the proxy server fails to
handle excessive data. Squid Web Proxy Cache version 2.6.STABLE7
resolves this issue.
Ref: http://www.squid-cache.org/bugs/show_bug.cgi?id=1848
______________________________________________________________________

07.5.38 CVE: Not Available
Platform: Cross Platform
Title: Atozed Software Intraweb Component HTTP Remote Denial of
Service
Description: Intraweb component for Borland Delphi and Kylix is prone
to a denial of service vulnerability because the application fails to
handle specially-crafted HTTP requests. Intraweb component versions
8.0 and prior are affected.
Ref: http://www.securityfocus.com/bid/22185
______________________________________________________________________

07.5.39 CVE: Not Available
Platform: Cross Platform
Title: OpenLDAP Gentoo GenCert.SH Script Insecure Temporary File
Creation
Description: OpenLDAP Software is an open source implementation of the
LDAP protocol. The application creates temporary files in an insecure
way that could allow an attacker with local access to perform symbolic
link attacks, overwriting arbitrary files in the context of the
affected application. This issue affects Gentoo ebuild for OpenLDAP.
Ref: http://www.securityfocus.com/bid/22195
______________________________________________________________________

07.5.40 CVE: CVE-2006-6678
Platform: Cross Platform
Title: Netrik Textarea Tag Remote Arbitrary Command Execution
Description: Netrik is a text-based web browser application. It is
exposed to a vulnerability that allows attackers to execute remote
arbitrary shell commands in the context of the web server application
by injecting malicious shell metacharacters into temporary filenames
via "textarea" tags. Netrik versions prior to 1.15.5 beta are
affected.
Ref: http://www.securityfocus.com/bid/22158
______________________________________________________________________

07.5.41 CVE: Not Available
Platform: Cross Platform
Title: Django Authentication Bypass Weakness
Description: Django is a high level Python Web framework. It is
exposed to a weakness that may permit attackers to bypass the
authentication mechanism of the application and obtain unauthorized
access to persistent "request.user" data belonging to the victim.
Django version 0.95 is affected.
Ref: http://www.securityfocus.com/bid/22138
______________________________________________________________________

07.5.42 CVE: Not Available
Platform: Cross Platform
Title: Django Message Files Remote Arbitrary Command Execution
Description: Django is a high level Python Web framework used to
build web applications. It is susceptible to a shell command execution
vulnerability because it fails to properly sanitize user-supplied
input before using it in a Python "os.system()" function call. Django
version 0.95 is vulnerable and other versions may also be affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407519
______________________________________________________________________

07.5.43 CVE: Not Available
Platform: Cross Platform
Title: mbse-bbs MBSE_ROOT Multiple Local Privilege Escalation
Vulnerabilities
Description: mbse-bbs is a bulletin board system available for
UNIX, Linux, and other UNIX-like operating systems. It is prone to
multiple local privilege escalation vulnerabilities because it fails
to bounds check user-supplied data to the "MBSE_ROOT" parameter of the
"mbuseradd.c" file before copying it into an insufficiently sized
buffer. mbse-bbs versions 0.70.0 and prior are affected.
Ref: http://www.securityfocus.com/bid/22112
______________________________________________________________________

07.5.44 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: ezDatabase Login.PHP Cross-Site Scripting
Description: ezDatabase is a database creation application. It is
vulnerable to a cross-site scripting issue due to insufficient
sanitization of user-supplied input to the "admin/login.php" script.
ezDatabase version 2.1.3 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/458062
______________________________________________________________________

07.5.45 CVE: CVE-2007-0363
Platform: Web Application - Cross Site Scripting
Title: Openads phpAdsNew Admin-Search.PHP Cross-Site Scripting
Description: Openads phpAdsNew is an application for hosting
classified ads online. It is vulnerable to a cross-site scripting
issue because it fails to properly sanitize user-supplied input to the
"keyword" parameter of the "admin-search.php" script. Openads
phpAdsNew and phpPgAds versions 2.0.9-r1 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/457990
______________________________________________________________________

07.5.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: 212cafeBoard Multiple Cross-Site Scripting Vulnerabilities
Description: 212cafeBoard is a web log application. It is prone to
multiple cross-site scripting vulnerabilities because it fails to
properly sanitize user-supplied input to the "user" parameter of the
"list3.php" script and the "keyword" parameter of the "search.php"
script. 212cafeBoard versions 0.08 Beta and 6.30 Beta are vulnerable
and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/22167
______________________________________________________________________

07.5.47 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Bitweaver Articles and Blogs Multiple Cross-Site Scripting
Vulnerabilities
Description: Bitweaver is a web-based framework and content manager
application. It is vulnerable to multiple cross-site scripting issues
due to insufficient sanitization of user-supplied input to various
scripts. Bitweaver versions 1.3.1 and earlier are vulnerable.
Ref: http://www.securityfocus.com/archive/1/457695
______________________________________________________________________

07.5.48 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: 212Cafe Guestbook Show.PHP Cross-Site Scripting
Description: 212Cafe Guestbook is a web-based guest book application.
It is prone to a cross-site scripting vulnerability because it fails
to properly sanitize user-supplied input to the "user" parameter of
the "show.php" script. 212Cafe version 4.00 beta is vulnerable and
other versions may also be affected.
Ref: http://www.securityfocus.com/bid/22173
______________________________________________________________________

07.5.49 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Openads for PostgreSQL Unspecified Cross-Site Scripting
Description: Openads for PostgreSQL is an open source ad server. It is
prone to an unspecified cross-site scripting vulnerability because it
fails to properly sanitize user-supplied input. Openads for PostgreSQL
versions prior to 2.0.10 are affected.
Ref: http://www.securityfocus.com/bid/22124
______________________________________________________________________

07.5.50 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PostNuke Reviews Index.PHP Cross-Site Scripting
Description: PostNuke is a content management system. It is vulnerable
to a cross-site scripting issue due to insufficient sanitization of
user-supplied input to the "index.php" script in the "Reviews"
section. PostNuke version 0.764 is vulnerable.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
______________________________________________________________________

07.5.51 CVE: CVE-2007-0390
Platform: Web Application - Cross Site Scripting
Title: Sabros.US Index.PHP Cross-Site Scripting
Description: The Sabros.US application is a web-based content manager
for bookmarks. It is vulnerable to a cross-site scripting issue due to
insufficient sanitization of user-supplied input to the "tag"
parameter of the "index.php" script. Sabros.US version 1.7 is
vulnerable.
Ref: http://www.securityfocus.com/bid/22115
______________________________________________________________________

07.5.52 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Makit Newsposter Script News_Page.ASP SQL Injection
Description: Makit Newsposter Script is a web-based news posting
script. It is affected by a SQL injection issue due to insufficient
sanitization of the "uid" parameter of the "news_page.asp" script.
Ref: http://www.securityfocus.com/bid/22230
______________________________________________________________________

07.5.53 CVE: Not Available
Platform: Web Application - SQL Injection
Title: GPS CMS Print.ASP SQL Injection
Description: GPS is a web-based content management system (CMS). It is
exposed to an SQL injection issue because it fails to properly
sanitize user-supplied input to the "id" parameter of the "print.asp"
script before using it in an SQL query.
GPS version 1.2 is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/22232
______________________________________________________________________

07.5.54 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ASP News News_Detail.ASP SQL Injection
Description: ASP NEWS is a web-based news application. Insufficient
sanitization of the "id" parameter of the "news_detail.asp" script
exposes the application to an SQL injection issue. ASP NEWS version 3
is affected.
Ref: http://www.securityfocus.com/bid/22214
______________________________________________________________________

07.5.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ASP Edge User.ASP SQL Injection
Description: ASP EDGE is a content management system (CMS). It is
exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data to the "user" parameter of the "user.asp"
script before using it in an SQL query. ASP EDGE Version 1.2b is
vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/22212
______________________________________________________________________

07.5.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Drupal Acidfree Module Node Title SQL Injection
Description: The Acidfree Module for Drupal is a media management
system. It is prone to an SQL injection vulnerability because it fails
to properly sanitize user-supplied input before using it in an SQL
query. Acidfree versions prior to 4.6.0-1.0 and 4.7.0-1.0 are
affected.
Ref: http://drupal.org/node/112145
______________________________________________________________________

07.5.57 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Website Baker Login.PHP SQL Injection
Description: Website Baker is a content management system. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied data to the "REMEMBER_KEY" cookie parameter. Website
Baker version 2.6.5 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/457684
______________________________________________________________________

07.5.58 CVE: Not Available
Platform: Web Application - SQL Injection
Title: FishCart Olst Parameter SQL Injection
Description: FishCart is a cross platform shopping cart application.
It is prone to an SQL injection vulnerability due to insufficient
input sanitization of the "olst" parameter of the "display.php"
script. Versions 3.1 and prior are reportedly vulnerable.
Ref: http://www.securityfocus.com/bid/22166
______________________________________________________________________

07.5.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Unique Ads Banner.PHP SQL Injection
Description: Unique Ads is a web-based banner ad application. It is
vulnerable to an SQL injection issue due to insufficient sanitization
of user-supplied input to the "bid" parameter of the "banner.php"
script. Unique Ads version 1 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/457667
______________________________________________________________________

07.5.60 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP-Nuke Multiple SQL Injection Vulnerabilities
Description: PHP-Nuke is a web forum. It is prone to multiple SQL
injection vulnerabilities because it fails to sufficiently sanitize
user-supplied data to unspecified parameters of the "advertising",
"weblinks" and "reviews" sections. PHP-Nuke version 7.9 is vulnerable
and other versions may also be affected.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
______________________________________________________________________

07.5.61 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Joomla CMS Multiple SQL Injection Vulnerabilities
Description: Joomla CMS is a web-based content management system. It
is prone to multiple SQL injection issues because the application
fails to properly sanitize user-supplied input to various parameters
before using it in an SQL query. Joomla CMS version 1.5.0 beta is
vulnerable and other versions may also be affected.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
______________________________________________________________________

07.5.62 CVE: Not Available
Platform: Web Application
Title: CGI Rescue WebForm Multiple Input Validation Vulnerabilities
Description: CGI Rescue WebForm is a web-based application. It is
vulnerable to multiple input validation issues due to insufficient
sanitization of user-supplied input to various scripts. CGI Rescue
WebForm versions 4.3 and earlier are vulnerable.
Ref: http://www.securityfocus.com/bid/22243
______________________________________________________________________

07.5.63 CVE: Not Available
Platform: Web Application
Title: High5 Review Script Search Field HTML Injection
Description: High5 Review Script is a review and rating application.
It is vulnerable to an HTML injection issue due to insufficient
sanitization of user-supplied input to the search field of the
"index.php" script. All versions are vulnerable.
Ref: http://www.securityfocus.com/archive/1/458122
______________________________________________________________________

07.5.64 CVE: Not Available
Platform: Web Application
Title: Virtual Path PHPBB Module Configure.PHP Remote File Include
Description: Virtual Path is a module for phpBB that makes the path
(link) shorter and easier to remember. It is prone to a remote file
include vulnerability because it fails to sufficiently sanitize
user-supplied input to the "phpbb_root_path" parameter of the
"vp/configure.php" script before using it in an "include()" call.
Virtual Path version 1.0 is vulnerable and other versions may also be
affected.
Ref: http://www.securityfocus.com/bid/22241
______________________________________________________________________

07.5.65 CVE: Not Available
Platform: Web Application
Title: Digitalxero Xero Portal PHPBB_Root_Path Multiple Remote File
Include Vulnerabilities
Description: Xero Portal is a web-based portal application. It is
prone to multiple remote file include vulnerabilities because it fails
to sufficiently sanitize user-supplied input to the "phpbb_root_path"
parameter of the various scripts. Xero Portal version 1.2 is
vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/22227
______________________________________________________________________

07.5.66 CVE: Not Available
Platform: Web Application
Title: Drupal Project and Project Issues Tracking Modules Multiple
Vulnerabilities
Description: Drupal "project" and "project issue tracking" modules are
project management modules for the Drupal content management system.
The applications are vulnerable to multiple vulnerabilities. Please
see the advisory for further information.
Ref: http://www.securityfocus.com/bid/22224
______________________________________________________________________

07.5.67 CVE: Not Available
Platform: Web Application
Title: Community Server Pingback SourceURI Denial of Service and
Information Disclosure
Description: Community Server is a web-based blogging application. It
is vulnerable to multiple issues due to its Pingback and XML-RPC
implementation. Community Server versions 2.1 and earlier are
vulnerable.
Ref: http://www.securityfocus.com/archive/1/457999
______________________________________________________________________

07.5.68 CVE: Not Available
Platform: Web Application
Title: AWFFull Unspecified Multiple Buffer Overflow Vulnerabilities
Description: AWFFull is a web-based web server log analysis tool. It
is affected by multiple buffer overflow issues due to insufficient
sanitization of user-supplied input. AWFFull versions 3.7.1 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/22215
______________________________________________________________________

07.5.69 CVE: Not Available
Platform: Web Application
Title: Virtual Host Administrator Modules_Dir Remote File Include
Description: Virtual Host Administrator is a web-based control panel.
It is prone to a remote file include vulnerability due to insufficient
input sanitization of the "MODULES_DIR" parameter of
"modules/mail/main.php". Version 0.1 is reportedly vulnerable.
Ref: http://www.securityfocus.com/bid/22218
______________________________________________________________________

07.5.70 CVE: Not Available
Platform: Web Application
Title: Wordpress Pingback SourceURI Denial of Service and Information
Disclosure
Description: Wordpress is a blogging application. It is exposed to a
denial of service vulnerability because the application fails
to verify the "Content-Type" of incoming data and fails to limit the
amount of data retrieved. It is also prone to an information
disclosure vulnerability because the application fails to authenticate
the "sourceURI" in Pingback requests. Wordpress versions prior to 2.1
are vulnerable.
Ref: http://www.securityfocus.com/bid/22220
______________________________________________________________________

07.5.71 CVE: Not Available
Platform: Web Application
Title: RPW Config.PHP Remote File Include
Description: RPW is a web-based menu system module for phpBB. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "sql_language" parameter of
the "config.php" script. RPW version 1.0.2 is vulnerable.
Ref: http://www.milw0rm.com/exploits/3185
______________________________________________________________________

07.5.72 CVE: Not Available
Platform: Web Application
Title: phpXD Path Remote File Include
Description: phpXD is an XML DOM implementation for PHP4. It is
vulnerable to a remote file include issue due to insufficient
sanitization of user-supplied input to the "path" parameter. phpXD
version 0.3 is vulnerable.
Ref: http://www.securityfocus.com/bid/22201
______________________________________________________________________

07.5.73 CVE: Not Available
Platform: Web Application
Title: MyBB Private.PHP HTML Injection
Description: MyBB is a bulletin board application. It is exposed to an
HTML injection issue because it fails to properly sanitize
user-supplied input before using it in the "Subject" field of the
"private.php" script. MyBB versions 1.2.2 and earlier are affected.
Ref: http://www.securityfocus.com/bid/22205
______________________________________________________________________

07.5.74 CVE: Not Available
Platform: Web Application
Title: MaklerPlus Multiple Unspecified Vulnerabilities
Description: MaklerPlus is a web-based real estate application. It is
prone to multiple unspecified vulnerabilities. Versions prior to 1.2
are reportedly vulnerable.
Ref: http://www.securityfocus.com/bid/22206
______________________________________________________________________

07.5.75 CVE: Not Available
Platform: Web Application
Title: Mini Web Server Unspecified Multiple Buffer Overflow
Vulnerabilities
Description: Mini Web Server is a small web server application designed
to be embedded into other applications. It is vulnerable to multiple
buffer overflow issues when processing unspecified HTTP requests. Mini
Web Server versions 0.04 and earlier are vulnerable.
Ref:
http://sourceforge.net/project/shownotes.php?release_id=479480&group_id=187000
______________________________________________________________________

07.5.76 CVE: Not Available
Platform: Web Application
Title: BBClone Selectlang.PHP Remote File Include
Description: BBClone is a web-based counter application. It is prone
to a remote file include vulnerability because it fails to
sufficiently sanitize user-supplied input to the "BBC_LANGUAGE_PATH"
parameter of the "selectlang.php" script. BBClone version 0.31 is
vulnerable.
Ref: http://www.securityfocus.com/bid/22197
______________________________________________________________________

07.5.77 CVE: Not Available
Platform: Web Application
Title: Yana Framework Guestbook Unspecified Security Bypass
Description: Yana Framework is a freely-available guestbook
application. It is affected by a security bypass issue. Yana Framework
version 2.8.5 is affected.
Ref: http://www.securityfocus.com/bid/22178
______________________________________________________________________

07.5.78 CVE: Not Available
Platform: Web Application
Title: Vote! Pro Multiple PHP Code Execution Vulnerabilities
Description: Vote! Pro is a web-based voting application. It is
vulnerable to multiple arbitrary PHP code execution issues due to
insufficient sanitization of user-supplied input to various
parameters. Vote! Pro version 4.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/22187
______________________________________________________________________

07.5.79 CVE: Not Available
Platform: Web Application
Title: PHP Link Directory Link Submission HTML Injection
Description: PHP Link Directory is a link directory application
implemented in PHP. It is prone to an HTML injection vulnerability that
occurs when an attacker entices an unsuspecting administrator to
validate a specially crafted link. Versions 3.0.6 and prior are
reportedly vulnerable.
Ref: http://www.securityfocus.com/bid/22174
______________________________________________________________________

07.5.80 CVE: Not Available
Platform: Web Application
Title: Zomp Index.PHP Local File Include
Description: Zomp is a web-based application. It is vulnerable to a
local file include issue because it fails to properly sanitize
user-supplied input to the "setting[skin]" parameter of the
"theme/default/index.php" script. All versions of Zomp are vulnerable.
Ref: http://www.securityfocus.com/bid/22157
______________________________________________________________________

07.5.81 CVE: Not Available
Platform: Web Application
Title: PHPIndexPage Config.PHP Remote File Include
Description: PHPIndexPage is a web-based application. It is vulnerable
to a remote file include issue due to insufficient sanitization of
user-supplied input to the "env[inc_path]" parameter of the
"config.php" script. PHPIndexPage versions 1.0 and 1.0.1 are
vulnerable.
Ref: http://www.securityfocus.com/bid/22161/info
______________________________________________________________________

07.5.82 CVE: Not Available
Platform: Web Application
Title: Neon Labs Website NL.PHP Remote File Include
Description: Neon Labs Website is a library of PHP modules and
classes. Insufficient sanitization of the "g_strRootDir" parameter in
the "lib/nl/nl.php" script exposes the application to a remote file
include issue. Neon Labs Website version 3.2 is affected.
Ref: http://www.securityfocus.com/bid/22162
______________________________________________________________________

07.5.83 CVE: Not Available
Platform: Web Application
Title: XMB MemCP.PHP HTML Injection
Description: XMB is an instant messaging application, implemented in
PHP. It is prone to an HTML injection vulnerability due to
insufficient input sanitization of the "recipient" field when
submitting a new message on the "memcp.php" page. Versions 1.9.6 and
prior are reportedly vulnerable.
Ref: http://www.securityfocus.com/bid/22163
______________________________________________________________________

07.5.84 CVE: Not Available
Platform: Web Application
Title: PHPSherpa Racine Parameter Remote File Include
Description: PhpSherpa is a web-based portal application. Insufficient
sanitization of the "racine" parameter passed to the "include()"
function in "config.inc.php" exposes the application to a remote file
include issue.
Ref: http://www.securityfocus.com/bid/22156
______________________________________________________________________

07.5.85 CVE: Not Available
Platform: Web Application
Title: Upload Service Remote File Include
Description: Upload Service is a web-based application to upload
files. It is vulnerable to a remote file include issue due to
insufficient sanitization of user-supplied input to the "maindir"
parameter of the "top.php" script. Upload Service version 1.0 is
vulnerable.
Ref: http://www.securityfocus.com/bid/22150
______________________________________________________________________

07.5.86 CVE: Not Available
Platform: Web Application
Title: Mafia Scum Tools Index.PHP Remote File Include
Description: Mafia Scum Tools is an application to generate numbers.
The application is prone to a remote file include vulnerability
because it fails to properly sanitize user-supplied input to the "gen"
variable of the "index.php" script. Mafia Scum Tools version 2.0.0 is
affected.
Ref: http://www.securityfocus.com/bid/22151
______________________________________________________________________

07.5.87 CVE: Not Available
Platform: Web Application
Title: WebChat Remote File Include
Description: WebChat is a chat application. It is exposed to a remote
file include vulnerability because it fails to properly sanitize
user-supplied input to the "WEBCHATPATH" parameter of "defines.php".
WebChat version 0.77 is reportedly vulnerable.
Ref: http://www.securityfocus.com/bid/22153
______________________________________________________________________

07.5.88 CVE: Not Available
Platform: Web Application
Title: Bradabra Includes.PHP Remote File Include
Description: Bradabra is a web-based application. It is vulnerable to
a remote file include issue due to insufficient sanitization of
user-supplied input to the "include_path" parameter of the
"includes.php" script. Bradabra version 2.0.5 is vulnerable.
Ref: http://www.securityfocus.com/bid/22155
______________________________________________________________________

07.5.89 CVE: Not Available
Platform: Web Application
Title: Easebay Resources Paypal Subscription Manager Multiple Input
Validation Vulnerabilities
Description: Easebay Resources Paypal Subscription Manager is a
payment system for online subscriptions. It is prone to an SQL
injection vulnerability in the "keyword" parameter of the
"memberlist.php" script and a cross-site scripting vulnerability in
the "Admin" parameter of the "edit_member.php" script.
Ref: http://www.securityfocus.com/bid/22141
______________________________________________________________________

07.5.90 CVE: CVE-2007-0401,CVE-2007-0400
Platform: Web Application
Title: Easebay Resources Login Manager Multiple Input Validation
Vulnerabilities
Description: Easebay Resources Login Manager is a web site management
system. It is vulnerable to multiple input validation issues due to
insufficient sanitization of user-supplied input to various
parameters. All versions are vulnerable.
Ref: http://www.securityfocus.com/archive/1/457505
______________________________________________________________________

07.5.91 CVE: Not Available
Platform: Web Application
Title: SMF Index.PHP HTML Injection
Description: Simple Machines Forum (SMF) is an open source web forum.
It is exposed to an HTML injection vulnerability because it fails to
properly sanitize user-supplied input to the "recipient" and "BCC"
fields of the "index.php" page before using it in dynamically
generated content. SMF version 1.1 RC3 is affected.
Ref: http://www.securityfocus.com/bid/22143
______________________________________________________________________

07.5.92 CVE: Not Available
Platform: Web Application
Title: DocMan Multiple Input Validation Vulnerabilities
Description: DocMan is a web-based document manager application for
the Joomla content management system. It is exposed to multiple
unspecified SQL injection validation vulnerabilities and an
unspecified cross-site scripting vulnerability because it fails to
sufficiently sanitize user-supplied input. DocMan version 1.3 RC2 is
vulnerable and other versions may also be affected.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
______________________________________________________________________

07.5.93 CVE: Not Available
Platform: Web Application
Title: ArsDigita Community System Directory Traversal
Description: ArsDigita Community System is a web-based collaboration
application. Insufficient sanitization of the "../" directory
traversal sequence in user-supplied input exposes the application to a
directory traversal issue.
Ref: http://www.securityfocus.com/bid/22121
______________________________________________________________________

07.5.94 CVE: CVE-2007-0376
Platform: Web Application
Title: VirtueMart Joomla ECommerce Edition Multiple Unspecified Input
Validation Vulnerabilities
Description: VirtueMart is an ecommerce application, and Joomla
eCommerce Edition is a content manager. VirtueMart Joomla eCommerce
Edition is vulnerable to multiple input validation issues due to
insufficient sanitization of user-supplied input to various scripts.
Version 1.0.7 is vulnerable.
Ref:
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0355.html
______________________________________________________________________

07.5.95 CVE: Not Available
Platform: Web Application
Title: WebGUI Registration Username HTML Injection
Description: WebGUI is a content manager. Insufficient sanitization of
the "username" parameter on the registration page exposes the
application to an HTML injection issue. WebGUI versions prior to 7.3.5
beta are vulnerable.
Ref: http://www.securityfocus.com/bid/22114
______________________________________________________________________

07.5.96 CVE: Not Available
Platform: Network Device
Title: Cisco IOS IPv6 Source Routing Remote Memory Corruption
Description: Cisco IOS is prone to a remote memory corruption
vulnerability. This issue is due to a failure of the software to
properly handle IPv6 packets containing specially crafted type 0
routing headers.
Ref:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
______________________________________________________________________

07.5.97 CVE: Not Available
Platform: Network Device
Title: Cisco Multiple Devices Crafted IP Option Multiple Remote Code
Execution Vulnerabilities
Description: Cisco IOS and Cisco IOS XR are network communications
operating systems used in many Cisco routers and network switches.
Multiple Cisco switches and routers running Cisco IOS and Cisco IOS XR
are prone to multiple remote denial of service and code execution
vulnerabilities. Please see the advisory for further information.
Ref:
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb157.shtml
______________________________________________________________________

07.5.98 CVE: Not Available
Platform: Network Device
Title: AVM FRITZ!Box VoIP Remote Denial of Service
Description: FRITZ!Box is a wireless DSL modem and router. A
zero-length UDP packet sent to the SIP port 5060 of the device through
the IP interface or the DSL line causes the VoIP-telephony service to
crash.
Ref: http://www.securityfocus.com/bid/22130
______________________________________________________________________

07.5.99 CVE: CVE-2007-0397
Platform: Network Device
Title: Cisco SSL/TLS Certificate and SSH Public Key Validation
Description: Cisco Security Monitoring, Analysis and Response System
(CS-MARS) and Cisco Adaptive Security Device Manager (ASDM) are
security management systems that correlate and analyze data in event
logs received from various network devices. Neither validates the
SSL/TLS certificates or SSH public keys when connecting to devices,
which allows remote attackers to spoof those devices to obtain
sensitive information or generate incorrect information. See the
advisory for further details.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070118-certs.shtml
______________________________________________________________________

07.5.100 CVE: Not Available
Platform: Hardware
Title: Multiple VOIP Phones Aredfox PA168 Chipset Session Hijacking
Description: Aredfox PA168 is a programmable chip for VoIP based
devices. Multiple VoIP phones using the Aredfox PA168 Chipset are
vulnerable to a session hijacking issue due to a design error. VoIP
phones using the Aredfox PA168 chipset with SIP Firmware versions
V1.42 and 1.54 are vulnerable.
Ref: http://www.securityfocus.com/bid/22191
______________________________________________________________________

07.5.101 CVE: Not Available
Platform: Hardware
Title: T-Com Speedport 500V 'LogInKey' Cookie Parameter Authentication
Bypass
Description: T-Com Speedport 500V is a DSL modem and router. It is
exposed to a vulnerability which allows attackers to bypass the
firmware's authentication mechanism by providing a cookie with a
"LOGINKEY" parameter and a value of "TECOM". T-Com Speedport 500V with
Firmware version 1.31 is vulnerable and other versions may also be
affected.
Ref: http://www.securityfocus.com/bid/22160
______________________________________________________________________

(c) 2007. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.
