RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 8

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Mon Feb 19 2007 - 15:47:20 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This report contains so many critical vulnerabilities in Microsoft
Windows and Microsoft Office that readers might well miss the notices
of important vulnerabilities in Apple Mac OS, in two Cisco security
products, in PHP, HP-UX and even in a popular BitTorrent client.

                                    Alan
*************************************************************************
            RISK: The Consensus Security Vulnerability Alert
February 19, 2007 Vol. 6. Week 8
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus

Platform Number of Updates and Vulnerabilities
------------------------ -------------------------------------
Windows (#1, #4, #5, #6, #7, #8, #9, #13)
Microsoft Office 5 (#2, #3)
Other Microsoft Products 9
Third Party Windows Apps 5
Apple 2 (#10)
Linux 3
Solaris 2
AIX 1
Unix 2 (#12)
Cross Platform 8 (#14)
Web Application - XSS 10
Web Application - SQL Injection 5
Web Application 27 (#11)
Network Device 1 (#15, #16)
Hardware 3

***************** Sponsored By Fiberlink Communications *****************

Mobile Preparedness for Business Continuity. Are you prepared to turn
office workers into mobile workers during times of crisis? Does your
plan consider complete endpoint security and easy-to-use network
connectivity for all users? This whitepaper discusses steps you should
take to ensure protection and productivity during an emergency.
http://www.sans.org/info/3591
*************************************************************************
Announcing SANS 2007 in San Diego Mar 29-April 6
More than 50 immersion courses plus a big expo all on the ocean.
Why SANS? "I have attended courses by several of SANS rivals, and SANS
blew them away." (Alton Thompson, US Marines).
http://www.sans.org/sans2007/event.php
*************************************************************************

Table of Contents

Part I - Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Microsoft Data Access Components Buffer Overflow (MS07-009)
(2) CRITICAL: Microsoft Office Multiple Vulnerabilities (MS07-015)
(3) CRITICAL: Microsoft Word Multiple Vulnerabilities (MS07-014)
(4) CRITICAL: Microsoft HTML Help ActiveX Control Code Execution Vulnerability (MS07-008)
(5) CRITICAL: Microsoft Malware Protection Engine Integer Overflow (MS07-010)
(6) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS07-016)
(7) HIGH: Microsoft OLE Dialog Memory Corruption (MS07-011)
(8) HIGH: Microsoft MFC Memory Corruption (MS07-012)
(9) HIGH: Microsoft RichEdit Memory Corruption (MS07-012)
(10) HIGH: Apple Mac OS X Multiple Vulnerabilities (Apple Security Update 2007-002)
(11) MODERATE: PHP Multiple Vulnerabilities

Other Software
(12) CRITICAL: HP-UX SLSd Arbitrary File Creation Vulnerability
(13) HIGH: Microsoft Interactive Training Buffer Overflow (MS07-005)
(14) HIGH: uTorrent Buffer Overflow
(15) HIGH: Cisco Intrusion Prevention System Multiple Vulnerabilities
(16) MODERATE: Cisco Firewall Services Module Multiple Vulnerabilities

Patches
(17) PATCH: Sun Solaris/SunOS Telnet Daemon Authentication Bypass Vulnerability

*************************** Sponsored Link: ***************************

1) The SANS Encryption Summit, April 23-25, provides concrete,
actionable information you can deploy as soon as you return to work.
http://www.sans.org/info/3596
*************************************************************************

Part II - Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Windows
07.8.1 - Trend Micro OfficeScan Client ActiveX Control Remote Buffer Overflow
07.8.2 - Comodo Firewall Flawed Component Control Cryptographic Hash
07.8.3 - MailEnable SMTP NTLM Authentication Unspecified Denial of Service
07.8.4 - MailEnable Web Mail Client Multiple HTML Injection and Cross-Site Scripting Vulnerabilities
07.8.5 - ActSoft DVD-Tools DVDTools.OCX ActiveX Control Remote Buffer Overflow
07.8.6 - Microsoft Windows Shell Hardware Detection Service Privilege Escalation
07.8.7 - iTinySoft Studio Total Video Player M3U Playlist Buffer Overflow
07.8.8 - Microsoft Windows Image Acquisition Service Privilege Escalation
07.8.9 - Microsoft Windows OLE Dialog Remote Code Execution
 -- Microsoft Office
07.8.10 - Microsoft Word 2000/2002 Remote Code Execution
07.8.11 - Microsoft Excel Remote Denial of Service
07.8.12 - Microsoft Word Macro Permissions Bypass Arbitrary Code Execution
07.8.13 - Microsoft Word Malformed Drawing Object Arbitrary Code Execution
07.8.14 - Microsoft Office and Microsoft Windows RichEdit Component Remote Code Execution
 -- Other Microsoft Products
07.8.15 - Microsoft Internet Explorer IMJPCKSI COM Object Instantiation Memory Corruption
07.8.16 - Microsoft Internet Explorer FTP Server Response Parsing Memory Corruption
07.8.17 - Microsoft Internet Explorer COM Object Instantiation Variant Memory Corruption
07.8.18 - Microsoft Step by Step Interactive Training Buffer Overflow
07.8.19 - Microsoft MFC Embedded OLE Object Remote Code Execution
07.8.20 - Microsoft HTML Help ActiveX Control Remote Code Execution
07.8.21 - Microsoft Antivirus Engine Integer Overflow
07.8.22 - Microsoft Internet Explorer JavaScript Key Filtering Variant
07.8.23 - Microsoft Internet Explorer for Windows Mobile Remote WML Content Denial of Service
 -- Third Party Windows Apps
07.8.24 - Mozilla Firefox Location.Hostname Dom Property Cookie Theft
07.8.25 - uTorrent Torrent File Handling Remote Heap Buffer Overflow
07.8.26 - Mozilla Firefox JavaScript Key Filtering Variant
07.8.27 - Roaring Penguin Software MIMEDefang Unspecified Remote Buffer Overflow
07.8.28 - SmidgeonSoft PEBrowse Remote Buffer Overflow
 -- Linux
07.8.29 - HP Serviceguard for Linux Unspecified Remote Unauthorized Access
07.8.30 - Linux Kernel Key_Alloc_Serial() Local Denial of Service
07.8.31 - March Networks Digital Video Recorders Unspecified Denial of Service
 -- Solaris
07.8.32 - Sun Solaris TCP Subsystem Remote Denial of Service
07.8.33 - Sun Solaris Telnet Remote Authentication Bypass
 -- Aix
07.8.34 - IBM AIX SWCONS Buffer Overflow
 -- Unix
07.8.35 - HP-UX ARPA Transport Software Unspecified Local Denial of Service
07.8.36 - HP-UX SLSD Remote Arbitrary File Creation
 -- Cross Platform
07.8.37 - ClamAV MIME Header ID Parameter String Directory Traversal
07.8.38 - SpamAssassin Long URI Handling Remote Denial of Service
07.8.39 - ClamAV CAB File Remote Denial of Service
07.8.40 - Amarok Magnature Shell Command Injection
07.8.41 - LizardTech DjVu Browser Plug-in Multiple Buffer Overflow Vulnerabilities
07.8.42 - MiniWebSVR Multiple Request Remote Denial of Service
07.8.43 - MoinMoin Multiple Cross-Site Scripting Vulnerabilities
07.8.44 - MoinMoin Multiple Cross-Site Scripting Vulnerabilities
 -- Web Application - Cross Site Scripting
07.8.45 - Deskpro Faq.PHP Cross-Site Scripting
07.8.46 - Calendar Express Search.PHP Cross-Site Scripting
07.8.47 - Adobe ColdFusion Unspecified Cross-Site Scripting
07.8.48 - Adobe JRun Administrator Console Cross-Site Scripting
07.8.49 - Wordpress Templates.PHP Cross-Site Scripting
07.8.50 - TaskFreak! Error.PHP Cross-Site Scripting
07.8.51 - JBoss Portal Noproject Portal Cross-Site Scripting
07.8.52 - Community Server SearchResults.ASPX Cross-Site Scripting
07.8.53 - Atlassian JIRA BrowseProject.JSPA Cross-Site Scripting
07.8.54 - Qdig QWD Variable Cross-Site Scripting
 -- Web Application - SQL Injection
07.8.55 - CodeAvalanche News Inc_Listnews.ASP SQL Injection
07.8.56 - ibProArcade Arcade.PHP SQL Injection
07.8.57 - PollMentor Pollmentorres.ASP SQL Injection
07.8.58 - phpCC Nickpage.PHP SQL Injection
07.8.59 - Philboard Philboard_forum.ASP SQL Injection
 -- Web Application
07.8.60 - EasyMail Objects Connect Method Remote Stack Buffer Overflow
07.8.61 - LifeType Unspecified Parameter Handling Information Disclosure
07.8.62 - nabopoll Survey.Inc.PHP Remote File Include
07.8.63 - ZebraFeeds Multiple Remote File Include Vulnerabilities
07.8.64 - Webapp.Org Webapp Multiple Remote Vulnerabilities
07.8.65 - Jupiter CMS Multiple Scripts Multiple Input Validation Vulnerabilities
07.8.66 - WebTester Multiple Input Validation Vulnerabilities
07.8.67 - AT Contenator Nav.PHP Remote File Include
07.8.68 - Fullaspsite Shop Listmain.ASP Multiple Input Validation Vulnerabilities
07.8.69 - Mail Search.HTML HTML Injection
07.8.70 - Radical Technologies Portal Search Multiple Input Validation Vulnerabilities
07.8.71 - Virtual Calendar Multiple Cross-Site Scripting Vulnerabilities
07.8.72 - Apache Stats Extract Function Multiple Input Validation Vulnerabilities
07.8.73 - phpMyVisites Multiple Input Validation Vulnerabilities
07.8.74 - TagIt! TagBoard Multiple Remote File Include Vulnerabilities
07.8.75 - php rrd Browser 'p' Parameter Directory Traversal
07.8.76 - phpPolls phpPollAdmin.PHP3 Administrative Authentication Bypass
07.8.77 - IP3 NetAccess Directory Traversal
07.8.78 - PHP 'str_ireplace' Remote Denial of Service
07.8.79 - McRefer Administrative Authentication Bypass
07.8.80 - Allons_voter Administrative Authentication Bypass
07.8.81 - Nabopoll Administrative Authentication Bypass
07.8.82 - OPENi-CMS Plugin Remote File Include
07.8.83 - Plain Old Webserver Firefox Extension Directory Traversal
07.8.84 - PHP Versions 5.2.0 and Prior Multiple Vulnerabilities
07.8.85 - Kiwi CatTools TFTP Directory Traversal
07.8.86 - eXtreme File Hosting Arbitrary RAR File Upload
 -- Network Device
07.8.87 - Cisco IOS Intrusion Prevention System Multiple Vulnerabilities
 -- Hardware
07.8.88 - Cisco Multiple Products Multiple Remote Denial of Service Vulnerabilities
07.8.89 - Cisco PIX/ASA Privilege Escalation
07.8.90 - Palm OS Treo Find Feature Information Disclosure
***********************************************************************

PART I - Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar
at TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process

******************************
Widely-Deployed Software
******************************

(1) CRITICAL: Microsoft Data Access Components Buffer Overflow (MS07-009)
Affected:
Microsoft Windows 2000/XP/2003

Description: The Microsoft Data Access Components (MDAC) is used to
access databases and other data storage systems, and is installed by
default on Microsoft Windows. The "ADODB.Connection" ActiveX control,
installed as part of MDAC, contains a buffer overflow vulnerability. A
web page that instantiates this control could exploit this overflow and
execute arbitrary code with the privileges of the current user.
Technical details and a working exploit for this vulnerability are
publicly available. Additionally, exploit code targeting arbitrary
ActiveX controls is widely available and easily adaptable to take
advantage of this vulnerability. Other vulnerabilities in MDAC have been
widely exploited in the past.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/ms07-009.mspx
SANS ISC Microsoft Analysis
http://isc.sans.org/diary.html?storyid=2232
Proof of Concept
http://www.securityfocus.com/data/vulnerabilities/exploits/20704.txt
Microsoft Security Response Center Blog Posting
http://www.securityfocus.com/data/vulnerabilities/exploits/20704.txt
SecurityFocus BID
http://www.securityfocus.com/bid/20704

****************************************************************

(2) CRITICAL: Microsoft Office Multiple Vulnerabilities (MS07-015)
Affected:
Microsoft Office 2000/XP/2003
Microsoft Project 2000/2002
Microsoft Visio 2002
Microsoft Office 2004 for Mac

Description: Microsoft Office contains multiple vulnerabilities:
(1) A specially-crafted Microsoft PowerPoint file could trigger an
invalid memory access and execute arbitrary code with the privileges of
the current user. This vulnerability was originally discussed in
Microsoft Security Bulletins MS06-062 and MS06-058, but the fix provided
in those bulletins was not effective.
(2) A specially-crafted Microsoft Excel file could trigger an invalid
memory access and execute arbitrary code with the privileges of the
current user. It is believed that this vulnerability is related to
MS07-014. This vulnerability is known to be attacked by at least two
viruses, the "Trojan.Mdropper.Y" and "Exploit-MSExcel.h" viruses.

Note that the vulnerable file types are not opened without prompting in
any version of Microsoft Office after Office 2000. Both of these issues
were discussed previously in RISK. Both of these vulnerabilities have
been previously publicly disclosed, and are therefore greater targets
for exploitation.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS07-015.mspx
Symantec Writeup ("Trojan.Mdropper.Y")
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-020717-0252-99
Previous RISK Entries
http://www.sans.org/newsletters/risk/display.php?v=5&i=41#widely5
http://www.sans.org/newsletters/risk/display.php?v=6&i=6#widely1
SecurityFocus BIDs
http://www.securityfocus.com/bid/20325
http://www.securityfocus.com/bid/22383

****************************************************************

(3) CRITICAL: Microsoft Word Multiple Vulnerabilities (MS07-014)
Affected:
Microsoft Word 2000/2002/2003
Microsoft Works Suite 2004/2005/2006
Microsoft Office 2004 for Mac

Description: Microsoft Word contains multiple memory corruption
vulnerabilities that arise from the way Word parses documents containing
data structures such as drawing objects, strings etc. In addition,
certain specially crafted Word files containing macros will execute
those macros without any user prompting. These vulnerabilities can
result in arbitrary code execution with the privileges of the current
user. Several working exploits and proofs-of-concept are publicly
available, and some of these flaws were being actively exploited
prior to the announcement of this bulletin. Two of these
vulnerabilities are being exploited by the "Trojan.Mdropper.X" and
"Trojan.Mdropper.Y" viruses.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx
Proofs of Concept (Word documents)
http://returnaddr.org/exploit/word2000/
http://www.securityfocus.com/data/vulnerabilities/exploits/12122006-djtest.doc
Symantec Writeup ("Trojan.Mdropper.X" and "Trojan.Mdropper.Y")
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-020717-0252-99
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-013010-5422-99
Microsoft Security Response Center Blog Posting (discusses active exploitation of some flaws)
http://blogs.technet.com/msrc/archive/2006/12/15/update-on-current-word-vulnerability-reports.aspx
Posting by Juha-Matti Laurio
http://www.securityfocus.com/archive/1/454093
Previous RISK Entries
http://www.sans.org/newsletters/risk/display.php?v=6&i=6#widely1
http://www.sans.org/newsletters/risk/display.php?v=5&i=49#widely1
SecurityFocus BIDs
http://www.securityfocus.com/bid/22567
http://www.securityfocus.com/bid/22225
http://www.securityfocus.com/bid/22383
http://www.securityfocus.com/bid/22482
http://www.securityfocus.com/bid/21451
http://www.securityfocus.com/bid/21589
http://www.securityfocus.com/bid/21518
http://www.securityfocus.com/bid/22477

***************************************************************

(4) CRITICAL: Microsoft HTML Help ActiveX Control Code Execution Vulnerability (MS07-008)
Affected:
Microsoft Windows 2000/XP/2003

Description: Microsoft HTML Help is Microsoft's standard format for help
documents. The Microsoft HTML Help ActiveX control, used to view these
documents, contains a buffer overflow vulnerability. A web page that
instantiates this control could trigger this overflow and execute
arbitrary code with the privileges of the current user. Full technical
details for this vulnerability are not believed to be publicly
available, but similar flaws have been widely exploited in the past.
Reusable exploit code targeting arbitrary ActiveX controls is widely
available and easily adaptable.

Status: Microsoft confirmed, updates available.

Council Site Actions:
All of the reporting council sites are responding to the Microsoft
issues in the same manner. They plan to distribute the patches during
their next regularly scheduled system maintenance window. Some sites
will use accelerated update pushes for higher criticality items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/ms07-008.mspx
SecurityFocus BID
http://www.securityfocus.com/bid/22478

****************************************************************

(5) CRITICAL: Microsoft Malware Protection Engine Integer Overflow (MS07-010)
Affected:
Microsoft Windows Live OneCare
Microsoft Antigen for Exchange and for SMTP Gateway versions 9.x
Microsoft Windows Defender
Microsoft Forefront Security

Description: The Microsoft Malware Protection Engine, used by various
Microsoft products to scan for and detect malware, contains an integer
overflow vulnerability. A specially-crafted Portable Document Format
(PDF) file could trigger this vulnerability and execute arbitrary code
with the privileges of the process accessing the document (typically
SYSTEM). In many cases (for example, email gateways that automatically
scan attachments), no user interaction is necessary to exploit this
vulnerability. Malicious documents could be delivered to vulnerable
systems via email, web, instant messaging, peer-to-peer file sharing,
etc.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/Bulletin/ms07-010.mspx
IBM X-Force Entry
https://www.it-isac.org/postings/cyber/alertdetail.php?id=4105&menutype=menupublic
SecurityFocus BID
http://www.securityfocus.com/bid/22479
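The engine flaw above is an integer overflow reached while scanning a PDF. The C program below is an added illustration of that bug class, not Microsoft's code and not the real PDF structure: it models a scanner that reads a declared record count from a constructed 8-byte header, shows how a 32-bit count times record-size product wraps to a small value, and shows the check that rejects such counts before any table is sized. The "SCAN" magic, the 16-byte record size and the header layout are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed container layout (assumption for this example, not the PDF
   format): 4-byte magic "SCAN", a little-endian 32-bit record count, then
   `count` records of RECORD_SIZE bytes each. */
#define HEADER_SIZE 8u
#define RECORD_SIZE 16u

/* Reads the declared record count from the constructed header. */
int read_declared_count(const unsigned char *buf, size_t len, uint32_t *count) {
    if (len < HEADER_SIZE || memcmp(buf, "SCAN", 4) != 0) return 0;
    *count = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8) |
             ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    return 1;
}

/* The careless computation: count * RECORD_SIZE in 32-bit arithmetic wraps
   silently, so a hostile count yields a tiny table size that the copy loop
   which trusts `count` would then overrun. */
uint32_t wrapping_table_bytes(uint32_t count) {
    return count * RECORD_SIZE;
}

/* The hardened computation: refuse any count whose product cannot be
   represented, apply a policy cap, then compare against the bytes that are
   actually present in the file. Only then is the size trustworthy. */
int checked_table_bytes(uint32_t count, size_t available,
                        uint32_t max_bytes, uint32_t *out) {
    if (count > UINT32_MAX / RECORD_SIZE) return 0;   /* product would wrap */
    uint32_t bytes = count * RECORD_SIZE;
    if (bytes > max_bytes) return 0;                   /* policy cap */
    if (bytes > available) return 0;                   /* file is too short */
    *out = bytes;
    return 1;
}

/* Returns 1 if the document passes the hardened size checks, 0 if rejected. */
int scan_document(const unsigned char *buf, size_t len, uint32_t max_bytes) {
    uint32_t count, bytes;
    if (!read_declared_count(buf, len, &count)) return 0;
    return checked_table_bytes(count, len - HEADER_SIZE, max_bytes, &bytes);
}

/* Writes a constructed header with the given count into out[HEADER_SIZE]. */
void build_header(unsigned char out[HEADER_SIZE], uint32_t count) {
    memcpy(out, "SCAN", 4);
    out[4] = (unsigned char)(count & 0xff);
    out[5] = (unsigned char)((count >> 8) & 0xff);
    out[6] = (unsigned char)((count >> 16) & 0xff);
    out[7] = (unsigned char)((count >> 24) & 0xff);
}

/* Constructed benign sample: 3 records, 48 bytes of record data follow. */
int benign_sample_accepted(void) {
    unsigned char doc[HEADER_SIZE + 3 * RECORD_SIZE] = {0};
    build_header(doc, 3);
    return scan_document(doc, sizeof doc, 1u << 20);
}

/* Constructed hostile sample: count 0x10000001, whose product with 16 wraps
   to 16, so the careless scanner would size the table for one record. */
int hostile_sample_accepted(void) {
    unsigned char doc[HEADER_SIZE + RECORD_SIZE] = {0};
    build_header(doc, 0x10000001u);
    return scan_document(doc, sizeof doc, 1u << 20);
}

int main(void) {
    printf("benign : wrapped size=%u accepted=%d\n",
           wrapping_table_bytes(3), benign_sample_accepted());
    printf("hostile: wrapped size=%u accepted=%d\n",
           wrapping_table_bytes(0x10000001u), hostile_sample_accepted());
    return 0;
}
```

The order of the three checks matters: the wrap test must come before the multiplication, and the comparison with the bytes actually present must use the already-validated product, otherwise the comparison itself is performed on a wrapped value and passes.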

****************************************************************

(6) CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities (MS07-016)
Affected:
Microsoft Windows 2000/XP/2003

Description: Microsoft Internet Explorer contains multiple vulnerabilities:
(1) Microsoft Internet Explorer contains a memory corruption
vulnerability when instantiating certain Component Object Model (COM)
objects. A web page that instantiates one of these vulnerable objects
could exploit this vulnerability and execute arbitrary code with the
privileges of the current user. Available exploit code can be easily
modified to attack the vulnerable objects.
(2) Microsoft Internet Explorer contains a memory corruption
vulnerability in the parsing of File Transfer Protocol (FTP) responses.
A malicious FTP server could trigger this vulnerability and execute
arbitrary code with the privileges of the current user. Though this
vulnerability affects Internet Explorer's FTP functionality, it can be
exploited just as other Internet Explorer vulnerabilities have been
exploited: a website that provides a link to the malicious FTP server
could exploit this vulnerability.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms07-016.mspx
SecurityFocus BIDs
http://www.securityfocus.com/bid/22486
http://www.securityfocus.com/bid/22504
http://www.securityfocus.com/bid/22489

****************************************************************

(7) HIGH: Microsoft OLE Dialog Memory Corruption (MS07-011)
Affected:
Microsoft Windows 2000/XP/2003

Description: The Microsoft Object Linking and Embedding (OLE) Dialog
component contains a memory corruption vulnerability. A
specially-crafted Rich Text Format (RTF) document that embeds an OLE
component could exploit this vulnerability and execute arbitrary code
with the privileges of the current user. The Microsoft security bulletin
says the user must interact with the embedded component to trigger the
vulnerability.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms07-011.mspx
Wikipedia Article on Object Linking and Embedding
http://en.wikipedia.org/wiki/Object_Linking_and_Embedding
Security Focus BID
http://www.securityfocus.com/bid/22483

****************************************************************

(8) HIGH: Microsoft MFC Memory Corruption (MS07-012)
Affected:
Microsoft Windows 2000/XP/2003
Microsoft Visual Studio .NET 2002/2003

Description: The Microsoft MFC component, shipped with Microsoft Windows
and Microsoft Visual Studio .NET, contains a memory corruption
vulnerability. A specially-crafted Rich Text Format (RTF) document that
embeds an Object Linking and Embedding (OLE) component could exploit
this vulnerability and execute arbitrary code with the privileges of the
current user. According to the security bulletin, the user must interact
with the embedded component to trigger the vulnerability. This issue is
believed to be related to MS07-011, above.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms07-012.mspx
Wikipedia Article on Object Linking and Embedding
http://en.wikipedia.org/wiki/Object_Linking_and_Embedding
Security Focus BID
http://www.securityfocus.com/bid/22476

****************************************************************

(9) HIGH: Microsoft RichEdit Memory Corruption (MS07-012)
Affected:
Microsoft Windows 2000/XP/2003

Description: The Microsoft RichEdit component contains a memory
corruption vulnerability. A specially-crafted Rich Text Format (RTF)
document that embeds an Object Linking and Embedding (OLE) component
could exploit this vulnerability and execute arbitrary code with the
privileges of the current user. According to the security bulletin, the
user must interact with the embedded component to trigger the
vulnerability. This issue is believed to be related to MS07-011, above.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms07-013.mspx
Wikipedia Article on Object Linking and Embedding
http://en.wikipedia.org/wiki/Object_Linking_and_Embedding
Security Focus BID
http://www.securityfocus.com/bid/21876

****************************************************************

(10) HIGH: Apple Mac OS X Multiple Vulnerabilities (Apple Security Update 2007-002)
Affected:
Apple Mac OS X version 10.4.8 and prior

Description: Apple Mac OS X contains multiple vulnerabilities:
(1) Finder, the main user interface for Mac OS X, contains flaws in the
processing of Disk Image files. These files store an embedded filesystem
and are used to transfer data and applications. A specially-crafted Disk
Image file could exploit these flaws and lead to arbitrary code
execution with the privileges of the current user or, potentially, the
kernel. Technical details and proofs-of-concept are publicly available
for these flaws. These flaws were discussed in a previous issue of
RISK.
(2) iChat, Apple's Instant Messaging client, contains a format string
vulnerability. A specially-crafted "aim://" URL could exploit this
vulnerability and lead to arbitrary code execution with the privileges
of the current user. Technical details and a proof-of-concept are
publicly available for this flaw. This flaw was discussed in a previous
issue of RISK.

Status: Apple confirmed, updates available.

Council Site Actions: Only one of the responding council sites is using
the affected software and they plan to distribute the update during
their next regularly scheduled system maintenance window.

References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=305102
Previous RISK Entries
http://www.sans.org/newsletters/risk/display.php?v=6&i=3#widely5
http://www.sans.org/newsletters/risk/display.php?v=6&i=5#widely7
Month of Apple Bugs Advisories
http://projects.info-pull.com/moab/MOAB-20-01-2007.html
http://projects.info-pull.com/moab/MOAB-09-01-2007.html
http://projects.info-pull.com/moab/MOAB-10-01-2007.html
Document by Kevin Finisterre
http://www.digitalmunition.com/DMA%5B2007-0109a%5D.txt
Wikipedia Article on Disk Images
http://en.wikipedia.org/wiki/.dmg
SecurityFocus BIDs
http://www.securityfocus.com/bid/21980
http://www.securityfocus.com/bid/21993
http://www.securityfocus.com/bid/22146

****************************************************************

(11) MODERATE: PHP Multiple Vulnerabilities
Affected:
PHP 5.x versions prior to 5.2.1
PHP 4.x versions prior to 4.4.5

Description: PHP contains multiple remotely-exploitable vulnerabilities.
Specially-crafted requests could trigger these vulnerabilities and
potentially lead to arbitrary code execution with the privileges of the
PHP process, arbitrary file overwrites, denials-of-service, and other
conditions. According to the PHP advisory, some of these vulnerabilities
are remotely exploitable. While no in-depth technical information has
been published, because PHP is open source, technical details can be
obtained via source code analysis.

Status: PHP confirmed, updates available. Versions 4.4.5 and 5.2.1
released to fix the flaws.

Council Site Actions:
Not officially in use here. Non-corporate users advised to update.

References:
PHP Update Announcement
http://www.php.net/releases/5_2_1.php
http://www.php.net/releases/4_4_5.php
SecurityFocus BID
http://www.securityfocus.com/bid/22496

*****************
Other Software
*****************

(12) CRITICAL: HP-UX SLSd Arbitrary File Creation Vulnerability
Affected:
HP HP-UX 11.11i and 10.20, and probably other versions.

Description: HP-UX, HP's UNIX-based operating system, contains a flaw
in its "SLSd_daemon" program. This program is used to provide
distributed access to graphics hardware. A specially-crafted request to
the RPC service provided by this program could allow an attacker to
write an arbitrary file to any location on the filesystem, with root
privileges. By overwriting certain files, an attacker could completely
compromise the vulnerable system. Some technical details for this
vulnerability are publicly available.

Status: HP confirmed, updates available.

Council Site Actions: Two of the responding council sites are using the
affected software. One site has SLSd disabled on all of their HP-UX
systems. The other will deploy the update during their next regularly
scheduled system maintenance cycle.

References:
HP Security Advisory
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00862809
iDefense Security Advisory
http://www.securityfocus.com/archive/1/460073/30/0/threaded
HP-UX Home Page
http://h20338.www2.hp.com/hpux11i/cache/324545-0-0-0-121.html
SecurityFocus BID
http://www.securityfocus.com/bid/22551

****************************************************************

(13) HIGH: Microsoft Interactive Training Buffer Overflow (MS07-005)
Affected:
Microsoft Step-by-Step Interactive Training

Description: Microsoft Step-by-Step Interactive Training, used to train
end users using a variety of methods, contains a buffer overflow
vulnerability. A specially-crafted bookmark file (a file used by the
Interactive Training system to store links to topics and other
information) could exploit this vulnerability. Successfully exploiting
this vulnerability would allow the attacker to execute arbitrary code
with the privileges of the current user. Note that, depending on the
configuration, bookmark files may be automatically opened without
prompting. Some technical details for this vulnerability are publicly
available.

Status: Microsoft confirmed, updates available.

Council Site Actions: All of the reporting council sites are responding
to the Microsoft issues in the same manner. They plan to distribute the
patches during their next regularly scheduled system maintenance window.
Some sites will use accelerated update pushes for higher criticality
items.

References:
Microsoft Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms07-005.mspx
Posting by Brett Moore (includes some technical details)
http://www.securityfocus.com/archive/1/460009
SecurityFocus BID
http://www.securityfocus.com/bid/22484

****************************************************************

(14) HIGH: uTorrent Buffer Overflow
Affected:
uTorrent version 1.6 and possibly prior

Description: uTorrent, a popular BitTorrent client, contains a buffer
overflow. A specially-crafted request could trigger this buffer overflow
and allow arbitrary code execution with the privileges of the vulnerable
process. Technical details and a working exploit are publicly available
for this vulnerability. Note that BitTorrent clients are often connected
to large numbers of other systems, and for long periods of time,
allowing for more opportunities for exploitation.

Status: uTorrent confirmed, updates available.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

References:
uTorrent Change Log
http://download.utorrent.com/1.6.1/utorrent-1.6.1.txt
Exploit
http://downloads.securityfocus.com/vulnerabilities/exploits/22533.c
Wikipedia Article on BitTorrent
http://en.wikipedia.org/wiki/BitTorrent
uTorrent Home Page
http://www.utorrent.com
SecurityFocus BID
http://www.securityfocus.com/bid/22530

****************************************************************

(15) HIGH: Cisco Intrusion Prevention System Multiple Vulnerabilities
Affected:
Cisco IOS Intrusion Prevention System (IPS) feature in Cisco IOS
versions 12.3 and 12.4
Note that, due to the large number of Cisco IOS releases with these
version numbers, users are advised to check the Cisco security advisory
for a full list of vulnerable versions.

Description: The Cisco IOS Intrusion Prevention System (IPS) feature
contains multiple vulnerabilities:
(1) Specially-crafted traffic sent as IP fragments could bypass
inspection by the IPS, potentially allowing malicious traffic to reach
vulnerable systems undetected. Users can mitigate the impact of this
vulnerability by dropping all fragmented IP traffic, though this has
potential implications for legitimate traffic and network performance.
(2) Specially-crafted traffic that exercises the regular expression
feature of the "ATOMIC.TCP" signature engine can cause the device to
reload, leading to a denial-of-service condition. Signatures that use
this engine and its regular expression feature are publicly known.

Status: Cisco confirmed, updates available.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

References:
Cisco Security Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml
Cisco Applied Intelligence Response
http://www.cisco.com/warp/public/707/cisco-air-20070213-iosips.shtml
SecurityFocus BID
http://www.securityfocus.com/bid/22549

****************************************************************

(16) MODERATE: Cisco Firewall Services Module Multiple Vulnerabilities
Affected:
Cisco Firewall Services Module in Cisco Catalyst 6500 series switch and
Cisco 7600 series routers

Description: The Cisco Firewall Services Module, an integrated firewall
module for Cisco Catalyst switches and Cisco routers, contains multiple
vulnerabilities:
(1) Specially-crafted HTTP traffic may cause a vulnerable device to
reload, leading to a denial-of-service condition. Note that the device
must be configured to perform enhanced HTTP request inspection to be
vulnerable.
(2) Specially-crafted Session Initiation Protocol (SIP) traffic may
cause a vulnerable device to reload, leading to a denial-of-service
condition. Note that the device must be configured to perform enhanced
SIP inspection. Depending on the version of the device, this inspection
may be enabled by default.
(3) Specially-crafted traffic destined directly for the Firewall
Services Module may cause the device to reload, leading to a
denial-of-service condition, if the device is configured to log
debugging messages.
(4) Specially-crafted HTTP or HTTPS traffic may cause a vulnerable
device to reload, leading to a denial-of-service condition if the device
is configured to perform "authentication for network access" and certain
authentication commands are part of the device's configuration.
(5) Specially-crafted HTTPS traffic destined directly for the Firewall
Services Module may cause the device to reload, leading to a
denial-of-service condition, if the device is configured to run its
internal HTTP server.

Status: Cisco confirmed, updates available.

Council Site Actions: The affected software and/or configuration are not
in production or widespread use, or are not officially supported at any
of the council sites. They reported that no action was necessary.

References:
Cisco Security Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20070214-fwsm.shtml
SecurityFocus BID
http://www.securityfocus.com/bid/22561

**********
Patches
**********

(17) PATCH: Sun Solaris/SunOS Telnet Daemon Authentication Bypass Vulnerability

Description: The Sun Solaris/SunOS telnet daemon vulnerability discussed
in last week's issue of RISK has been patched by Sun. Users are advised
to apply this patch as quickly as possible.

References:
Sun Security Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1
Previous RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=6&i=7#widely1

***********************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 8 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5378 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

07.8.1 CVE: Not Available
Platform: Windows
Title: Trend Micro OfficeScan Client ActiveX Control Remote Buffer
Overflow
Description: Trend Micro OfficeScan is an integrated enterprise-level
security product that protects against viruses, spyware, worms, and
blended threats. It is exposed to a remote buffer overflow issue because
the application fails to properly bounds check user-supplied data
before copying it into an insufficiently sized memory buffer. Trend
Micro OfficeScan Corporate Edition versions 7.0 and 7.3 are affected.
Ref:
http://www.trendmicro.com/ftp/documentation/readme/osce_70_win_en_securitypatch_1344_readme.txt
______________________________________________________________________

07.8.2 CVE: Not Available
Platform: Windows
Title: Comodo Firewall Flawed Component Control Cryptographic Hash
Description: Comodo Firewall is a personal firewall for Windows. Its
component control feature identifies trusted components (modules loaded
into applications that are allowed network access) by a weak hash
function. Because of this design error, a malicious DLL can be crafted
to produce the same hash as a trusted component and then injected into a
trusted process, bypassing the control. Comodo Firewall Pro versions
2.4.17.183 and 2.4.16.174, and Comodo Personal Firewall version
2.3.6.81 are affected.
Ref:
http://www.matousec.com/info/advisories/Comodo-DLL-injection-via-weak-hash-function-exploitation.php
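As an added illustration of why a component control built on a weak hash
can be defeated (example code written for this bulletin, not code from
Comodo or from the matousec advisory), the following Python uses CRC-32
as the stand-in weak checksum; that choice is an assumption made for the
example, and the advisory above is the authority on which hash Comodo
actually used. The two DLL images are constructed stand-ins. Because
CRC-32 is linear, four bytes appended to a rogue module are enough to
give it exactly the checksum recorded for the trusted module, so a check
that compares checksums accepts it, while the same check built on
SHA-256 does not.

```python
import hashlib
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), identical to the one
# zlib.crc32 uses, so the register can be stepped one byte at a time.
TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    TABLE.append(_c)

# The top byte of every table entry is distinct, so the table index used
# by a step can be recovered from the top byte of the register it produced.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
if len(REV) != 256:
    raise RuntimeError("CRC table top bytes are not unique")


def crc32(data: bytes) -> int:
    """Finalized CRC-32 of data (thin wrapper so callers need no zlib import)."""
    return zlib.crc32(data)


def _step(register: int, byte: int) -> int:
    """Advance the raw CRC-32 register by one input byte."""
    return TABLE[(register ^ byte) & 0xFF] ^ (register >> 8)


def forge_crc32(data: bytes, target: int) -> bytes:
    """Append four bytes to data so that crc32(result) == target.

    CRC-32 is linear over GF(2): any 32-bit value is reachable by appending
    four chosen bytes, so this is a direct computation, not a search.
    """
    register = zlib.crc32(data) ^ 0xFFFFFFFF   # raw register after data
    wanted = target ^ 0xFFFFFFFF                # raw register we must end on

    # Walk backwards from the wanted register to find the table index that
    # each of the four remaining steps has to hit.
    indices = []
    t = wanted
    for _ in range(4):
        i = REV[t >> 24]
        indices.append(i)
        t = ((t ^ TABLE[i]) << 8) & 0xFFFFFFFF
    indices.reverse()

    # Walk forwards, choosing each byte so that the step hits that index.
    suffix = bytearray()
    for i in indices:
        b = (register ^ i) & 0xFF
        suffix.append(b)
        register = _step(register, b)
    return data + bytes(suffix)


# Constructed stand-ins for a vendor DLL image and an attacker's DLL image
# (not real binaries).
TRUSTED_MODULE = b"MZ\x90\x00" + b"constructed stand-in for a trusted component"
ROGUE_MODULE = b"MZ\x90\x00" + b"constructed stand-in for an injected DLL"


def weak_component_check(trusted: bytes, candidate: bytes) -> bool:
    """Hypothetical control that trusts any module whose CRC-32 matches the
    value recorded for the genuine component (the flawed design)."""
    return zlib.crc32(candidate) == zlib.crc32(trusted)


def strong_component_check(trusted: bytes, candidate: bytes) -> bool:
    """The same control using a cryptographic hash: no cheap collision exists."""
    return hashlib.sha256(candidate).digest() == hashlib.sha256(trusted).digest()


def demo() -> dict:
    """Forge a rogue module that collides with the trusted one under CRC-32."""
    forged = forge_crc32(ROGUE_MODULE, zlib.crc32(TRUSTED_MODULE))
    return {
        "forged_crc": zlib.crc32(forged),
        "trusted_crc": zlib.crc32(TRUSTED_MODULE),
        "weak_accepts_forged": weak_component_check(TRUSTED_MODULE, forged),
        "strong_accepts_forged": strong_component_check(TRUSTED_MODULE, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The forging step is deterministic and needs no brute force; that is what
separates a checksum, which detects accidental corruption, from a
cryptographic hash, which has to resist deliberate collisions. Any
component-control or allowlisting design should identify modules by a
cryptographic hash or a signature, never by a CRC or similar checksum.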
______________________________________________________________________

07.8.3 CVE: Not Available
Platform: Windows
Title: MailEnable SMTP NTLM Authentication Unspecified Denial of
Service
Description: MailEnable is mail server software. It is prone to a
remote denial of service vulnerability because it fails to properly
handle user-supplied input. This issue arises in the SMTP server
during NTLM authentication when processing base64 encoded input and
may result in a crash of the affected service. MailEnable Professional
and Enterprise Edition versions 2.37 and prior are affected.
Ref: http://www.securityfocus.com/bid/22565
______________________________________________________________________

07.8.4 CVE: CVE-2007-0651, CVE-2007-0652
Platform: Windows
Title: MailEnable Web Mail Client Multiple HTML Injection and
Cross-Site Scripting Vulnerabilities
Description: MailEnable Web Mail Client is a commercially available
mail server. It is prone to multiple input validation vulnerabilities.
These issues are due to a failure in the application to properly
sanitize user-supplied input before using it in dynamically generated
content. MailEnable Professional versions 2.351 and prior are
vulnerable.
Ref: http://www.securityfocus.com/bid/22554
http://www.securityfocus.com/archive/1/460063
http://secunia.com/secunia_research/2007-38/advisory/
______________________________________________________________________

07.8.5 CVE: Not Available
Platform: Windows
Title: ActSoft DVD-Tools DVDTools.OCX ActiveX Control Remote Buffer
Overflow
Description: ActSoft DVD Tools is an ActiveX controller that allows
users to convert DVD's into other video formats. ActSoft DVD Tools is
prone to a remote buffer overflow issue because the application fails
to properly bounds check user-supplied data before copying it into an
insufficiently sized memory buffer. ActSoft DVD Tools version 3.8.5 is
affected.
Ref: http://support.microsoft.com/kb/240797
http://www.securityfocus.com/bid/22558
______________________________________________________________________

07.8.6 CVE: CVE-2007-0211
Platform: Windows
Title: Microsoft Windows Shell Hardware Detection Service Privilege
Escalation
Description: Microsoft Windows Shell Hardware Detection service is
used to detect and register new hardware. The service is prone to a
local privilege escalation vulnerability due to a lack of proper input
validation on an unspecified function parameter.
Microsoft Windows XP Tablet PC Edition SP2 and prior versions are
affected.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-006.mspx
______________________________________________________________________

07.8.7 CVE: Not Available
Platform: Windows
Title: iTinySoft Studio Total Video Player M3U Playlist Buffer
Overflow
Description: Total Video Player is a multiformat video player for
Microsoft Windows. The application is prone to a stack based
buffer overflow vulnerability because it fails to properly verify the
size of user-supplied data before copying it into an insufficiently
sized process buffer. Version 1.03 is affected.
Ref: http://www.securityfocus.com/bid/22553
______________________________________________________________________

07.8.8 CVE: CVE-2007-0210
Platform: Windows
Title: Microsoft Windows Image Acquisition Service Privilege
Escalation
Description: Microsoft Windows Image Acquisition (WIA) service enables
communication between imaging programs and imaging devices. The
service is prone to a vulnerability due to an unchecked buffer. See
the advisory for details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-007.mspx
______________________________________________________________________

07.8.9 CVE: CVE-2007-0026
Platform: Windows
Title: Microsoft Windows OLE Dialog Remote Code Execution
Description: Rich Text Files (RTF) provide a format for text and
graphic interchange that can be used within different operating
systems and operating devices. OLE is the technology that is used to
create and edit compound documents and provides embedding and linking
support. Please refer to the link below for further details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-011.mspx
______________________________________________________________________

07.8.10 CVE: CVE-2007-0870
Platform: Microsoft Office
Title: Microsoft Word 2000/2002 Remote Code Execution
Description: Microsoft Word is prone to a remote code execution
vulnerability that arises because of a memory corruption
vulnerability. Microsoft Word 2002 SP3 and prior versions are
affected. Refer to the advisory for details.
Ref: http://www.microsoft.com/technet/security/advisory/933052.mspx
http://www.kb.cert.org/vuls/id/332404
______________________________________________________________________

07.8.11 CVE: CVE-2007-0671
Platform: Microsoft Office
Title: Microsoft Excel Remote Denial of Service
Description: Microsoft Excel is a spreadsheet application that is part
of the Microsoft Office suite. It is reportedly prone to a denial of
service vulnerability because when the application handles a specially
crafted spreadsheet file it results in a NULL pointer dereference.
Microsoft Excel 2003 SP3 and earlier versions are affected.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-015.mspx
______________________________________________________________________

07.8.12 CVE: CVE-2007-0208
Platform: Microsoft Office
Title: Microsoft Word Macro Permissions Bypass Arbitrary Code
Execution
Description: Microsoft Word is prone to a remote code execution
vulnerability because the application fails to handle maliciously
crafted Word files. Microsoft Works Suite 2006 and prior versions are
affected. Refer to the advisory for details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx
______________________________________________________________________

07.8.13 CVE: CVE-2007-0209
Platform: Microsoft Office
Title: Microsoft Word Malformed Drawing Object Arbitrary Code
Execution
Description: Microsoft Word is prone to a remote code execution
vulnerability because the application fails to handle maliciously
crafted Word files containing a malformed drawing object. See the
advisory for details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx
______________________________________________________________________

07.8.14 CVE: CVE-2007-0032
Platform: Microsoft Office
Title: Microsoft Office and Microsoft Windows RichEdit Component
Remote Code Execution
Description: Microsoft Office and Microsoft Windows are prone to a
remote code execution vulnerability. This issue occurs when the
RichEdit OLE component included with Microsoft Windows and Microsoft
Office does not perform sufficient validation when parsing specially
crafted OLE objects embedded within Rich Text Files (RTF).
Please refer to the link below for further details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-013.mspx
______________________________________________________________________

07.8.15 CVE: CVE-2006-4697
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer IMJPCKSI COM Object Instantiation
Memory Corruption
Description: Microsoft Internet Explorer is prone to a memory
corruption vulnerability. The vulnerability arises because of the way
Internet Explorer attempts to instantiate certain COM objects as
ActiveX controls. Versions 6.0 and prior are affected.
Ref: http://www.securityfocus.com/bid/22486
http://support.microsoft.com/kb/q240797/
http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx
______________________________________________________________________

07.8.16 CVE: CVE-2007-0217
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer FTP Server Response Parsing Memory
Corruption
Description: Microsoft Internet Explorer is prone to a memory
corruption vulnerability when parsing certain FTP server responses.
This issue occurs when Internet Explorer follows FTP URIs and attempts
to process responses returned from malicious servers. Internet
Explorer 6.0 and earlier are affected. Refer to the advisory for details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx
______________________________________________________________________

07.8.17 CVE: CVE-2007-0219
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer COM Object Instantiation Variant
Memory Corruption
Description: Microsoft Internet Explorer is prone to a memory
corruption vulnerability. The vulnerability arises because of the way
Internet Explorer attempts to instantiate certain COM objects as
ActiveX controls. The COM objects may let remote attackers corrupt
process memory and facilitate arbitrary code execution in the context
of the currently logged-in user on the affected computer. Please
refer to the link below for further details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx
______________________________________________________________________

07.8.18 CVE: CVE-2006-3448
Platform: Other Microsoft Products
Title: Microsoft Step by Step Interactive Training Buffer Overflow
Description: Microsoft Step by Step Interactive Training is an engine
used by interactive training titles from a number of vendors. Microsoft
Step by Step Interactive Training is prone to a
buffer overflow vulnerability because it fails to bounds check
user-supplied data before copying it into an insufficiently sized
buffer.
Ref: http://www.securityfocus.com/bid/22484
http://www.microsoft.com/technet/security/Bulletin/MS07-005.mspx
http://www.securityfocus.com/archive/1/460009
______________________________________________________________________

07.8.19 CVE: CVE-2007-0025
Platform: Other Microsoft Products
Title: Microsoft MFC Embedded OLE Object Remote Code Execution
Description: Rich Text Files (RTF) provide a format for text and
graphic interchange that can be used within different operating
systems and operating devices. Please refer to the Microsoft advisory
for further details.
Ref: http://www.microsoft.com/technet/security/Bulletin/MS07-012.mspx
______________________________________________________________________

07.8.20 CVE: CVE-2007-0214
Platform: Other Microsoft Products
Title: Microsoft HTML Help ActiveX Control Remote Code Execution
Description: Microsoft HTML Help ActiveX control is a program for
inserting help navigation and secondary window functionality into HTML
files. See the advisory for details.
Ref: http://www.microsoft.com/technet/security/bulletin/MS07-008.mspx
______________________________________________________________________

07.8.21 CVE: CVE-2006-5270
Platform: Other Microsoft Products
Title: Microsoft Antivirus Engine Integer Overflow
Description: The Microsoft Malware Protection Engine, the antivirus
engine shared by Windows Live OneCare, Windows Defender and other
Microsoft security products, is prone to an integer overflow
vulnerability. This issue occurs when the engine processes maliciously
crafted PDF files. Products that bundle the engine, including Windows
Live OneCare, are affected; please refer to the Microsoft advisory for
the full list.
Ref: http://www.microsoft.com/technet/security/Bulletin/ms07-010.mspx
______________________________________________________________________

07.8.22 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer JavaScript Key Filtering Variant
Description: Microsoft Internet Explorer is prone to a JavaScript key
filtering vulnerability: script on a web page can intercept and
selectively pass on the user's keystrokes, so the browser does not
handle keystroke input securely.
Microsoft Internet Explorer 6.0 SP1 and prior versions are affected.
Ref: http://www.securityfocus.com/bid/22531
http://www.securityfocus.com/archive/1/459823
______________________________________________________________________

07.8.23 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer for Windows Mobile Remote WML
Content Denial of Service
Description: Microsoft Windows Mobile is an operating system for smart
phones and PDAs. It includes various embedded versions of applications
including Office and Internet Explorer. Internet Explorer for Windows
Mobile is prone to a remote denial of service vulnerability because
the software fails to properly handle malformed remote data. Microsoft
Windows Mobile version 5.0 is affected.
Ref: http://www.securityfocus.com/archive/1/459571
http://www.securityfocus.com/bid/22500
______________________________________________________________________

07.8.24 CVE: Not Available
Platform: Third Party Windows Apps
Title: Mozilla Firefox location.hostname DOM Property Cookie Theft
Description: Mozilla Firefox is prone to a cookie theft vulnerability
which arises because the application fails to sufficiently sanitize
user-supplied input. This issue affects version 2.0.0.1.
Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=370445
http://www.securityfocus.com/bid/22566
______________________________________________________________________

07.8.25 CVE: Not Available
Platform: Third Party Windows Apps
Title: uTorrent Torrent File Handling Remote Heap Buffer Overflow
Description: uTorrent is a BitTorrent client. It is prone to a
remote heap based buffer overflow vulnerability because the
application fails to properly bounds check user-supplied input before
copying it to an insufficiently sized memory buffer. uTorrent version
1.6 is affected.
Ref: http://www.securityfocus.com/bid/22530
______________________________________________________________________

07.8.26 CVE: Not Available
Platform: Third Party Windows Apps
Title: Mozilla Firefox JavaScript Key Filtering Variant
Description: Mozilla Firefox is prone to a JavaScript key filtering
vulnerability. This issue is due to the failure of the browser to
securely handle keystroke input from users. Mozilla Firefox versions
1.5.0.9 and 2.0.0.1 are affected.
Ref: http://www.securityfocus.com/archive/1/459823
https://bugzilla.mozilla.org/show_bug.cgi?id=56236
https://bugzilla.mozilla.org/show_bug.cgi?id=370092
http://www.securityfocus.com/bid/22524
______________________________________________________________________

07.8.27 CVE: Not Available
Platform: Third Party Windows Apps
Title: Roaring Penguin Software MIMEDefang Unspecified Remote Buffer
Overflow
Description: MIMEDefang is an email filtering framework that plugs into
sendmail through the milter interface. It is prone to a buffer overflow
vulnerability because the application fails to properly bounds-check
unspecified user-supplied data. This issue affects versions 2.59 and 2.60.
Ref:
http://lists.roaringpenguin.com/pipermail/mimedefang/2007-February/032011.html
http://www.securityfocus.com/bid/22514
______________________________________________________________________

07.8.28 CVE: Not Available
Platform: Third Party Windows Apps
Title: SmidgeonSoft PEBrowse Remote Buffer Overflow
Description: SmidgeonSoft PEBrowse is a freely available application
used to analyse and disassemble Win32 executables without executing
them or loading them into memory as an active process. It is prone to
a remote buffer overflow issue due to failure of the application to
properly bounds check user-supplied data contained in PE-formatted
executable files. PEBrowse Professional version 8.2.1.0 is vulnerable
and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/22501
______________________________________________________________________

07.8.29 CVE: Not Available
Platform: Linux
Title: HP Serviceguard for Linux Unspecified Remote Unauthorized
Access
Description: HP Serviceguard for Linux is a high-availability
clustering system for critical applications. It is exposed to an
unspecified unauthorized access vulnerability.
HP Serviceguard for Linux A.11.16.10 and A.11.15.07 are affected.
Ref: http://www.securityfocus.com/archive/1/460216
______________________________________________________________________

07.8.30 CVE: CVE-2007-0006
Platform: Linux
Title: Linux Kernel Key_Alloc_Serial() Local Denial of Service
Description: The Linux kernel is prone to a denial of service
vulnerability because of a NULL pointer dereference. This
vulnerability affects the "key_alloc_serial()" function. Kernel
versions 2.6.x are vulnerable.
Ref: http://www.securityfocus.com/bid/22539
______________________________________________________________________

07.8.31 CVE: Not Available
Platform: Linux
Title: March Networks Digital Video Recorders Unspecified Denial of
Service
Description: March Networks DVRs are digital video recorder devices
that use an embedded Linux operating platform. These devices are prone
to an unspecified denial of service vulnerability because of an
unspecified failure in the device to handle incoming traffic through
TCP port 80. All March Networks DVR 3000 and 4000 series devices are
vulnerable.
Ref: http://www.securityfocus.com/bid/22497
______________________________________________________________________

07.8.32 CVE: Not Available
Platform: Solaris
Title: Sun Solaris TCP Subsystem Remote Denial of Service
Description: Sun Solaris is prone to a remote denial of service
vulnerability in its TCP subsystem, triggered when TCP connections are
handled under high network load. Sun Solaris 10 x86 and earlier
versions are affected.
Ref:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102796-1&searchclause=
______________________________________________________________________

07.8.33 CVE: CVE-2007-0882
Platform: Solaris
Title: Sun Solaris Telnet Remote Authentication Bypass
Description: Sun Solaris is vulnerable to an authentication bypass
because the telnet daemon passes a client-supplied user name to the
login program unchecked; a name beginning with a switch is interpreted
by login as an option that bypasses authentication. Sun Solaris
versions 10.0 and 11.0 are affected.
Ref:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1&searchclause=
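The bug class behind this entry and the patch note in Part I (entry 17)
is argument injection: a value chosen by the remote client lands on the
command line of a privileged program, where a leading dash turns it into
an option. The following Python is an added example written for this
bulletin, not Sun's telnetd or login code; the option letters of the
simulated login program and the user-name policy are assumptions chosen
to model the behaviour the advisory describes. It shows the argv a
careless daemon builds for the well-known telnet -l "-froot" request,
how a getopt-style parser reads it, and the two fixes: validate the name
and put "--" before any untrusted argument.

```python
import getopt
import re

# Option letters for a login(1)-style program as used in this example:
# -p preserve environment, -h remote host, -f user already authenticated.
# (An assumption modelled on the advisory's description, not Solaris code.)
LOGIN_OPTS = "ph:f:"


def simulated_login(argv):
    """Interpret argv the way a getopt-driven login program would.

    Returns (user, password_required). With -f the caller vouches for the
    user, so no password is asked for: that is the switch a telnet client
    could smuggle in through the user name.
    """
    opts, rest = getopt.getopt(argv, LOGIN_OPTS)
    options = dict(opts)
    if "-f" in options:
        return options["-f"], False
    return (rest[0] if rest else None), True


def vulnerable_telnetd_argv(remote_host, requested_user):
    """Vulnerable pattern: the client-chosen user name is appended as a bare
    argument, so a value such as '-froot' is parsed by login as an option."""
    return ["-p", "-h", remote_host, requested_user]


# Strict user-name pattern (assumed policy): must not begin with '-' and
# may contain only characters a local account name can have.
USERNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,31}$")


def hardened_telnetd_argv(remote_host, requested_user):
    """Hardened: validate the name, and end option parsing with '--' so that
    even a name that slips through can never be read as a switch."""
    if not USERNAME.match(requested_user):
        raise ValueError("rejected user name: %r" % (requested_user,))
    return ["-p", "-h", remote_host, "--", requested_user]


if __name__ == "__main__":
    # Equivalent of:  telnet -l "-froot" target
    print(simulated_login(vulnerable_telnetd_argv("203.0.113.7", "-froot")))
    print(simulated_login(hardened_telnetd_argv("203.0.113.7", "alice")))
```

The validation is the primary fix; the "--" separator is defence in
depth, so that a second parsing bug elsewhere cannot reintroduce the
problem. The same review question applies to any daemon that execs a
helper with remote input: can the input ever begin with a dash?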
______________________________________________________________________

07.8.34 CVE: Not Available
Platform: AIX
Title: IBM AIX SWCONS Buffer Overflow
Description: IBM AIX swcons is prone to a local buffer overflow
vulnerability. This issue arises because the application fails to
perform boundary checks prior to copying user-supplied data into
insufficiently sized memory buffers. IBM AIX version 5.3 is affected.
Ref: http://www-1.ibm.com/support/docview.wss?uid=isg1IY94901
______________________________________________________________________

07.8.35 CVE: Not Available
Platform: Unix
Title: HP-UX ARPA Transport Software Unspecified Local Denial of
Service
Description: HP-UX running the ARPA Transport Software is prone to an
unspecified local denial of service vulnerability. This issue occurs
because the application fails to handle exceptional conditions. HP-UX
versions B.11.23 and B.11.11 are affected.
Ref:
http://www1.itrc.hp.com/service/cki/docDisplay.do?admit=-682735245+1171397844076+28353475&docId=c00863839
______________________________________________________________________

07.8.36 CVE: Not Available
Platform: Unix
Title: HP-UX SLSD Remote Arbitrary File Creation
Description: HP-UX running SLSd is prone to a remote arbitrary file
creation vulnerability. SLSd is a Single Logical Screen X Daemon. This
issue occurs when "SLSD_DAEMON = 1" is present in
"/etc/rc.config.d/slsd". Version HP-UX B.11.11 is affected.
Ref: http://www.securityfocus.com/bid/22551
http://www.securityfocus.com/archive/1/460073
______________________________________________________________________

07.8.37 CVE: CVE-2007-0898
Platform: Cross Platform
Title: ClamAV MIME Header ID Parameter String Directory Traversal
Description: ClamAV is an antivirus toolkit. The application is
exposed to a directory traversal vulnerability because it fails to
properly sanitize user-supplied directory traversal strings ("../") in
the "id" string taken from MIME headers in a multipart email message.
Versions prior to the 0.90 stable release are affected.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=476
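An added example for the traversal described in this entry (written for
this bulletin, not ClamAV code). It assumes the id is read from the
Content-Type header's id parameter, as in message/partial, and that
fragments are spooled under a hypothetical /var/spool/clamav directory;
the sample message is constructed. It contrasts the vulnerable way of
turning the id into a file name with one that reduces the id to a single
safe path component and then verifies the result stays inside the spool
directory.

```python
import email
import posixpath
import re

# Constructed sample message (not taken from the advisory): a message/partial
# fragment whose Content-Type "id" parameter carries a traversal sequence.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: fragment 1 of 2
MIME-Version: 1.0
Content-Type: message/partial; id="../../../etc/cron.d/evil"; number=1; total=2

Content-Type: text/plain

* * * * * root /tmp/payload
"""

# Hypothetical location where a scanner spools message fragments.
SPOOL_DIR = "/var/spool/clamav"
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._@-]")


def mime_partial_id(raw_message: bytes):
    """Return the Content-Type 'id' parameter exactly as the sender sent it."""
    return email.message_from_bytes(raw_message).get_param("id")


def unsafe_spool_path(part_id: str, spool_dir: str = SPOOL_DIR) -> str:
    """Vulnerable pattern: the sender-controlled id becomes part of the path,
    so '../' components walk out of the spool directory."""
    return posixpath.normpath(posixpath.join(spool_dir, part_id))


def safe_spool_path(part_id: str, spool_dir: str = SPOOL_DIR) -> str:
    """Hardened: reduce the id to one file-name component made only of safe
    characters, then confirm the result still lies directly under spool_dir."""
    name = UNSAFE_CHARS.sub("_", part_id.strip("<>"))
    if name in ("", ".", "..") or len(name) > 200:
        raise ValueError("unusable MIME id: %r" % (part_id,))
    target = posixpath.normpath(posixpath.join(spool_dir, name))
    if posixpath.dirname(target) != posixpath.normpath(spool_dir):
        raise ValueError("MIME id escaped the spool directory")
    return target


if __name__ == "__main__":
    part_id = mime_partial_id(SAMPLE_MESSAGE)
    print("unsafe:", unsafe_spool_path(part_id))
    print("safe:  ", safe_spool_path(part_id))
```

The character-class rewrite removes every path separator, and the
dirname check is the second line of defence: even if the rewrite were
later relaxed, a name that resolves anywhere but directly under the
spool directory is refused. A scanner that writes attacker-named files
as a privileged user needs both.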
______________________________________________________________________

07.8.38 CVE: CVE-2007-0451
Platform: Cross Platform
Title: SpamAssassin Long URI Handling Remote Denial of Service
Description: SpamAssassin is a mail filter designed to identify and
process spam. It is exposed to a remote denial of service
vulnerability when the application handles excessively long URIs
included in message content. SpamAssassin versions prior to 3.1.8 are
affected.
Ref:
http://svn.apache.org/repos/asf/spamassassin/branches/3.1/build/announcements/3.1.8.txt
______________________________________________________________________

07.8.39 CVE: CVE-2007-0897
Platform: Cross Platform
Title: ClamAV CAB File Remote Denial of Service
Description: ClamAV is an open-source antivirus toolkit commonly deployed
to scan email traffic on mail gateways. It is exposed to a denial of
service issue because it fails to properly handle malformed CAB (cabinet)
archive header data. Versions prior to 0.90 stable are vulnerable.
Ref:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=475
______________________________________________________________________

07.8.40 CVE: Not Available
Platform: Cross Platform
Title: Amarok Magnatune Shell Command Injection
Description: Amarok is a music player for Linux and Unix. The application
is prone to a shell command injection vulnerability because it fails to
properly sanitize user-supplied input passed to the Magnatune music
store component. Amarok version 1.4 is affected.
Ref: http://bugs.kde.org/show_bug.cgi?id=138499
http://www.securityfocus.com/bid/22568
______________________________________________________________________

07.8.41 CVE: CVE-2007-0324
Platform: Cross Platform
Title: LizardTech DjVu Browser Plug-in Multiple Buffer Overflow
Vulnerabilities
Description: DjVu Browser plug-in is used to view DjVu documents. It
can be used with Internet Explorer, Firefox and Safari on various
platforms. The application is prone to multiple buffer overflow issues
because it fails to sufficiently bounds check user-supplied data
before copying it to finite sized buffers. DjVu Browser Plug-in
versions prior to 6.1.1 are vulnerable.
Ref: http://www.kb.cert.org/vuls/id/522393
http://www.lizardtech.com/products/doc/djvupluginrelease.php
http://www.securityfocus.com/bid/22569
______________________________________________________________________

07.8.42 CVE: Not Available
Platform: Cross Platform
Title: MiniWebSVR Multiple Request Remote Denial of Service
Description: MiniWebsvr is a web server application. The server is prone
to a denial of service vulnerability because it fails to sufficiently
handle multiple HTTP GET requests. MiniWebsvr versions 0.0.6 and
earlier are affected.
Ref: http://www.securityfocus.com/bid/22557
______________________________________________________________________

07.8.43 CVE: Not Available
Platform: Cross Platform
Title: MoinMoin Multiple Cross-Site Scripting Vulnerabilities
Description: MoinMoin is a wiki engine available for Unix and Linux
platforms. The application is vulnerable to multiple
cross-site scripting attacks because it fails to sufficiently sanitize
user-supplied input to the "hitcounts" and "general" parameters in
Info Pages. Version 1.5.7 is affected.
Ref: http://www.securityfocus.com/bid/22515
______________________________________________________________________

07.8.44 CVE: CVE-2007-0857
Platform: Cross Platform
Title: MoinMoin Multiple Cross-Site Scripting Vulnerabilities
Description: MoinMoin is a wiki engine. The application is prone
to multiple cross-site scripting vulnerabilities due to insufficient
sanitization of user-supplied input to various parameters.
MoinMoin versions 1.5.6 and earlier are affected.
Ref: http://www.securityfocus.com/bid/22506
______________________________________________________________________

07.8.45 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Deskpro Faq.PHP Cross-Site Scripting
Description: Deskpro is a help desk and customer support application.
The application is exposed to a cross-site scripting
issue because it fails to properly sanitize user-supplied input to the
"article" parameter of the "faq.php" script. Version 1.1.0 is
affected.
Ref: http://www.securityfocus.com/archive/1/460200
______________________________________________________________________

07.8.46 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Calendar Express Search.PHP Cross-Site Scripting
Description: Calendar Express is a web-based calendar application. The
application is exposed to cross-site scripting issue because it fails
to properly sanitize user-supplied input to the "allwords" parameter
of the "search.php" script. Calendar Express 2 is affected.
Ref: http://www.securityfocus.com/archive/1/460198
______________________________________________________________________

07.8.47 CVE: CVE-2006-5859
Platform: Web Application - Cross Site Scripting
Title: Adobe ColdFusion Unspecified Cross-Site Scripting
Description: ColdFusion is software for developing web applications.
The application is vulnerable to cross-site scripting attacks because
it fails to sufficiently sanitize user-supplied input before
displaying it in dynamically generated content. Adobe ColdFusion MX
7.02 and prior versions are affected.
Ref: http://www.securityfocus.com/bid/22544
http://www.adobe.com/support/security/bulletins/apsb07-03.html
______________________________________________________________________

07.8.48 CVE: CVE-2006-5860
Platform: Web Application - Cross Site Scripting
Title: Adobe JRun Administrator Console Cross-Site Scripting
Description: JRun is a J2EE application server that is available for
Microsoft Windows, Unix and Linux variants. The application is
vulnerable to a cross-site scripting issue because it fails to
sufficiently sanitize user-supplied input to the administrative
console before displaying it in dynamically generated content.
Macromedia JRun version 4.0 and prior versions are affected.
Ref: http://www.adobe.com/support/security/bulletins/apsb07-05.html
http://www.securityfocus.com/bid/22547/info
______________________________________________________________________

07.8.49 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Wordpress Templates.PHP Cross-Site Scripting
Description: WordPress allows users to generate news pages and web
logs dynamically. WordPress is prone to a cross-site scripting
vulnerability because it fails to properly sanitize user-supplied
input to the "file" parameter of the "admin/templates.php" script.
WordPress (B2) version 0.6.2.1 and earlier versions are affected.
Ref: http://www.securityfocus.com/bid/22534
______________________________________________________________________

07.8.50 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: TaskFreak! Error.PHP Cross-Site Scripting
Description: TaskFreak! is a web-based task manager. The application
is prone to a cross-site scripting vulnerability because it fails to
properly sanitize user-supplied input to the "znMessage" parameter of
the "error.php" script. TaskFreak! version 0.5.5 multi-user edition is
vulnerable.
Ref: http://www.securityfocus.com/bid/22537
______________________________________________________________________

07.8.51 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: JBoss Portal Noproject Portal Cross-Site Scripting
Description: JBoss Portal is a web portal application. The application
is prone to a cross-site scripting vulnerability because it fails to
properly sanitize user-supplied input to the "noproject" parameter of
the community page. Group JBoss Portal version 2.2.1 is affected.
Ref: http://www.securityfocus.com/bid/22526
______________________________________________________________________

07.8.52 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Community Server SearchResults.ASPX Cross-Site Scripting
Description: Community Server is a web-based image gallery. The
application is prone to a cross-site scripting vulnerability because
it fails to properly sanitize user-supplied input to the "q" parameter
of the "SearchResults.aspx" script.
Ref: http://www.securityfocus.com/archive/1/459848
http://www.securityfocus.com/bid/22529
______________________________________________________________________

07.8.53 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Atlassian JIRA BrowseProject.JSPA Cross-Site Scripting
Description: Atlassian JIRA is a web portal written in
Java/JavaScript. The application is prone to a cross-site scripting
vulnerability because it fails to properly sanitize user-supplied
input to the "id" parameter of the "BrowseProject.jspa" script.
Version 3.7.3 is affected.
Ref: http://www.securityfocus.com/archive/1/459590
______________________________________________________________________

07.8.54 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Qdig QWD Variable Cross-Site Scripting
Description: Quick Digital Image Gallery (Qdig) is a web-based image
gallery. The application is prone to a cross-site scripting
vulnerability because it fails to properly sanitize user-supplied
input to the "Qwd" parameter. Qdig version 1.2.9.3 is affected.
Ref: http://www.securityfocus.com/archive/1/459664
______________________________________________________________________

07.8.55 CVE: Not Available
Platform: Web Application - SQL Injection
Title: CodeAvalanche News Inc_Listnews.ASP SQL Injection
Description: CodeAvalanche News is a web-based news script
application. The application is exposed to an SQL injection vulnerability
because it fails to properly sanitize user-supplied input to the
"CAT_ID" parameter of the "inc_listnews.asp" script before using it in
an SQL query. xfairguy CodeAvalanche News version 1.2 is affected.
Ref: http://www.securityfocus.com/bid/22582
______________________________________________________________________

07.8.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ibProArcade Arcade.PHP SQL Injection
Description: ibProArcade is a professional arcade system for
vBulletin. The application is prone to an SQL injection issue because it
fails to properly sanitize user-supplied input to the "gsearch"
parameter of the "arcade.php" script before using it in an SQL query.
This issue affects version 2.5.9+.
Ref: http://www.securityfocus.com/bid/22575
______________________________________________________________________

07.8.57 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PollMentor Pollmentorres.ASP SQL Injection
Description: PollMentor is a web-based polling application.
The application is prone to an SQL injection vulnerability because it
fails to properly sanitize user-supplied input to the "id" parameter
of the "pollmentorres.asp" script before using it in an SQL query.
Version 2.0 is vulnerable.
Ref: http://www.securityfocus.com/bid/22542
______________________________________________________________________

07.8.58 CVE: Not Available
Platform: Web Application - SQL Injection
Title: phpCC Nickpage.PHP SQL Injection
Description: phpCC is a web-based content management system. It is
prone to an SQL injection vulnerability because it fails to properly
sanitize user-supplied input to the "npid" parameter of the
"nickpage.php" script. Version 4.2 is affected.
Ref: http://www.securityfocus.com/bid/22540
______________________________________________________________________

07.8.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Philboard Philboard_forum.ASP SQL Injection
Description: Philboard is a web-based bulletin board application.
The application is prone to an SQL injection vulnerability
because it fails to sufficiently sanitize user-supplied
data to the "forumid" parameter of the "philboard_forum.asp" script
before using it in an SQL query. philboard version 1.14 is affected.
Ref: http://www.securityfocus.com/bid/22532
______________________________________________________________________

07.8.60 CVE: Not Available
Platform: Web Application
Title: EasyMail Objects Connect Method Remote Stack Buffer Overflow
Description: EasyMail Objects is an application which provides email
sending and receiving for ActiveX applications. The application is
prone to a remote stack-based buffer overflow issue because the
application fails to properly bounds check user-supplied data prior to
copying it to an insufficiently sized buffer. Versions prior to 6.5
are vulnerable.
Ref: http://www.securityfocus.com/archive/1/460237
______________________________________________________________________

07.8.61 CVE: Not Available
Platform: Web Application
Title: LifeType Unspecified Parameter Handling Information Disclosure
Description: LifeType is an open source web-based blog application. It
is exposed to an information disclosure issue because the application
fails to properly sanitize user-supplied input to an unspecified
parameter. LifeType versions 1.1.5 and earlier are affected.
Ref:
http://www.lifetype.net/blog/lifetype-development-journal/2007/02/14/critical-security-issue-lifetype-1.1.6-and-lifetype-1.2-beta2-released
______________________________________________________________________

07.8.62 CVE: Not Available
Platform: Web Application
Title: nabopoll Survey.Inc.PHP Remote File Include
Description: nabopoll is a complete voting/survey system. The
application is exposed to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the "path" parameter
of the "survey.inc.php" script. Version 1.2.0 is affected.
Ref: http://www.securityfocus.com/bid/22573
______________________________________________________________________

07.8.63 CVE: Not Available
Platform: Web Application
Title: ZebraFeeds Multiple Remote File Include Vulnerabilities
Description: ZebraFeeds is a newsfeed aggregator application. The
application is exposed to multiple remote file include issues because
it fails to sufficiently sanitize user-supplied input to the "zf_path"
parameter of the "aggregator.php" and "controller.php" scripts.
Version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/22576
______________________________________________________________________

07.8.64 CVE: Not Available
Platform: Web Application
Title: Webapp.Org Webapp Multiple Remote Vulnerabilities
Description: WebAPP is a web-portal application implemented in
Perl. WebAPP is prone to multiple remote vulnerabilities, which include
an information disclosure vulnerability, a vulnerability when entering
data through a hijacked form, an unauthorized access vulnerability and
many more. WebAPP versions 0.9.9.3.2 and prior are affected.
Ref: http://www.securityfocus.com/bid/22563
______________________________________________________________________

07.8.65 CVE: Not Available
Platform: Web Application
Title: Jupiter CMS Multiple Scripts Multiple Input Validation
Vulnerabilities
Description: Jupiter CMS is a content manager. Jupiter CMS is prone to
multiple input validation vulnerabilities because the application
fails to properly sanitize user-supplied input. Jupiter CMS version
1.1.5 is affected.
Ref: http://www.securityfocus.com/archive/1/460076
http://www.securityfocus.com/bid/22560
______________________________________________________________________

07.8.66 CVE: Not Available
Platform: Web Application
Title: WebTester Multiple Input Validation Vulnerabilities
Description: WebTester is a web-based test and quiz creation
application. The application is prone to multiple input validation
vulnerabilities because it fails to properly sanitize user-supplied
input. The issues include multiple unspecified cross-site scripting
issues and multiple SQL injection issues. Versions 5.0.20060927 and
prior are affected.
Ref: http://www.securityfocus.com/archive/1/460078
http://www.securityfocus.com/bid/22559
______________________________________________________________________

07.8.67 CVE: Not Available
Platform: Web Application
Title: AT Contenator Nav.PHP Remote File Include
Description: AT Contenator is a web application. The application is
prone to a remote file include vulnerability because it fails to
sufficiently sanitize user-supplied input to the "Root_To_Script"
parameter of the "_admin/nav.php" script. Version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/22543
______________________________________________________________________

07.8.68 CVE: Not Available
Platform: Web Application
Title: Fullaspsite Shop Listmain.ASP Multiple Input Validation
Vulnerabilities
Description: Fullaspsite Shop is a web-based e-commerce application. It
is prone to multiple input validation vulnerabilities because it fails
to properly sanitize user-supplied input to the "cat" parameter of the
"listmain.asp" script.
Ref: http://www.securityfocus.com/bid/22545
______________________________________________________________________

07.8.69 CVE: Not Available
Platform: Web Application
Title: Mail Search.HTML HTML Injection
Description: Mail is a web-based application used to access email via
a web page or wireless device. The application is prone to an input
validation vulnerability that allows malicious HTML and script code to
be injected before the input is used in dynamically generated content.
Specifically, this issue occurs in the search form of
"html/[language folder]/help/search.html" before the input is processed
by the "search.pl" script. Mail versions 4.61 and prior are affected.
Ref: http://www.securityfocus.com/bid/22552
http://lostmon.blogspot.com/2007/02/mail-searchpl-keywords-variable-cross.html
______________________________________________________________________

07.8.70 CVE: Not Available
Platform: Web Application
Title: Radical Technologies Portal Search Multiple Input Validation
Vulnerabilities
Description: Portal Search is an application that allows users to
search multiple sites. The application is prone to multiple input
validation vulnerabilities because it fails to sufficiently sanitize
user-supplied input. All versions are vulnerable.
Ref: http://www.securityfocus.com/archive/1/459794
______________________________________________________________________

07.8.71 CVE: Not Available
Platform: Web Application
Title: Virtual Calendar Multiple Cross-Site Scripting Vulnerabilities
Description: Virtual Calendar is a web-based calendar application. The
application is prone to multiple cross-site scripting vulnerabilities
because it fails to properly sanitize user-supplied input to the
"sho", "t" and "yr" parameters.
Ref: http://www.securityfocus.com/bid/22536
______________________________________________________________________

07.8.72 CVE: Not Available
Platform: Web Application
Title: Apache Stats Extract Function Multiple Input Validation
Vulnerabilities
Description: Apache Stats is a web traffic monitoring application. It
is prone to multiple input validation vulnerabilities because it fails
to sufficiently sanitize user-supplied data in an "extract()" PHP
function call. Versions prior to 0.0.3 are affected.
Ref: http://www.securityfocus.com/bid/22388
______________________________________________________________________

07.8.73 CVE: Not Available
Platform: Web Application
Title: phpMyVisites Multiple Input Validation Vulnerabilities
Description: phpMyVisites is a web traffic statistics and measurement
application. The application is prone to an HTTP response splitting
vulnerability which affects the "pagename" parameter. It is also prone
to a cross-site scripting vulnerability which affects the
"GetCurrentCompletePath()" routine and a local file include
vulnerability affecting the "pmv_ck_view" cookie parameter.
phpMyVisites versions prior to 2.2 stable are vulnerable.
Ref: http://www.securityfocus.com/archive/1/459792
______________________________________________________________________

07.8.74 CVE: Not Available
Platform: Web Application
Title: TagIt! TagBoard Multiple Remote File Include Vulnerabilities
Description: TagIt! TagBoard is a bulletin board. The application is
prone to multiple remote file include vulnerabilities because it fails
to sufficiently sanitize user-supplied input to various scripts.
TagBoard versions 2.1.b Build 2 and earlier are affected.
Ref: http://www.securityfocus.com/bid/22518
______________________________________________________________________

07.8.75 CVE: Not Available
Platform: Web Application
Title: php rrd Browser 'p' Parameter Directory Traversal
Description: php rrd browser is an rrd utility for polling and
researching. The application is prone to a directory traversal
vulnerability because it fails to properly sanitize user-supplied
input. The issue occurs when specially crafted HTTP GET requests
containing a directory traversal string are sent to the "p" parameter.
Versions prior to 0.2.1 are vulnerable to this issue.
Ref: http://www.securityfocus.com/archive/1/459804
______________________________________________________________________

07.8.76 CVE: Not Available
Platform: Web Application
Title: phpPolls phpPollAdmin.PHP3 Administrative Authentication Bypass
Description: phpPolls is a web-based poll script. This issue occurs
due to insufficient access validation. Specifically, users may access
the administrative script "phpPollAdmin.php3" without supplying a
password. Version 1.0.3 is vulnerable.
Ref: http://www.securityfocus.com/archive/1/459789
______________________________________________________________________

07.8.77 CVE: Not Available
Platform: Web Application
Title: IP3 NetAccess Directory Traversal
Description: IP3 NetAccess devices are rack mounted network
devices. They have SSH and web management interfaces. The application
is prone to a directory traversal vulnerability, because it fails to
properly sanitize user-supplied input to the "filename" parameter of
the "getfile.cgi" script. IP3 NetAccess devices with firmware versions
less than 4.1.9.6 are vulnerable.
Ref: http://www.securityfocus.com/bid/22513
http://www.devtarget.org/ip3-advisory-02-2007.txt
http://www.securityfocus.com/archive/1/459806
______________________________________________________________________

07.8.78 CVE: Not Available
Platform: Web Application
Title: PHP 'str_ireplace' Remote Denial of Service
Description: PHP is a general purpose scripting language that is
especially suited for web development. It is prone to a denial of
service vulnerability due to an error in the "str_ireplace()" routine.
This issue affects PHP version 5.2.1.
Ref: http://www.securityfocus.com/archive/1/459856
______________________________________________________________________

07.8.79 CVE: Not Available
Platform: Web Application
Title: McRefer Administrative Authentication Bypass
Description: McRefer is a web-based site recommendation script. It is
implemented in PHP. McRefer is prone to an administrative authentication
bypass vulnerability due to insufficient access validation. Version 1.0
is affected.
Ref: http://www.securityfocus.com/archive/1/459649
http://www.securityfocus.com/bid/22507
______________________________________________________________________

07.8.80 CVE: Not Available
Platform: Web Application
Title: Allons_voter Administrative Authentication Bypass
Description: Allons_voter is a web-based survey script. Allons_voter
is prone to a vulnerability that will let attackers gain
administrative access to the application. This is due to insufficient
access validation. Specifically, users may access administrative
scripts such as "admin_ajouter.php" and "admin_supprimer.php" without
supplying a password. Allons_voter version 1.0 5s is affected.
Ref: http://www.securityfocus.com/archive/1/459652
http://www.securityfocus.com/bid/22508
______________________________________________________________________

07.8.81 CVE: Not Available
Platform: Web Application
Title: Nabopoll Administrative Authentication Bypass
Description: Nabopoll is a web-based survey script. It is prone to a
vulnerability that allows ordinary users to access administrative
scripts such as "config_edit.php", "template_edit.php" and
"survey_edit.php" without supplying a password. Nabopoll versions 1.2
and 1.1 are affected.
Ref: http://www.securityfocus.com/bid/22509
______________________________________________________________________

07.8.82 CVE: Not Available
Platform: Web Application
Title: OPENi-CMS Plugin Remote File Include
Description: OPENi-CMS Plugin is a XAMP content management system. The
application is prone to a remote file include vulnerability because it
fails to sufficiently sanitize user-supplied input to the "oi_dir"
parameter of the "index.php" script before using it in an "include()"
function call. Version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/22511/info
______________________________________________________________________

07.8.83 CVE: Not Available
Platform: Web Application
Title: Plain Old Webserver Firefox Extension Directory Traversal
Description: Plain Old Webserver is a Firefox extension which adds a
simple web server to the browser. The application is prone to a
directory traversal vulnerability because it fails to sufficiently
sanitize user-supplied input via URI requests. Versions 0.0.7 and
0.0.8 are affected.
Ref: http://www.securityfocus.com/bid/22502
______________________________________________________________________

07.8.84 CVE: Not Available
Platform: Web Application
Title: PHP Versions 5.2.0 and Prior Multiple Vulnerabilities
Description: PHP is a general-purpose scripting language that is
especially suited for web development and can be embedded into HTML.
Successful exploits could allow an attacker to write files in
unauthorized locations, cause a denial of service condition, and
potentially execute code. Versions 4.4.4 and prior in the 4.x branch
and versions 5.2.0 and prior in the 5.x branch are affected.
Ref: http://www.php.net/ChangeLog-5.php#5.2.1
http://www.php.net/releases/5_2_1.php
http://www.securityfocus.com/bid/22496
______________________________________________________________________

07.8.85 CVE: CVE-2006-6758
Platform: Web Application
Title: Kiwi CatTools TFTP Directory Traversal
Description: Kiwi CatTools provides automated device configuration
management on routers, switches and firewalls. The application is
prone to a directory traversal vulnerability because it fails to
properly sanitize user-supplied input. The issue occurs when crafted
TFTP GET and PUT requests contain directory traversal strings. This
issue affects versions prior to 3.2.0 beta and 3.2.8.
Ref: http://www.kiwisyslog.com/kb/idx/5/178/article/
______________________________________________________________________

07.8.86 CVE: Not Available
Platform: Web Application
Title: eXtreme File Hosting Arbitrary RAR File Upload
Description: eXtreme File Hosting is a web-based file manager. The
application is prone to an arbitrary file upload vulnerability because
it fails to sufficiently sanitize user-supplied input when uploading
malicious PHP code disguised as RAR archive files. An attacker may
trigger this exploit by placing malicious PHP code into a file with a
".php.rar" file extension and uploading it.
Ref: http://www.securityfocus.com/bid/22498
______________________________________________________________________

07.8.87 CVE: Not Available
Platform: Network Device
Title: Cisco IOS Intrusion Prevention System Multiple Vulnerabilities
Description: Cisco IOS (Internetwork Operating System) is an operating
system commonly used on Cisco routers and network switches.
IOS is prone to multiple issues which affect the IPS intrusion
prevention system. These issues include: a security bypass
vulnerability, which occurs because IPS signatures that use regular
expressions can be evaded by sending malicious data as IP fragments,
and a denial of service vulnerability, which is tracked
in Cisco Bug ID CSCsa53334. Cisco IOS 12.4 XB and prior versions
are affected.
Ref: http://www.securityfocus.com/bid/22549
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml
______________________________________________________________________

07.8.88 CVE: Not Available
Platform: Hardware
Title: Cisco Multiple Products Multiple Remote Denial of Service
Vulnerabilities
Description: Multiple Cisco products are prone to multiple denial of
service vulnerabilities. These issues affect Cisco PIX 500 Series
Security Appliances, Cisco ASA 5500 Series Adaptive Security
Appliances and the Cisco Firewall Services Module (FWSM). Cisco PIX/ASA
7.0.4.3 and prior versions are affected.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
http://www.securityfocus.com/archive/1/460080
http://www.securityfocus.com/bid/22561
______________________________________________________________________

07.8.89 CVE: Not Available
Platform: Hardware
Title: Cisco PIX/ASA Privilege Escalation
Description: Cisco PIX and ASA security appliances are prone to a
privilege escalation vulnerability. This issue occurs when the "LOCAL"
method is used for user authentication. Cisco PIX/ASA version 7.2.2 is
affected.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20070214-pix.shtml
______________________________________________________________________

07.8.90 CVE: CVE-2007-0859
Platform: Hardware
Title: Palm OS Treo Find Feature Information Disclosure
Description: Palm OS Treo smartphones are vulnerable to a local
information disclosure issue because the software fails to properly
secure access to certain features when locked. The following devices
are known to be affected: Cingular Treo 650, Treo650-1.03a-VZW and
Treo650-1.12-SPCS, Cingular Treo 680 and Sprint/Verizon Treo 700p.
Ref: http://www.securityfocus.com/archive/1/460059
______________________________________________________________________

(c) 2007. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a party
other than Qualys (as indicated herein) and permission to use such
material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iD8DBQFF2gJJ+LUG5KFpTkYRAnhHAJ493bI/DblqVsDMjuswv55k7Dv0MwCfYi0O
M32HLNekNKUsIaQHw4i5aEA=
=mm+S
-----END PGP SIGNATURE-----