RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 12

From: The SANS Institute (ConsensusSecurityVulnerabilityAlertsans.org)
Date: Mon Mar 19 2007 - 13:15:19 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apple revealed a big, bad set of vulnerabilities in Mac OS X - some
leading to remote root compromise. Some of them already are being
targeted in published exploits. CA's backup product, BrightStor, is
back on the list of software with critical flaws. McAfee's bugs are a
little less critical, but still require rapid action. These latter two
are a reminder of the retargeting that criminals have done over the past
18 months - focusing much more of their research, and huge numbers of
attacks, on applications ranging from back-up to security to office
applications to media players.
                                      Alan

*************************************************************************
               RISK: The Consensus Security Vulnerability Alert
March 19, 2007 Vol. 6. Week 12
*************************************************************************

RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus

Platform Number of Updates and Vulnerabilities
- ------------------------ -------------------------------------

Other Microsoft Products 1
Third Party Windows Apps 8 (#3)
Mac OS 1 (#1)
Linux 6
BSD 1 (#4)
Unix 2
Cross Platform 29 (#2, #5)
Web Application - Cross Site Scripting 7
Web Application - SQL Injection 13
Web Application 26

Table of Contents

Part I - Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (2007-003)
(2) CRITICAL: CA BrightStor ARCServe Backup Tape Engine and Portmapper Vulnerabilities
(3) HIGH: McAfee ePolicy Orchestrator and ProtectionPilot Multiple Vulnerabilities
(4) MODERATE: OpenBSD IPv6 Kernel Memory Corruption
(5) LOW: Apache Tomcat Directory Traversal


Part II - Comprehensive List of Newly Discovered Vulnerabilities from
Qualys (www.qualys.com)

 -- Other Microsoft Products
07.12.1 - Microsoft Internet Explorer NavCancel.HTM Cross-Site Scripting
 -- Third Party Windows Apps
07.12.2 - Avant Browser Content Type Stack-Based Buffer Overflow
07.12.3 - Symantec Norton Personal Firewall 2006 SymTDI Driver Local Denial of Service
07.12.4 - Symantec Norton Personal Firewall 2006 SymEvent Driver Local Denial of Service
07.12.5 - Orchestrator SiteManager.DLL ActiveX Control Remote Buffer Overflow Vulnerabilities
07.12.6 - NewsBin Pro Long File Name Buffer Overflow
07.12.7 - WarFTP Unspecified Stack-Based Buffer Overflow
07.12.8 - NewsReactor Long File Name Buffer Overflow
07.12.9 - D-Link TFTP Transporting Mode Remote Buffer Overflow
 -- Mac OS
07.12.10 - Apple Mac OS X Multiple Applications Multiple Vulnerabilities
 -- Linux
07.12.11 - Xen QEMU VNC Server Arbitrary Information Disclosure
07.12.12 - Linux Kernel Netfilter NFNetLink_Log Multiple NULL Pointer Dereference Vulnerabilities
07.12.13 - KTorrent Multiple Remote Vulnerabilities
07.12.14 - Linux Kernel Ipv6_Getsockopt_Sticky Memory Leak Information Disclosure
07.12.15 - Linux Kernel BINFMT_ELF PT_INTERP Local Information Disclosure
07.12.16 - Plash Shell Command Injection
 -- BSD
07.12.17 - OpenBSD ICMP6 Packet MBuf Remote Denial of Service
 -- Unix
07.12.18 - minigzip Controls File_Compress Buffer Overflow
07.12.19 - AstroCam Remote Denial of Service
 -- Cross Platform
07.12.20 - Computer Associates BrightStor ARCServe BackUp Tape Engine Multiple Vulnerabilities
07.12.21 - Sun Java System Web Server Unspecified Unauthorized Access
07.12.22 - qftp Set_Umask Function Stack-Based Buffer-Overflow
07.12.23 - LIBftb Multiple Remote Buffer Overflow Vulnerabilities
07.12.24 - PHP Array_User_Key_Compare Function Memory Corruption
07.12.25 - IBM WebSphere Application Server Source Code Disclosure
07.12.26 - PHP Interbase Extension Multiple Remote Buffer Overflow Vulnerabilities
07.12.27 - PHP Session Identifier Rejection Double Free Memory Corruption
07.12.28 - Sun Java System Web Server Certificate Revocation Access Control Bypass
07.12.29 - Trend Micro Scan Engine UPX File Parsing Remote Denial of Service
07.12.30 - PHP Session_Regenerate_ID Function Double Free Memory Corruption
07.12.31 - PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass Vulnerabilities
07.12.32 - PHProjekt Arbitrary File Upload
07.12.33 - Adobe JRun Unspecified Denial of Service
07.12.34 - Apache HTTP Server Tomcat Directory Traversal
07.12.35 - MySQL Commander Remote File Include
07.12.36 - Unrarlib URarLib_Get Function Buffer Overflow
07.12.37 - Netperf Insecure Temporary File Creation
07.12.38 - Xine DirectShow Loader Remote Buffer Overflow
07.12.39 - Open Educational System Multiple Remote File Include Vulnerabilities
07.12.40 - PennMUSH Multiple Command Denial of Service Vulnerabilities
07.12.41 - PHP EXT/Filter Function Remote Buffer Overflow
07.12.42 - PHP EXT/Filter HTML Stripping Bypass
07.12.43 - Oracle Database Server DACL Multiple Insecure Permissions Vulnerabilities
07.12.44 - PHP EXT/Filter FDF Post Filter Bypass
07.12.45 - Sun JMX RMI-IIOP Local Unauthorized Access
07.12.46 - PHP CPDF_Open Local Information Disclosure
07.12.47 - MySQL Single Row SubSelect Remote Denial of Service
07.12.48 - PHP SNMPGet Function Local Buffer Overflow
 -- Web Application - Cross Site Scripting
07.12.49 - DirectAdmin CMD_USER_STATS Cross-Site Scripting
07.12.50 - Oracle Portal P_OldURL Parameter Cross-Site Scripting
07.12.51 - IBM Rational ClearQuest Defect Logging Attachment Cross-Site Scripting
07.12.52 - Multiple Cisco Products Online Help Cross-Site Scripting
07.12.53 - Horde Framework login.php Cross-Site Scripting
07.12.54 - PHProjekt Multiple Cross-Site Scripting Vulnerabilities
07.12.55 - MindTouch DekiWiki PopUp-NoTopic.php Cross-Site Scripting
 -- Web Application - SQL Injection
07.12.56 - PhpStats Multiple SQL Injection Vulnerabilities
07.12.57 - Creative Files kommentare.php SQL Injection
07.12.58 - Absolute Image Gallery gallery.asp SQL Injection
07.12.59 - Woltlab Burning Board usergroups.php SQL Injection
07.12.60 - WSN Guest comment.php SQL injection
07.12.61 - PHProjekt Multiple SQL Injection Vulnerabilities
07.12.62 - JGBBS search.asp SQL Injection
07.12.63 - X-Ice News System devami.asp SQL Injection
07.12.64 - PHP Labs JobSitePro search.php SQL injection
07.12.65 - Triexa SonicMailer Pro index.php SQL injection
07.12.66 - Duyuru Scripti goster.asp SQL Injection
07.12.67 - PHP-Nuke Lang Parameter Local File Include and SQL Injection Vulnerabilities
07.12.68 - HC Design NEWSSYSTEM index.php SQL Injection
 -- Web Application
07.12.69 - Cyber-Inside WebLog Local File Include
07.12.70 - Holtstraeter Rot 13 Enkrypt.PHP Directory Traversal
07.12.71 - WBBlog index.php Multiple Input Validation Vulnerabilities
07.12.72 - McGallery download.php Information Disclosure
07.12.73 - Horde Framework and IMP Cleanup Cron Script Arbitrary File Deletion
07.12.74 - Viper Web Portal index.php Remote File Include
07.12.75 - CCMail update.php Remote File Include
07.12.76 - Dayfox Blog postpost.php Remote PHP Code Execution
07.12.77 - GrafX Company Website Builder Pro comanda.php Remote File Include
07.12.78 - Horde IMP Webmail Client Multiple Input Validation Vulnerabilities
07.12.79 - WebCreator Multiple Remote File Include Vulnerabilities
07.12.80 - CARE2X Multiple Remote File Include Vulnerabilities
07.12.81 - Weekly Drawing Contest check_vote.php Local File Include
07.12.82 - Weekly Drawing Contest contest.php Remote Authentication Bypass
07.12.83 - ClipShare ADODB-Connection.Inc.php Remote File Include
07.12.84 - PostNuke Phgstats Module Remote File Include
07.12.85 - AssetMan PDF_File Parameter Directory Traversal
07.12.86 - cPanel Multiple Local File Include Vulnerabilities
07.12.87 - Grayscale Blog Multiple Input Validation Vulnerabilities
07.12.88 - Premod SubDog 2 Multiple Remote File Include Vulnerabilities
07.12.89 - SoftNews Media Group DataLife Engine Multiple Remote File Include Vulnerabilities
07.12.90 - Work System ECommerce include_top.php Remote File Include
07.12.91 - Coppermine Photo Gallery Multiple Remote File Include Vulnerabilities
07.12.92 - Wordpress WP_Title Function HTML Injection
07.12.93 - JCCorp URLShrink Free createurl.php Remote File Include
07.12.94 - PMB Multiple Remote File Include Vulnerabilities

*************************************************************************
PART I - Critical Vulnerabilities

Part I for this issue has been compiled by Rob King and Rohit Dhamankar
at TippingPoint, a division of 3Com, as a by-product of that company's
continuous effort to ensure that its intrusion prevention products
effectively block exploits using known vulnerabilities. TippingPoint's
analysis is complemented by input from a council of security managers
from twelve large organizations who confidentially share with SANS the
specific actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process

********************************
Widely Deployed Software
********************************

(1) CRITICAL: Apple Mac OS X Multiple Vulnerabilities (2007-003)
Affected:
Mac OS X versions prior to 10.4.9
Apple iPhoto 6.0.5 and possibly prior

Description: Mac OS X contains multiple vulnerabilities that can be
exploited to completely compromise users' systems.
(1) An image with a specially-crafted embedded ColorSync profile (data
used to provide color consistency between various displays) could
trigger a stack-based buffer overflow. Successfully exploiting this
buffer overflow could allow an attacker to execute arbitrary code with
the privileges of the current user. Note that this flaw may affect
images embedded in web pages.
(2) A specially-crafted Disk Image file could trigger several
vulnerabilities, including integer and buffer overflow vulnerabilities.
Successfully exploiting these vulnerabilities could lead to arbitrary
code execution with the privileges of the current user, and possibly
with kernel-level privileges. Note that, depending on configuration,
disk images are opened automatically by Safari after download. Disk
images are often used to distribute software and software updates.
(3) A logic error in the DirectoryService subsystem could allow an
unprivileged LDAP user to arbitrarily change the system root password,
allowing for complete system compromise. Note that the system must be
configured for LDAP usage.
(4) A specially-crafted GNU tar (tape archive) file could overwrite
arbitrary files when extracted. These files must be owned by the current
user. Note that, depending on configuration, tar files may be
automatically extracted after download.
(5) A specially-crafted GIF, PICT or RAW image file could exploit an
integer overflow in the ImageIO subsystem or a heap overflow in the
QuickDraw manager subsystem. Successfully exploiting these overflows
could allow an attacker to execute arbitrary code with the privileges
of the current user. Note that this flaw may affect images embedded in
web pages.
(6) The default version of the MySQL server shipped with Mac OS X Server
contains multiple vulnerabilities, including some that could lead to
arbitrary code execution with the privileges of the MySQL process.
(7) A logical flaw in the handling of authentication credentials in Mac
OS X Server's Server Manager subsystem could allow an attacker to access
the Server Manager without proper authentication.
(8) A specially-crafted Software Update Catalog file could exploit a
vulnerability in the Software Update subsystem, allowing an attacker to
execute arbitrary code with the privileges of the Software Update
process.
(9) iPhoto fails to handle specially-crafted XML. Subscribing to a
malicious photocast could trigger a format string vulnerability in
iPhoto and potentially execute arbitrary code with the privileges of the
current user. Note that the user must manually subscribe to a malicious
photocast.
This update was shipped as a separate update from Apple Security Update
2007-003. Several of these vulnerabilities have technical details
and/or working exploits publicly available (see references below).
Additionally, several of these issues have been discussed in earlier
issues of RISK. This software update also addresses several other,
lower-severity vulnerabilities including local-only, denial-of-service,
and cross-site scripting vulnerabilities.

Status: Apple confirmed, updates available.

Council Site Actions: Only one of the reporting council sites is using
the affected software and they are in the process of pushing the updates
out to the affected systems.

References:
Apple Security Advisories
http://docs.info.apple.com/article.html?artnum=305214
http://docs.info.apple.com/article.html?artnum=305031
http://docs.info.apple.com/article.html?artnum=305215
Previous RISK Entries
http://www.sans.org/newsletters/risk/display.php?v=6&i=5#widely6
http://www.sans.org/newsletters/risk/display.php?v=6&i=8#widely10
Month of Apple Bugs References
http://projects.info-pull.com/mokb/MOKB-30-11-2006.html
http://projects.info-pull.com/moab/MOAB-24-01-2007.html
http://projects.info-pull.com/moab/MOAB-04-01-2007.html
http://projects.info-pull.com/moab/MOAB-14-01-2007.html
http://applefun.blogspot.com/2007/01/moab-10-01-2007-apple-dmg-ufs.html
http://projects.info-pull.com/moab/MOAB-23-01-2007.html
http://projects.info-pull.com/mokb/MOKB-20-11-2006.html
http://projects.info-pull.com/mokb/MOKB-21-11-2006.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/22630
http://www.securityfocus.com/bid/22228
http://www.securityfocus.com/bid/21236
http://www.securityfocus.com/bid/21201
http://www.securityfocus.com/bid/22948
http://www.securityfocus.com/bid/22207
http://www.securityfocus.com/bid/21993
http://www.securityfocus.com/bid/21383
http://www.securityfocus.com/bid/22222
http://www.securityfocus.com/bid/21871
http://www.securityfocus.com/bid/22041

*************************************************************************

(2) CRITICAL: CA BrightStor ARCServe Backup Tape Engine and Portmapper Vulnerabilities
Affected:
BrightStor Products:
BrightStor ARCserve Backup r11.5, r11.1, r11, r10.5, v9.01
CA Protection Suites r2:
CA Server and Business Protection Suites r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

Description: Computer Associates BrightStor ARCserve Backup products
provide backup services for Windows, NetWare, Linux and UNIX. The Tape
Engine feature allows the backup products to use tape drives as a
storage media. The Tape Engine process, which listens on port 6502/tcp,
contains multiple vulnerabilities in the handling of RPC requests that
can be exploited to either shut down the Tape Engine service or possibly
execute arbitrary code with "SYSTEM" privileges. In addition, the
portmapper service also contains a vulnerability that can be exploited
to crash the service. The technical details have not yet been publicly
posted.

Status: CA has released patches for the affected products. A workaround
is to block access to ports 6502/tcp and 111/udp at the network
perimeter to prevent attacks originating from the Internet.

Special Note: CA BrightStor products have been widely exploited during
the past year. Hence, this patch should be applied on a priority basis.

References:
Computer Associates Advisory
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317
SecurityFocus BID
http://www.securityfocus.com/bid/22994

*******************************************************************

(3) HIGH: McAfee ePolicy Orchestrator and ProtectionPilot Multiple Vulnerabilities
Affected:
McAfee ePolicy Orchestrator versions 3.5p6 and 3.6.1 and prior
McAfee ProtectionPilot versions 1.1.1p3 and 1.5.0 and prior

Description: McAfee ePolicy Orchestrator and ProtectionPilot contain
multiple vulnerabilities in the "SiteManager" ActiveX component. A
malicious web page that instantiates this component could exploit these
vulnerabilities and execute arbitrary code with the privileges of the
current user. Note that this component is generally only installed on
the Orchestrator or ProtectionPilot server, or a system with the
management console for one of these applications installed. Technical
details for these vulnerabilities are publicly available, and reusable
exploit code for ActiveX components could be easily adapted to target
this component.

Status: McAfee confirmed, updates available. Users can mitigate the
impact of this vulnerability by disabling the vulnerable control via
Microsoft's "kill bit" mechanism for CLSID
"4124FDF6-B540-44C5-96B4-A380CEE9826A".
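
The kill-bit mitigation above, as an added example that is not part of the original advisory: a PowerShell script that reports whether the kill bit is set for this CLSID and sets it when run with -Apply. The registry location and the 0x400 flag value are those documented in Microsoft KB 240797; the function names and the -Apply switch are hypothetical.

```powershell
# Added example (not from the advisory): audit, and with -Apply set, the
# Internet Explorer kill bit for the CLSID given in the Status paragraph.
param([switch]$Apply)

$Clsid     = '{4124FDF6-B540-44C5-96B4-A380CEE9826A}'  # CLSID from the advisory
$KillBit   = 0x00000400                                # kill-bit flag per KB 240797
$ValueName = 'Compatibility Flags'

# Native registry view plus the redirected view read by 32-bit Internet
# Explorer on 64-bit Windows. Both must carry the kill bit.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: return the current flags value, or $null if absent.
function Get-CompatFlags {
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

# Hypothetical helper: true only when the 0x400 bit is present.
function Test-KillBit {
    param([string]$KeyPath)
    $flags = Get-CompatFlags -KeyPath $KeyPath
    return (($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit))
}

# Hypothetical helper: create the CLSID key if needed and OR the bit in,
# so any other compatibility flags already present are preserved.
function Set-KillBit {
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $flags = Get-CompatFlags -KeyPath $KeyPath
    if ($null -eq $flags) { $flags = 0 }
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord `
        -Value ($flags -bor $KillBit) -Force | Out-Null
}

foreach ($root in $Roots) {
    # Skip the WOW6432Node view on systems that do not have it.
    if (-not (Test-Path -LiteralPath (Split-Path -Path $root -Parent))) { continue }

    $key = Join-Path -Path $root -ChildPath $Clsid
    if (Test-KillBit -KeyPath $key) {
        Write-Output "kill bit set:     $key"
    } elseif ($Apply) {
        Set-KillBit -KeyPath $key
        Write-Output "kill bit applied: $key"
    } else {
        Write-Output "kill bit MISSING: $key (re-run with -Apply from an elevated prompt)"
    }
}
```

Run without arguments the script only reports; the kill bit stops Internet Explorer from instantiating the control but does not replace the vendor update.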

Council Site Actions: Two of the reporting council sites are using the
affected software. One site plans to deploy the patch during their next
regularly scheduled maintenance cycle. The other site is still
investigating their course of action. They may accept the risk due to
the fact that their systems are in the process of being integrated into
their parent company.

References:
McAfee Security Advisory
https://knowledge.mcafee.com/article/26/612496_f.SAL_Public.html
Fortinet Security Research Team Posting
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0162.html
Microsoft Knowledge Base Article (details the "kill bit" mechanism)
http://support.microsoft.com/kb/240797
Product Home Pages
http://www.mcafee.com/us/enterprise/products/system_security_management/epolicy_orchestrator.html
http://www.mcafee.com/us/smb/products/management_solutions/protection_pilot.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/22952

*************************************************************************

(4) MODERATE: OpenBSD IPv6 Kernel Memory Corruption
Affected:
OpenBSD version 3.1 - 4.1, and possibly prior

Description: OpenBSD, a derivative of the classical BSD operating system
(itself descended from Unix) designed for high security, contains a
kernel memory corruption vulnerability in its handling of IPv6 traffic.
A specially-crafted IPv6 packet could exploit this memory corruption
issue to execute arbitrary code with kernel privileges, effectively
taking complete control of a vulnerable system. Note that, to
successfully exploit this vulnerability, an attacker must be able to
inject traffic onto the vulnerable system's local network. IPv6 is
enabled by default in OpenBSD. Technical details and a working exploit
are publicly available for this vulnerability.

Status: OpenBSD confirmed, updates available.

Council Site Actions: Two of the reporting council sites have responded
to this item. One site has already patched their systems as part of
their regular system maintenance. The other site has advised their users
to update their systems on their own.

References:
OpenBSD Errata Entry (includes patch)
http://www.openbsd.org/errata40.html#m_dup1
Posting by Core Security Technologies (includes working exploit)
http://archives.neohapsis.com/archives/bugtraq/2007-03/0158.html
SANS Internet Storm Center Handler's Diary Entry
http://isc.sans.org/diary.html?storyid=2445
Slashdot Discussion
http://it.slashdot.org/article.pl?sid=07/03/15/0045207
Wikipedia Article on BSD
http://en.wikipedia.org/wiki/Berkeley_Software_Distribution
Wikipedia Article on the term "Unix-Like"
http://en.wikipedia.org/wiki/Unix-like
OpenBSD Home Page
http://www.openbsd.org
SecurityFocus BID
http://www.securityfocus.com/bid/22901

*************************************************************************

(5) LOW: Apache Tomcat Directory Traversal
Affected:
Apache Tomcat versions prior to 5.5.23 and 6.0.10

Description: Apache Tomcat, a popular Java servlet container and
application server, contains a directory traversal vulnerability. A
specially-crafted request could allow an attacker to read arbitrary
files below the configured document root of the Tomcat server. Note that
the files must be readable by the Tomcat server process. A simple
proof-of-concept is available.

Status: Apache confirmed, updates available.

Council Site Actions: Three of the reporting council sites are using
the affected software and plan to respond on some level. The first site
only has a few small installations of Tomcat and they have advised the
developers to upgrade those systems manually.

The second site has advised their user base to update. The third site
is still investigating the best course of action - they have multiple
Tomcat installations and a number of one-off solutions. They plan to
research all Tomcat server locations.

References:
Posting by SEC Consult (includes proof-of-concept)
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0167.html
Product Home Page
http://tomcat.apache.org
SecurityFocus BID
http://www.securityfocus.com/bid/22960

***********************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 12 2007

This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 5402 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

07.12.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Internet Explorer NavCancel.HTM Cross-Site Scripting
Description: Microsoft Internet Explorer is exposed to a cross-site
scripting issue because it fails to sufficiently sanitize
user-supplied data. This issue arises when rendering the local
"Navigation Canceled" resource page "res://ieframe.dll/navcancel.htm".
When page navigation is canceled, the intended URI path is appended to
the local resource path following a "#" character. Microsoft Internet
Explorer version 7.0 is affected.
Ref: http://www.securityfocus.com/bid/22966
______________________________________________________________________

07.12.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Avant Browser Content Type Stack-Based Buffer Overflow
Description: Avant Browser is a web browser. The application is
exposed to a remote stack-based buffer overflow issue because it fails
to properly bounds check user-supplied input before copying it to an
insufficiently sized memory buffer. Avant Browser version 9.02 build
17 is affected.
Ref: http://www.securityfocus.com/bid/23002
______________________________________________________________________

07.12.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Symantec Norton Personal Firewall 2006 SymTDI Driver Local
Denial of Service
Description: Norton Personal Firewall 2006 is prone to a local denial
of service issue. This issue occurs when attackers send malformed data
to the "SymTDI" driver. Symantec Norton Personal Firewall 2006 versions
9.1.0.33 and 9.1.1.7 are affected.
Ref: http://www.securityfocus.com/archive/1/462926
______________________________________________________________________

07.12.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Symantec Norton Personal Firewall 2006 SymEvent Driver Local
Denial of Service
Description: Norton Personal Firewall 2006 is prone to a local denial
of service issue. This issue occurs when attackers send malformed data
to the "SymEvent" driver. Symantec Norton Personal Firewall 2006
version 9.1.1.7 is affected.
Ref: http://www.securityfocus.com/bid/22961
______________________________________________________________________

07.12.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Orchestrator SiteManager.DLL ActiveX Control Remote Buffer
Overflow Vulnerabilities
Description: McAfee ePolicy Orchestrator is a suite of applications
that provide anti-virus, anti-spyware, system firewalls, host IPS,
content filtering and patch management.
The application is exposed to multiple buffer overflow issues because
the software fails to perform sufficient bounds checking of
user-supplied input before copying it to insufficiently sized memory
buffers. McAfee ProtectionPilot versions 1.5 and earlier are affected.
Ref:
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496
______________________________________________________________________

07.12.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: NewsBin Pro Long File Name Buffer Overflow
Description: NewsBin Pro is a news collector application. The
application is exposed to a remote buffer overflow issue because it
fails to bounds check user-supplied data before copying it into an
insufficiently sized buffer. NewsBin Pro version 4.32 is affected.
Ref: http://www.securityfocus.com/bid/22940
______________________________________________________________________

07.12.7 CVE: Not Available
Platform: Third Party Windows Apps
Title: WarFTP Unspecified Stack-Based Buffer Overflow
Description: WarFTP is a File Transfer Protocol server application for
the Microsoft Windows operating system. The application is exposed to
a stack-based buffer overflow issue because WarFTP fails to properly
check boundaries on unspecified user-supplied data before copying it
to an insufficiently sized buffer. The issue occurs prior to
authentication. WarFTP version 1.65 is affected.
Ref: http://www.securityfocus.com/bid/22944
______________________________________________________________________

07.12.8 CVE: Not Available
Platform: Third Party Windows Apps
Title: NewsReactor Long File Name Buffer Overflow
Description: NewsReactor is a news collector application. The
application is exposed to a remote buffer overflow issue because it
fails to bounds check user-supplied data before copying it into an
insufficiently sized buffer. NewsReactor version 20070220 is affected.
Ref: http://www.securityfocus.com/bid/22936
______________________________________________________________________

07.12.9 CVE: Not Available
Platform: Third Party Windows Apps
Title: D-Link TFTP Transporting Mode Remote Buffer Overflow
Description: D-Link TFTP is a freely available TFTP (Trivial FTP)
server. The application is prone to a buffer overflow issue because it
fails to properly bounds check user-supplied data before storing it in
a finite sized memory buffer. D-Link TFTP version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/22923/info
______________________________________________________________________

07.12.10 CVE: CVE-2007-0719, CVE-2007-0720, CVE-2007-0721,
CVE-2007-0722, CVE-2007-0723, CVE-2007-0724, CVE-2007-0726,
CVE-2007-0728, CVE-2007-0730, CVE-2007-0731, CVE-2007-0733
Platform: Mac OS
Title: Apple Mac OS X Multiple Applications Multiple Vulnerabilities
Description: Mac OS X is exposed to multiple issues. Mac OS X and Mac OS
X Server versions 10.3.9 and 10.4 through 10.4.8 are affected. Please
refer to the advisory for further details.
Ref: http://www.kb.cert.org/vuls/id/557064
______________________________________________________________________

07.12.11 CVE: CVE-2007-0998
Platform: Linux
Title: Xen QEMU VNC Server Arbitrary Information Disclosure
Description: Xen is an application for monitoring virtual machines.
QEMU is a processor emulator that supports full system virtualization.
The application is exposed to an unspecified issue that lets attackers
obtain arbitrary information. The issue stems from a flaw in the VNC
server code in QEMU. RedHat Enterprise Linux Virtualization v.5 server
and earlier versions are affected.
Ref: http://rhn.redhat.com/errata/RHSA-2007-0114.html
______________________________________________________________________

07.12.12 CVE: Not Available
Platform: Linux
Title: Linux Kernel Netfilter NFNetLink_Log Multiple NULL Pointer
Dereference Vulnerabilities
Description: The Linux kernel is exposed to multiple NULL pointer
dereference issues in "nfnetlink_log". Linux kernel 2.6.20 and all
earlier versions are affected.
Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.3
______________________________________________________________________

07.12.13 CVE: Not Available
Platform: Linux
Title: KTorrent Multiple Remote Vulnerabilities
Description: KTorrent is a BitTorrent application for KDE. The
application is exposed to multiple remote vulnerabilities, which
occur while processing the paths of filenames within torrents or when
processing messages with invalid chunk indexes. KTorrent versions
prior to 2.1.2 are affected.
Ref: http://www.securityfocus.com/bid/22930
______________________________________________________________________

07.12.14 CVE: CVE-2007-1000
Platform: Linux
Title: Linux Kernel Ipv6_Getsockopt_Sticky Memory Leak Information
Disclosure
Description: Linux Kernel is exposed to an information disclosure
issue because it fails to handle unexpected user-supplied input. The
vulnerability exists in the "ipv6_getsockopt_sticky()" function of the
net/ipv6/ipv6_sockglue.c source file. Kernel versions 2.6.0 to 2.6.20.1
are affected.
Ref: http://www.kb.cert.org/vuls/id/920689
______________________________________________________________________

07.12.15 CVE: CVE-2007-0958
Platform: Linux
Title: Linux Kernel BINFMT_ELF PT_INTERP Local Information Disclosure
Description: The Linux Kernel is exposed to an issue that occurs in
the Linux ELF binary loader. The issue resides in the
"load_elf_binary" function of the "binfmt_elf.c" file and can allow
local attackers to gain access to privileged information. Linux Kernel
versions in the 2.6.0 branch prior to 2.6.20 are affected.
Ref: http://rhn.redhat.com/errata/RHSA-2007-0099.html
______________________________________________________________________

07.12.16 CVE: Not Available
Platform: Linux
Title: Plash Shell Command Injection
Description: Plash is an application designed to place executables
into a sandbox to minimize the privileges granted to unknown or
untrusted applications. Plash is exposed to a shell command injection
issue because it fails to properly isolate executing binaries from
using the TIOCSTI ioctl on "/dev/tty". Plash version 1.17 is
affected.
Ref: http://lists.gnu.org/archive/html/plash/2007-03/msg00000.html
______________________________________________________________________

07.12.17 CVE: CVE-2007-1365
Platform: BSD
Title: OpenBSD ICMP6 Packet MBuf Remote Denial of Service
Description: OpenBSD is exposed to a remote denial of service issue
when handling specially crafted ICMP6 packets. Specifically, this issue
occurs in the "m_dup1()" function when copying the content from one
"mbuf" structure to another "mbuf" structure.
OpenBSD versions 3.9 and 4.0 are affected.
Ref: http://www.securityfocus.com/bid/22901
______________________________________________________________________

07.12.18 CVE: Not Available
Platform: Unix
Title: minigzip Controls File_Compress Buffer Overflow
Description: minigzip is a minimal implementation of the gzip
compression tool. It is available for Unix-like operating systems. The
application is exposed to a buffer overflow issue because the
application fails to bounds check user-supplied data before copying
"file_compress()" data into an "outfile" buffer.
Ref: http://www.securityfocus.com/bid/22964
______________________________________________________________________

07.12.19 CVE: Not Available
Platform: Unix
Title: AstroCam Remote Denial of Service
Description: AstroCam is a UNIX daemon that is used to control remote
cameras. The server can be controlled with a Web interface. The
application is exposed to a remote denial of service issue. Please
refer to the advisory for further details. AstroCam versions prior to
2.6.6 are affected.
Ref: http://www.securityfocus.com/bid/22924/info
______________________________________________________________________

07.12.20 CVE: CVE-2007-1447, CVE-2007-1448
Platform: Cross Platform
Title: Computer Associates BrightStor ARCServe BackUp Tape Engine
Multiple Vulnerabilities
Description: Computer Associates BrightStor ARCserve Backup products
provide backup and restore protection for various clients. The
application is exposed to a memory corruption issue that arises when the
application handles an RPC request containing specially crafted
procedure arguments. A denial of service issue affecting the Tape
Engine service presents itself due to an unspecified RPC function.
See the reference below for a list of affected versions.
Ref: http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317
______________________________________________________________________

07.12.21 CVE: Not Available
Platform: Cross Platform
Title: Sun Java System Web Server Unspecified Unauthorized Access
Description: Sun Java System Web Server is an application for serving
and managing web applications. The application is exposed to an
unspecified issue that lets attackers gain unauthorized access to
data stored on the web server. Please check the attached advisory for
details.
Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102833-1
______________________________________________________________________

07.12.22 CVE: Not Available
Platform: Cross Platform
Title: qftp Set_Umask Function Stack-Based Buffer Overflow
Description: The "ftplib" package is a library of FTP (File Transfer
Protocol) functions. The "qftp" application uses and is included with
the "ftplib" source code distribution. The "qftp" application is
exposed to multiple stack-based buffer overflow issues because it fails
to properly check boundaries on user-supplied data before copying it
to an insufficiently sized buffer. qftp version 3.1-1 of the "ftplib"
library is affected.
Ref: http://www.securityfocus.com/bid/22986
______________________________________________________________________

07.12.23 CVE: Not Available
Platform: Cross Platform
Title: LIBftp Multiple Remote Buffer Overflow Vulnerabilities
Description: LIBftp is a library that implements FTP (File Transfer
Protocol) functions. The application is exposed to multiple remote
buffer overflow issues because the application fails to bounds check
"FtpArchie()", "FtpDebugDebug()", "FtpOpenDir()", and "FtpSize()"
functions when copying user-supplied data from their parameters into
"FtpString". LIBftp version 5.0 is affected.
Ref: http://www.securityfocus.com/bid/22987
______________________________________________________________________

07.12.24 CVE: Not Available
Platform: Cross Platform
Title: PHP Array_User_Key_Compare Function Memory Corruption
Description: PHP is prone to a memory corruption issue because it fails to
sufficiently sanitize user-supplied data; the issue can facilitate
arbitrary code execution. PHP versions 4.x prior to 4.4.6 and versions
5.x prior to 5.2.1 are affected.
Ref: http://www.php-security.org/MOPB/MOPB-24-2007.html
______________________________________________________________________

07.12.25 CVE: Not Available
Platform: Cross Platform
Title: IBM WebSphere Application Server Source Code Disclosure
Description: IBM WebSphere Application Server is a utility designed to
facilitate the creation of various enterprise web applications. The
application is exposed to a source code disclosure issue due to an
input validation flaw when handling malformed HTTP requests containing
certain characters in the URI. IBM WebSphere Application Server 6.1.3
and all earlier versions are affected.
Ref: http://www.securityfocus.com/bid/22991
______________________________________________________________________

07.12.26 CVE: Not Available
Platform: Cross Platform
Title: PHP Interbase Extension Multiple Remote Buffer Overflow
Vulnerabilities
Description: The PHP Interbase extension is a database module for PHP.
The application is exposed to multiple remote buffer overflow issues
because it fails to perform boundary checks before copying
user-supplied data to insufficiently sized memory buffers. PHP versions
4.4.6 and earlier on Microsoft Windows are affected.
Ref: http://www.securityfocus.com/archive/1/462931
______________________________________________________________________

07.12.27 CVE: Not Available
Platform: Cross Platform
Title: PHP Session Identifier Rejection Double Free Memory Corruption
Description: PHP is exposed to a double free memory corruption issue.
When a session identifier is rejected, a flag is set which causes the
application to free a pointer to the previous session identifier and
create a new identifier. The issue arises as this operation is not
atomic and can be interrupted by exceptional conditions. PHP versions
5.2.0 and 5.2.1 are affected.
Ref: http://www.php-security.org/MOPB/MOPB-23-2007.html
______________________________________________________________________

07.12.28 CVE: Not Available
Platform: Cross Platform
Title: Sun Java System Web Server Certificate Revocation Access
Control Bypass
Description: Sun Java System Web Server is an application for serving
and managing web applications. The application is exposed to an access
bypass issue because it fails to properly enforce certificate
revocations. Affected versions include Sun Java System Web Server 6.1
prior to SP7 (all types including AIX and HP-UX). Also affected are all
versions prior to the following patch levels per operating system: Linux
patch 118202-11, Solaris x86 patch 116649-19, and SPARC patch 116648-19.
Ref: http://www.securityfocus.com/bid/22973
______________________________________________________________________

07.12.29 CVE: Not Available
Platform: Cross Platform
Title: Trend Micro Scan Engine UPX File Parsing Remote Denial of
Service
Description: The Trend Micro Scan Engine is available on various
products shipped by the vendor. The application is exposed to a denial
of service issue because it fails to properly handle compressed UPX
files. Various products using the Trend Micro Antivirus Scan Engine
versions 8 and above are affected.
Ref:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034587
______________________________________________________________________

07.12.30 CVE: Not Available
Platform: Cross Platform
Title: PHP Session_Regenerate_ID Function Double Free Memory
Corruption
Description: PHP is exposed to a double free memory corruption issue
which resides in the "session_regenerate_id()" function used to
regenerate a new session identifier. The affected function fails to
clear a previously freed pointer from the previous session before
calling the session identifier generator. PHP versions 5 to 5.2.1 are
affected. PHP version 4 is vulnerable only if successful remote
exploits are proven.
Ref: http://www.php-security.org/MOPB/MOPB-22-2007.html
______________________________________________________________________

07.12.31 CVE: Not Available
Platform: Cross Platform
Title: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass
Vulnerabilities
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
PHP versions 5.2.1 and prior are vulnerable to these issues. Please
refer to the advisory for further details.
Ref: http://www.php-security.org/MOPB/MOPB-21-2007.html
______________________________________________________________________

07.12.32 CVE: Not Available
Platform: Cross Platform
Title: PHProjekt Arbitrary File Upload
Description: PHProjekt is a freely available, open-source PHP
Groupware package. It is actively maintained by the PHProjekt
Development Team. The application is exposed to an arbitrary file
upload issue. PHProjekt versions prior to 5.2.1 are affected. Please
refer to the advisory for further details.
Ref: http://www.securityfocus.com/bid/22956
______________________________________________________________________

07.12.33 CVE: CVE-2007-1278
Platform: Cross Platform
Title: Adobe JRun Unspecified Denial of Service
Description: Adobe JRun is a J2EE application server. The application
is exposed to a denial of service issue while taking specific actions
after requesting a file located in the JRun application server's root
folder. Microsoft IIS 6 installations running JRun 4 Updater 6 and
earlier versions are affected.
Ref: http://www.adobe.com/support/security/bulletins/apsb07-07.html
______________________________________________________________________

07.12.34 CVE: Not Available
Platform: Cross Platform
Title: Apache HTTP Server Tomcat Directory Traversal
Description: Apache Tomcat is the servlet container used in the
official Reference Implementation for the Java Servlet and JavaServer
Pages technologies. The application is exposed to a directory
traversal issue because it fails to sufficiently sanitize
user-supplied input. Apache Tomcat versions in the 5.0 series
prior to 5.5.22 and versions in the 6.0 series prior to 6.0.10 are
affected.
Ref: http://www.securityfocus.com/bid/22960
______________________________________________________________________

07.12.35 CVE: Not Available
Platform: Cross Platform
Title: MySQL Commander Remote File Include
Description: MySQL Commander is a web-based application. The
application is exposed to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the "home" parameter
of the "ressourcen/dbopen.php" script. MySQL Commander versions 2.7
and earlier are affected.
Ref: http://www.securityfocus.com/bid/22941
______________________________________________________________________

07.12.36 CVE: Not Available
Platform: Cross Platform
Title: unrarlib URarLib_Get Function Buffer Overflow
Description: unrarlib is a library for opening and reading RAR files.
The library is exposed to a buffer overflow issue because it fails to
perform proper bounds checking of user-supplied input before copying
it to an insufficiently sized memory buffer. The problem occurs in the
"urarlib_get()" function of "unrarlib.c". unrarlib version 0.4 is
affected.
Ref: http://www.securityfocus.com/bid/22942
______________________________________________________________________

07.12.37 CVE: Not Available
Platform: Cross Platform
Title: Netperf Insecure Temporary File Creation
Description: Netperf is a benchmark tool to measure various aspects of
networking performance. The "netperf.debug" file creates temporary files
in an insecure manner. Netperf version 2.4.3 is affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413658
______________________________________________________________________

07.12.38 CVE: CVE-2007-1387
Platform: Cross Platform
Title: Xine DirectShow Loader Remote Buffer Overflow
Description: Xine is an open source multimedia player for audio and
video. Xine is exposed to a remote buffer overflow issue because the
application fails to perform boundary checks prior to copying
user-supplied input into finite sized buffers. xine-lib version 1.1.2
and all earlier versions are affected.
Ref: http://www.securityfocus.com/bid/22933
______________________________________________________________________

07.12.39 CVE: Not Available
Platform: Cross Platform
Title: Open Educational System Multiple Remote File Include
Vulnerabilities
Description: Open Educational System is an open source learning
application. The application is exposed to multiple remote file
include issues because it fails to properly sanitize user-supplied
input before processing it in an "include()" function call. Open
Educational System version 0.1 beta is affected.
Ref: http://advisories.echo.or.id/adv/adv69-K-159-2007.txt
______________________________________________________________________

07.12.40 CVE: Not Available
Platform: Cross Platform
Title: PennMUSH Multiple Command Denial of Service Vulnerabilities
Description: PennMUSH is an application server for "mud" (multi-user
dungeon), a textual game. The application is exposed to multiple remote
denial of service issues due to an unspecified error when a user sends
a specially crafted "speak()" command or a "buy()" command with "buy"
and "pricelist" attributes. PennMUSH versions prior to 1.8.2p3 are
affected.
Ref: http://www.pennmush.org/archives/pennmush-announce/2007/000137.html
______________________________________________________________________

07.12.41 CVE: Not Available
Platform: Cross Platform
Title: PHP EXT/Filter Function Remote Buffer Overflow
Description: The PHP ext/filter is an optional extension for PHP 5. It
is designed to filter out malicious content from user-supplied input.
The application is exposed to a remote buffer overflow issue because
the application fails to perform boundary checks before copying
user-supplied data to insufficiently sized memory buffers.
PHP version 5.2.0 is affected.
Ref: http://www.php-security.org/MOPB/MOPB-19-2007.html
______________________________________________________________________

07.12.42 CVE: Not Available
Platform: Cross Platform
Title: PHP EXT/Filter HTML Stripping Bypass
Description: The PHP ext/filter is an optional extension for PHP 5. It
is designed to filter out malicious content from user-supplied input.
The filter is prone to a filter bypass issue when the
"FILTER_SANITIZE_STRING" filter is used with the
"FILTER_FLAG_STRIP_LOW" flag. PHP ext/filter version 5.2 is affected.
Ref: http://www.securityfocus.com/bid/22914
______________________________________________________________________

07.12.43 CVE: Not Available
Platform: Cross Platform
Title: Oracle Database Server DACL Multiple Insecure Permissions
Vulnerabilities
Description: Oracle Database Server is exposed to multiple insecure
permissions issues due to a failure in the application to properly
secure the individual processes of the application. Oracle Database
Server version 10gR2 for Windows is affected.
Ref: http://www.securityfocus.com/bid/22905
______________________________________________________________________

07.12.44 CVE: Not Available
Platform: Cross Platform
Title: PHP EXT/Filter FDF Post Filter Bypass
Description: The PHP ext/filter is an optional extension for PHP 5. It
is designed to filter out malicious content from user-supplied input.
The filter is prone to a filter bypass issue because it can be
bypassed when ext/fdf is installed. PHP version 5.1.6 and earlier
versions are affected.
Ref: http://www.php-security.org/MOPB/MOPB-17-2007.html
______________________________________________________________________

07.12.45 CVE: Not Available
Platform: Cross Platform
Title: Sun JMX RMI-IIOP Local Unauthorized Access
Description: Sun Java Management Extensions (JMX) Remote API provides
remote access to JMX MBeans servers. Sun JMX is exposed to a local
unauthorized access issue that occurs in the Remote Method Invocation
over Internet Inter ORB Protocol (RMI-IIOP) when processing a local
RMI-IIOP server application. JMX RMI-IIOP API which is part of the
Java Dynamic Management Kit product is affected.
Ref:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102835-1&searchclause=
______________________________________________________________________

07.12.46 CVE: Not Available
Platform: Cross Platform
Title: PHP CPDF_Open Local Information Disclosure
Description: PHP is a general purpose scripting language that is
especially suited for web development and can be embedded into HTML.
The PHP "cpdf_open()" function is exposed to a local information
disclosure issue because the application fails to properly verify that
the file specified is an existing PDF file. PHP version 4.4.6 is
affected.
Ref: http://www.securityfocus.com/bid/22897
______________________________________________________________________

07.12.47 CVE: Not Available
Platform: Cross Platform
Title: MySQL Single Row SubSelect Remote Denial of Service
Description: MySQL is an open source SQL database management system
available for multiple operating systems. The application is exposed
to a remote denial of service issue because it fails to handle certain
SELECT statements to database metadata. MySQL versions prior to 5.0.37
are vulnerable.
Ref: http://www.securityfocus.com/archive/1/462339
______________________________________________________________________

07.12.48 CVE: Not Available
Platform: Cross Platform
Title: PHP SNMPGet Function Local Buffer Overflow
Description: PHP is prone to a local buffer overflow issue because the
application fails to perform boundary checks before copying
user-supplied data to insufficiently sized memory buffers. PHP for
Microsoft Windows version 4.4.6 is affected.
Ref: http://www.securityfocus.com/bid/22893
______________________________________________________________________

07.12.49 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: DirectAdmin CMD_USER_STATS Cross-Site Scripting
Description: DirectAdmin is a web site administration panel. The
application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to the "RESULT"
parameter of the "CMD_USER_STATS" script. JBMC Software DirectAdmin
version 1.292 is affected.
Ref: http://www.securityfocus.com/archive/1/463003
______________________________________________________________________

07.12.50 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Oracle Portal P_OldURL Parameter Cross-Site Scripting
Description: Oracle Portal is a portal application integrated into
Oracle's application server software. The application is exposed to a
cross-site scripting issue because it fails to properly sanitize
user-supplied input to the "p_oldurl" parameter of the
"portal/PORTAL.wwv_main.render_warning_screen" script. Oracle Portal
version 10g is affected.
Ref: http://www.securityfocus.com/bid/22999
______________________________________________________________________

07.12.51 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: IBM Rational ClearQuest Defect Logging Attachment Cross-Site
Scripting
Description: IBM Rational ClearQuest is a software development
management application. It is exposed to a cross-site scripting issue
due to a lack of proper sanitization of user-supplied input. IBM
Rational ClearQuest version 7.0.0.0 is affected.
Ref: http://www.securityfocus.com/archive/1/462919
______________________________________________________________________

07.12.52 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Multiple Cisco Products Online Help Cross-Site Scripting
Description: Multiple Cisco products are exposed to a cross-site
scripting issue because they fail to properly sanitize user-supplied
input. The search script contained in the "PreSearch.html" or
"PreSearch.class" partially sanitizes user-supplied input. Cisco VPN
Client for Windows versions 4.8.1 and earlier, for Solaris versions
4.0.2 C and earlier, for Mac OS X versions 4.0.2 C and earlier, and for
Linux versions 3.6.1 and earlier are affected.
Ref: http://www.cisco.com/warp/public/707/cisco-sr-20070315-xss.shtml
______________________________________________________________________

07.12.53 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Horde Framework Login.php Cross-Site Scripting
Description: Horde Framework is a web log application. The application
is exposed to an HTML injection issue because it fails to properly
sanitize user-supplied input to a "new_lang" parameter of the
"login.php" script. Horde Framework versions earlier than 3.1.4 are
affected.
Ref: http://lists.horde.org/archives/announce/2007/000315.html
______________________________________________________________________

07.12.54 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: PHProjekt Multiple Cross-Site Scripting Vulnerabilities
Description: PHProjekt is a modular web-based application to share
information and documents.
The application is exposed to multiple cross-site scripting issues
because it fails to sufficiently sanitize user-supplied input.
PHProjekt versions 5.2.0 and earlier are affected.
Ref: http://www.securityfocus.com/bid/22957
______________________________________________________________________

07.12.55 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: MindTouch DekiWiki PopUp-NoTopic.php Cross-Site Scripting
Description: MindTouch DekiWiki is a file server and intranet tool.
The application is exposed to a cross-site scripting issue because it
fails to properly sanitize user-supplied input to the "message"
parameter of the "/skins/ace/popup-notopic.php" script. MindTouch
DekiWiki versions prior to "gooseberry++" are affected.
Ref: http://www.securityfocus.com/bid/22891
______________________________________________________________________

07.12.56 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PhpStats Multiple SQL Injection Vulnerabilities
Description: PhpStats is a web site statistics analysis application. It
is exposed to multiple SQL injection issues because it fails to
properly sanitize user-supplied input before using it in an SQL query
using the "PC-REMOTE-ADDR" parameter and "ip" parameter of the
"php-stats.recphp.php" script. PhpStats version 0.1.9.1b is affected.
Ref: http://www.securityfocus.com/bid/23003
______________________________________________________________________

07.12.57 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Creative Files kommentare.php SQL Injection
Description: Creative Files is a web-based download manager. The
application is exposed to an SQL injection issue because it fails to
properly sanitize user-supplied input to the "dlid" parameter of the
"kommentare.php" script before using it in an SQL query. Creative
Files version 1.2 is affected.
Ref: http://www.securityfocus.com/bid/23000
______________________________________________________________________

07.12.58 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Absolute Image Gallery gallery.asp SQL Injection
Description: Absolute Image Gallery is a web based photo album
application implemented in ASP.
The application is exposed to an SQL injection issue because it fails
to properly sanitize user-supplied input to the "categoryid" parameter
of the "gallery.asp" script. Absolute Image Gallery version XE 2.0 is
affected.
Ref: http://www.securityfocus.com/bid/22988
______________________________________________________________________

07.12.59 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Woltlab Burning Board usergroups.php SQL Injection
Description: Woltlab Burning Board is a free web-based bulletin board
package based on PHP and MySQL. The application is exposed to an SQL
injection issue because it fails to properly sanitize user-supplied
input to the "action" parameter of the "usergroup.php" script. Woltlab
Burning Board version 2.7 and earlier versions are affected.
Ref: http://www.securityfocus.com/bid/22970
______________________________________________________________________

07.12.60 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WSN Guest Comment.PHP SQL Injection
Description: WSN Guest is a guestbook application. The application is
exposed to an SQL injection issue because it fails to properly
sanitize user-supplied input to the "id" parameter of the
"comment.php" script before using it in an SQL query. WSN Guest
version 1.2.1 is affected.
Ref: http://www.securityfocus.com/bid/22969
______________________________________________________________________

07.12.61 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHProjekt Multiple SQL Injection Vulnerabilities
Description: PHProjekt is a freely available, open-source PHP
Groupware package. It is actively maintained by the PHProjekt
Development Team. The application is exposed to multiple SQL injection
issues because it fails to properly sanitize user-supplied input
before using it in an SQL query. The vulnerabilities can be triggered
through the "calendar" module, the "search" module and through an
unspecified cookie value. PHProjekt versions 5.2.0 and earlier
are affected.
Ref: http://www.securityfocus.com/archive/1/462789
______________________________________________________________________

07.12.62 CVE: Not Available
Platform: Web Application - SQL Injection
Title: JGBBS search.asp SQL Injection
Description: JGBBS is a tree style forum application. The application
is exposed to an SQL injection issue because it fails to properly
sanitize user-supplied input to the "Author" parameter of the
"search.asp" script before using it in an SQL query. JGBBS version 3.0
beta 1 is affected.
Ref: http://www.securityfocus.com/archive/1/462699
______________________________________________________________________

07.12.63 CVE: Not Available
Platform: Web Application - SQL Injection
Title: X-Ice News System devami.asp SQL Injection
Description: X-Ice News System is a content management system (CMS).
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data to the "id" parameter of
the "devami.asp" script before using it in an SQL query. X-Ice News
System version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/22939
______________________________________________________________________

07.12.64 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP Labs JobSitePro search.php SQL Injection
Description: PHP Labs JobSitePro is a web-based application. It allows
users to create and manage a job recruitment site. The application is
prone to an SQL injection issue because it fails to properly sanitize
user-supplied input to the "search.php" script before using it in an
SQL query. JobSitePro version 1.0 is affected.
Ref: http://www.securityfocus.com/bid/22916
______________________________________________________________________

07.12.65 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Triexa SonicMailer Pro index.php SQL Injection
Description: Triexa SonicMailer Pro is a mailing list manager. The
application is prone to an SQL injection issue because it fails to
properly sanitize user-supplied input to the "list" parameter of the
"index.php" script before using it in an SQL query. SonicMailer Pro
3.2.3 and prior versions are affected.
Ref: http://www.securityfocus.com/bid/22920
______________________________________________________________________

07.12.66 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Duyuru Scripti goster.asp SQL Injection
Description: Duyuru Scripti is a web-based application. The
application is prone to an SQL injection issue because it fails to
properly sanitize user-supplied input to the "id" parameter of the
"goster.asp" script before using it in an SQL query.
Ref: http://www.securityfocus.com/archive/1/462448
______________________________________________________________________

07.12.67 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PHP-Nuke Lang Parameter Local File Include and SQL Injection
Vulnerabilities
Description: PHP Nuke is a content manager and portal system. The
application is prone to a local file include issue and an SQL
injection issue because it fails to sufficiently sanitize
user-supplied input through the "lang" cookie data parameter. PHP Nuke
version 8.0 is affected.
Ref: http://www.securityfocus.com/archive/1/462443
______________________________________________________________________

07.12.68 CVE: Not Available
Platform: Web Application - SQL Injection
Title: HC Design NEWSSYSTEM index.php SQL Injection
Description: NEWSSYSTEM is a web-based news script application. The
application is prone to an SQL injection issue because it fails to
properly sanitize user-supplied input to the "ID" parameter of the
"index.php" script before using it in an SQL query. NEWSSYSTEM versions
1.0 and 1.4 are affected.
Ref: http://www.securityfocus.com/archive/1/462347
______________________________________________________________________

07.12.69 CVE: Not Available
Platform: Web Application
Title: Cyber-Inside WebLog Local File Include
Description: Cyber Inside WebLog is a web-based application. It is
exposed to a local file include issue because it fails to properly
sanitize user-supplied input to the "file" parameter of the
"index.php" script.
Ref: http://www.securityfocus.com/bid/22995
______________________________________________________________________

07.12.70 CVE: Not Available
Platform: Web Application
Title: Holtstraeter Rot 13 enkrypt.php Directory Traversal
Description: Rot 13 is a simplified implementation of the Caesar
cipher algorithm to encrypt sensitive information. The application is
exposed to a directory traversal issue because it fails to properly
sanitize user-supplied input. The issue occurs when specially crafted
HTTP GET requests containing a directory traversal string are sent to
the "datei" parameter of the "enkrypt.php" script.
Ref: http://www.securityfocus.com/archive/1/463011
______________________________________________________________________

07.12.71 CVE: Not Available
Platform: Web Application
Title: WBBlog index.php Multiple Input Validation Vulnerabilities
Description: WBBlog is a single-user blogging application. It is
exposed to input validation issues because it fails to sufficiently
sanitize user-supplied data affecting the "e_id" parameter of the
"index.php" script.
Ref: http://www.securityfocus.com/bid/22998
______________________________________________________________________

07.12.72 CVE: Not Available
Platform: Web Application
Title: McGallery download.php Information Disclosure
Description: McGallery is a web-based application. It is exposed to an
information disclosure issue because the application fails to properly
sanitize user-supplied input to the "filename" parameter of the
"download.php" script. McGallery version 0.5b is affected.
Ref: http://www.securityfocus.com/bid/22989
______________________________________________________________________

07.12.73 CVE: Not Available
Platform: Web Application
Title: Horde Framework and IMP Cleanup Cron Script Arbitrary File
Deletion
Description: Horde Framework is an application framework used with
other Horde Project products. IMP is a webmail application for
accessing IMAP and POP3 mailboxes. It is implemented on the Horde
Framework. The application is exposed to a file deletion issue because
file paths output by the "find(1)" command are passed as the Y value
to a "for X in Y; do" statement. Since the Y value is space
delimited, the for loop processes a file path containing spaces as
several separate files. Horde IMP versions 3.2.6 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/462933
______________________________________________________________________

07.12.74 CVE: Not Available
Platform: Web Application
Title: Viper Web Portal index.php Remote File Include
Description: Viper Web Portal is a content management system. The
application is exposed to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the "modpath"
parameter of the "index.php" script. Viper Web Portal alpha version 0.1
is affected.
Ref: http://www.securityfocus.com/bid/22979
______________________________________________________________________

07.12.75 CVE: Not Available
Platform: Web Application
Title: CCMail Update.PHP Remote File Include
Description: CcMail is a webmail application. It is exposed to a
remote file include issue because it fails to sufficiently sanitize
user-supplied input to the "functions_dir" parameter of the
"functions/update.php" script. CcMail version 1.0.1 is affected.
Ref: http://www.securityfocus.com/bid/22983
______________________________________________________________________

07.12.76 CVE: Not Available
Platform: Web Application
Title: Dayfox Blog postpost.php Remote PHP Code Execution
Description: Dayfox Blog is a PHP-based application for creating blog
sites. The application is exposed to an arbitrary PHP code execution
issue because it fails to properly sanitize user-supplied input to the
"cat" parameter of the "postpost.php" script. Dayfox Blog version 4.5
is affected.
Ref: http://www.securityfocus.com/bid/22972
______________________________________________________________________

07.12.77 CVE: Not Available
Platform: Web Application
Title: GrafX Company Website Builder Pro comanda.php Remote File
Include
Description: Company Website Builder Pro is a content management
system (CMS). The application is exposed to a remote file include
issue because it fails to sufficiently sanitize user-supplied input to
the "INCLUDE_PATH" parameter of the "comanda.php" script. Company
Website Builder Pro version 1.9.8 is affected.
Ref: http://www.securityfocus.com/archive/1/462917
______________________________________________________________________

07.12.78 CVE: Not Available
Platform: Web Application
Title: Horde IMP Webmail Client Multiple Input Validation
Vulnerabilities
Description: Horde IMP Webmail Client provides webmail access to IMAP
and POP3 accounts. The application is exposed to multiple input
validation issues because it fails to sufficiently sanitize
user-supplied input. Horde IMP versions 4.0.4 and earlier are
affected.
Ref: http://lists.horde.org/archives/announce/2007/000316.html
______________________________________________________________________

07.12.79 CVE: Not Available
Platform: Web Application
Title: WebCreator Multiple Remote File Include Vulnerabilities
Description: WebCreator is an application to create web sites. The
application is prone to multiple remote file include issues because it
fails to properly sanitize user-supplied input before processing it in
an "include()" function call. WebCreator versions 0.2.6-rc3 and
earlier are affected.
Ref: http://advisories.echo.or.id/adv/adv74-theday-2007.txt
______________________________________________________________________

07.12.80 CVE: Not Available
Platform: Web Application
Title: CARE2X Multiple Remote File Include Vulnerabilities
Description: CARE2X is an application that is used to integrate data,
functions and workflows in a healthcare environment. The application
is exposed to multiple remote file include issues because it fails to
properly sanitize user-supplied input before processing it in an
"include()" function call. CARE2X version 1.1 is affected.
Ref: http://www.securityfocus.com/archive/1/462808
______________________________________________________________________

07.12.81 CVE: Not Available
Platform: Web Application
Title: Weekly Drawing Contest check_vote.php Local File Include
Description: Weekly Drawing Contest is a forum application. The
application is prone to a local file include issue because it fails to
properly sanitize user-supplied input to the "order" parameter of the
"check_vote.php" script. Weekly Drawing Contest version 0.0.1 is
affected.
Ref: http://www.securityfocus.com/bid/22937
______________________________________________________________________

07.12.82 CVE: Not Available
Platform: Web Application
Title: Weekly Drawing Contest Contest.PHP Remote Authentication Bypass
Description: Weekly Drawing Contest is a contest CMS. The application
is exposed to an issue that allows remote attackers to bypass
authentication and simply navigate to the "admin/contest.php" script.
Weekly Drawing Contest version 0.0.1 is affected.
Ref: http://www.securityfocus.com/archive/1/462702
______________________________________________________________________

07.12.83 CVE: Not Available
Platform: Web Application
Title: ClipShare ADODB-Connection.Inc.php Remote File Include
Description: ClipShare is a web-based application for sharing photos
and videos. The application is exposed to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"cmd" parameter of the "adodb-connection.inc.php" script. ClipShare
version 1.5.3 is affected.
Ref: http://www.securityfocus.com/bid/22928
______________________________________________________________________

07.12.84 CVE: Not Available
Platform: Web Application
Title: PostNuke Phgstats Module Remote File Include
Description: PostNuke Phgstats Module is a game server status/query
script. The application is prone to a remote file include issue
because it fails to sufficiently sanitize user-supplied input to the
"phgdir" parameter of the "phgstats.inc.php" script. PostNuke Phgstats
Module version 0.5 is affected.
Ref: http://www.securityfocus.com/bid/22918
______________________________________________________________________

07.12.85 CVE: Not Available
Platform: Web Application
Title: AssetMan PDF_File Parameter Directory Traversal
Description: AssetMan is a web-based application to track company
assets. The application is prone to a directory traversal issue
because it fails to properly sanitize user-supplied input. The issue
occurs when specially crafted HTTP GET requests containing a directory
traversal string are sent to the "pdf_file" parameter. AssetMan
versions 2.4a and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/462577
______________________________________________________________________

07.12.86 CVE: Not Available
Platform: Web Application
Title: cPanel Multiple Local File Include Vulnerabilities
Description: cPanel is a web hosting control panel. The application is
prone to multiple local file include issues because it fails to
properly sanitize user-supplied input to the "userlanguage" parameter
of the "load_language.php" script and the "fantasticopath" parameter of
the "mysqlconfig.php" script. cPanel versions 10.9.x and earlier
are affected.
Ref: http://www.securityfocus.com/bid/22915
______________________________________________________________________

07.12.87 CVE: Not Available
Platform: Web Application
Title: Grayscale Blog Multiple Input Validation Vulnerabilities
Description: Grayscale Blog is a web-based blogging application. The
application is prone to multiple input validation issues because it
fails to sufficiently sanitize user-supplied data. Grayscale Blog
version 0.8.0 is affected.
Ref: http://www.securityfocus.com/archive/1/462441
______________________________________________________________________

07.12.88 CVE: Not Available
Platform: Web Application
Title: Premod SubDog 2 Multiple Remote File Include Vulnerabilities
Description: Premod SubDog 2 is a module for phpBB. The application is
prone to multiple remote file include issues because it fails to
properly sanitize user-supplied input before processing it in an
"include()" function call.
Ref: http://www.securityfocus.com/archive/1/462444
______________________________________________________________________

07.12.89 CVE: Not Available
Platform: Web Application
Title: SoftNews Media Group DataLife Engine Multiple Remote File
Include Vulnerabilities
Description: DataLife Engine is a web-based content management system.
The application is prone to multiple remote file include issues
because it fails to properly sanitize user-supplied input before
processing it in an "include()" function call, which affects the
"root_dir" parameter of "init.php" and "- Ajax/editnews.php" scripts.
DataLife Engine versions 5.5 and 4.1 are affected.
Ref: http://www.securityfocus.com/bid/22913
______________________________________________________________________

07.12.90 CVE: Not Available
Platform: Web Application
Title: Work System ECommerce include_top.php Remote File Include
Description: Work System Ecommerce is a content manager. The
application is prone to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the "g_include"
parameter of the "include/include_top.php" script. Work System
Ecommerce versions 3.0.5 and earlier are affected.
Ref: http://www.securityfocus.com/bid/22908
______________________________________________________________________

07.12.91 CVE: Not Available
Platform: Web Application
Title: Coppermine Photo Gallery Multiple Remote File Include
Vulnerabilities
Description: Coppermine Photo Gallery is a web-based image gallery.
The application is exposed to multiple remote file-include issues
because it fails to properly sanitize user-supplied input in various
script files.
Ref: http://www.securityfocus.com/archive/1/462322
______________________________________________________________________

07.12.92 CVE: Not Available
Platform: Web Application
Title: WordPress WP_Title Function HTML Injection
Description: WordPress is a web-log application. The application is
prone to an HTML injection issue because it fails to properly sanitize
user-supplied input to the "year" field of the "wp_title" function.
WordPress versions 2.1.2 and earlier are affected.
Ref: http://www.securityfocus.com/archive/1/462374
______________________________________________________________________

07.12.93 CVE: Not Available
Platform: Web Application
Title: JCCorp URLShrink Free CreateURL.PHP Remote File Include
Description: JCCorp URLShrink Free is a URL shrinking tool. The
application is exposed to a remote file include issue because it fails
to sufficiently sanitize user-supplied input to the "formurl"
parameter of the "createurl.php" script. JCCorp URLShrink Free version
1.3.1 is affected.
Ref: http://www.securityfocus.com/archive/1/462310
______________________________________________________________________

07.12.94 CVE: Not Available
Platform: Web Application
Title: PMB Multiple Remote File Include Vulnerabilities
Description: PMB is an application to aid in the management of a
library. The application is exposed to multiple remote file include
issues because it fails to properly sanitize user-supplied input
before processing it in an "include()" function call. PMB version
3.0.13 is affected.
Ref: http://www.securityfocus.com/archive/1/462452
______________________________________________________________________

(c) 2007. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.

Subscriptions: RISK is distributed free of charge to people responsible
for managing and securing information systems and networks. You may
forward this newsletter to others with such responsibility inside or
outside your organization.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFF/sbg+LUG5KFpTkYRAmDrAJ479H3t2dmHUXAdxUJ/2LVvjxxmqwCdEdA7
W6HnDtcJoYD1M/QVWc7NB1I=
=jTfP
-----END PGP SIGNATURE-----